
The Research And Implementation Of Integrity-based Execution Control

Posted on: 2013-11-30
Degree: Master
Type: Thesis
Country: China
Candidate: Y F Bai
Full Text: PDF
GTID: 2268330422973923
Subject: Software engineering
Abstract/Summary:
With the development of the Internet, incidents in which systems are attacked by programs have become commonplace, and application security issues have increasingly attracted attention. Both Linux and Windows have put forward security models to address application security, such as SELinux, AppArmor and AppLocker. These achieve program control to a certain extent, but inevitably have some disadvantages. The configuration rules of SELinux are relatively cumbersome, so users cannot understand and use them quickly. Because AppArmor is path-based, the system can be attacked once a program is replaced; moreover, for programs with irregular configuration AppArmor provides practically no protection, so bugs or Trojan programs can still have their way in the system.

Once the system is attacked by such a program, the integrity of the system is destroyed. Based on the problems mentioned above, this thesis devises a security mechanism based on IBEC within the LSM framework to maintain system security.

First, we introduce the classical access control frameworks and technologies currently in use, present several security technologies for program control, and expound their advantages and disadvantages. By analyzing the security of programs, we also elaborate the drawbacks of the Linux operating system.

Secondly, we devise a security mechanism based on IBEC, which mainly includes the integrity division of subjects and objects in the system, integrity marking, the rules for integrity access control and execution control, and the access checking and design process of IBEC. During the design process, to achieve more fine-grained execution control over system resources, we introduce a new attribute for the subjects and objects of the system, namely the attached integrity class, which better ensures the security of child processes, subprograms or sub-files produced by the main system.

Thirdly, according to the design requirements, we carry out the specific implementation of IBEC. The primary tasks are: the integrity definition of subjects and objects in the system, the relevant data structures, the hook functions, loading and unloading of the IBEC security module, and the design of the IBEC security management tools.

Finally, we carried out functional and performance tests on IBEC. The functional test results show that IBEC can realize access control and execution control over subjects and objects in the system, and the performance test results indicate that IBEC has no significant influence on the overall performance of the system, which remains within acceptable limits. After testing, we analyze and summarize the security of IBEC, and then elaborate the advantages of IBEC compared with other security models.
Keywords/Search Tags: Operating System Security, Integrity, LSM Framework, Execution Control