Contents
Kaspersky Security Module
For each developed solution, Kaspersky Security System technology lets you generate code for the Kaspersky Security Module that implements the specified security policy. The security module controls all interactions between entities, i.e. in MILS terms, it is a security monitor.
Controlling IPC messages
The kernel calls the Kaspersky Security Module each time one entity sends a message to another entity. The security module checks whether the message structure corresponds to the description of the called method. If so, then the security module calls all the rules associated with this message and makes a decision: "allowed" or "denied". The kernel enforces the resulting decision, i.e. delivers the message only if the decision is "allowed".
In this way, the code that makes decisions (Policy Decision Point) is separate from the code that enforces them (Policy Enforcement Point).
IPC responses are controlled just like IPC requests. This may be used, for example, to guarantee the integrity of responses.
The kernel delivers the IPC message only if Kaspersky Security Module allows delivery
Controlling startup of entities
The kernel also calls the security module each time when an entity is started. This is usually used to initialize the entity's security context.
Security interface
Entities can directly query the Kaspersky Security Module using the security interface to report information about their state or the context of some event. Additionally, the security module enforces all rules associated with the called method of the security interface. Then the entity itself can use the decision received from the security module. The security interface is used, for example, to implement entities that control access to resources.
Page top