Research Of Access Control Technology On Role-Based Authorization

Security operation system cannot really be accepted and used extensively by usersbecause of two obstacles. One is the weak protecting ability of the security operation system;the other is the difficulty of applying the security operation system. Access Controlmechanism is an important way to enhance the security of operating system, when thetraditional common operation system use Discretionary Access Control to protect the systemresources. However, Discretionary Access Control mechanism brings the problem of excessaccess. Therefore, one of the main objects of the security operation system is to realizeMandatory Access Control. Now there are many researching achievements about theMandatory Access Control policy in the world. In order to put all these achievements together,the MAC framework projects of LSM and FreeBSD realize the access control framework,which supports realizing the access control policy by means of Loadable Kernel Module andprovides multi-policy and agile substitution of policies. However, the main puzzle brought bymulti-policy and agile substitution of policies is the complexity of configuring the securitypolicy, which include: when the administrator configures the security policy for every user, heneed to have professional security policy knowledge and discern the logic domination relationamong the security labels; when security policy changes, he must change the security attributeof every users, which requires not only professional knowledge but also heavy workload. Thecomplexity of configuration decreases the easiness of applying the security operation system.On the base of analyzing access control policy and access control framework technologydeeply, the thesis puts the Role-Based Authorization technology forward to increase theeasiness of applying the security operation system.The thought of Role-Based Authorization is to append a new conception "role" between user and access permission in the operation system, and to associate system user with role, which is endowed with corresponding security attributes. This changes the authorization form of associating operating system user directly with security attributes. Role-Based Authorization technology accords with the management mode in the real life. In the real life, there is usually a great deal of workers and they change frequently, but there is one thing in common basically: "job" is fixed oppositely, and the authority of "job" is fixed oppositely. Therefore, operating system appends the concept "role", which is equal to "job", can decrease the complexity of security configuration efficiently. According to different application environment, operating system provides default configuration of the role's access permission. Then the administrator's work is to assign different role to the user according to his job, which reduces the workload and doesn't require professional security policy knowledge.On the base of Role-Based Authorization thought, the thesis puts forward and realizesaccess control framework based on Role-Based Authorization, which supports realizing access control policy by the form of Loadable Kernel Module. The object of access control framework is to provide a platform for realizing many kinds of access control policy, which are under the control of Role-Based Authorization mechanism. The access control framework based on Role-Based Authorization expands the "session" structure of traditional operating system, appends a new conception of role, and provides HOOK function for the access control policy developers to configure the security policy attribute of role. It also provides system calling for configuring the role attribute of user, and many kinds of HOOK function for realizing the ability of initializing the role's access permission in different policies and computing the process security label.The Role-Based Authorization technology not only can increase the easiness of applying security operation system, but also is beneficial to enhancing the security of operating system. Role-Based Authorization provides very agile mechanism and defines access permission for different users, including the traditional super-users. If the super-user is given an ordinary role, he is the same as an ordinary user. The Role-Based Authorization technology provides a very important base for the least privilege of users.