
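A Trusted Multi-Level Security Container Mechanism Based on a Lightweight Virtualization Environment
Cite this article: Ji Chen, Shi Yong, Dai Ming, Li Xiaoyong. A Trusted Multi-Level Security Container Mechanism Based on a Lightweight Virtualization Environment[J]. Application Research of Computers, 2017, 34(6).
Authors: Ji Chen, Shi Yong, Dai Ming, Li Xiaoyong
Affiliations: School of Computer and Information Technology, Beijing Jiaotong University; School of Computer and Information Technology, Beijing Jiaotong University; China Transport Telecommunications Information Center; School of Computer and Information Technology, Beijing Jiaotong University
Funding: China Railway Corporation research project (YS2016X-35); Ministry of Transport of China science and technology project (2015-362-208-430)
Abstract: Traditional multi-level security mechanisms generally depend on a secure operating system for their implementation, but these multi-level security systems ultimately proved unsuccessful in practical use. To address the poor practicality of current multi-level security mechanisms, a trusted multi-level security container mechanism based on a lightweight virtualization environment is proposed. First, the system's security domains are partitioned and a set of multi-level security policy rules is proposed; then formal methods are used to prove that the rules satisfy multi-level security requirements; finally, union file system technology and container technology are used to show the technical feasibility of the mechanism, and application scenarios are described. The results show that the method is simple to implement and widely applicable, and can effectively improve the poor practicality of multi-level security mechanisms.

Keywords: multi-level security, virtualization, formalization, security policy
Received: 2016/5/3 0:00:00
Revised: 2017/4/10 0:00:00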

A Trusted Multi-level Security Container Mechanism based on Lightweight Virtualization Environment
Ji Chen, Shi Yong, Dai Ming and Li Xiaoyong. A Trusted Multi-level Security Container Mechanism based on Lightweight Virtualization Environment[J]. Application Research of Computers, 2017, 34(6).
Authors: Ji Chen, Shi Yong, Dai Ming and Li Xiaoyong
Affiliation: School of Computer and Information Technology, Beijing Jiaotong University; School of Computer and Information Technology, Beijing Jiaotong University; China Transport Telecommunications Information Center; School of Computer and Information Technology, Beijing Jiaotong University
Abstract: Traditional multi-level security mechanisms usually depend on a secure operating system, and such systems have ultimately proved impractical. To improve the applicability of multi-level security, this paper proposes a trusted multi-level security container mechanism based on a lightweight virtualization environment. The method first proposes a set of multi-level security policy rules based on a division of the system into security domains. The policy is then proved, by formal methods, to meet the requirements of multi-level security. Finally, the paper illustrates the technical feasibility of the mechanism using union file system technology and container technology, and discusses application scenarios. The results show that the method is simple to implement and has a wide range of application, and that it can effectively improve the applicability of multi-level security mechanisms.
Keywords: multi-level security, virtualization, formalization, security policy