
Research And Design Of Security Enhancement Mechanism For Container Based Desktop System

Posted on: 2018-05-22
Degree: Master
Type: Thesis
Country: China
Candidate: J C Zhang
Full Text: PDF
GTID: 2348330563951260
Subject: Control Science and Engineering
Abstract/Summary:
Informatization, a new form of productivity and a new direction of development represented by computer-based intelligent tools, has become the leading force driving innovation and transformation. The desktop operating system is one of the most important pieces of basic software supporting informatization. Almost all information is processed and managed through it, so it has access to all of a user's information in virtual space as well as the real-world information mapped into that virtual space. At the same time, its users are numerous and spread across government, the military and enterprises, so if its security cannot be guaranteed, the threat extends beyond users' privacy and property to national security in cyberspace. It is therefore of great value and significance to study the security of desktop operating systems. This paper focuses on security mechanisms for desktop systems, and its work is summarized as follows:

1. A container-based desktop system security enhancement mechanism, CellPlatform, is proposed. CellPlatform enhances desktop system security at both the operating system platform and the application platform, and consists of CellOS, a multi-domain isolation security architecture, and CellStore, an enhanced application-aware desktop application repository. CellOS uses lightweight container virtualization to strengthen isolation between applications, and streamlines system components to reduce the system's attack surface. CellStore provides unified mechanisms for publishing, storing and managing application images, ensuring that image sources are trustworthy and that the integrity and confidentiality of application images are maintained throughout their life cycle.

2. A Multi-domain Security Model based on First Access (MISMBFA) is proposed. MISMBFA draws on the ideas and theory of the DTE model, the multilevel security model and the Chinese Wall model. It combines the business attributes of subjects and objects, the security attributes of objects, and the access behavior of subjects toward objects to implement traffic isolation and multilevel secure access control while preserving the usability of the model. Based on the Linux security framework LSM, the CellOS access control module (CellController) is designed, which further strengthens isolation between application containers and prevents file data from being leaked illegally or unintentionally.

3. A privacy and integrity protection mechanism for desktop applications is proposed. To meet the privacy requirements of private desktop application images, an image component encryption scheme is designed to protect the user data files and configuration information contained in a desktop application image. An image transmission protocol is also designed to ensure the integrity and availability of desktop application images across the whole life cycle of publishing and downloading, preventing maliciously tampered images from threatening desktop security.

4. To verify the effectiveness of the CellPlatform-based desktop system security architecture, a prototype of CellPlatform is implemented on XUbuntu 16.04 and the Docker 1.0 container system, and its security and performance are analyzed. The results show that the security of CellOS is greatly improved relative to XUbuntu with almost no loss in system performance, but CellOS desktop application images occupy more storage space than XUbuntu's.
Keywords/Search Tags:Desktop operating system, Docker, Image, Security mechanism, Security model, Access control