A Policy Flexible Architecture for Secure Operating System

摘要

As the fundamental software to guarantee information security, operating system is desired to support various security policies flexibly and to control the propagation and revocation of access rights efficiently. This paper presents a design and implementation of Policy Flexible Architecture (PFA) for secure operating system to achieve the coordination, extensibility, consistency and dynamic configuration of security policies. Through a thorough analysis of all related facilities, PFA classifies policy constructions into several levels according to their effects on security status; PFA emphasizes on centralized management of security policy as well as on centralized maintainability of security attributes; for the first time PFA gives revocation rules to specify how and when to revoke permissions. PFA has been applied to our Secure Enhanced Linux Operating System, and the experiment shows that the system holds at least three advantages. First, it helps users to choose intended security policies flexibly. Besides it supports users to add new security policies according to specific security requirements easily. Finally it sets permission revocations immediately and gets no significant performance penalty.