CN100498816C - Reference monitor implementing method of high safety grade operating system - Google Patents

Reference monitor implementing method of high safety grade operating system

Info

Publication number
CN100498816C
Authority
CN
China
Prior art keywords
message
access control
server
object manager
reference monitor
Prior art date
Legal status
Expired - Fee Related
Application number
CNB2007101900021A
Other languages
Chinese (zh)
Other versions
CN101174293A (en)
Inventor
曾庆凯
王友荣
黄达明
Current Assignee
Nanjing University
Original Assignee
Nanjing University
Priority date
Filing date
Publication date

Abstract

The invention relates to a method for implementing the reference monitor of a high-security-level operating system. It comprises: (1) the structure of the reference monitor; (2) the implementation of microkernel IPC communication control; (3) the startup procedure of the security services the reference monitor requires. The reference monitor is built on a security-enhanced microkernel; all service programs and user applications run outside the kernel, and inter-process communication (IPC) is the only way for an application to obtain services or access resources and the only way servers interact with each other. By using the reference monitor structure to constrain how users communicate and obtain system services, the invention enforces the security policy checks of access control so that the validation mechanism cannot be bypassed, guarantees that the reference monitor effectively governs the use and protection of system resources, and thereby improves the security and serviceability of the system. The invention meets the security requirements of high-level operating systems.

Description

A reference monitor implementation method for a high-security-level operating system
Technical field
The present invention relates to the security kernel of high-security-level operating systems, and in particular to a non-bypassable reference monitor implementation method.
Background technology
A secure operating system is the foundation of the security of the whole information system. The general goal of a secure operating system is to provide the strongest possible access control and audit mechanisms, to mediate between application programs and the system's hardware and software resources in accordance with the security policy, and to restrict illegal access. A non-bypassable reference monitor is an important guarantee for a secure operating system; it can be used in information systems in key areas such as government, military affairs and national defence, and improves the supportability of important information systems.
Conventional operating systems are mostly designed and implemented from functional and performance requirements and are hardened afterwards by adding security-related functional modules. In fact, security is not the simple superposition of security functions, and this approach cannot guarantee that the reference validation mechanism is never bypassed. A high-security-level operating system must take security requirements fully into account from the start of its design and ensure system security through a rigorously designed security architecture. Accordingly, the present invention provides a simple and effective reference monitor whose reference validation mechanism is always active and cannot be bypassed, so as to guarantee correct enforcement of the security policy.
Summary of the invention
The present invention is aimed primarily at high-security-level operating systems, and especially at the requirements placed on the security kernel by level four and above of GB17859-1999, "Classified criteria for security protection of computer information systems". It provides a reference monitor implementation method that performs non-bypassable supervision and arbitration of all accesses between subjects and objects, and stores security-relevant events in the audit file.
To achieve the object of the invention, a non-bypassable reference monitor implementation method is provided. The reference monitor implementation method for a high-security-level operating system comprises:
(1) Reference monitor structure. The reference monitor is built on a security-enhanced microkernel. All service programs and user applications reside outside the kernel, and inter-process communication (IPC) is the only way for applications to obtain services and access resources and the only way servers interact with each other. By enhancing the microkernel's IPC service, introducing an enforcer that controls and checks IPC communication, and cooperating with the security server and the object manager to enforce the security policy, a non-bypassable reference monitor is realized: 1) a monitoring-domain field is added to each process's address space and is set either to null or to a reference to an arbiter; if it is null, the process's IPC is not monitored, otherwise the process's IPC is redirected to the arbiter, which performs monitoring and control; 2) a "real source" field is added to the message format, which the kernel fills in when the message is initialized; no matter how many times the message is redirected, only the original sender field of the message changes, while the "real source" field stays unchanged and holds the original sender.
(2) Implementation of microkernel IPC communication control. Step 20 is the start. Step 21: the sending process generates a message, and the kernel sets the message's real source to the sending process. Step 22: check whether the monitoring-domain field of the process currently holding the message is null; if it is null, go to step 25, otherwise go to step 23. Step 23: the monitoring-domain field of the process currently holding the message names a service process, so the message is sent to that monitoring-domain process. Step 24: the monitoring-domain process receives the message, and the procedure returns to step 22 to check the monitoring-domain field again. Step 25: the monitoring-domain field of the process currently holding the message is null, so communication may proceed directly and the message is sent to the real destination process. Step 26: report whether the send succeeded, according to the message's real-source field. Step 27 is the end state.
(3) Startup procedure of the security services the reference monitor requires. Step 31: first load the secure microkernel; the kernel provides the service mechanisms that all subsequent services need, including the enhanced IPC communication service that the reference monitor's non-bypassability requires. Step 32: load the secure storage server. Step 33: load the server loader. Step 34: the server loader verifies and starts the audit server; once the audit server is loaded, security-relevant events in the system are recorded. Step 35: the server loader verifies and starts the enforcer. Step 36: the server loader verifies and starts the security server, which loads the corresponding security policy and provides decision service to the object manager. Step 37: the server loader verifies and starts the object manager, which implements the corresponding access control requests according to the security server's decisions. Step 38: the server loader verifies and starts the authentication server, which authenticates the identity of subjects in access control. Step 39: the other operating system modules are started afterwards.
(4) Implementation procedure of one access control in the reference monitor. Step 40 is the start. Step 41: a user process sends an access control request to the object manager. Step 42: the kernel's IPC mechanism redirects the user process's access control request to the enforcer. Step 43: the enforcer hands the user's access control request to the object manager and, according to prior configuration, may at the same time write a corresponding audit record. Step 44: the object manager generates an access control message from the user process's request. Step 45: the object manager submits the access control message to the security server; because the object manager and the security server are both trusted servers, the message is sent directly without passing through the enforcer. Step 46: the security server receives the object manager's access control message, queries the security policy database and decides on the access to be performed. Step 47: the security server returns the decision to the object manager; this decision information is sent directly, not through the enforcer. Step 48: the object manager examines the security server's decision; if the access control request is granted, go to step 49, otherwise go to step 4a. Step 49: the object manager implements the access control request submitted by the user. Step 4a: the object manager refuses to implement the access control request submitted by the user. Step 4b: the object manager returns the result of implementing the access control request to the user process. Step 4c: the kernel's IPC mechanism redirects the result message to the enforcer. Step 4d: the enforcer passes the result message to the user process and, according to prior configuration, writes a corresponding audit record at the same time. Step 4e is the end state.
The beneficial effects of the invention are: by restricting, through the reference monitor structure, how users communicate and obtain system services, the security policy checks of access control are enforced and the validation mechanism cannot be bypassed; the reference monitor's effectiveness in governing the use and protection of system resources is guaranteed; and the security and serviceability of the system are thereby improved, satisfying the security requirements of high-level operating systems.
Description of drawings
Fig. 1 Schematic diagram of the reference monitor structure
Fig. 2 Implementation of IPC communication control
Fig. 3 Flow chart of security service startup
Fig. 4 Access control implementation flow chart
Embodiment
As shown in Fig. 1, in the reference monitor structure of the present invention the security services are interrelated and together realize non-bypassable arbitration and supervision of access control. The design purpose and function of each service are as follows. A user process submits access control requests to the object manager and receives the object manager's result of implementing the access control. The authentication server verifies the identity of the subject that a user process represents. The server loader performs an integrity check on each important security server and then starts it in a secure and trusted manner; it is also responsible for configuring and managing the trusted servers. The enforcer has the ability to control all requests sent to servers: it can intercept every user request and thereby realize complete checking, and it is the foundation of the access control subsystem (comprising the object manager and the security server) and of the audit subsystem. The object manager receives all subject-to-object access requests, queries the security server, carries out the concrete security policy according to the security server's decision, and adjudicates the access request. The security server decides on the requests submitted by the object manager according to the currently loaded security policy and returns the decision to the object manager, so that the object manager can carry out the relevant security policy. The audit server manages the audit protocol and the audit log; the enforcer and the object manager can supply audit information of differing granularity. The secure storage server provides safe and reliable storage for the security server's policy data and the audit log data using a special file system. The security-enhanced microkernel modifies the inter-process communication primitives so that all communication of untrusted processes is redirected to the enforcer; because in a microkernel system IPC is the only way for an application to obtain services and access resources, no user request can bypass the enforcer.
Fig. 2 shows the implementation flow of IPC communication control. IPC communication control is implemented by redirecting IPC messages, and the key points of the improvement are: (1) a monitoring-domain field is added to each process's address space and can be set to null or to a reference to an arbiter; if it is null, the process's IPC is not monitored, otherwise the process's IPC is redirected to the arbiter, which performs monitoring and control; (2) a "real source" field is added to the message format, and the kernel fills it in when the message is initialized; however many times the message is redirected, only the original sender field of the message changes, while the "real source" field remains unchanged and holds the original sender. Step 20 is the start. Step 21: the sending process generates a message, and the kernel sets the message's real source to the sending process. Step 22: check whether the monitoring-domain field of the process currently holding the message is null; if it is null, go to step 25, otherwise go to step 23. Step 23: the monitoring-domain field of the process currently holding the message names a service process, so the message is sent to that monitoring-domain process. Step 24: the monitoring-domain process receives the message, and the procedure returns to step 22 to check the monitoring-domain field again. Step 25: the monitoring-domain field of the process currently holding the message is null, so communication may proceed directly and the message is sent to the real destination process. Step 26: report whether the send succeeded, according to the message's real-source field. Step 27 is the end state.
Fig. 3 shows the startup procedure of the reference monitor's security services. Step 31: first load the secure microkernel; the kernel provides the service mechanisms that all subsequent services need, including the enhanced IPC communication service that the reference monitor's non-bypassability requires in the present invention. Step 32: load the secure storage server (some infrastructure services, such as the name server and I/O drivers, must be loaded before this; the description here concentrates on loading the components of the reference monitor), because it is the basis on which the audit server works. Step 33: load the server loader, which verifies and then loads the remaining security services of the reference monitor, guaranteeing that the security services started are trustworthy. Step 34: the server loader verifies and starts the audit server; once the audit server is loaded, security-relevant events in the system can be recorded. Step 35: the server loader verifies and starts the enforcer; this is the key service that guarantees access control cannot be bypassed, and its effectiveness is guaranteed by the kernel's enhanced IPC communication. Step 36: the server loader verifies and starts the security server, which loads the corresponding security policy and provides decision service to the object manager. Step 37: the server loader verifies and starts the object manager (there may be more than one); object managers serve all subject-to-object access requests and implement the corresponding access control requests according to the security server's decisions. Step 38: the server loader verifies and starts the authentication server, which authenticates the identity of subjects in access control. Step 39: the other operating system modules are started afterwards.
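The startup order above is the part of the design most easily checked in code: every service is verified before it is started, the audit server comes up first so that each later start is logged, and nothing after a failed check is started. The following C program is an added example, not code from the patent or from Nanjing University's implementation. It assumes a server loader that holds reference hashes for the service images; the images are constructed strings and the check is an FNV-1a hash, both stand-ins for whatever binary and integrity check the real server loader uses. It walks steps 34 to 38 in order and halts at the first failure.

```c
/* Added example (not the patent's code): a server loader that verifies each
 * reference-monitor service before starting it, in the order of Fig. 3, and
 * halts the boot at the first integrity failure. */
#include <stdint.h>
#include <stdio.h>

enum { SVC_AUDIT, SVC_ENFORCER, SVC_SECURITY, SVC_OBJMGR, SVC_AUTH, SVC_COUNT };

typedef struct {
    const char *name;
    const char *image;     /* constructed stand-in for the service binary */
    int started;
} service_t;

/* Steps 34-38, in order: audit first so every later start is logged, then
 * the enforcer, the security server, the object manager, the auth server. */
static service_t services[SVC_COUNT] = {
    { "audit server",          "audit-server-v1",    0 },
    { "enforcer",              "enforcer-v1",        0 },
    { "security server",       "security-server-v1", 0 },
    { "object manager",        "object-manager-v1",  0 },
    { "authentication server", "auth-server-v1",     0 },
};
static uint32_t trusted_hash[SVC_COUNT];   /* reference values held by the loader */

/* FNV-1a over the image bytes; stands in for the loader's integrity check. */
static uint32_t fnv1a(const char *p) {
    uint32_t h = 2166136261u;
    for (; *p; p++) { h ^= (unsigned char)*p; h *= 16777619u; }
    return h;
}

/* Simulates provisioning: record the hashes of the known-good images. */
void record_trusted_hashes(void) {
    for (int i = 0; i < SVC_COUNT; i++) trusted_hash[i] = fnv1a(services[i].image);
}

void reset_services(void) {
    for (int i = 0; i < SVC_COUNT; i++) services[i].started = 0;
}

/* Simulates an image being altered on disk before the next boot. */
void replace_image(int idx, const char *image) { services[idx].image = image; }

int is_started(int idx) { return services[idx].started; }

/* Verify, then start, one service. Returns 1 on success, 0 on failure. */
static int verify_and_start(int idx) {
    if (fnv1a(services[idx].image) != trusted_hash[idx]) {
        printf("loader: %s failed integrity check, boot halted\n", services[idx].name);
        return 0;
    }
    services[idx].started = 1;
    /* Step 34: once the audit server is up, later starts are recorded. */
    if (services[SVC_AUDIT].started)
        printf("audit: started %s\n", services[idx].name);
    return 1;
}

/* Steps 34-38. Returns how many services were started before the first
 * failure; SVC_COUNT means the reference monitor came up completely. */
int boot_reference_monitor(void) {
    int started = 0;
    for (int i = 0; i < SVC_COUNT; i++) {
        if (!verify_and_start(i)) break;
        started++;
    }
    return started;
}

int main(void) {
    record_trusted_hashes();
    printf("clean boot started %d services\n", boot_reference_monitor());
    reset_services();
    replace_image(SVC_ENFORCER, "enforcer-modified");
    printf("tampered boot started %d services\n", boot_reference_monitor());
    return 0;
}
```

With an unmodified image set all five services start; once the enforcer image is altered the loader stops after the audit server, so the security server, object manager and authentication server never run on an unverified base.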
Fig. 4 shows the implementation procedure of one access control in the reference monitor. Step 40 is the start. Step 41: a user process sends an access control request to the object manager. Step 42: the kernel's IPC mechanism redirects the user process's access control request to the enforcer. Step 43: the enforcer hands the user's access control request to the object manager and, according to prior configuration, may at the same time write a corresponding audit record. Step 44: the object manager generates an access control message from the user process's request. Step 45: the object manager submits the access control message to the security server; because the object manager and the security server are both trusted servers, the message is sent directly without passing through the enforcer. Step 46: the security server receives the object manager's access control message, queries the security policy database and decides on the access to be performed. Step 47: the security server returns the decision to the object manager; this decision information is sent directly, not through the enforcer. Step 48: the object manager examines the security server's decision; if the access control request is granted, go to step 49, otherwise go to step 4a. Step 49: the object manager implements the access control request submitted by the user. Step 4a: the object manager refuses to implement the access control request submitted by the user. Step 4b: the object manager returns the result of implementing the access control request to the user process. Step 4c: the kernel's IPC mechanism redirects the result message to the enforcer. Step 4d: the enforcer passes the result message to the user process and, according to prior configuration, writes a corresponding audit record at the same time. Step 4e is the end state.
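The IPC rule of Fig. 2 and the access-control exchange of Fig. 4 rest on the same machinery, so the following C program, an added example and not code from the patent, simulates both in user space: a process table carrying the monitoring-domain field, a message carrying the sender and real-source fields, the kernel's redirection loop (steps 21 to 26), an enforcer that writes an audit record for each message it relays (steps 43 and 4d), and an object manager that consults a constructed policy table standing in for the security server's policy database (step 46). One point the text leaves open is how the result message of step 4c is redirected when the object manager, a trusted process, has a null monitoring-domain field; the example assumes that a message addressed to a monitored process is also routed through that process's monitoring domain, and marks the assumption in the code. Process names, the policy entries and the message format are all constructed.

```c
/* Added example (not the patent's code): user-space simulation of the
 * monitoring-domain redirection of Fig. 2 and the access-control exchange
 * of Fig. 4. Process table and policy database are constructed. */
#include <stdio.h>
#include <string.h>

enum { P_USER, P_ENFORCER, P_OBJMGR, P_SECSRV, P_COUNT };
enum { NO_DOMAIN = -1, MAX_HOPS = 8, MAX_AUDIT = 16 };

/* Each process carries a monitoring-domain field: null or an arbiter's id. */
typedef struct { const char *name; int monitor_domain; } process_t;
/* sender is rewritten on every redirection; real_source is set once by the kernel. */
typedef struct { int sender, real_source, dest; char body[64]; } msg_t;

/* Constructed process table: only the user process is monitored. */
static process_t procs[P_COUNT] = {
    { "user", P_ENFORCER }, { "enforcer", NO_DOMAIN },
    { "object manager", NO_DOMAIN }, { "security server", NO_DOMAIN },
};
static char audit_log[MAX_AUDIT][96];
static int audit_count;
static int last_path[MAX_HOPS], last_hops;   /* receivers of the last send, in order */

/* Steps 43 and 4d: the enforcer logs what it relays, keyed by the real-source
 * field, so a redirected message cannot disguise its origin. */
static void enforcer_audit(const msg_t *m) {
    if (audit_count < MAX_AUDIT)
        snprintf(audit_log[audit_count++], 96, "%s -> %s: %s",
                 procs[m->real_source].name, procs[m->dest].name, m->body);
}

/* Steps 21-26 of Fig. 2. Returns the number of deliveries (the real
 * destination is last) or -1 if the redirection chain does not terminate. */
static int kernel_send(msg_t *m) {
    int holder = m->sender;
    m->real_source = m->sender;                            /* step 21 */
    last_hops = 0;
    while (last_hops < MAX_HOPS - 1) {
        int via = procs[holder].monitor_domain;            /* step 22 */
        /* Assumption, not stated in the patent: a message addressed to a
         * monitored process also passes through that process's monitoring
         * domain; this is how the result message of step 4c reaches the enforcer. */
        if (via == NO_DOMAIN && holder != procs[m->dest].monitor_domain)
            via = procs[m->dest].monitor_domain;
        if (via == NO_DOMAIN) {                            /* step 25 */
            last_path[last_hops++] = m->dest;
            return last_hops;
        }
        last_path[last_hops++] = via;                      /* steps 23-24 */
        m->sender = via;                   /* only the sender field changes */
        if (via == P_ENFORCER) enforcer_audit(m);
        holder = via;
    }
    return -1;
}

typedef struct { const char *subject, *object, *op; int allow; } rule_t;
/* Constructed policy database queried in step 46; anything unlisted is denied. */
static const rule_t policy[] = {
    { "user", "/doc/public", "read", 1 }, { "user", "/doc/secret", "read", 0 },
};

static int security_server_decide(const char *body) {
    char s[16], o[32], op[8];
    if (sscanf(body, "%15s %31s %7s", s, o, op) != 3) return 0;
    for (size_t i = 0; i < sizeof policy / sizeof policy[0]; i++)
        if (!strcmp(policy[i].subject, s) && !strcmp(policy[i].object, o) &&
            !strcmp(policy[i].op, op))
            return policy[i].allow;
    return 0;
}

/* Fig. 4, steps 41-4e, for one request from the user process. Returns 1 if
 * the object manager implemented the request and 0 if it refused. */
int request_access(const char *object, const char *op) {
    msg_t req = { P_USER, -1, P_OBJMGR, "" };             /* steps 41-43 */
    snprintf(req.body, sizeof req.body, "user %s %s", object, op);
    kernel_send(&req);                                     /* via the enforcer */
    msg_t query = { P_OBJMGR, -1, P_SECSRV, "" };          /* steps 44-45 */
    snprintf(query.body, sizeof query.body, "%s", req.body);
    kernel_send(&query);                                   /* direct: both trusted */
    int allow = security_server_decide(query.body);        /* steps 46-47 */
    msg_t result = { P_OBJMGR, -1, P_USER, "" };           /* steps 48-4d */
    snprintf(result.body, sizeof result.body, "%s %s %s",
             allow ? "granted" : "refused", op, object);
    kernel_send(&result);                                  /* via the enforcer again */
    return allow;
}

/* Probes: route length of one send and the i-th receiver on that route. */
int route_length(int from, int to) {
    msg_t m = { from, -1, to, "probe" };
    return kernel_send(&m);
}
int route_hop(int i) { return last_path[i]; }
int audit_entries(void) { return audit_count; }
void reset_audit(void) { audit_count = 0; }

int main(void) {
    request_access("/doc/public", "read");
    request_access("/doc/secret", "read");
    for (int i = 0; i < audit_count; i++) printf("audit: %s\n", audit_log[i]);
    return 0;
}
```

Running it prints the enforcer's audit log. Each request produces two entries, one for the request and one for the result, and both name the user process as the real source even though the sender field had already been rewritten to the enforcer by the time the object manager received the message; the object manager's own query to the security server produces no entry because neither trusted process has a monitoring domain.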

Claims (1)

1. A reference monitor implementation method for a high-security-level operating system, characterized in that:
(1) Reference monitor structure. The reference monitor is built on a security-enhanced microkernel. All service programs and user applications reside outside the kernel, and inter-process communication (IPC) is the only way for applications to obtain services and access resources and the only way servers interact with each other. By enhancing the microkernel's IPC service, introducing an enforcer that controls and checks IPC communication, and cooperating with the security server and the object manager to enforce the security policy, a non-bypassable reference monitor is realized: 1) a monitoring-domain field is added to each process's address space and is set either to null or to a reference to an arbiter; if it is null, the process's IPC is not monitored, otherwise the process's IPC is redirected to the arbiter, which performs monitoring and control; 2) a "real source" field is added to the message format, which the microkernel fills in when the message is initialized; no matter how many times the message is redirected, only the original sender field of the message changes, while the "real source" field stays unchanged and holds the original sender;
(2) Implementation of microkernel IPC communication control. Step 20 is the start. Step 21: the sending process generates a message, and the microkernel sets the message's real source to the sending process. Step 22: check whether the monitoring-domain field of the process currently holding the message is null; if it is null, go to step 25, otherwise go to step 23. Step 23: the monitoring-domain field of the process currently holding the message names a service process, so the message is sent to that monitoring-domain process. Step 24: the monitoring-domain process receives the message, and the procedure returns to step 22 to check the monitoring-domain field again. Step 25: the monitoring-domain field of the process currently holding the message is null, so communication may proceed directly and the message is sent to the real destination process. Step 26: report whether the send succeeded, according to the message's real-source field. Step 27 is the end state;
(3) Startup procedure of the security services the reference monitor requires. Step 31: first load the security-enhanced microkernel; the microkernel provides the service mechanisms that all subsequent services need, including the enhanced IPC communication service that the reference monitor's non-bypassability requires. Step 32: load the secure storage server. Step 33: load the server loader. Step 34: the server loader verifies and starts the audit server; once the audit server is loaded, security-relevant events in the system are recorded. Step 35: the server loader verifies and starts the enforcer. Step 36: the server loader verifies and starts the security server, which loads the corresponding security policy and provides decision service to the object manager. Step 37: the server loader verifies and starts the object manager, which implements the corresponding access control requests according to the security server's decisions. Step 38: the server loader verifies and starts the authentication server, which authenticates the identity of subjects in access control. Step 39: the other operating system modules are started afterwards;
(4) Implementation procedure of one access control in the reference monitor. Step 40 is the start. Step 41: a user process sends an access control request to the object manager. Step 42: the microkernel's IPC mechanism redirects the user process's access control request to the enforcer. Step 43: the enforcer hands the user's access control request to the object manager and, according to prior configuration, may at the same time write a corresponding audit record. Step 44: the object manager generates an access control message from the user process's request. Step 45: the object manager submits the access control message to the security server; because the object manager and the security server are both trusted servers, the message is sent directly without passing through the enforcer. Step 46: the security server receives the object manager's access control message, queries the security policy database and decides on the access to be performed. Step 47: the security server returns the decision to the object manager; this decision is sent directly, not through the enforcer. Step 48: the object manager examines the security server's decision; if the access control request is granted, go to step 49, otherwise go to step 4a. Step 4a: the object manager refuses to implement the access control request submitted by the user and goes to step 4b. Step 49: the object manager implements the access control request submitted by the user. Step 4b: the object manager returns the result of implementing the access control request to the user process. Step 4c: the microkernel's IPC mechanism redirects the result message to the enforcer. Step 4d: the enforcer passes the result message to the user process and, according to prior configuration, writes a corresponding audit record at the same time.
Step 4e is the end state.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB2007101900021A CN100498816C (en) 2007-11-19 2007-11-19 Reference monitor implementing method of high safety grade operating system


Publications (2)

Publication Number Publication Date
CN101174293A CN101174293A (en) 2008-05-07
CN100498816C true CN100498816C (en) 2009-06-10

Family

ID=39422801


Country Status (1)

Country Link
CN (1) CN100498816C (en)

Families Citing this family (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9588803B2 (en) 2009-05-11 2017-03-07 Microsoft Technology Licensing, Llc Executing native-code applications in a browser
US9323921B2 (en) * 2010-07-13 2016-04-26 Microsoft Technology Licensing, Llc Ultra-low cost sandboxing for application appliances
US9495183B2 (en) 2011-05-16 2016-11-15 Microsoft Technology Licensing, Llc Instruction set emulation for guest operating systems
US9389933B2 (en) * 2011-12-12 2016-07-12 Microsoft Technology Licensing, Llc Facilitating system service request interactions for hardware-protected applications
US9413538B2 (en) 2011-12-12 2016-08-09 Microsoft Technology Licensing, Llc Cryptographic certification of secure hosted execution environments
CN103620606B (en) * 2013-06-20 2017-10-10 华为技术有限公司 Store detection means, system and storage detection method
CN111596962B (en) * 2019-02-20 2023-05-30 中标软件有限公司 Real-time microkernel system based on high-speed protocol channel and initialization method thereof
CN111125793B (en) * 2019-12-23 2022-03-11 北京工业大学 Trusted verification method and system for object memory in access control
CN114697162A (en) * 2022-03-26 2022-07-01 浪潮云信息技术股份公司 Method and system for realizing gateway of Internet of things based on microkernel architecture

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
操作系统安全增强技术研究进展 (Research progress in operating system security enhancement technologies). 訾小超, 姚立红, 曾庆凯, 茅兵, 谢立. 高技术通讯 (High Technology Letters), vol. 13, no. 7, 2003 *

Also Published As

Publication number Publication date
CN101174293A (en) 2008-05-07


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C17 Cessation of patent right
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20090610

Termination date: 20111119