
A New Implementation Mechanism for Capability

A Novel Realization Mechanism for Capability in Trusted Operating System
Abstract: 1 Introduction. In information security, apart from CPU, compiler and network security, the most important component is the security kernel of the operating system. POSIX.1e [1] and POSIX.2c [2] define, respectively, the C interfaces and the shell command interfaces for the alternative and additional security mechanisms of the operating system security kernel: Capability (control over commands and system calls), MAC (Mandatory Access Control), Audit (Security Auditing), ACL (Access Control Lists) and IL (Information Labeling). However, they do not define the precise semantics or a complete implementation mechanism for these security mechanisms. In addition, [1,2] allow the content covered by each security mechanism to be extended.

Realizing capabilities in a trusted OS generally requires rewriting a large amount of the kernel code related to system calls. This paper introduces a new mechanism for realizing capabilities in a trusted OS. With this mechanism, not only is the root user removed and the root privileges decomposed so that they can be issued to ordinary users, but user rights such as calling syscalls and using shell commands related to root privilege, as well as the processes requesting those syscalls, can be controlled by the system's secure capability set. The new mechanism does not change much of the kernel code and has been implemented successfully on a Linux-based trusted OS.
Source: Computer Science (《计算机科学》), CSCD, Peking University Core Journal, 2001, No. 4, pp. 91-94 (4 pages)
Keywords: operating system, Capability, process, privilege control; Capability, Trusted OS, POSIX, DAC, MAC, Linux Security

References (4)

  • [1] Portable Applications Standards Committee of the IEEE Computer Society. Draft Standard for Information Technology - Portable Operating System Interface (POSIX) - Part 1: System Application Program Interface (API) - Amendment #: Protection, Audit and Control Interface [C Language]. New York: The Institute of Electrical and Electronics Engineers, Inc., 1997. 163~194
  • [2] Technical Committee on Operating Systems and Application Environments of the IEEE Computer Society. Draft Standard for Information Technology - Portable Operating System Interface (POSIX) - Part 2: Shell and Utilities - Amendment #: Protection and Control Interface. New York: The Institute of Electrical and Electronics Engineers, Inc., 1997. 25~33
  • [3] Morgan A G. DEPARTMENT OF DEFENSE STANDARD: DEPARTMENT OF DEFENSE TRUSTED COMPUTER SYSTEM EVALUATION CRITERIA (aka The Orange Book). DoD 5200.28-STD; supersedes CSC-STD-001-83, dtd 15 Aug 83; Library No. S225,711, December 1985
  • [4] Sutton S A. TST. The Hewlett-Packard Compartmented Mode Workstation HP-UX CMW Volume Ⅱ: Administration Tutorial. Urbana, Illinois: Trusted Systems Training, Inc., 1995, chapter 3, chapter 4
