Описания сущностей
Сущности Application и LogViewer не предоставляют функциональности другим сущностям: они не реализуют интерфейсов и выступают только клиентами (Application — клиент сущности Logger, LogViewer — клиент сущности Reader, см. init.yaml).
Application.edl
/* Application: pure client. It declares no interfaces, so it offers nothing
 * for other entities to call; its only outgoing connection (see init.yaml)
 * is to secure_logger.Logger. */
entity secure_logger.Application
LogViewer.edl
/* LogViewer: pure client. It declares no interfaces; its only outgoing
 * connection (see init.yaml) is to secure_logger.Reader. */
entity secure_logger.LogViewer
Сущность Logger предоставляет функциональность для записи логов в хранилище: она реализует интерфейс Write с единственным методом WriteInLog(), который добавляет в лог одну запись за вызов.
Logger.edl
/* Logger: appends records to the log store on behalf of Application.
 * It exposes one interface, secure_logger.Write (Write.idl), under the
 * instance name "write". Which entity may call it, and which method, is
 * fixed in security.psl (Application -> Write.WriteInLog only). */
entity secure_logger.Logger
interfaces
{
    write : secure_logger.Write
}
Write.idl
package secure_logger.Write

/* Transport bounds for a log record. MaxLogMessageSize is declared again in
 * Read.idl; keep the two values identical, otherwise a record accepted here
 * may not fit into a Read reply. */
const UInt32 MaxLogMessageSize = 512;
/* Exactly one record per WriteInLog() call. */
const UInt32 MaxLogMessageCount = 1;

/* MsgString is a bounded byte sequence, not a C string: the IDL defines no
 * terminator, so the Logger must work from the sequence length and must not
 * assume a trailing NUL. */
typedef sequence<UInt8, MaxLogMessageSize> MsgString;
typedef array<MsgString, MaxLogMessageCount> Message;

interface
{
    /* Append one record to the log. The size bound is enforced by the IDL
     * types at the IPC layer. There are no out parameters, so the caller
     * gets no status beyond the IPC response itself. */
    WriteInLog(in Message message);
}
Сущность Reader предоставляет функциональность для чтения логов из хранилища. Она реализует интерфейс Read с методом ReadFromLog() для чтения диапазона записей лога (по индексам начала и конца), а также интерфейс GetLastIndex с методом GetLogLastIndex() для получения индекса последней записи лога.
Reader.edl
/* Reader: serves log records to LogViewer.
 * Two interfaces are exposed: secure_logger.Read ("read", Read.idl) for
 * fetching a range of records and secure_logger.GetLastIndex
 * ("getLastIndex", GetLastIndex.idl) for the index of the last record.
 * security.psl allows only LogViewer to call either of them. */
entity secure_logger.Reader
interfaces
{
    read : secure_logger.Read
    getLastIndex : secure_logger.GetLastIndex
}
Read.idl
package secure_logger.Read

/* Must stay equal to MaxLogMessageSize in Write.idl. */
const UInt32 MaxLogMessageSize = 512;
/* Upper bound on the number of records returned by one ReadFromLog() call. */
const UInt32 MaxLogMessageCount = 100;

typedef sequence<UInt8, MaxLogMessageSize> MsgString;
typedef sequence<MsgString, MaxLogMessageCount> MsgList;

/* Range of record indices to read. The IDL does not bound these values and
 * does not say whether endIndex is inclusive (TODO confirm in the Reader
 * implementation). The Reader must reject startIndex > endIndex and clamp
 * the range so the reply fits in MaxLogMessageCount records: the
 * security.psl rule for this method is an unconditional grant() that
 * inspects no arguments, so no validation happens before the call lands. */
struct LogRequest
{
    UInt64 startIndex;
    UInt64 endIndex;
}

interface
{
    /* Return the records in logReq's range as logRes (at most
     * MaxLogMessageCount entries). */
    ReadFromLog(in LogRequest logReq, out MsgList logRes);
}
GetLastIndex.idl
package secure_logger.GetLastIndex

interface
{
    /* Report the index of the last log record. What is returned for an
     * empty log is not defined by this IDL — the Reader implementation
     * should document it (TODO confirm). */
    GetLogLastIndex(out UInt64 logLastIndex);
}
Init-описание
init.yaml
# Static wiring of the solution. Only Logger and Reader hold a connection to
# kl.VfsEntity (the log store); Application and LogViewer have no VFS
# connection and can reach the log only through the IPC rules granted in
# security.psl.
entities:
- name: secure_logger.Application
  connections:
  # Client-side handle Application uses to call Logger.
  - target: secure_logger.Logger
    id: logger_connection
- name: secure_logger.LogViewer
  connections:
  # Client-side handle LogViewer uses to call Reader.
  - target: secure_logger.Reader
    id: reader_connection
- name: secure_logger.Logger
  connections:
  # Logger and Reader share the same VFS instance; the connection id is
  # taken from the platform header vfs/defs.h.
  - target: kl.VfsEntity
    id: {var: _VFS_CONNECTION_ID, include: vfs/defs.h}
- name: secure_logger.Reader
  connections:
  - target: kl.VfsEntity
    id: {var: _VFS_CONNECTION_ID, include: vfs/defs.h}
# Platform entities: the VFS entity is connected to the PCIe driver.
- name: kl.VfsEntity
  path: VFS
  connections:
  - target: kl.drivers.PCIE
    id: kl.drivers.PCIE
- name: kl.drivers.PCIE
  path: pcie_hw
Политика безопасности решения
security.psl
/* Declares the execute interface used by the execute rules in trusted.psl. */
execute: kl.core.Execute

use nk.base._
use trusted._

/**
 * EDL descriptions of the non-platform (untrusted) entities of this solution.
 */
use EDL secure_logger.Logger
use EDL secure_logger.Reader
use EDL secure_logger.Application
use EDL secure_logger.LogViewer

