Contents
- PSL language syntax
- Describing the global parameters of a KasperskyOS-based solution security policy
- Including PSL files
- Including EDL files
- Creating security model objects
- Binding methods of security models to security events
- Describing security audit profiles
- Describing and performing tests for a KasperskyOS-based solution security policy
- PSL data types
- Examples of binding security model methods to security events
- Example descriptions of basic security policies for KasperskyOS-based solutions
- Example descriptions of security audit profiles
- Example descriptions of tests for KasperskyOS-based solution security policies
PSL language syntax
Basic rules
- Declarations can be listed in any sequence in a file.
- One declaration can be written to one or multiple lines. The second and subsequent lines of the declaration must be written with indentations relative to the first line. The closing brace that completes the declaration can be written on the first line.
- A multi-line declaration utilizes different-sized indentations to reflect the nesting of constructs comprising this declaration. The second and subsequent lines of a multi-line construct enclosed in braces must be written with an indentation relative to the first line of this construct. The closing brace of a multi-line construct can be written with an indentation or on the first line of the construct.
- The PSL language is case sensitive.
- Single-line comments and multi-line comments are supported:
/* This is a comment
* And this, too */
// Another comment
Types of declarations
The PSL language has declarations for the following purposes:
- Describing the global parameters of a solution security policy
- Including PSL files
- Including EDL files
- Creating security model objects
- Binding methods of security models to security events
- Describing security audit profiles
- Describing solution security policy tests
Describing the global parameters of a KasperskyOS-based solution security policy
Global parameters include the following parameters of a solution security policy:
- Execute interface used by the KasperskyOS kernel when querying the Kaspersky Security Module to notify it about kernel startup or about initiating the startup of a process by the kernel or by other processes. To assign this interface, use the following declaration:
execute: kl.core.Execute
KasperskyOS currently supports only one execute interface (
Execute) defined in the file namedkl/core/Execute.idl. (This interface consists of onemainmethod, which has no parameters and does not perform any actions. Themainmethod is reserved for potential future use.) - [Optional] Global security audit profile and initial security audit runtime-level. To define these parameters, use the following declaration:
audit default = <security audit profile name> <security audit runtime-level>
Example:
audit default = global 0
The default global profile is the
emptysecurity audit profile described in the file namedtoolchain/include/nk/base.pslfrom the KasperskyOS SDK, and the default security audit runtime-level is 0.
Including PSL files
To include a PSL file, use the following declaration:
use <link to PSL file._>
The link to the PSL file is the file path (without the extension and dot before it) relative to the directory that is included in the set of directories where the nk-psl-gen-c compiler searches for PSL, IDL, CDL, and EDL files. (This set of directories is defined by the parameters -I <path to files> when starting the makekss script or the nk-psl-gen-c compiler.) A dot is used as a separator in a path description. A declaration is ended by the ._ character sequence.
Example:
use policy_parts.flow_part._
This declaration includes the flow_part.psl file, which is located in the policy_parts directory. The policy_parts directory must reside in one of the directories where the nk-psl-gen-c compiler searches for PSL, IDL, CDL, and EDL files. For example, the policy_parts directory may reside in the same directory as the PSL file containing this declaration.
Including a PSL file containing a formal description of a security model
To use the methods of a required security model, you need to include a PSL file containing a formal description of this model. PSL files containing formal descriptions of security models are located in the KasperskyOS SDK at the following path:
toolchain/include/nk
Example:
/* Include the base.psl file containing a formal description of the
* Base security model */
use nk.base._
/* Include the flow.psl file containing a formal description of the
* Flow security model */
use nk.flow._
/* The nk-psl-gen-c compiler must be configured to search for
* PSL, IDL, CDL, and EDL files in the toolchain/include directory. */
Including EDL files
To include an EDL file for the KasperskyOS kernel, use the following declaration:
use EDL kl.core.Core
To include an EDL file for a program (such as a driver or application), use the following declaration:
use EDL <link to EDL file>
The link to the EDL file is the EDL file path (without the extension and dot before it) relative to the directory that is included in the set of directories where the nk-psl-gen-c compiler searches for PSL, IDL, CDL, and EDL files. (This set of directories is defined by the parameters -I <path to files> when starting the makekss script or the nk-psl-gen-c compiler.) A dot is used as a separator in a path description.
Example:
/* Include the UART.edl file, which is located
* in the KasperskyOS SDK at the path sysroot-*-kos/include/kl/drivers. */
use EDL kl.drivers.UART
/* The nk-psl-gen-c compiler must be configured to search for
* PSL, IDL, CDL, and EDL files in the sysroot-*-kos/include directory. */
The nk-psl-gen-c compiler finds IDL and CDL files via EDL files because EDL files contain links to the corresponding CDL files, and the CDL files contain links to the corresponding CDL and IDL files.
