摘要
在Linux环境设计与实现一款轻量级的安全沙箱,在占用资源少、损失较小的基础上实现对程序的安全控制访问。使用Linux内核Seccomp提供的安全性API接口,结合白名单、权限控制等多种安全机制,仅允许使用常见的非高危性系统调用,可限制程序运行时的时间和内存占用,以免产生恶意占用系统资源的行为。通过对沙箱进行安全程序和不安全程序的对比测试,结果证明,该设计能阻止危险程序的运行,并且额外开销不大,可满足实际需求。
A lightweight security sandbox is designed and implemented in the Linux environment,it can control the access of the program safely on the basis of less resource and less loss.Using the security API interface provided by Seccomp in Linux kernel,combined with a variety of security mechanisms such as white list mechanism and permission control mechanism,only common non-high-risk system calls are allowed,and high-risk system calls are limited to use in the program.Also,it can limit the time and memory occupation of program runtime to avoid malicious occupation of system resources.Through the experiment,the sandbox is tested by comparing the security program and the unsafe program.The results show that the design can prevent the dangerous program from running,and the extra cost is small,which can meet the actual needs.
作者
崔晓龙
简川杰
刘欣
张敏
CUI Xiaolong;JIAN Chuanjie;LIU Xin;ZHANG Min(School of Computer and Communication Engineering,University of Science and Technology Beijing,Beijing 100083,China)
出处
《实验室研究与探索》
CAS
北大核心
2023年第9期83-87,共5页
Research and Exploration In Laboratory
基金
国家自然科学基金项目(61971033)
北京科技大学重大教学改革项目(JG2019ZD02)
北京科技大学教学改革项目(JG2021M32)。
关键词
沙箱
LINUX内核
多安全机制
隔离机制
轻量级
sandbox
Linux kernel
multi-security mechanisms
isolation mechanism
lightweight
