The Research And Design Of Policy Language For Access Control

Posted on: 2010-03-16
Degree: Master
Type: Thesis
Country: China
Candidate: X Li
GTID: 2178360302959685
Subject: Computer software theory
Abstract/Summary:
With the widespread application and continuous development of computer systems, the security of the information resources they hold has received growing attention, and security hardening of the operating system is the key to solving this problem. As the number of access control models grows and security requirements diversify, combining access control models has become an important security goal in operating system design, for example the combination of DTE and RBAC in SELinux. This places new demands on research into access control policy languages. On the one hand, the language should be rich, accurate and flexible enough to describe a variety of access control models in a unified way. On the other hand, the language should be readable, succinct and easy to use, which requires a structured and object-oriented approach at the design stage to enhance the reusability and readability of policy code and make it easy for developers to understand and use. Existing languages either have limitations in readability and ease of use, making them hard to understand and apply, or are deficient in unification, supporting only one particular access control technology and offering little support for others.

Based on research into existing security policy languages and access control models, this paper presents EGACPL (Easy to Use and General Access Control Policy Language), an access control policy language for secure operating systems. EGACPL provides a unified description of policy elements and security rules to support a wide range of access control models, and by applying structured and object-oriented design ideas it supports code reuse, which makes the language easy to understand and program in. EGACPL thus offers better generality and ease of use.

The main work and features of this paper are reflected in the following two aspects:

(1) Research and design of an access control policy language for secure operating systems. Based on an analysis of existing security models and policy languages, and on the extraction of the common security features of security models and the key elements of policy languages, this paper abstracts and summarizes how security models are realized and designs the lexical and grammatical rules of the access control policy language so as to ensure its generality. Moreover, drawing on design ideas from high-level languages such as C and C++, it adds structured definitions and object-oriented design elements and supports concepts such as objects and inheritance, improving readability and reusability and making the language easier to use. This meets the new requirements for access control policy languages put forward by current research on secure operating systems.

(2) Design and implementation of a language compiler that supports retargetable back ends. To ensure the robustness and ease of use of the language, this paper designs and implements a compiler for it. The compiler provides basic syntax checking and semantic analysis, which can help users analyze and investigate policy conflicts. It uses a retargetable design to support various back ends and provides a flexible interface for developers to add new ones, which enables the language to adapt to various systems and application environments and enhances its practicality and flexibility.
Keywords/Search Tags:security operating system, access control, policy language, compiler