| 基于可信计算的策略标签保护架构 | |
| 刘孜文 ; 冯登国 ; 于爱民 | |
| 刊名 | 计算机研究与发展
 |
| 2011 | |
| 卷号 | 48期号:12页码:2219-2226 |
| 关键词 | 策略标签保护 可信计算 访问控制 加密文件系统 完整性度量 |
| ISSN号 | 1000-1239 |
| 其他题名 | a trusted computing-based security architecture for policy-label protection |
| 中文摘要 | 策略和标签是访问控制技术中的核心内容,决定了一个访问控制系统的实施内容.现今的大部分安全系统对策略的保护较为严格,但对标签的保护却缺乏一个完善、系统的保护方案,这导致即使策略本身是安全的、完备的,恶意者仍然可以通过篡改用作策略实施判断的标签来危害系统,系统安全仍然无法保证.为此提出了一个保护架构,着重保护系统中的安全标签.它通过使用加密文件系统、完整性度量等机制扩展可信计算芯片的控制范围,将标签置于可信计算的保护范围内,从而防止标签遭受篡改,确保其安全性.最后给出其基于Linux操作系统的原型实现. |
| 英文摘要 | Policies and labels are the most important parts in access control technique. Labels present some security properties of the subject and the object, meanwhile policies present some logical algorithms based on the security properties carried by labels. The enforcement of access control system can be mainly decided by these two factors. Nowadays most security systems can give a well protection to the policies, but almost none of them have systemic and well-defined methods to protect labels. They just believe that the operation system can do the work itself. The lack of label protection leads to a result that even the policies are secure and well-defined, malwares can still do harms to the system by tempering the labels. Then the system is unsafe in the end. An architecture mainly to protect the security labels in the system by using TPM (trusted computing module) chip is proposed. TPM chip is a kind of hardware provided by TCG (Trusted Computing Group). It can be used to build a TCB (trusted computing base) in a secure system. But the TCB here is too small to hold labels. By using some mechanisms such as encrypting file system and integrity measurement, we extend the edge of the TPM chip's control area and keep the labels into this area in order to enhance the safety of access control system. Implementation of a prototype system on the Linux OS is given and the experiments show the security and efficiency of our implementation. |
| 收录类别 | CNKI ; EI ; WANFANG |
| 资助信息 | 国家科技支撑计划基金项目(2008BAH22B06)|国家“八六三”高技术研究发展计划基金项目(2007AA01Z412,2007AA01Z465)|国家自然科学基金项目(60970028) |
| 语种 | 中文 |
| 公开日期 | 2013-10-08 |
| 内容类型 | 期刊论文 |
| 源URL | [http://ir.iscas.ac.cn/handle/311060/16131]  |
| 专题 | 软件研究所_软件所图书馆_期刊论文 |
| 推荐引用方式 GB/T 7714 | 刘孜文,冯登国,于爱民. 基于可信计算的策略标签保护架构[J]. 计算机研究与发展,2011,48(12):2219-2226. |
| APA | 刘孜文,冯登国,&于爱民.(2011).基于可信计算的策略标签保护架构.计算机研究与发展,48(12),2219-2226. |
| MLA | 刘孜文,et al."基于可信计算的策略标签保护架构".计算机研究与发展 48.12(2011):2219-2226. |
| 个性服务 |
| 查看访问统计 |
| 相关权益政策 |
| 暂无数据 |
| 收藏/分享 |
除非特别说明,本系统中所有内容都受版权保护,并保留所有权利。
修改评论