Creating security model objects
To call the methods of a required security model, create an object for this security model.
To create a security model object, use the following declaration:
policy object <security model object name : security model name> {
[security model object parameters]
}
The parameters of a security model object are specific to the security model. A description of parameters and examples of creating objects of various security models are provided in the "KasperskyOS security models" section.
Page topBinding methods of security models to security events
To create an attachment between methods of security models and a security event, use the following declaration:
<security event type> [security event selectors] {
[security audit profile]
<called security model rules>
}
Security event type
The following specifiers are used to define the security event type:
request– sending IPC requests.response– sending IPC responses.error– sending IPC responses containing information about errors.security– processes querying the Kaspersky Security Module via the security interface.execute– initializing the startups of processes or the startup of the KasperskyOS kernel.
When processes interact with the security module, they use a mechanism that is different from IPC. However, when describing a policy, queries sent by processes to the security module can be viewed as the transfer of IPC messages because processes actually transmit messages to the security module (the recipient is not indicated in these messages).
The IPC mechanism is not used to start processes. However, when the startup of a process is initiated, the kernel queries the security module and provides information about the initiator of the startup and the started process. For this reason, the policy description developer can consider the startup of a process to be analogous to sending an IPC message from the startup initiator to the started process. When the kernel is started, this is analogous to the kernel sending an IPC message to itself.
Security event selectors
Security event selectors let you clarify the description of the defined type of security event. The following selectors are used:
src=<kernel/process class name> – processes of the defined class or the KasperskyOS kernel are the sources of IPC messages.dst=<kernel/process class name> – processes of the defined class or the kernel are the recipients of IPC messages.interface=<interface name> – describes the following security events:- Clients attempt to use the endpoints of servers or the kernel with the defined interface.
- Processes query the Kaspersky Security Module via the defined security interface.
- The kernel or servers send clients the results from using the endpoints with the defined interface.
component=<component name> – describes the following security events:- Clients attempt to use the core or server endpoints provided by the defined component.
- The kernel or servers send clients the results from using the endpoints provided by the defined component.
endpoint=<qualified endpoint name> – describes the following security events:- Clients attempt to use the defined core or server endpoints.
- The kernel or servers send clients the results from using the defined endpoint.
method=<method name> – describes the following security events:- Clients attempt to query servers or the kernel by calling the defined method of the endpoint.
- Processes query the security module by calling the defined method of the security interface.
- The kernel or servers send clients the results from calling the defined method of the endpoint.
- The kernel notifies the security module about its startup by calling the defined method of the execute interface.
- The kernel initiates the startup of processes by calling the defined method of the execute interface.
- Processes initiate the startup of other processes, which results in the kernel calling the defined method of the execute interface.
Process classes, components, instances of components, interfaces, endpoints, and methods must be named the same as they are in the IDL, CDL, and EDL descriptions. The kernel must be named kl.core.Core.
The qualified name of the endpoint has the format <path to endpoint.endpoint name>. The path to the endpoint is a sequence of component instance names separated by dots. Among these component instances, each subsequent component instance is embedded into the previous one, and the last one provides the endpoint with the defined name.
For security events, specify the qualified name of the security interface method if you need to use the security interface defined in a CDL description. (If you need to use a security interface defined in an EDL description, it is not necessary to specify the qualified name of the method.) The qualified name of a security interface method is a construct in the format <path to security interface.method name>. The path to the security interface is a sequence of component instance names separated by dots. Among these component instances, each subsequent component instance is embedded into the previous one, and the last one supports the security interface that includes the method with the defined name.
If selectors are not specified, the participants of a security event may be any process and the kernel (except security events in which the kernel cannot participate).
You can use combinations of selectors. Selectors can be separated by commas.
There are restrictions on the use of selectors. The interface, component, and endpoint selectors cannot be used for security events of the execute type. The dst, component, and endpoint selectors cannot be used for security events of the security type.
There are also restrictions on combinations of selectors. For security events of the request, response and error types, the method selector can only be used together with one of the endpoint, interface, or component selectors or a combination of them. (The method, endpoint, interface and component selectors must be coordinated. In other words, the method, endpoint, interface, and component must be interconnected.) For security events of the request type, the endpoint selector can be used only together with the dst selector. For security events of the response and error types, the endpoint selector can be used only together with the src selector.
The type and selectors of a security event make up the security event description. It is recommended to describe security events with maximum precision to allow only the required interactions between different processes and between processes and the kernel. If IPC messages of the same type are always verified when processing the defined event, the description of this event is maximally precise.
