Research on Key Technologies of a "Structured Protection Level" Secure Operating System
Abstract

This thesis is built around the design and development of a secure operating system that meets the fourth level of GB 17859, the Structured Protection Level, and studies, from both a theoretical and a practical side, a number of key technical problems in building high-assurance operating systems. It reports six main results.

First, combining GB 17859 with GB/T 18336 for the first time, it presents a protection profile for a Structured Protection Level secure operating system (SPLPP). The profile lays the groundwork for developing the system and for evaluating it later, and can be registered with the national bodies responsible for inspecting, evaluating and certifying security products.

Second, corresponding to SPLPP and following the requirements of GB/T 18336, it gives a detailed security target (ST) for a secure operating system whose security functions satisfy the Structured Protection Level requirements of GB 17859. The security target serves both as a preliminary design specification of the system and as the basis for its top-level functional specification.

Third, after a close study of multilevel security models, integrity models and role-based authorization models, it first proposes a modified BLP model (MBLP), which has been applied in an independently developed secure operating system, and then integrates the BLP, Clark-Wilson, DTE and RBAC models into a Dynamic Authorization Access Control Model (DAACM) that supports several security policies at once, covering confidentiality, integrity and authorization, and permits dynamic authorization. DAACM meets the design requirements of the Structured Protection Level secure operating system given in the thesis and is to be used in the actual design of that system.

Fourth, using a restricted syntactic language, it studies a method and process for semi-formally specifying the system's top-level functions; the top-level functional specification is the basis for later work on system verification and covert channel analysis.

Fifth, drawing on the Flask security architecture, a recent design for secure operating systems, it establishes a security architecture suited to implementing a Structured Protection Level secure operating system. The architecture separates security policy decisions from policy enforcement within the system and keeps the system modular.

Sixth, it explores several other key problems of high-assurance operating system design, including covert channel analysis and handling and the trusted path, and gives an outline of how each is to be implemented in the system.

In sum, the thesis investigates and accumulates a body of techniques and experience for designing Structured Protection Level secure operating systems, and its results lay a foundation for designing and developing operating systems at still higher security levels in China.
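The fifth result (separating policy decision from policy enforcement, as in Flask) and the BLP half of the third result are easiest to see in code. The block below is an added example written for this page; it is not code from the thesis, from SecLinux, or from the DAACM the thesis describes. It implements a security server that decides using a textbook BLP lattice (no read up, no write down) plus a role check, and a file manager that enforces by calling the server on every access. The labels, roles, users and files are constructed for the demo.

```python
"""Flask-style separation of policy decision from enforcement, with a BLP
lattice plus an RBAC check as the decision logic. Added example, not code
from the thesis or SecLinux; labels, roles, users and files are constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Tuple


@dataclass(frozen=True)
class Label:
    """MLS label: a hierarchical level and a set of non-hierarchical categories."""
    level: int
    cats: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """Lattice order: level is at least as high and categories are a superset."""
        return self.level >= other.level and other.cats <= self.cats


LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}

# Constructed RBAC data: role -> operations it grants.
ROLE_PERMS: Dict[str, FrozenSet[str]] = {
    "analyst": frozenset({"read"}),
    "editor": frozenset({"read", "write"}),
}


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: Label
    roles: FrozenSet[str]


@dataclass(frozen=True)
class Obj:
    name: str
    classification: Label


class SecurityServer:
    """Policy decision point. It sees only labels, roles and the requested op;
    it never touches the objects, so the policy can be replaced without
    changing any object manager."""

    def decide(self, subj: Subject, obj: Obj, op: str) -> bool:
        # RBAC: some role held by the subject must carry the operation.
        if not any(op in ROLE_PERMS.get(r, frozenset()) for r in subj.roles):
            return False
        if op == "read":  # BLP simple security property: no read up
            return subj.clearance.dominates(obj.classification)
        if op == "write":  # BLP *-property: no write down
            return obj.classification.dominates(subj.clearance)
        return False  # default deny for any operation the policy does not know


class FileManager:
    """Policy enforcement point: owns the objects, asks the server on every
    access, and performs the operation only on an allow decision."""

    def __init__(self, server: SecurityServer) -> None:
        self.server = server
        self.store: Dict[str, Tuple[Obj, str]] = {}

    def create(self, obj: Obj, contents: str) -> None:
        self.store[obj.name] = (obj, contents)

    def read(self, subj: Subject, name: str) -> str:
        obj, data = self.store[name]
        if not self.server.decide(subj, obj, "read"):
            raise PermissionError(f"{subj.name} may not read {name}")
        return data

    def write(self, subj: Subject, name: str, data: str) -> None:
        obj, _ = self.store[name]
        if not self.server.decide(subj, obj, "write"):
            raise PermissionError(f"{subj.name} may not write {name}")
        self.store[name] = (obj, data)


def attempt(action: Callable[[], object]) -> str:
    """Run one access and report the enforcement outcome."""
    try:
        action()
        return "allowed"
    except PermissionError:
        return "denied"


def demo() -> Dict[str, str]:
    """Constructed scenario exercising both BLP properties, categories and RBAC."""
    fm = FileManager(SecurityServer())
    fm.create(Obj("plan.txt", Label(LEVELS["confidential"])), "confidential plan")
    fm.create(Obj("ops.txt", Label(LEVELS["top_secret"], frozenset({"crypto"}))), "ops")
    alice = Subject("alice", Label(LEVELS["secret"], frozenset({"crypto"})), frozenset({"analyst"}))
    bob = Subject("bob", Label(LEVELS["secret"]), frozenset({"editor"}))
    carol = Subject("carol", Label(LEVELS["top_secret"], frozenset({"nuclear"})), frozenset({"analyst"}))
    return {
        "alice_read_plan": attempt(lambda: fm.read(alice, "plan.txt")),  # read down: allowed
        "alice_read_ops": attempt(lambda: fm.read(alice, "ops.txt")),  # read up: denied
        "carol_read_ops": attempt(lambda: fm.read(carol, "ops.txt")),  # level ok, category missing: denied
        "bob_write_ops": attempt(lambda: fm.write(bob, "ops.txt", "x")),  # write up: allowed by *-property
        "bob_write_plan": attempt(lambda: fm.write(bob, "plan.txt", "x")),  # write down: denied
        "alice_write_plan": attempt(lambda: fm.write(alice, "plan.txt", "x")),  # RBAC: analyst lacks write
    }


if __name__ == "__main__":
    for request, outcome in demo().items():
        print(f"{request}: {outcome}")
```

Because the file manager calls `decide()` on every access and never inspects labels itself, adding an integrity or type-enforcement check touches only the security server; that is the modularity the abstract attributes to the Flask architecture. Note that the *-property lets bob write up into a file he cannot read back, so a real system has to decide whether such blind writes are acceptable or whether the policy should be tightened to write-equal.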
References
[ABRA1990] M. Abrams, L. LaPadula, K. Eggers and I. Olson. A Generalized Framework for Access Control: An Informal Description. In Proceedings of the 13th National Computer Security Conference, pp. 134-143, Oct. 1990.
[ABRA1991a] M. Abrams et al. Generalized Framework for Access Control: Towards Prototyping the ORGCON Policy. Proceedings of the 14th National Computer Security Conference, Washington, DC, 1-4 October 1991.
[ABRA1991b] M. Abrams, L. LaPadula, M. Lazear and I. Olson. Reconciling a Formal Model and Prototype Implementation: Lessons Learned in Implementing the ORGCON Policy. MITRE Corporation, Bedford, MA 01730, November 1991.
[AMOR1994] E. G. Amoroso. Fundamentals of Computer Security Technology. Prentice-Hall PTR, Upper Saddle River, NJ, 1994.
[ANDE1972] J. Anderson. Computer Security Technology Planning Study. ESD-TR-73-51, Volume II, USAF Electronic Systems Division, Bedford, MA, Oct. 1972.
[BAKE1996] Dixie B. Baker. Fortresses Built Upon Sand. Proceedings of the UCLA Conference on New Security Paradigms Workshops, Lake Arrowhead, CA, USA, Sep 1996, pp. 148-153.
[BELL1973] D. E. Bell and L. J. LaPadula. Secure Computer Systems: A Mathematical Model. MTR-2547-II, AD 771543, The MITRE Corporation, Bedford, MA, May 1973.
[BELL1976] D. E. Bell and L. J. LaPadula. Secure Computer Systems: Unified Exposition and Multics Interpretation. NTIS AD-A023588, MTR-2997, ESD-TR-75-306, MITRE Corporation, Bedford, MA, 1976.
[BERT1996] E. Bertino, S. Jajodia and P. Samarati. Supporting Multiple Access Control Policies in Database Systems. In IEEE Symposium on Security and Privacy, Oakland, 1996.
[BIBA1977] K. J. Biba. Integrity Considerations for Secure Computer Systems. Technical Report MTR-3153, The MITRE Corporation, April 1977.
[BIDA1997] C. Bidan and V. Issarny. A Configuration-Based Environment for Dealing with Multiple Security Policies in Open Distributed Systems. In 2nd European Research Seminar on Advances in Distributed Systems, pp. 240-245, Zinal, Switzerland, March 1997.
[BISH2000] M. A. Bishop. The Art and Science of Computer Security. Addison Wesley Longman, Inc., Spring 2000, p. 174.
[BOEB1985] W. E. Boebert and R. Y. Kain. A Practical Alternative to Hierarchical Integrity Policies. In Proceedings of the 8th National Computer Security Conference, Gaithersburg, October 1985.
[BREW1989] D. Brewer and M. Nash. The Chinese Wall Security Policy. In Proceedings of the 1989 IEEE Symposium on Security and Privacy, pp. 206-214, IEEE Computer Society Press, May 1989.
[BRIE1991] R. O'Brien and C. Rogers. Developing Applications on LOCK. In Proc. 14th National Computer Security Conference, pp. 147-156, Washington, DC, October 1991.
[BS1995] D. L. Brinkley and R. R. Schell. Concepts and Terminology for Computer Security. In Information Security: An Integrated Collection of Essays, ed. Abrams, Jajodia and Podell, IEEE Computer Society Press, Los Alamitos, CA, pp. 40-97, 1995.
[CFS1996] Center for Standards. Department of Defense Goal Security Architecture, Version 3.0. Defense Information Systems Agency, Washington, DC, 30 Apr 1996.
[COHEN1987] F. Cohen. Computer Viruses: Theory and Experiments. In Advances in Computer System Security, Volume 3, edited by Rein Turn, Artech House, Inc., 1988.
[CW1987] D. D. Clark and D. R. Wilson. A Comparison of Commercial and Military Computer Security Policies. Proceedings of the IEEE Symposium on Security and Privacy, pp. 184-194, Oakland, CA, 1987.
[DEN1976] D. Denning. A Lattice Model of Secure Information Flow. Communications of the ACM, Vol. 19, No. 5, 1976.
[DEN1977] D. Denning and P. J. Denning. Certification of Programs for Secure Information Flow. Communications of the ACM, Vol. 20, No. 7, 1977.
[DEN1983] D. Denning. Cryptography and Data Security. Addison-Wesley, Reading, MA, 1983.
[DISA1996] Defense Information Systems Agency. Technical Architecture Framework for Information Management, Volume 6: Department of Defense Goal Security Architecture. 30 April 1996.
[DIVI1990] Ben L. Di Vito, Paul H. Palmquist, Eric R. Anderson and Michael L. Johnston. Specification and Verification of the ASOS Kernel. 1990 IEEE Computer Society Symposium on Research in Security and Privacy, 1990, pp. 61-74.
[DOD1983] DoD Computer Security Center. DoD Trusted Computer System Evaluation Criteria. CSC-STD-001-83, August 1983.
[FCP1992a] Federal Criteria Project. Federal Criteria for Information Technology Security, Volume I: Protection Profile Development, Version 1.0. National Institute of Standards and Technology and National Security Agency, Dec 1992.
[FCP1992b] Federal Criteria Project. Federal Criteria for Information Technology Security, Volume II: Registry of Protection Profiles, Version 1.0. National Institute of Standards and Technology and National Security Agency, Dec 1992.
[FEIE1979] R. J. Feiertag and P. G. Neumann. The Foundations of a Provably Secure Operating System (PSOS). Proceedings of the National Computer Conference 48, pp. 329-334, 1979.
[FERR1992] David Ferraiolo and Richard Kuhn. Role-Based Access Controls. In 15th NIST-NCSC National Computer Security Conference, pp. 554-563, Baltimore, MD, October 1992.
[FERR2001] David Ferraiolo. An Argument for the Role-Based Access Control Model. ACM SIGSAC, Proc. of the Sixth ACM Symposium on Access Control Models and Technologies, May 2001, Chantilly, Virginia, USA, pp. 142-143.
[FEUS1998] Feustel and Mayfield. The DGSA: Unmet Information Security Challenges for Operating System Designers. Operating Systems Review, ACM SIGOPS, January 1998, pp. 3-22.
[FGNU1991] France, Germany, the Netherlands, the United Kingdom. Information Technology Security Evaluation Criteria, Version 1.2. Office for Official Publications of the European Communities, Jun 1991.
[FICS2001] Simone Fischer-Hübner. IT-Security and Privacy: Design and Use of Privacy-Enhancing Mechanisms. Lecture Notes in Computer Science, Vol. 1958, Springer, 2001.
[FLIN1988] Ch. Flink and J. D. Weiss. System V/MLS Labeling and Mandatory Policy Alternatives. AT&T Technical Journal, May/June 1988, pp. 53-64.
[FM1999] David Ferraiolo and Peter Mell. Operating System Security: Adding to the Arsenal of Security Techniques. ITL Bulletin, Dec. 1999.
[FORD1978] Ford Aerospace and Communications Corporation. Secure Minicomputer Operating System (KSOS) Executive Summary, Phase I: Design of the Department of Defense Kernelized Secure Operating System. WDL-781, Palo Alto, CA 94303, March 1978.
[FSG2000] D. F. Ferraiolo, R. Sandhu and S. Gavrila. A Proposed Standard for Role-Based Access Control. December 2000.
[GALI2000] Pablo Galiasso, O. Bremer, John Hale, Sujeet Shenoi, David F. Ferraiolo and Vincent C. Policy Mediation for Multi-Enterprise Environments. ACSAC 2000, pp. 100-106.
[GASSER1988] M. Gasser. Building a Secure Computer System. Van Nostrand Reinhold, New York, 1988.
[GAVR1998] Serban Gavrila and John Barkley. Formal Specification for Role Based Access Control User/Role and Role/Role Relationship Management. In Proceedings of the Third ACM Workshop on Role-Based Access Control, ACM, October 1998.
[GB1999] GB 17859-1999, National Standard of the People's Republic of China. Classified Criteria for Security Protection of Computer Information Systems. State Bureau of Quality and Technical Supervision of China, issued 13 September 1999, in force from 1 January 2001.
[GBT2001] GB/T 18336-2001, Recommended National Standard of the People's Republic of China. Information Technology - Security Techniques - Evaluation Criteria for IT Security. State Bureau of Quality and Technical Supervision of China, issued 8 March 2001, in force from 1 December 2001.
[GLIG1986] V. D. Gligor. On the Design and the Implementation of Secure Xenix Workstations. 1986 Symposium on Security and Privacy, pp. 102-117, April 1986.
[GLIG1987a] V. D. Gligor, C. Chandersekaran, R. Chapman, L. Dotterer, M. Hecht, W. Jiang, A. Johri, G. Luckenbaugh and N. Vasudevan. Design and Implementation of Secure Xenix. IEEE Transactions on Software Engineering, SE-13(2), Feb 1987, pp. 208-220.
[GLIG1987b] V. D. Gligor, C. S. Chandersekaran, W. Jiang, A. Johri, G. L. Luckenbaugh and L. E. Reich. A New Security Testing Method and Its Application to the Secure Xenix Kernel. IEEE Transactions on Software Engineering, SE-13(2), pp. 169-183, February 1987.
[GOGU1982] Joseph Goguen and José Meseguer. Security Policies and Security Models. In Proceedings of the 1982 Symposium on Security and Privacy, pp. 11-22, IEEE Computer Society, 1982.
[GOOD1984] D. I. Good et al. Using the Gypsy Methodology. Institute for Computing Science, University of Texas at Austin, Jun 1984.
[GRAH1972] G. S. Graham and P. J. Denning. Protection: Principles and Practices. Proc. of the AFIPS Spring Joint Computer Conference 1972, pp. 417-429.
[GREN1989] Guy L. Grenier, Richard C. Holt and Mark Funkenhauser. Policy vs. Mechanism in the Secure TUNIS Operating System. 1989 IEEE Symposium on Security and Privacy, 1989, pp. 84-93.
[HALF1999] Udo Halfmann and Winfried E. Kühnhauser. Embedding Security Policies into a Distributed Computing Environment. Operating Systems Review, 33(2), pp. 51-64, April 1999.
[HARR1976] M. A. Harrison, W. L. Ruzzo and J. D. Ullman. Protection in Operating Systems. Communications of the ACM, 19(8), pp. 461-471, 1976.
[HE1999] He Haiyun, Zhang Chun and Zhao Zhansheng. Analysis of Role-Based Access Control Models. Computer Engineering (计算机工程), Vol. 25, No. 8, August 1999, pp. 39-44.
[ISO1999] International Organization for Standardization. Information Technology - Security Techniques - Evaluation Criteria for IT Security. ISO/IEC 15408, 1999. URL: http://csrc.nist.gov/cc
[JAJO1997] S. Jajodia, P. Samarati, V. Subrahmanian and E. Bertino. A Unified Framework for Enforcing Multiple Access Control Policies. In SIGMOD '97, pp. 474-485, Tucson, AZ, May 1997.
[JI2002] Ji Qingguang, Liu Wenqing et al. Design of a Security Model Framework for Implementing Structured Protection in a Secure Operating System. Project technical document, September 2002.
[JUEN1988] R. R. Jueneman. Integrity Controls for Military and Commercial Applications. Fourth Aerospace Computer Security Applications Conference, IEEE Computer Society Press, Florida, 1988, pp. 298-322.
[KAR2000] P. A. Karger, V. Austel and D. Toll. A New Mandatory Security Policy Combining Secrecy and Integrity. IBM Research Report RC 21717, 2000.
[KARG1974] P. Karger and R. Schell. MULTICS Security Evaluation: Vulnerability Analysis. Technical Report ESD-TR-74-193, Air Force Electronic Systems Division, Hanscom Air Force Base, MA, 1974.
[KEMM1983] R. Kemmerer. Shared Resource Matrix Methodology: An Approach to Identifying Storage and Timing Channels. ACM Transactions on Computer Systems, Vol. 1, No. 3, 1983.
[KEMM1996] R. A. Kemmerer and T. Taylor. A Modular Covert Channel Analysis Methodology for Trusted DG/UX. IEEE Transactions on Software Engineering, Vol. 22, 1996.
[KOLM1996] Bernard Kolman, Robert C. Busby and Sharon Ross. Discrete Mathematical Structures, Third Edition. Prentice Hall International, Inc., 1996, pp. 246-247.
[KCRA1984] S. Kramer. Linus IV: An Experiment in Computer Security. Proceedings of the 1984 Symposium on Security and Privacy, Apr 1984, pp. 24-31.
[KUHN1997] D. R. Kuhn. Mutual Exclusion as a Means of Implementing Separation of Duty Requirements in Role Based Access Control Systems. In Proceedings of the Second ACM Workshop on Role Based Access Control, 1997.
[LAMP1973] B. Lampson. A Note on the Confinement Problem. Communications of the ACM, Vol. 16, No. 10, 1973.
[LAPA1993] L. LaPadula. A Rule-Set Approach to Formal Modeling of a Trusted Computer System. The MITRE Corporation, Burlington Road, Bedford, MA 01730, Feb 1993.
[LAPA1995] L. LaPadula. Rule-Set Modelling of a Trusted Computer System. Essay 9 in M. Abrams, S. Jajodia and H. Podell (eds.), Information Security: An Integrated Collection of Essays, IEEE Computer Society Press, 1995.
[LEE1988] T. M. P. Lee. Using Mandatory Integrity to Enforce Commercial Security. In Proceedings of the IEEE Symposium on Security and Privacy, 1988, pp. 140-146.
[LEPR1996] J. Lepreau, B. Ford and M. Hibler. The Persistent Relevance of the Local Operating System to Global Applications. In Proceedings of the 1996 SIGOPS European Workshop, 1996.
[LEVI1975] R. Levin et al. Policy/Mechanism Separation in Hydra. Proceedings of the Fifth Symposium on Operating System Principles, ACM, 1975, pp. 132-140.
[LI1996] Li Jun and Sun Yufang. Computer Security and Security Models. Journal of Computer Research and Development (计算机研究与发展), Vol. 33, No. 4, April 1996, pp. 312-320.
[LILL2000] Peter Lilley. Common Criteria and International Recognition. 5th Australasian Conference on Information Security and Privacy, Australia, 2000.
[LIPN1975] S. B. Lipner. A Comment on the Confinement Problem. Operating Systems Review, Vol. 9, No. 5, 1975.
[LIN1992] T. Y. Lin. Bell and LaPadula Axioms: A "New" Paradigm for an "Old" Model. Paper of the 1992 NSPW, Sep 1992; in Proceedings of the 1992-1993 ACM SIGSAC New Security Paradigms Workshop, Little Compton, Rhode Island, USA, Aug 1993, pp. 82-93.
[LIU2000] Liu Wenqing. SecLinux v3 Security Analysis Report. Project technical document, October 2000.
[LIU2001a] Liu Wenqing, Liu Haifeng and Qing Sihan. Research on Developing a Secure Operating System Based on Linux. Computer Science (计算机科学), 2001, 28(2), pp. 52-54.
[LIU2001b] Liu Wenqing, Liu Haifeng and Qing Sihan. Research and Implementation of Multilevel Secure TCP/IP Based on a Secure Operating System. Computer Engineering (计算机工程), 2001, 27(2), pp. 34-36.
[LIU2001c] Liu Wenqing. Implementation of a Secure Operating System, SecLinux. Journal of the PLA Institute of Electronic Technology (解放军电子技术学院学报), 2001, 13(3), pp. 1-7.
[LIU2001d] Liu Wenqing. Feasibility Report for the "Structured Protection Level" Secure Operating System Project. Project technical document, October 2001.
[LIU2002a] Liu Wenqing, Qing Sihan, Liu Haifeng et al. Design of a Modified BLP Security Model and Its Application in SecLinux. Journal of Software (软件学报), 2002, 13(4), pp. 567-573.
[LIU2002b] Liu Wenqing, Qing Sihan and Liu Haifeng. Research and Implementation of a Multilevel Hierarchical File System for an Operating System Security Kernel. Acta Electronica Sinica (电子学报), 2002, 30(5), pp. 763-765.
[LIU2002c] Liu Wenqing. Overall Plan for the "Structured Protection Level" Secure Operating System. Project technical document, January 2002.
[LIU2002d] Liu Wenqing. Protection Profile for the "Structured Protection Level" Secure Operating System (SPLPP). Project technical document, March 2002.
[LIU2002e] Liu Wenqing. Security Target for the "Structured Protection Level" Secure Operating System SecLinux v4. Project technical document, May 2002.
[LOSC1998] P. Loscocco et al. The Inevitability of Failure: The Flawed Assumption of Security in Modern Computing Environments. Proceedings of the 21st National Information Systems Security Conference, Oct 1998, pp. 303-314.
[LOSC2001] P. Loscocco and Stephen Smalley. Integrating Flexible Support for Security Policies into the Linux Operating System. Technical report, NSA and NAI Labs, Jan 2, 2001.
[MCC1988] D. McCullough. Noninterference and the Composability of Security Properties. 1988 IEEE Symposium on Security and Privacy, pp. 177-186, IEEE Computer Society Press, 1988.
[MCCA1979] E. J. McCauley and P. J. Drongowski. KSOS: The Design of a Secure Operating System. In Proc. AFIPS 1979 National Computer Conference, June 1979, pp. 345-353.
[McH1995] J. McHugh. Covert Channel Analysis: A Chapter of the Handbook for the Computer Security Certification of Trusted Systems. Naval Research Laboratory Report, 1995.
[MILLEN1989] J. Millen. Finite-State Noiseless Covert Channels. Proceedings of the 1989 Computer Security Foundations Workshop.
[MILLEN1999] J. Millen. 20 Years of Covert Channel Modeling and Analysis. 1999 IEEE Computer Society Symposium on Security and Privacy.
[MINS1998] N. H. Minsky and V. Ungureanu. Unified Support for Heterogeneous Security Policies in Distributed Systems. In 7th USENIX Security Symposium, Jan 1998.
[NCSC1993] National Computer Security Center. A Guide to Understanding Covert Channel Analysis of Trusted Systems. NCSC-TG-030, 1993.
[NEUM1975] P. G. Neumann. A Provably Secure Operating System: Final Report. DAAB03-73-C-1454, Stanford Research Institute, Menlo Park, CA 94025, Jun 1975.
[NYAN1994] M. Nyanchama. Commercial Integrity, Roles and Object Orientation. PhD dissertation, The University of Western Ontario, London, Ontario, 1994.
[NYAN1995] M. Nyanchama and S. Osborn. Modelling Mandatory Access Control in Role-Based Security Systems. In Proceedings of the IFIP WG 11.3 Ninth Annual Working Conference on Database Security, Chapman and Hall, 1995.
[OLAW1996] D. Olawsky, T. Fine, E. Schneider and R. Spencer. Developing and Using a "Policy Neutral" Access Control Policy. In Proceedings of the New Security Paradigms Workshop, Sep 1996.
[OSBO2000] S. Osborn, R. Sandhu and Q. Munawer. Configuring Role-Based Access Control to Enforce Mandatory and Discretionary Access Control Policies. ACM Transactions on Information and System Security, Vol. 3, No. 2, pp. 85-106, May 2000.
[POPE1979] G. J. Popek, M. Kampe, C. S. Kline et al. UCLA Secure Unix. In Proceedings of the National Computer Conference, pp. 335-364, 1979.
[PORR1991] P. A. Porras and R. Kemmerer. Covert Flow Trees: A Technique for Identifying and Analyzing Covert Storage Channels. IEEE Transactions on Software Engineering, Vol. 17, No. 11, 1991.
[QING1999] Qing Sihan and Feng Dengguo (eds.). Information and Communications Security: CCICS '99. Beijing: Science Press (科学出版社), 1999.
[QING2001] Qing Sihan. Cryptography and Computer Network Security. Tsinghua University Press and Guangxi Science and Technology Press, July 2001.
[QING2002] Qing Sihan and Liu Wenqing. Building the National Information Security Assurance System Should Start with the Secure Operating System. Proceedings of the 2002 China Information Security Industry and Technology Development Summit Forum, 2002, pp. 19-22.
[RABI1991] F. Rabitti, E. Bertino, W. Kim and D. Woelk. A Model of Authorization for Next-Generation Database Systems. ACM TODS, 16(1), pp. 89-131, March 1991.
[SAND1996] R. S. Sandhu et al. Role-Based Access Control Models. IEEE Computer, 29(2), pp. 38-47, IEEE Press, 1996.
[SAND1998] R. Sandhu and Q. Munawer. How to Do Discretionary Access Control Using Roles. In Proc. of the 3rd ACM Workshop on Role Based Access Control (RBAC-98), Fairfax, VA, USA, Oct 1998, ACM Press.
[SCC1997] Secure Computing Corporation. DTOS Lessons Learned Report. Technical Report DTOS CDRL A008, Secure Computing Corporation, 2675 Long Lake Road, Roseville, MN 55113-2536, June 1997.
[SCC1999] Secure Computing Corporation. Assurance in the Fluke Microkernel: Final Report. CDRL Sequence No. A002, Secure Computing Corporation, 2675 Long Lake Road, Roseville, MN 55113, Apr 1999.
[SCHI1973] W. L. Schiller. The Design and Specification of a Security Kernel for the PDP-11/45. MTR-2709, The MITRE Corporation, Bedford, MA, USA, Jun 1973.
[SCHI1975] W. L. Schiller. Design of a Security Kernel for the PDP-11/45. MTR-2934, The MITRE Corporation, Bedford, MA, USA, Mar 1975.
[SHI2001] Shi Wenchang. Research on and Implementation of Development Methods for Secure Operating Systems. PhD thesis, Institute of Software, Chinese Academy of Sciences, November 2001.
[SHI2002] Shi Jun, Zhu Luhua, Shen Changxiang and You Jinyuan. Special-Purpose Secure Operating Systems. Journal of Computer Research and Development (计算机研究与发展), Vol. 39, No. 5, May 2002, pp. 561-567.
[SIBE1987] W. O. Sibert et al. UNIX and B2: Are They Compatible? Proceedings of the 10th National Computer Security Conference, Baltimore, MD, USA, Sep 1987, pp. 142-149.
[SMAL2001] Stephen Smalley and Timothy Fraser. A Security Policy Configuration for the Security-Enhanced Linux. Technical report, NAI Labs, Jan 2001.
[SMIT1997] Jean E. Smith and Fred W. Weingarten. Research Challenges for the Next Generation Internet. Report from the Workshop on Research Directions for NGI, May 1997.
[SMIT2000] Richard E. Smith. Trends in Government Endorsed Security Product Evaluations. 23rd National Information Systems Security Conference, Baltimore, Maryland, USA, Oct 2000.
[SPEN1998] Ray Spencer, Stephen Smalley, Peter Loscocco, Mike Hibler, David Andersen and Jay Lepreau. The Flask Security Architecture: System Support for Diverse Security Policies. University of Utah Technical Report UUCS-98-014, August 1998.
[TSAI1988] C. R. Tsai and V. D. Gligor. A Bandwidth Computation Model for Covert Storage Channels and Its Applications. Proc. of the IEEE Symposium on Security and Privacy, Oakland, 1988.
[TSAI1990] C. R. Tsai, V. D. Gligor and C. S. Chandersekaran. A Formal Method for the Identification of Covert Storage Channels in Source Code. IEEE Transactions on Software Engineering, Vol. 16, No. 6, 1990.
[TTRP1999] The Trust Technology Assessment Program. The Computer Security Evaluation Frequently Asked Questions (v4). National Security Agency, http://www.radium.ncsc.mil/tpep/process/fdq.html, 1999.
[WALD1990] Neil A. Waldhart. The Army Secure Operating System. 1990 IEEE Computer Society Symposium on Research in Security and Privacy, 1990, pp. 50-60.
[WALK1980] Bruce J. Walker, Richard A. Kemmerer and Gerald J. Popek. Specification and Verification of the UCLA Unix Security Kernel. Communications of the ACM, 23(2), pp. 118-131, Feb 1980.
[WEIS1969] C. Weissman. Security Controls in the ADEPT-50 Time-Sharing System. In Proceedings of the 1969 AFIPS Fall Joint Computer Conference, Vol. 35, pp. 119-133, 1969.
[WHIT1973] Jerold Whitmore, Andre Bensoussan, Paul Green, Douglas Hunt, Andrew Kobziar and Jerry Stern. Design for MULTICS Security Enhancements. ESD-TR-74-176, Electronic Systems Division, Air Force Systems Command, Hanscom Field, Bedford, MA, USA, Dec 1973.
[WRAY1991] J. C. Wray. An Analysis of Covert Timing Channels. Proceedings of the IEEE Symposium on Research in Security and Privacy, Oakland, 1991.
[ZHU2002] Zhu Jifeng, Liu Wenqing et al. Research on Covert Channels in High-Security-Level Operating Systems. Project technical document, August 2002.