èŠ‚ç‚¹æ–‡çŒ®

åŸºäºŽæ¨¡åž‹æ£€æµ‹çš„å®‰å…¨æ“ä½œç³»ç»ŸéªŒè¯æ–¹æ³•ç ”ç©¶

Research on Verification of Secure Operating System Based on Model Checking

åˆ†é¡µä¸‹è½½
åˆ†ç« ä¸‹è½½
æ•´æœ¬ä¸‹è½½
åœ¨çº¿é˜…è¯»
ä¸æ”¯æŒè¿…é›·ç‰ä¸‹è½½å·¥å…·ï¼Œè¯·å–æ¶ˆåŠ é€Ÿå·¥å…·åŽä¸‹è½½ã€‚

ã€ä½œè€…ã€‘ ç¨‹äº®ï¼›

ã€ä½œè€…åŸºæœ¬ä¿¡æ¯ã€‘ ä¸å›½ç§‘å¦æŠ€æœ¯å¤§å¦ ï¼Œ ä¿¡æ¯å®‰å…¨ï¼Œ 2009ï¼Œ åšå£«

ã€æ‘˜è¦ã€‘ å®‰å…¨æ“ä½œç³»ç»Ÿçš„å½¢å¼åŒ–éªŒè¯,ä½œä¸ºé«˜ç‰çº§å®‰å…¨æ“ä½œç³»ç»Ÿè¯„ä¼°å‡†åˆ™çš„ä¸€é¡¹é‡è¦æŒ‡æ ‡å’Œæ“ä½œç³»ç»Ÿå®‰å…¨æ€§èƒ½æœ€æœ‰æ•ˆçš„è¯æ˜Žæ‰‹æ®µ,å…·æœ‰é‡è¦æ„ä¹‰ä¸Žå®žç”¨ä»·å€¼ã€‚ç›®å‰å½¢å¼åŒ–éªŒè¯ä¸»è¦åˆ†ä¸ºæ¨¡åž‹æ£€æµ‹å’Œå®šç†è¯æ˜Žä¸¤å¤§ç±»æ–¹æ³•ã€‚æœ¬è®ºæ–‡é›†ä¸æŽ¢è®¨äº†æ¨¡åž‹æ£€æµ‹æŠ€æœ¯åœ¨å®‰å…¨æ“ä½œç³»ç»ŸéªŒè¯å„ä¸ªå±‚æ¬¡ä¸çš„ä¸€äº›å…³é”®é—®é¢˜,ä¸»è¦å·¥ä½œå’Œåˆ›æ–°æˆæžœå¦‚ä¸‹:é¦–å…ˆ,é’ˆå¯¹SELinuxç–ç•¥é…ç½®å¤æ‚éš¾ä»¥åˆ†æžçš„é—®é¢˜,æå‡ºäº†ä¸€ç§åŸºäºŽæ¨¡åž‹æ£€æµ‹çš„SELinuxç–ç•¥åˆ†æžæ–¹æ³•,ä»¥éªŒè¯ç–ç•¥å®žæ–½ä¸Žå®‰å…¨éœ€æ±‚ä¹‹é—´çš„ä¸€è‡´æ€§é—®é¢˜ã€‚é‡‡ç”¨æ‰©å±•çš„æ ‡ç¾è¿ç§»ç³»ç»Ÿ,å°†MLSç–ç•¥å’Œæ™®é€šTE-RBACç–ç•¥çš„æè¿°èžå…¥åˆ°ç»Ÿä¸€çš„æè¿°æ¡†æž¶ä¸‹,å¹¶å®Œæ•´å®šä¹‰äº†ç–ç•¥é…ç½®è¯å¥çš„ä¿¡æ¯æµå±žæ€§,ä¸ä»…è€ƒè™‘äº†åž‹è®¿é—®è§„åˆ™é€ æˆçš„ä¿¡æ¯æµåŠ¨,ä¹Ÿå…¼é¡¾äº†åž‹è½¬ç§»ä»¥åŠMLSçº¦æŸå¯¹ç–ç•¥æ¨¡åž‹ä¿¡æ¯æµçš„å½±å“ã€‚è®¾è®¡äº†ä¸€ç§æ–°åž‹çš„å®‰å…¨éœ€æ±‚æè¿°è¯è¨€,å°†å®‰å…¨éœ€æ±‚ä¸Žå’Œç–ç•¥é…ç½®å‰¥ç¦»å¼€,ä½¿å®‰å…¨éœ€æ±‚çš„æè¿°ä¸ä¾èµ–äºŽå¯¹å®žæ–½ç»†èŠ‚çš„äº†è§£,æ‰©å±•äº†æ¨¡åž‹æ£€æµ‹å™¨æŽ¢ç´¢æœªçŸ¥æ¼æ´žçš„èƒ½åŠ›ã€‚å…¶æ¬¡,æå‡ºäº†å®‰å…¨æ¨¡åž‹ä¸Žå®‰å…¨éœ€æ±‚çš„ä¸€è‡´æ€§éªŒè¯æ–¹æ³•ã€‚åˆ©ç”¨UMLç±»å›¾å’ŒçŠ¶æ€æœºå›¾åœ¨ç³»ç»ŸåŠ¨ã€é™æ€å»ºæ¨¡æ–¹é¢çš„è¡¨è¾¾èƒ½åŠ›,è®¾è®¡äº†ä¸€ç§æ–°çš„å®‰å…¨æ¨¡åž‹UMLæè¿°æ–¹å¼ã€‚å¹¶åœ¨æ¤åŸºç¡€ä¸Šç»™å‡ºäº†UMLå›¾çš„çŠ¶æ€æœºè¯ä¹‰,å°†UMLæ¨¡åž‹ç¼–è¯‘æˆæ¨¡åž‹æ£€æµ‹å™¨çš„è§„èŒƒè¯è¨€,ä½¿ç”¨æ¨¡åž‹æ£€æµ‹åˆ†æžå®‰å…¨æ¨¡åž‹çš„æ€§èƒ½ã€‚è¿™ä¸€æˆæžœä½¿åˆ©ç”¨è‡ªåŠ¨åŒ–å·¥å…·è¾…åŠ©å®‰å…¨æ¨¡åž‹çš„æ£ç¡®æ€§éªŒè¯æˆä¸ºå¯èƒ½,å‡å°‘äº†ä¼ ç»Ÿå®‰å…¨æ¨¡åž‹éªŒè¯æ–¹æ³•ä¸å¯¹éªŒè¯äººå‘˜å½¢å¼åŒ–ç†è®ºçš„è¿‡é«˜è¦æ±‚ä»¥åŠç¹é‡çš„æ‰‹å·¥æŽ¨å¯¼è¿‡ç¨‹ã€‚æœ€åŽ,æŽ¢è®¨äº†å®‰å…¨éªŒè¯ä¸æµ‹è¯•é›†çš„ä¼˜åŒ–é—®é¢˜ã€‚æå‡ºç®€å¹¶æµ‹è¯•é›†çš„æ¦‚å¿µ,å°†æµ‹è¯•å†—ä½™ä»ŽçŠ¶æ€æ‰©å±•åˆ°çŠ¶æ€è¿ç§»,å°†æµ‹è¯•é›†ä¸çš„å†—ä½™å½’ä¸ºæœ€å°ã€‚åœ¨æ¤å®šä¹‰çš„åŸºç¡€ä¸Š,æˆ‘ä»¬ä»¥æ¨¡åž‹æ£€æµ‹ä½œä¸ºåŽç«¯çš„æœç´¢å¼•æ“Ž,ç»™å‡ºç®€å¹¶æµ‹è¯•é›†çš„ç”Ÿæˆç®—æ³•ã€‚é¦–æ¬¡è®¨è®ºäº†åœ¨æµ‹è¯•é›†å’Œç³»ç»Ÿå®žçŽ°ç›¸æ‚–æ—¶å¯¹æµ‹è¯•ç»“æžœçš„åˆ¤å®šã€‚å¹¶æ®æ¤å¯¹ç®—æ³•åŠ ä»¥æ”¹è¿›,ä½¿å¾—åœ¨ä¸å½±å“æµ‹è¯•é›†ç”Ÿæˆçš„å‰æä¸‹,å³ä½¿æµ‹è¯•å¤±è´¥,æµ‹è¯•äººå‘˜ä¹Ÿå¯ä»¥å‡†ç¡®åœ°å¯¹å¤±è´¥ä½ç½®è¿›è¡Œå®šä½ã€‚æ›´å¤š è¿˜åŽŸ

