摘要
针对POSIX.1e标准的权能模块的缺陷进行了改进,在Linux内核安全模块(LSM)框架基础上,加载改进的模块,对操作系统内核层进行监听和控制处理,完成进程信任状特权仲裁、安全i节点(i-node)操作、信息队列反馈等一系列操作,最后调用字符设备反馈监控信息到应用层进行安全控制处理。实验表明,改进方案与加载原有权能模块Linux内核的方法相比,不仅在系统的运行效率、监控的正确率和系统扫描覆盖率上有所提高,而且在系统资源占用率等多项指标中都显示其具有良好的监控性能。
A method was proposed to improve POSIX. l e standard capability module. In addition, monitoring and controlling were performed on the operation system kernel layer after loading improved module at the kernel of Linux Security Module (LSM) framework. Furthermore, a series of operations were carried out, which included the process trust-like privileges arbitration, security i-node operation, information feedback, queue operation, etc. At last, the character devices were used to feedback the monitor information to application layer and performed security control. Compared with original capability module, the proposed scheme not only improves efficiency of system operation, correct monitoring rate, and coverage of system scanning, but also keeps better monitoring performance in system resources occupancy rate and several parameters.
出处
《计算机应用》
CSCD
北大核心
2009年第9期2369-2374,共6页
journal of Computer Applications
基金
四川省重点实验室项目
