Computer Engineering & Science ›› 2023, Vol. 45 ›› Issue (10): 1770-1778.

• Computer Network and Information Security •

An attribute-based dynamic mandatory access control mechanism for operating system

DING Yan, WANG Peng, WANG Chuang, LI Zhi-peng, SONG Lian-tao, FENG Liao-liao

  1. (College of Computer Science and Technology, National University of Defense Technology, Changsha 410073, China)
  • Received: 2022-11-11 Revised: 2023-04-22 Accepted: 2023-10-25 Online: 2023-10-25 Published: 2023-10-17
  • Supported by:
    National Natural Science Foundation of China (U19A2060, 62172431)

Abstract: Mandatory access control (MAC) in an operating system (OS) provides strong security guarantees because it runs at a high privilege level. However, classical OS MAC supports only static security policies: when the security requirements of an application scenario change, the security policy must be reconfigured and reloaded. It is therefore difficult to meet the need for dynamic regulation of access permissions in scenarios such as state transitions of highly sensitive applications, cloud-native dynamic scheduling, and BYOD. Attribute-based access control offers strong extensibility, high flexibility, and strong expressive power, which suggests a way to make security policies more dynamic and flexible. This paper first proposes a theoretical model and a system architecture model of attribute-based dynamic mandatory access control for operating systems. A prototype system is then designed and implemented on top of the classic MAC mechanism of Linux, which verifies the feasibility of the model. Finally, to address the performance impact that introducing attributes may bring, optimization of access control is studied in terms of both time and space.

Key words: attribute, operating system, dynamic mandatory access control