
Research And Implementation Of Dynamic Attribute Based Mandatory Access Control On Linux Platform

Posted on: 2015-11-11  Degree: Master  Type: Thesis
Country: China  Candidate: F Xiao  Full Text: PDF
GTID: 2298330422477167  Subject: Software engineering
Abstract/Summary:
With the rapid development of information technology, especially the Internet, information security problems are becoming more and more prominent. Both personal computers and enterprise servers store large amounts of sensitive data, which bears directly on enterprise business interests and personal privacy protection. In RFC 2828, the definition of computer security is: "Measures that implement and assure security services in a computer system, particularly those that assure access control service." Broadly speaking, all computer security is related to access control. The main access control policies are Discretionary Access Control (DAC), Mandatory Access Control (MAC) and Role-Based Access Control (RBAC). DAC is flexible, but its protection of sensitive information is not strong, and its permission management is dispersed. MAC uses centralized authorization and protects information strictly; it is often used in military and government organizations. RBAC is generally used in systems with complicated logic and in Internet environments.

Linux is an open source operating system. To remain efficient and compatible with UNIX, Linux adopts DAC based on permission bits and does not support complex access control policies. In addition, ACLs and capabilities have gradually been added. The Linux Security Module (LSM) is a universal access control framework for Linux. The LSM framework itself does not enhance system security, but it provides a module programming mechanism that allows a security policy to be loaded into the kernel in the form of a module.

This paper studies the Linux access control mechanism and the LSM framework, analyzes their shortcomings, proposes a new access control strategy based on dynamic properties, and implements a security module on the Linux platform. This module enforces access control based on the system's dynamic attributes and the limited conditions of files. Functional and performance testing show that the module achieves the expected design goals and provides richer and more flexible access control for the system.
Keywords/Search Tags: Access Control, Linux, Security Modules, LSM, Dynamic Attribute