Research and Implementation of a Secure Multi-Level Access Control Mechanism in Virtualized Environments (虛擬化環(huán)境下安全多級訪問控制機制研究與實現(xiàn))
[Abstract]: Information has become a strategic resource, and a country's ability to secure it is now a fair measure of its overall strength. Science, technology and information technology are at a stage of unprecedented prosperity, and the information industry has become the largest industry in the world; at the same time, information security incidents are growing more frequent, and the problem of information security is urgent. With the growth of the Internet, and especially of network applications such as cloud computing and distributed systems, people obtain more and more of their data from the network and life becomes correspondingly more convenient. As that dependence on the network grows, so do the security requirements on the data obtained from it. Cloud computing, which relies on virtualization as one of the key technologies of its infrastructure, offers a more open and more interactive network environment, and people increasingly prefer to get all of the data and information they need from the cloud. Because a cloud network differs from a traditional network system, and because traditional access control technologies such as firewalls do little to stop deliberate leakage from inside or malicious Trojan horses, those technologies cannot simply be carried over to a virtualized environment. How to let data in a virtualized environment be fully shared while still enforcing strict access control is therefore a hard problem that remains to be solved.

The security access control model of a conventional system mainly works by granting users rights to access data. Such a mechanism makes control of the data depend excessively on the users, so that the system is exposed not only to external attackers but sometimes to its own internal users. The multi-level security model arose to overcome this weakness: by labeling both users and data it moves from purely discretionary access control to mandatory access control, and thereby secures access to data to a considerable extent. Many multi-level security models have been applied in different settings such as the military and commerce, but because the semantics of the models are often unreasonable or fuzzy, their practical support is inadequate and they are not widely used. This thesis proposes E-MLR, a general-purpose entity-based multi-level relational model built on the multi-level relational model MLR. In E-MLR the semantics and the statement operations are redefined to ensure secure isolation between different entities in a traditional network as well as secure communication within an entity. Then, taking the KVM virtual machine as the reference research environment, E-MLR is extended to the virtualized setting and the virtual multi-level group security model V-MGSM is proposed for the data access security requirements between virtual machines. V-MGSM groups virtual machines according to the entity they belong to, and controls access between different groups, the communication between virtual machines in the same group, and the sharing of memory in the virtualized environment. On this basis, the thesis gives the implementation of the access control mechanism on the KVM virtualization platform and its test results.

The main contents are as follows:
1. Based on the MLR model, a general-purpose entity-based multi-level relational model, E-MLR, is proposed: the semantics of the data are redefined, the idea of data borrowing is introduced, and four general data operation instructions are defined so that a low-level user cannot modify what a high-level user's view contains, which achieves the goal of system information security.
2. The general E-MLR model is extended into a virtualized system and a secure access control mechanism for communication among virtual machines in a virtualized environment is established: the V-MGSM model is proposed, together with its data semantics, integrity property, operation instructions and security proof.
3. On the KVM virtual machine platform, the implementation process and test results of the virtual machine access control mechanism are given; the tests show that the proposed V-MGSM model is correct and secure.
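The entity grouping and level rules that E-MLR and V-MGSM are described as enforcing can be illustrated with a small reference monitor for inter-VM channels and shared-memory mappings. The Python below is an added example written for this page, not code from the thesis. Its rule set is an assumption standing in for the four operations and the security proof the abstract mentions but does not reproduce: levels are totally ordered, VMs of different entities never communicate or share memory, a VM may read (borrow) data at or below its own level, and a VM may write only data at exactly its own level, so a low-level VM can never alter what a higher-level VM sees and a high-level VM can never write down. The VM, entity and region names are constructed sample data.

```python
"""Added example for this page (not the thesis's code): a reference monitor that
groups VMs by entity and applies multilevel rules to inter-VM channels and shared
memory.  The rule set is an assumption; the page does not spell out V-MGSM's
operations:
  - VMs of different entities never communicate or share memory (isolation);
  - a VM may read ("borrow") data at or below its own level;
  - a VM may write only data at exactly its own level, so a low-level VM can never
    alter what a higher-level VM sees, and a high-level VM can never write down.
All names below are constructed sample data."""
from dataclasses import dataclass
from enum import IntEnum
from typing import List, Tuple


class Level(IntEnum):
    """Assumed total order of sensitivity levels (the thesis's lattice is not given)."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    SECRET = 3


@dataclass(frozen=True)
class VM:
    name: str
    entity: str   # the entity (tenant) whose group this VM belongs to
    level: Level


@dataclass(frozen=True)
class SharedRegion:
    name: str
    entity: str   # a region is owned by one entity and labeled with one level
    level: Level


def check_channel(src: VM, dst: VM) -> Tuple[bool, str]:
    """May src send data to dst over an inter-VM channel?"""
    if src.entity != dst.entity:
        return False, "denied: cross-entity isolation"
    if src.level > dst.level:
        return False, "denied: no write-down (higher-level data would reach a lower-level VM)"
    return True, "allowed: same entity, flow upward or lateral"


def check_memory_map(vm: VM, region: SharedRegion, writable: bool) -> Tuple[bool, str]:
    """May vm map a shared region, read-only or writable?"""
    if vm.entity != region.entity:
        return False, "denied: cross-entity isolation"
    if writable:
        if vm.level != region.level:
            return False, "denied: writes only at the writer's own level"
        return True, "allowed: write at own level"
    if vm.level < region.level:
        return False, "denied: no read-up"
    return True, "allowed: borrow (read) at or below own level"


# Constructed sample subjects, objects and request log: (kind, subject, object, writable)
WEB = VM("web-1", "acme", Level.INTERNAL)
DB = VM("db-1", "acme", Level.SECRET)
OTHER = VM("web-9", "globex", Level.INTERNAL)
SCRATCH = SharedRegion("acme-scratch", "acme", Level.INTERNAL)
LEDGER = SharedRegion("acme-ledger", "acme", Level.SECRET)

SAMPLE_REQUESTS = [
    ("channel", WEB, DB, None),       # low -> high within one entity: allowed
    ("channel", DB, WEB, None),       # high -> low: would leak, denied
    ("channel", WEB, OTHER, None),    # different entities: denied
    ("map", WEB, SCRATCH, True),      # write at own level: allowed
    ("map", WEB, LEDGER, False),      # read-up: denied
    ("map", WEB, LEDGER, True),       # low VM modifying a high region: denied
    ("map", DB, SCRATCH, False),      # high VM borrowing low data: allowed
    ("map", DB, SCRATCH, True),       # high VM writing down: denied
]


def evaluate_requests(requests) -> List[Tuple[str, bool, str]]:
    """Run every request through the monitor; returns (description, allowed, reason)."""
    results = []
    for kind, subj, obj, writable in requests:
        if kind == "channel":
            allowed, reason = check_channel(subj, obj)
            desc = f"channel {subj.name} -> {obj.name}"
        else:
            allowed, reason = check_memory_map(subj, obj, writable)
            desc = f"map {obj.name} into {subj.name} ({'rw' if writable else 'ro'})"
        results.append((desc, allowed, reason))
    return results


if __name__ == "__main__":
    for desc, allowed, reason in evaluate_requests(SAMPLE_REQUESTS):
        print(f"{'ALLOW' if allowed else 'DENY ':5} {desc}: {reason}")
```

A monitor of this kind only provides the guarantee if it sits on every path between guests, which is why the thesis places the mechanism in the KVM hypervisor rather than in the guests: a guest-side check can be bypassed by a compromised guest, whereas inter-VM channels and shared-memory mappings that the hypervisor mediates cannot.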
【Degree-granting institution】: 西安電子科技大學 (Xidian University)
【Degree level】: Master's
【Year conferred】: 2014
【Classification number】: TP393.08
【Author】: 薛瑩芳 (西安電子科技大學, 2014)
Document number: 2363530
Document link: http://sikaile.net/guanlilunwen/ydhl/2363530.html