LIU Jia,ZI Xiaochao,PAN Li,LI Jianhua

DOI: https://doi.org/10.3969/j.issn.1000-3428.2005.12.018

2005-01-01

Abstract:This paper discusses how to develop the audit module for secure operating system based on the Linux kernel. This audit subsystem cancollect all the core-level information by mounting audit points in the kernel, and provide secure audit management with automate analysis fromremote terminal through website.

程龙,杨小虎

2004-01-01

Abstract:This paper illustrates a sandbox system on Linux operating system. Users can put untrusted or flawed programs running in the sandbox system,so they are isolated from other parts of the operating system. It protects the system from application exploits. Thus it greatly improves the system's security level. Deploying this sandbox system needs no modification to existing operating system kernel and applications,because it is implemented as a Linux kernel module.

Tao Zhang,Yang Yu,Yi Li

DOI: https://doi.org/10.3969/j.issn.1000-386x.2014.05.005

2014-01-01

Abstract:With the penetration of Linux technology,lots of Linux servers have been deployed in distributed systems.It becomes a big problem to carry out effective security auditing for those server resources at present.We design and implement a security auditing system applicable to complex distributed environments according to the characteristics of Linux servers.Our solution adopts component-based, modular architecture to support multi-layer deployment.Based on the audits at kernel level and application level,our system achieves the comprehensive audit on Linux servers including system resources,terminal accesses,file,database and network resources,etc.Meanwhile, our system uses data mining techniques to thoroughly analyse the audit message,and realises the intelligent auditing on Linux servers.Our system has been deployed in a real system,and shows very good effect.

LIU Jia,ZI Xiaochao,PAN Li,LI Jianhua

DOI: https://doi.org/10.3969/j.issn.1000-3428.2006.06.025

2006-01-01

Abstract:Based on the theory of audit only security involved,this paper presents a new way of logging which can greatly reduce the volume of BSM while same audit target is supported at the same time.

黄益民,平玲娣,潘雪增

DOI: https://doi.org/10.3785/j.issn.1008-973x.2001.06.005

2001-01-01

Abstract:After study of existing security models; analysis of information flow model, Bell-LaPadula(BLP) access control model and Biba access control model; and collation and comparison of their advantages and disadvantages, an improved model is put forward that satisfies the actual demands of information security. An implementation strategy is put forward that ensures information security, reliability, practicality and compatibility in the designed security system. An implementation scheme of this security system and its components and functions is provided. This system combines the following functions: mandatory access contro1, privilege separation, security audit, identity authentication and self-protection. It achieves the level 3 of national information security standard and level B1 of TCSEC standard. It was implemented in the Windows NT and Linux operating system and has yielded good resultsin application.

XUE Zhi-ping,XUE Zhi,WANG Yi-jun

DOI: https://doi.org/10.3969/j.issn.1009-8054.2008.01.031

2008-01-01

Abstract:A Unix security auditing system based on dynamic tracing is described in this paper, and the design and realization are discussed. In the system, the detectors, set by dynamic tracing DTrace in the kernel, are used to collect audit information, and the audit logs are written in a standard format. Meanwhile, the secure storage and automatic analysis for the logs are realized in C/S mode.

Jingyu Zhou,Giovanni Vigna

DOI: https://doi.org/10.1109/csac.2004.17

2004-01-01

Abstract:Host security is achieved by securing both the operating system kernel and the privileged applications that run on top of it. Application-level bugs are more frequent than kernel-level bugs, and, therefore, applications are often the means to compromise the security of a system. Detecting these attacks can be difficult, especially in the case of attacks that exploit application-logic errors. These attacks seldom exhibit characterizing patterns as in the case of buffer overflows and format string attacks. In addition, the data used by intrusion detection systems is either too low-level, as in the case of system calls, or incomplete, as in the case of syslog entries. This paper presents a technique to enforce nonbypassable, application-level auditing that does not require the recompilation of legacy systems. The technique is implemented as a kernel-level component, a privileged daemon, and an offline language tool. The technique uses binary rewriting to instrument applications so that meaningful and complete audit information can be extracted. This information is then matched against application-specific signatures to detect attacks that exploit application-logic errors. The technique has been successfully applied to detect attacks against widely-deployed applications, including the Apache Web server and the OpenSSH server.