To ensure that IPC messages of the same type correspond to a security event description, one of the following conditions must be fulfilled for this description:
- For events of the
request,responseanderrortype, the "interface method-endpoint-server class or kernel" chain is unequivocally defined. For example, the security event descriptionrequest dst=Server endpoint=net.Net method=Sendcorresponds to IPC messages of the same type, and the security event descriptionrequest dst=Servercorresponds to any IPC message sent to theServer. - For
securityevents, the security interface method is specified. - The execute-interface method is indicated for
executeevents.There is currently support for only one fictitious method of the
mainexecute-interface. This method is used by default, so it does not have to be defined through themethodselector. This way, any description of anexecutesecurity event corresponds to IPC messages of the same type.
Security audit profile
A security audit profile is defined by the construct audit <security audit profile name>. If a security audit profile is not defined, the global security audit profile is used.
Called security model rules
Called security model rules are defined by a list from the following type of constructs:
[security model object name.]<security model rule name> <parameter>
Input data for security model rules may be values returned by security model expressions. The following construct is used to call a security model expression:
[security model object name.]<security model expression name> <parameter>
Parameters of interface methods can also be used as input data for methods of security models (rules and expressions). (For details about obtaining access to parameters of interface methods, see "Struct security model"). In addition, input data for methods of security models can also be the SID values of processes and the KasperskyOS kernel that are defined by the src_sid and dst_sid reserved words. The first reserved word refers to the SID of the process (or kernel) that is the source of the IPC message. The second reserved word refers to the SID of the process (or kernel) that is the recipient of the IPC message (dst_sid cannot be used for queries to the Kaspersky Security Module).
For calls of some rules and expressions of security models, you can choose not to indicate the security model object name, and you can use operators. For details about the methods of security models, see KasperskyOS Security models.
Embedded constructs for binding methods of security models to security events
In one declaration, you can bind methods of security models to different security events of the same type. To do so, use the match sections that consist of the following types of constructs:
match <security event selectors> {
[security audit profile]
<called security model rules>
}
Match sections can be embedded into another match section. A match section simultaneously uses its own security event selectors and the security event selectors at the level of the declaration and all match sections in which this match section is "wrapped". By default, a match section applies the security audit profile of its own container (match section of the preceding level or the declaration level), but you can define a separate security audit profile for the match section.
In one declaration, you can define different variants for processing a security event depending on the conditions in which this event occurred (for example, depending on the state of the finite-state machine associated with the resource). To do so, use the conditional sections that are elements of the following construct:
choice <call of the security model expression that verifies fulfillment of conditions> {
"<condition 1>" : [{] // Conditional section 1
[security audit profile]
<called security model rules>
[}]
"<condition 2>" : ... // Conditional section 2
...
_ : ... // Conditional section, if no condition is fulfilled.
}
The choice construct can be used within a match section. A conditional section uses the security event selectors and security audit profile of its own container, but you can define a separate security audit profile for a conditional section.
If multiple conditions described in the choice construct are simultaneously fulfilled when a security event is processed, only the one conditional section corresponding to the first matching condition on the list is triggered.
You can verify the fulfillment of conditions in the choice construct only by using the expressions that are specially intended for this purpose. Some security models contain these expressions (for more details, see KasperskyOS Security models).
Examples of binding security model methods to security events
See "Examples of binding security model methods to security events", "Example descriptions of basic security policies for KasperskyOS-based solutions", and "KasperskyOS security models".
Page topDescribing security audit profiles
To perform a security audit, you need to associate security model objects with security audit profile(s). A security audit profile (hereinafter also referred to as an audit profile) combines security audit configurations (hereinafter also referred to as audit configurations), each of which defines the security model objects covered by the audit, and specifies the conditions for conducting the audit. You can define a global audit profile (for more details, see "Describing the global parameters of a KasperskyOS-based solution security policy") and/or assign audit profile(s) at the level of binding security model methods to security events, and/or assign audit profile(s) at the level of match sections or choice sections (for more details, see "Binding methods of security models to security events").
Regardless of whether or not audit profiles are being used, audit data contains information about "denied" decisions that were made by the Kaspersky Security Module when IPC messages were invalid and when handling security events that are not associated with any security model rule.
To describe a security audit profile, use the following declaration:
audit profile <security audit profile name> =
{ <security audit runtime-level> :
// Description of the security audit configuration
{ <security model object name> :
{ kss: <security audit conditions linked to the results
from calls of security model rules>
[, security audit conditions specific to the security model]
}
[,]...
...
}
[,]...
...
}
Security audit runtime-level
The security audit runtime-level (hereinafter referred to as the audit runtime-level) is a global parameter of a solution security policy and consists of an unsigned integer that defines the active security audit configuration. (The word "runtime-level" here refers to the configuration variant and does not necessarily involve a hierarchy.) The audit runtime-level can be changed during operation of the Kaspersky Security Module. This is done by using a specialized method of the Base security model that is called when processes query the security module via the security interface (for more details, see "Base security model"). The initial audit runtime-level is assigned together with the global audit profile (for more details, see "Describing the global parameters of a KasperskyOS-based solution security policy"). An empty audit profile can be explicitly assigned as the global audit profile.
You can define multiple audit configurations in an audit profile. In different configurations, different security model objects can be covered by the audit and different conditions for conducting the audit can be applied. Audit configurations in a profile correspond to different audit runtime-levels. If a profile does not have an audit configuration corresponding to the current audit runtime-level, the security module will activate the configuration that corresponds to the next-lowest audit runtime-level. If a profile does not have an audit configuration for an audit runtime-level equal to or less than the current level, the security module will not use this profile (in other words, an audit will not be performed for this profile).
Audit runtime-levels can be used to regulate the level of detail of an audit, for example. The higher the audit runtime-level, the higher the level of detail. The higher the level of detail, the more security model objects are covered by the audit and/or the less restrictions are applied in the audit conditions.
Another example of applying audit runtime-levels is the capability to shift the audit from one subsystem to another subsystem (for example, shift an audit related to drivers to an audit related to applications, or shift an audit related to the network subsystem to an audit related to the graphic subsystem).
Name of the security model object
The security model object name is indicated so that the methods provided by this object can be covered by the audit. These methods will be covered by the audit whenever they are called, provided that the conditions for conducting the audit are observed.
Information about the decisions of the Kaspersky Security Module contained in audit data includes the overall decision of the security module as well as the results from calling individual methods of security modules covered by the audit. To ensure that information about a security module decision is included in audit data, at least one method called during security event handling must be covered by the audit.
The names of security model objects and the names of methods provided by these objects are included in the audit data.
Security audit conditions
Security audit conditions are defined separately for each object of a security model.
To define the audit conditions related to the results from calling security model rules, use the following constructs:
["granted"]– the audit is performed if the rules return the "granted" result.["denied"]– the audit is performed if the rules return the "denied" result.["granted", "denied"]– the audit is performed if the rules return the "granted" or "denied" result.[]– the audit is not performed, regardless of the result returned by the rules.
Audit conditions related to results from calling rules are not applied to expressions. These conditions must be defined (by any allowed construct) even if the security model contains only expressions because PSL language syntax requires it.
Audit conditions specific to security models are defined by constructs specific to these models (for more details, see KasperskyOS Security models). These conditions apply to rules and expressions. For example, one of these conditions can be the state of a finite-state machine.
Security audit profile for a security audit route
A security audit route includes the kernel and the Klog and KlogStorage processes, which are connected by IPC channels based on the "kernel – Klog – KlogStorage" scheme. Security model methods that are associated with transmission of audit data via this route must not be covered by the audit. Otherwise, this will lead to an avalanche of audit data because any data transmission will give rise to new data.
To "suppress" an audit that was defined by a profile with a wider scope (for example, by a global profile or a profile at the level of binding security model methods to a security event), you need to assign an empty audit profile at the level of binding security model methods to security events or at the level of the match section or choice section.
Example descriptions of audit profiles
See Example descriptions of security audit profiles.
Page topDescribing and performing tests for a KasperskyOS-based solution security policy
A solution security policy is tested to verify whether or not the policy actually allows what should be allowed and denies what should be denied.
To describe a set of tests for a solution security policy, you need to use the following declaration:
assert "<name of test set>" {
// Constructs in PAL (Policy Assertion Language)
[setup {<initial part of tests>}]
sequence "<test name>" {<main part of test>}
...
[finally {<final part of tests>}]
}
You can describe multiple sets of tests by using several of these declarations.
The test set description can optionally include the initial part of the tests and/or the final part of the tests. The execution of each test from the set begins with whatever is described in the initial part of the test and ends with whatever is described in the final part of the test. This lets you describe the repeated initial and/or final parts of tests in each test.
After completing each test, all modifications in the Kaspersky Security Module related to the execution of this test are rolled back.
Each test includes one or more test cases.
Test cases
A test case associates a security event description and values of interface method parameters with an expected decision of the Kaspersky Security Module. If the actual security module decision matches the expected decision, the test case passes. Otherwise it fails.
When a test is run, the test cases are executed in the same sequence in which they are described. In other words, you can test how the security module handles a sequence of security events.
If all test cases within a test pass, the test passes. If even one test case fails to pass, the test fails. A test is terminated on the first failing test case.
A test case description is created in the PAL language and is comprised of a sequence of values:
[expected decision of security module] ["test example name"] <security event type> <security event selectors> [{interface method parameter values}]
The expected decision of the security module can be indicated as grant ("granted"), deny ("denied") or any ("any decision"). If the expected security module decision is not specified, the "granted" decision is expected. If the any value is specified, the security module decision does not have any influence on whether or not the test case passes. In this case, the test case may fail due to errors that occur when the security module processes an IPC message (for example, when the IPC message has an invalid structure).
