
Towards Access Control Mechanism Of Linux Operating System

Posted on: 2009-01-21
Degree: Master
Type: Thesis
Country: China
Candidate: Y D Li
GTID: 2178360242989168
Subject: Computer software and theory
Abstract/Summary:
Human society is going through a digitized era because of the explosion of information technology. A great deal of information has been digitized and is maintained centrally by information systems, and more and more valuable and critical information is managed by them. Hence, the security capability of an information system is becoming its bottleneck. On the other hand, the security of the operating system is the precondition for the security of an information system, because the operating system is the base and kernel of an information system. Therefore, it is very important and necessary to study the security mechanisms provided by an operating system.

The foremost target of information security is to assure data security, which can be protected by enforcing access control. Linux is currently becoming one of the most popular operating systems because of its excellent performance and open source philosophy. Since many individuals and enterprises are switching to Linux, its access control mechanism has been improved from time to time to meet new security requirements. For instance, the SELinux subsystem can enforce policy-based MAC and provides flexible security policy configuration. However, there are still some defects in the current Linux access control mechanism.

The main target of this paper is to analyze and improve the access control mechanism of the current Linux operating system. To achieve this goal, the current Linux security mechanism is analyzed first, and the Permission Division Principle (PDP) is summarized based on a study of some popular information security models. Then a new access control model named the LYSLinux Access Control Model (LACM) and the Layer Based Permission Assignment (LBPA) concept, based on PDP, are put forward. Furthermore, a prototype system named LYSLinux, which is based on the FLASK architecture, the definition of LACM and the Linux kernel security facilities, is designed and implemented to verify the functionality and feasibility of LACM. The prototype system is made up of a Linux kernel module, a security policy compiler and an XML schema for policy configuration. Finally, the prototype is tested and the results are analyzed, and further research directions are summarized.
Keywords/Search Tags:Secure Operating System, Access Control, SELinux, Security Policy, Linux Security Modules (LSM)