Authors: DING Yan[1], WANG Peng[1], WANG Chuang[1], LI Zhi-peng, SONG Lian-tao, FENG Liao-liao (College of Computer Science and Technology, National University of Defense Technology, Changsha 410073, China)
Affiliation: [1] College of Computer Science and Technology, National University of Defense Technology, Changsha 410073, Hunan, China
Source: Computer Engineering & Science (《计算机工程与科学》), 2023, No. 10, pp. 1770-1778, 9 pages
Funding: National Natural Science Foundation of China (U19A2060, 62172431).
Abstract: Mandatory access control (MAC) in operating systems (OS) provides a strong security guarantee because it runs at a high privilege level. However, classical OS MAC supports only static security policies: when the security requirements of the application scenario change, the security policies must be reconfigured and reloaded. It is therefore difficult to meet the need for dynamic regulation of access permissions in scenarios such as state transitions of highly sensitive applications, cloud-native dynamic scheduling, and BYOD. Attribute-based access control has strong extensibility, high flexibility, and strong expressive power, and offers a way to improve the dynamism and flexibility of security policies. First, a theoretical model and a system architecture model of attribute-based dynamic mandatory access control for operating systems are proposed. Then, a prototype system is designed and implemented on top of the classic MAC mechanism of Linux, and the feasibility of the model is verified. Finally, to address the performance impact that introducing attributes may cause, access control optimization is studied from two aspects, time and space.
Classification: TP309.2 [Automation and Computer Technology: Computer Systems Architecture]