
Implementation Of Security Policies Enforcement For Java Language

Posted on: 2010-11-27
Degree: Master
Type: Thesis
Country: China
Candidate: D Wei
Full Text: PDF
GTID: 2178360272495834
Subject: Computer software and theory

Abstract/Summary:
In recent years, with the development of distributed computing systems and communication technology, mobile code technology has made enormous progress. Since the appearance of the Internet, and of Java in particular, nothing else can take the place of mobile code. Mobile code is extremely flexible and extensible, and it brings the Internet far richer functionality than other technologies. However, code mobility also brings prominent security problems. Among these, how to guarantee that code from an untrusted source executes safely on the local host is one of the most important research subjects.

The Model-Carrying Code (MCC) method, proposed in recent years, is a fairly systematic solution to the safe execution of mobile code. Java is well suited to enterprise networks and the Internet environment and has become one of the most popular and influential programming languages.

Our main contribution in this thesis is to combine the MCC method with the Java language environment, specifically in the following points.

Firstly, we provide a consistent characterisation shared by model verification and enforcement. Model verification needs the model and the security policy; enforcement needs the security policy. The model generation problem is already solved, so only the definition of the security policy remains. If we understand model verification as asking whether executing the model could violate the security policy, then model verification and enforcement can be understood in a similar way.

Before defining the security policy, however, we need to consider the problem of a uniform characterisation. There are three options:

(1) Based on a consistent event collection at the system call (syscall) level, verification and enforcement are both done at the syscall level.

(2) Based on a consistent event collection at the Java Native Call (JNC) level, verification and enforcement are both carried out at the JNC level.

(3) Establish a consistent event collection, called the Basic Event Collection (BEC), that is independent of both syscalls and JNCs but refers to both, and may be understood as their common semantics. The security policy is defined on the BEC and the model is extended to the JNC level; the BEC is then mapped onto JNCs for verification and onto syscalls for enforcement.

All three methods are feasible from the standpoint of defining and enforcing security policies, and there is little difference between them in how security policies are described. Because the security policy is defined in terms of the event collection, as long as the event collection is fixed and the events are described accurately, the security policy compiler will work. During enforcement, however, different levels need different approaches: for events at the syscall level we obtain system call information through process-level monitoring on a Linux system; for events at the JNC level we obtain the information through a virtual machine that has been instrumented for the purpose.

Secondly, we define a Security Policy Description Language (SPDL) as a tool for describing security policies, give its internal representation as an Extended Finite State Automaton (EFSA), and give the compilation process from a security policy script to an EFSA. Several basic concepts are defined in SPDL:

Event: the most basic concept in a security policy, the constituent of patterns and itself a simple pattern. An event belongs to a certain event collection and consists of an event name and parameters. A JNC or a syscall, together with its return value, may be treated as an event.

Event collection: a finite set of events given by the security policy definition. An event collection includes at least three things: the number of events, a description of each event, and each event's meaning as presented to the security policy decision maker. We provide two kinds of event collection, the system call event collection and the JNC event collection, which are subsets of the set of all system calls and of all JNCs respectively.

Variable: mainly used to record information about events and their parameters; the variables also form the environment in which the security policy is enforced. Their role is to express the data-flow relations between event parameters.

Pattern: a regular expression over events. Specifically, a pattern is an expression composed of events connected by sequence (.), alternation (||), closure (*) and parentheses; a single event is also a pattern.

Rule: the combination of a pattern and an action. When the execution of some routine matches a pattern written for it, the monitoring routine takes a step to protect system security, including terminating that execution.

Security policy: the set of all rules. Rules can relate to each other only through global variables.

The introduction of these basic concepts turns the security policy into a formal system. In addition, some other improvements have been adopted to make it easier for users to formulate security policies, for instance set-type variables and implicit rules.

Finally, we introduce two enforcement mechanisms, process-level monitoring and instrumentation of the Java virtual machine. Both need two processes and a specially modified Java virtual machine, Kaffe.

We discuss process-level monitoring first. The monitoring process obtains system call information from the monitored process as follows. The monitoring process starts first, reads the security policy and translates it into EFSA form, then runs Kaffe using the fork() and exec() system calls. From that moment the monitor process and the Kaffe process run concurrently: Kaffe interprets the Java bytecode and handles any input and output from the user, while the parent process monitors the child process's actions, enforces the security policy, sends enforcement instructions to the child process when necessary, and writes the audit log. The parent process does not end until the child process has terminated.

The monitoring mechanism inside the Java virtual machine is mainly aimed at security policies whose events are JNCs. After translating the security policy, the parent process enters a waiting state until the child process exits. Kaffe loads the EFSA model before interpreting the Java main method, and the security policy enforcement engine runs inside Kaffe in the form of a dynamically linked library.

The separation of the enforcement strategy from the monitoring mechanism is another main innovation of this thesis. A security policy may be formulated in two different situations depending on the event collection, so the monitoring mechanism must be made concrete to the system-related situation, either at the process level or inside the JVM. This includes forking the Kaffe process, registering signals, supervising system calls and so on, directly facing the system calls or the JNCs.

Although enforcement is directly related to the monitoring mechanism, what the enforcement module faces is the event, an abstraction of the system call or JNC. The enforcement module mainly maintains the automaton and its transitions, the executable statements in the security policy, the current statement table and so on. It obtains the event, including its parameters and return value, through the monitoring mechanism, and after completing the automaton's transition it sends the enforcement instruction to the implementation mechanism.

In summary, we first discussed the implementation of several parts of the MCC framework in the Java language environment and how these parts can work together organically. For the most essential part of the MCC framework from the code consumer's point of view, security policy formulation, we defined SPDL. SPDL makes the definition of security policies more systematic: it not only simplifies the description of a security policy but also enhances its descriptive power. On the enforcement side, combining Java execution monitoring through revisions to the Kaffe source code with process-level monitoring technology based on the Linux operating system makes the monitoring technology correspond to security policy formulation, so that both tend towards completeness.
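The EFSA-based enforcement module described above, as an added Python example (not the thesis's own code, which is written against Kaffe and Linux). It assumes one hypothetical rule, open(path under /etc/) . write(same fd) -> terminate, a constructed syscall trace in place of a live monitor, and transitions written as Python tuples rather than SPDL syntax; the variable `fd` shows how event parameters and return values are related through the automaton's variables.

```python
from typing import Callable, Dict, List, Optional, Tuple

# Constructed syscall-level event: name, arguments and return value, in the
# shape the monitoring mechanism hands to the enforcement module.
class Event:
    def __init__(self, name: str, args: tuple, ret=None):
        self.name, self.args, self.ret = name, args, ret

# Transition: (source, event name, guard, variable update, target). Guard and
# update both see the event and the variables, recording data flow between parameters.
Transition = Tuple[str, str, Callable[[Event, Dict], bool],
                   Optional[Callable[[Event, Dict], None]], str]

class EFSA:
    """Extended finite state automaton driven by monitored events."""
    def __init__(self, start: str, violating: str, response: str,
                 transitions: List[Transition]):
        self.state, self.violating, self.response = start, violating, response
        self.transitions, self.vars = transitions, {}

    def step(self, ev: Event) -> Optional[str]:
        """Advance on one event; return an enforcement instruction on violation."""
        for src, name, guard, update, dst in self.transitions:
            if src == self.state and name == ev.name and guard(ev, self.vars):
                if update:
                    update(ev, self.vars)
                self.state = dst
                break  # events with no enabled transition leave the state unchanged
        return self.response if self.state == self.violating else None

def record_fd(ev: Event, v: Dict) -> None:
    v["fd"] = ev.ret  # open()'s return value is the descriptor to track

def sensitive_open_then_write() -> EFSA:
    """Hypothetical rule: open(path under /etc/) . write(same fd) -> terminate."""
    return EFSA("q0", "q2", "terminate", [
        ("q0", "open", lambda e, v: e.args[0].startswith("/etc/") and e.ret >= 0,
         record_fd, "q1"),
        ("q1", "close", lambda e, v: e.args[0] == v["fd"], None, "q0"),
        ("q1", "write", lambda e, v: e.args[0] == v["fd"], None, "q2"),
    ])

def enforce(trace: List[Event]) -> List[Tuple[int, str]]:
    """Run a trace through the rule; return (event index, instruction) on violation."""
    efsa = sensitive_open_then_write()
    for i, ev in enumerate(trace):
        instr = efsa.step(ev)
        if instr:
            return [(i, instr)]  # the monitor would stop the child process here
    return []
```

A write to a descriptor other than the one recorded in `fd`, or a write after the tracked descriptor is closed, leaves the automaton outside the violating state and produces no instruction.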
Keywords/Search Tags: Model carrying code, specification and enforcement of security policies, open source JVM, process level monitoring