Research On The Optmization Technologies In TrustZone-based AppArmor Security Policy Management

Operating system security is the basis for the legal and efficient use of software and hardware resources in computing systems.As the critical security mechanism of the operating system,Mandatory Access Control(MAC)systems such as AppArmor and SELinux protect the system security by restricting the subject’s access rights or the ability of accessing data resources in the system.The security policy is the key basis to restrict the subject’s behaviors and authority arbitration in MAC system,which is essential to system security.However,there are many problems in the management of security policy in MAC mechanism,such as complex security policy configuration,high professional requirements,high security requirements,and the unadaptable to dynamic scenarios like Docker.Firstly,since the generation and configuration of security policy rely on specific user-mode applications,its security relies on the security of the kernel.Once the kernel is compromised,the generation and configuration are easily monitored,hijacked or tampered by attackers.Secondly,the users cannot always predict the changes of the operating system environment and configure the security policy accordingly in advance.Usually,the security policy is updated after access failures,which results in a long cycle of generation and deployment with low efficiency and low automation.Therefore,security policy management needs to solve the problem of dynamic update in dynamic changing scenarios.Finally,the support provided by AppArmor for cloud computing environment is weak.Security policy cannot be migrated with the container during migration,which affects the efficiency of the container deployment and the continuity of the protection.In practice,these problems greatly limit the effect of the MAC mechanism.It is urgent to study the automatic security policy generation and management technology to meet the security requirements of different application scenarios.To solve the problems above,this thesis introduces TrustZone technology that owns hardware protection capabilities proposed by ARM.Starting from security improvement of security policy management,dynamic update of security policy and security policy consistency in cloud computing scenarios,the research on the optmization technologies in TrustZone-based AppArmor security policy management is proposed with the goal of security,automation and availability.Firstly,a TrustZone-based AppArmor security policy automated management framework is proposed to solve the security issues during the generation and management of security policy.By using the hardware isolation mechanism of TrustZone,the security policy automated generating module is developed into a trusted application in the TEE and placed in Secure World,which not only protects the security policy configuration from being monitored,hijacked or tampered,but also improves the security of security policy management.Secondly,the current security policy management does not support dynamic update,which affects the continuously security protection.On the foundation of the TrustZone-based AppArmor security policy automated management framework,a TrustZone-based AppArmor security policy dynamic update approach is further proposed.This approach further improves the security and automation of security policy management.Finally,to solve the problems of security policy consistency and continuously security protection during Docker migration,a security policy consistency protocol for Docker migration is proposed.With the help of this protocol,the security policy of the Docker container is safely transmitted to the new node and deployed automatically.And a localized adjustment method for security policy is also proposed to adapt to the variation of the environment.By the protocol,the migrated container can be more quickly deployed and run,which improves the security and availability of Docker.The study in the thesis has improved the security,automation and continuously security protection of AppArmor security policy management,and strengthened its applicability to the cloud computing environment.