基于LSM框架构建Linux安全模块

操作系统安全是信息安全的一个重要方向.Linux安全模块(LSM)为Linux操作系统内核支持多个安全模块提供了有力的支持.首先介绍了LSM的实现机制,详细分析了它的关键技术.然后,以一个具体的安全模块为例,描述了如何使用LSM机制在Linux操作系统中完成一个简单的安全模块的开发.介绍了安全模型构建的过程,并对它的安全性进行了讨论.使用LSM框架可以使得操作系统灵活的支持和采用各种不同的安全策略,提高系统的安全性.     

微内核中断机制的形式化设计与验证

操作系统的正确性和安全性很难用定量的方法进行描述。形式化方法是操作系统设计和验证领域公认的标 准方法。以操作系统对象语义模型(OSOSM)为基础,采用形式化方法对微内核架构的中断机制进行了设计和验证, 在自行开发的安全可信操作系统VTOS上加以实现,采用Isabelle/HOL对设计过程进行了形式化描述,对VTOS中 断机制的完整性进行了验证,这对操作系统的形式化设计和验证工作起到了一定的借鉴意义。     

安全操作系统中基于多策略的应用支持模型

在安全操作系统中，安全策略的实施可能导致已有的应用程序无法正常运行。把应用程序抽象为一组功能模块的集合，在此基础上提出安全策略与应用程序之间的兼容性检测方法。基于多策略安全模型，该文建立安全操作系统的应用支持模型，分析了该模型的安全性。     

构建Linux安全模块

Linux安全模块（LSM）为Linux操作系统内核支持多个安全模块提供了有力的支持。本文首先介绍了LSM的实现机制,详细分析了它的关键技术。然后,以一个简单的安全模块为例,描述了如何使用LSM机制在Linux操作系统中完成一个简单的安全模块的开发。使用LSM框架可以使得操作系统灵活的支持和采用各种不同的安全策略,提高系统的安全性。     

安全操作系统等级评测系统

操作系统安全性的测评是实现安全操作系统的一个极为重要的环节，如果不测评、验证所开发操作系统的安全性和该安全性的可信度，那么开发出的安全操作系统的安全性就没有任何保证。该文给出了一个自主设计的安全操作系统等级评测系统，能够对安全操作系统的安全级别进行半自动评测，也就是在操作员的参与下对操作系统的安全性等级进行量化。     

基于服务体模型的安全操作系统中的通信与安全控制

在介绍基于执行流／服务体的操作系统模型的基础上，重点讨论了基于该模型的安全操作系统中的通信机制及其安全控制．分析了通信可能受到的威胁，并给出了相应的对抗方法．从而简便有效的保证了操作系统的安全性．     

文件安全性血统的演变方法

现有的操作系统文件安全一般采用授权机制,它忽略了文件之间存在的安全性关联。血统是动物之间固有的一种亲缘关系,该文借鉴血统描述文件的宗亲关系,建立了一个安全体系。给出了文件血统的基本定义和模型的描述,并以Linux为背景,给出了一个文件血统的建立、演变、杂交和权限运算的文件安全机制。     

一种通用中间件安全模型及形式化描述

本文通过对中间件安全性的分析，结合传统安全模型的特点，从中间件安全模型设计要求的特点出发，建立了一个可应用于任何中间件技术的通用中间件安全模型；最后对该模型的特征进行分析，并运用有穷状态自动机（FSM）对该模型进行形式化描述，并证明了系统的安全性。     

操作系统的安全性概述

信息安全，计算机安全现在已经成为人们普遍关心的问题，其中操作系统的安全性不容忽视。本文概要探讨操作系统安全的重要性，并简单比较了几个流行的操作系统。     

操作系统对象语义模型(OSOSM)及形式化验证

操作系统的复杂性使得其安全性问题日益突出.有不少的研究工作采用形式化的方式对现有的操作系统进行了正确性的验证,这些工作主要是采用程序形式逻辑验证代码级的功能实现性.从系统设计的角度,以高阶逻辑和类型论为基础,提出了操作系统对象语义模型(OSOSM).OSOSM采用分层结构,包括基本功效层、实现层和优化层.OSOSM将操作系统中的行为主体和资源抽象为操作系统对象,建立操作系统的论域,利用以操作系统对象变元集合为定义域到论域的映射表示操作系统的状态,描述操作系统系统调用等行为的语义,使用逻辑系统的谓词公式表达操作系统的安全属性,给出如何验证操作系统在运行过程中保持安全策略和属性的形式化描述方法.以实现并经过形式化验证的可信操作系统(VTOS)为例,阐述OSOSM的语义正确性.使用Isabelle定理证明工具验证设计和安全需求的一致性,以说明VTOS具有预期的安全属性.     

