
Design And Implementation Of Secure Filesystem

Posted on: 2010-03-13
Degree: Master
Type: Thesis
Country: China
Candidate: C H Sun
GTID: 2178360278473784
Subject: Information security

Abstract/Summary:
Information theft refers to unauthorized disclosure of confidential data to non-trusted parties, either unintentionally or deliberately, which always leads to leakage of private information and even financial loss. Besides traditional methods for securing data such as firewalls and intrusion detection, there are two standard solutions that intend to provide high assurance against information leakage. One is the Multilevel Security System, in which data and users are assigned to one of many security levels, and data can only be accessed by a user whose security level is at least as high as the data's classification. The other is Digital Rights Management, which aims to safeguard digital intellectual property from unauthorized access. Unfortunately, in many cases the attacker has the proper authority to access the confidential data, and these methods are invalid. In this paper, we describe the design, principle, implementation and evaluation of a Secure File System (SFS), which can transparently and effectively stop information theft by insiders in most cases, even if the insiders have proper authorities to read/write the protected information. This paper will accomplish creative work in three aspects.

1: The rapid development of virtualization technology brings a new concept to information security. So I think we can use this technology to restrict the user's behavior, and the critical thing is to choose virtual machine software with high performance and security to isolate sensitive data and the user OS. When implementing the system, I consider the stability and resource occupancy of Xen0. Because I want to use a tiny and simple OS to virtualize another OS, I test many operating systems and choose a very stable combination.

2: Focus on file sharing and security enhancement for the virtual OS and network without the help of tools such as firewalls and IDS. In this paper, I reinforce the classic Linux file attributes, use the mature file sharing protocol NFS, and enhance its security.

3: When users read sensitive data, all access to the hardware that may cause information leakage will be prohibited.

The SFS is based on the virtual machine technology XEN, storing sensitive files in one virtual operating system (OS) and accessing these files from the other virtual OS. We use Linux extended attributes and POSIX kernel capabilities to enforce the standard ext2/3 filesystem attributes. We modified the ACL of the NFS server to control the access list and users' rights. Specifically, we moved the system usb-module when the sensitive files were accessed and resumed the state when the access process was over. The SFS architecture ensures that only the authorized user can read/write these files, and that users can never transfer these files to the outside world from the computer. Finally, we analyze the security of SFS, compare its performance to the native ext3 file system, and find that the performance cost is reasonable considering the security benefits.
Keywords/Search Tags:SFS, XEN, NFS