Institutional Repository of the Institute of Software, Chinese Academy of Sciences
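Title: A Dynamically Loadable, Modular Secure Linux Kernel (可动态载入的模块化安全Linux内核)
Author: 王涛
Defense date: 2003
Major: Computer Application Technology
Degree-granting institution: Institute of Software, Chinese Academy of Sciences
Place of conferral: Institute of Software, Chinese Academy of Sciences
Degree: Doctoral
Keywords: secure kernel; security module; dynamic loading; digital certificate; general cache
Other title: Runtime Loadable Modulized Secure Linux Kernel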
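Abstract: Drawing on existing research results and practical experience with secure operating systems, this thesis proposes a model for building an operating system security kernel that has a modular structure and can be dynamically loaded from the application layer. KNumen is an instance of this model developed on the Linux platform. It is structurally simple, flexibly configurable, highly portable, full-featured, and easy to maintain and use. Its most prominent features are identity authentication based on digital certificates, flexible configuration of security modules according to actual needs, and remote administration. KNumen has a compact structure made up of three main parts: the enforcement facility, the decision facility, and the security policy database. The enforcement facility intercepts system calls from applications, forms decision requests, and enforces the decision results. The callback functions provided by the decision facility are the basis on which security modules achieve dynamic loading and modularization, and the security modules are where the various security mechanisms are implemented. The security policy database stores the security policy configuration of the whole system; how it is stored is independent of the file system. To improve system performance, a general-purpose cache of access control information, based on split trees, can be created inside the security kernel. Practice shows that adding the cache effectively overcomes the drop in kernel execution efficiency. In addition, the certificate-based authentication mechanism strengthens the security and reliability of the system. Users have their own public and private keys, and can use certificate files to authenticate and log in remotely, establishing a trusted, confidential network connection. KNumen's security modules include ones that implement common security functions, such as the MAC module, the ACL module, and the audit module, as well as ones that perform special security functions, such as the important process protection module and the trusted process authorization module. In fact, far more security modules than these can be implemented, and there is still much in the system itself that can be extended and improved; these are directions for further refinement and development. The ideas proposed in this thesis are a new attempt in the research and development of secure operating systems. Practice has shown that the system is effective and achieves the expected results, so it can serve as a basis for further in-depth research and development in this area.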
English abstract: Based on various research results and practical experiences, this paper presents a new design model to build a modulized secure OS kernel loadable from the application level. The project named KNumen has been developed to realize this new model on the Linux system. Practical experience shows that KNumen is simple, strong, configurable, portable, and at the same time easy to use and maintain. In particular, users are required to authenticate through digital certificates. The security administrator can make flexible combinations of security modules according to practical security requirements, and administrate the system remotely by using graphical interfaces. Being compact in its architecture, KNumen is divided into three main parts: Enforcement, Decision and Security Policy Database. Enforcement facilities intercept system calls from application programs, transform them into decision requests and enforce the decision results. The kernel mechanisms that make it runtime-loadable and modulized are mainly built on the callback function interfaces provided by the decision facility, and the various security policies are implemented inside the security modules. The Security Policy Database is where security policies are stored, independent of any underlying file system. In order to improve system performance, a general cache to preserve access control information is built upon split trees inside the secure kernel. It has been proved that the usage of the cache can effectively overcome the performance deficiencies. Furthermore, the authentication mechanism based on digital certificates strengthens the security and reliability of the whole system. Users have their own public and private keys. They can remotely authenticate and log in by using certificate files, then build up a trusted and secure network connection to the target machine.
The security modules implemented in KNumen include well-known ones, such as the MAC, ACL and Audit modules, as well as specially designed ones, such as the Important Process Protection and Trusted Program Authorization modules. In fact, far more security modules than these could be implemented. There are still many problems to be solved, and the whole system needs to be optimized; this work remains to be done in the future. The idea put forward by this paper intends to open a new approach to building secure OS kernels. The effectiveness of this approach is proved by practical systems, making it a solid ground for future research and development in this direction.
Language: Chinese
Content type: Dissertation
URI: http://ir.iscas.ac.cn/handle/311060/6052
Appears in Collections: Institute of Software, Chinese Academy of Sciences

Files in This Item:
File Name / File Size | Content Type | Version | Access | License
LW011227.pdf (3549KB) | -- | -- | Restricted access | -- (contact to obtain full text)

Recommended Citation:
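王涛. A Dynamically Loadable, Modular Secure Linux Kernel (可动态载入的模块化安全Linux内核) [D]. Institute of Software, Chinese Academy of Sciences. Institute of Software, Chinese Academy of Sciences. 2003-01-01.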

Items in IR are protected by copyright, with all rights reserved, unless otherwise indicated.

 

 