For information about the types and selectors of security events, and about the limitations when using selectors, see Binding methods of security models to security events. Selectors must ensure that the security event description corresponds to IPC messages of the same type. (When security model methods are bound to security events, selectors may fail to ensure this.)
In security event descriptions, you need to specify the SID instead of the process class name (and the KasperskyOS kernel). However, this requirement does not apply to execute events for which the SID of the started process (or kernel) is unknown. To save the SID of the process or kernel to a variable, you need to use the <- operator in the test case description in the following format:
<variable name> <- execute dst=<kernel/process class name> ...
The SID value will be assigned to the variable even if startup of the process of the defined class (or kernel) is denied by the tested policy but the "denied" decision is expected.
The PAL language supports abbreviated forms of security event descriptions:
security: <Process SID>!<qualified name of security interface method> corresponds tosecurity src=<process SID>method=<qualified name of security interface method>.request: <client SID>~><kernel/server SID>:<qualified name of endpoint.method name> corresponds torequest src=<client SID>dst=<kernel/server SID>endpoint=<qualified name of endpoint>method=<method name>.response: <client SID><~<kernel/server SID>:<qualified name of endpoint.method name> corresponds toresponse src=<kernel/server SID>dst=<client SID>endpoint=<qualified name of endpoint>method=<method name>.
If an interface method has parameters, their values are defined by comma-separated constructs:
<parameter name> : <value>
The names and types of parameters must comply with the IDL description. The sequence order of parameters is not important.
Example definition of parameter values
{ param1 : 23, param2 : "bar", param3: { collection : [5,7,12], filehandle : 15 }, param4 : { name : ["foo", "baz" } }
In this example, the number is passed through the param1 parameter. The string buffer is passed through the param2 parameter. A structure consisting of two fields is passed through the param3 parameter. The collection field contains an array or sequence of three numeric elements. The filehandle field contains the SID. A union or structure containing one field is passed through the param4 parameter. The name field contains an array or sequence of two string buffers.
Currently, only an SID can be indicated as the value of a Handle parameter, and there is no capability to indicate the SID together with a handle permissions mask. For this reason, it is not possible to properly test a solution security policy when the permissions masks of handles influence the security module decisions.
Example descriptions of policy tests
See "Example descriptions of tests for KasperskyOS-based solution security policies".
Test procedure
Descriptions of tests are placed into PSL files, including those that contain a solution security policy description (for example, into the security.psl file).
To run tests, you need to use the --tests run parameter when starting the nk-psl-gen-c compiler:
$ nk-psl-gen-c --tests run <other parameters> security.psl
You also need to indicate the following data for the nk-psl-gen-c compiler:
- Directories that contain auxiliary files from the KasperskyOS SDK (
common,sysroot-*-kos/include,toolchain/include). This set of directories is defined by the parameters-I, -include-dir<path to files>. - Directories that contain PSL, IDL, CDL, and EDL files related to the solution. This set of directories is defined by the parameters
-I, --include-dir<path to files>. - Path to the file that will save the source code of the Kaspersky Security Module and tests. This path is defined by the parameter
-o, --output<path to file>.
The nk-psl-gen-c compiler generates the source code of the security module and tests in the C language, saves this code to a file, and then runs the compilation of this code using gcc and executes the obtained test program. The test program is run in an environment where the KasperskyOS SDK is installed (on a computer running a Linux operating system). It does not utilize the KasperskyOS kernel, system software or applications of the solution.
To generate the source code of the security module and tests without compiling it, you need to use the --tests generate parameter when starting the nk-psl-gen-c compiler.
Test results are printed to the console. To print the test results to a file, you need to use the --test-output <path to file> parameter when starting the nk-psl-gen-c compiler.
Example test results:
# PAL test run
## Execute (1/2)
* Happy path: FAIL
Step 2/2: ExpectGrant Execute "This should not fail"
component/secure_platform/kss/nk/psl/nk-psl-gen-c/tests/examples/include/router.psl:38:5-40:3
* No rule: PASS
## IPC (2/2)
* Happy path: PASS
* No rule: PASS
## Security (2/2)
* Happy path: PASS
* No rule: PASS
The test results contain information about whether or not each test passed or failed. If a test failed, the results indicate which test case from the specific test did not pass, and provide the location of the description of the failed test case in the PSL file.
Page topPSL data types
The data types supported in the PSL language are presented in the table below.
