本文選題：安全操作系統(tǒng) + SELinux　； 參考：《北京交通大學(xué)》2014年碩士論文

【摘要】：操作系統(tǒng)是計算機資源的直接管理者,位于整個信息系統(tǒng)的最底層,其安全問題是信息安全的核心問題。SELinux是Linux系統(tǒng)的安全增強模塊,能夠有效實施強制訪問機制,保證系統(tǒng)安全。安全策略配置是SELinux安全保護(hù)實施的關(guān)鍵所在,但由于安全策略復(fù)雜繁多、管理困難,一定程度上制約了SELinux的推廣應(yīng)用。因此,研究構(gòu)建SELinux安全策略自動化分析工具,進(jìn)而保證SELinux安全策略配置的正確性是很有必要和頗有意義。論文工作主要包括以下三方面： (1)對SELinux安全策略及其分析方法進(jìn)行了討論和研究。簡要介紹了SELinux安全機制的發(fā)展演化、體系結(jié)構(gòu)及Linux操作系統(tǒng)整體訪問控制,討論了SELinux安全模型、安全策略配置語言及實施機制,并重點就國內(nèi)外現(xiàn)有SELinux安全策略分析方法進(jìn)行了歸納分類和分析比較。特別地,針對現(xiàn)有有色Petri網(wǎng)分析法只是嘗試性研究、需要借助數(shù)學(xué)軟件工具完成分析并未獨立實現(xiàn)的問題,確定了基于有色Petri網(wǎng)開展SELinux安全策略自動化分析方法研究的主題。 (2)系統(tǒng)研究了基于有色Petri網(wǎng)的SELinux安全策略自動化分析方法。圍繞安全策略有效性分析目標(biāo),詳細(xì)討論了從SELinux安全策略配置文件集中提取安全策略要素的步驟和流程以及服務(wù)于SELinux安全策略自動化分析的有色Petri網(wǎng)模型的設(shè)計、構(gòu)建和查詢分析方案,另外還給出了相關(guān)的仿真驗證案例。特別地,論文試圖通過將安全策略配置中各安全要素和訪問控制關(guān)系形式化為相關(guān)集合及映射,進(jìn)而將訪問控制關(guān)系映射及BNF查詢語句轉(zhuǎn)化為有色Petri網(wǎng)中的相關(guān)庫所及變遷,從而通過變遷的發(fā)生來實現(xiàn)安全目標(biāo)有效性的檢測。 (3)設(shè)計和實現(xiàn)了基于有色Petri網(wǎng)的SELinux安全策略自動化分析工具原型。給出了原型系統(tǒng)的總體設(shè)計方案,并重點就描述安全策略要素和有色Petri網(wǎng)的相關(guān)數(shù)據(jù)結(jié)構(gòu)及安全策略要素提取模塊、有色Petri網(wǎng)構(gòu)建模塊、有色Petri網(wǎng)查詢分析模塊等核心模塊的詳細(xì)設(shè)計進(jìn)行了討論。原型系統(tǒng)由C語言編寫,用83個函數(shù)實現(xiàn)了相關(guān)功能模塊。通過采用學(xué)生-教師教學(xué)管理系統(tǒng)及實際SELinux應(yīng)用場景的一套安全策略配置文件運行該原型系統(tǒng)進(jìn)行驗證分析,初步測試結(jié)果比較滿意。
[Abstract]:Ensure system security.Security policy configuration is the key to the implementation of SELinux security protection. However, because of the complexity of security policy and the difficulty of management, it restricts the popularization and application of SELinux to some extent.Therefore, it is necessary and meaningful to study and construct SELinux security policy automatic analysis tool to ensure the correctness of SELinux security policy configuration.The work of the thesis mainly includes the following three aspects:1) the SELinux security policy and its analysis method are discussed and studied.This paper briefly introduces the development and evolution of the SELinux security mechanism, the architecture and the overall access control of the Linux operating system, and discusses the SELinux security model, security policy configuration language and implementation mechanism.The existing SELinux security policy analysis methods at home and abroad are summarized, classified and compared.In particular, aiming at the problem that the existing colored Petri net analysis method is only a tentative study and needs to be implemented independently with the help of mathematical software tools, the research topic of SELinux security policy automation analysis method based on colored Petri net is determined.The automatic analysis method of SELinux security policy based on colored Petri net is studied systematically.Around the goal of security policy effectiveness analysis, this paper discusses in detail the steps and processes of extracting security policy elements from the SELinux security policy configuration file set and the design of a colored Petri net model for SELinux security policy automation analysis.The scheme of query and analysis is constructed, and the relevant simulation cases are given.In particular, this paper attempts to formalize the security elements and access control relationships in security policy configuration into the related set and mapping, and then transform the access control relation mapping and BNF query statements into the relative libraries and transitions in colored Petri nets.In order to achieve the effectiveness of the security target detection through the occurrence of changes.The prototype of SELinux security policy automatic analysis tool based on colored Petri net is designed and implemented.This paper presents the overall design of the prototype system, and focuses on the description of the security policy elements and colored Petri net related data structure and security policy elements extraction module, colored Petri net construction module.The detailed design of the core modules such as the query analysis module of colored Petri net is discussed.The prototype system is written in C language, and 83 functions are used to realize the related function modules.A set of security policy configuration files based on the student-teacher teaching management system and the practical SELinux application scenario are used to run the prototype system for verification and analysis. The preliminary test results are satisfactory.
【學(xué)位授予單位】：北京交通大學(xué)
【學(xué)位級別】：碩士
【學(xué)位授予年份】：2014
【分類號】：TP393.08

【參考文獻(xiàn)】

相關(guān)期刊論文 前10條

1 王靜;;SELinux的訪問控制模型的分析與研究[J];計算機安全;2008年11期

2 崔繼;;基于SELinux的Samba服務(wù)器的設(shè)計[J];計算機安全;2011年04期

3 徐寧;劉文清;孟凱凱;王亞弟;;SELinux特權(quán)用戶管理的設(shè)計與應(yīng)用[J];計算機工程;2011年10期

4 張陽;;帶敏感標(biāo)簽的SELinux安全策略信息流分析方法[J];計算機學(xué)報;2009年04期

5 肖永康;紀(jì)翠玲;謝寶恂;何s，

本文編號：1758589