[go: up one dir, main page]
More Web Proxy on the site http://driver.im/

CN118862085A - Manageable operating system based on active immunity - Google Patents

Manageable operating system based on active immunity Download PDF

Info

Publication number
CN118862085A
CN118862085A CN202410892900.5A CN202410892900A CN118862085A CN 118862085 A CN118862085 A CN 118862085A CN 202410892900 A CN202410892900 A CN 202410892900A CN 118862085 A CN118862085 A CN 118862085A
Authority
CN
China
Prior art keywords
security
module
operating system
trusted
log
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202410892900.5A
Other languages
Chinese (zh)
Inventor
戚建淮
徐国前
胡金华
崔宸
唐娟
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shenzhen Y&D Electronics Information Co Ltd
Original Assignee
Shenzhen Y&D Electronics Information Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Shenzhen Y&D Electronics Information Co Ltd filed Critical Shenzhen Y&D Electronics Information Co Ltd
Priority to CN202410892900.5A priority Critical patent/CN118862085A/en
Publication of CN118862085A publication Critical patent/CN118862085A/en
Pending legal-status Critical Current

Links

Landscapes

  • Storage Device Security (AREA)

Abstract

The invention discloses a manageable operating system based on active immunity, which comprises: the user access management module is used for managing user access; the security kernel module is used for judging and implementing the user access according to preset security information; the trusted communication module is used for ensuring the trusted communication inside the system; the safety mechanism management module is used for managing the safety mechanism; the security reinforcement module is arranged on the application layer and is used for defending attack behaviors; a security audit module; the system comprises a centralized management module, a control module and a control module, wherein the centralized management module is used for providing centralized management, strategy configuration, log management and alarm management for an operating system.

