The topic of graduation thesis is "Operating System Security". Which direction do you think is better? You'd better help make an outline!
This paper introduces three security policy access models, BLP, DTE and RBAC, and combines them to form a practical secure operating system suitable for various security products. The design scheme follows GB 17859-1999. The BLP model is the most typical multilevel security model for information confidentiality; it comprises mandatory access control and discretionary access control. Under its mandatory access control rules, a subject with a given security level is only allowed to "read" objects with the same or a lower security level, and is only allowed to "write" objects with the same or a higher security level. Discretionary access control lets users define which individuals or groups are allowed to access their data.

2.2 Multi-domain security policy model

The basic idea of the multi-domain policy is to give protected objects an abstract type that marks their integrity attribute, to stipulate that only authorized active processes (rather than users) may access objects carrying that attribute, and to confine the scope of activity of those processes so as to minimize their ability to act beyond their intended purpose.

The DTE (Domain and Type Enforcement) model [6] has been widely used in recent years to protect information integrity. The model defines a number of domains and types, assigns the subjects in the system to domains and the objects to types, and achieves integrity protection by defining the access rights of each domain to each type together with the rules under which a subject may transition between domains.

2.3 Role-based access control model

The purpose of the role-based access control model is to keep damage to system integrity to a minimum through domain isolation.

The RBAC model [6] is a role-based access control model, used mainly to manage permissions and to realize the principles of separation of duties and least privilege in permission-based access control. The relationships between its basic elements are shown in Figure 1:

Figure 1 RBAC basic element relationship

The system realizes role-based authorization and control; it supports role mutual exclusion but supports neither role inheritance nor multiple roles for the same user.

3. Security system design

3.1 Design of the security model

The security server in this system follows the improved BLP model, the DTE model and the RBAC model to realize the system's security policy. The BLP model protects the confidentiality of information, the DTE model protects its integrity, and the RBAC model is the authorization model. Through the interaction and mutual restriction of the three models, the security of both the information in the system and the system itself is ensured. Figure 2 shows the relationship between the three models and the important functions in the system.

Fig. 2 Relationship between models

As shown in Figure 2, the authorization policy, RBAC, is the foundation of the whole system. By assigning a specific role to each user it influences basic functions such as identification and authentication (IA) control, privilege control, multi-domain access control and mandatory access control, and thereby controls the access of users/subjects to objects in the system. In this system each user has one and only one role. Giving a user a role is equivalent to giving that user a maximum permission set, a security label range, a DTE domain range and a minimum audit mask; the user's own values of these attributes can only be set within the scope of the given role. RBAC is realized through the combination of least privilege, mandatory access control (including MAC confidentiality protection and DTE integrity protection) and security audit.

On the other hand, the multi-domain policy DTE and the multilevel security policy BLP call the multi-domain access control and mandatory access control functions on top of the authorization policy to protect the integrity and confidentiality of object information.

This system makes the following changes to the BLP model:

1. It restricts the "write up, read down" information flow rule of the BLP model by redefining "write up": a subject with a low security level may create or append information to an object with a higher security level, but may not modify or delete the information already in that object. For example, a low-level subject may create new files (including subdirectories and named pipes) in a high-level directory (subject to the DAC and DTE checks), but may neither delete the existing files (including subdirectories and named pipes) nor rewrite the contents of high-level files;

2. It introduces the concept of a trusted subject, that is, a subject that has multiple security levels or a range of security levels;

3. It introduces the concept of a trusted object, that is, an object that has multiple security levels or a range of security levels.

In this system, DTE is implemented by assigning domain/type identifiers (collectively, DTE identifiers) to subjects/objects. The DTE policy realizes integrity protection by assigning a "domain" to each subject and a "type" to each object and defining the access rights between domains and types, which are described in DTEL (the DTE language).

The kernel maintains a "domain" label for each subject and a "type" label for each file. When an operation occurs, the system decides whether it is allowed according to the subject's "domain" label, the file's "type" label and the access control list.

In principle, to build a secure system one must consider the user application system, the O/S service system, the Linux kernel and the hardware subsystems together so that all of them are effectively protected. This system, however, concerns itself mainly with the user application system and the Linux kernel, because they are most directly related to the security of a Linux system. The ultimate goal of building a secure Linux system is to support a variety of security applications. A system that does not distinguish between different applications from the start of its construction, or does not isolate them from one another, is not practical, because different applications pose different threats to system security. The user application system is controlled mainly by combining the role model with DTE technology; the Linux kernel is controlled by capability-based access control, the enhanced BLP model and the DTE policy.
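As an added example (not the paper's code), the following toy Python decision function shows how the three policies of Section 3.1 can be combined in a single reference-monitor check: the RBAC role fixes the scope of the subject's attributes and its maximum permission set, the modified BLP rule lets a low-level subject append to but not modify or delete a higher-level object, and a DTE domain/type table must also grant the operation. The role, domain and type names and both tables are constructed assumptions, not the system's real policy.

```python
from dataclasses import dataclass

READ, MODIFY, APPEND, DELETE = "read", "modify", "append", "delete"

@dataclass
class Subject:
    role: str
    domain: str
    level: tuple  # (low, high) security level range; a trusted subject has low < high

@dataclass
class Obj:
    type: str
    level: int

# Role -> (maximum permission set, allowed label range, allowed DTE domains). Constructed sample.
ROLES = {
    "operator":  ({READ, MODIFY, APPEND}, (1, 2), {"user_d"}),
    "sec_admin": ({READ, MODIFY, APPEND, DELETE}, (1, 4), {"admin_d"}),
}
# DTE access table: domain -> type -> permitted operations. Constructed sample.
DTE = {
    "user_d":  {"user_t": {READ, MODIFY, APPEND, DELETE}, "log_t": {APPEND}},
    "admin_d": {"user_t": {READ, MODIFY, APPEND, DELETE}, "log_t": {READ, APPEND}},
}

def rbac_allows(s: Subject, op: str) -> bool:
    """Subject attributes must lie within the role's scope; op must be in its permission set."""
    perms, (lo, hi), domains = ROLES[s.role]
    in_scope = lo <= s.level[0] <= s.level[1] <= hi and s.domain in domains
    return in_scope and op in perms

def blp_allows(s: Subject, o: Obj, op: str) -> bool:
    """Modified BLP: read down only; never write down; write up limited to create/append."""
    lo, hi = s.level
    if op == READ:
        return o.level <= hi          # no read up
    if o.level < lo:
        return False                  # no write down
    if o.level > hi:
        return op == APPEND           # may add to, but not alter, higher-level objects
    return True                       # object level lies within the subject's own range

def dte_allows(s: Subject, o: Obj, op: str) -> bool:
    return op in DTE.get(s.domain, {}).get(o.type, set())

def decide(s: Subject, o: Obj, op: str) -> bool:
    # Security server decision: all three policies must grant the operation.
    return rbac_allows(s, op) and blp_allows(s, o, op) and dte_allows(s, o, op)
```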

3.2 Structural design of the security system

Figure 3 Structure diagram of Linux structured protection level security server system

Figure 3 shows the architecture of the system. After a system operation requested by a user enters the kernel, it first passes through a security policy enforcement point, which calls the corresponding security policy enforcement module. That module reads the relevant system security information and the subject/object security attributes and calls the security policy decision module, which makes the security judgment and decides whether the requested operation may continue. When the requested operation has been allowed and completed, the relevant security information and attributes are set and a security audit is performed, again via the security policy enforcement point.

The functional modules of the security server are relatively independent of the original system; the two communicate through hook functions. Different security servers can be enabled by redirecting the hook functions, and different security servers can choose different security policies, so that multiple security policies are supported.

3.3 Functional characteristics of the security system

Based on the original Linux operating system, the security system adds new functions such as mandatory access control, least privilege management, a trusted path, covert channel analysis and encryption card support. The main functions of the system are as follows:

1. Identification and authentication

Identification and authentication ensure that only legitimate users can access system resources. This part of the system consists of three components: role management, user management and user authentication:

Role management is an important part of realizing the RBAC model. The role profile is stored in the file /etc/security/role, and role management is the maintenance of that profile.

User management is the maintenance of the user attribute files; it modifies and extends the original user management of the system. The system changes the way user attributes were stored in the original system and creates an attribute file for each user in the /etc/security/ia directory.

User identity authentication controls the establishment of a session between the user and the system. The system modifies the PAM module and the session-establishment program of the original system, adds strong identity authentication of administrator users (using encryption cards), and adds the setting of users' initial security attributes (permission set, security label, domain, audit mask).

2. Discretionary access control (DAC)

DAC controls access according to the wishes of the resource owner. Using DAC, users can state which other users in the system are allowed to share their resources and with which rights.

The system adds an ACL mechanism to discretionary access control. Using ACLs, users can selectively grant other users specific access rights, protecting information from being obtained illegitimately.

3. Mandatory access control (MAC)

MAC provides a method of resource access control based on data confidentiality. It is a concrete application of the multilevel security and discretionary access policies. By restricting users to reading information at or below their own level and writing information only at their own level, control over resources is strengthened, giving stricter access constraints than DAC.

4. Security audit

Auditing is a mechanism that brings the supervisory mechanisms of society into the computer system in order to monitor and record system activity. Its main goal is to detect and assess penetration of the system and to identify and record the security-relevant activities of operations.

Audit events in this system are divided into trusted events and system calls. Since the events to be audited differ from user to user, both a system audit event mask and a per-user audit event mask are set; when an audit record is generated, the kernel selects according to these masks.

5. Object reuse

Object reuse means that the TSF must ensure that no information in a protected resource is leaked when the resource is reused.

When the storage medium of an important object is reallocated to another subject, the object reuse function prevents information leakage. In this system, for reasons of efficiency and reliability, only residual information in important kernel data structures is cleared automatically; file contents are cleared manually.

6. Least privilege management

According to the principle of least privilege required at the TCSEC B2 level, each process in the system should hold only the minimum privilege needed to complete its tasks and functions. This system therefore provides a flexible privilege management mechanism that divides the privileges of the superuser into a group of fine-grained privileges. By controlling the distribution, inheritance and transmission of user and process privileges, some of these privileges can be given to an ordinary user, so that ordinary users too can perform some operation and management of the system.

7. Trusted path

A trusted path provides users with a trusted channel for interacting with the system. It is implemented by having the kernel monitor a security key: when the key is pressed, all applications on the current terminal are terminated and a new trusted login program is started.

Following the TCSEC B2 requirements for a trusted path, this system provides a trusted path mechanism to prevent spoofing by programs such as Trojan horses. Whatever state the system is in, a user can reach the secure login interface by pressing the security key (usually set to Ctrl-Alt-A). In addition, strong identity authentication of administrator users and the establishment of encrypted channels further ensure the security of the user's interaction with the system.

8. Covert channel analysis

China's "Classification Standard for Computer Information System Security Protection" [1] requires that covert channels be analyzed and handled in security information system products of level 4 and above. The covert channel analysis of this system is based on the source code and uses the following method:

Analyze all operations and list each operation together with the shared resources (object attributes) it involves.

List the relationships between the operations and the shared resources.

Find all possible covert storage channels.

Analyze and identify each covert storage channel and give its bandwidth.
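As an added illustration (not from the paper) of the first three steps above, this Python sketch applies a shared-resource-matrix pass to a constructed list of operations and the object attributes each one references or modifies; an attribute that one operation can modify and a different operation can observe is a candidate covert storage channel for the analyst to examine and measure in the fourth step. The operation and attribute names are constructed, not the system's real kernel interface.

```python
from itertools import product

# Steps 1 and 2: each operation and the shared object attributes it references ("R")
# or modifies ("M").  Constructed toy sample of a file-system interface.
MATRIX = {
    "create_file": {"dir_entry_count": "M", "free_inodes": "M"},
    "stat_dir":    {"dir_entry_count": "R"},
    "unlink":      {"dir_entry_count": "M", "free_inodes": "M"},
    "statfs":      {"free_inodes": "R"},
    "read_file":   {"file_size": "R"},
    "append":      {"file_size": "M"},
    "get_pid":     {},  # touches no shared attribute, so it cannot take part in a channel
}

def candidate_storage_channels(matrix):
    """Step 3: return (attribute, modifying_op, observing_op) triples.  A shared
    attribute that one operation can set and another can read lets the caller
    of the first signal the caller of the second, bypassing the MAC policy."""
    attrs = {a for accesses in matrix.values() for a in accesses}
    found = []
    for a in sorted(attrs):
        modifiers = sorted(op for op, acc in matrix.items() if acc.get(a) == "M")
        observers = sorted(op for op, acc in matrix.items() if acc.get(a) == "R")
        for m, r in product(modifiers, observers):
            if m != r:
                found.append((a, m, r))
    return found
```

Each triple is only a candidate: step 4 of the method above still has to decide whether the two operations are reachable from subjects at different levels and what bandwidth the channel offers.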

9. Encryption card support

The system is based on domestic cryptographic hardware, and the cryptographic services it realizes cover three aspects:

File storage encryption and decryption: a set of shell commands at the command level that protect the confidentiality and integrity of files, plus a library of functions for user programming.

Strong authentication of privileged users: combining the RBAC and DTE policies, strong authentication is realized for privileged (role) users.

Data transmission encryption and decryption: a set of functional interfaces in the kernel that realize the confidentiality and integrity of transmitted data.

4. Conclusion

By studying the kernel structure of Linux and the layered structure of the security system outside the operating system domain, this scheme organically combines three security policy models with existing advanced technologies and adds security functions such as mandatory access control, least privilege and a trusted path. It has been implemented successfully on the Linux operating system and essentially reaches the structured protection level specified in GB 17859-1999.

As an important part of information security, operating system security enhancement technology has attracted wide attention at home and abroad. In the field of security, the security of a system is always relative; the study and modeling of security models and the research into information security architectures and scheme design therefore need to be deepened further. The design scheme has been implemented on the Linux operating system and needs to be further tested and improved in practical use.

References

[1] GB 17859-1999, Classification criteria for security protection of computer information systems [S].

[2] DoD 5200.28-STD, Department of Defense Trusted Computer System Evaluation Criteria [S]. Washington, DC: Department of Defense, 1985.

[3] Shi Wenchang, Sun Yufang. Evolution of computer security standards and development of security products [J]. Guangxi Sciences, 2001, 8(3): 168-171.

[4] Bell D E, LaPadula L J. Secure computer systems: mathematical foundations and model [R]. Bedford, MA: MITRE Corporation, 1973. M74-244.

[5] Shi Wenchang, Sun Yufang, Liang Hongliang. Self-adaptive marking method of the classical BLP security axioms and its correctness [J]. Journal of Computer Research and Development, 2001, 38(11): 1366-1376.

[6] Tang. Security policy model of a "structured protection level" secure operating system [R]. Beijing: Engineering Research Center for Information Security Technology, Chinese Academy of Sciences; ChinaSoft Network Technology Co., Ltd., 2002.

Research and Design of Security Model

Hu Zhi-Xing

(School of Information Engineering, University of Science and Technology Beijing, Beijing 100083)

Through the study of the BLP, DTE and RBAC models, and by combining the three, this paper proposes a security system together with its composition and a scheme for realizing its functions, achieving the structured protection level of GB 17859 (equivalent to TCSEC B2). The scheme has been implemented successfully on the Linux operating system.

Keywords: security technology; security model; Linux operating system