
The Research And Implementation Of System Integrity Authentication Technology Based On The Embedded Linux

Posted on: 2017-02-16
Degree: Master
Type: Thesis
Country: China
Candidate: L Lei
Full Text: PDF
GTID: 2308330485486450
Subject: Software engineering
Abstract/Summary:
As Internet technology develops, embedded devices, represented by wearable products and smartphones, exert a far-reaching influence worldwide. These devices are also widely applied in many other areas, which makes the security of embedded systems increasingly important. However, many system security techniques cover only the application layer and fail to provide strong protection and verification for the system itself. For instance, system replacement, malicious code and excessive root privilege are common occurrences. Establishing a bottom-to-top security protection scheme is therefore extremely urgent.

Starting from integrity, the most fundamental element of security, and combining Trusted Computing, integrity authentication and Mandatory Access Control technologies, this thesis protects and checks the integrity and security of the system from three aspects: trusted boot, Mandatory Access Control, and integrity checking of files and application programs. Together these complete the integrity authentication of the system.

Trusted boot: using the TCG principles for establishing a root of trust and a chain of trust, together with a digital signature algorithm (the combination of a hash and an asymmetric cryptographic algorithm), it solves the problem that a practical embedded system has no Trusted Platform Module to guarantee the integrity and authentication of system start-up.

Mandatory Access Control: it implements security enhancement of embedded Linux by means of the SELinux security module, then splits the traditional root user into system administrator, security administrator and audit administrator, achieving separation of privilege, a mechanism separating the three management roles, and a security policy.

Integrity check of data and application programs: the integrity check is completed by rechecking the hash in the Linux kernel against the standard value (the hash) stored intact in the extended attribute of the file system; during this process, the file's standard value is protected by SELinux.

The experimental results indicate that trusted boot accomplished integrity authentication of Linux system start-up, and that SELinux implemented fine-grained access control over system resources, preventing key modules and vital data from being tampered with and preserving the integrity of the system. Meanwhile, the integrity check of files and application programs further enhanced the integrity of the system and finally verified it, creating a trusted execution environment for users while keeping performance acceptable to them.
Keywords/Search Tags:Linux, trusted boot, SELinux, integrity