Description

Manageable operating system based on active immunity
Technical Field
The invention relates to the technical field of network security, in particular to an active immunity-based manageable operating system.
Background
Operating system security is an important basis for computer security, and to properly solve the increasingly wide computer security problem, a firm security operating system is required to be used as a rear shield, so that a practical and effective development method is required to be searched for, and a security operating system capable of meeting the actual application needs is developed.
At present, the safety protection level of the operating system in the prior art still stays in the traditional manual reinforcement stage of patching, simple strategy configuration and the like, and the lack of professional-level safety operating system products, especially like the main stream operating system, the back of a huge user base number, hides the increasing potential safety hazard.
Therefore, how to provide an active immune-based manageable operating system, which can implement multiple security policy models and enhance the security of the system is a technical problem to be solved by those skilled in the art.
Disclosure of Invention
In order to solve the technical problems, the invention provides an active immunity-based manageable operating system which can realize various security policy models and enhance the security of the system under an architecture supporting a plurality of security policies and dynamic security policy changes.
The technical scheme provided by the invention is as follows:
the invention provides an active immunity-based manageable operating system, which comprises: the system is based on a CentOS basic framework and kernel basic functions, and is obtained by adding and expanding a security mechanism to the kernel;
The system comprises:
the user access management module is used for managing user access;
The security kernel module is used for judging and implementing the user access according to preset security information;
The trusted communication module is used for ensuring the trusted communication in the system;
The safety mechanism management module is used for managing the safety mechanism;
the security reinforcement module is arranged on the application layer and is used for defending attack behaviors;
The security audit module is used for auditing the security event;
and the centralized management module is used for providing centralized management, strategy configuration, log management and alarm management for the operating system.
Further, in a preferred mode of the present invention, the user access management module is configured to perform the following steps: authenticating the identity of the user; based on the forced access control mechanism, implementing confidentiality and integrity double check and verification to the user; after passing, grant is used to access system resources.
Further, in a preferred mode of the present invention, the security kernel module includes: a security judgment module and a judgment implementation module; the safety judging module judges whether the safety related behavior can be executed or not based on the safety information; the decision enforcement module is responsible for executing tasks to be executed by the security-related actions that have been licensed.
Further, in a preferred mode of the present invention, a mutually independent information supporting mechanism is set up inside the security decision module;
The safety information corresponds to the information supporting mechanism one by one;
in the security judgment process, the corresponding mechanism of the security judgment module can determine the security information to be adopted according to the type of the security request, and then transfer the judgment task of the security request to the corresponding information support mechanism for processing.
Further, in a preferred mode of the present invention, the trusted communication module supports a trusted computing dual system; the functions of the trusted communication module include: trusted boot, static metrics, dynamic metrics, trusted metrics management services, and trusted backup services.
Further, in a preferred form of the invention, the trusted boot is a root of trust based on a trusted computing chip TCM; the trust root is composed of a BIOS CRTM module and a trusted chip;
After the TCM is powered on, the CRTM module program is executed to measure and expand the CRTM data, the BIOS data and the platform expansion items into the position of the trusted chip platform configuration register PCR number 0, and record the measurement event into the event log.
Further, in a preferred form of the invention, the static metric comprises: a metrology mechanism and a static metrology target object, the metrology mechanism comprising: an integrity challenge mechanism and an integrity verification mechanism, the static metric target object comprising: the method comprises the steps of an initial kernel, a kernel module, an executable file loaded by a process, a dynamic library loaded by the process and a configuration file of the process;
The dynamic measurement is a dynamic measurement model based on information flow, and the dynamic measurement target object is a process and a kernel module.
Further, in a preferred form of the invention,
The safety mechanism management module is used for adding and expanding a safety mechanism in the kernel space and the user space;
The security mechanism management module is a security mechanism management module subjected to security technology enhancement optimization, wherein the security technology enhancement optimization comprises aspects of autonomous access control, forced access control, marking, identity authentication, object reuse, audit, data integrity, hidden channel analysis, trusted path, trusted recovery and the like.
Further, in a preferred mode of the present invention, the security reinforcement module is configured to defend attack actions specifically:
immunization against "known" and "unknown" aggression;
the security reinforcement module is used for defending attack behaviors and comprises the following steps:
Establishing a white list mechanism;
Protecting based on the white list;
Reconstructing a 'security subsystem' of an operating system by using three access control security model combinations of the enhancement type DTE, RBAC, BLP;
all relevant resource access actions are monitored, forming a stereo guard to ensure implementation of a secure operating system.
Further, in a preferred form of the invention, the security audit module is adapted to perform the steps of: recording and inquiring the log, wherein the types of the log comprise a program log, a peripheral log, a user log, a resource monitoring log and a log of a WEB account and an operation log; the content of the log comprises specific time, log type, user name, event description, response mode and execution object; and auditing the log, and identifying abnormal log data.
The invention provides an active immunity-based manageable operating system. Compared with the prior art, the system is based on a central OS basic framework and kernel basic functions, and is obtained by adding and expanding a security mechanism to the kernel; the system comprises: the user access management module is used for managing user access; the security kernel module is used for judging and implementing the user access according to preset security information; the trusted communication module is used for ensuring the trusted communication in the system; the safety mechanism management module is used for managing the safety mechanism; the security reinforcement module is arranged on the application layer and is used for defending attack behaviors; the security audit module is used for auditing the security event; the system comprises a centralized management module, a control module and a control module, wherein the centralized management module is used for providing centralized management, strategy configuration, log management and alarm management for an operating system, and the technical scheme can realize various safety strategy models under the architecture supporting a plurality of safety strategies and dynamic safety strategy changes, so that the safety of the system is enhanced, and compared with the prior art, the system has obvious technical effects.
Drawings
In order to more clearly illustrate the embodiments of the invention or the technical solutions in the prior art, the drawings that are required in the embodiments or the description of the prior art will be briefly described, it being obvious that the drawings in the following description are only some embodiments of the invention, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a schematic diagram of an architecture of an active immune-based manageable operating system according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of QiSOS operating system authentication logic according to an embodiment of the present invention;
FIG. 3 is a schematic diagram illustrating the operation logic of a kernel SD subsystem of a QiSOS secure operating system according to an embodiment of the present invention;
FIG. 4 is a schematic diagram of trusted delivery and verification logic for a trust chain of a manageable operating system according to an embodiment of the present invention;
FIG. 5 is a schematic diagram of BIOS-based integrity metrics in accordance with an embodiment of the present invention;
FIG. 6 is a schematic diagram of the operation logic of the static measurement subsystem according to an embodiment of the present invention;
FIG. 7 is a schematic diagram of dynamic metrology subsystem operation logic according to an embodiment of the present invention;
FIG. 8 is a schematic diagram of an application layer security reinforcement logic according to an embodiment of the present invention;
FIG. 9 is a schematic diagram of a management side bypass structure based on an active immune manageable operating system according to an embodiment of the present invention;
FIG. 10 is a schematic diagram of a security trust token system architecture based on split rights according to an embodiment of the present invention;
FIG. 11 is a schematic diagram of security encryption logic of an access control program according to an embodiment of the present invention;
Fig. 12 is a flowchart of a security policy opening operation according to an embodiment of the present invention.
Detailed Description
In order that those skilled in the art will better understand the technical solutions of the present invention, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is apparent that the described embodiments are only some embodiments of the present invention, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
It will be understood that when an element is referred to as being "fixed" or "disposed" on another element, it can be directly on the other element or be indirectly embedded on the other element; when an element is referred to as being "connected to" another element, it can be directly connected to the other element or be indirectly connected to the other element.
