A Dynamically Loadable Modular Secure Linux Kernel
Abstract
Drawing on existing practical research results and experience in secure operating systems, this thesis proposes a construction model for an operating-system security kernel that can be loaded dynamically from the application level and has a modular structure. KNumen is an instance developed on the Linux platform according to this model; it is simple in structure, flexible to configure, highly portable, functionally complete, easy to maintain and easy to use. Its certificate-based identity authentication, its flexible configuration of security modules according to actual needs, and its remote management are especially notable.
     KNumen is compact in structure and consists mainly of three parts: the enforcement facility, the decision facility and the security policy database. The enforcement facility intercepts system calls from application programs, forms decision requests and applies the decision results. The callback functions provided by the decision facility are the basis on which security modules are dynamically loaded and modularized, and the security modules are the centre where the various security mechanisms are implemented. The security policy database holds the security policy configuration for the whole system; its concrete storage format is independent of the file system.
     To improve system performance, a general cache of access control information based on split trees can be created inside the security kernel. Practice has shown that adding this cache effectively overcomes the drop in kernel execution efficiency. In addition, the certificate-based identity authentication mechanism strengthens the security and reliability of the system: each user has a public/private key pair and can use a certificate file to authenticate and log in remotely, establishing a trusted, confidential network connection.
     Among KNumen's security modules, some implement common security functions, such as the MAC module, the ACL module and the audit module, while others perform special security functions, such as the important-process protection module and the trusted-process authorization module. In fact, far more security modules than these could be implemented, and there are still many places where the system itself can be extended and improved; these are the directions for further refinement and development.
     The idea proposed in this thesis is a new attempt in the research and development of secure operating systems. Practice has shown that the system works and achieves the expected results, so it can serve as a basis for further in-depth research and development in this area.
Based on various research results and practical experiences, this paper presents a new design model to build a modularized secure OS kernel loadable from the application level. The project named KNumen has been developed to realize this new model on the Linux system. Practical experience shows that KNumen is simple, strong, configurable, portable, and at the same time easy to use and maintain. In particular, users are required to authenticate through a digital certificate. The security administrator can make flexible combinations of security modules according to practical security requirements, and administrate the system remotely by using graphical interfaces.
    Being compact in its architecture, KNumen is divided into three main parts: Enforcement, Decision and Security Policy Database. Enforcement facilities intercept system calls from application programs, transform them into decision requests and enforce the decision results. The kernel mechanisms that make modules runtime-loadable and modularized are mainly built on the callback function interfaces provided by the decision facility, and the various security policies are implemented inside the security modules. The Security Policy Database is where security policies are stored, independent of any underlying file system.
    In order to improve system performance, a general cache to preserve access control information is built upon split trees inside the secure kernel. It has been shown that the use of this cache effectively overcomes the performance deficiencies. Furthermore, the authentication mechanism based on digital certificates strengthens the security and reliability of the whole system. Users have their own public and private keys. They can remotely authenticate and log in by using certificate files, then build up a trusted and secure network connection to the target machine.
    Among the security modules implemented in KNumen are well-known ones, like the MAC, ACL and Audit modules, as well as specially designed ones, like the Important Process Protection and Trusted Program Authorization modules. Actually, the potential security modules that could be implemented are far more than these. There are still many problems to be solved, and the whole system needs to be optimized. These are all work waiting to be done in the future.
    The idea put forward by this paper intends to open a new approach to building secure OS kernels. The effectiveness of this approach has been proven by practical systems, making it a solid ground for future research and development in this direction.
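The enforcement / decision / policy split described above, together with the cached verdicts, is illustrated below as an added user-space model in C. It is not KNumen's code and does not hook real system calls: the "enforcement point" is an ordinary function a hooked call would consult, "loading" a module is modelled as registering a callback, the MAC levels and ACL entries are constructed sample policy, and the split-tree cache of the thesis is replaced by a small direct-mapped hash cache whose entries are invalidated by a generation counter whenever the set of modules changes. The decision rule (any module's DENY wins, otherwise ALLOW) is an assumption chosen for the example, not a statement about KNumen's actual combination logic.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Illustrative model (not KNumen's code) of a modular decision pipeline:
 * an enforcement point builds a request, asks every registered decision
 * module through its callback, caches the verdict, and applies it. */

enum { OP_READ = 1, OP_WRITE = 2 };
enum { ABSTAIN = 0, ALLOW = 1, DENY = 2 };

struct request { unsigned uid; int op; const char *path; };
typedef int (*decide_fn)(const struct request *);

#define MAX_MODULES 8
static decide_fn modules[MAX_MODULES];
static int nmodules;
static unsigned policy_gen;     /* bumped whenever modules or policy change */

/* Registering a callback models dynamic loading; clearing models unloading.
 * Both bump the generation counter so stale cached verdicts are never used. */
int register_module(decide_fn fn) {
    if (nmodules >= MAX_MODULES) return -1;
    modules[nmodules++] = fn;
    policy_gen++;
    return 0;
}
void unregister_all(void) { nmodules = 0; policy_gen++; }

/* Sample MAC module (constructed levels): no read up, no write down. */
static unsigned subject_level(unsigned uid) { return uid == 0 ? 3 : (uid < 1000 ? 2 : 1); }
static unsigned object_level(const char *path) {
    if (strncmp(path, "/secret/", 8) == 0) return 3;
    if (strncmp(path, "/etc/", 5) == 0) return 2;
    return 1;
}
int mac_decide(const struct request *r) {
    unsigned s = subject_level(r->uid), o = object_level(r->path);
    if (r->op == OP_READ && s < o) return DENY;    /* no read up   */
    if (r->op == OP_WRITE && s > o) return DENY;   /* no write down */
    return ABSTAIN;                                /* leave it to other modules */
}

/* Sample ACL module: explicit per-path entries (constructed); unknown -> abstain. */
struct acl_entry { const char *path; unsigned uid; int ops; };
static const struct acl_entry acl[] = {
    { "/etc/shadow", 0, OP_READ | OP_WRITE },
    { "/etc/shadow", 1001, 0 },                    /* uid 1001 is granted nothing */
};
int acl_decide(const struct request *r) {
    for (size_t i = 0; i < sizeof acl / sizeof acl[0]; i++)
        if (strcmp(acl[i].path, r->path) == 0 && acl[i].uid == r->uid)
            return (acl[i].ops & r->op) ? ALLOW : DENY;
    return ABSTAIN;
}

/* Decision facility: consult every module; any DENY wins, otherwise ALLOW. */
static int decide(const struct request *r) {
    for (int i = 0; i < nmodules; i++)
        if (modules[i](r) == DENY) return DENY;
    return ALLOW;
}

/* Direct-mapped cache of (uid, op, path) -> verdict, tagged with policy_gen. */
#define CACHE_SLOTS 64
struct cache_slot { unsigned gen, uid; int op; char path[64]; int verdict; };
static struct cache_slot cache[CACHE_SLOTS];
static unsigned cache_hits;

static unsigned slot_index(const struct request *r) {
    uint32_t h = 2166136261u;                      /* FNV-1a over the path */
    for (const char *p = r->path; *p; p++) h = (h ^ (uint8_t)*p) * 16777619u;
    h ^= r->uid * 31u + (unsigned)r->op;
    return h % CACHE_SLOTS;
}

/* Enforcement point: where a hooked system call would ask for a verdict. */
int enforce(unsigned uid, int op, const char *path) {
    struct request r = { uid, op, path };
    struct cache_slot *c = &cache[slot_index(&r)];
    if (c->gen == policy_gen && c->uid == uid && c->op == op && strcmp(c->path, path) == 0) {
        cache_hits++;
        return c->verdict;
    }
    int v = decide(&r);
    if (strlen(path) < sizeof c->path) {           /* only cache paths that fit */
        c->gen = policy_gen; c->uid = uid; c->op = op; c->verdict = v;
        strcpy(c->path, path);
    }
    return v;
}
unsigned cache_hit_count(void) { return cache_hits; }

int main(void) {
    register_module(mac_decide);
    register_module(acl_decide);
    printf("uid 1001 read /secret/plan: %s\n", enforce(1001, OP_READ, "/secret/plan") == DENY ? "DENY" : "ALLOW");
    printf("uid 0 read /etc/shadow:     %s\n", enforce(0, OP_READ, "/etc/shadow") == DENY ? "DENY" : "ALLOW");
    printf("uid 0 write /home/u/notes:  %s\n", enforce(0, OP_WRITE, "/home/u/notes") == DENY ? "DENY" : "ALLOW");
    return 0;
}
```

The generation counter is the part worth copying: a verdict cache is only safe if every change to the module set or the policy database invalidates it, otherwise a module unloaded or a rule tightened by the administrator keeps taking effect late for requests that are still cached.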
