Research And Implementation Of Key Techniques On Trusted Security-enhanced Method For System

Posted on: 2007-07-08
Degree: Doctor
Type: Dissertation
Country: China
Candidate: J C Ren
GTID: 1118360215970566
Subject: Computer Science and Technology
Abstract/Summary:
Security research on computer systems is a gradual process: absolute security cannot be attained, only progressively better security. As security problems continue to emerge in computer systems, especially in networked terminal computers, information systems face a serious crisis of trust. The challenge is to develop a trusted security-enhanced method using existing technologies at low cost, and to help users operate computer systems in a trusted and controllable mode.

To realize these goals, a mode must be found in which the state of the computer can be verified. The new method should not only distribute privileges in a reasonable way but also guarantee that the computer runs in an authorized state. To make a computer trusted, trust measurement and verification methods need to be studied first, because users can learn the state of the computer only through verification. Second, rights must be distributed reasonably in order to satisfy the principle of least privilege. Trusted computing platform technology supports authentication between the software and hardware entities of a general-purpose computer by adding a physical chip that acts as the root of trust. In a trusted computing platform, all kinds of applications can be protected by the subsystem built up from the underlying chip. The take-grant model, on the other hand, can determine the conditions under which a subject can access objects with a given right. Drawing on the designs of these methods, this paper researches trust verification technology in depth, with the expectation that the control measures will not only make the system run in an authorized way but also guarantee the safety of its owner.

Based on the trusted take-grant model, this paper proposes a security-enhanced architecture for general systems, researches many key technologies of this architecture, and finally designs and implements an Enterprise Inner Security Management System.

The paper's main works and efforts are:

1. It researches the method of trust verification and proposes a trusted take-grant model. The paper researches trust verification in four aspects: identity trust, action trust, content trust and environment trust. It integrates this method into the take-grant model to propose a new trusted take-grant model by introducing trusted subjects, restricting the privilege of the "take" and "grant" operations to within the capability of trusted subjects, and adding a trust check rule. The new model has a tidier architecture and a more intuitive explanation.

2. It proposes security-enhanced architectures for the terminal system and the distributed system. The paper makes full use of the secure chip in system control and proposes a security-enhanced architecture for the terminal system with reference to the existing architecture of the operating system. Based on security-enhanced terminal systems, it proposes a security-enhanced architecture for a typical distributed system. The proposed architectures have advantages such as trusted control, flexible policies and a self-protection mechanism.

3. It proposes a secure chip architecture capable of supporting flexible algorithms, and designs and implements a secure chip named SUP320. Different systems need different security algorithms. To support all kinds of algorithms and get the same performance at almost the same cost, the paper researches the key technique of accelerating security algorithms by implementing frequent operations in hardware while organizing the algorithm flow in software. It proposes a secure chip architecture composed of a RISC processor and several coprocessors. Based on this architecture, it implements a secure chip consistent with TPM specification version 1.2.

4. It researches many key techniques of the trusted security-enhanced system in depth, and proposes a scheme for building the trust chain, a trusted protection method for processes, and a user identity authentication algorithm based on keystroke characteristics. Based on the security model, architecture and chip, and aiming to enhance the security of general systems, the paper researches in depth the key techniques of the trusted security-enhanced method, such as building the trust chain, identity recognition, process protection, security-enhanced storage and connection authentication. It proposes a scheme for building the trust chain, trusted protection for processes, and a user identity authentication algorithm based on keystroke characteristics.

5. It designs and implements a valuable prototype system. Using the above research results, the paper finally designs and implements a valuable prototype system named EISMS. The test results show that the security-enhanced method is valid.

All of this research aims at the goal of building a trusted and controllable computer system. Every method makes full use of the functions of the secure chip and combines the measures of rights control and trust verification. The security-enhanced system can overcome the weakness that the security mechanism of a traditional system cannot protect itself.
Keywords/Search Tags:Security enhancement, Trust verification, Trusted Take-Grant Model, Secure architecture, Trust chain, Identity recognition, Process protection, SUP320