Contents
HashSet security model
The HashSet security model associates resources with one-dimensional tables of unique values of the same type, adds or deletes these values, and checks whether a defined value is in the table. For example, a process of the network server can be associated with the set of ports that this server is allowed to open. This association can be used to check whether the server is allowed to initiate the opening of a port.
A PSL file containing a description of the HashSet security model is located in the KasperskyOS SDK at the following path:
toolchain/include/nk/hashmap.psl
HashSet security model object
To use the HashSet security model, you need to create an object or objects of this model.
A HashSet security model object contains a pool of one-dimensional tables of the same size intended for storing the values of one type. A resource can be associated with only one table from the tables pool of each HashSet security model object.
A HashSet security model object has the following parameters:
type Entry
– type of values in tables (these can be integer types,Boolean
type, and dictionaries and tuples based on integer types and theBoolean
type).config
– configuration of the pool of tables:set_size
– size of the table.pool_size
– number of tables in the pool.
All parameters of a HashSet security model object are required.
Example:
A HashSet security model object can be covered by a security audit. There are no audit conditions specific to the HashSet security model.
It is necessary to create multiple objects of the HashSet security model in the following cases:
- You need to configure a security audit differently for different objects of the HashSet security model (for example, you can apply different audit profiles or different audit configurations of the same profile for different objects).
- You need to distinguish between calls of methods provided by different objects of the HashSet security model (audit data includes the name of the security model method and the name of the object that provides this method, so you can verify that the method of a specific object was called).
- You need to use tables of different sizes and/or with different types of values.
HashSet security model init rule
It associates a free table from the tables pool with the sid
resource. If the free table contains values after its previous use, these values are deleted.
It returns the "allowed" result if an association was created between the table and the sid
resource.
It returns the "denied" result in the following cases:
- There are no free tables in the pool.
- The
sid
resource is already associated with a table from the tables pool of the HashSet security model object being used. - The
sid
value is outside of the permissible range.
Example:
HashSet security model fini rule
It deletes the association between the table and the sid
resource (the table becomes free).
It returns the "allowed" result if the association between the table and the sid
resource was deleted.
It returns the "denied" result in the following cases:
- The
sid
resource is not associated with a table from the tables pool of the HashSet security model object being used. - The
sid
value is outside of the permissible range.
HashSet security model add rule
It adds the entry
value to the table associated with the sid
resource.
It returns the "allowed" result in the following cases:
- The rule added the
entry
value to the table associated with thesid
resource. - The table associated with the
sid
resource already contains theentry
value.
It returns the "denied" result in the following cases:
- The table associated with the
sid
resource is completely full. - The
sid
resource is not associated with a table from the tables pool of the HashSet security model object being used. - The
sid
value is outside of the permissible range.
Example:
HashSet security model remove rule
It deletes the entry
value from the table associated with the sid
resource.
It returns the "allowed" result in the following cases:
- The rule deleted the
entry
value from the table associated with thesid
resource. - The table associated with the
sid
resource does not contain theentry
value.
It returns the "denied" result in the following cases:
- The
sid
resource is not associated with a table from the tables pool of the HashSet security model object being used. - The
sid
value is outside of the permissible range.
HashSet security model contains expression
It checks whether the entry
value is in the table associated with the sid
resource.
It returns a value of the Boolean
type. If the entry
value is in the table associated with the sid
resource, it returns true
. Otherwise it returns false
.
It runs incorrectly in the following cases:
- The
sid
resource is not associated with a table from the tables pool of the HashSet security model object being used. - The
sid
value is outside of the permissible range.
When the expression runs incorrectly, the Kaspersky Security Module returns the "denied" decision.
Example: