Α.Π.Σ. - Formal Access Control Models
gaggelinos@ssl-unipi.gr
;
()
.
:
:
.
:
.
Hilbert:
.
(1/3)
(.. , )
(.. )
.
,
.
:
.
(2/3)
:
: observe alter
Bell LaPadula: read, write, append,
execute
(3/3)
:
.
,
.
b a a b.
.
a b u a u b u
( )
:
.
,
.
:
.
.
.
Access Control Decision Facility
(ISO)
Access Control Enforcement Facility
.
&
(MAC)
.
need-to-know
MAC :
,
, ,
.
H MAC
.
(DAC)
.
(
) .
/
.
,
.
(RBAC)
,
, (..
) .
.
-
.
,
.
RBAC
,
(: , , ,
).
(CWAC)
.
.
:
,
.
Bell-Lapadula (1/3)
.
S,
, e, r,
a, w L.
: V=(BxCxM).
B
.
b.
b (Si,Oj,x).
C LSxLSxLO. C
(cmax(s),c(s),c(o)).
M .
Bell-Lapadula (1/3 )
C LSxLSxLO.
C
(cmax(s),c(s),c(o)).
cmax(s) S
c(s) S
c(o)
M .
Bell-Lapadula (2/3)
: s
o c(o) c(s).
*: s
o,
p c(o) c(p).
ds:
.
Bell-Lapadula (3/3)
.
v1 v2
v1 v2 .
,
, .
:
.
MAC
.
DAC.
(1/2)
, (Sandhu)
.
n
COI1, COI2, ..., COIn.
mi .
n-
.
: ni1 , i2 ,..., in
ik COI k
ik , k 1...n
(2/2)
: l1 l2
l1i=l2i l1i= l2i=, i=1,2,...,n.
RBAC (1/6)
RBAC
:
FLAT RBAC ()
Hierarchical RBAC
Constrained RBAC
Symmetric RBAC
RBAC (2/6)
Flat RBAC
RBAC :
.
- -.
-.
.
.
RBAC (3/6)
Hierarchical RBAC
( 2)
Flat RBAC :
(
).
2a
.
2b
(, ).
RBAC (4/6)
Constrained RBAC ( 3)
Hierarchical
RBAC
3a
.
3b
(, ).
RBAC (5/6)
Symmetric RBAC ( 4)
Constrained
RBAC :
.
4a
.
4b
(, ).
RBAC (6/6)
RBAC
:
RBAC
(1/5)
:
,
.
:
.
RBAC
(2/5)
:
, ,
.
:
.
:
.
RBAC
(3/5)
:
.
:
.
RBAC
(4/5)
:
, ,
,
.
RBAC
(5/5)
:
,
.
Harrison-Ruzzo-Ullman (1/2)
.
R
C
-
(S, O, A) , (S= , =
, = ).
C.
command name (o1, o2, ..., ok)
if r1 in A[s1, o1] and r2 in A[s2, o2] and ... and
rm in A[sm, om]
Harrison-Ruzzo-Ullman (2/2)
:
create object o.
.
create subject s.
.
destroy subject s.
.
destroy object o.
.
enter r into A[s,o].
s .
delete r from A[s,o].
s o.
Graham-Denning
- (Take-Grant)
:
(Information Flow Models)
(1/5)
.
.
,
.
X
n pi
i, i=1,2,...,n. H
$$H(X) = -\sum_{k} p_k \log_2 p_k = \sum_{k} p_k \log_2 \frac{1}{p_k}$$
(Information Flow Models)
(2/5)
.
yj Y,
$$H(X \mid y_j) = -\sum_{k} p(x_k \mid y_j) \log_2 p(x_k \mid y_j) = \sum_{k} p(x_k \mid y_j) \log_2 \frac{1}{p(x_k \mid y_j)}$$
.
X xk
Y yj
$$H(X \mid Y) = \sum_{j} H(X \mid y_j)\, p(y_j)$$
-
.
(Information Flow Models)
(3/5)
:
.
(
)
(
=
)
(bits/sec)
(Information Flow Models)
(4/5)
. .
: (
) .
: x
( ) .
x<=y
x y
x
y, H(x/y).
.
(Information Flow Models)
(5/5)
.
,
.
.
(Non Interference):
.
,
,
.
Biba (1/2)
:
: s
I(s)I(o).
*: s
p () (p).
: s
q I(s)
I(q).
Biba (2/2)
: s
,
.
I(s)
I(o) q
I(q) I(s).
Biba
MAC
BellLaPadula.
Clark-Wilson (1/6)
.
:
:
,
.
:
.
Clark-Wilson (2/6)
()
3 : ,
, .
Clark-Wilson (3/6)
(
) :
1:
.
2:
,
.
Clark-Wilson (4/6)
:
3:
.
4:
( )
.
5:
.
Clark-Wilson (5/6)
(
):
1:
2
.
2:
(_, i, (a,
b,)), ,
.
.
Clark-Wilson (6/6)
:
3:
4:
,
.
(1/7)
: (workflows)
,
(tasks).
:
.
(Workflow
Authorisation Model WAM).
(Task-Based Authorisation Controls TBAC).
(2/7)
:
.
: S =
=
=
PR =
w =
w1 , w2 ,..wn
=
r R 3 r 0
(3/7)
wi={Opi, INi,OUTi,[tli,tui]}
Opi
wi
INi & OUTi
,
.
[tli,tui] .
wi
winsti ={OPERi, INi, OUTi, [tsi,tf]}
(4/7)
:Ai
=
AT ( wi ) =
:
AT ( wi ) ( si , i , , pri )
w i OPi , IN , OUT , tl , tu
Ai si , oi , pri , tb , te
i
.
(5/7)
:
oi
wi tai..
tsi.
tai tui sis(AT),
tui
tai tli
pripr(AT), tei
tbitli
tbittai.
(6/7)
:
wi tf.
tftui
teitf.
(7/7)
:
:
,
.
,
w1=({read request, prepare check}, {request, check}, {check},
[10,50])
w2=({approve check}, {check}, {check}, [20,60])
w3=({issue check}, {check}, {check}, [40,80]).
: , .
:
A1(w1)=(, (request,-), read),
AT2(w2)=(, (check,-), prepare),
AT(w2)=(, (check,-), approve),
AT(w3)=(, (check,-), issue).
TBAC
:
.
:
DoS
:
.
.
.
.
.
.
.
CPU.