
Research And Implementation On Integrity Protection Techniques For Terminal Computer

Posted on: 2015-10-06
Degree: Master
Type: Thesis
Country: China
Candidate: X K Weng
GTID: 2308330482479072
Subject: Computer Science and Technology
Abstract/Summary:

Terminal computers are the basic units of cyberspace activity and the source and destination of information, so protecting their integrity plays an important role in building secure network environments and information systems. The emergence of trusted computing introduces a new way to improve the security of terminal systems. The integrity measurement mechanism, a key technology of trusted computing, establishes an initial chain of trust for the terminal system, passing trust from the root of trust to the entire system. However, existing integrity measurement systems mainly focus on static integrity measurement at terminal boot and program load time, and lack effective dynamic integrity measurement of the running system. Furthermore, the integrity verification process is inefficient and can easily leak integrity information. In addition, integrity measurement is a passive form of integrity detection and has no active protection mechanism for files.

To realize dynamic and comprehensive integrity protection for terminal systems, this thesis first studies the operating mechanism of terminal systems and the security threats they face, and then proposes a secure and efficient dynamic integrity protection framework. The framework combines integrity measurement technology with access control mechanisms and uses an unbalanced hash tree to achieve safe and efficient storage and integrity verification. It protects the integrity of the terminal system at run time and provides strong support for trusted network access by terminal systems. The main contributions of this thesis are as follows:

1. A dynamic integrity measurement mechanism is proposed to measure the integrity of processes, kernel modules and critical kernel data structures, detect malicious damage to the integrity of the terminal system, and ensure the integrity of terminals at run time.

2. Biba access control policies are implemented on the LSM framework by combining the dynamic integrity measurement mechanism with a strong (mandatory) access control mechanism, and using the integrity measurement mechanism to provide authentication for that access control mechanism. The policy label is bound to the file, which ensures that access control policies work effectively, prevents illegal modification of files by unauthorized processes, and thus ensures that the integrity of files in the system will not be destroyed.

3. An integrity verification mechanism based on an unbalanced hash tree is proposed. Standard values are stored in the unbalanced hash tree, which greatly reduces the number of intermediate nodes in the hash tree, shortens the verification path and improves the efficiency of integrity verification. Because the validation process requires less auxiliary authentication information, the security of private information on the terminal is ensured.
Keywords/Search Tags: Trusted Computing, Dynamic Integrity Measurement, Access Control, Linux Security Module Framework, Unbalanced Hash Tree, Integrity Verification