进程内细粒度保护域模型及其实现

Fine-grained protection domain model in a process and its implementation

下载PDF

导出

摘要提出了一种利用细粒度保护域方法实现进程权限动态改变的机制。根据进程的不同执行阶段对系统资源和程序地址空间访问方式的不同,将其划分为多个保护域。设置各个保护域对程序地址空间的访问方式,使之能有效地防御用户态代码注入攻击;保护域对系统资源访问的控制通过一个强制访问控制框架来实施,以此满足系统的安全策略。 A fine-grained protection domains method was proposed to address the problem of dynamically changing a proeeas＇s capabilities. According to a precess＇s different access mode of its address space and system resources in its different executing phases, this model partitions it into multiple protection domains. Then it sets up access mode of address space for each of them, which makes it feasible to resist code injection attacks. Meanwhile, it integrates Mandatory Access Control （MAC） framework into it to provide the access control of system resources, which meets the security requirement of the system.

作者王志强黄皓夏磊

机构地区南京大学计算机科学与技术系

出处《计算机应用》 CSCD 北大核心 2007年第6期1356-1359,共4页 journal of Computer Applications

基金国家自然科学基金资助项目(60473093)

关键词保护域访问控制 flask安全体系结构信息安全 protection domain access control flask security architecture information security

分类号 TP309 [自动化与计算机技术—计算机系统结构]

引文网络
相关文献

参考文献8

1WALKER KM,STERNE DF,BADGER ML,et al.Confining Root Programs with Domain and Type Enforcement[A].In Proceedings of the Sixth USENIX UNIX Security Symposium[C].August 1996.
2SPENCER R,SMALLEY S,LOSCOCCO P,et al.The Flask Security Architecture:System Support for Diverse Security Policies[A].In Proceedings of the Eighth USENIX Security Symposium[C].August 1999.
3LOSCOCCO P,SMALLEY S.Integrating Flexible Support for Security Policies into the Linux Operating System[A].In Proceedings of the FREENIX Track:2001 USENIX Annual Technical Conference[C].2001.29-42.
4SELinuxhomepage[EB/OL].http://www.nsa.gov/selinux/,2006.
5SWIFT M,BERSHAD B,LEVY H.Improving the Reliability of Commodity Operating Systems[A].In Proceedings of the 19th ACM Symposium on Operating Systems Principles[C].2003.
6TAKAHASHI M,KONO K,MASUDA T.Efficient Kernel Support of Fine-Grained Protection Domains for Mobile Code[A].In Proceedings of the 19th IEEE International Conference on Distributed Computing Systems[C].1999.
7谢钧,黄皓,张佳.多保护域进程模型及其实现[J].电子学报,2005,33(1):38-42. 被引量：4
8CHIUEH T-C,VENKITACHALAM G,PRADHAN P.Integrating segmentation and paging protection for safe,efficient and transparent software extensions[A].In Proceedings of 17th ACM Symposium on Operating System Principles[C].December 1999.140-153.

二级参考文献9

1K Kourai, S Chiba. A Secure Access Control Mechanism Against Intemet Crackers[R]. ISE-TR-01176, Institute of Information Sciences and Electronics, Univ.of Tsukuba, 2001.
2J S Shapiro,J M Smith.D J Father.EROS:A fast capability system[A].In Proc.17th ACM Symposium on Operating Systems Principles[C].New York,1999.170—185.
3K M Walker, D F Steme, M L Badger, et al. Confining root programs with domain and type enforcement (DTE) [A]. In Proc 6th USENIX Security Symposium[ C]. Washington DC, 1996.21 - 36.
4C Cowan,P Wagle,C Pu,et al. Buffer overflows:Attacks and defenses for the vulnerability of the decade [A]. In Proc DARPA lnformation Survivability Conference and Expo[C] .Hilton Head SC,2000.1119-1130.
5W D Young, P A Telega, W E Boebert. A verified labeler for the secure ada target [A]. In Proe 9th National Computer Security Conference[C]. Gaithersburg MD, 1986.55 - 61.
6R Wahbe, S Lucco, T E Anderson, S L Graham. Ffficieat softwarebased fault isolation [J]. ACM Operating Systems Review, 1993, 27(5) :203 - 16.
7B N Bershad,T E Anderson, E D Lazowska, et al. Extensibility, safety and performance in the SPIN operating system [J]. ACM Operating Systems Review, 1995,29(5):267 - 284.
8T C Chiueh, G Venkitachalam, P Pradhan. Integrating segmantation and paging protection for safe, efficient and transparent software extensions[A].In Proc 17th ACM Symposium on Operating Systems Principles[C] .New York,1999.140- 153.
9M Takahashi, K Kono, T Masuda. Efficient kerenel support of fine-grained protection domains for mobile code [A]. In Proc 19th IEEE International Conference on Distributed Computing Systems[C]. Austin TX, 1999.64- 73.

共引文献3

1马俊,王志英,任江春,伍江江,程勇,梅松竹.DIFS:基于临时文件隔离实现数据泄漏防护[J].计算机研究与发展,2011,48(S1):17-23. 被引量：2
2任江春,王志英,戴葵.一种新的进程可信保护方法[J].武汉大学学报（理学版）,2006,52(5):532-536. 被引量：3
3马俊,王志英,任江春,刘聪,伍江江,程勇,梅松竹.TRSF:一种移动存储设备主动防护框架[J].电子学报,2012,40(2):376-383. 被引量：2

1金胜昔,步俊杰,吉逸.Java2的安全体系及其应用[J].微型机与应用,2000,19(4):38-41.
2谢钧,黄皓,张佳.多保护域进程模型及其实现[J].电子学报,2005,33(1):38-42. 被引量：4
3马自忠,陶李娜.计算机系统的安全与保护[J].合肥工业大学学报（自然科学版）,1999,22(3):124-128.
4杨建强,陈天煌,邹青梅.无线Java中基于保护域的访问控制[J].现代计算机,2005,11(2):66-68. 被引量：1
5Tony We 盛青(译).保护域管理员和企业管理员的密码[J].Windows IT Pro Magazine（国际中文版）,2007(12):64-64.
6李云雪,苏智睿,王晓斌.SELinux安全策略配置[J].信息网络安全,2004(2):53-55.
7岳阳,郑志蓉.Java安全体系结构研究[J].网络安全技术与应用,2003(5):73-78. 被引量：3
8乐丁惕.基于IPSec的域安全策略研究[J].闽江学院学报,2009,30(2):72-75. 被引量：3
9吴楠,张东,刘璧怡.面向高可用计算机的驱动隔离系统设计与实现[J].计算机工程与设计,2013,34(4):1280-1286.
10翟桂锋,曾庆凯.Flask结构对象管理器的通用设计与实现[J].中国电子商情（通信市场）,2010(3):95-98. 被引量：1

计算机应用

2007年第6期

浏览历史

内容加载中请稍等...

进程内细粒度保护域模型及其实现

参考文献8

二级参考文献9

共引文献3

相关作者

相关机构

相关主题

浏览历史