It is to be understood that the terms "length," "width," "upper," "lower," "front," "rear," "first," "second," "vertical," "horizontal," "top," "bottom," "inner," "outer," and the like are merely for convenience in describing and simplifying the description based on the orientation or positional relationship shown in the drawings, and do not indicate or imply that the devices or elements referred to must have a particular orientation, be constructed and operated in a particular orientation, and thus are not to be construed as limiting the invention.
Furthermore, the terms "first," "second," and the like, are used for descriptive purposes only and are not to be construed as indicating or implying a relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defining "a first" or "a second" may explicitly or implicitly include one or more such feature. In the description of the present invention, the meaning of "a plurality" or "a number" means two or more, unless specifically defined otherwise.
It should be understood that the structures, proportions, sizes, etc. shown in the drawings are for the purpose of understanding and reading the disclosure, and are not intended to limit the scope of the invention, which is defined by the claims, but rather by the claims, unless otherwise indicated, and that any structural modifications, proportional changes, or dimensional adjustments, which would otherwise be apparent to those skilled in the art, would be made without departing from the spirit and scope of the invention.
Referring to fig. 1 to 12, the present invention provides an active immune-based manageable operating system, comprising: the system is based on a CentOS basic framework and kernel basic functions, and is obtained by adding and expanding a security mechanism to the kernel; the system comprises: the user access management module is used for managing user access; the security kernel module is used for judging and implementing the user access according to preset security information; the trusted communication module is used for ensuring the trusted communication in the system; the safety mechanism management module is used for managing the safety mechanism; the security reinforcement module is arranged on the application layer and is used for defending attack behaviors; the security audit module is used for auditing the security event; the system comprises a centralized management module, a control module and a control module, wherein the centralized management module is used for providing centralized management, strategy configuration, log management and alarm management for an operating system, and the technical scheme can realize various safety strategy models under the architecture supporting a plurality of safety strategies and dynamic safety strategy changes, so that the safety of the system is enhanced, and compared with the prior art, the system has obvious technical effects.
Specifically, in an embodiment of the present invention, the user access management module is configured to perform the following steps: authenticating the identity of the user; based on the forced access control mechanism, implementing confidentiality and integrity double check and verification to the user; after passing, grant is used to access system resources.
Specifically, in an embodiment of the present invention, the secure kernel module includes: a security judgment module and a judgment implementation module; the safety judging module judges whether the safety related behavior can be executed or not based on the safety information; the decision enforcement module is responsible for executing tasks to be executed by the security-related actions that have been licensed.
Specifically, in the embodiment of the invention, the security decision module internally sets up mutually independent information support mechanisms;
The safety information corresponds to the information supporting mechanism one by one;
in the security judgment process, the corresponding mechanism of the security judgment module can determine the security information to be adopted according to the type of the security request, and then transfer the judgment task of the security request to the corresponding information support mechanism for processing.
Specifically, in the embodiment of the invention, the trusted communication module supports a trusted computing dual system; the functions of the trusted communication module include: trusted boot, static metrics, dynamic metrics, trusted metrics management services, and trusted backup services.
Specifically, in an embodiment of the present invention, the trusted boot is a root of trust based on a trusted computing chip TCM; the trust root is composed of a BIOS CRTM module and a trusted chip;
After the TCM is powered on, the CRTM module program is executed to measure and expand the CRTM data, the BIOS data and the platform expansion items into the position of the trusted chip platform configuration register PCR number 0, and record the measurement event into the event log.
Specifically, in an embodiment of the present invention, the static metrics include: a metrology mechanism and a static metrology target object, the metrology mechanism comprising: an integrity challenge mechanism and an integrity verification mechanism, the static metric target object comprising: the method comprises the steps of an initial kernel, a kernel module, an executable file loaded by a process, a dynamic library loaded by the process and a configuration file of the process;
The dynamic measurement is a dynamic measurement model based on information flow, and the dynamic measurement target object is a process and a kernel module.
Specifically, in the embodiment of the present invention, the security mechanism management module is configured to add and expand security mechanisms in kernel space and user space;
The security mechanism management module is a security mechanism management module subjected to security technology enhancement optimization, wherein the security technology enhancement optimization comprises aspects of autonomous access control, forced access control, marking, identity authentication, object reuse, audit, data integrity, hidden channel analysis, trusted path, trusted recovery and the like.
Specifically, in the embodiment of the present invention, the security reinforcement module is configured to defend attack behaviors specifically:
immunization against "known" and "unknown" aggression;
the security reinforcement module is used for defending attack behaviors and comprises the following steps:
Establishing a white list mechanism;
Protecting based on the white list;
Reconstructing a 'security subsystem' of an operating system by using three access control security model combinations of the enhancement type DTE, RBAC, BLP;
all relevant resource access actions are monitored, forming a stereo guard to ensure implementation of a secure operating system.
Specifically, in an embodiment of the present invention, the security audit module is configured to perform the following steps: recording and inquiring the log, wherein the types of the log comprise a program log, a peripheral log, a user log, a resource monitoring log and a log of a WEB account and an operation log; the content of the log comprises specific time, log type, user name, event description, response mode and execution object; and auditing the log, and identifying abnormal log data.
It should be noted that, the security of the operating system is an important basis for computer security, so to properly solve the increasingly wide computer security problem, a firm security operating system is necessary to be used as a rear shield, which requires us to find a practical and effective development method to develop a security operating system capable of meeting the actual application needs.
It should be noted that fig. 4 is a schematic diagram of trusted delivery and verification logic of a trust chain of a manageable operating system according to an embodiment of the present invention; wherein TCM DRIVER LIB is a driving Library of a trusted computing chip, TCM FIRMWARE LIB is a firmware Library of the trusted computing chip, kernel is a system kernel, and LIB is a Library for short; FIG. 6 is a schematic diagram of the operation logic of the static measurement subsystem according to an embodiment of the present invention; wherein, the files represent user files, systemd systems, TCMProvider trusted computing chip management service program/process, TCM DRIVER LIB is a driver library of the trusted computing chip; FIG. 7 is a schematic diagram of dynamic metrology subsystem operation logic according to an embodiment of the present invention; wherein process represents a process of user space; modules denotes a kernel module; FIG. 8 is a schematic diagram of an application layer security reinforcement logic according to an embodiment of the present invention; wherein, the sequence number in the figure indicates the process steps of the application security reinforcement; FIG. 9 is a schematic diagram of a management side bypass structure based on an active immune manageable operating system according to an embodiment of the present invention; wherein initlog is denoted as a start-up process, klogd is denoted as a daemon for intercepting and recording Linux kernel messages, adduser is denoted as an add user process, passwd is denoted as a password of a new user, arp is denoted as an address resolution protocol, insmod is denoted as a load module; FIG. 12 is a security policy opening workflow diagram according to an embodiment of the present invention; wherein SSI is denoted as host security identifier and OSI is denoted as guest security identifier.
At present, the safety protection level of the operating system in the prior art still stays in the traditional manual reinforcement stage of patching, simple strategy configuration and the like, and the lack of professional-level safety operating system products, especially like the main stream operating system, the back of a huge user base number, hides the increasing potential safety hazard.
It should be noted that, TCM DRIVER LIB is a driver Library of a trusted computing chip, TCM FIRMWARE LIB is a firmware Library of a trusted computing chip, kernel is a system kernel, and LIB is a Library for short; wherein, the files represent user files, systemd systems, TCMProvider trusted computing chip management service program/process, TCM DRIVER LIB is a driver library of the trusted computing chip; wherein process represents a process of user space; modules denotes a kernel module; wherein initlog is denoted as a start-up process, klogd is denoted as a daemon for intercepting and recording Linux kernel messages, adduser is denoted as an add user process, passwd is denoted as a password of a new user, arp is denoted as an address resolution protocol, insmod is denoted as a load module; wherein SSI is denoted as host security identifier and OSI is denoted as guest security identifier.
