数据安全是信息系统安全的根本目的。在两类主流安全模型中,访问控制模型侧重系统主、客体间的操作控制,难以直接对数据实施全程保护,而信息流控制模型虽然直接面向信息的传递控制,但其需要映射数据与安全级关系,难以很好地在主流操作系统中应用。提出一种兼有两类模型优点的数据流控制机制DFCM。DFCM以数据为中心,通过控制面向数据状态转换的系统操作,实现对机密数据块的全程、细粒度控制保护。实验结果表明, DFCM能够在主流商用操作系统上,在低开销的前提下实现对信息的保护。%The security of data is the fundamental goal of information system security. In two kinds of main security models, the access control model puts extra emphasis on operation controlling between subjects and objects, which is difficult to protect data at the whole process. While the information flow model aims to transfer the controlling information by mapping data and security levels, and it cannot be used in major operating systems. This paper proposes a method named with DFCM, which combines the access control model and the information flow model to give full play to advantages of both models. DFCM is a data flow oriented security mechanism, and it can control system actions according to state transfer of data and hence can achieve the goal of protecting confidential data at the whole process in a fine-grained way. The experiment results show that DFCM can preserve information with low overhead on the major commercial operating system.
展开▼
