基于广义污点传播模型的操作系统访问控制

摘要

动态调整安全级是目前提高强制访问控制模型可用性的主要途径,它大致包括两类方法.其中,安全级范围方法对主体权限最小化的支持不够,而污点传播方法存在已知隐蔽通道.提出了保护操作系统保密性和完整性的广义污点传播模型(generalized taint propagation model,简称GTPM),它继承了污点传播在最小权限方面的特点,拓展了污点传播语义,以试图关闭已知隐蔽通道,引入了主体的降密和去污能力以应对污点积累；还利用通信顺序进程(CSP)语言描述了模型的规格,以明确基于GTPM的操作系统的信息流控制行为的形式化语义；基于CSP的进程等价验证模型定义了可降密无干扰,并借助FDR工具证明形式化构建的抽象GTPM系统具有可降密无干扰安全性质.最后,通过一个示例分析了模型的可用性提升.%Dynamically adjusting the security label of each subject is a main approach to improving the availability of MAC models. It includes the method of security label range and the method of taint propagation. The former lacks the support for a less proviledge subject, and the latter has a known covert channels. In this paper, a model called generalized taint propagation model (GTPM) is proposed to protect the confidentiality and integrity of operating systems. It inherits the least privilege characteristic of taint propagation model (TPM), expands the semantics of TPM to close the known covert channels, and introduces declassification and decontamination capacities of subjects to avoid accumulating contamination. The paper also introduces its specification using communicating sequential processes (CSP) language to clear the formal semantics of a GTPM operating system's behaviors of information flow control; Moreover, the study noninterference with declassification in CSP verification model of process equivalence, and proves that abstract GTPM system have the security property of noninterference with declassification in virtue of FDR tool. Finally, this paper uses an example to demonstrate its improvement of availability.