More specifically, the technical solution according to the embodiments of the present invention provides an active immunity-based implementation of a manageable operating system, which aims to develop a security manageable operating system (QiSOS), support a trusted computing 3.0 dual-system architecture, and improve and expand the original kernel of a CentOS operating system by adopting an improvement/enhancement method according to the criteria of network security protection level division, and implement multiple security policy models under an architecture supporting multiple security policies and dynamic security policy changes, so as to enhance the security of the system. The active immune manageable operating system is based on a central OS basic framework and kernel basic functions, adopts improvement, enhancement and expansion of the safe operating system according to a safe operating system evaluation standard, and supports an enhanced BLP multistage safety confidentiality model and a Biba integrity protection model; and support availability assurance models.
The following scheme of the invention is further described with more specific emphasis:
First, the user view is improved QiSOS.
After the user accesses the resource and the first task needs identity authentication, the user process can implement confidentiality and integrity dual checking and verification through a forced access control mechanism of the security kernel after the user passes the identity authentication.
Second, qiSOS's system calls are modified, including security-related system calls, security system calls, and general system calls. A security-related system call, qiSOS system call (e.g., open) modified according to the security kernel mechanism; secure system calls, system calls of the newly added secure kernel (e.g., GETSECATTR), and general system calls refer to other system calls of Linux (e.g., read).
Third, adding trusted management computation, supporting trusted computing dual systems, including trusted boot, static metrics, dynamic metrics, trusted metrics management services, trusted backup services, etc., supporting multiple security policy models to enhance the security of the system.
Fourth, security features are enhanced, including security functional requirements in terms of autonomous access control, mandatory access control, tagging, identity authentication, object reuse, auditing, and data integrity, according to functional requirements of third level security operations.
Fifthly, a kernel SD subsystem of a safe operating system is newly added QiSOS, which comprises main mechanisms of access arbitration, security management, security audit, a plurality of information supports and the like, and mainly comprises:
Access control, including autonomous access control (DAC), mandatory Access Control (MAC), and Integrity Access Control (IAC).
User authorization management including user authentication, user authorization, role management, role-based access control, tag-based access control, and the like.
Security audit, which strictly restricts unauthorized user access, including recording operations of operators, system administrators, and system security administrator processes; an audit trail is created and maintained for access to the protected object, protecting the audit trail from unauthorized access, modification and destruction.
Backup recovery: and after the system fails in operation, the backup data is restored by using an identification data backup and recovery mechanism.
Data encryption: the authentication data is stored, transmitted or processed in an encrypted manner, and the key management service interface function is provided, so that confidentiality of user data is guaranteed.
Resource limitation: the authorized user is prevented from using database server resources such as a host processor (CPU), a shared cache, a database storage medium and the like without control, and the functions such as limiting the parallel session number of each authorized user/authorized manager and the like are limited.
In more detail, the specific technical scheme of the invention is as follows:
s1: the functional architecture of the operating system security enhancement may be managed.
The manageable security operating system (QiSOS) is based on a centOS basic framework and kernel basic functions, and adds and expands security mechanisms to the kernel, including security technology enhancement requirements in aspects of autonomous access control, mandatory access control, marking, identity authentication, object reuse, audit, data integrity, hidden channel analysis, trusted path, trusted recovery and the like.
Meanwhile, supporting an enhanced BLP multi-level security model and a Biba integrity protection model; and support availability assurance models.
Further, as shown in FIG. 2, S1-1: qiSOS operating system user managed window, after user access to resource, first task, need identity authentication, user process can implement confidentiality and integrity dual check and verification through security kernel forced access control mechanism, then access to system resource.
Still further S1-1-1: qiSOS are divided into three types: security related system calls, security system calls, and general system calls.
The security related system call refers to QiSOS system call (such as open) modified according to security kernel mechanism, the security system call refers to newly added system call (such as GETSECATTR) of the security kernel, and the general system call refers to other system call (such as read) of Linux.
Still further S1-1-2: security features, in accordance with functional requirements of third level security operations, include security functional requirements in terms of autonomous access control, mandatory access control, tagging, identity authentication, object reuse, auditing, and data integrity, among others.
In the logical structure of QiSOS secure operating system, the system security kernel is divided into two parts, namely Security Decision (SD) and decision implementation (DE), the SD depends on security information, and is responsible for judging whether a security-related action can be executed, the DE is irrelevant to the security information, and is responsible for executing a task to be executed by an action which has been licensed.
The SD is internally provided with mutually independent information supporting mechanisms, the safety information corresponds to the information supporting mechanisms one by one, and in the safety judging process, the corresponding mechanism of the SD can determine the safety information to be adopted according to the type of the safety request and then transfer the judging task to the corresponding information supporting mechanism.
Meanwhile, from the perspective of the kernel, the security-related behavior is triggered by a system call, taking open system call to open a file as an example, which is the security-related behavior, and firstly submits a request for opening the file to the SD subsystem, and the access arbitration mechanism accepts the request and makes a judgment by the corresponding information support mechanism. The final authorized or forbidden access result information is returned to the open system call by the SD subsystem. The open system call determines the next action based on this security decision. If authorized, the subsequent open file operation (which pertains to the enforcement of the security decision) is completed by the remainder of the kernel other than the SD subsystem.
As in fig. 3, S1-2: qiSOS the secure operating system kernel SD subsystem comprises main mechanisms such as access arbitration, security management, security audit and a plurality of information supports, and specifically:
Access control, including autonomous access control (DAC), mandatory Access Control (MAC), and Integrity Access Control (IAC).
User authorization management including user authentication, user authorization, role management, role-based access control, tag-based access control, and the like.
Security audit, which strictly restricts unauthorized user access, including recording operations of operators, system administrators, and system security administrator processes; an audit trail is created and maintained for access to the protected object, protecting the audit trail from unauthorized access, modification and destruction.
Backup recovery: and after the system fails in operation, the backup data is restored by using an identification data backup and recovery mechanism.
Data encryption: the authentication data is stored, transmitted or processed in an encrypted manner, and the key management service interface function is provided, so that confidentiality of user data is guaranteed.
Resource limitation: the authorized user is prevented from using database server resources such as a host processor (CPU), a shared cache, a database storage medium and the like without control, and the functions such as limiting the parallel session number of each authorized user/authorized manager and the like are limited.
S2: manageability operating system trust chain trusted delivery and verification
As shown in FIG. 4, an operating system (QiSOS) may be managed, supporting trusted computing dual systems, including trusted boots, static metrics, dynamic metrics, trusted metrics management services, trusted backup services, and the like.
Wherein, as shown in FIG. 5, S2-1: trusted boot, based on a trusted root of a trusted computing chip (TCM), consisting of a BIOS CRTM module and a trusted chip, executes a CRTM module program after TCM power-up, which is the first sub-module of the platform BIOS system, which measures and extends CRTM data, BIOS data, and platform extension entries into a trusted chip Platform Configuration Register (PCR) number 0 location, and records measurement events into an event log.
Still further, S2-1-1: the CRTM module is protected by integrity write, the measurement sequence is guaranteed to be untampered, and if the measurement expansion is successful, the creditable chip saves the unique description of the platform CRTM.
The residual boot phase of the BIOS is recorded to the 1-6 bit platform configuration register by means of the metric extension mechanism.
Still further, S2-1-2: and (3) the trusted boot workflow, the BIOS is booted, a shim component is started, the shim component provides measurement service and password service for the OS-LOADER, and the measurement expansion mechanism BIOS is utilized to record shim component data to a No. 7 platform configuration register.
(1) The shim component ends the boot, starts the grub2 component, which is an operating system boot (OS-LOADER) responsible for booting the operating system, and records grub2 component data to platform configuration register number 8 using the metric extension mechanism shim component.
(2) The grub2 component finishes booting, starts the operating system kernel, and records kernel data to the No. 9 platform configuration register by using the metric extension mechanism grub2 component.