Rongrong Huang,Jiwu Shu,Da Xiao,Kang Chen

2009-01-01

Journal of Computer Research and Development

Abstract:Network file systems facilitate data sharing but also introduce new vulnerabilities.Audit logs that trace the changes of file system data to prevent fraudulent manipulation of data have great value in evaluating system security.Current systems cannot satisfy the requirement of users because they fail to ensure the security of audit logs.The powerful insider adversary can modify the audit logs covertly to erase evidence of illegal modification directly via device drivers.A data integrity protection method is presented for network file systems based on secure audit logs.Every file and directory has an authenticator to ensure the integrity of data.All changes to data are traced and the corresponding audit logs are generated.At a later time,an auditor may verify the data of a file according to the authenticators and audit logs.A trusted hardware is introduced to manage audit key and to enable the generation and trustworthiness of authenticators and audit logs.A prototype of Nfsd-log is implemented based on the NFS server in Linux and its performance iS evaluated. SSH-build benchmark test shows that the total time overhead of Nfsd-log only increase by 9.2% comparing with original NFS server.

LIU Wei-peng,HU Jun,LV Hui-jun,LIU Yi

DOI: https://doi.org/10.3969/j.issn.1000-3428.2008.07.056

2008-01-01

Abstract:This paper analyses the main design idea of Linux Security Module(LSM) and the problem of the intrinsic access control mechanism of Linux executable program, and discusses the design of Mandatory Access Control(MAC) mechanism of executable program based on LSM. As the demonstration, it implements a MAC system prototype based on Linux kernel 2.6.11. The illumination that how to implement MAC of executable program in operating system is given.

ZHANG Ning,LIU Jin-gang

DOI: https://doi.org/10.3969/j.issn.2095-6835.2010.12.035

2010-01-01

Abstract:This paper introduces a new security and reliability mechanism of the file system of Linux-limiting OS physical storage space,and make it can’t be rewritten.Will be relatively independent of the operating system installed in the physical space,and other applications software in the physical separation of space,the operating system will be installed into a physical storage medium limited to read-only,so that the operating system installed can not be rewritten on the physical layer,so as to achieve secure and reliable;at the same time,user space and system space isolated from each other in the physical space,when users need to install software or preserve documents,can be transparent in the storage space.Then describes its design principle and implement details,and comes to the conclusion of providing security and reliability without performance loss by giving fully test results.

CHEN Hui,ZHOU Xue-Hai,CHEN Xiang-Lan

DOI: https://doi.org/10.3969/j.issn.1003-3254.2010.12.003

2010-01-01

Abstract:Security is always a hot topic with the development of computer technologies.Currently,mechanisms like active defense,detection and anti-detection are proposed.They could be implemented on different levels such as application-level and kernel-level in the system.We manage to go to the system-level.Linux owns mature security-enhanced version SELinux.For Windows,we focus on mandatory access control and propose a mechanism with improved efficiency,compatibility and stability.

LU Quan-fang,TANG Jie,WEN Hong

DOI: https://doi.org/10.3969/j.issn.1009-8054.2013.10.024

2013-01-01

Abstract:Android OS(Operating System) is an operating system for mobile intelligent terminal based on Linux kernel.With the development of mobile internet,Android is widely used. At the same time the security of Android OS becomes more and more important. As the security audit strategy is an important part of the whole security strategy,it is necessary to evaluate the security audit system of Android mobile intelligent terminal OS. This paper firstly analyzes the logging systems of Android and Linux,then presents some methods in evaluating the security audit system of Android OS with the information security standard for assessment. Examples are also designed to verify the feasibility of these evaluation methods.

李俊,李海涛,王波

DOI: https://doi.org/10.3321/j.issn:0479-8023.2002.01.007

2002-01-01

Abstract:In Unix system,it is necessary to add module of control and audit based on users.By adding a net module called iplog in Solaris, the goal is fulfilled and therefore the safety of operation system is strengthened.It is shown that the method is effective solution with not very heavy load.

Wenhui Zhang,Trent Jaeger,Peng Liu

DOI: https://doi.org/10.48550/arXiv.2101.11611

2021-01-27

Cryptography and Security

Abstract:Over the years, the complexity of the Linux Security Module (LSM) is keeping increasing, and the count of the authorization hooks is nearly doubled. It is important to provide up-to-date measurement results of LSM for system practitioners so that they can make prudent trade-offs between security and performance. This work evaluates the overhead of LSM for file accesses on Linux v5.3.0. We build a performance evaluation framework for LSM. It has two parts, an extension of LMBench2.5 to evaluate the overhead of file operations for different security modules, and a security module with tunable latency for policy enforcement to study the impact of the latency of policy enforcement on the end-to-end latency of file operations. In our evaluation, we find opening a file would see about 87% (Linux v5.3) performance drop when the kernel is integrated with SELinux hooks (policy enforcement disabled) than without, while the figure was 27% (Linux v2.4.2). We found that performance of the above downgrade is affected by two parts, policy enforcement and hook placement. To further investigate the impact of policy enforcement and hook placement respectively, we build a Policy Testing Module, which reuses hook placements of LSM, while alternating latency of policy enforcement. With this module, we are able to quantitatively estimate the impact of the latency of policy enforcement on the end-to-end latency of file operations by using a multiple linear regression model and count policy authorization frequencies for each syscall. We then discuss and justify the evaluation results with static analysis on our enhanced syscalls' call graphs.

