Domain-based access control method and system

An access control technology and access control policy, applied in the field of operating systems, that addresses problems such as poor security and offers strong applicability and ease of use.

Inactive Publication Date: 2012-06-13
BEIJING NASE HENGXIN TECH

AI Technical Summary

Problems solved by technology

[0007] In the face of current application security issues, the above access control models cannot effectively solve application security. For example, Role-Based Access Control mainly focuses on the separation of rights and responsibilities of different roles in the system; under Discretionary Access Control, the subject has full control over its objects and running programs. Current mainstream operating systems provide this access control model by default, which has poor security.


Embodiment Construction

[0032] Preferred embodiments of the present invention will be described below in conjunction with the accompanying drawings. It should be understood that the embodiments described here are only used to illustrate and explain the present invention, and are not intended to limit the present invention.

[0033] Figure 1 is a flow chart of the domain-based access control method according to the present invention. The method is described in detail below with reference to Figure 1:

[0034] First, in step 101, a DBAC policy library is established according to the user's requirements for system protection. The security administrator defines a series of domains for different applications and sets the access rights list, then sets the domain label of each application on the subject and object of each application in the system, establishing a domain-based access control policy library; when setting the domain label for...


Abstract

The invention relates to a domain-based access control method and system. The domain-based access control method comprises the following steps: according to the user's requirements for protecting the system, and for different application domains, setting a domain label for each application on the subject and object of each application in the system and establishing a domain-based access control policy library; capturing an access request of a subject on an object in the system; submitting the access request to the domain-based access control policy library for domain label detection; and judging whether the current operation is allowed, accepting the current access request if it is allowed and refusing it if it is not. The domain-based access control system comprises a capturing filtering module, an access control judging module, a domain database module, a domain information managing module and a safety journal querying module. The capturing filtering module captures and filters data access requests of application programs in the system; the access control judging module judges whether the subject domain label and the object domain label are the same and determines whether the access action is allowed; the domain database module saves the information of the access control policy library; the domain information managing module modifies the information of the access control policy library and queries safety journals; and the safety journal querying module stores information on dangerous operations that disobey the access control policy. With the disclosed domain-based access control method and system, application programs can be effectively protected, and the safety of the application programs and the operating system can be improved.
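The decision flow in the abstract (capture a request, look up domain labels in the policy library, accept or refuse, record refusals) can be modelled in a few lines of Python. This is an added example, not code from the patent; the class names, sample paths, the per-domain rights check and the pass-through of unlabeled objects are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class PolicyLibrary:
    """Domain database: domain labels plus a per-domain access rights list."""
    labels: dict = field(default_factory=dict)  # subject/object path -> domain label
    rights: dict = field(default_factory=dict)  # domain label -> allowed operations

    def define_domain(self, domain, operations, members):
        self.rights[domain] = set(operations)
        for path in members:
            self.labels[path] = domain

@dataclass
class DomainAccessControl:
    policy: PolicyLibrary
    journal: list = field(default_factory=list)  # refused ("dangerous") operations

    def check(self, subject, obj, operation):
        """Judge one captured access request; return True to accept it."""
        obj_domain = self.policy.labels.get(obj)
        if obj_domain is None:
            return True  # assumption: unlabeled objects are filtered out of DBAC
        subj_domain = self.policy.labels.get(subject)
        if subj_domain != obj_domain:
            reason = "domain label mismatch"
        elif operation not in self.policy.rights.get(obj_domain, set()):
            reason = "operation not in access rights list"
        else:
            return True
        self.journal.append((subject, obj, operation, reason))
        return False

def demo():
    policy = PolicyLibrary()
    # Constructed sample policy: one domain per protected application.
    policy.define_domain("mail", {"read", "write"}, ["/usr/bin/mailer", "/var/mail/inbox.db"])
    policy.define_domain("web", {"read"}, ["/usr/bin/httpd", "/srv/www/index.html"])
    dbac = DomainAccessControl(policy)
    requests = [
        ("/usr/bin/mailer", "/var/mail/inbox.db", "write"),  # same domain
        ("/usr/bin/httpd", "/var/mail/inbox.db", "read"),    # cross-domain
        ("/usr/bin/httpd", "/srv/www/index.html", "write"),  # right not granted
        ("/tmp/unknown", "/srv/www/index.html", "read"),     # unlabeled subject
        ("/usr/bin/httpd", "/tmp/scratch", "write"),         # unlabeled object
    ]
    return [dbac.check(*r) for r in requests], dbac.journal
```

An unlabeled subject is refused access to any labeled object because its missing label never equals the object's label, and every refusal lands in the journal with the reason recorded.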

Description

Technical field

[0001] The invention relates to an operating system, in particular to an access control method and system for the operating system.

Background technique

[0002] Access control in existing operating systems generally includes Discretionary Access Control, Mandatory Access Control, Role-Based Access Control, the Bell-LaPadula model, and the Biba model. Among these:

[0003] In the Discretionary Access Control model, the subject can independently grant access rights for objects it owns to other subjects, or withdraw granted rights from other subjects, which leaves part of the right to grant or cancel access authority to the individual user. It is difficult for administrators to determine which users have access rights to which resources, which is not conducive to the realization of unified global access control. In many organizations, users do not have ownership of the resources they can access, and the ...


Application Information

IPC(8): G06F21/00, G06F21/50
Inventor: 艾奇伟
Owner: BEIJING NASE HENGXIN TECH