2 articles found
Personal Delegation by Persona Creation
1
Authors: Coimbatore S. Chandersekaran, William R. Simpson. Computer Technology and Application, 2011, No. 6, pp. 413-423 (11 pages)
There are many business needs for implementing delegation in IT (Information Technology) systems. However, existing approaches to delegation in IT systems are limited in their usability, flexibility, and capability to implement least privilege. The result is that delegation is either not implemented or is implemented informally (e.g., by sharing credentials [passwords or hardware tokens] between users), resulting in serious security concerns and a lack of accountability. This paper describes a methodology for delegation based on the persona concept. A persona is a special category of user that embodies only delegated privileges, and which is explicitly assumed only after the "real" human user taking on that persona explicitly chooses it. This paper describes the persona delegation framework in the context of a large enclave-based architecture currently being implemented by a major enterprise. The creation of a persona solves a lot of downstream problems by allowing the persona to be treated like any other entity in the system. That is, identity, authentication, authorization, and other security processes already know how to handle an entity of this type. Benefits of the framework include increased flexibility to handle a number of different delegation business scenarios, decreased complexity of the solution, and greater accountability with only a modest amount of additional infrastructure required.
Keywords: delegation, enterprise information security, least privilege, attribution, information sharing
A new formal model for privilege control with supporting POSIX capability mechanism (Cited by: 3)
2
Authors: JI Qingguang, QING Sihan, HE Yeping. Science in China (Series F), 2005, No. 1, pp. 46-66 (21 pages)
In order to enforce the least privilege principle in the operating system, it is necessary for the process privilege to be effectively controlled; but this is very difficult because a process always changes as time changes. In this paper, based on the analysis on how the process privilege is generated and how it works, a hierarchy implementing the least privilege principle with three layers, i.e. administration layer, functionality control layer and performance layer, is posed. It is clearly demonstrated that to bound privilege's working scope is a critical part for controlling privilege, but this is only mentioned implicitly while not supported in POSIX capability mechanism. Based on analysis of existing control mechanism for privilege, not only an improved capability inheritance formula but also a new complete formal model for controlling process based on integrating RBAC, DTE, and POSIX capability mechanism is introduced. The new invariants in the model show that this novel privilege control mechanism is different from RBAC's, DTE's, and POSIX's, and it generalizes subdomain control mechanism and makes this mechanism dynamic.
Keywords: formal model, least privilege, role, domain, capability.