Title: Research of Application Environment Security Based on Trusted Computing
Author: Li Yong
Supervisor: Shen Changxiang
Author information: PLA Information Engineering University, Cryptography, 2011, PhD
Abstract: The application environment is a key link in the "three vertical, three horizontal, two centers" information security assurance technical framework. As the user's working environment, it is the direct window through which legitimate users interact with the information system, and at the same time an important avenue through which illegitimate users steal privileges and cause damage. Security protection of the application environment is therefore a key link in the strategic defense of information security, and whether the application environment is secure bears directly on the security of the information system. Current research on application environment security has the following problems: first, system security and application security are disconnected, and the system-layer security mechanisms do not provide strong support for the application-layer security mechanisms; second, trust and security are not closely combined, and trusted extension of the TCB (Trusted Computing Base) lacks theoretical support. As a result, application-layer security today still depends largely on the security measures of the application software itself (such as identity authentication and permission control), and application-layer security has become the weak point of the whole application environment. Addressing these problems, this dissertation focuses on how to build a secure application environment, with the aim of proposing an application environment security assurance framework, exploring the related theoretical models and technical issues, and providing theoretical support for building secure application environments. The approach is to address application environment security from three aspects: trusted mechanisms, security mechanisms and security policy. First, trusted extension of the TCB brings all security mechanisms and policies in the system within the protection scope of the TCB, ensuring that they cannot be tampered with or bypassed; second, trusted pipelines seamlessly connect the system-layer and application-layer security mechanisms, solving the disconnect between system security and application security; finally, a hierarchically designed access control policy provides effective control of unauthorized access at the application layer. The ultimate goal is to unify hardware security, system security and application security within the application environment under the support of trusted mechanisms. The research produced results in the following four areas. First, an application environment security assurance framework based on trusted computing is proposed, clarifying the approach to application environment security assurance. The key links involved in application environment security assurance are analyzed and the relations among trusted mechanisms, security mechanisms and security policy are clarified; on that basis the framework is established, in which access control mechanisms linking the system layer and the application layer, together with a hierarchical security policy, provide effective control of application-layer access behavior. Second, a TCB trusted extension model is proposed, addressing the lack of theoretical support for TCB extension. Trusted extension of the TCB boundary is the basis and precondition of application environment security assurance, yet theoretical research on TCB extension has lagged behind. The dissertation proposes a TCB trusted extension model based on TCB subsets: the TCB is partitioned hierarchically into TCB subsets according to the security policy; the time-isolation and space-isolation relations between TCB subsets are formally described; on that basis the trusted-support relation between TCB subsets is described; and finally the necessary conditions for trusted extension of the TCB are given and the decision theorem is proved. Third, a formal model of the trusted pipeline is proposed, solving the problem of seamlessly connecting the system-layer reference monitor with the application-layer reference monitor, so that system-layer security mechanisms strongly support application-layer security mechanisms. The trusted pipeline is the core component of the access control mechanism in the framework and also the key factor on which the TCB trusted extension model rests. The dissertation studies the trusted pipeline in depth: it gives its definition and classification, uses formal methods to study its constituent elements and its rules for establishment, transmission and revocation, analyzes its security with the intransitive noninterference model, and finally gives an implementation scheme and workflow. Fourth, an application-object-oriented access control model is proposed, addressing the lack of a suitable application-layer access control policy. The model introduces object-oriented ideas into task-based access control and remodels access control from the perspective of "user - role - application - task"; the state transitions of application objects bring environmental context into the access control elements, and temporary permissions realize reverse information flow. Compared with other models of its kind, it offers better security and applicability.
Abstract (English): The application environment, the working environment of the users of an information system, is the key link of the Information Security Assurance Framework. Legitimate users communicate with the information system through the application environment, while illegitimate users attack the security of the system mainly through the application environment. The safeguarding of the application environment is therefore the leading edge of information security defense, and whether the application environment is secure or not bears directly on the security of the information system. At present, research on the security of the application environment focuses on trusted hardware, secure OS design, network security and so on, but at least two problems remain. First, the safeguards of the OS and those of the application system are out of joint. Second, trust and security are not closely combined. As a result, the security of the application layer depends on the safeguards of the application software itself (such as authorization and privilege control), and the security of the application layer has become the weak point of application environment security. Addressing these problems, this paper focuses on how to build a secure application environment. Its purpose is to discuss the theories and key technologies of application environment security, propose an application environment security assurance framework, and provide academic and technical support for building a secure application environment. The paper follows the route of resolving application environment security assurance on the basis of TCB expansion. We work on a TCB trusted expanding model based on TCB subsets, in order to expand the TCB from the hardware layer to the system layer and on to the application layer. We study the trusted pipeline mechanism, supported by the hardware trusted root, in order to ensure the space-isolation relation of the TCB subsets and to join the reference monitors of the system layer and the application layer. We study an access control model suited to the application layer, in order to guarantee consistency between the system-layer access control policy and the application-layer access control policy. Eventually, results are obtained in the following four areas. First, an application environment security assurance framework based on trusted computing technology is studied. A model of application environment security assurance is proposed, in which the relations among security safeguards, security mechanisms and security policy are formally described; this is important for building a secure application environment. On the basis of this model, application environment security assurance comes down to three aspects: TCB trusted expansion, a layered access control mechanism, and a hierarchical security policy. By resolving these three problems, the safeguard mechanisms and policies of the application environment hang together, forming a complete scheme for building a secure application environment. Second, the TCB trusted expanding model is studied. Given that there is almost no theory of TCB expansion, this paper proposes a TCB trusted expanding model based on TCB subsets. In this model the TCB is divided into TCB subsets according to the hierarchy of the security policy, and the time-isolation and space-isolation relations between TCB subsets are formally described. On the basis of the trusted supporting relations of TCB subsets, the sufficient condition for judging whether the process of TCB expansion is trusted is put forward and proved. Third, the formal model of the trusted pipeline is studied. The trusted pipeline is the logical path of information flow. The definition and classification of trusted pipelines are described informally in this paper. The trusted pipeline for TCB expansion, which is the sufficient condition for the space-isolation relation between two TCB subsets to come into being, is one type of trusted pipeline and is the main object of study. In order to study the basic attributes of the TCB expanding pipeline, we bring forward the formal definition of the trusted pipeline and the rules for establishing, transmitting and withdrawing it. Finally, the theory of noninterference is imported to discuss the security of this model, and an implementation scheme is proposed. Fourth, the Application Object Oriented Access Control model is studied. This model, which integrates the advantages of the task-based access control model (TBAC), the object-oriented access control model and the role-based access control model (RBAC), can be used in production-oriented information systems to raise the security level. In this model the task of a workflow is abstracted as an application class and an instance of the task as an application object. The internal characteristics and external relations of application objects are formally described, and a set of security rules is brought forward to achieve fine-grained access control that restricts operations on application objects according to context.
Key words: Trusted Computing; Application Environment; TCB Expanding; Trusted Pipeline; Application Object; Access Control
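The application-object-oriented access control model of the fourth contribution, as an added illustration that is not code from the dissertation: a task instance is an application object whose current state decides which role may perform which operation (context as an access-control element), and a bounded temporary grant lets an earlier-stage role pull a submitted task back, which is the reverse information flow the abstract mentions. The workflow states, roles and operations are constructed for the example; the dissertation's own rule set is not given on this page.

```python
from dataclasses import dataclass, field

# Constructed workflow for the example: a "purchase request" application class.
# Static policy: (object state, operation) -> the role the state permits.
PERMITTED = {
    ("drafted", "submit"): "clerk",
    ("submitted", "approve"): "reviewer",
    ("submitted", "reject"): "reviewer",
    ("approved", "archive"): "auditor",
}
# State transitions caused by each operation. "recall" moves a submitted
# request back to the clerk (reverse flow) and is never statically permitted.
TRANSITIONS = {
    ("drafted", "submit"): "submitted",
    ("submitted", "approve"): "approved",
    ("submitted", "reject"): "drafted",
    ("submitted", "recall"): "drafted",
    ("approved", "archive"): "archived",
}


@dataclass
class ApplicationObject:
    """One task instance; its state is the access-control context."""
    state: str = "drafted"
    # operation -> (role, uses left): temporary permissions handed out at run time
    temp_grants: dict = field(default_factory=dict)

    def grant_temporary(self, operation, role, uses=1):
        """A later-stage role hands out a bounded, temporary permission."""
        self.temp_grants[operation] = (role, uses)

    def allowed(self, role, operation):
        """Decision: static policy for the current state, else an unused grant."""
        if PERMITTED.get((self.state, operation)) == role:
            return True
        grant = self.temp_grants.get(operation)
        return grant is not None and grant[0] == role and grant[1] > 0

    def perform(self, role, operation):
        """Reference-monitor style: decide, consume the grant, then transition."""
        if not self.allowed(role, operation):
            return False
        if PERMITTED.get((self.state, operation)) != role:
            granted_role, uses = self.temp_grants[operation]
            self.temp_grants[operation] = (granted_role, uses - 1)
        self.state = TRANSITIONS.get((self.state, operation), self.state)
        return True
```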