CISP Lecture Notes: Information Security Models

Uploader: pu****.1 | Document ID: 567383729 | Uploaded: 2024-07-20 | Format: PPT | Pages: 54 | Size: 911.50KB

Slide 2: Information Security Models (outline)
- 1 Security model concepts
- 2 Access control models
- 3 Information flow models
- 4 Integrity models
- 5 Information security models

Slide 3: 1 Security model concepts
- A security model is used to describe the security characteristics of an information system precisely and formally, and to explain the reasons behind the system's security-relevant behaviour.
- Classification 1: access control models and information flow models.
- Classification 2: by requirement: confidentiality, integrity, availability (DoS), etc.
- Existing "security models" are essentially not complete "models": they only describe security requirements (e.g. confidentiality) and give no mechanism or method for implementing those requirements.

Slide 4: 1.1 Security models
- Security goals: confidentiality, integrity, DoS (availability).
- Control goals: assurance (TCB, Trusted Computing Base; Reference Monitor), security policy (Policy: DAC, MAC), audit.
- Formal methods for security models: state machines, state transitions, invariants; modularity, abstract data types (object-oriented).

Slide 5: 1.2 Role of security models
- Design phase
- Implementation phase
- Review phase
- Maintenance phase

Slide 6: 1.3 The abstraction process of a security model
- Step 1: Identify requirements on the external interface (input, output, attributes).
- Step 2: Identify internal requirements.
- Step 3: Design rules of operation for policy enforcement.
- Step 4: Determine what is already known.
- Step 5: Demonstrate consistency and correctness.
- Step 6: Demonstrate relevance.

Slide 7: 1.4 Overview
(Diagram; the recoverable labels are: confidentiality; access control; information flow; DAC (discretionary); MAC (mandatory); integrity; RBAC; BLP; Chinese Wall; (noninterference, nonobservability); Biba; Clark-Wilson.)
The "Chinese Wall" policy is a mandatory access control policy for stock market analysts. This organizational policy is legally binding in the United Kingdom stock exchange.

Slide 8: 2 Access control models
- 2.1 Discretionary Access Control (DAC): confidentiality and integrity; Trojan horse programs.
- 2.2 Mandatory Access Control (MAC): confidentiality; covert channels.
- 2.3 Role-Based Access Control (RBAC): a management approach.

Slide 9: 2.1 Discretionary access control
Characteristic: the access mode is decided by the identity and authorization of the subject.
Weakness: as information moves, the access-right relationships can be changed. For example, user A can pass its access right on object O to user B, so that B, who has no access right on O, can access O.

Slide 10: State machines
- The Lampson model. The structure of the model is abstracted as a state machine whose state is the triple (S, O, M): S is the set of subjects, O is the set of objects (which may contain a subset of S), and M is the access matrix, whose cell M[s, o] denotes the access rights of subject s over object o. All access rights form a finite set A. State transitions are realized by changing the access matrix M.
- Although simple, this security model has had a large and long-lasting influence on the history of computer security research: the HRU security model proposed by Harrison, Ruzzo and Ullman and the BLP security model proposed by Bell and LaPadula are both based on it.

Slide 11: HRU model (1)
- Form of a system request:
    if a1 in M[s1, o1] and a2 in M[s2, o2] and ... and am in M[sm, om]
    then op1 ... opn

Slide 12: HRU model (2)
- A system request consists of a condition part and an operation part, where each ai is in A and each opi is one of the following six primitive operations (their semantics are as their names suggest):
    enter a into (s, o), delete a from (s, o)      (matrix)
    create subject s, destroy subject s           (subject)
    create object o, destroy object o             (object)

Slide 13: HRU model (3)
- Definition of system safety: given a system with initial state Q0 and an access right a, if, when execution starts from Q0, there is no system request that writes into a matrix cell an access right that the cell does not contain, then we say Q0 is safe with respect to right a.
- Fundamental theorem on the complexity of system safety: for mono-operational systems (MOS), in which every system request contains only one operation, safety is decidable; for general non-mono-operational systems (NMOS), safety is undecidable.

Slide 14: HRU model (4)
- The dilemma implied by the fundamental theorem: the general HRU model has strong expressive power for security policies, but there is no general computable algorithm that decides the effect of a given security policy (the problem is recursively enumerable); although there is a general computable algorithm that decides the effect of security policies for HRU models satisfying the MOS condition, the expressive power of MOS HRU models is too weak to express many important security policies.
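As an added example (not code from the slides), the following Python models the HRU state machine of slides 10 to 14: the state triple (S, O, M), the six primitive operations, commands of the form "if ... then ...", and the one-step form of the safety definition above. The scenario (subjects A and B, object O, rights own and read) is constructed to match the DAC weakness described on slide 9. The general safety question over arbitrary request sequences is the one the slide calls undecidable; leaks_right only decides whether one command leaks a right from one given state.

```python
from copy import deepcopy

# The six primitive operations named on the "HRU model (2)" slide.
PRIMITIVES = {"enter", "delete", "create_subject", "destroy_subject",
              "create_object", "destroy_object"}


class HRUState:
    """State triple (S, O, M); M[(s, o)] is the set of rights of s over o."""

    def __init__(self):
        self.S, self.O, self.M = set(), set(), {}

    def rights(self, s, o):
        return self.M.get((s, o), set())

    def enter(self, a, s, o):
        if s not in self.S or o not in self.O:
            raise ValueError(f"enter {a} into unknown cell ({s}, {o})")
        self.M.setdefault((s, o), set()).add(a)

    def delete(self, a, s, o):
        self.M.get((s, o), set()).discard(a)

    def create_subject(self, s):
        self.S.add(s)
        self.O.add(s)   # subjects are also objects (O may contain a subset of S)

    def destroy_subject(self, s):
        self.S.discard(s)
        self.O.discard(s)
        self.M = {cell: rs for cell, rs in self.M.items() if s not in cell}

    def create_object(self, o):
        self.O.add(o)

    def destroy_object(self, o):
        self.O.discard(o)
        self.M = {cell: rs for cell, rs in self.M.items() if cell[1] != o}


class Command:
    """A system request: if a1 in M[s1,o1] and ... then op1 ... opn."""

    def __init__(self, conditions, body):
        self.conditions = conditions   # list of (right, subject, object)
        self.body = body               # list of (primitive name, argument tuple)
        bad = [op for op, _ in body if op not in PRIMITIVES]
        if bad:
            raise ValueError(f"not primitive operations: {bad}")

    def is_mono_operational(self):
        return len(self.body) == 1

    def run(self, state):
        """Execute on `state` in place; return False if the condition failed."""
        if not all(a in state.rights(s, o) for a, s, o in self.conditions):
            return False
        for op, args in self.body:
            getattr(state, op)(*args)
        return True


def leaks_right(state, command, right):
    """One-step form of the slide's safety definition: return the matrix cells
    into which running `command` from `state` writes `right` although they did
    not contain it before (empty set = this step is safe for `right`)."""
    before = {cell: set(rs) for cell, rs in state.M.items()}
    after = deepcopy(state)
    command.run(after)
    return {cell for cell, rs in after.M.items()
            if right in rs and right not in before.get(cell, set())}


def dac_grant_scenario():
    """Constructed scenario from the DAC slide: owner A passes its read right
    on O to B, who previously had no right on O at all."""
    st = HRUState()
    for subj in ("A", "B"):
        st.create_subject(subj)
    st.create_object("O")
    st.enter("own", "A", "O")
    st.enter("read", "A", "O")
    grant = Command(conditions=[("own", "A", "O")],
                    body=[("enter", ("read", "B", "O"))])
    leaked_cells = leaks_right(st, grant, "read")
    grant.run(st)
    return leaked_cells, st.rights("B", "O"), grant.is_mono_operational()
```

The grant command is mono-operational, so the one-step check is exactly what a DAC reference monitor could evaluate before executing it; a policy that wants to forbid this propagation has to refuse the request, because once read is in M[B, O] the HRU model has no record of where it came from.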

Slide 15: HRU model (5)
- Further research on the HRU model shows that even if we fully understand the program that propagates a user's access rights, it is still very hard to predict within the HRU model how the access rights will be propagated.
- Relatedly, because users usually do not know what operations a program actually performs, further security problems arise. For example, user A is granted the right to execute a program belonging to user B; user A may not know that executing the program transfers to B access rights held by A that have nothing to do with B. Similarly, a program that ostensibly performs one function (e.g. text editing) while covertly performing another (e.g. propagating the read right on the edited file) is called a Trojan horse program.

Slide 16: 2.2 Mandatory access control
Characteristics:
(1) Subjects and objects are assigned levels, and the access mode is decided by the level labels of the subject and the object; for example: top secret, secret, confidential, unclassified.
(2) The access control relations are: read up / write down (integrity), and read down / write up (confidentiality).
(3) A one-way information flow pattern is realized through graded security labels.
(Diagram of flow between levels; labels: Ln, Hi, Hn, Li.)

Slide 17: BLP model
Like the HRU model, the BLP model's elements include subjects, objects, access rights and the access control matrix. In addition, BLP defines over the sets S and O a function F: S U O -> L; applying F to a subject or object in a given state yields its security level. The security levels L form a lattice. The state set V of the model is the set of pairs (F, M), where M is the access matrix. The transition function is T: V x R -> V, where R is the set of requests; when a system request is executed, the system performs a state transition.

Slide 18: BLP model (1)
- Definition 4.1: a state (F, M) is "read secure" (also called "simple security") if and only if [condition given as a formula on the slide; not present in the extracted text].
- Definition 4.2: a state (F, M) is "write secure" (also called the "*-property") if and only if [condition given as a formula on the slide; not present in the extracted text].
- Definition 4.3: a state is "state secure" if and only if it is both "read secure" and "write secure".
- Definition 4.4: a system (v0, R, T) is secure if and only if the initial state v0 is "state secure" and every state v reachable from v0 by executing a finite sequence of system requests from R is also "state secure".

Slide 19: BLP model (2)
- Theorem 4.3: the system (v0, R, T) is secure if and only if [condition given as a formula on the slide; not present in the extracted text], where T is the transition function, meaning that the reachable state v is reached from the initial state v0 by executing a finite sequence of system requests from R.
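The slides state definitions 4.1 and 4.2 only by name, so the added example below (not code from the slides) uses the standard formulation of the two properties: a subject holding read on an object must dominate the object's level, and an object a subject holds write on must dominate the subject's level. Levels are (classification, categories) pairs ordered as a lattice, F is the level function, M the access matrix, T the transition function and the request sequence plays the role of R. The user, file and category names are constructed; the last request is the slide-20 scenario of a Trojan horse at a high level writing into a file a low-level user can read.

```python
CLASSIFICATION = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}


class Level:
    """A security level in the lattice L: (classification, set of categories)."""

    def __init__(self, classification, categories=()):
        self.rank = CLASSIFICATION[classification]
        self.categories = frozenset(categories)

    def dominates(self, other):
        """Partial order of the lattice: higher-or-equal rank AND superset of categories."""
        return self.rank >= other.rank and self.categories >= other.categories


def read_secure(F, M):
    """Definition 4.1 (simple security), standard formulation: a subject that
    holds 'read' on an object must dominate the object's level (no read up)."""
    return all(F[s].dominates(F[o])
               for (s, o), rights in M.items() if "read" in rights)


def write_secure(F, M):
    """Definition 4.2 (*-property), standard formulation: an object a subject
    holds 'write' on must dominate the subject's level (no write down)."""
    return all(F[o].dominates(F[s])
               for (s, o), rights in M.items() if "write" in rights)


def state_secure(F, M):
    """Definition 4.3: both read secure and write secure."""
    return read_secure(F, M) and write_secure(F, M)


def T(v, request):
    """Transition function T: V x R -> V.  A request (s, o, right) simply
    records the right in a copy of the matrix; T itself performs no policy
    check, which is why system_secure must inspect every reachable state."""
    F, M = v
    s, o, right = request
    M2 = {cell: set(rs) for cell, rs in M.items()}
    M2.setdefault((s, o), set()).add(right)
    return (F, M2)


def system_secure(v0, requests, T):
    """Definition 4.4: v0 and every state reached by executing the finite
    request sequence are state secure."""
    v = v0
    if not state_secure(*v):
        return False
    for r in requests:
        v = T(v, r)
        if not state_secure(*v):
            return False
    return True


def demo():
    """Constructed levels and requests; shows both BLP properties and the
    category part of the lattice (rank alone is not enough to read)."""
    F = {
        "alice":      Level("secret", {"nuclear"}),
        "bob":        Level("top_secret"),           # higher rank, but lacks the category
        "mallory":    Level("unclassified"),
        "trojan":     Level("secret", {"nuclear"}),  # a program running at alice's level
        "plan.doc":   Level("secret", {"nuclear"}),
        "public.txt": Level("unclassified"),
    }
    v0 = (F, {})
    requests = [
        ("alice", "plan.doc", "read"),      # read at own level: allowed
        ("bob", "plan.doc", "read"),        # rank dominates, categories do not: read up
        ("mallory", "plan.doc", "read"),    # read up: violates simple security
        ("trojan", "public.txt", "write"),  # write down: violates the *-property (slide 20)
    ]
    per_request = [state_secure(*T(v0, r)) for r in requests]
    return per_request, system_secure(v0, requests[:1], T), system_secure(v0, requests, T)
```

Because T grants whatever is requested, the system with all four requests is insecure under definition 4.4; a reference monitor would instead evaluate state_secure on the candidate successor state and refuse the request when it returns False, which keeps every reachable state secure by construction.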

Slide 20: BLP model (3)
"Read secure" forbids a low-level user from obtaining read access to a high-level file.
"Write secure" prevents a high-level Trojan horse program from copying the contents of a high-level file into a file that a low-level user has read access to.

Slide 21: Discretionary vs. mandatory
1. Discretionary control is too weak.
2. Mandatory control is too strong.
3. Both involve a large amount of work and are hard to administer.
Example: 1000 subjects accessing 10000 objects require 10 million configuration entries. If each entry takes 1 second and a working day is 8 hours, this takes 10,000,000 / (3600 * 8) = 347.2 days.

Slide 22: Discretionary vs. mandatory (figure)

Slide 23: 2.3 RBAC model
- The role concept: abstractly, a role is the set of actions and responsibilities associated with a particular work activity. A role is oriented toward user groups but is not the same as a user group: a role comprises both a set of users and a set of permissions.

Slide 24: 2.3 Role control vs. DAC and MAC
Role control is relatively independent: depending on the configuration, some roles can be made close to DAC and others close to MAC.

Slide 25: 2.3 RBAC model
Base model RBAC0; role hierarchy model RBAC1; role constraint model RBAC2; unified model RBAC3.
(Diagram: RBAC3 above RBAC1 and RBAC2, RBAC0 below them.)

Slides 26 to 29: 2.3 RBAC model (figures)

Slide 30: 2.3 Advantages of role control
- Easier authorization management
- Easier role partitioning
- Easier assignment of least privilege
- Easier separation of duties
- Easier classification of targets

Slide 31: Mandatory control vs. information flow
Covert channel: an access control model enforces the security policy by controlling subjects and objects, but a malicious user may still exploit side effects of the system to form a covert channel from a high security level to a low one.
Information flow model: instead of controlling subjects and objects, it directly controls the information flow between users.
Example: if a = 0 then b := c. Information flows explicitly from c to b (when a = 0) and implicitly from a to b (when b differs from c).

Slide 32: 3 Information flow models
- The information flow concept: information flow "from object a to object b" means that the value of object b depends in some way on the value of object a.

Slide 33: 3 Information flow models
- For program code we can enumerate all information flows between program variables and thereby verify whether an illegal information flow exists.
- The formalization of the information flow model is a state machine model, so a series of information flow "assertions" can be formed; these assertions are also called security properties, which include noninterference and nonobservability.
- Description tool: the SPA language (Security Process Algebra), based on Hoare logic (traces).

Slide 34: 3 Information flow models (figure)
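The following is an added example (not code from the slides) of the enumeration described on slide 33, applied to the slide-31 program. Programs are nested tuples in a tiny constructed language: ("assign", target, source) copies a variable or a constant, and ("if", var, const, then_block, else_block) branches on var == const. Explicit flows come from assignments; implicit flows come from the condition variables of every enclosing if. The block also runs the program twice to show the dynamic side of the slide's remark that the implicit flow is only observable when b differs from c (a noninterference test). The labels "high" and "low" and the variable names are constructed.

```python
def enumerate_flows(block, pc=frozenset()):
    """Return the set of direct flows (source, target, kind) in `block`.
    `pc` holds the condition variables of the enclosing if statements."""
    flows = set()
    for stmt in block:
        if stmt[0] == "assign":
            _, target, src = stmt
            if isinstance(src, str):                        # b := c
                flows.add((src, target, "explicit"))
            flows |= {(v, target, "implicit") for v in pc}  # from enclosing conditions
        elif stmt[0] == "if":
            _, var, _const, then_block, else_block = stmt
            inner = pc | {var}
            flows |= enumerate_flows(then_block, inner)
            flows |= enumerate_flows(else_block, inner)
        else:
            raise ValueError(f"unknown statement kind {stmt[0]!r}")
    return flows


def transitive_flows(block):
    """Close the direct flows under composition (flow-insensitive, so conservative)."""
    direct = {(s, t) for s, t, _ in enumerate_flows(block)}
    closed = set(direct)
    while True:
        extra = {(a, d) for (a, b) in closed for (c, d) in direct if b == c}
        if extra <= closed:
            return closed
        closed |= extra


def illegal_flows(block, labels):
    """Every flow from a 'high' variable into a 'low' variable violates the policy."""
    return {(s, t) for s, t in transitive_flows(block)
            if labels[s] == "high" and labels[t] == "low"}


def run(block, env):
    """Concrete semantics: assignments copy a variable or a constant; an if
    statement compares a variable with a constant."""
    for stmt in block:
        if stmt[0] == "assign":
            _, target, src = stmt
            env[target] = env[src] if isinstance(src, str) else src
        else:
            _, var, const, then_block, else_block = stmt
            run(then_block if env[var] == const else else_block, env)
    return env


def low_view(block, env, labels):
    out = run(block, dict(env))
    return {v: val for v, val in out.items() if labels[v] == "low"}


def interferes(block, labels, env1, env2):
    """Noninterference test: two initial states that agree on all low variables
    must produce the same low view; return True if they do not."""
    if any(env1[v] != env2[v] for v in env1 if labels[v] == "low"):
        raise ValueError("the two runs must agree on low inputs")
    return low_view(block, env1, labels) != low_view(block, env2, labels)


# The slide's program: if a = 0 then b := c   (a is high; b and c are low)
PROGRAM = [("if", "a", 0, [("assign", "b", "c")], [])]
LABELS = {"a": "high", "b": "low", "c": "low"}
```

The static enumeration reports the flow a -> b regardless of the runtime values, which is what a policy check needs; the dynamic test shows why: with b equal to c the two runs are indistinguishable, but with b different from c the low observer learns whether a was 0.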

Slide 35: 4 Integrity models
- Data integrity
  - Information protection; DATABASE (domain, entity, referential, application semantics, concurrency control)
- System integrity
  - System protection, hardware protection, fault-tolerance techniques

Slide 36: Integrity goals
- Preventing unauthorized users from making modifications (confidentiality)
- Maintaining internal and external consistency (consistency)
- Preventing authorized users from making improper modifications (logical consistency)

Slide 37: Integrity principles
- 1 Identity
- 2 Constraints
- 3 Obligation
- 4 Accountability
- 5 Authorization
- 6 Least privilege
- 7 Separation
- 8 Monitoring
- 9 Alarms
- 10 Non-reversible actions
- 11 Redundancy
- 12 Minimization: variable minimization, data minimization, target value minimization, access time minimization

Slide 38: Biba model (figure)

Slide 39: Integrity policies
Biba considers internal threats to be adequately handled by program testing and verification techniques; the Biba model addresses only external threats.
- Low-Water Mark Policy
- Low-Water Mark Policy for Objects
- Low Water Mark Integrity Audit Policy
- Ring Policy
- Strict Integrity Policy

Slide 40: Low-water mark policy
- for all s in S, o in O: s m o  implies  il(o) <= il(s)    (m: modify)
- for all s1, s2 in S: s1 i s2  implies  il(s2) <= il(s1)  (i: invoke)
- For each observe access by a subject s to an object o: il(s) = min{il(s), il(o)}, where il(s) is the integrity level of s immediately following the access.
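As an added example (not code from the slides), the three rules of slide 40 in Python: modify and invoke are checked against the current levels, and observe always succeeds but lowers the subject to min(il(s), il(o)). For contrast the block also implements the Strict Integrity Policy that slide 39 lists by name, in its standard formulation (observe is permitted only if il(s) <= il(o), and levels never change); that formulation is assumed here, not taken from the slide. Subject and object names and the numeric levels are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class LowWaterMarkSystem:
    il: dict                                   # integrity level of every subject and object
    trace: list = field(default_factory=list)  # (operation, subject, target, permitted)

    def observe(self, s, o):
        """Observe is always permitted, but il(s) drops to min(il(s), il(o))."""
        self.il[s] = min(self.il[s], self.il[o])
        self.trace.append(("observe", s, o, True))
        return True

    def modify(self, s, o):
        """s m o  requires  il(o) <= il(s): no writing to higher integrity."""
        ok = self.il[o] <= self.il[s]
        self.trace.append(("modify", s, o, ok))
        return ok

    def invoke(self, s1, s2):
        """s1 i s2  requires  il(s2) <= il(s1)."""
        ok = self.il[s2] <= self.il[s1]
        self.trace.append(("invoke", s1, s2, ok))
        return ok


class StrictIntegritySystem(LowWaterMarkSystem):
    """Strict integrity policy, standard formulation (assumed): observe is
    permitted only if il(s) <= il(o); levels are never changed."""

    def observe(self, s, o):
        ok = self.il[s] <= self.il[o]
        self.trace.append(("observe", s, o, ok))
        return ok


def scenario(system_cls):
    """Constructed scenario: a high-integrity updater reads an untrusted
    download, then tries to modify a high-integrity config file and to invoke
    a medium-integrity helper.  Returns the four decisions and the updater's
    final level."""
    system = system_cls({"updater": 2, "helper": 1, "download.bin": 0, "config": 2})
    r1 = system.modify("updater", "config")         # before reading untrusted data
    r2 = system.observe("updater", "download.bin")
    r3 = system.modify("updater", "config")         # after: contaminated under low-water mark
    r4 = system.invoke("updater", "helper")
    return (r1, r2, r3, r4), system.il["updater"]
```

Under the low-water mark policy the read succeeds but permanently demotes the updater, so its later write to config and its call to helper are refused; under strict integrity the read itself is refused and the updater keeps its level. Both prevent low-integrity data from reaching config, at different points.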

Slide 41: Clark-Wilson model
- The four elements defined by the Clark-Wilson model: constrained data items (CDIs), unconstrained data items (UDIs), integrity verification procedures (IVPs), and transformation procedures (TPs).
- There are nine certification (C) and enforcement (E) rules that govern the interaction of these model elements. Certification is done by the security officer, system owner, and system custodian with respect to an integrity policy; enforcement is done by the system.

Slide 42: Clark-Wilson integrity principles
- The principle of separation of duty states that no single person should perform a task from beginning to end, but that the task should be divided among two or more people to prevent fraud by one person acting alone.
- The principle of well-formed transaction is defined as a transaction where the user is unable to manipulate data arbitrarily, but only in constrained (limited or bounded) ways that preserve or ensure the integrity of the data. A security system in which transactions are well-formed ensures that only legitimate actions can be executed, and ensures that the internal data is accurate and consistent with what it represents in the real world.

Slide 43: Certification rules
- C1 (IVP Certification): The system will have an IVP for validating the integrity of any CDI.
- C2 (Validity): The application of a TP to any CDI must maintain the integrity of that CDI. CDIs must be certified to ensure that they result in a valid CDI.
- C3: A CDI can only be changed by a TP. TPs must be certified to ensure they implement the principles of separation of duties and least privilege.
- C4 (Journal Certification): TPs must be certified to ensure that their actions are logged.
- C5: TPs which act on UDIs must be certified to ensure that they result in a valid CDI.

Slide 44: Enforcement rules (Amoroso)
- E1 (Enforcement of Validity): Only certified TPs can operate on CDIs.
- E2 (Enforcement of Separation of Duty): Users must only access CDIs through TPs for which they are authorized.
- E3 (User Identity): The system must authenticate the identity of each user attempting to execute a TP.
- E4 (Initiation): Only the administrator can specify TP authorizations.
- The CW model differs from the other models, which allow subjects to gain access to objects directly rather than through programs. The access triple is at the heart of the CW model, which prevents unauthorized users from modifying data or programs.
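The following added example (not code from the slides or from any Clark-Wilson implementation) is a minimal enforcement kernel for the rules on slides 43 and 44: CDIs live in a store, an IVP checks a ledger invariant (C1, C2), only certified TPs may touch CDIs (E1), access is mediated by (user, TP, CDI set) triples (E2), users must authenticate first (E3), only the administrator may add triples (E4), and every TP execution is journaled (C4). The account names, balances, passwords and TP bodies are constructed; a TP that was certified carelessly is included to show the IVP catching a transaction that is not well-formed.

```python
class CWKernel:
    """Enforcement side of Clark-Wilson; certification is a human decision and
    is represented only by the certify_tp call."""

    def __init__(self, admin, credentials):
        self.admin = admin
        self.credentials = credentials   # constructed user -> password map (E3)
        self.sessions = set()            # authenticated users
        self.cdis = {}                   # constrained data items
        self.tps = {}                    # certified TP name -> callable (E1)
        self.ivps = []                   # integrity verification procedures (C1)
        self.triples = set()             # (user, tp, frozenset(cdis)) access triples (E2)
        self.journal = []                # append-only log of TP applications (C4)

    def authenticate(self, user, password):
        if self.credentials.get(user) == password:
            self.sessions.add(user)
            return True
        return False

    def certify_tp(self, name, fn):
        """Security officer certifies a TP; fn(cdis, *cdi_names, **args)."""
        self.tps[name] = fn

    def add_triple(self, actor, user, tp, cdis):
        """E4: only the administrator specifies TP authorizations."""
        if actor != self.admin:
            raise PermissionError("only the administrator may set access triples")
        self.triples.add((user, tp, frozenset(cdis)))

    def run_ivps(self):
        return all(ivp(self.cdis) for ivp in self.ivps)

    def execute(self, user, tp, cdis, **args):
        if user not in self.sessions:
            return "denied: not authenticated"                     # E3
        if tp not in self.tps:
            return "denied: TP not certified"                      # E1
        if (user, tp, frozenset(cdis)) not in self.triples:
            return "denied: no access triple"                      # E2
        snapshot = dict(self.cdis)
        self.tps[tp](self.cdis, *cdis, **args)
        if not self.run_ivps():                                    # C2: integrity must be kept
            self.cdis = snapshot
            self.journal.append((user, tp, tuple(cdis), args, "rolled back"))
            return "rolled back: IVP failed"
        self.journal.append((user, tp, tuple(cdis), args, "ok"))  # C4
        return "ok"


def transfer(cdis, src, dst, amount):
    """Well-formed TP: moves value, the ledger total is unchanged."""
    cdis[src] -= amount
    cdis[dst] += amount


def sloppy_credit(cdis, acct, amount):
    """Not well-formed: creates value out of nothing (certified by mistake)."""
    cdis[acct] += amount


def scenario():
    k = CWKernel(admin="secoff", credentials={"clerk": "pw1", "auditor": "pw2"})
    k.cdis = {"acct_a": 100, "acct_b": 50}
    # IVP: the ledger total is 150 and no account is negative.
    k.ivps.append(lambda c: c["acct_a"] + c["acct_b"] == 150 and min(c.values()) >= 0)
    k.certify_tp("transfer", transfer)
    k.certify_tp("credit", sloppy_credit)
    k.add_triple("secoff", "clerk", "transfer", ["acct_a", "acct_b"])
    k.add_triple("secoff", "clerk", "credit", ["acct_a"])
    results = [k.execute("clerk", "transfer", ["acct_a", "acct_b"], amount=30)]  # not logged in
    k.authenticate("clerk", "pw1")
    results.append(k.execute("clerk", "transfer", ["acct_a", "acct_b"], amount=30))
    results.append(k.execute("clerk", "mint", ["acct_a"], amount=5))            # uncertified TP
    k.authenticate("auditor", "pw2")
    results.append(k.execute("auditor", "transfer", ["acct_a", "acct_b"], amount=1))  # no triple
    results.append(k.execute("clerk", "credit", ["acct_a"], amount=5))          # IVP rejects
    return results, dict(k.cdis), len(k.journal)
```

Separation of duty is expressed entirely in which triples the administrator creates (the auditor has none for transfer), and the IVP is the last line of defence when certification was wrong: the sloppy TP is certified and authorized, yet its effect never persists.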

Slide 45: Overview of the NT security model
- Basic components:
- Logon process, which accepts logon requests from users. It is the process that accepts the user's initial interactive logon and password, authenticates it, and grants entry into the system.
- LSA (Local Security Authority) is the heart of the security subsystem. It verifies the logon information against the SAM database and ensures that the user has permission to access the system. It generates the access token, administers the local security policy defined in the system, and is responsible for auditing and logging security events.
- Security Account Manager (SAM) is the database that contains the information for all user and group accounts and validates users.

Slide 46
- Security Reference Monitor provides real-time services to validate every object access and action made by a user, to ensure that the access or action is authorized. This component enforces the access validation and audit generation policy defined by the Local Security Authority.
- Security Identifiers (SIDs): each user of Windows NT has a unique security ID (SID). When a user logs on, Windows NT creates a security access token.
- Resources such as processes, files, shares and printers are represented in Windows NT as objects. Users never access these objects directly; Windows NT acts as a proxy to these objects, controlling access to and usage of them. A subject in Windows NT is the combination of the user's access token plus the program acting on the user's behalf. Windows NT uses subjects to track and manage permissions for the programs each user runs.

Slide 47: NT interpretation of the C-W model
- Rule 1. The system will have an IVP for validating the integrity of any CDI. In Windows NT there is a local security authority (LSA) which checks the security information in the subject's access token against the security information in the object's security descriptor.
- Rule 2. The application of a TP to any CDI must maintain the integrity of that CDI. In Windows NT, most subjects cannot change the attributes of objects, but some subjects, such as the administrator, have this privilege. Since this is limited to a few special users, this rule is not strictly applied in Windows NT.
- Rule 3. A CDI can only be changed by a TP. As mentioned above, some special users can change the attributes of objects, and no other method can be used to change objects.
- Rule 4. Subjects can only initiate certain TPs on certain CDIs. In Windows NT, the subject's access token includes which kinds of operations are permitted. The operation is allowed only when the information in the access token is consistent with the information in the object's security descriptor.

Slide 48
- Rule 5. CW-triples must enforce some appropriate separation of duty policy on subjects. In Windows NT, the administrator can do anything, so this rule is not applied.
- Rule 6. Certain special TPs on UDIs can produce CDIs as output. In Windows NT, users can change an object from the state without an ACL to the state with an ACL. Generally, this operation is performed by the Administrator.
- Rule 7. Each TP application must cause information sufficient to reconstruct the application to be written to a special append-only CDI. In Windows NT, the audit services can collect information about how the system is being used.
- Rule 8. The system must authenticate subjects attempting to initiate a TP. In Windows NT, every user has his or her SID, and every process acting on behalf of that user carries the same SID. In this way, Windows NT can authenticate subjects attempting to initiate a TP.
- Rule 9. The system must only permit special subjects (i.e., security officers) to make any authorization-related lists. In Windows NT, only the administrator can perform and view some high-security events.

Slide 49: 5 Information security models

Slide 50: Main references
- A Guide to Understanding Security Modeling in Trusted Systems, NCSC, 1992
- Integrity in Automated Information Systems, NCSC, 1991

Slides 51 and 52: Review questions (the answer given on the slide follows each question)
1. What is the term for the marking assigned to the assets of a computer system? Answer: C
   A. security attribute  B. security characteristic  C. security label  D. security level
2. Which of the following is NOT covered by the ITSEC standard? Answer: D
   A. functional requirements  B. general framework requirements  C. assurance requirements  D. security requirements of specific systems
3. Which models can be used to protect the confidentiality of classified information? Answer: B
   A. the Biba model and the Bell-LaPadula model  B. the Bell-LaPadula model and information flow models  C. the Bell-LaPadula model and the Clark-Wilson model  D. the Clark-Wilson model and information flow models
4. Which property of information does the Orange Book mainly emphasize? Answer: B
   A. integrity  B. confidentiality  C. availability  D. validity
5. Which of the following is NOT included in the ITSEC functional requirements? Answer: D
   A. confidentiality  B. integrity  C. availability  D. validity
6. Which OSI layer does not provide a confidentiality service? Answer: D
   A. presentation layer  B. transport layer  C. network layer  D. session layer
7. In the reference monitor concept, which design requirement does a reference monitor NOT need to meet? Answer: B
   A. must be tamperproof  B. must be large enough  C. must be small enough  D. must always be invoked
8. In which security model is system access secure at least at the highest level? Answer: C (p. 301)
   A. multilevel security model  B. dedicated security model  C. compartmented model  D. controlled model

Slide 53: Thanks

Slide 54: Any questions?