(3) The kernel finishes booting, starts systemd the process, systemd the system user state root process, and records systemd data to platform configuration register number 10 by using the kernel static measurement module measurement function.
(4) And finally, starting TCMProvider a service process by the system, wherein the TCMProvider service process is responsible for interfacing with cloud trusted management service, and recording TCMProvider data to a No. 10 platform configuration register by utilizing a measurement function of the kernel static measurement module.
As in fig. 6, S2-2: a static metrology subsystem comprising a metrology mechanism: integrity challenge mechanisms and integrity verification mechanisms, including metrology target objects: the method comprises an initial kernel, a kernel module, executable files loaded by a process, a dynamic library loaded by the process and configuration files of the process.
S2-2-1: when an application program is started, the subsystem utilizes a measurement extension mechanism to submit an application program measurement value to a trusted chip platform configuration register so as to support the trust chain extension of a trusted computing platform from an OS to an application program level.
S2-2-2: the static metrics subsystem creates and maintains a metrics list ML, aided by TCMProvider service processes, that can provide trusted certificates for computing platforms.
As in fig. 7, S2-3: dynamic metrics, a dynamic metrics model based on information flow, comprising a metrics target object: and a process and a kernel module.
S2-3-1: and periodically measuring the memory segments with read-only property of the process and the kernel module according to the measurement strategy, and verifying the trusted state of the platform execution environment in real time.
S2-3-2: and detecting that the read-only memory area is tampered or destroyed in the periodic measurement link, and immediately triggering audit or stopping the running of the process and the kernel module. The first activity metric values of the process and kernel modules are extended to trusted chip platform configuration registers.
S3: enhancement of manageable operating system security mechanisms
As in fig. 8, S3-1: the manageable secure operating system (QiSOS) performs security technology enhancement requirements on the aspects of adding and expanding security mechanisms in kernel space and user space, including 10 aspects of autonomous access control, forced access control, marking, identity authentication, object reuse, auditing, data integrity, hidden channel analysis, trusted path, trusted recovery and the like.
S3-1-1: the security mechanism features include user data integrity and confidentiality, identity identification and authentication, user authorization, role management, multi-mechanism authentication, re-authentication, three-member management, support for access control, resource control, data security, security audit, etc.
1. The forced control mechanism realizes the principle of minimum special authority, only grants each special authority user or process the minimum capability of completing the function, eliminates any user or process with unrestricted capability in the system, and reduces the potential safety hazard of the system.
2. The forced operation control mechanism is used for realizing a sandbox filtering mechanism of the process operation environment and monitoring the operation environment of the process; specific process protection is provided to prevent a particular authority user from removing a process without restriction, and key services are protected from being affected.
3. And the forced access control mechanism enhances the privacy protection of the information, ensures the controllability and the security of information flow and prevents the secret information from being revealed to unauthorized users.
4. The multi-factor identity authentication function can prevent illegal login and use of the system through multiple authentication mechanisms such as passwords, PAM modules, digital certificates, host feature codes and the like.
5. The magnetic disk is used for secret storage, and provides high-strength encrypted storage space for users. And realizing a unified encryption and decryption middle layer on the virtual file system layer, carrying out encryption processing on the written file blocks, and carrying out decryption operation on the read file blocks. When a user operates the encrypted storage space, the user must pass the protection password authentication, and the unreadable characteristic of the disk data is ensured under the condition of no password confirmation.
6. The structured security mechanism can realize the access control of the security authentication equipment based on the PKCS#11 interface by a PKI/CPK public key basic system. And the transmission encryption of the file system and the network data is supported, and the confidentiality of the user data is protected. Supporting a certificate-based identity authentication mechanism;
7. Based on the running mode of the memory, the system is supported to restore a key system, no data residue is ensured after running, and the privacy of a user is protected; the strong autoimmune function can effectively prevent the invasion and the spread of viruses and trojans based on a sandbox mechanism limited by the running environment;
8. the security audit function is enhanced, and support is provided for the functions of potential infringement analysis, anomaly detection, attack detection and the like.
As in fig. 8, S3-2: the application layer is used for security reinforcement, and immunity of known and unknown attack behaviors, such as Trojan horse, backdoor, shock wave, lux virus and other virus invasion are resisted, immunity is aimed at an operating system, malicious attack behaviors and the like, so that important data resources of the operating system are prevented from being illegally stolen, deleted and tampered, and normal application of the operating system is prevented from being illegally terminated.
S3-2-1: and the white list mechanism starts from the kernel driving layer of the operating system, judges whether the behavior characteristics of the file are in compliance with a white behavior characteristic library, and if the behavior characteristics are not in compliance, refuses the execution of the file, thereby fundamentally avoiding the occurrence and the diffusion of the security problem.
S3-2-2: performing white list protection, performing full-disk scanning on each executable file, and performing digital signature to generate a white list database; the digital signature ensures the uniqueness of the file, ensures the normal operation of the white list file and prevents the operation of unauthorized executable files.
When the scanning is completed, the working mode can be switched by one key, white list deployment is carried out, when the working mode is in the alarm mode, the abnormal program can carry out real-time alarm but not be blocked when the protected executable program is executed, and when the working mode is in the protection mode, the abnormal program can carry out alarm and be blocked at the same time, and can not run.
After deployment is completed, when white list software updating is needed, the white list release can be performed by adding the catalog or the file, and the trust path can be set for complete trust and release.
S3-2-3: the "security subsystem" of the operating system is reconstructed using the enhanced DTE, RBAC, BLP three access control security model combinations.
S3-2-4: the security subsystem of the operating system monitors all relevant resource access behaviors, realizes the security policy of the operating system through three access control models, ensures the security of system information and the system itself, so as to ensure the confidentiality, the integrity, the availability and the reliability of the operating system, and forms three-dimensional protection aiming at control points (such as identity authentication, sensitive marks, forced access control, security audit, residual information protection, intrusion protection, malicious code protection, resource control and the like) related to the security of the host system so as to ensure the realization of the security operating system.
S3-3: and (5) auditing the security event.
S3-3-1: the log record and query function is provided comprehensively and abundantly, and comprises a program log, a peripheral log, a user log, a resource monitoring log, and a log-in and operation log of a WEB account, wherein the log comprises specific time, log type, user name, event description, response mode, execution object and the like, and a user can export the formats of CSV, TXT, XLSX and the like according to the log type.
S3-3-2: the access to the equipment and the running of the program can generate corresponding log records, and the log records can not be deleted or changed.
S3-4: the system supports the centralized management function, and the centralized management, the policy configuration, the log management, the alarm management and the like of an operating system.
Further, as shown in fig. 9, the present invention is embodied as follows:
And the first step, shunting, including configuration, authorization and audit.
1. And (3) shunting, namely setting up special authority users such as a trusted system programmer, a system security manager, a system account manager, a system security auditor and the like, and limiting the special authority of each special authority user through different operating environments and operating interfaces. One of them: and a system administrator comprising system monitoring, network configuration and system management authority. Two of them: security administrators, including system monitoring, application analysis, policy configuration, network configuration, user management, and system management. Three of which: audit administrators, including system monitoring, application analysis, rights configuration, rights patterns, and the like.
2. The trusted system programmer has all special authorities of super users, but can only work in a maintenance mode of the system and is responsible for the configuration and maintenance of the whole system.
3. The system security administrator is responsible for managing the security attributes involved in the system. The system account administrator is responsible for the setup, withdrawal, and related management of user accounts.
Wherein: the system security auditor is responsible for configuring and maintaining audit mechanisms and audit information.
4. Roles and authorities, all special authorities are decomposed into a group of fine-grained special authority subsets, defined as different 'roles', respectively given to different users, each user only has the minimum special authorities necessary for completing the work of the user, and respectively given to different system operators, administrators and security administrators, thereby meeting the minimum special authority management. And the classical BLP security model is improved, a multi-level security Model (MBLP) and a system security policy are realized, and confidentiality and integrity of information are ensured.
