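Abstract
In traditional access control systems, the privileges a program needs during execution do not exactly match the privileges held by the user who executes it. The latter are generally greater than the former, which has led to many security vulnerabilities. To address this shortcoming of traditional access control systems, the paper designs a program resource access control system (pRM). By modeling and monitoring in real time the system resources accessed during program execution, such as files and directories, it limits a program's privileges during execution fairly precisely and strengthens the program's security.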
The privileges that programs need during their execution are not the same as those of users or user groups, while traditional access control systems always grant programs privileges according to those of users or groups. Because of this limitation of traditional access control systems, many security holes have emerged in modern operating systems. This paper introduces a system named pRM (Process Resource Monitor) which can monitor and control access to system resources at runtime. By using pRM, more precise authorization of privileges to processes can be carried out according to what they need during their execution. Through experiments on many applications such as Apache, the paper shows that pRM is efficient and does not impose significant performance penalties.
Source
《计算机工程》
EI
CAS
CSCD
Peking University Core Journals (北大核心)
2005, Issue 22, pp. 149-151 (3 pages)
Computer Engineering
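Funding
Supported by the National "863" Program project "Secure Operating System" (863-2003AA144010)
Keywords
Precise authorization
Program behavior
Anomaly detection
Misuse detection
Resource access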
Precision-authorization
Program behavior
Abuse detection
Misuse detection
Resource access