
Study On Access Control And Real-Time Alert Of Secure Operating System

Posted on: 2009-02-04
Degree: Doctor
Type: Dissertation
Country: China
Candidate: H J Li
Full Text: PDF
GTID: 1118360242476100
Subject: Communication and Information System
Abstract/Summary:
People can obtain more and more information via computers thanks to the growth of the Internet. On the other hand, open network systems expose more and more hidden security risks: new vulnerabilities and new viruses are discovered on the main computer platforms almost every day, and new information technologies make the security of computer systems harder to control than before. The evolution of networks and computer systems shows that information security can no longer be postponed. With the development of remote access, communications and network engineering, hardware security can be attained, so software security plays an important role in the field of information security.

The operating system is the only system software that interacts directly with the computer hardware, and its security is the basis of the security of every other application; without it, the security of an information system cannot be guaranteed. Other network security techniques, such as intrusion detection, are also key to the design of a secure operating system. To enhance its security, an operating system needs the following security functions: authentication, access control, security audit, intrusion detection, etc. Access control is central to a secure operating system, and program behavior-based anomaly detection has proved to be perhaps the most successful and effective host-based anomaly detection method.

Constructing an efficient and precise program behavior model is pivotal to accurate program behavior-based anomaly detection. Based on dynamic learning, static analysis or a combination of both, researchers have proposed several program behavior-based anomaly detection models, which are either context-insensitive or context-sensitive. They are studied here from three dimensions: the information extracted from system calls, the system call level used in anomaly detection, and the information recorded by the anomaly detector. They are also compared on convergence time, false positives, detection capability, space requirement and runtime overhead.

The classical access control models of secure operating systems include the BLP model, the DTE model and the RBAC model, etc. But a single security model can only meet one aspect of the security requirements. BLP is an effective model for protecting the system's confidentiality, DTE is a good way to protect the system's integrity, and RBAC is better suited to managing the authorization of the system's security policy. Also, in existing implementations the user label is inherited from the UID without taking process reliability into account, which cannot ensure a trusted path between the user and the reference monitor, so information could be disclosed or modified. In a real network environment the security requirements on a secure operating system cover multiple aspects, such as confidentiality, integrity, reliability and availability, because of its complex applications, so there is a need to develop a new access control method. A new access control method, called MACM, is proposed after a thorough study of the above models. The new method makes use of the virtues of each single security model while also taking the system's reliability and availability into account. A formal description of the new method is given and its implementation in the Linux kernel is investigated. Performance tests on Linux show that the method introduces little overhead.

For context-sensitive models constructed from static analysis, there is a tradeoff between accuracy and efficiency. Several models have been proposed, including the Abstract Stack model, the VpStatic model, the Dyck model and the HPDA model, etc. Their disadvantages are that none of them alone has sufficient context information, and that they deal only with statically-linked program code, which may allow extraneous behaviors. A new accurate and efficient anomaly detection model, called the Combined Pushdown Automaton (CPDA) model, is presented. It is generated by analyzing the binary executable code of a program, and it combines an optimized call stack walk with limited code instrumentation to gain complete context information. By its construction it can operate efficiently. Experiments on Linux show that the CPDA model has high efficiency.

To detect more attacks aimed at key security data, it is necessary to take into account data flow information pertaining to system call arguments. We concentrate on learning the more complex binary relations, because they capture the property between two system call arguments. The dynamic learning based approaches, the Improving and MCC methods, are able to utilize control-flow context to improve the precision of data flow relationships. There are also static analysis techniques that incorporate system call argument information into the control flow model, such as the Dyck and Environment-Sensitive methods. An efficient data flow attribute analyzing method, called 2PA (Two-Phase Analyzing), is proposed. It analyzes data flow attributes in two phases: offline static analysis and online dynamic learning. Static analysis recovers the statically determined arguments through symbolic execution and analyzes the dependencies between arguments according to a Data Dependency Graph; dynamic learning obtains the argument values that cannot be determined statically and learns the specified binary relations according to the results of the static analysis. The 2PA method also proposes the notions of unrelated events and useless relations, and presents an algorithm to construct a relation dependency graph from the data dependency graph. Performance evaluations on Linux programs show that anomaly detection based on the 2PA method can operate efficiently while introducing low overhead.
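As an added illustration of the context-sensitivity argument above (not code from the dissertation, and a much simplified sketch rather than the CPDA construction): the constructed toy program below is modelled once as a context-insensitive finite-state model and once as a pushdown model that records return points, and the system-call trace that returns from `helper` to the wrong caller is accepted by the former but rejected by the latter. The toy program has no recursion, so the closure computation terminates.

```python
# Constructed toy program. A function body is a list of events: ("sys", name) is
# a system call, ("call", callee) a call site. A program point is (function,
# index); index == len(body) is the function's return point.
PROGRAM = {
    "main":   [("call", "helper"), ("sys", "write"), ("call", "helper"), ("sys", "exit")],
    "helper": [("sys", "open"), ("sys", "read")],
}
ENTRY = ("main", 0)

def closure(configs, context_sensitive):
    """Follow call/return edges that consume no system call.
    Context-sensitive: a call pushes its return point, a return pops it (pushdown).
    Context-insensitive: no stack, so a return may resume at ANY return site of
    the function; this is the 'impossible path' weakness of finite-state models."""
    seen, work = set(), list(configs)
    while work:
        (f, i), stack = work.pop()
        if ((f, i), stack) in seen:
            continue
        seen.add(((f, i), stack))
        body = PROGRAM[f]
        if i < len(body):
            if body[i][0] == "call":
                ret = ((f, i + 1),) if context_sensitive else ()
                work.append(((body[i][1], 0), stack + ret))
        elif context_sensitive:
            if stack:
                work.append((stack[-1], stack[:-1]))
        else:
            for g, gbody in PROGRAM.items():
                for j, ev in enumerate(gbody):
                    if ev == ("call", f):
                        work.append(((g, j + 1), ()))
    return seen

def accepts(trace, context_sensitive):
    """True if the trace is a prefix of some execution the model allows."""
    cur = closure({(ENTRY, ())}, context_sensitive)
    for sc in trace:
        nxt = {((f, i + 1), st) for (f, i), st in cur
               if i < len(PROGRAM[f]) and PROGRAM[f][i] == ("sys", sc)}
        if not nxt:
            return False
        cur = closure(nxt, context_sensitive)
    return True

# Constructed traces: the second returns from helper to the wrong call site and
# skips 'write'; only the stack-aware model can tell the difference.
NORMAL_TRACE = ["open", "read", "write", "open", "read", "exit"]
IMPOSSIBLE_PATH_TRACE = ["open", "read", "exit"]
```

`accepts(IMPOSSIBLE_PATH_TRACE, False)` is True while `accepts(IMPOSSIBLE_PATH_TRACE, True)` is False; a real monitor obtains the stack part of each configuration from a call stack walk at system call time.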
Keywords/Search Tags: secure operating system, access control, MACM method, anomaly detection, system call, context-sensitive, CPDA model, data flow, 2PA method