(1) Autonomous access control is improved, with access control granularity refined to a single user.
(2) The forced access control is improved, corresponding security levels are given to the processes, the files and the access resources in the system, and the security levels of the processes and the security levels of the files are compared according to the security identification and the access mode of the processes during access, so that whether the processes are allowed to access the files is determined.
(3) The security audit executes a complete and efficient audit mechanism, and audit events comprise identification and authentication; introducing the object into a user address space; deleting the object; the system particularly grants the user's actions, etc.
5. The shell instructions can be managed, respective manager shell is designed for each administrator (audit administrator sysaud, security administrator syssec, system administrator sysadm) and general users, and users with different identities are pointed to different shells by modifying etc/passwd files.
6. After registration (log) of a user of a different identity, a corresponding shell can be started for him to restrict his rights. Meanwhile, setting a security context structure list conforming to the identity of each user with different identities, and when each shell executes the operation, judging whether the operation is in the security context structure list of the corresponding user or not; if not, refusing the operation; if in the list.
7. Further determinations are made based on access control policies (DAC, MAC, ACL, etc.) of the secure operating system.
Second, as in FIG. 10, the security trust token system based on the split rights is applied.
8. Based on the strong control of the trust token, the authentication method comprises the steps of identity trusted authentication, account password authentication, UKey card of login application and authentication certificate, and the security token identifies the identities of a user and an administrator.
One of them is a network authentication management center, which centrally manages the issuing of identity cards and performs verification, and the user can access the application of permission after one-time login authentication.
And two, a security operating system can be managed, and special authority users can be authorized, wherein the security operating system comprises a security manager, a security auditor and a system manager, and security tokens are respectively set up.
9. Based on the access control of the roles, users are induced into roles in the system, applications are divided into application groups, the corresponding relation between the roles and the application groups is established, rights management is established, access without the rights is eliminated, access security levels of the roles and the application groups are compared in the allowed user access, and fine-grained control is implemented.
10. The security audit of the operating system carries out audit on various events, including the issuing of tokens, the login of users and the occurrence of various events in the process of accessing information resources, and provides various audit modes such as audit according to time intervals and audit according to user objects.
11. The access control mechanism is used for executing the management of the minimum authority of the access control, namely, identity authentication and verification, preventing illegal occupation and illegal use of legal user account numbers and passwords, and further, whether to access the application and the resource according to the authority.
Third step, enhancement of security mechanism
Access control is implemented according to a multi-level security Model (MBLP), where the subject is a process, and the objects are processes, files, special files (devices), directories, pipes, semaphores, shared memory segments and messages.
12. An Access Control Program (ACP) paradigm, in a client/server-based distributed environment, the ACP may provide fine-grained access authorization to an intermediary entity acting as a proxy for a client. An ACP is a program that clients always bind with a request to a server. An ACP describes the rights granted by a client to an intermediate entity for each request. The ACP is accompanied by a digital signature that prevents intermediate entities from tampering with it. At the server side, as part of the rights checking work, the server runs the ACP received with the request, and if the ACP allows, grants access rights to the intermediate entity.
In an Access Control Program (ACP) bound to a request, as shown in fig. 11, an advanced ACP constitutes a container that holds a complete security message. In a system, each entity submitted to a security information implementation component is bound to a corresponding advanced ACP, and when the entity communicates, the advanced ACP is transferred to a target object together with communication information, and at the target object end, security information in the ACP is executed to check consistency between operation of the entity and the security information. If multiple entities are submitted to the same all-information-implementing component, all of the entities are bound to the same advanced ACP, and all of the entities submitted to a secure information-implementing component in this manner constitute the domain of the secure information-implementing component.
13. Identity authentication, authentication is performed by using a password, and authentication is performed every time a user logs in the system.
Besides supporting authentication of the identity of the requester when the user logs in the system each time, more strict authentication needs to be provided, such as authentication by adopting special information such as a smart IC card, fingerprint, retina and the like, and authentication needs to be performed before the user logs in the system each time. The intelligent IC card identity authentication is based on cryptographic technology and accords with X.509 protocol.
During information exchange, the authenticity of the identities of the passing parties and the non-repudiation authentication of the two parties on the information exchange behavior should be carried out.
14. And the forced access control is carried out by a system administrator, a system security administrator and a system auditor to complete the minimum authority required by the tasks born by the system administrator, the system security administrator and the system auditor according to the minimum authority principle, and a mutually restricted relation is formed among the system administrator, the system security administrator and the system auditor.
The forced access control should be closely matched with the security functions of user identity authentication, marking and the like, so that the security control of the system to the user comprises the whole process from the user entering the system to the user exiting the system.
In the network environment, the forced access control function is uniformly realized.
15. The authentication mechanism uses this user's authentication data to verify the user's identity by the trusted Token (TCB) before the TCB establishes a session, and the login mechanism does not allow the authentication mechanism itself to be bypassed.
(1) To provide the user with information about the system login activity, let the user recognize the attempt of the intrusion, take action to prevent possible unauthorized use, and after successful login to the system, the TCB should display the following data to the user:
date, time, source and last successful login to the system;
-a failure of the identification since the last successful access to the system;
-days when the password should be displayed to expire;
The display of the number of successful or unsuccessful events can be expressed in terms of integer counts, a list of time stamps, etc.
(2) After a defined unused time limit, the system should disconnect the session or re-authenticate the user, and the system should provide a default value for the time limit.
(3) The system should provide a mechanism to lock the user's keypad and the keypad unlocking process should require authentication of the user.
(4) When the incorrect number of user authentication processes reaches the system specified number, the system should exit the login process and terminate interaction with the user. The system should provide a threshold default value. When the threshold value is exceeded, the system should immediately notify the system administrator, while the system may specify a dwell time after which the login procedure is allowed to resume. The system should have the ability to increase the time interval under successive intrusion attempts, thereby extending the time the system is breached.
(5) The system should ensure that even if the entered user identification is invalid, the complete user authentication process should be performed and that the erroneous feedback information should not expose what part of the authentication information is erroneous.
(6) The system provides a mechanism for defining which users can enter the system and which users cannot enter the system according to the conditions of hours, days of the week, years, months and days.
(7) The system provides a mechanism to reject or accept users according to the manner of entry or location. The system provides a mechanism to restrict access to the system by authorized users through either the dial-up device or the network device.
(8) The system provides a mechanism to limit the user's access to the system at a designated network address or port. For example, system administrators are restricted from accessing the system only through the system console.
(9) The system provides a mechanism to restrict access to a specified user or group of users to no modification.
16. As shown in fig. 12, in the security policy opening workflow, multi-level security (MLS) information, identification-based access control (IBAC) policy and type arbitration, etc. are implemented through cooperation with a security server.
(1) The type of access includes tasks, threads, and ports. Tasks and threads represent active principals, i.e., processes, in a system, each task containing a set of threads. The implementation of the server in the system is embodied as one or more tasks. A port is a unidirectional communication channel for task delivery messages.
(2) The tasks name the ports using capabilities, each capability describing the rights to send or receive messages to or from a particular port, which capabilities can be transferred from one task to another by way of the sent messages.
The security server receives the request from the microkernel through the microkernel security port or receives the request from other servers through the universal security port, and sends response information to the request through the response port.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (10)

