Security policies

Security policies and policy families

A security policy, or simply policy, is a function that returns a decision of "allowed" or "denied". Security policies are used to monitor events.

Security policies make a decision based on event data: for example, the name of the entity being started or the actual arguments of the method being called. They may also consider the state of the family instance (see below).

There are also attr policies that do not return a decision.

A security policy family is a set of semantically related policies implementing a particular security model.

KasperskyOS Starter Kit provides the following policy families:

For more details, refer to "Security policy families".

Instance of the family

Each policy is a method of an object called a family instance. A family instance has an internal state that policies can consider when making a decision of "allowed" or "denied". For certain policy families, such as flow and era, the state of the instance is global, and for others, such as flow2 and te, it is linked to a specific security domain.

A security domain is a self-contained system unit whose interactions are controlled by using Kaspersky Security System.

Certain policies can change the state of a family instance.

By way of analogy using object-oriented programming terminology, a policy family can be compared to a class, a family instance can be likened to a class object, and the actual policies would be equivalent to methods.

Linking to events and calling policies

When an entity initiates an event, e.g. by sending a request or response, starting another entity or calling a security interface, Kaspersky Security System calls all policies bound to that event. If all policies return an "allowed" decision, Kaspersky Security System returns an "allowed" decision. If even one policy returns a "denied" decision, Kaspersky Security System returns a "denied" decision.

If no security policy is bound to the event, Kaspersky Security System returns a "denied" decision. This means that, in KasperskyOS, everything that is not explicitly allowed is denied (Default Deny principle).

Linking of events to policies is statically defined in a special file named security.cfg, the so-called security configuration.
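
The decision rule described above, as an added Python model that is not KasperskyOS code and does not use the security.cfg syntax. All class, function and event names (StageFamily, Monitor, name_is, build_monitor, the "kind" and "name" keys) are hypothetical; the model assumes every bound policy is called before the decisions are combined.

```python
# Illustrative model only: every name here is hypothetical, not a KasperskyOS API.
from typing import Callable, Dict, List

ALLOWED, DENIED = "allowed", "denied"
Event = Dict[str, str]
Policy = Callable[[Event], str]

class StageFamily:
    """Family instance: internal state that its policies (methods) share."""
    def __init__(self) -> None:
        self.stage = "boot"

    def advance(self, event: Event) -> str:
        self.stage = "running"          # a policy that changes instance state
        return ALLOWED

    def is_running(self, event: Event) -> str:
        # a policy that considers instance state when deciding
        return ALLOWED if self.stage == "running" else DENIED

def name_is(expected: str) -> Policy:
    """Stateless policy that decides on event data (the entity name)."""
    return lambda event: ALLOWED if event.get("name") == expected else DENIED

class Monitor:
    def __init__(self) -> None:
        self.bindings: Dict[str, List[Policy]] = {}

    def bind(self, kind: str, *policies: Policy) -> None:
        self.bindings.setdefault(kind, []).extend(policies)

    def decide(self, event: Event) -> str:
        policies = self.bindings.get(event.get("kind", ""), [])
        if not policies:
            # all() over an empty list is True, so "no binding" must be an
            # explicit deny or the monitor would fail open.
            return DENIED
        decisions = [policy(event) for policy in policies]  # call every bound policy
        return ALLOWED if all(d == ALLOWED for d in decisions) else DENIED

def build_monitor() -> Monitor:
    """Constructed sample bindings standing in for a static configuration."""
    family, monitor = StageFamily(), Monitor()
    monitor.bind("execute", name_is("Server"))
    monitor.bind("security", family.advance)
    monitor.bind("request", family.is_running, name_is("Server"))
    return monitor
```

An event kind with no binding, such as "response" in the sample bindings, is denied even though no policy said "denied".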
