Файлы описаний в примере Secure Login

Описания сущностей

Сущность WebServer не предоставляет функциональности другим сущностям.

WebServer.edl

/* WebServer.edl: the example's web front end. It declares no interfaces, so it
 * offers nothing to other entities (as the text above states); in init.yaml it
 * appears only as a client of auth_service.AuthService and kl.VfsEntity. */
entity server.WebServer

Сущность AuthService представляет собой доверенный компонент, аутентифицирующий пользователей, и содержит реализации интерфейсов ILoginForm (для получения формы ввода имени пользователя и пароля) и ILoginResultForm (для получения результатов аутентификации).

AuthService.edl

/* AuthService.edl: the trusted component that authenticates users. It serves
 * the two interfaces below; which entities may actually call them is decided
 * by the PSL rules (external.psl), not by this file. */

entity auth_service.AuthService

interfaces

{

/* Hands out the user name / password entry form (ILoginForm.idl). */

login : auth_service.ILoginForm

/* Receives the submitted credentials and hands out the result page
 * (ILoginResultForm.idl). */

result : auth_service.ILoginResultForm

}

ILoginForm.idl

/* ILoginForm.idl: interface for fetching the login form as HTML, chunk by chunk. */

package auth_service.ILoginForm

/* Upper bound, in bytes, of one HtmlLine. The same constant is declared again
 * in ILoginResultForm.idl; the two copies must be kept in sync by hand. */

const UInt32 MaxHtmlSize = 5120;

/* Length-bounded byte sequence (at most MaxHtmlSize bytes). A sequence carries
 * its own length and is not NUL-terminated, so a receiver must respect the
 * sequence length rather than scan for a terminator. */

typedef sequence<UInt8, MaxHtmlSize> HtmlLine;

/* Boolean transported as a single byte. Which values count as "true" is not
 * fixed by this file -- presumably nonzero = success; confirm against the
 * implementation. */

typedef UInt8 Bool;

interface

{

/* Prepares the form; result is an out status flag (presumably whether the
 * form could be opened -- confirm). */

Open(out Bool result);

/* Returns the next chunk of the form, at most MaxHtmlSize bytes per call.
 * How the end of the form is signalled is not specified here -- confirm. */

Read(out HtmlLine line);

/* Releases whatever Open() set up. */

Dispose();

}

ILoginResultForm.idl

/* ILoginResultForm.idl: interface for submitting credentials and fetching the
 * authentication result page as HTML. */

package auth_service.ILoginResultForm

/* Duplicate of the constant in ILoginForm.idl; keep the two in sync. */

const UInt32 MaxHtmlSize = 5120;

/* Length-bounded byte sequence, not NUL-terminated (see ILoginForm.idl). */

typedef sequence<UInt8, MaxHtmlSize> HtmlLine;

/* Same representation as HtmlLine: up to MaxHtmlSize raw bytes. The IDL fixes
 * neither a character encoding nor a terminator for it. */

typedef sequence<UInt8, MaxHtmlSize> String;

/* Boolean as a byte; encoding of true/false not fixed here -- confirm. */

typedef UInt8 Bool;

/* Credentials submitted by the caller. Nothing in this interface protects the
 * password field itself; the only thing limiting who may send it is the PSL
 * rule for requests to auth_service.AuthService in external.psl. */

struct UserRequest

{

String userName;

String password;

/* Purpose not described on this page; the name suggests a crypto-related
 * value -- TODO confirm against the implementation. */

String cryptoB;

}

interface

{

/* Submits the credentials; result is an out status flag (presumably whether
 * the result form could be opened -- confirm). */

Open(in UserRequest login, out Bool result);

/* Returns the next chunk of the result page, at most MaxHtmlSize bytes. */

Read(out HtmlLine line);

/* Releases whatever Open() set up. */

Dispose();

}

Init-описание

init.yaml

# init.yaml: entities started by Einit and the IPC connections between them.
# A connection here only creates the channel; whether a request over it is
# allowed is decided by the PSL files (internal.psl / external.psl /
# security_x86.psl).
entities:

# Web front end: client of AuthService and of the VFS. Unlike the system
# entities below, no `path` is given here.
- name: server.WebServer

connections:

- target: auth_service.AuthService

id: authservice

# The VFS connection id comes from the _VFS_CONNECTION_ID macro in vfs/defs.h
# rather than being a literal in this file.
- target: kl.VfsEntity

id: {var: _VFS_CONNECTION_ID, include: vfs/defs.h}

# Trusted authentication component; it also uses the VFS, so WebServer and
# AuthService share the same VFS entity.
- name: auth_service.AuthService

connections:

- target: kl.VfsEntity

id: {var: _VFS_CONNECTION_ID, include: vfs/defs.h}

# Virtual file system, backed by the ATA and PCIE drivers below.
- name: kl.VfsEntity

path: VFS

connections:

- target: kl.drivers.ATA

id: kl.drivers.ATA

- target: kl.drivers.PCIE

id: kl.drivers.PCIE

# DHCP client; it connects to the VFS but no entity in this file connects to it.
- name: kl.rump.Dhcpcd

path: dhcpcd_entity

connections:

- target: kl.VfsEntity

id: {var: _VFS_CONNECTION_ID, include: vfs/defs.h}

# Storage driver stack (x86): ATA on top of PCIE.
- name: kl.drivers.ATA

path: ata

connections:

