Research on the Formal Design of High-Security-Level Operating Systems
Abstract
This thesis mainly studies the formal security policy models required for developing high-security-level operating systems. To this end, we start from an examination of formal design methods, determine the basic principles and organizational structure of model design, and then carry out the design step by step according to that structure, proposing: a formal framework that supports multiple policies; a multilevel security model with a dynamically adjustable security level range, DMLR_MLS, which implements the confidentiality policy (in this thesis it is combined with the DAC model to form the DBLP model); a formal model for integrity protection based on DTE technology, DTE_IPM; and a privilege control model based on capabilities, roles and DTE, PCM_RBPC. We then analyze the covert channels that may exist in the whole model and propose the design of an analysis model. Finally, in the context of the Linux kernel, we make a preliminary exploration of the interpretation of the model.
    In this dissertation, eight basic principles of model design are proposed. A three-in-one model development mode is constructed: formal framework, policy specification language and component policy models. The necessity of distinguishing the implementation model from the analysis model is analyzed. The formal framework supports reasoning about policy equivalence, policy conflict and policy cooperation among multiple policies, and is superior in several respects to the formal frameworks in the current literature. As a formal model usable for system design, the DBLP model improves on existing work in several respects, making the model more practical. As for the DTE_IPM model, to our knowledge this thesis is the first attempt to build a complete formal integrity protection model using DTE technology; the model has its own particular invariants for controlling malicious information flow. Privilege control is the key link in implementing security in an operating system; the PCM_RBPC model effectively realizes the principle of least privilege through a three-layer structure, namely the administration layer, the functionality layer and the execution layer, and thus successfully controls privilege; this model is innovative in five respects. A model hierarchy is proposed, a definition of system security under this model hierarchy is given, and a decomposition theorem for security is obtained. A new definition of abstract security policy is given and reinterpreted using noninterference theory. An implementation architecture in which multiple object managers and multiple security servers coexist is proposed.
This thesis focuses on the formal security policy model, which is indispensable for developing a high-level secure operating system. Starting from an analysis of formal design methods, principles and an architecture for designing the formal model are proposed, and the model is then designed hierarchically according to them. First, a formal framework supporting multiple policies is presented. Second, some component models are constructed: the dynamically mediated security level range multilevel security model DMLR-MLS, which implements the confidentiality policy and is renamed the DBLP model after it is combined with the DAC model; the DTE-based integrity protection security model DTE-IPM; and the privilege control model PCM-RBPC, based on the capability mechanism, the role mechanism and the DTE privilege mechanism. Third, an analysis model aimed at finding potential covert channels in the implementation model is proposed. Finally, model interpretation is discussed in a preliminary way in terms of the Linux kernel.
    In this work, eight principles are set out to direct model design. A model development mode with three components is worked out: formal framework, model specification language and component models. Detailed analysis shows that it is necessary to distinguish the implementation model from the analysis model. The resulting formal framework, which reasons about policy equivalence, policy conflict and policy cooperation, has advantages over those described in the literature. As a model that can be used to develop a practical system, the DBLP model is designed on the basis of research that improves the confidentiality policy models described in the literature. To our knowledge, DTE-IPM is the first attempt to build a complete integrity policy model based on DTE. It presents new invariants, different from those in the literature, that prevent malicious information flow from jeopardizing the system. As a key ingredient of a secure operating system, effective privilege control is needed; our model PCM-RBPC captures it successfully by implementing the least privilege principle with a three-layer structure, i.e., an administration layer, a functionality layer and an execution layer; five original findings have been used to design this model. A model hierarchy is proposed, system security under this model hierarchy is defined, and the unwinding theorem of system security is proved. The security policy is abstractly redefined and given a new interpretation in noninterference theory. An implementation architecture consisting of multiple object managers and multiple security servers is described.
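As an added illustration (not code from the thesis or from any system it describes), the Python sketch below shows the kind of policy composition the abstract refers to when it says the DMLR-MLS confidentiality model is combined with a DAC model: a toy reference monitor enforces textbook Bell-LaPadula rules, with each subject's current level confined to a clearance range it may move within, alongside a discretionary access-control list, and grants an access only when both policies permit it. The linear level lattice, the range rule, the conjunctive composition and the sample subjects and objects are constructed assumptions made for this example; they are not the thesis's DBLP definitions.

```python
from dataclasses import dataclass, field
from typing import Dict, Set

# Constructed linear lattice of security levels (assumption: no categories).
LEVELS: Dict[str, int] = {"unclassified": 0, "confidential": 1,
                          "secret": 2, "top_secret": 3}


def dominates(high: str, low: str) -> bool:
    """True if level `high` dominates level `low` in the lattice."""
    return LEVELS[high] >= LEVELS[low]


@dataclass
class Subject:
    name: str
    min_level: str      # lower bound of the subject's clearance range
    max_level: str      # upper bound of the subject's clearance range
    current: str        # current level used for access decisions

    def set_current(self, level: str) -> None:
        """Dynamically move the current level, but only inside the range."""
        if not (dominates(level, self.min_level)
                and dominates(self.max_level, level)):
            raise ValueError(f"{level} is outside {self.name}'s range "
                             f"[{self.min_level}, {self.max_level}]")
        self.current = level


@dataclass
class Obj:
    name: str
    level: str
    # DAC part: subject name -> set of permitted modes (constructed ACL).
    acl: Dict[str, Set[str]] = field(default_factory=dict)


def mls_allows(s: Subject, o: Obj, mode: str) -> bool:
    """Bell-LaPadula: no read up (simple security), no write down (*-property)."""
    if mode == "read":
        return dominates(s.current, o.level)
    if mode == "write":
        return dominates(o.level, s.current)
    return False


def dac_allows(s: Subject, o: Obj, mode: str) -> bool:
    """Discretionary check against the object's ACL."""
    return mode in o.acl.get(s.name, set())


def decide(s: Subject, o: Obj, mode: str) -> bool:
    """Conjunctive composition: every policy must grant the access."""
    return mls_allows(s, o, mode) and dac_allows(s, o, mode)


def run_scenario() -> Dict[str, bool]:
    """Constructed walk-through; returns each decision keyed by step name."""
    alice = Subject("alice", "unclassified", "secret", "secret")
    report = Obj("report", "secret", {"alice": {"read", "write"}})
    public = Obj("public", "unclassified", {"alice": {"read", "write"}})
    ts_doc = Obj("ts_doc", "top_secret", {"alice": {"read"}})
    out: Dict[str, bool] = {}
    out["read_report_at_secret"] = decide(alice, report, "read")    # allowed
    out["write_public_at_secret"] = decide(alice, public, "write")  # MLS blocks write down
    out["read_ts_doc"] = decide(alice, ts_doc, "read")              # DAC alone would allow; MLS blocks read up
    alice.set_current("unclassified")                               # lower the level, still inside the range
    out["write_public_at_unclassified"] = decide(alice, public, "write")  # now allowed
    out["read_report_at_unclassified"] = decide(alice, report, "read")    # now a read up, blocked
    try:
        alice.set_current("top_secret")                             # above the range: rejected
        out["range_escape_rejected"] = False
    except ValueError:
        out["range_escape_rejected"] = True
    return out


if __name__ == "__main__":
    for step, ok in run_scenario().items():
        print(f"{step:32s} {'ALLOW' if ok else 'DENY'}")
```

The point of the scenario is that a DAC grant never overrides the mandatory rule, and that lowering a subject's current level (within its range) is what makes a write to a low object legitimate, which is exactly the interaction a combined confidentiality/DAC model has to pin down formally.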
