Device Access example

The Device Access example demonstrates use of the Privilege Separation pattern.

Example architecture

The example contains the following three entities: Device, LoginManager and Storage.

In this example, the Device entity queries the Storage entity to receive information and queries the LoginManager entity for authorization.

The Device entity obtains access to the Storage entity after successful authorization.

This example demonstrates the capability to separate the authorization logic and the data access logic into independent security domains. This separation guarantees that data access can be opened only after successful authorization. The security module monitors whether authorization was successfully completed. This architecture also enables independent development and testing of the authorization logic and the data access provision logic.

A security policy in the Device Access example has the following characteristics:

• The Device entity has the capability to query the LoginManager entity for authorization.
• Calls of the GetInfo() method of the Storage entity are controlled by using security policies of the flow class (finite-state machine model):
  • The finite-state machine described in the session object configuration has two states: unauthenticated and authenticated.
  • The initial state is unauthenticated.
  • Only transitions from unauthenticated to authenticated and vice versa are allowed.
  • The session object is created when the Device entity is started.
  • When the Device entity successfully calls the Login() method of the LoginManager entity, the state of the session object changes to authenticated.
  • When the Device entity successfully calls the Logout() method of the LoginManager entity, the state of the session object changes to unauthenticated.
  • When the Device entity calls the GetInfo() method of the Storage entity, the current state of the session object is verified. The call is allowed only if the current state of the object is authenticated.

Building the example

The example is built using the CMake build system that is included in KasperskyOS Community Edition.

Files containing the code of the example and build scripts are available at the following path:

/opt/KasperskyOS-Community-Edition-<version>/examples/device_access

To build and run the example, run the following script:

/opt/KasperskyOS-Community-Edition-<version>/examples/device_access/cross-build.sh

In this section Description files in the Device Access example Implementation of the Device entity in the Device Access example Implementation of the Storage entity in the Device Access example Implementation of the LoginManager entity in the Device Access example

Page top