Soo Yee Lim,Bogdan Stelea,Xueyuan Han,Thomas Pasquier

DOI: https://doi.org/10.48550/arXiv.2111.02481

2021-11-03

Cryptography and Security

Abstract:Despite the wide usage of container-based cloud computing, container auditing for security analysis relies mostly on built-in host audit systems, which often lack the ability to capture high-fidelity container logs. State-of-the-art reference-monitor-based audit techniques greatly improve the quality of audit logs, but their system-wide architecture is too costly to be adapted for individual containers. Moreover, these techniques typically require extensive kernel modifications, making them difficult to deploy in practical settings. In this paper, we present saBPF (secure audit BPF), an extension of the eBPF framework capable of deploying secure system-level audit mechanisms at the container granularity. We demonstrate the practicality of saBPF in Kubernetes by designing an audit framework, an intrusion detection system, and a lightweight access control mechanism. We evaluate saBPF and show that it is comparable in performance and security guarantees to audit systems from the literature that are implemented directly in the kernel.

ZENG Jianping,GUO Donghui

DOI: https://doi.org/10.3969/j.issn.1000-3428.2006.06.051

2006-01-01

Abstract:Audit mechanism provides a main way to get the users’ operation record,but there still exists some deficiency in audit mechanism.So a new audit mechanism is proposed based on Markov model.The mechanism can predict the access mode and log files are grouped into three grades according the prediction result,and this can lead to smaller storage and shorter time to get witness.

Chen Weidong,Wang Chao,Zhang Li,Xu Zheng,Xing Xishuang

DOI: https://doi.org/10.3969/j.issn.1000-386x.2013.03.080

2013-01-01

Abstract:Information security of server is encountering increasingly serious security menace.Viruses,worms,Trojans and other malicious programs impose the threat on the security of server system.The operating system has the needs to identify and control from kernel layer the subjects and objects imperilling the security.Mandatory access control has to be executed on files,registry,process,etc.in kernel layer.We study and address the implementation of operating system security kernel in terms of system resources and networks covert communication in this paper.The system has been applied to the corporate websites,various types of servers and other network security applications that have higher security requirement.The mandatory access control and each process,file,registry and network communications,etc.are all endued the appropriate security attributes systematically.Security attributes are set by the administrator strictly in accordance with the rules.Combined with the principle of least privilege and security auditing,security control is conducted at the application layer on the server or server cluster.

Liye Tian,Xing Rong,Tingting Liu

DOI: https://doi.org/10.1007/978-3-642-35211-9_3

2012-01-01

Abstract:To control file access in Linux, Linux Security Module (LSM) and Virtual Filesystem are analyzed. Based on the LSM security field & hooks, a file mandatory access control system is designed and implemented on Linux2.6.26. This system meets GB 17859-1999's requirements by preserving subject and object labels. Kernel hooks are widely used in the system to get labels and judge if an access is legal. In a simplified environment the system is tested, test result shows that the system is able to complete file mandatory access control according to security policy.

L. Jin-gang

Abstract:This paper introduces a new security and reliability mechanism of the file system of Linux-limiting OS physical storage space,and make it can’t be rewritten.Will be relatively independent of the operating system installed in the physical space,and other applications software in the physical separation of space,the operating system will be installed into a physical storage medium limited to read-only,so that the operating system installed can not be rewritten on the physical layer,so as to achieve secure and reliable;at the same time,user space and system space isolated from each other in the physical space,when users need to install software or preserve documents,can be transparent in the storage space.Then describes its design principle and implement details,and comes to the conclusion of providing security and reliability without performance loss by giving fully test results.

Computer Science,Engineering

Tu Wenjie,Guan Haibing,Bai Yingcai

DOI: https://doi.org/10.3969/j.issn.1000-386X.2006.02.047

2006-01-01

Abstract:This paper analyzes the architecture and the access control mechanism of Linux file system,and provides two feasible methods to implement ACL in kernel to enhance access control function in Linux file system,which then can provide access control based on individual user and group.A detailed implementation of one method is given.