High-Integrity Systems Engineering (5): Alloy Example and Trace-Based Modelling (Capability-Based Access Control)

Contents

1. ACCESS CONTROL

1.2 AC Mechanisms and Policies

1.3 Protection State

1.4 Storing Protection State

1.5 Access Control Lists (ACLs)

1.6 Capabilities

1.7 Capabilities: Implementations

1.8 Mandatory vs. Discretionary AC

1.9 MAC

1.10 Bell-LaPadula (BLP) Model

1.11 BLP: Rules

1.12 Boebert’s Attack

2. LET’S MODEL THIS IN ALLOY

2.1 Initial Conditions for Attack

2.2 What we need to model

2.3 Boebert’s Attack

2.4 Boebert’s Attack: Lessons

3. TRACE-BASED MODELLING IN DETAIL

3.1 Trace-Based Modelling

3.2 Trace (Sequence of States) 

3.3 Traces in Alloy 

3.4 Defining Traces

3.5 Summary


1. ACCESS CONTROL

  • who can access what in which ways
    • the “who” are called subjects
      • e.g. users, processes etc.
    • the “what” are called objects
      • e.g. individual files, sockets, processes etc.
      • includes all subjects
    • the “ways” are called permissions
      • e.g. read, write, execute etc.
      • are usually specific to each kind of object
      • include those meta-permissions that allow modification of the protection state
        • e.g. own
  • Access control is about who can access what in which ways. The “who” are called subjects, e.g. users and processes; the “what” are called objects, e.g. individual files, sockets and processes; the “ways” are called permissions, e.g. read, write and execute.
  • Objects include all subjects, and permissions include the meta-permissions that allow the protection state to be modified, e.g. own.

1.2 AC Mechanisms and Policies

  • AC Policy
    • Specifies allowed accesses
    • And how these can change over time
  • AC Mechanism
    • Implements the policy
  • Certain mechanisms lend themselves to certain kinds of policies
    • Certain policies cannot be expressed using certain mechanisms
  • An access control policy specifies which accesses are allowed and how the allowed accesses can change over time.
  • An access control mechanism implements the policy. Certain mechanisms lend themselves to certain kinds of policies, and some policies cannot be expressed with a given mechanism.

1.3 Protection State

Access control matrix defines the protection state at any instant in time

[Table not reproduced on the page] The table shows, at one instant in time, the access rights of the subjects (Subj1, Subj2, Subj3) to the objects (Obj1, Obj2, Obj3, Subj2).

1.4 Storing Protection State

  • Not usually as access control matrix
    • too sparse, inefficient
  • Two obvious choices:
    • store individual columns with each object
      • defines the subjects that can access each object
      • each such column is called the object’s access control list
    • store individual rows with each subject
      • defines the objects each subject can access
      • each such row is called the subject’s capability list

The protection state is usually not stored as an access control matrix, because the matrix is too sparse and inefficient. There are two obvious choices:

  1. Store each column with its object. The column defines the subjects that can access that object and is called the object’s access control list (ACL).
  2. Store each row with its subject. The row defines the objects that subject can access and is called the subject’s capability list.

1.5 Access Control Lists (ACLs)

  • Subjects usually aggregated into classes
    • e.g. UNIX: owner, group, everyone
  • Meta-permissions (e.g. own)
    • control class membership
    • allow modifying the ACL
  • Implemented in almost all commercial OSes
  • Subjects are usually aggregated into classes, e.g. owner, group and everyone in UNIX.
  • Meta-permissions (e.g. own) control class membership and allow the ACL to be modified.
  • ACLs are implemented in almost all commercial operating systems. For example:

[Table not reproduced on the page] The table shows the access rights of the subjects (Subj1, Subj2, Subj3) to the object Obj1.
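As an added example (not part of the lecture notes), the following Python builds both storage views of section 1.4 from one constructed access control matrix, checks that the ACL view and the capability-list view answer every (subject, object, permission) query identically, and uses the own meta-permission from section 1.5 to gate modification of an ACL. All subject, object and permission names are constructed sample values.

```python
from collections import defaultdict

# Constructed protection state in the layout of the lecture's matrix:
# rows are subjects, columns are objects (Subj2 is a subject and an object).
MATRIX = {
    ("Subj1", "Obj1"): {"read", "write", "own"},
    ("Subj1", "Obj2"): {"read"},
    ("Subj2", "Obj1"): {"read"},
    ("Subj2", "Obj3"): {"read", "write", "own"},
    ("Subj3", "Subj2"): {"signal"},  # objects include all subjects
}


def acls(matrix):
    """Column view: object -> {subject: permissions} (one ACL per object)."""
    out = defaultdict(dict)
    for (subj, obj), perms in matrix.items():
        out[obj][subj] = set(perms)
    return dict(out)


def cap_lists(matrix):
    """Row view: subject -> {object: permissions} (one capability list per subject)."""
    out = defaultdict(dict)
    for (subj, obj), perms in matrix.items():
        out[subj][obj] = set(perms)
    return dict(out)


def allowed_acl(acl, subj, obj, perm):
    return perm in acl.get(obj, {}).get(subj, set())


def allowed_cap(caps, subj, obj, perm):
    return perm in caps.get(subj, {}).get(obj, set())


def grant(acl, actor, obj, subj, perm):
    """Meta-permission check: only a holder of 'own' on obj may edit its ACL."""
    if not allowed_acl(acl, actor, obj, "own"):
        return False
    acl.setdefault(obj, {}).setdefault(subj, set()).add(perm)
    return True


def views_agree(matrix):
    """Both sparse encodings must answer every query like the full matrix."""
    acl, caps = acls(matrix), cap_lists(matrix)
    subjects = {s for s, _ in matrix}
    objects = {o for _, o in matrix}
    perms = set().union(*matrix.values())
    return all(allowed_acl(acl, s, o, p) == allowed_cap(caps, s, o, p)
               for s in subjects for o in objects for p in perms)
```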
