Research On Implementation Technology Of Enhanced Access Control For Operating System

As a core component of computer, operating system provides a unified platform for lots ofapplication services, and security itself plays an important role in evaluating the capability ofcomputer to counter against internal risks and external attacks. As Windows operating systemfamilies are popular in traditional personal computer market all over the world, a new enhancedaccess control mechanism aiming to protect information by confidentiality and integrity isproposed in this dissertation to improve the current security mechanism in Windows and toaccommodate the increasing demands for high-level assurances.The classic access control policy BLP can protect the confidentiality of information whileBiba strengthen the protection of information in integrity. It’s a good idea to combine BLP andBiba simultaneously to enhance protection capability. However, the conflict in authorizing rulesbetween BLP and Biba has drastically reduced the information availability. Therefore, the mainpurpose of this paper is to reconcile the authorizing conflicts between BLP and Biba, aiming tomeet the requirement for information availability. The dissertation‘s main contributionsincludes:(1) The significance of study on operating system security is analyzed by comparativediscussion of domestic and international research progress on operating system security, and thenecessity for research on enhanced access control mechanism is specified through requirementsby both TCSEC and actual projects.(2) Inspired by theoretical innovation of usage control model, a new enhanced accesscontrol policy, which combines BLP and Biba, is proposed to protect information byconfidentiality and integrity after analyzing the pros and cons of DAC and MAC, as well as thekey reason for the failure of a variety of hybrid access control policy.(3) To hook Native API calling sequence by replacing the entry address of functions listedin system service descriptor table, hereafter, the credit index for each process is calculatedrespectively in order to implementing label-alterable access control policy.(4) The prototype system of enhanced access control mechanism, based on file systemfilter device driver, is implemented finally. And a variety of experimental tests on functionalityand performance show that the prototype system successfully promotes the security ofoperating system at the cost of acceptable burden on target machine.Generally speaking, the label-alterable enhanced access control mechanism ensuresprotection for information in confidential, integrity and availability, and it also establishesimportant theoretical basis for future research and the development of secure operating system.