1. An active immunity-based manageable operating system, comprising:
the user access management module is used for managing user access;
The security kernel module is used for judging and implementing the user access according to preset security information;
the trusted communication module is used for trusted communication in the system;
The safety mechanism management module is used for managing the safety mechanism;
the security reinforcement module is arranged on the application layer and is used for defending attack behaviors;
The security audit module is used for auditing the security event;
and the centralized management module is used for providing centralized management, strategy configuration, log management and alarm management for the operating system.
2. The active immune-based manageable operating system according to claim 1, wherein,
The user access management module is used for executing the following steps:
Authenticating the identity of the user;
Based on the forced access control mechanism, implementing confidentiality and integrity double check and verification to the user;
After passing, grant is used to access system resources.
3. The active immune-based manageable operating system according to claim 2, wherein,
The security kernel module includes: a security judgment module and a judgment implementation module;
The safety judging module judges whether the safety related behavior can be executed or not based on the safety information;
the decision enforcement module is responsible for executing tasks to be executed by the security-related actions that have been licensed.
4. The active immune-based manageable operating system according to claim 3, wherein,
An independent information supporting mechanism is arranged in the safety judging module;
The safety information corresponds to the information supporting mechanism one by one;
in the security judgment process, the security judgment module determines the adopted security information according to the type of the security request and then processes the corresponding information support mechanism of the judgment task of the security request.
5. The active immune-based manageable operating system according to claim 1, wherein,
The trusted communication module supports a trusted computing dual system;
the functions of the trusted communication module include: trusted boot, static metrics, dynamic metrics, trusted metrics management services, and trusted backup services.
6. The active immune-based manageable operating system according to claim 5, wherein,
The trusted boot is a trust root based on a trusted computing chip TCM;
the trust root consists of a BIOS CRTM module and a trusted chip;
After the TCM is powered on, the CRTM module program is executed to measure and expand the CRTM data, the BIOS data and the platform expansion items into the position of the trusted chip platform configuration register PCR number 0, and record the measurement event into the event log.
7. The active immune-based manageable operating system according to claim 6, wherein,
The static metrics include: a metrology mechanism and a static metrology target object, the metrology mechanism comprising: an integrity challenge mechanism and an integrity verification mechanism, the static metric target object comprising: the method comprises the steps of an initial kernel, a kernel module, an executable file loaded by a process, a dynamic library loaded by the process and a configuration file of the process;
The dynamic measurement is a dynamic measurement model based on information flow, and the dynamic measurement target object is a process and a kernel module.
8. The active immune-based manageable operating system according to any one of claim 1 to 7, wherein,
The safety mechanism management module is used for adding and expanding a safety mechanism in the kernel space and the user space;
The safety mechanism management module is optimized by safety technology enhancement; the security technology enhancement optimization includes: autonomous access control, mandatory access control, tagging, identity authentication, object reuse, auditing, data integrity, covert channel analysis, trusted path, trusted recovery.
9. The active immune-based manageable operating system according to claim 8, wherein,
The security reinforcement module is used for defending attack actions, and specifically comprises the following steps:
immunization against "known" and "unknown" aggression;
the security reinforcement module is used for defending attack behaviors and comprises the following steps:
Establishing a white list mechanism;
Protecting based on the white list;
Reconstructing a 'security subsystem' of an operating system by using three access control security model combinations of the enhancement type DTE, RBAC, BLP;
all relevant resource access actions are monitored, forming a stereo guard to ensure implementation of a secure operating system.
10. The active immune-based manageable operating system according to claim 8, wherein,
The security audit module is used for executing the following steps:
recording and inquiring the log, wherein the types of the log comprise a program log, a peripheral log, a user log, a resource monitoring log and a log of a WEB account and an operation log;
the content of the log comprises specific time, log type, user name, event description, response mode and execution object;
and auditing the log, and identifying abnormal log data.
CN202410892900.5A 2024-07-04 2024-07-04 Manageable operating system based on active immunity Pending CN118862085A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202410892900.5A CN118862085A (en) 2024-07-04 2024-07-04 Manageable operating system based on active immunity

