摘要
很多安全操作系统都是基于类UNIX系统开发的,并按照TCSEC或CC的要求引入了强制访问控制和审计等安全机制,但是并未保证用户账号的唯一性,从而可能造成审计记录的混乱和用户权限的不正确重用,这就要求改变原来的类UNIX系统的账号管理方式。提出了在系统调用层截取修改系统账号文件这类事件以保证用户UID唯一性的方案,使得即使超级用户(包括通过成功的攻击而获取的超级用户权限)也无法任意修改用户账号数据库。这种机制已经在SLINUX系统中得到了实现。最后给出了该机制在SLINUX系统上的性能测试结果。
Many secure operating systems are developed based upon UNIX-like systems and many access control mechanisms and audit mechanism are introduced, but the system account file does not assure unique UID and might lead to confusion in audit trails. Users’ access rights in some security mechanisms are generally managed quite independently of account management and should also be deleted when one user is removed from the account file to avoid unintended reuse by another user. All those things require that the account file should be administrated in a way different from the traditional one in UNIX. Puts forward a mechanism to keep unique UID and to capture user account alteration in system call level. Puts the mechanism into practice in SLINUX, a variant of LINUX, and provide the performance analysis.
出处
《中国科学院研究生院学报》
CAS
CSCD
2004年第1期95-100,共6页
Journal of the Graduate School of the Chinese Academy of Sciences
基金
supportedbytheNational 863High techProgramofChina(863 3 0 6 ZD 12 14 2),theNationalNaturalScienceFoundationofChina(60 0 73 0 2 2 )andtheKnowledgeInnovationEngineeringProgramoftheChineseAcademyofSciences(KGCX 1 0 9)