ã€Abstractã€‘ As an important index of high-level operating system evaluation criterion,and the most effective proof of the security property of the operating system,formal verification of secure operating system has great significance and practical value.In the current stage,formal verification can be divided mainly into two classes:model checking and theory proving.This thesis focuses on some key issues of model checking,in each hierarchy of the formal verification framework of the secure operating system. The main work and innovations are listed as follows:Fist,to the problem that SELinux policy configuration is complicated and hard to analyze,a unified information flow analysis of SELinux policies is proposed,which is based on the techniques of model checking.It can be used to verify the coherence of the security requirement and the policy implementations.A labeled transition system is adopted to merge MLS policies and TE-RBAC policies into a unified description framework.A complete definition of information flow property of the policy configuration is given,including the information flow caused by type access rules, type transition rules and especially MLS constraint rules in SELinux policy configuration. Also,a new security requirement description language is designed to strip off the high-level security requirement description from the low-level policy implementation, which makes the requirement representation independent of the detail of policy language and extends the capability to explore unknown vulnerability.Secondly,a coherence verification of security model and requirement is proposed. In the use of the expression of UML class diagram and state machine diagram in the static and dynamic modeling,a new security model description method of UML is designed.The UMLized model is compiled to model checkerâ€™s specification language after given the UML diagramâ€™s state machine semantics.Then the requirement,which is also translated to the model checkerâ€™s input,can be checked accordingly against to the security model.This achievement makes it possible to verify the correctness of security model semi-automatically and reduces the high requirement of formal methods and the heavy work in the traditional security model verification.Finally,about optimization of test sets in the security verification,the concept of degenerate test set is proposed,considering not only the redundant state,but also the state transition.The generation algorithm is represented then.A discussion is made to determine the algorithmâ€™s effectiveness when test case fails for the first time. After that,an improved DTS generation algorithm is given,which can show the failure location accurately without affecting the efficiency of the algorithm.æ›´å¤š è¿˜åŽŸ

ã€å…³é”®è¯ã€‘ å®‰å…¨æ“ä½œç³»ç»Ÿï¼› å½¢å¼åŒ–éªŒè¯ï¼› å®‰å…¨æ¨¡åž‹ï¼› å®‰å…¨ç–ç•¥ï¼› ä¿¡æ¯æµåˆ†æžï¼› æ¨¡åž‹æ£€æµ‹ï¼›
ã€Key wordsã€‘ Secure Operating Systemï¼› Formal Verificationï¼› Security Modelï¼› Security Policyï¼› Information Flow Analysisï¼› Model Checkingï¼›

ã€ç½‘ç»œå‡ºç‰ˆæŠ•ç¨¿äººã€‘ ä¸å›½ç§‘å¦æŠ€æœ¯å¤§å¦

ã€åˆ†ç±»å·ã€‘TP316
ã€è¢«å¼•é¢‘æ¬¡ã€‘7
ã€ä¸‹è½½é¢‘æ¬¡ã€‘837
æ”»è¯»æœŸæˆæžœ

çŸ¥ç½‘èŠ‚ä¸‹è½½

èŠ‚ç‚¹æ–‡çŒ®ä¸ï¼š

æœ¬æ–‡é“¾æŽ¥çš„æ–‡çŒ®ç½‘ç»œå›¾ç¤º:

æœ¬æ–‡çš„å¼•æ–‡ç½‘ç»œ

èŠ‚ç‚¹æ–‡çŒ®

èŠ‚ç‚¹æ–‡çŒ®

åŸºäºŽæ¨¡åž‹æ£€æµ‹çš„å®‰å…¨æ“ä½œç³»ç»ŸéªŒè¯æ–¹æ³•ç ”ç©¶

Research on Verification of Secure Operating System Based on Model Checking

æœ¬æ–‡é“¾æŽ¥çš„æ–‡çŒ®ç½‘ç»œå›¾ç¤º:

åŸºäºŽæ¨¡åž‹æ£€æµ‹çš„å®‰å…¨æ“ä½œç³»ç»ŸéªŒè¯æ–¹æ³•ç ”ç©¶