The pros and cons of Unix and Windows security policies

Supporters frequently tout Windows NT as being the most secure commercially available operating system. Others tend to believe this opinion after hearing of Unix's many infamous security vulnerabilities. In reality, the two operating systems have far more in common from a security point of view than people expect. This, then, makes it difficult to honestly assert that NT is more secure than Unix. By providing a brief introduction to the security architectures of Unix and Windows, we hope to convince readers that both operating systems have substantial merit from a security point of view and that neither operating system offers clearly superior security     

Design of secure operating systems with high security levels

Numerous Internet security incidents have shown that support from secure operating systems is paramount to fighting threats posed by modern computing environments. Based on the requirements of the relevant national and international standards and criteria, in combination with our experience in the design and development of the ANSHENG v4.0 secure operating system with high security level (hereafter simply referred to as ANSHENG OS), this paper addresses the following key issues in the design of secure operating systems with high security levels: se- curity architecture, security policy models, and covert channel analysis. The design principles of security architecture and three basic security models: confidentiality, integrity, and privilege control models are discussed, respectively. Three novel security models and new security architecture are proposed. The prominent features of these proposals, as well as their applications to the ANSHENG OS, are elaborated. Cover channel analysis (CCA) is a well-known hard problem in the design of secure operating systems with high security levels since to date it lacks a sound theoretical basis and systematic analysis approach. In order to resolve the fundamental difficulties of CCA, we have set up a sound theoretical basis for completeness of covert channel identification and have proposed a unified framework for covert channel identification and an efficient backward tracking search method. The successful application of our new proposals to the ANSHENG OS has shown that it can help ease and speedup the entire CCA process.     

Design and implementation of a database inference controller

The Inference Problem compromises database systems which are usually considered to be secure. here, users pose sets of queries and infer unauthorized information from the responses that they obtain. An Inference Controller is a device that prevents and/or detects security violations via inference. We are particularly interested in the inference problem which occurs in a multilevel operating environment. In such an environment, the users are cleared at different security levels and they access a multilevel database where the data is classified at different sensitivity levels. A multilevel secure database management system (MLS/DBMS) manages a multilevel database where its users cannot access data to which they are not authorized. However, providing a solution to the inference problem, where users issue multiple requests and consequently infer unauthorized knowledge is beyond the capability of currently available MLS/DBMSs. This paper describes the design and prototype development of an Inference Controller for a MLS/DBMS that functions during query processing. To our knowledge this is the first such inference controller prototype to be developed. We also describe some extensions to the inference controller so that an integrated solution can be provided to the problem.     

安全操作系统非传统开发模式研究

1 引言美国国防部于1983年颁布并于1985年修定的TCSEC标准是安全操作系统发展史上的第一个计算机安全评价标准,它对安全操作系统的开发具有根深蒂固的影响,基于TCSEC标准的开发模式成了传统开发模式的代名词。基于TCSEC标准的开发模式的根本特点是根据以TCSEC标准为中     

How to shrink holes in corporate data dikes

The security of computer systems is a very hard and complex problem. IT staffers who apply security patches or use layered approaches have lulled themselves into a false sense of security. This perceived security is illusionary at best and destructive in the extreme. True security will increasingly require the use of hardened servers and guards. Defense in depth with distributed guards serving as penetration detectors and reporting attacks on corporate systems provides strong protection against both external and internal attackers. This strategy lets system managers minimize damage and greatly improve the recovery of damaged systems and data. Corporations that choose not to appropriately secure their systems will likely regret it. In the future, companies will probably face liability for third-party losses that arise from system compromises     

Security extension for the Canetti-Krawczyk model in identity-based systems

The Canetti-Krawczyk (CK) model is a formalism for the analysis of key-exchange protocols, which can guarantee many security properties for the protocols proved secure by this model. But we find this model lacks the ability to guarantee key generation center (KGC) forward secrecy, which is an important security property for key-agreement protocols based on Identity. The essential reason leading to this weakness is that it does not fully consider the attacker's capabilities. In this paper, the CK model is accordingly extended with a new additional attacker's capability of the KGC corruption in Identity-based systems, which enables it to support KGC forward secrecy.     

可证安全的入侵容忍签名方案

提出了一种可证安全的入侵容忍签名方案,方案具有比前向安全签名和密钥隔离签名更强的安全性,满足无论签名者和基地被入侵多少次,只要入侵不是同时发生的,其他任何时间段的签名都是安全的.另外,即使入侵者同时入侵签名者和基地,获得所有秘密信息,仍然不能伪造以前时间段的签名.方案具有良好的平均性能,所有费用参数包括密钥产生、基密钥(用户密钥)演化、基密钥(用户密钥)更新、签名、验证的时间和签名长度、公钥长度和基地(用户)存储空间大小的复杂性都不超过O(logT).最后证明,假定CDH问题是     

SELinux特权用户管理的设计与应用

分析SELinux体系在当前Linux类操作系统中的应用,基于角色的访问控制模型与可信计算,提出新的特权用户标识定义,利用该定义给出一种安全Linux操作系统特权用户管理方案。通过UID与角色的二维标识方法解决特权用户区分的问题,以可信计算中的密码服务加强认证的安全强度,用内核安全加固解决安全模式切换问题,从而改进SELinux在Linux类操作系统中的安全性。     

安全政策格及一个格的修正

对安全政策灵活性的支持是现代安全操作系统追求的重要目标，安全政策格为安全政策灵活性的研究提供了一个很好的手段。本文通过分析DTOS项目的研究成果讨论安全政策格的基本思想，介绍DTOS项目中设计的一个安全政策格，并针对该安全政策格中存在的问题给出一个修正结果。