Research Design And Implementation Of Windows Access-control Enforcement Facility Framework

Posted on: 2010-01-08
Degree: Master
Type: Thesis
Country: China
Candidate: Q Li
GTID: 2178360302459676
Subject: Computer system architecture
Abstract/Summary:
Operating system security has attracted the attention of researchers since the very beginning, and how to build a secure operating system has become a hot topic of current research. Enforcing access control in the system can effectively enhance system security. The emergence of security models such as BLP, BIBA and DTE shows that the research has matured, and security modules based on these models, such as SELinux, DTE and Smack, show that the research has been put to practical use.

To support these models, each OS offers its own implementation framework. Linux provides LSM, on which SELinux, DTE, Smack, AppArmor and many other security modules are built. FreeBSD provides the TrustedBSD MAC framework, which serves the same function as LSM. Windows, however, does not support mandatory access control and lacks a generic framework that can support different access control models, which makes access control difficult to implement under Windows.

In response to these issues, this thesis presents a Windows access-control enforcement facility framework that provides a common, secure and efficient platform for the research and development of security models by offering support for multiple security modules, security labels for Windows kernel objects, and a hook set for sensitive operations. The main research work includes:

(1) Requirement analysis. We first describe the importance of security access control mechanisms and the history of access control models and access-control enforcement facility frameworks. We then summarize the requirements of a Windows access-control enforcement facility framework by studying the concept of the access control mechanism, the features of discretionary and mandatory access control, the general requirements of an access-control enforcement facility, and the demands placed on the original Windows operating system security mechanisms.

(2) Framework design. By studying the LSM and TrustedBSD MAC frameworks and the requirements of implementing access control under Windows, the thesis provides a Windows access-control enforcement facility framework for security model research. The framework can load multiple security modules and offers them kernel-level support.

(3) Realization. We designed and implemented the security label set function as well as the hook set for sensitive kernel APIs.

(4) Performance analysis. We analyzed the performance of a WAEF-based security module that hooks all system calls and loads an all-allow policy, as well as a WAEF-based MAC module implemented by the PFAC program, and analyzed the resulting data.
Keywords/Search Tags:Windows, AEF framework, Hook, Security enforcement Hook, WAEF