
The Design And Implementation Of An Object Management System Based On Access Control

Posted on: 2016-11-06
Degree: Master
Type: Thesis
Country: China
Candidate: J Liu
GTID: 2298330467492044
Subject: Electronics and Communications Engineering

Abstract/Summary:
With the high-speed development of the information society, the Internet has become an indispensable part of real life. Although people can enjoy convenient and rapid communication with each other, the problem of network security has attracted more and more attention. To achieve access control, we need to design some security strategies to guarantee that unauthorized users can only access specified network resources. If some kinds of routers are available, we can take advantage of their access control lists to realize the function of a firewall, selectively allow data packets to pass the routers, and thus protect the network in a simple and efficient way.

In this paper, we design and implement an object management system, which can be used by the inter-domain policy and access control lists to effectively realize the protection of network security. Specifically, we define an address object group for the set of IP addresses to be configured by users, an IPv6 address object group, a service object group and a port object group. These object groups can be used in the inter-domain policy as the condition of message matching. When there are many decentralized rules, this method reduces the order of magnitude from that of a multiplication to that of an addition, and thus improves the processing speed. Meanwhile, we make the matching between these object groups and the cores under them through a red-black tree, which effectively reduces the time of matching.

The main contributions of this paper can be summarized as:
(1) We review some principles used in the system, such as access control and socket communication;
(2) We design and implement some fundamental functions for object groups and objects;
(3) We design and implement the matching of object groups and objects in the cores.

The author participated in the design and implementation of the core part of the object management system, including the command line module in user mode, its communication with the daemon process, the communication between user mode and kernel mode, and the specific matching algorithms in kernel mode. In addition, in the unit testing phase, the author was in charge of the matching part of the kernel, and in the system testing phase, she tested all the functions of the system, debugged and analyzed the encountered problems through GDB, and solved these problems.
Keywords/Search Tags: Access Control Lists, Object Management System, Socket communication, red-black tree, interval tree
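
The multiplication-to-addition claim in the abstract, as an added example that is not code from the thesis: one policy that references three object groups replaces the cross product of flat ACL rules, and each group is matched by an ordered lookup. The group names, addresses and ports are constructed, and a binary search over sorted ranges stands in here for the red-black tree the abstract mentions.

```python
import bisect
import ipaddress
import math

class ObjectGroup:
    """Named set of inclusive integer ranges (addresses or ports)."""
    def __init__(self, name, ranges):
        self.name = name
        self.members = len(ranges)          # entries the administrator configures
        merged = []
        for lo, hi in sorted(ranges):       # merge overlapping/adjacent ranges
            if merged and lo <= merged[-1][1] + 1:
                merged[-1][1] = max(merged[-1][1], hi)
            else:
                merged.append([lo, hi])
        self.starts = [lo for lo, _ in merged]
        self.ends = [hi for _, hi in merged]

    def contains(self, value):
        # O(log n) lookup over disjoint sorted ranges (assumption: stand-in
        # for the tree-based kernel matching described in the abstract).
        i = bisect.bisect_right(self.starts, value) - 1
        return i >= 0 and value <= self.ends[i]

def net(cidr):
    n = ipaddress.ip_network(cidr)
    return int(n.network_address), int(n.broadcast_address)

def addr(ip):
    return int(ipaddress.ip_address(ip))

# Constructed sample objects for one inter-domain policy.
SRC = ObjectGroup("branch-offices",
                  [net("10.1.0.0/16"), net("10.2.0.0/16"), net("192.168.10.0/24")])
DST = ObjectGroup("db-servers", [net("172.16.5.0/28"), net("172.16.9.10/32")])
PORTS = ObjectGroup("db-ports", [(1433, 1433), (3306, 3306), (5432, 5433)])

def flat_rule_count(*groups):
    # Without groups: one ACL rule per (source, destination, port) combination.
    return math.prod(g.members for g in groups)

def grouped_entry_count(*groups):
    # With groups: one policy, and each member is configured once.
    return sum(g.members for g in groups)

def permits(src, dst, port):
    # The policy matches only if every referenced group matches the packet.
    return (SRC.contains(addr(src)) and DST.contains(addr(dst))
            and PORTS.contains(port))
```

With these sample groups the flat rule set needs 18 entries while the grouped form needs 8, and the gap widens as members are added to any group.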