Linux安全增强系统中能力机制的实现与评估

The Implementation and Evaluation of Capability Mechanism for Linux-Based Security Enhancement System

访问控制是安全操作系统中的核心机制,最小授权是安全操作系统必须符合的原则之一,也是研究的难点,文章分析了传统操作系统中信任状模型存在的问题,详细讨论了基于能力机制的信任状模型的内容与优点,给出基于能力的访问控制,改进了Linux中采用能力机制实现最小授权算法,在文章的最后,给出了实现结果的效能评估并展望了下一步工作。

Access control is the core mechanism of security operation system. Least privilege is one of the principles that security operation system must agree with, and it抯 also the difficulty in the research. This paper points out the problem existing in trusted model of traditional operation system and discusses the content and strongpoint of trusted model based on capability mechanism. Then gives the implementation of access control based on capability and improves the arithmetic which was used to implement least privilege in Linux. At the end, the testing result and its evaluation of implementing are presented and the future work is prospected.