- target: kl.drivers.PCIE

id: kl.drivers.PCIE

- name: kl.drivers.PCIE

path: pcie_hw

Политика безопасности решения

security_x86.psl

/* security_x86.psl: top-level policy for the x86 build. It pulls in the
 * platform-independent internal and external policies and then adds the
 * rules for the x86 storage driver stack (ATA over PCIE). */

/* Include internal and external security policies. */

use internal._

use external._

/* Only for x86 platform. The EDLs for kl.VfsEntity and kl.core.Core used
 * below are not declared here; presumably they come in via `use internal._`
 * (internal.psl declares both). */

use EDL kl.drivers.ATA

use EDL kl.drivers.PCIE

/* ATA driver <-> PCIE driver. grant() without an interface or method
 * qualifier allows every call between the two. */

request src=kl.drivers.ATA, dst=kl.drivers.PCIE

{

grant()

}

response src=kl.drivers.PCIE, dst=kl.drivers.ATA

{

grant()

}

/* VFS <-> PCIE driver, again unrestricted. */

request src=kl.VfsEntity, dst=kl.drivers.PCIE

{

grant()

}

response src=kl.drivers.PCIE, dst=kl.VfsEntity

{

grant()

}

/* Kernel access for both drivers. These are as broad as the WebServer/Core
 * rule that external.psl itself flags as early-stage only; the same audit of
 * the minimal method set applies here before release. */

request src=kl.drivers.ATA, dst=kl.core.Core

{

grant()

}

response src=kl.core.Core, dst=kl.drivers.ATA

{

grant()

}

request src=kl.drivers.PCIE, dst=kl.core.Core

{

grant()

}

response src=kl.core.Core, dst=kl.drivers.PCIE

{

grant()

}

external.psl

/* external.psl: policy for the example's own ("external") entities,
 * server.WebServer and auth_service.AuthService. */

use nk.base._

/**

 * This code includes EDL descriptions of corresponding external

 * entities.

 */

use EDL server.WebServer

use EDL auth_service.AuthService

/**

 * The following rules let the external entities send requests to the

 * KasperskyOS kernel and receive responses, i.e. make system calls.

 * Caution! This rule is strictly for early-stage development as it

 * exposes a variety of system services that can be invoked by an attacker.

 * An audit must be performed to determine minimal set of methods to allow.

 */

request src=server.WebServer, dst=kl.core.Core

{

grant()

}

response src=kl.core.Core, dst=server.WebServer

{

grant()

}

/* WebServer <-> VFS. No interface/method qualifier, so this admits every VFS
 * operation; the early-stage caution above applies here as well. */

request src=server.WebServer, dst=kl.VfsEntity

{

grant()

}

response src=kl.VfsEntity, dst=server.WebServer

{

grant()

}

/* AuthService <-> kernel: unrestricted, same caution as for WebServer. */

request src=auth_service.AuthService, dst=kl.core.Core

{

grant()

}

response src=kl.core.Core, dst=auth_service.AuthService

{

grant()

}

/* AuthService <-> VFS, unrestricted. */

request src=auth_service.AuthService, dst=kl.VfsEntity

{

grant()

}

response src=kl.VfsEntity, dst=auth_service.AuthService

{

grant()

}

/* WebServer -> AuthService: the channel that carries UserRequest, including
 * the password. grant() without a qualifier admits every method of both
 * interfaces declared in AuthService.edl (ILoginForm and ILoginResultForm);
 * narrowing the rule to those interfaces is the natural hardening step before
 * release. There is deliberately no request rule in the opposite direction,
 * consistent with WebServer.edl declaring no interfaces. */

request src=server.WebServer, dst=auth_service.AuthService

{

grant()

}

response src=auth_service.AuthService, dst=server.WebServer

{

grant()

}

internal.psl

/**

 * This file describes internal entities and their connections.

 */

use nk.base._

/**

 * This code includes EDL descriptions of corresponding internal entities.

 */

use EDL Einit

use EDL kl.core.Core

use EDL kl.VfsEntity

use EDL kl.rump.Dhcpcd

/**

 * This policy enables to start up system entities by KasperskyOS kernel.

 */

execute src=kl.core.Core, dst=kl.core.Core

{

grant()

}

execute src=kl.core.Core, dst=Einit

{

grant()

}

/**

 * This instruction enables to start up and initialize entities specified in file init.yaml.in

 * (shown as init.yaml on this page). Note that the rule names no dst, so it

 * lets Einit start any entity, not only those listed in that file -- presumably

 * intended for this example; confirm before reusing it.

 */

execute src=Einit

{

grant()

}

/**

 * This code enables to send requests from Einit entity to KasperskyOS kernel and get

 * responses. It makes able to use system calls by Einit.

 */

request src=Einit, dst=kl.core.Core

{

grant()

}

response src=kl.core.Core, dst=Einit

{

grant()

}

/* VFS <-> kernel, unrestricted (no interface/method qualifier). */

request src=kl.VfsEntity, dst=kl.core.Core

{

grant()

}

response src=kl.core.Core, dst=kl.VfsEntity

{

grant()

}

/* DHCP client <-> kernel, unrestricted. */

request src=kl.rump.Dhcpcd, dst=kl.core.Core

{

grant()

}

response src=kl.core.Core, dst=kl.rump.Dhcpcd

{

grant()

}

/* DHCP client <-> VFS. Matches the Dhcpcd -> kl.VfsEntity connection in
 * init.yaml; no rule exists for requests into Dhcpcd, and init.yaml declares
 * no connection to it either. */

request src=kl.rump.Dhcpcd, dst=kl.VfsEntity

{

grant()

}

response src=kl.VfsEntity, dst=kl.rump.Dhcpcd

{

grant()

}