/**
 * The rules below let each untrusted entity send requests to the KasperskyOS
 * kernel and receive responses, i.e. make any system call.
 * Caution! These rules are strictly for early-stage development: they expose
 * every kernel service to the entity, and thus to an attacker who compromises
 * it. Audit each entity and replace the blanket grant() with the minimal set
 * of methods it actually needs.
 */
request src=secure_logger.Logger, dst=kl.core.Core
{
    grant()
}
response src=kl.core.Core, dst=secure_logger.Logger
{
    grant()
}
request src=secure_logger.Reader, dst=kl.core.Core
{
    grant()
}
response src=kl.core.Core, dst=secure_logger.Reader
{
    grant()
}
request src=secure_logger.Application, dst=kl.core.Core
{
    grant()
}
response src=kl.core.Core, dst=secure_logger.Application
{
    grant()
}
request src=secure_logger.LogViewer, dst=kl.core.Core
{
    grant()
}
response src=kl.core.Core, dst=secure_logger.LogViewer
{
    grant()
}

/**
 * The rules below let Reader and Logger send requests to kl.VfsEntity and
 * receive responses, i.e. make file-system related calls.
 *
 * NOTE(review): none of these rules carries an interface=/method= qualifier,
 * so Reader and Logger each receive every method kl.VfsEntity offers. The
 * intended split - Logger writes the log, Reader only reads it - is
 * therefore not enforced by this policy and rests on the entities' own code.
 * Narrowing these rules per method, as the entity-to-entity rules below are,
 * would make the split kernel-enforced; the method names must be taken from
 * the kl.VfsEntity EDL/IDL, not guessed.
 */
request src=secure_logger.Reader, dst=kl.VfsEntity
{
    grant()
}
response src=kl.VfsEntity, dst=secure_logger.Reader
{
    grant()
}
request src=secure_logger.Logger, dst=kl.VfsEntity
{
    grant()
}
response src=kl.VfsEntity, dst=secure_logger.Logger
{
    grant()
}

/**
 * Interactions between the untrusted entities. Each rule is pinned to one
 * interface and one method: Application may call only Write.WriteInLog on
 * Logger, and LogViewer may call only Read.ReadFromLog and
 * GetLastIndex.GetLogLastIndex on Reader; no other request between these
 * entities is granted here. grant() inspects no arguments, so bounds on the
 * payload (e.g. the LogRequest index range) must be checked by the callee.
 */
request src=secure_logger.Application, dst=secure_logger.Logger, interface=secure_logger.Write, method=WriteInLog
{
    grant()
}
response src=secure_logger.Logger, dst=secure_logger.Application, interface=secure_logger.Write, method=WriteInLog
{
    grant()
}
request src=secure_logger.LogViewer, dst=secure_logger.Reader, interface=secure_logger.Read, method=ReadFromLog
{
    grant()
}
response src=secure_logger.Reader, dst=secure_logger.LogViewer, interface=secure_logger.Read, method=ReadFromLog
{
    grant()
}
request src=secure_logger.LogViewer, dst=secure_logger.Reader, interface=secure_logger.GetLastIndex, method=GetLogLastIndex
{
    grant()
}
response src=secure_logger.Reader, dst=secure_logger.LogViewer, interface=secure_logger.GetLastIndex, method=GetLogLastIndex
{
    grant()
}
trusted.psl
/**
* This file describes trusted platform entities and their connections.
*/
/**
* This code includes EDL descriptions of corresponding platform entities.
*/
/**
 * EDL descriptions of the platform entities this solution relies on.
 */
use EDL kl.core.Core
use EDL kl.VfsEntity
use EDL kl.drivers.PCIE
use EDL Einit

/**
 * Lets the KasperskyOS kernel start itself and the Einit entity.
 */
execute src=kl.core.Core, dst=kl.core.Core
{
    grant()
}
execute src=kl.core.Core, dst=Einit
{
    grant()
}

/**
 * Lets Einit start and initialize the non-platform entities.
 * NOTE(review): this rule names no dst, so it is not limited to a particular
 * entity. It is the usual template form; it could be tightened to one rule
 * per non-platform entity (dst=secure_logger.Logger, ...) if a stricter
 * policy is wanted.
 */
execute src=Einit
{
    grant()
}

/**
 * Lets Einit send requests to the KasperskyOS kernel and receive responses,
 * i.e. make system calls.
 */
request src=Einit, dst=kl.core.Core
{
    grant()
}
response src=kl.core.Core, dst=Einit
{
    grant()
}

/**
 * Lets kl.VfsEntity (the system VFS driver implementation) send requests to
 * the KasperskyOS kernel and receive responses, i.e. make system calls.
 */
request src=kl.VfsEntity, dst=kl.core.Core
{
    grant()
}
response src=kl.core.Core, dst=kl.VfsEntity
{
    grant()
}

/**
 * Lets kl.drivers.PCIE (the system PCIe driver implementation) send requests
 * to the KasperskyOS kernel and receive responses, i.e. make system calls.
 */
request src=kl.drivers.PCIE, dst=kl.core.Core
{
    grant()
}
response src=kl.core.Core, dst=kl.drivers.PCIE
{
    grant()
}