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202410892900.5A CN118862085A (en) 2024-07-04 2024-07-04 Manageable operating system based on active immunity

Publications (1)

Publication Number Publication Date
CN118862085A true CN118862085A (en) 2024-10-29

Family

ID=93172357

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202410892900.5A Pending CN118862085A (en) 2024-07-04 2024-07-04 Manageable operating system based on active immunity

Country Status (1)

Country Link
CN (1) CN118862085A (en)

Similar Documents

Publication Publication Date Title
CN109923548B (en) Method, system and computer program product for implementing data protection by supervising process access to encrypted data
US9665708B2 (en) Secure system for allowing the execution of authorized computer program code
US7461249B1 (en) Computer platforms and their methods of operation
JP2686218B2 (en) Alias detection method on computer system, distributed computer system and method of operating the same, and distributed computer system performing alias detection
US20030041250A1 (en) Privacy of data on a computer platform
TWI494785B (en) System and method for providing a system management command
WO2013090314A1 (en) Secure operating system/web server systems and methods
CN112784258A (en) Trusted computing system and safety protection system
CN118862085A (en) Manageable operating system based on active immunity
KR20100067383A (en) Server security system and server security method
CN117235818A (en) Encryption authentication method and device based on solid state disk, computer equipment and medium
CN118821233A (en) Trusted computer storage system based on TPCM technology
Wittinger et al. Tivoli Access Manager for Operating Systems 5.1 Security Target
Benantar Foundations of Security and Access Control in Computing
RCW06D-ASE Security Target for RedCastle v2. 0 for Windows
Taylor The Last Line of Defense
Taylor et al. A Comparison of Authentication, Authorization and Auditing in Windows and Linux

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination