
Security Policy Formal Definition And Management System

Posted on: 2010-06-18
Degree: Master
Type: Thesis
Country: China
Candidate: S Q Luan
Full Text: PDF
GTID: 2178360272496849
Subject: Computer software and theory

Abstract/Summary:
With the rapid growth of computer networks, mobile code technologies have developed greatly, which makes the safe execution of mobile code from untrusted sources more and more prominent. Model-Carrying Code (MCC), in which untrusted code is accompanied by additional information in the form of a model that captures the security-relevant behavior of the code, provides a framework that enables code producers and consumers to collaborate in order to achieve safety. At the heart of MCC, code producers provide a security-relevant behavior model, and code users make use of the model to verify whether the code satisfies their security policy. If the model is not consistent with the policy, the user can refine the policy. While the code executes, the policy can be enforced to ensure that the execution will not cause damage.

The definition of security policies is an important component of the MCC method. This paper makes use of the Security Policy Description Language (SPDL) to define security policies. SPDL specifies the behavior of an application using patterns that capture sequences of system calls. System calls constitute the event alphabet, while the behavior of the application is captured in terms of sequences of events. Variables are introduced to trace the values of event parameters, so that patterns can represent sequences of event occurrences and data-flow relations among event parameters. A rule is of the form pattern -> action, which indicates that when a process is monitored using the specification and makes a sequence of system calls that matches pattern, the response actions contained in action are launched. A definition of a security policy for ftpd illustrates how to define a security policy with SPDL.

In Chapter Three, an overview of security policies is provided and two typical security policy models, the Bell-LaPadula model and the Biba model, are studied and defined.
The BLP model, which is based on the classification and clearance strategy, focuses on the confidentiality of the system. The BLP model enforces two properties: no read up and no write down. In contrast to the BLP model, the Biba model focuses on integrity rather than confidentiality. The Biba model enforces two properties: no read down and no write up. As the discussion of the Bell-LaPadula and Biba models shows, security means different things in different applications. An understanding of security policy models is useful for defining security policies. This paper provides a method to produce security policies according to formally defined security policy models.

This paper predefines some abstract events and security rule sets that can be reused frequently. System calls whose functions are similar and related are grouped together and defined as an abstract event. This paper introduces eight categories of abstract events: fileAccessOps, fileManageOps, networkManageOps, userManageOps, memoryManageOps, processManageOps, resourceManageOps and systemManageOps. Abstract events simplify the definition of patterns, so that rules defined with abstract events are easier to understand, which reduces the workload of defining security policies. In addition, abstract events are helpful for the development of portable security policies that do not depend on specific system calls. The paper gives 18 definitions of rules that can be reused frequently, such as readSysFiles; the user can select and use them when needed.

In this paper, in order to facilitate the definition and management of security policies, security policies are divided into ten classes: Viewer, Editor, Converter, FileOrganizer, SystemManager, DeviceDriver, Searcher, NetworkUtility, EaseUtility and Others. Each class of security policies has a default definition according to the principle of least privilege.
These default definitions are available to users as templates to help them develop their own security policies. At the same time, such a classification simplifies the management of the security policy repository.

The security policy definition and management tool SPTool is implemented using MFC and provides a user-friendly interface to help users define security policies. The system has three functional modules: the definition of textual security policies, the display of the state transition diagram of the EFSA, and the management of the security policy repository. The textual security policy definition module implements the create, insertion, text editing and file management functions, and provides users with templates for creating security policies. Users can easily insert pre-defined elements of a security policy.

SPTool can produce the state transition diagram of an EFSA from EFSA files. EFSA files contain the event tables, state transition tables and termination state tables of security policies. First, the graphic elements that express the EFSA are defined. Then the algorithm for drawing the EFSA is implemented in the manner of a breadth-first search. The algorithm starts at the initial state. First, it draws all states adjacent to the current state and produces the edges from the initial state to these adjacent states. Second, it advances the current state to the next state. These steps are repeated until the state transition diagram of the EFSA is complete.

The security policy repository is implemented using an Access database. Some additional information is stored with each security policy in the database: the name of the security policy, the class the security policy belongs to, the source of the corresponding application the security policy is used for, and a description of the security policy. The name of a security policy uniquely identifies it.
Both the name and the class name of a security policy can be used to search for it; a search by class name returns all security policies in that class. The source of the corresponding application helps users choose and define security policies, because the level of trust placed in an application is determined to a large extent by the level of trust in its source. The state transition diagram of a security policy's EFSA, handled as a binary large object, can be saved to the security policy repository. SPTool provides add, search, delete and browse functions for the security policy repository.

This paper provides a user-friendly tool to support research on MCC. The design of SPTool takes both expert users and ordinary users into account. The definition of security policies is based on Linux system calls, so the security policies are not portable. In the future, the definitions of security policy models, as well as abstract events and rules, should be further enriched and refined.
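As an added illustration of the rule form pattern -> action, of variables that relate event parameters by data flow, of abstract events, and of the EFSA termination state that fires the action, here is a constructed monitor (not the thesis's SPTool, SPDL syntax or EFSA file format; the readSysFiles rule body, its guards and the two traces are assumptions):

```python
# Toy EFSA monitor for an SPDL-style rule "pattern -> action".  Constructed
# example: not the thesis's SPTool, SPDL grammar or EFSA file format.
# A pattern is a sequence of events (a system call or an abstract event that
# groups several); a variable binds an event parameter so that a later step
# can require a data-flow relation between event parameters.

# Abstract events group related system calls (cf. the thesis's fileAccessOps).
ABSTRACT_EVENTS = {"fileAccessOps": {"open", "read", "write", "close"}}

def event_matches(step_name, syscall):
    """A pattern step names either a concrete system call or an abstract event."""
    return syscall == step_name or syscall in ABSTRACT_EVENTS.get(step_name, ())

# Constructed rule in the spirit of the reusable 'readSysFiles' rule:
#   open(f) with f under /etc, then any fileAccessOps call on the fd that
#   open returned  ->  action "deny".   Step = (event, guard, bindings).
READ_SYS_FILES = {
    "name": "readSysFiles",
    "action": "deny",
    "pattern": [
        ("open", lambda ev, env: ev["path"].startswith("/etc/"),
         lambda ev, env: {"fd": ev["ret"]}),                 # bind variable fd
        ("fileAccessOps", lambda ev, env: ev.get("fd") == env["fd"],
         lambda ev, env: {}),                                # data-flow check
    ],
}

def run_efsa(rule, trace):
    """Drive the EFSA over a syscall trace.  States are pattern indices;
    len(pattern) is the termination state, which fires the rule's action.
    Returns (visited states, action or None)."""
    pattern, state, env, path = rule["pattern"], 0, {}, [0]
    for ev in trace:
        if state < len(pattern):
            name, guard, bind = pattern[state]
            if event_matches(name, ev["syscall"]) and guard(ev, env):
                env.update(bind(ev, env))
                state += 1
        path.append(state)
    return path, (rule["action"] if state == len(pattern) else None)

# Constructed traces; the first reads a system file through the fd open returned.
TRACE_DENIED = [
    {"syscall": "open", "path": "/etc/passwd", "ret": 3},
    {"syscall": "read", "fd": 4},   # unrelated fd: no data-flow link, stays in state 1
    {"syscall": "read", "fd": 3},   # fd bound from open: termination state reached
]
TRACE_ALLOWED = [{"syscall": "open", "path": "/tmp/upload", "ret": 5},
                 {"syscall": "read", "fd": 5}]
```

The visited-state list is the same information an EFSA state transition table records, so the denied trace walks 0 -> 1 -> 1 -> 2 while the allowed trace never leaves the initial state.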
Keywords/Search Tags: Model carrying code, security policy definition, security policy management, security policy repository