Strategy and method for realizing minimum privilege control in safety operating system

An operating system privilege-control technique, applied in the field of security information systems, that addresses three problems: existing approaches cannot meet the domain-isolation and dynamic requirements of privilege control, privilege management is complex, and system risk grows.

Inactive Publication Date: 2006-11-01
INST OF SOFTWARE - CHINESE ACAD OF SCI

AI Technical Summary

Problems solved by technology

[0005] The method based on user / user group identification creates a specific user / user group and makes a specific program run with the identity and authority of that user / user group, as the setuid mechanism in the LINUX system does. Its advantage is that the implementation is very simple; its disadvantage is that it easily lets superusers (specific users with all permissions) do anything. Most current security systems no longer use it as the main technology, keeping it only for compatibility or system maintenance.
Although this method simplifies authorization management, ensures the isolation of duties and the minimization of user privileges, it has two shortcomings: (1) It is only a static, user-level granular control
The disadvantages are: (1) least privilege control must be implemented for each program, which complicates privilege management; (2) appropriate privileges must be assigned to each program, otherwise the risk to the system increases accordingly.
[0008] Although these three methods or a combination of methods can make up for some shortcomings of traditional privilege control methods to a certain extent, such as the isolation of responsibilities and the granularity of fine-grained control, they cannot solve the domain isolation and dynamic requirements of privilege control.

Examples


Embodiment Construction

[0027] According to the above technical solution, an example of the implementation of the present invention in a LINUX-based security operating system is given below.

[0028] Figure 1 shows the mapping relationships between the authorized entities involved in the privilege control strategy. The specific technical steps for establishing these relationships in the secure LINUX system are as follows:

[0029] 1. Define the capability set C, that is, divide the original system superuser privileges into several fine-grained capabilities. The current design supports the definition of 64 capabilities (the original LINUX system supports only 32). When defining capabilities, the design requires that the security requirements of the system be made explicit, based on the security mechanisms the system is to implement, such as discretionary access control (DAC), mandatory access control (MAC) and domain and type enforcement (DTE), to find out all security-related...
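The following C sketch is an added example, not code from the patent: it models a 64-bit capability set C and a decision that walks the user, role, DTE domain and capability layers. The capability numbers, the user, role and domain names, and the rule that every layer must agree before a capability is granted are assumptions, since the page's description is truncated.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define NCAPS 64                        /* size of capability set C per the page */
typedef uint64_t capset_t;              /* one bit per capability */
#define N(a) (sizeof(a) / sizeof((a)[0]))

/* Hypothetical capability numbers; the page does not list any. */
enum { CAPX_DAC_OVERRIDE = 1, CAPX_MAC_RELABEL = 40, CAPX_DTE_ADMIN = 63 };

/* Out-of-range numbers yield the empty set instead of an undefined shift. */
static capset_t cap_bit(unsigned c) { return c < NCAPS ? (capset_t)1 << c : 0; }

/* A set fits the original 32-capability layout only if bits 32..63 are clear. */
int fits_legacy32(capset_t s) { return (s >> 32) == 0; }

struct domain { const char *name; capset_t caps; };
struct link   { const char *from, *to; };    /* one edge of a mapping layer */

/* Constructed sample policy (assumed names, not from the patent). */
static const struct domain domains[] = {
    { "label_d",  ((capset_t)1 << CAPX_MAC_RELABEL) | ((capset_t)1 << CAPX_DTE_ADMIN) },
    { "backup_d", (capset_t)1 << CAPX_DAC_OVERRIDE },
};
static const struct link user_role[]   = { {"alice", "secadm"}, {"bob", "operator"} };
static const struct link role_domain[] = { {"secadm", "label_d"}, {"operator", "backup_d"} };

static int linked(const struct link *t, size_t n, const char *a, const char *b) {
    for (size_t i = 0; i < n; i++)
        if (!strcmp(t[i].from, a) && !strcmp(t[i].to, b)) return 1;
    return 0;
}

/* Assumed rule: grant only if user->role, role->domain and domain->capability all hold. */
int cap_decide(const char *user, const char *role, const char *dom, unsigned cap) {
    if (!linked(user_role, N(user_role), user, role)) return 0;
    if (!linked(role_domain, N(role_domain), role, dom)) return 0;
    for (size_t i = 0; i < N(domains); i++)
        if (!strcmp(domains[i].name, dom))
            return (domains[i].caps & cap_bit(cap)) != 0;
    return 0;                            /* unknown domain: default deny */
}

int main(void) { return cap_decide("alice", "secadm", "label_d", CAPX_MAC_RELABEL) ? 0 : 1; }
```

A domain that holds any capability numbered 32 or higher cannot be expressed in the original 32-capability layout, which is what `fits_legacy32` reports.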


Abstract

A method for realizing least privilege control in a secure operating system, comprising: providing a layered mapping relation between user, role, DTE domain and capability for the system; revising and adding, in the operating system, core functions relating to privilege, system interfaces, capability management, capability decision and capability operation; providing capability management commands for the application layer; and revising the initial session program of the system.

Description

Technical field

[0001] The invention relates to the technical field of digital computer security information systems; more precisely, it relates to a strategy and method for realizing least privilege control in a secure operating system.

Background

[0002] Least privilege is an important design principle of information system security. It is also a key issue that must be solved for a security system to reach level B2 or above of the US "Trusted Computer System Evaluation Criteria" (DoD5200.28-STD-1985), EAL5 or above of the international standard "IT Security Evaluation Standard" (ISO / IEC15408-1999), level 4 or above of the Chinese national standard "Computer Information System Security Protection Classification Criteria" (GB17859-1999), and EAL5 or above of the Chinese national standard "Information Technology Security Technology Information Technology Security Evaluation Criteria" (GB / T18336-2001).

[0003] Due to traditional reasons, there is...


Application Information

Patent Type & Authority: Applications (China)
IPC(8): G06F1/00
Inventor: 卿斯汉, 沈晴霓, 李丽萍, 唐柳英, 季庆光
Owner: INST OF SOFTWARE - CHINESE ACAD OF SCI