Institutional Repository
| 基于可信计算的策略标签保护架构 | |
| Alternative Title | a trusted computing-based security architecture for policy-label protection |
| 刘孜文; 冯登国; 于爱民 | |
| 2011 | |
| Source | 计算机研究与发展
 |
| ISSN | 1000-1239 |
| Volume | 48Issue:12Pages:2219-2226 |
| English Abstract | 策略和标签是访问控制技术中的核心内容,决定了一个访问控制系统的实施内容.现今的大部分安全系统对策略的保护较为严格,但对标签的保护却缺乏一个完善、系统的保护方案,这导致即使策略本身是安全的、完备的,恶意者仍然可以通过篡改用作策略实施判断的标签来危害系统,系统安全仍然无法保证.为此提出了一个保护架构,着重保护系统中的安全标签.它通过使用加密文件系统、完整性度量等机制扩展可信计算芯片的控制范围,将标签置于可信计算的保护范围内,从而防止标签遭受篡改,确保其安全性.最后给出其基于Linux操作系统的原型实现. |
| Indexed Type | CNKI ; EI ; WANFANG |
| Abstract | Policies and labels are the most important parts in access control technique. Labels present some security properties of the subject and the object, meanwhile policies present some logical algorithms based on the security properties carried by labels. The enforcement of access control system can be mainly decided by these two factors. Nowadays most security systems can give a well protection to the policies, but almost none of them have systemic and well-defined methods to protect labels. They just believe that the operation system can do the work itself. The lack of label protection leads to a result that even the policies are secure and well-defined, malwares can still do harms to the system by tempering the labels. Then the system is unsafe in the end. An architecture mainly to protect the security labels in the system by using TPM (trusted computing module) chip is proposed. TPM chip is a kind of hardware provided by TCG (Trusted Computing Group). It can be used to build a TCB (trusted computing base) in a secure system. But the TCB here is too small to hold labels. By using some mechanisms such as encrypting file system and integrity measurement, we extend the edge of the TPM chip's control area and keep the labels into this area in order to enhance the safety of access control system. Implementation of a prototype system on the Linux OS is given and the experiments show the security and efficiency of our implementation. |
| Keyword | 策略标签保护 可信计算 访问控制 加密文件系统 完整性度量 |
| Department | 中国科学技术大学电子工程与信息科学系;信息安全国家重点实验室(中国科学院软件研究所); |
| Sponsorship | 国家科技支撑计划基金项目(2008BAH22B06)|国家“八六三”高技术研究发展计划基金项目(2007AA01Z412,2007AA01Z465)|国家自然科学基金项目(60970028) |
| Language | 中文 |
| Content Type | 期刊论文 |
| URI | http://ir.iscas.ac.cn/handle/311060/16131 |
| Collection | 中国科学院软件研究所 |
| Recommended Citation GB/T 7714 | 刘孜文,冯登国,于爱民. 基于可信计算的策略标签保护架构[J]. 计算机研究与发展,2011,48(12):2219-2226. |
| APA | 刘孜文,冯登国,&于爱民.(2011).基于可信计算的策略标签保护架构.计算机研究与发展,48(12),2219-2226. |
| MLA | 刘孜文,et al."基于可信计算的策略标签保护架构".计算机研究与发展 48.12(2011):2219-2226. |
| Files in This Item: | There are no files associated with this item. | |||||
Items in the repository are protected by copyright, with all rights reserved, unless otherwise indicated.
Edit Comment