CN111400723A - Mandatory access control method and system for operating system kernel based on TEE extension - Google Patents
- Publication number: CN111400723A
- Application number: CN202010251285.1A
- Authority: CN (China)
- Prior art keywords: access control, TEE, kernel, access, verification
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- G06F21/57: Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- G06F21/604: Tools and structures for managing or administering access control systems
- G06F2221/2141: Access rights, e.g. capability lists, access control lists, access tables, access matrices
Abstract
The invention discloses a TEE-extension-based mandatory access control method and system for an operating system kernel. When an access behavior is detected in the REE system, the interface of the access control enhanced verification framework in the TEE system is called. The framework calls the processing function that corresponds to the access operation type in the call request, and that processing function decides, from the access operation type, subject information and object information in the call request, whether the access passes access control enhanced verification. If it passes, the access behavior is then matched in the REE system against the preset kernel access control rule base, and it is allowed to continue only if a matching rule is found; otherwise the access behavior is denied. The invention strengthens the operating system's mandatory access control mechanism on the basis of the TEE security extension, and has the advantages of comprehensive protection, a high verification level, safety and reliability, good generality and strong extensibility.
Description
Technical field
The invention relates to the field of information security of computer operating systems, and in particular to a TEE-extension-based mandatory access control method and system for an operating system kernel.
Background
The operating system is the foundation of information security protection, and whether it can dynamically protect the security of system resources at run time is a problem that must be solved. Mandatory access control is one of the key technologies for run-time security protection of an operating system: based on access control rules, it enforces kernel-level access control over the access behaviors between the various subjects and system objects in the operating system, protecting the security of system resources. Linux supports operating system mandatory access control through the LSM mandatory access control framework, which divides mandatory access control into two parts, enforcement and decision. The object manager is responsible for managing the security labels of subject and object objects and for enforcing control over access behaviors: it obtains the security decision of the access control policy through HOOK functions (hook functions) inserted into the access path, and determines from the decision result whether the access is allowed to continue. The security policy is responsible for reaching a decision on the current access between subject and object according to the access control rules. The LSM framework provides pluggable support for multiple security policies; the mandatory access control security policies currently supported in Linux include SELinux, AppArmor and others, and they already play an important role in the security hardening of mainstream operating systems such as Linux and Android.
With the advance of technologies such as cloud computing and the Internet of Things, the openness of information systems exposes operating system security to more threats. The operating system kernel runs at the EL1 level, and the subject and object objects in the system (processes, data and so on) as well as the core configuration data of the access control mechanism are all stored in the operating system kernel. Once an attacker compromises the kernel, for example through a kernel vulnerability or a low-level virtual machine attack, the key information on which mandatory access control depends can be tampered with and the protection of mandatory access control bypassed. For example, in key operations such as process execution and file access, the mandatory access control mechanism makes its decision only from the security attributes of the subject and object and makes no judgment about the integrity of the subject and object objects. If an attacker exploits a system vulnerability to tamper with those objects (such as a process execution image or file contents), the tampered objects can still pass the check of the mandatory access control mechanism. Mandatory access control therefore needs a higher level of security-enhanced verification for the specific needs of security-sensitive scenarios. At the same time, the mandatory access control mechanism is always executed with the security policy configuration as its guiding principle. Tampering with the security policy configuration is tantamount to modifying the "legal basis" for secure operation in the operating system world and causes the access control mechanism to fail, so the integrity of the core access control data is one of the problems that must be solved. For this reason, an operating system kernel mandatory access control method must be designed that can provide the operating system, from a higher run level, with access control enhanced verification and an extension that protects the integrity of core data.
The emerging TEE (Trusted Execution Environment) technology uses low-level hardware support to provide upper-layer software with a trusted execution environment in which CPU, memory, cache and so on are strongly isolated and which runs at a higher CPU level, giving upper-layer software a basis of trust for building a secure and trustworthy computing environment. There have already been breakthroughs in TEE-based security technologies such as operating system monitoring and trusted computing, and as research advances, more and more operating system services and applications will rely on the TEE for security hardening. Strengthening the operating system's mandatory access control mechanism on the basis of the TEE security extension therefore has good application prospects and is a key technical problem in urgent need of study.
Summary of the invention
Technical problem to be solved by the invention: in view of the above problems of the prior art, a TEE-extension-based mandatory access control method and system for an operating system kernel are provided. The invention strengthens the operating system's mandatory access control mechanism on the basis of the TEE security extension, and has the advantages of comprehensive protection, a high verification level, safety and reliability, good generality and strong extensibility.
To solve the above technical problem, the technical solution adopted by the invention is:
A TEE-extension-based mandatory access control method for an operating system kernel, whose implementation steps include:
1) When an access behavior is detected in the REE system, the interface of the access control enhanced verification framework in the TEE system is called; the framework calls the processing function that corresponds to the access operation type in the call request; the processing function decides, from the access operation type, subject information and object information in the call request, whether the access passes access control enhanced verification; if it passes, execution jumps to the next step; otherwise the access behavior is denied, and the method ends and exits;
2) In the REE system, the access behavior is matched against the preset kernel access control rule base; only if the rule base contains a matching rule is the access behavior allowed to continue; otherwise the access behavior is denied.
Optionally, before the interface of the access control enhanced verification framework in the TEE system is called in step 1), the method further includes checking the value of the enhanced verification switch: if the switch is on, the interface of the access control enhanced verification framework in the TEE system is called; otherwise execution jumps directly to step 2).
Optionally, the method further includes a step in which the TEE system periodically verifies the integrity of the kernel access control rule base located in shared memory: by means of the trusted clock interrupt setting of the underlying platform, an integrity measurement value of the kernel access control rule base is generated in the TEE system at fixed time intervals and compared with the integrity measurement reference value stored in the TEE system; if the two are consistent, integrity verification is judged to have passed; if not, integrity verification is judged to have failed and an alarm message is output.
Optionally, the method further includes a step in which the TEE system periodically verifies the integrity of the key security information of the subjects currently running in the system: by means of the trusted clock interrupt setting of the underlying platform, the key security information of each subject, which is stored in memory shared with the TEE system, is read in the TEE system at fixed time intervals; an integrity measurement value of this key security information is generated and compared with the integrity measurement reference value stored in the TEE system; if the two are consistent, integrity verification is judged to have passed; if not, integrity verification is judged to have failed and an alarm message is output.
Optionally, the REE system further includes a security configuration file used to generate the kernel access control rule base during system startup. The security configuration file is located in user space in the REE system, and before it is loaded during system startup the method further includes a step in which the TEE system verifies its integrity: the security configuration file is read, its integrity measurement value is generated and compared with the integrity measurement reference value stored in the TEE system; if the two are consistent, integrity verification is judged to have passed and loading the security configuration file is allowed; if not, integrity verification is judged to have failed, loading the security configuration file is prohibited and an alarm message is output.
Optionally, the method further includes a step in which the TEE system checks write operations on the security configuration file: if a write operation on the security configuration file is detected by the REE system, information about the application performing the write is obtained and pushed to the TEE for security verification. This information includes the application's subject and integrity measurement value. If the application's subject is not the security administrator, or the integrity measurement value is inconsistent with the stored integrity measurement reference value, the write operation on the security configuration file is denied; otherwise it is allowed.
In addition, the invention also provides a TEE-extension-based operating system kernel mandatory access control system, comprising:
an object manager program module, used to call the interface of the access control enhanced verification framework in the TEE system when an access behavior is detected in the REE system; the framework calls the processing function that corresponds to the access operation type in the call request; the processing function decides, from the access operation type, subject information and object information in the call request, whether the access passes access control enhanced verification; if it passes, execution jumps to the access permission decision program module; otherwise the access behavior is denied, and processing ends and exits;
an access permission decision program module, used to match the access behavior against the preset kernel access control rule base in the REE system; only if the rule base contains a matching rule is the access behavior allowed to continue; otherwise the access behavior is denied.
In addition, the invention also provides a TEE-extension-based operating system kernel mandatory access control system comprising a computer device that is programmed or configured to execute the steps of the TEE-extension-based operating system kernel mandatory access control method.
In addition, the invention also provides a TEE-extension-based operating system kernel mandatory access control system comprising a computer device whose memory stores a computer program programmed or configured to execute the TEE-extension-based operating system kernel mandatory access control method.
In addition, the invention also provides a computer-readable storage medium storing a computer program programmed or configured to execute the TEE-extension-based operating system kernel mandatory access control method.
Compared with the prior art, the invention has the following advantages: when an access behavior is detected in the REE system, the invention calls the interface of the access control enhanced verification framework in the TEE system; the framework calls the processing function that corresponds to the access operation type in the call request; the processing function decides, from the access operation type, subject information and object information in the call request, whether the access passes access control enhanced verification; if it passes, the access behavior is further matched in the REE system against the preset kernel access control rule base, and only if the rule base contains a matching rule is the access behavior allowed to continue; otherwise the access behavior is denied. The invention strengthens the operating system's mandatory access control mechanism on the basis of the TEE security extension, and has the advantages of comprehensive protection, a high verification level, safety and reliability, good generality and strong extensibility.
Description of drawings
FIG. 1 is a schematic diagram of the basic flow of the method according to an embodiment of the invention.
FIG. 2 is a schematic diagram of the architecture of the system according to an embodiment of the invention.
Detailed description
The TEE-extension-based operating system kernel mandatory access control method and system of the invention are described in further detail below, taking the TEE environment (Trusted Execution Environment) of the domestic Phytium (Feiteng) CPU as an example. The REE system in the REE environment (Rich Execution Environment, the general-purpose computing environment) runs the Kylin operating system, and the mandatory access control module is implemented through the LSM access control framework.
As shown in FIG. 1, the implementation steps of the TEE-extension-based operating system kernel mandatory access control method of this embodiment include:
1) When an access behavior is detected in the REE system (the general-purpose operating system), the interface of the access control enhanced verification framework in the TEE system (the trusted execution system) is called; the framework calls the processing function that corresponds to the access operation type in the call request; the processing function decides, from the access operation type, subject information and object information in the call request, whether the access passes access control enhanced verification; if it passes, execution jumps to the next step; otherwise the access behavior is denied, and the method ends and exits;
2) In the REE system, the access behavior is matched against the preset kernel access control rule base; only if the rule base contains a matching rule is the access behavior allowed to continue; otherwise the access behavior is denied.
In this embodiment, the access control enhanced verification framework in the TEE system exposes an access control interface that is called when an access behavior is detected in the REE system. As shown in FIG. 2, the REE system's call to the interface of the access control enhanced verification framework in the TEE system has to go through the monitor in the TEE system. The framework contains multiple processing functions (processing functions 1 to n), which handle access control enhanced verification for different operation types.
Because switching between the security states of the two worlds, the TEE system and the REE system, is expensive, as an optional implementation, and so that the enhanced verification framework can be optionally enabled, step 1) further includes, before the interface of the access control enhanced verification framework in the TEE system is called, checking the value of the enhanced verification switch: if the switch is on, the interface of the access control enhanced verification framework in the TEE system is called; otherwise execution jumps directly to step 2). The enhanced verification framework can thus be optionally enabled through the value of the enhanced verification switch. To prevent users from turning off the enhanced verification framework on their own, this embodiment further includes a step in which the TEE system checks write operations on the enhanced verification switch: if a write operation on the switch is detected, information about the application performing the write is obtained, including the application's subject and integrity measurement value; if the application's subject is not the security administrator, or the integrity measurement value is inconsistent with the stored integrity measurement reference value, the write operation on the enhanced verification switch is denied; otherwise it is allowed. In this way an enhanced verification switch is provided on the REE system side; it is off by default and is turned on only for operations that require enhanced verification.
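The flow of steps 1) and 2) together with the enhanced verification switch, modelled in plain C as an added example (not code from the patent or from any TEE or LSM implementation). The role name, paths, measurement value, the per-operation switch array and the deny-when-no-handler behaviour are assumptions of this sketch; the handler applies the check the embodiment describes for writes to the security configuration file and to the switch.

```c
/* Added example: TEE enhanced verification followed by the REE rule-base match.
 * All names, paths and measurement values are constructed for illustration. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>

enum op_type { OP_FILE_READ, OP_CONFIG_WRITE, OP_SWITCH_WRITE, OP_COUNT };
enum verdict { DENY = 0, ALLOW = 1 };

struct access_req {
    enum op_type op;       /* access operation type */
    const char *subject;   /* subject information (here: a role name) */
    const char *object;    /* object information (here: a path) */
    uint64_t app_measure;  /* integrity measurement of the requesting application */
};

/* ---------------- TEE side (modelled; reached through the monitor) ---------------- */
#define SEC_ADMIN "sec_admin"
static const uint64_t CONFIG_TOOL_BASELINE = 0x5eedc0de0badf00dULL; /* constructed */
static unsigned tee_calls;  /* counts world switches, to show what the switch saves */

/* Handler shared by config-file writes and switch writes: the subject must be the
 * security administrator and the application measurement must equal the baseline. */
static enum verdict tee_verify_admin_write(const struct access_req *r) {
    if (strcmp(r->subject, SEC_ADMIN) != 0) return DENY;
    return r->app_measure == CONFIG_TOOL_BASELINE ? ALLOW : DENY;
}

typedef enum verdict (*tee_handler)(const struct access_req *);
static const tee_handler tee_handlers[OP_COUNT] = {
    [OP_CONFIG_WRITE] = tee_verify_admin_write,
    [OP_SWITCH_WRITE] = tee_verify_admin_write,   /* OP_FILE_READ: no handler here */
};

/* Framework entry point: dispatch on the operation type. A missing handler means
 * deny, a fail-closed choice made for this example. */
static enum verdict tee_enhanced_verify(const struct access_req *r) {
    tee_calls++;
    if ((unsigned)r->op >= OP_COUNT || !tee_handlers[r->op]) return DENY;
    return tee_handlers[r->op](r);
}

/* ---------------- REE side (LSM-style hook) ---------------- */
struct rule { const char *subject, *object; enum op_type op; };
static const struct rule rule_base[] = {
    { "sec_admin", "/etc/mac/policy.conf", OP_CONFIG_WRITE },
    { "alice",     "/etc/mac/policy.conf", OP_CONFIG_WRITE }, /* over-broad on purpose */
    { "alice",     "/home/alice/notes",    OP_FILE_READ    },
};
/* Enhanced verification switch, off by default; one flag per operation type is this
 * example's reading of "turned on only for operations that require it". */
static int enhanced_switch[OP_COUNT] = { [OP_CONFIG_WRITE] = 1, [OP_SWITCH_WRITE] = 1 };

static enum verdict rule_base_match(const struct access_req *r) {
    for (size_t i = 0; i < sizeof rule_base / sizeof rule_base[0]; i++)
        if (rule_base[i].op == r->op && !strcmp(rule_base[i].subject, r->subject) &&
            !strcmp(rule_base[i].object, r->object))
            return ALLOW;
    return DENY;                        /* no matching rule: deny */
}

enum verdict ree_check_access(const struct access_req *r) {
    if ((unsigned)r->op >= OP_COUNT) return DENY;
    if (enhanced_switch[r->op] && tee_enhanced_verify(r) != ALLOW)
        return DENY;                    /* step 1 failed */
    return rule_base_match(r);          /* step 2 */
}

/* Writes to the switch are always verified in the TEE, so a non-administrator or a
 * modified program cannot turn enhanced verification off. */
int ree_set_switch(const struct access_req *who, enum op_type target, int on) {
    struct access_req r = *who;
    r.op = OP_SWITCH_WRITE;
    if ((unsigned)target >= OP_COUNT || tee_enhanced_verify(&r) != ALLOW) return -1;
    enhanced_switch[target] = on;
    return 0;
}

int main(void) {
    struct access_req ok = { OP_CONFIG_WRITE, SEC_ADMIN, "/etc/mac/policy.conf",
                             CONFIG_TOOL_BASELINE };
    struct access_req bad = ok;
    bad.app_measure ^= 1;               /* same user, modified configuration tool */
    printf("admin, intact tool:   %d\n", ree_check_access(&ok));
    printf("admin, modified tool: %d\n", ree_check_access(&bad));
    printf("TEE calls so far:     %u\n", tee_calls);
    return 0;
}
```

The second rule is deliberately too permissive: the rule base alone would let `alice` write the policy file, and only the TEE stage refuses it.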
While the operating system is running, the kernel access control rule base is the basis on which the access control mechanism makes its security decisions; if the rules are maliciously tampered with by an attacker, the enforcement of access control is directly affected. This embodiment therefore also provides integrity protection for the access control rule base in the kernel. It further includes a step in which the TEE system periodically verifies the integrity of the kernel access control rule base located in shared memory: by means of the trusted clock interrupt setting of the underlying platform, an integrity measurement value of the kernel access control rule base is generated in the TEE system at fixed time intervals and compared with the integrity measurement reference value stored in the TEE system; if the two are consistent, integrity verification is judged to have passed; if not, integrity verification is judged to have failed and an alarm message is output. When the REE system loads the security policy configuration, the REE system kernel first registers a region of shared memory with the TEE for storing the kernel access control rule base. Once the kernel access control rule base has been generated, the TEE system is notified to generate an integrity measurement value for the current rule base, which is stored in the TEE system as the integrity measurement reference value. Referring to FIG. 1, when an access behavior occurs while the system is running, the REE system first calls the access control enhanced verification framework interface in the TEE, and the framework calls the corresponding enhanced verification processing function according to the access operation type in the parameters. The parameters include the current operation type, the subject information of the access operation (user ID, user security attributes and so on) and the object information (file name, security attributes and so on). After access control enhanced verification has passed, the REE system goes on to match the kernel access control rule base, and the operation is allowed to continue only if there is a matching rule. As shown in FIG. 2, this function is implemented by the shared memory verification module of the core data integrity verification unit, and the integrity measurement reference value is stored in advance in the integrity measurement reference library.
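The baseline-then-periodic-check cycle for the rule base in shared memory, as an added C example that is not part of the patent. It assumes SHA-256 as the integrity measurement (the patent does not name an algorithm), models the trusted timer interrupt as a direct function call, and uses a constructed rule text.

```c
/* Added example: TEE-side baseline and periodic check of the rule base in shared
 * memory. SHA-256 is this example's choice; rule text and layout are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

static const uint32_t K[64] = {
0x428a2f98,0x71374491,0xb5c0fbcf,0xe9b5dba5,0x3956c25b,0x59f111f1,0x923f82a4,0xab1c5ed5,
0xd807aa98,0x12835b01,0x243185be,0x550c7dc3,0x72be5d74,0x80deb1fe,0x9bdc06a7,0xc19bf174,
0xe49b69c1,0xefbe4786,0x0fc19dc6,0x240ca1cc,0x2de92c6f,0x4a7484aa,0x5cb0a9dc,0x76f988da,
0x983e5152,0xa831c66d,0xb00327c8,0xbf597fc7,0xc6e00bf3,0xd5a79147,0x06ca6351,0x14292967,
0x27b70a85,0x2e1b2138,0x4d2c6dfc,0x53380d13,0x650a7354,0x766a0abb,0x81c2c92e,0x92722c85,
0xa2bfe8a1,0xa81a664b,0xc24b8b70,0xc76c51a3,0xd192e819,0xd6990624,0xf40e3585,0x106aa070,
0x19a4c116,0x1e376c08,0x2748774c,0x34b0bcb5,0x391c0cb3,0x4ed8aa4a,0x5b9cca4f,0x682e6ff3,
0x748f82ee,0x78a5636f,0x84c87814,0x8cc70208,0x90befffa,0xa4506ceb,0xbef9a3f7,0xc67178f2};
#define ROR(x, n) (((x) >> (n)) | ((x) << (32 - (n))))

/* SHA-256 compression of one 64-byte block (FIPS 180-4). */
static void sha256_block(uint32_t h[8], const uint8_t *b) {
    uint32_t w[64], s[8];
    for (int i = 0; i < 16; i++)
        w[i] = ((uint32_t)b[4*i] << 24) | ((uint32_t)b[4*i+1] << 16) |
               ((uint32_t)b[4*i+2] << 8) | (uint32_t)b[4*i+3];
    for (int i = 16; i < 64; i++) {
        uint32_t s0 = ROR(w[i-15], 7) ^ ROR(w[i-15], 18) ^ (w[i-15] >> 3);
        uint32_t s1 = ROR(w[i-2], 17) ^ ROR(w[i-2], 19) ^ (w[i-2] >> 10);
        w[i] = w[i-16] + s0 + w[i-7] + s1;
    }
    memcpy(s, h, sizeof s);
    for (int i = 0; i < 64; i++) {
        uint32_t S1 = ROR(s[4], 6) ^ ROR(s[4], 11) ^ ROR(s[4], 25);
        uint32_t ch = (s[4] & s[5]) ^ (~s[4] & s[6]);
        uint32_t t1 = s[7] + S1 + ch + K[i] + w[i];
        uint32_t S0 = ROR(s[0], 2) ^ ROR(s[0], 13) ^ ROR(s[0], 22);
        uint32_t mj = (s[0] & s[1]) ^ (s[0] & s[2]) ^ (s[1] & s[2]);
        s[7] = s[6]; s[6] = s[5]; s[5] = s[4]; s[4] = s[3] + t1;
        s[3] = s[2]; s[2] = s[1]; s[1] = s[0]; s[0] = t1 + S0 + mj;
    }
    for (int i = 0; i < 8; i++) h[i] += s[i];
}

void sha256(const uint8_t *msg, size_t len, uint8_t out[32]) {
    uint32_t h[8] = {0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a,
                     0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19};
    uint8_t tail[128] = {0};
    size_t full = len / 64, rem = len % 64, tlen = (rem < 56) ? 64 : 128;
    uint64_t bits = (uint64_t)len * 8;
    for (size_t i = 0; i < full; i++) sha256_block(h, msg + 64 * i);
    memcpy(tail, msg + 64 * full, rem);
    tail[rem] = 0x80;                                   /* padding marker */
    for (int i = 0; i < 8; i++) tail[tlen - 1 - i] = (uint8_t)(bits >> (8 * i));
    sha256_block(h, tail);
    if (tlen == 128) sha256_block(h, tail + 64);
    for (int i = 0; i < 8; i++) {
        out[4*i]   = (uint8_t)(h[i] >> 24); out[4*i+1] = (uint8_t)(h[i] >> 16);
        out[4*i+2] = (uint8_t)(h[i] >> 8);  out[4*i+3] = (uint8_t)h[i];
    }
}

struct tee_state { uint8_t baseline[32]; int has_baseline; unsigned alarms; };

/* Compare digests without an early exit on the first differing byte. */
static int digest_equal(const uint8_t *a, const uint8_t *b) {
    uint8_t d = 0;
    for (int i = 0; i < 32; i++) d |= (uint8_t)(a[i] ^ b[i]);
    return d == 0;
}

/* Called when the REE reports the rule base is built, and after an authorised change. */
void tee_set_baseline(struct tee_state *t, const uint8_t *shm, size_t len) {
    sha256(shm, len, t->baseline);
    t->has_baseline = 1;
}

/* Body of the trusted-timer interrupt handler: 1 = verified, 0 = failed (alarm). */
int tee_periodic_check(struct tee_state *t, const uint8_t *shm, size_t len) {
    uint8_t now[32];
    if (t->has_baseline) {
        sha256(shm, len, now);
        if (digest_equal(now, t->baseline)) return 1;
    }
    t->alarms++;          /* stands in for "output an alarm message" */
    return 0;
}

int main(void) {
    static uint8_t shm[] = "allow sec_admin /etc/mac/policy.conf write\n"
                           "allow alice /home/alice/notes read\n";
    size_t n = sizeof shm - 1;
    struct tee_state tee = {0};
    tee_set_baseline(&tee, shm, n);
    printf("tick 1: %d\n", tee_periodic_check(&tee, shm, n));
    shm[n - 2] ^= 1;      /* a single changed byte in the shared rule base */
    printf("tick 2: %d (alarms=%u)\n", tee_periodic_check(&tee, shm, n), tee.alarms);
    return 0;
}
```

A check that runs before any baseline exists is counted as a failure rather than a pass, so an uninitialised reference value cannot be mistaken for a verified rule base.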
To protect the key security information of the user process subjects running in the REE system, this embodiment further includes a step in which the TEE system periodically verifies the integrity of the key security information of the subjects currently running in the system: by means of the trusted clock interrupt setting of the underlying platform, the key security information of each subject, which is stored in memory shared with the TEE system, is read in the TEE system at fixed time intervals; an integrity measurement value of this key security information is generated and compared with the integrity measurement reference value stored in the TEE system; if the two are consistent, integrity verification is judged to have passed; if not, integrity verification is judged to have failed (the integrity of the key information of the user process subject is considered to have been tampered with) and an alarm message is output. The subject information here is the key information of the mandatory access control subject (the process), for example the user, the security attribute label and the execution image. While the system is running, the key information of each process (for example the user, the security attribute label and the execution image) is stored in memory shared with the TEE system, and the TEE system checks the integrity of the key information of the user process subjects in the system at regular intervals at run time. As shown in FIG. 2, this function is implemented by the process label verification module of the core data integrity verification unit, and the integrity measurement reference value is stored in advance in the integrity measurement reference library.
The REE system of this embodiment further includes a security configuration file used to generate the kernel access control rule base during system startup; the security configuration file is located in user space in the REE system. Before the security configuration file is loaded during system startup, there is also a step in which the TEE system periodically verifies the integrity of the security configuration file: the security configuration file is read, its integrity measurement value is generated and compared with the integrity measurement reference value stored in the TEE system; if the two are consistent, integrity verification is judged to have passed and loading the security configuration file is allowed; if not, integrity verification is judged to have failed, loading the security configuration file is prohibited and an alarm message is output. Once loading is allowed, the REE system goes on to read the configuration file from the file system and generates the kernel access control rule base in the kernel from the contents of the configuration file; if the values are inconsistent, the security configuration of the operating system has been illegally modified, an error is returned, and the REE system reports the error and aborts system startup. In addition, this embodiment further includes a step in which the TEE system checks write operations on the security configuration file: if a write operation on the security configuration file is detected by the REE system, information about the application performing the write is obtained and pushed to the TEE for security verification. This information includes the application's subject and integrity measurement value. If the application's subject is not the security administrator, or the integrity measurement value is inconsistent with the integrity measurement reference value stored in the TEE system, the write operation on the security configuration file is denied; otherwise it is allowed. As shown in FIG. 2, this function is implemented by the configuration file verification module of the core data integrity verification unit, and the integrity measurement reference value is stored in advance in the integrity measurement reference library.
To protect the security configuration file, this embodiment uses the TEE's enhanced verification function so that the file can be read and written only through designated configuration commands. When a configuration command is executed, the TEE first verifies the legitimacy of the user executing it and the integrity of the executable file. To protect the integrity of the security configuration file, TEE enhanced verification forbids rewriting the configuration file directly in the REE operating system and allows configuration only through a specific security configuration tool. When the REE object manager detects that the configuration file is about to be modified, the system first obtains information such as the user of the configuring process and the integrity measurement value of its executable file and sends it to the TEE, which verifies the legitimacy of the user and the integrity of the configuration command program. A user's security configuration includes adding, deleting and modifying access control rules. A configuration change is first applied to the kernel access control rule base and then written to the configuration file. After the change is complete, the system switches to the TEE state and regenerates the integrity measurement baseline values for the kernel access control rule base and the configuration file. As shown in Fig. 2, this function is implemented by the configuration process verification module of the core data integrity verification unit, and the integrity measurement baseline values are stored in advance in the integrity measurement baseline library.
As Fig. 2 shows, this embodiment divides the system into two parts, the REE system and the TEE system, according to the operating mode of the hardware platform. The goal of this embodiment is to use TEE-based extensions to apply security-enhanced kernel mandatory access control to the operating system running in the REE. Mandatory access control in the REE system mainly comprises the object management module, the access permission decision module and the access rule configuration module in the kernel layer, and the out-of-kernel security configuration management module in the user layer. The main functions of these modules are as follows:
Object management module. This module manages the various subject and object entities in the operating system, including processes, files, sockets and so on. It maintains a security attribute for every newly created object in the system, inserts HOOK functions into the various access operations of the system kernel, calls TEE access control enhanced verification and the REE access permission decision module, and enforces access control according to the decision result.
Access permission decision module. When an access occurs in the system, this module obtains the security attributes of the subject and the object involved in that access and queries the access rule configuration module to check whether such an access is allowed under the current rule configuration. If the configured rules do not allow it, the access operation is denied.
The kernel access control rule base holds all the security policy configuration that the system's security administrator has made for the operating system, including the security attributes of the various subjects and objects in the system and the kernel access control rules, which state what is permitted when access occurs between subjects and objects with different security attributes. The kernel access control rule base resides in memory shared between the REE and the TEE, so the TEE can verify its integrity directly while the operating system is running.
Out-of-kernel security configuration management module. This module provides, in the user layer, the configuration interface for the security policy and saves the security policy configuration in the file system. The security policy configuration for mandatory access control is stored as a file in the operating system's file system. The configuration file holds the policy's set of mandatory access control rules and the security attributes of the subjects (processes, sockets and so on) and objects (files and so on) in the system. When the operating system starts, this configuration is loaded into the kernel, where the kernel access control rule base is generated. To protect the configuration file, the system relies on TEE-based checks so that only an authorized user (the security administrator) can modify the security configuration file, and only through the designated security configuration tool.
In the REE system kernel, this embodiment implements an access control interface that enforces control over the access rights of kernel entities; the control decision is reached by calling TEE access control enhanced verification and matching the kernel access control rule base. The mandatory access control security policy file (the security configuration file) is installed outside the kernel. Setting up mandatory access control comprises the following steps:
1.1) Assign a security attribute label to each entity in the operating system kernel; entities comprise the subjects and objects involved in kernel access operations. In this embodiment a security attribute label comprises a role attribute, a type attribute and a classification-level attribute, which together form a complete security attribute labelling system. The operating system environment of this embodiment is the Kylin operating system developed by the School of Computer Science, National University of Defense Technology, which supports extended security attribute labels on entities. This embodiment can equally support other operating systems that support extended attributes; it supports a variety of platforms and has the advantages of good generality and strong extensibility. Labels for application classification may also be stored in files, databases, memory or other forms as required, preferably in encrypted form. This embodiment stores an entity's security label in the extended attributes supported by the operating system: the extended attribute space is named security.secattr, and the security attribute label is stored in it.
1.2) Objects in the operating system kernel are classified by their attributes into multiple object classes. For each object class, a set of enforceable access operations is defined for access permission checks on that class.
1.3) A kernel access control rule base is maintained in the operating system kernel. It stores the kernel access control rules that define subject-to-object access in terms of the kernel's entities and object classes. Each rule specifies which access operation permissions a subject with a given security attribute label has on an object with a given security attribute label; these permissions lie within the set of enforceable access operations defined for the object's class. The kernel access control rule base is kept in memory shared with the TEE.
1.4) A kernel access control interface that enforces control over the access rights of kernel entities is implemented in the operating system kernel. When a subject in the kernel requests access to an object, the interface checks the access control rule linked list using the security attribute label of the subject, the security attribute label of the object and the object class of the current kernel access operation, and controls the permission for the current operation according to the result of that check. In this embodiment the entity classes in the kernel are defined to include process, file, dir, inode, msg and others. The access operations of an entity are closely tied to its class: the file class has operations such as open, read, write, getattr, setattr, link, unlink and rename, and the dir class has operations such as addname, unlink, read, getattr and setattr. When a subject requests an access operation on an object, the kernel access control rule base maintained by the system is checked to determine whether the current subject holds the requested access permission on the current object.
This embodiment implements the access control enhanced verification framework and the integrity verification of mandatory access control core data in the TEE and provides the corresponding interfaces. The framework implements, in the TEE, a corresponding verification handler for every controlled access behaviour in the REE. In the concrete implementation, because switching between the security states of the two worlds is expensive, an enhanced verification switch is provided on the REE side. It is off by default and is turned on only for operations that need enhanced verification, and the TEE side implements the corresponding verification handlers according to the verification logic. This embodiment focuses on process management interfaces (such as fork, execve and mmap) and file access interfaces (such as open, read, write, getattr, setattr, link, unlink and rename). For execve, for example, the TEE verifies whether the hash value of the process's executable file matches the relevant record in the integrity measurement baseline library. The mandatory access control core data comprises the subject and object security labels in the REE, the security configuration file, the kernel access control rule base and the system security configuration tool.
When the security configuration file is loaded during system startup, the TEE first verifies its integrity, and the file can be loaded only if verification passes. This embodiment includes measurement of configuration file integrity during startup: the integrity of the mandatory access control policy configuration file is first verified by the TEE. Only a configuration file that passes integrity verification is a legitimate security configuration that the system may load. When the operating system starts, it sends an integrity verification request to the TEE together with the integrity measurement value of the current configuration file. The TEE compares the received value with the configuration file integrity measurement value it holds and returns a pass if they are consistent. The REE system then goes on to read the configuration file from the file system and generates the kernel access control rule base in the kernel from its contents. If the values are inconsistent, the security configuration of the operating system has been illegally modified: an error is returned, and the REE system reports the error and aborts system startup. This embodiment also includes generation of the kernel access control rule base in the kernel from the security configuration file. While the operating system is running, the kernel access control rule base is the basis on which the access control mechanism makes security decisions; if an attacker maliciously tampers with the rules, the enforcement of access control is directly affected. This embodiment therefore protects the integrity of the access control rule base in the kernel. When the REE system loads the security policy configuration, the REE kernel first registers a region of shared memory with the TEE to hold the kernel access control rule base. Once the rule base has been generated, the TEE is notified to generate an integrity measurement value for the current kernel access control rule base and to store it in the TEE as the integrity measurement baseline value.
While the system is running in this embodiment, when an access occurs the REE system first calls the interface of the access control enhanced verification framework in the TEE, and the framework calls the enhanced verification handler that corresponds to the access operation type given in the parameters. The parameters comprise the current operation type, the subject information of the access (user ID, user security attributes and so on) and the object information (file name, security attributes and so on). Once access control enhanced verification has passed, the REE goes on to match the access against the kernel access control rule base, and the operation is allowed to continue only if a matching rule exists.
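The two-stage decision described above, as an added sketch in C that is not code from the patent. The operation names come from the page; the paths, UID, labels, digests and function names are hypothetical, and the direct call to `tee_enhanced_verify` stands in for the world switch into the TEE.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DIGEST_LEN 32
#define SECADM_UID 1000u                    /* hypothetical security administrator UID */
#define POLICY_PATH "/etc/mac/policy.conf"  /* hypothetical security configuration file */
#define CONF_TOOL "/usr/sbin/macconf"       /* hypothetical designated configuration tool */

enum mac_op { OP_EXECVE, OP_READ, OP_WRITE, OP_COUNT };
enum mac_result { MAC_ALLOW, MAC_DENY_TEE, MAC_DENY_RULE };

struct mac_request {
    enum mac_op op;
    uint32_t uid;               /* subject: user ID */
    const char *subj_label;     /* subject: security attribute label */
    const char *obj_name;       /* object: file name */
    const char *obj_label;      /* object: security attribute label */
    const uint8_t *exe_digest;  /* execve: measurement of the file to run; write: of the writer's image */
};

/* ---------- TEE side: baseline library and per-operation handlers ---------- */
struct baseline { const char *path; uint8_t digest[DIGEST_LEN]; };
static const struct baseline baseline_lib[] = {   /* constructed sample measurements */
    { CONF_TOOL,         { 0xA1, 0x5C } },
    { "/usr/bin/report", { 0x3E, 0x77 } },
};

static const struct baseline *find_baseline(const char *path) {
    for (size_t i = 0; i < sizeof baseline_lib / sizeof baseline_lib[0]; i++)
        if (strcmp(baseline_lib[i].path, path) == 0) return &baseline_lib[i];
    return NULL;
}

/* Compare without an early exit; a missing baseline or measurement never matches. */
static int digest_matches(const struct baseline *b, const uint8_t *d) {
    uint8_t diff = 0;
    if (!b || !d) return 0;
    for (size_t i = 0; i < DIGEST_LEN; i++) diff |= (uint8_t)(b->digest[i] ^ d[i]);
    return diff == 0;
}

static int tee_execve(const struct mac_request *r) {
    return digest_matches(find_baseline(r->obj_name), r->exe_digest);
}

static int tee_write(const struct mac_request *r) {
    if (strcmp(r->obj_name, POLICY_PATH) != 0) return 1;   /* not core data */
    return r->uid == SECADM_UID && digest_matches(find_baseline(CONF_TOOL), r->exe_digest);
}

typedef int (*tee_handler)(const struct mac_request *);
/* Indexed by enum mac_op: OP_EXECVE, OP_READ, OP_WRITE. */
static const tee_handler tee_handlers[OP_COUNT] = { tee_execve, NULL, tee_write };
static unsigned tee_calls;                  /* counts world switches */

static int tee_enhanced_verify(const struct mac_request *r) {
    tee_calls++;
    /* A switched-on operation with no handler fails closed. */
    return tee_handlers[r->op] ? tee_handlers[r->op](r) : 0;
}

/* ---------- REE side: verification switch, rule base, decision hook ---------- */
struct mac_rule { const char *subj_label; const char *obj_label; enum mac_op op; };
static const struct mac_rule rule_base[] = {
    { "secadm_t", "policy_t", OP_WRITE },
    { "user_t",   "bin_t",    OP_EXECVE },
    { "user_t",   "doc_t",    OP_READ },
};
static int enhanced_switch[OP_COUNT];       /* off by default, as on the page */

static int rule_match(const struct mac_request *r) {
    for (size_t i = 0; i < sizeof rule_base / sizeof rule_base[0]; i++)
        if (rule_base[i].op == r->op && strcmp(rule_base[i].subj_label, r->subj_label) == 0 &&
            strcmp(rule_base[i].obj_label, r->obj_label) == 0) return 1;
    return 0;
}

enum mac_result mac_check(const struct mac_request *r) {
    if (enhanced_switch[r->op] && !tee_enhanced_verify(r)) return MAC_DENY_TEE;
    return rule_match(r) ? MAC_ALLOW : MAC_DENY_RULE;
}

/* Constructed scenarios; every value below is sample data. */
static const uint8_t tampered[DIGEST_LEN] = { 0xFF };
static const struct mac_request scenarios[] = {
    { OP_EXECVE, 2000, "user_t",   "/usr/bin/report",   "bin_t",    baseline_lib[1].digest },
    { OP_EXECVE, 2000, "user_t",   "/usr/bin/report",   "bin_t",    tampered },
    { OP_WRITE,  1000, "secadm_t", POLICY_PATH,         "policy_t", baseline_lib[0].digest },
    { OP_WRITE,  0,    "secadm_t", POLICY_PATH,         "policy_t", baseline_lib[0].digest },
    { OP_WRITE,  1000, "secadm_t", POLICY_PATH,         "policy_t", baseline_lib[1].digest },
    { OP_READ,   2000, "user_t",   "/home/u/notes.txt", "doc_t",    NULL },
    { OP_WRITE,  2000, "user_t",   "/home/u/notes.txt", "doc_t",    NULL },
};
#define NSCEN ((int)(sizeof scenarios / sizeof scenarios[0]))

enum mac_result demo(int i) {
    enhanced_switch[OP_EXECVE] = enhanced_switch[OP_WRITE] = 1;  /* read stays REE-only */
    return (i >= 0 && i < NSCEN) ? mac_check(&scenarios[i]) : MAC_DENY_TEE;
}

int main(void) {
    static const char *names[] = { "ALLOW", "DENY (TEE enhanced verification)", "DENY (no matching rule)" };
    for (int i = 0; i < NSCEN; i++) printf("scenario %d: %s\n", i, names[demo(i)]);
    return 0;
}
```

Scenario 3 is the case the second stage alone would miss: the labels match a rule, but the TEE handler rejects the write because the caller is not the security administrator.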
While the system is running, the TEE periodically verifies the integrity of the REE's kernel access control rule base by checking the integrity of the shared memory at run time. Using the trusted clock interrupt of the underlying platform, at fixed intervals the TEE starts integrity verification of the kernel access control rule base. The TEE generates an integrity measurement value for the kernel access control rule base currently in shared memory and matches it against the integrity measurement baseline value stored in the TEE system. If the two are consistent, verification passes. If they are inconsistent, the kernel access control rule base is considered to have been tampered with, verification fails, and the system raises an alarm.
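The baseline-and-tick cycle described above, together with the re-baselining that follows an authorized configuration change, as an added C sketch that is not code from the patent. All names and sample rules are hypothetical; the page does not name a measurement algorithm, so FNV-1a is used here as a non-cryptographic stand-in to keep the example self-contained, where a real TEE would use a cryptographic hash.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_RULES 8
enum { OPS_READ = 1, OPS_WRITE = 2, OPS_EXEC = 4 };

/* Fixed-size records with no pointers, so the region can be measured byte for byte. */
struct mac_rule { char subj[16]; char obj[16]; uint32_t ops; };
struct shared_rule_base { uint32_t count; struct mac_rule rules[MAX_RULES]; };

/* ---------- TEE-private state ---------- */
static const struct shared_rule_base *tee_shm;  /* registered shared memory */
static uint64_t tee_baseline;                   /* integrity measurement baseline value */
static int tee_sealed;
static unsigned tee_alarms;

/* Stand-in measurement (FNV-1a, 64-bit). Assumption: replace with a cryptographic hash. */
static uint64_t measure(const void *buf, size_t len) {
    const uint8_t *p = buf;
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < len; i++) { h ^= p[i]; h *= 0x100000001b3ULL; }
    return h;
}

void tee_register(const struct shared_rule_base *shm) { tee_shm = shm; tee_sealed = 0; }

void tee_seal_baseline(void) {
    tee_baseline = measure(tee_shm, sizeof *tee_shm);
    tee_sealed = 1;
}

/* Called from the trusted clock interrupt. Returns 1 on pass, 0 on failure plus alarm. */
int tee_timer_tick(void) {
    if (!tee_shm || !tee_sealed) { tee_alarms++; return 0; }  /* nothing to compare: fail closed */
    if (measure(tee_shm, sizeof *tee_shm) == tee_baseline) return 1;
    tee_alarms++;
    return 0;
}

/* ---------- REE side ---------- */
static struct shared_rule_base rule_base;       /* stands in for the shared region */

static int add_rule(struct shared_rule_base *rb, const char *s, const char *o, uint32_t ops) {
    if (rb->count >= MAX_RULES) return -1;
    struct mac_rule *r = &rb->rules[rb->count];
    memset(r, 0, sizeof *r);
    strncpy(r->subj, s, sizeof r->subj - 1);
    strncpy(r->obj, o, sizeof r->obj - 1);
    r->ops = ops;
    rb->count++;
    return 0;
}

/* Boot: register the region, build the rule base from the (already verified)
 * configuration, then ask the TEE to record the baseline. */
void ree_boot_load_policy(void) {
    memset(&rule_base, 0, sizeof rule_base);
    tee_register(&rule_base);
    add_rule(&rule_base, "user_t", "doc_t", OPS_READ);            /* constructed rules */
    add_rule(&rule_base, "secadm_t", "policy_t", OPS_READ | OPS_WRITE);
    tee_seal_baseline();
}

/* Authorized change: tee_verified is the outcome of the TEE's check of the user
 * and the configuration tool. Rule base first, then re-baseline; writing the
 * change back to the configuration file is omitted here. */
int ree_config_update(int tee_verified, const char *s, const char *o, uint32_t ops) {
    if (!tee_verified) return -1;
    if (add_rule(&rule_base, s, o, ops) != 0) return -1;
    tee_seal_baseline();
    return 0;
}

/* Four consecutive ticks; bit i of the result is 1 when tick i passed. */
unsigned demo_ticks(void) {
    unsigned bits = 0;
    ree_boot_load_policy();
    bits |= (unsigned)tee_timer_tick() << 0;          /* untouched rule base */
    rule_base.rules[0].ops |= OPS_WRITE;              /* edit that bypassed the TEE */
    bits |= (unsigned)tee_timer_tick() << 1;          /* mismatch: alarm */
    rule_base.rules[0].ops &= ~(uint32_t)OPS_WRITE;   /* administrator restores the rule */
    bits |= (unsigned)tee_timer_tick() << 2;
    ree_config_update(1, "backup_t", "doc_t", OPS_READ);
    bits |= (unsigned)tee_timer_tick() << 3;          /* checked against the new baseline */
    return bits;
}

int main(void) {
    unsigned bits = demo_ticks();
    for (int i = 0; i < 4; i++)
        printf("tick %d: %s\n", i, ((bits >> i) & 1) ? "pass" : "FAIL, alarm");
    printf("alarms raised: %u\n", tee_alarms);
    return 0;
}
```

Because the check is periodic, the tick interval bounds how long a modified rule base can be in use before the alarm fires.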
While the system is running, the TEE periodically verifies the integrity of the subject and object security labels in the REE system. In this embodiment, verification mainly covers the security-critical information of the process subjects in the system (for example the user, the security attribute label and the execution image). Within the process space, this information is kept in memory shared with the TEE, and the TEE periodically checks the integrity of the security-critical information of user-process subjects at run time. Using the trusted clock interrupt of the underlying platform, at fixed intervals the TEE starts integrity verification of the key information of each user-process subject. The TEE generates an integrity measurement value for the user-process subject key information currently in shared memory and matches it against the stored integrity measurement baseline value. If the two are consistent, verification passes. If they are inconsistent, the key information of the user-process subject is considered to have been tampered with, verification fails, and the system raises an alarm.
This embodiment also uses the TEE's enhanced verification function so that the security configuration file can be read and written only through designated configuration commands. When a configuration command is executed, the TEE first verifies the legitimacy of the user executing it and the integrity of the executable file. To protect the integrity of the security configuration file, TEE enhanced verification forbids rewriting the configuration file directly in the REE system and allows configuration only through a specific security configuration tool. When the REE object manager detects execution of the configuration tool in calls such as fork and execve, the system first obtains information such as the user of the process and the integrity measurement value of its executable file. It then uses the SMC instruction to call the handlers in the TEE access control enhanced verification framework that correspond to the fork and execve operations, which verify that the user executing the process is the security administrator and that the integrity measurement value of the configuration command program matches the value in the integrity measurement baseline library. In addition, file operations such as write, getattr, setattr, link, unlink and rename undergo TEE enhanced verification. If the target of the operation is the out-of-kernel security configuration file for mandatory access control, the process subject must pass the verification described above: the user executing the process must be the security administrator, and the integrity measurement value of the configuration command program must match the value in the integrity measurement baseline library. Security configuration includes adding, deleting and modifying access control rules. A configuration change is first applied to the kernel access control rule base and then written to the configuration file. After the change is complete, the system switches to the TEE state and regenerates the integrity measurement baseline values for the kernel access control rule base and the configuration file, which serve as the baseline for subsequent checks.
In summary, the TEE-extension-based operating system kernel mandatory access control method of this embodiment extends existing operating system kernel mandatory access control as follows. A kernel access control mechanism is built in the REE system, and an access control enhanced verification framework and an access control core data verification module are built in the TEE. When the REE system starts and loads the access control function, the TEE verifies the integrity of its access control core data. While the REE system is running, a controlled access operation first undergoes access control enhanced verification by the TEE; if that passes, the REE access control security decision is made, and only if that also passes is the operation allowed to execute. Throughout REE operation, the TEE periodically verifies the integrity of the access control core data in the REE. Any dynamic modification of access control core data in the REE must first pass the TEE's legitimacy verification. As a result, the method of this embodiment has the advantages of comprehensive protection, a high verification level, safety and reliability, good generality and strong extensibility. Building on traditional operating system kernel mandatory access control, the method uses the TEE's high-privilege isolated verification capability to perform security-enhanced verification of kernel mandatory access control and to verify the integrity of the mandatory access control core data, ensuring that no part of the operating system's mandatory access control mechanism is tampered with by a malicious attacker and that the access control function is carried out correctly. In this system, the operating system that enforces mandatory access control runs in the REE and implements the access control mechanism for subjects and objects, while the TEE implements the mandatory access control enhanced verification framework for the REE operating system. Users can apply enhanced verification in the TEE as needed, and only operations that pass both checks, TEE enhanced verification and mandatory access rule verification in the REE, can continue to execute in the system. In addition, during startup and operation of the REE system, the TEE's integrity verification function verifies the integrity of the core data related to mandatory access control, ensuring that the access control mechanism executes safely and correctly.
In addition, this embodiment provides a TEE-extension-based operating system kernel mandatory access control system, comprising:
An object management program module, used to call the interface of the access control enhanced verification framework in the TEE system when an access is detected in the REE system. The framework calls the handler that corresponds to the access operation type in the call request, and the handler decides from the access operation type, subject information and object information in the call request whether access control enhanced verification passes. If it passes, execution jumps to the access permission decision program module; otherwise the access is denied and processing ends and exits.
An access permission decision program module, used to match the access against the preset kernel access control rule base in the REE system. The access is allowed to continue only if the kernel access control rule base contains a matching rule; otherwise the access is denied.
In addition, this embodiment provides a TEE-extension-based operating system kernel mandatory access control system comprising a computer device that is programmed or configured to execute the steps of the aforementioned TEE-extension-based operating system kernel mandatory access control method.
In addition, this embodiment provides a TEE-extension-based operating system kernel mandatory access control system comprising a computer device whose memory stores a computer program that is programmed or configured to execute the aforementioned TEE-extension-based operating system kernel mandatory access control method.
In addition, this embodiment provides a computer-readable storage medium that stores a computer program programmed or configured to execute the aforementioned TEE-extension-based operating system kernel mandatory access control method.
Those skilled in the art will appreciate that the embodiments of the present application may be provided as a method, a system or a computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM and optical storage) that contain computer-usable program code. The present application refers to flowcharts and/ of methods, devices (systems) and computer program products according to embodiments of the present application, instructions executed by a processor produce means for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams. These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture comprising instruction means that implement the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams. These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operational steps is performed on the computer or other programmable device to produce computer-implemented processing, and the instructions executed on the computer or other programmable device thereby provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
The above are only preferred embodiments of the present invention. The protection scope of the present invention is not limited to the above embodiments; all technical solutions that fall under the idea of the present invention belong to its protection scope. It should be pointed out that, for those of ordinary skill in the art, improvements and refinements made without departing from the principle of the present invention should also be regarded as falling within the protection scope of the present invention.
Claims (10)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202010251285.1A CN111400723A (en) | 2020-04-01 | 2020-04-01 | Mandatory access control method and system for operating system kernel based on TEE extension |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202010251285.1A CN111400723A (en) | 2020-04-01 | 2020-04-01 | Mandatory access control method and system for operating system kernel based on TEE extension |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN111400723A (en) | 2020-07-10 |
Family
ID=71429340
Family Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202010251285.1A Pending CN111400723A (en) | 2020-04-01 | 2020-04-01 | Mandatory access control method and system for operating system kernel based on TEE extension |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN111400723A (en) |
Cited By (12)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN111859394A (en) * | 2020-07-21 | 2020-10-30 | 中国人民解放军国防科技大学 | TEE-based software behavior active measurement method and system |
| CN111988328A (en) * | 2020-08-26 | 2020-11-24 | 中国电力科学研究院有限公司 | A method and system for ensuring data security of a collection terminal of a power generation unit in a new energy power plant |
| CN112187739A (en) * | 2020-09-11 | 2021-01-05 | 苏州浪潮智能科技有限公司 | Configuration method, system, terminal and storage medium of mandatory access rule |
| CN112231694A (en) * | 2020-10-27 | 2021-01-15 | 北京人大金仓信息技术股份有限公司 | Database detection method, device, equipment and medium |
| CN113190869A (en) * | 2021-05-27 | 2021-07-30 | 中国人民解放军国防科技大学 | TEE-based mandatory access control security enhancement framework performance evaluation method and system |
| US20220092196A1 (en) * | 2021-12-08 | 2022-03-24 | Intel Corporation | Mechanism for secure library sharing |
| CN114462041A (en) * | 2021-12-24 | 2022-05-10 | 麒麟软件有限公司 | Dynamic trusted access control method and system based on dual-architecture |
| CN114611098A (en) * | 2022-03-24 | 2022-06-10 | 联想(北京)有限公司 | Information processing method and device and electronic equipment |
| CN115688198A (en) * | 2022-10-09 | 2023-02-03 | 南方电网数字电网研究院有限公司 | Trusted execution system of electric power internet of things intelligent terminal |
| CN115694943A (en) * | 2022-10-25 | 2023-02-03 | 中国人民解放军国防科技大学 | Behavior-based dynamic mandatory access control method, system and medium for operating system |
| CN116340243A (en) * | 2023-03-29 | 2023-06-27 | 广东工业大学 | Dual-core trusted execution security chip architecture |
| CN118821139A (en) * | 2024-03-25 | 2024-10-22 | 中移(杭州)信息技术有限公司 | Security management methods, devices, equipment, storage media and products |
Citations (15)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| JP2005085026A (en) * | 2003-09-09 | 2005-03-31 | Ntt Data Corp | Access control device and program thereof |
| CN103281339A (en) * | 2013-06-21 | 2013-09-04 | 上海辰锐信息科技公司 | Safety controlling system of mobile terminal |
| CN103971067A (en) * | 2014-05-30 | 2014-08-06 | 中国人民解放军国防科学技术大学 | Operating system nucleus universal access control method supporting entities inside and outside nucleus |
| CN105245543A (en) * | 2015-10-28 | 2016-01-13 | 中国人民解放军国防科学技术大学 | A Mandatory Access Control Method for Operating System Based on Security Tag Randomization |
| CN105468980A (en) * | 2015-11-16 | 2016-04-06 | 华为技术有限公司 | Security control method, device and system |
| WO2016192774A1 (en) * | 2015-06-02 | 2016-12-08 | Huawei Technologies Co., Ltd. | Electronic device and method in an electronic device |
| CN106411814A (en) * | 2015-07-27 | 2017-02-15 | 深圳市中兴微电子技术有限公司 | Strategy management method and system |
| CN106815494A (en) * | 2016-12-28 | 2017-06-09 | 中软信息系统工程有限公司 | A kind of method that application security certification is realized based on CPU space-time isolation mech isolation tests |
| CN106990972A (en) * | 2017-04-13 | 2017-07-28 | 沈阳微可信科技有限公司 | Method and apparatus for running trusted user interface |
| CN107612929A (en) * | 2017-10-18 | 2018-01-19 | 南京航空航天大学 | A kind of multilevel security access control model based on information flow |
| CN107609410A (en) * | 2017-09-11 | 2018-01-19 | 厦门市美亚柏科信息股份有限公司 | Android system data guard method, terminal device and storage medium based on HOOK |
| CN108540442A (en) * | 2018-02-08 | 2018-09-14 | 北京豆荚科技有限公司 | A kind of control method accessing credible performing environment |
| CN109522754A (en) * | 2018-11-28 | 2019-03-26 | 中国科学院信息工程研究所 | A kind of credible isolation environment core control method of mobile terminal |
| CN110381068A (en) * | 2019-07-23 | 2019-10-25 | 迈普通信技术股份有限公司 | Forced access control method, device, the network equipment and storage medium |
| CN110851870A (en) * | 2019-11-14 | 2020-02-28 | 中国人民解放军国防科技大学 | Block chain privacy protection method, system and medium based on trusted execution environment |
2020
- 2020-04-01 CN CN202010251285.1A patent/CN111400723A/en active Pending
Patent Citations (15)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| JP2005085026A (en) * | 2003-09-09 | 2005-03-31 | Ntt Data Corp | Access control device and program thereof |
| CN103281339A (en) * | 2013-06-21 | 2013-09-04 | 上海辰锐信息科技公司 | Safety controlling system of mobile terminal |
| CN103971067A (en) * | 2014-05-30 | 2014-08-06 | 中国人民解放军国防科学技术大学 | Operating system nucleus universal access control method supporting entities inside and outside nucleus |
| WO2016192774A1 (en) * | 2015-06-02 | 2016-12-08 | Huawei Technologies Co., Ltd. | Electronic device and method in an electronic device |
| CN106411814A (en) * | 2015-07-27 | 2017-02-15 | 深圳市中兴微电子技术有限公司 | Strategy management method and system |
| CN105245543A (en) * | 2015-10-28 | 2016-01-13 | 中国人民解放军国防科学技术大学 | A Mandatory Access Control Method for Operating System Based on Security Tag Randomization |
| CN105468980A (en) * | 2015-11-16 | 2016-04-06 | 华为技术有限公司 | Security control method, device and system |
| CN106815494A (en) * | 2016-12-28 | 2017-06-09 | 中软信息系统工程有限公司 | A kind of method that application security certification is realized based on CPU space-time isolation mech isolation tests |
| CN106990972A (en) * | 2017-04-13 | 2017-07-28 | 沈阳微可信科技有限公司 | Method and apparatus for running trusted user interface |
| CN107609410A (en) * | 2017-09-11 | 2018-01-19 | 厦门市美亚柏科信息股份有限公司 | Android system data guard method, terminal device and storage medium based on HOOK |
| CN107612929A (en) * | 2017-10-18 | 2018-01-19 | 南京航空航天大学 | A kind of multilevel security access control model based on information flow |
| CN108540442A (en) * | 2018-02-08 | 2018-09-14 | 北京豆荚科技有限公司 | A kind of control method accessing credible performing environment |
| CN109522754A (en) * | 2018-11-28 | 2019-03-26 | 中国科学院信息工程研究所 | A kind of credible isolation environment core control method of mobile terminal |
| CN110381068A (en) * | 2019-07-23 | 2019-10-25 | 迈普通信技术股份有限公司 | Forced access control method, device, the network equipment and storage medium |
| CN110851870A (en) * | 2019-11-14 | 2020-02-28 | 中国人民解放军国防科技大学 | Block chain privacy protection method, system and medium based on trusted execution environment |
Non-Patent Citations (3)
| Title |
|---|
| DIMING ZHANG ET AL.: "T-MAC: Protecting Mandatory Access Control System Integrity from Malicious Execution Environment on ARM-Based Mobile Devices" * |
| JINAN SHEN;DEQING ZOU;HAI JIN;KAI YANG;BIN YUAN;WEIMING LI;: "A Protective Mechanism for the Access Control System in the Virtual Domain" * |
| 王高祖;李伟华;徐艳玲;史豪斌;: "基于TrustZone技术和μCLinux的安全嵌入式系统设计与实现" * |
Cited By (18)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN111859394A (en) * | 2020-07-21 | 2020-10-30 | 中国人民解放军国防科技大学 | TEE-based software behavior active measurement method and system |
| CN111859394B (en) * | 2020-07-21 | 2023-09-29 | 中国人民解放军国防科技大学 | Software behavior active measurement method and system based on TEE |
| CN111988328A (en) * | 2020-08-26 | 2020-11-24 | 中国电力科学研究院有限公司 | A method and system for ensuring data security of a collection terminal of a power generation unit in a new energy power plant |
| CN112187739B (en) * | 2020-09-11 | 2022-12-20 | 苏州浪潮智能科技有限公司 | Method, system, terminal and storage medium for configuring mandatory access rules |
| CN112187739A (en) * | 2020-09-11 | 2021-01-05 | 苏州浪潮智能科技有限公司 | Configuration method, system, terminal and storage medium of mandatory access rule |
| CN112231694A (en) * | 2020-10-27 | 2021-01-15 | 北京人大金仓信息技术股份有限公司 | Database detection method, device, equipment and medium |
| CN113190869A (en) * | 2021-05-27 | 2021-07-30 | 中国人民解放军国防科技大学 | TEE-based mandatory access control security enhancement framework performance evaluation method and system |
| US20220092196A1 (en) * | 2021-12-08 | 2022-03-24 | Intel Corporation | Mechanism for secure library sharing |
| US12061710B2 (en) * | 2021-12-08 | 2024-08-13 | Intel Corporation | Mechanism for secure library sharing |
| CN114462041A (en) * | 2021-12-24 | 2022-05-10 | 麒麟软件有限公司 | Dynamic trusted access control method and system based on dual-architecture |
| CN114611098A (en) * | 2022-03-24 | 2022-06-10 | 联想(北京)有限公司 | Information processing method and device and electronic equipment |
| CN115688198A (en) * | 2022-10-09 | 2023-02-03 | 南方电网数字电网研究院有限公司 | Trusted execution system of electric power internet of things intelligent terminal |
| CN115694943A (en) * | 2022-10-25 | 2023-02-03 | 中国人民解放军国防科技大学 | Behavior-based dynamic mandatory access control method, system and medium for operating system |
| CN115694943B (en) * | 2022-10-25 | 2024-05-14 | 中国人民解放军国防科技大学 | Behavior-based operating system dynamic mandatory access control method, system and medium |
| CN116340243A (en) * | 2023-03-29 | 2023-06-27 | 广东工业大学 | Dual-core trusted execution security chip architecture |
| CN116340243B (en) * | 2023-03-29 | 2025-09-02 | 广东工业大学 | A secure chip architecture with dual-core trusted execution |
| CN118821139A (en) * | 2024-03-25 | 2024-10-22 | 中移(杭州)信息技术有限公司 | Security management methods, devices, equipment, storage media and products |
| CN118821139B (en) * | 2024-03-25 | 2025-11-11 | 中移(杭州)信息技术有限公司 | Security management method, device, equipment, storage medium and product |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN111400723A (en) | | Mandatory access control method and system for operating system kernel based on TEE extension |
| US12149623B2 (en) | | Security privilege escalation exploit detection and mitigation |
| CN103020515B (en) | | Application program execution permission control method for operating system |
| US7437766B2 (en) | | Method and apparatus providing deception and/or altered operation in an information system operating system |
| Bratus et al. | | TOCTOU, traps, and trusted computing |
| CN111159762B (en) | | A method and system for subject trusted authentication under mandatory access control |
| KR101565590B1 (en) | | A system for expanding the security kernel with system for privilege flow prevention based on white list |
| Martin | | The ten-page introduction to Trusted Computing |
| CN104462950A (en) | | Application program executing permission control method used for operating system |
| CN111859394A (en) | | TEE-based software behavior active measurement method and system |
| CN107908958A (en) | | SELinux security identifier tamper-proof detection method and system |
| KR102714421B1 (en) | | Method, apparatus and computer-readable medium for admission control of container platform based on accessor role |
| Almohri et al. | | Process authentication for high system assurance |
| Xu et al. | | Condo: enhancing container isolation through kernel permission data protection |
| CN120162837A (en) | | MCU information protection method, device, electronic device and readable storage medium |
| KR101099310B1 (en) | | Integrated access authorization |
| KR102086375B1 (en) | | System and method for real time prevention and post recovery for malicious software |
| CN117436079A (en) | | Integrity protection method and system for Linux system |
| CN117851990A (en) | | LD_PRELOAD-based application program authorization method, system, electronic equipment and medium |
| Toffalini et al. | | Careful-packing: A practical and scalable anti-tampering software protection enforced by trusted computing |
| Zimmermann et al. | | Introducing reference flow control for detecting intrusion symptoms at the os level |
| Ding et al. | | SLR‐SELinux: Enhancing the Security Footstone of SEAndroid with Security Label Randomization |
| CN114462041A (en) | | Dynamic trusted access control method and system based on dual-architecture |
| Mundada et al. | | Practical data-leak prevention for legacy applications in enterprise networks |
| CN111538990B (en) | | An Internet analysis system |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |
| | RJ01 | Rejection of invention patent application after publication | Application publication date: 20200710 |