PSL data types
Designations of types |
Description of types |
|---|---|
|
Unsigned integer |
|
Signed integer |
|
Boolean type The Boolean type includes two values: |
|
Text type |
|
The |
|
Text literal A text literal includes one immutable text value. Example definitions of text literals:
|
< |
Integer literal An integer literal includes one immutable integer value. Example definitions of integer literals:
|
< |
Variant type A variant type combines two or more types and may perform the role of either of them. Examples of definitions of variant types:
|
|
Dictionary A dictionary consists of one or more types of fields. A dictionary can be empty. Examples of dictionary definitions:
|
|
Tuple A tuple consists of fields of one or more types in the order in which the types are listed. A tuple can be empty. Examples of tuple definitions:
|
|
Set A set includes zero or more unique elements of the same type. Examples of set definitions:
|
|
List A list includes zero or more elements of the same type. Examples of list definitions:
|
|
Associative array An associative array includes zero or more entries of the "key-value" type with unique keys. Example of defining an associative array:
|
|
Array An array includes a defined number of elements of the same type. Example of defining an array:
|
|
Sequence A sequence includes from zero to the defined number of elements of the same type. Example of defining a sequence:
|
Aliases of certain PSL types
The nk/base.psl file from the KasperskyOS SDK defines the data types that are used as the types of parameters (or structural elements of parameters) and returned values for methods of various security models. Aliases and definitions of these types are presented in the table below.
Aliases and definitions of certain data types in PSL
Type alias |
Type definition |
|---|---|
|
Unsigned integer
|
|
Signed integer
|
|
Integer
|
|
Scalar literal
|
|
Literal
|
|
Type of security ID (SID)
|
|
Type of security ID (SID)
|
|
Dictionary containing fields for the SID and handle permissions mask
|
|
Type of data received by expressions of security models called in the
|
|
Type of data defining the conditions for conducting the security audit
|
Mapping IDL types to PSL types
Data types of the IDL language are used to describe the parameters of interface methods. The input data for security model methods have types from the PSL language. The set of data types in the IDL language differs from the set of data types in the PSL language. Parameters of interface methods transmitted in IPC messages can be used as input data for methods of security models, so the policy description developer needs to understand how IDL types are mapped to PSL types.
Integer types of IDL are mapped to integer types of PSL and to variant types of PSL that combine these integer types (including with other types). For example, signed integer types of IDL are mapped to the Signed type in PSL, and integer types of IDL are mapped to the ScalarLiteral type in PSL.
The Handle type in IDL is mapped to the HandleDesc type in PSL.
Unions and structures of IDL are mapped to PSL dictionaries.
Arrays and sequences of IDL are mapped to arrays and sequences of PSL, respectively.
String buffers in IDL are mapped to the text type in PSL.
Byte buffers in IDL are not currently mapped to PSL types, so the data contained in byte buffers cannot be used as inputs for security model methods.
Page topExamples of binding security model methods to security events
Before analyzing examples, you need to become familiar with the Base security model.
Processing the initiation of process startups
/* The KasperskyOS kernel and any process
* in the solution is allowed to start any
* process. */
execute { grant () }
/* The kernel is allowed to start a process
* of the Einit class. */
execute src=kl.core.Core, dst=Einit { grant () }
/* An Einit-class process is allowed
* to start any process in the solution. */
execute src=Einit { grant () }
Handling the startup of the KasperskyOS kernel
/* The KasperskyOS kernel is allowed to start.
* (This binding is necessary so that the security
* module can be notified of the kernel SID. The kernel starts irrespective
* of whether this is allowed by the solution security policy
* or denied. If the solution security policy denies the
* startup of the kernel, after startup the kernel will terminate its
* execution.) */
execute src=kl.core.Core, dst=kl.core.Core { grant () }
Handling IPC request forwarding
/* Any client in the solution is allowed to query
* any server and the KasperskyOS kernel. */
request { grant () }
/* A client of the Client class is allowed to query
* any server in the solution and the kernel. */
request src=Client { grant () }
/* Any client in the solution is allowed to query
* a server of the Server class. */
request dst=Server { grant () }
/* A client of the Client class is not allowed to
* query a server of the Server class. */
request src=Client dst=Server { deny () }
/* A client of the Client class is allowed to
* query a server of the Server class
* by calling the Ping method of the net.Net endpoint. */
request src=Client dst=Server endpoint=net.Net method=Ping {
grant ()
}
/* Any client in the solution is allowed to query
* a server of the Server class by calling the Send method
* of the endpoint with the MessExch interface. */
request dst=Server interface=MessExch method=Send {
grant ()
}
Handling IPC response forwarding
/* A server of the Server class is allowed to respond to
* queries of a Client-class client that
* calls the Ping method of the net.Net endpoint. */
response src=Server, dst=Client, endpoint=net.Net, method=Ping {
grant ()
}
/* The server containing the kl.drivers.KIDF component
* that provide endpoints with the monitor interface is allowed to
* respond to queries of a DriverManager-class client
* that uses these endpoints. */
response dst=DriverManager component=kl.drivers.KIDF interface=monitor {
grant ()
}
Handling the transmission of IPC responses containing error information
/* A server of the Server class is not allowed to notify a client
* of the Client class regarding errors that occur
* when the client queries the server by calling the
* Ping method of the net.Net endpoint. */
error src=Server, dst=Client, endpoint=net.Net, method=Ping {
deny ()
}
Handling queries sent by processes to the Kaspersky Security Module
/* A process of the Sdcard class will receive the
* "granted" decision from the Kaspersky Security Module
/* by calling the Register method of the security interface.
