
The Security Model Of The Operating System And The Realization Of Structure Research

Posted on: 2003-01-12
Degree: Doctor
Type: Dissertation
Country: China
Candidate: L H Zhu
GTID: 1118360095455978
Subject: Computer software and theory

Abstract/Summary:
The security of the operating system is one of the most important and foundational subjects in the information security domain. This dissertation focuses on the model of a secure operating system and on the implementation architecture of security policy on the UNIX operating system platform.

After analysing typical instances of security attacks on the UNIX operating system, it can be concluded that both the discretionary access mechanism and the implementation of the privileged super-user are sources of the security problems of UNIX. This dissertation discusses an integrated, privilege- and role-extended UNIX operating system security model based on the BLP model. The BLP model emphasises the control of secrecy: information flow from a high security level to a lower level is controlled. However, the BLP model lacks control of information integrity; it cannot govern the "write up" operation, and there are potential problems in "write up". Therefore this dissertation puts forward a method for improving integrity in the BLP model. An integrity level is added to both the subject and the object. When the security level of the object is higher than that of the subject, which means a low-secrecy process wants to write up to high-secrecy data, the integrity levels of the subject and the object must additionally be judged: the integrity level of the subject must be higher than that of the object.

In the implementation of the BLP model, the authority of the trusted subject must be controlled. As a second improvement to BLP, we extend the concepts of privilege and role, and the rule of least privilege is applied. 29 kinds of privileges for UNIX processes have been defined in the OS kernel. To associate privileges with subjects and objects better, we define the privilege set, which contains one or more privileges.

A process has three privilege sets: the base privilege set, the kernel authorization set and the effective privilege set. Two privilege sets are defined for an executable file: the potential privilege set and the granted privilege set. The rules for privilege conversion and for system security state transition are fully discussed in this dissertation. After the basic rule of privilege conversion is introduced, the privilege conversion rules of three system calls, exec(), setpriv() and chpriv(), are presented in detail. The requirements of the initial system state and the secure system state are put forward, and 21 transition functions are defined.

A new security policy architecture based on the UNIX operating system is presented in this dissertation. Its design principle is that security policy definition, policy decision and the security policy enforcement mechanism are independent of each other. The architecture unites the security policy driver, the security policy switch, the security policy modules, the security policy daemons and the message passing mechanism. The security policy driver, the security policy switch and the security policy modules are implemented in the system kernel, while the security policy daemons are implemented outside the kernel. The security policy daemon communicates with the security policy driver and the security policy modules through the message passing mechanism. The advantage of this architecture is that different security policies can be supported flexibly. For a given security policy, multiple policy arguments can be configured without recompiling the kernel or modifying the format of the file system. The functions and relationships of the modules in the security policy architecture are discussed in detail.

Not only the scheme of security access control but also the formation and functions of the 10 kinds of message header and message body are presented in this paper. The analysis of the communication mechanism betwe...
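The two model changes the abstract describes, the integrity check on "write up" and the requirement that a trusted subject's authority be granted through an explicit privilege in its effective set, can be written down as a small policy-decision function. The following is an added example, not code from the dissertation. It assumes integer levels where a larger number is higher on both the secrecy and integrity axes, the classic BLP read and write rules, and a hypothetical privilege name PRIV_MAC_OVERRIDE standing in for whichever of the dissertation's 29 privileges would let a trusted subject bypass the mandatory check; the abstract names none of them, and the exact privilege-conversion rules for exec(), setpriv() and chpriv() are not modelled.

```python
from dataclasses import dataclass
from typing import FrozenSet, Tuple

# Hypothetical privilege name (assumption): the dissertation defines 29 kernel
# privileges but the abstract names none, so this stands in for a MAC override.
PRIV_MAC_OVERRIDE = "PRIV_MAC_OVERRIDE"


@dataclass(frozen=True)
class Label:
    """Security label: BLP secrecy level plus the added integrity level.
    Assumption: a larger integer is a higher level on both axes."""
    secrecy: int
    integrity: int


@dataclass(frozen=True)
class Process:
    """Subject: a label plus the three per-process privilege sets the abstract names."""
    label: Label
    base: FrozenSet[str] = frozenset()
    kernel_authorization: FrozenSet[str] = frozenset()
    effective: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class Obj:
    """Object (file, device, ...): carries a label only."""
    label: Label


def mac_decision(subj: Label, obj: Label, op: str) -> Tuple[bool, str]:
    """BLP simple-security and *-property, with the integrity check on a strict write-up."""
    if op == "read":
        if subj.secrecy >= obj.secrecy:
            return True, "read permitted (read-down or equal level)"
        return False, "read-up denied (simple security property)"
    if op == "write":
        if subj.secrecy > obj.secrecy:
            return False, "write-down denied (*-property)"
        if subj.secrecy == obj.secrecy:
            return True, "write at equal secrecy permitted"
        # Strict write-up: the extension additionally requires the subject's
        # integrity level to be strictly above the object's.
        if subj.integrity > obj.integrity:
            return True, "write-up permitted (subject integrity above object integrity)"
        return False, "write-up denied (subject integrity not above object integrity)"
    raise ValueError(f"unknown operation: {op}")


def access(proc: Process, obj: Obj, op: str) -> Tuple[bool, str]:
    """Reference-monitor style check: the mandatory rule is evaluated first; a
    trusted-subject override counts only if the privilege is in the *effective*
    set, not merely in the base or kernel authorization set (least privilege)."""
    allowed, reason = mac_decision(proc.label, obj.label, op)
    if allowed:
        return True, reason
    if PRIV_MAC_OVERRIDE in proc.effective:
        return True, reason + "; overridden by " + PRIV_MAC_OVERRIDE + " in effective set"
    return False, reason


if __name__ == "__main__":
    # Constructed scenario: two low-secrecy processes try to append to a
    # high-secrecy object of middling integrity.
    audit_sink = Obj(Label(secrecy=3, integrity=2))
    high_integrity_proc = Process(Label(secrecy=1, integrity=3))
    low_integrity_proc = Process(Label(secrecy=1, integrity=1))
    # Same low-integrity process, override privilege held but not made effective.
    holds_but_not_effective = Process(Label(secrecy=1, integrity=1),
                                      base=frozenset({PRIV_MAC_OVERRIDE}))
    for name, proc in (("high-integrity subject", high_integrity_proc),
                       ("low-integrity subject", low_integrity_proc),
                       ("low-integrity, privilege only in base set", holds_but_not_effective)):
        print(f"{name}: write -> {access(proc, audit_sink, 'write')}")
```

The third case in the scenario is the point of the effective-set distinction: a process that has the override privilege in its base set but has not made it effective is still denied, so the trusted subject's authority is bounded by what it has actually enabled rather than by what it could enable.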
Keywords/Search Tags:Secure Operating System, Security Model, Security Policy Architecture, Discretionary Access Control, Mandatory Access Control, Privilege, Privilege Set, Transition Function