关键词: 安全操作系统, 安全策略, 最小特权, 权能, 角色, 域

Abstract: Least privilege mechanism can provide a reasonable degree of security assurance for secure operating systems.This paper described a framework for implementing dynamically modified least privilege security policy,which combined role’s duty separation property and domain’s function separation property.Under the control of its new capability mechanism based on a process’s executable image,current role and current domain,it restricted the process to the minimum amount of privileges within these contexts.This paper illustrated its implementation in ANSHENG OS v4.0,a copyrighted secure operating system satisfying all the specified requirements of Criteria class 4,"Structured-Protection",in GB17859-1999 (equally,the B2 level in TCSEC) in China.Thus it demonstrates that this framework can help enforcing dynamically least privilege control on a secure operating system,while still providing a flexible efficient system.

Key words: secure operating system, security policy, least privilege, capability, role, domain