* (Using the security interface defined
* in the EDL description.) */
security src=Sdcard, method=Register {
grant ()
}
/* A process of the Sdcard class will receive the "denied" decision
* from the security module when calling the Comp.Register method
* of the security interface. (Using the security interface
* defined in the CDL description.) */
security src=Sdcard, method=Comp.Register {
deny ()
}
Using match sections
/* A client of the Client class is allowed to query
* a server of the Server class by calling the Send
* and Receive methods of the net endpoint. */
request src=Client, dst=Server, endpoint=net {
match method=Send { grant () }
match method=Receive { grant () }
}
/* A client of the Client class is allowed to query
* a server of the Server class by calling the Send
* and Receive methods of the sn.Net endpoint and the Write and
* Read methods of the sn.Storage endpoint. */
request src=Client, dst=Server {
match endpoint=sn.Net {
match method=Send { grant () }
match method=Receive { grant () }
}
match endpoint=sn.Storage {
match method=Write { grant () }
match method=Read { grant () }
}
}
Assigning audit profiles
/* Assigning the default global audit profile
* and initial audit runtime-level of 0 */
audit default = global 0
request src=Client, dst=Server {
/* Assigning a parent audit profile at the level of
* binding methods of security models to
* security events */
audit parent
match endpoint=net.Net, method=Send {
/* Assigning a child audit profile at the
* match section level */
audit child
grant ()
}
/* This match section applies a
* parent audit profile. */
match endpoint=net.Net, method=Receive {
grant ()
}
}
/* This binding of the security model method
* to the security event utilizes the
* global audit profile. */
response src=Client, dst=Server {
grant ()
}
Example descriptions of basic security policies for KasperskyOS-based solutions
Before analyzing examples, you need to become familiar with the Struct, Base and Flow security models.
Example 1
The solution security policy in this example allows any interaction between different processes of the Client, Server and Einit classes, and between these processes and the KasperskyOS kernel. The "granted" decision will always be received when these processes query the Kaspersky Security Module. This policy can be used only as a stub during the early stages of development of a KasperskyOS-based solution so that the Kaspersky Security Module does not interfere with interactions. It would be unacceptable to apply such a policy in a real-world KasperskyOS-based solution.
security.psl
execute: kl.core.Execute
use nk.base._
use EDL Einit
use EDL Client
use EDL Server
use EDL kl.core.Core
execute { grant () }
request { grant () }
response { grant () }
error { grant () }
security { grant () }
Example 2
The solution security policy in this example imposes limitations on queries sent from clients of the FsClient class to servers of the FsDriver class. When a client opens a resource controlled by a server of the FsDriver class, a finite-state machine in the unverified state is associated with this resource. A client of the FsClient class is allowed to read data from a resource controlled by a server of the FsDriver class only if the finite-state machine associated with this resource is in the verified state. To switch a resource-associated finite-state machine from the unverified state to the verified state, a process of the FsVerifier class needs to query the Kaspersky Security Module.
In a real-world KasperskyOS-based solution, this policy cannot be applied because it allows an excessive variety of interactions between different processes and between processes and the KasperskyOS kernel.
security.psl
execute: kl.core.Execute
use nk.base._
use nk.flow._
use nk.basic._
policy object file_state : Flow {
type States = "unverified" | "verified"
config = {
states : ["unverified" , "verified"],
initial : "unverified",
transitions : {
"unverified" : ["verified"],
"verified" : []
}
}
}
execute { grant () }
request { grant () }
response { grant () }
use EDL kl.core.Core
use EDL Einit
use EDL FsClient
use EDL FsDriver
use EDL FsVerifier
response src=FsDriver, endpoint=operationsComp.operationsImpl, method=Open {
file_state.init {sid: message.handle.handle}
}
request src=FsClient, dst=FsDriver, endpoint=operationsComp.operationsImpl, method=Read {
file_state.allow {sid: message.handle.handle, states: ["verified"]}
}
security src=FsVerifier, method=Approve {
file_state.enter {sid: message.handle.handle, state: "verified"}
}
Example descriptions of security audit profiles
Before analyzing examples, you need to become familiar with the Base, Regex and Flow security models.
Example 1
// Describing a trace security audit profile
// base – Base security model object
// session – Flow security model object
audit profile trace =
/* If the audit runtime-level is equal to 0, the audit covers
* base object rules when these rules return
* the "denied" result. */
{ 0 :
{ base :
{ kss : ["denied"]
}
}
/* If the audit runtime-level is equal to 1, the audit covers methods
* of the session object in the following cases:
* 1. Rules of the session object return a "granted"
* or "denied" result, and the finite-state machine is in a state
* other than closed.
* 2. A query expression of the session object is called, and the
* finite-state machine is in a state other than closed. */
, 1 :
{ session :
{ kss : ["granted", "denied"]
, omit : ["closed"]
}
}
/* If the audit runtime-level is equal to 2, the audit covers methods
* of the session object in the following cases:
* 1. Rules of the session object return a "granted"
* or "denied" result.
* 2. A query expression of the session object is called. */
, 2 :
{ session :
{ kss : ["granted", "denied"]
}
}
}
Example 2
// Describing a test security audit profile
// base – Base security model object
// re – Regex security model object
audit profile test =
/* If the audit runtime-level is equal to 0, rules of the base object
* and expressions of the re object are not covered by the audit. */
{ 0 :
{ base :
{ kss : []
}
, re :
{ kss : []
, emit : []
}
}
/* If the audit runtime-level is equal to 1, rules of the
* base object are not covered by the audit, and expressions of the
* re object are covered by the audit.*/
, 1 :
{ base :
{ kss : []
}
, re :
{ kss : []
, emit : ["match", "select"]
}
}
/* If the audit runtime-level is equal to 2, rules of the base object
* and expressions of the re object are covered by the audit. Rules
* of the base object are covered by the audit irrespective of the
* result that they return.*/
, 2 :
{ base :
{ kss : ["granted", "denied"]
}
, re :
{ kss : []
, emit : ["match", "select"]
}
}
}
Example descriptions of tests for KasperskyOS-based solution security policies
Example 1
/* Description of a test set that includes only one test. */
assert "some tests" {
/* Description of a test that includes four test cases. */
sequence "first sequence" {
/* It is expected that startup of a Server-class process is allowed.
* If this is true, the s variable will be assigned the SID value
* of the started Server-class process. */
s <- execute dst=Server
/* It is expected that startup of a Client-class process is allowed.
* If this is true, the c variable will be assigned the SID value
* of the started Client-class process. */
c <- execute dst=Client
/* It is expected that a client of the Client class is allowed to query
* a server of the Server class by calling the Ping method of the pingComp.pingImpl endpoint
* with the value parameter equal to 100. */
grant "Client calls Ping" request src=c dst=s endpoint=pingComp.pingImpl
method=Ping { value : 100 }
/* It is expected that a server of the Server class is not allowed to respond to a client
* of the Client class if the client calls the Ping method of the pingComp.pingImpl endpoint.
* (The IPC response does not contain any parameters because the Ping interface method
* has no output parameters.) */
deny "Server cannot respond" response src=s dst=c endpoint=pingComp.pingImpl
method=Ping {}
}
}
Example 2
/* Description of a test set that includes two tests. */
assert "ping tests"{
/* Initial part of each of the two tests */
setup {
s <- execute dst=Server
c <- execute dst=Client
}
/* Description of a test that includes two test cases. */
sequence "ping-ping is denied" {
/* It is expected that a client of the Client class is allowed to query
* a server of the Server class by calling the Ping method of the pingComp.pingImpl endpoint
* with the value parameter equal to 100. */
c ~> s : pingComp.pingImpl.Ping { value : 100 }
/* It is expected that a client of the Client class is not allowed to query
* a server of the Server class by once again calling the Ping method of the pingComp.pingImpl endpoint
* with the value parameter equal to 100. */
deny c ~> s : pingComp.pingImpl.Ping { value : 100 }
}
/* Description of a test that includes two test cases. */
sequence "ping-pong is granted" {
/* It is expected that a client of the Client class is allowed to query
* a server of the Server class by calling the Ping method of the pingComp.pingImpl endpoint
* with the value parameter equal to 100. */
c ~> s : pingComp.pingImpl.Ping { value: 100 }
/* It is expected that a client of the Client class is allowed to query
* a server of the Server class by calling the Pong method of the pingComp.pingImpl endpoint
* with the value parameter equal to 100. */
c ~> s : pingComp.pingImpl.Pong { value: 100 }
}
}
Example 3
/* Description of a test set that includes only one test. */
assert {
/* Description of a test that includes eight test cases. */
sequence {
storage <− execute dst=test.kl.UpdateStorage
manager <− execute dst=test.kl.UpdateManager
deployer <− execute dst=test.kl.UpdateDeployer
downloader <− execute dst=test.kl.UpdateDownloader
grant manager ~>
downloader:UpdateDownloader.Downloader.LoadPackage { url : ”url012345678” }
grant response src=downloader dst=manager endpoint=UpdateDownloader.Downloader
method=LoadPackage { handle : 29, result : 1 }
deny manager ~> deployer:UpdateDeployer.Deployer.Start { handle : 29 }
deny request src=manager dst=deployer endpoint=UpdateDeployer.Deployer
method=Start { handle : 29 }
}
}