Journal of the Korea Institute of Information Security & Cryptology (정보보호학회논문지)

Korea Institute of Information Security and Cryptology (한국정보보호학회)
권호 표지
DOI QR코드

DOI QR Code

An Access Control Security Architecture for Secure Operating System supporting Flexible Access Control

유연한 접근통제를 제공하는 보안 운영체제를 위한 접근통제 보안구조

  • Kim Jung-Sun (Dept. of Computer Science, Chonnam National University) ;
  • Kim Min-Soo (Dept. of Information Security, Mokpo National University) ;
  • No Bong-Nam (School of Electronics, Computer and Information Engineering, Chonnam National University)
  • 김정 (순전남대학교 전산학과) ;
  • 김민수 (목포대학교 정보보호학과) ;
  • 노봉남 (전남대학교 전자컴퓨터정보통신공학부)
  • Published : 2006.04.01
Download PDF
⟨ Previous Next ⟩

Abstract

In this paper, we propose a new access control security architecture for supporting flexibility in Secure Operating Systems. By adding virtual access control system layer to the proposed security architecture, various access control models such as MAC, DAC, and RBAC can be applied to Secure Operating Systems easily. The proposed security architecture is designed to overcome the problem of Linux system's base access control system. A policy manager can compose various security models flexibly and apply them to Operating Systems dynamically. Also, the proposed architecture is composed of 3 modules such as access control enforcement, access control decision, and security control. And access control models are abstracted to hierarchy structure by virtual access control system. And, we present the notation of policy conflict and its resolution method by applying various access control model.

본 논문에서는 유연한 접근통제를 제공하는 보안 운영체제에 적합한 새로운 접근통제 보안구조를 제안한다. 제안된 보안구조는 가상 접근통제 시스템을 추가하여 다양한 접근통제모델을 보안 운영체제에 쉽게 적용할 있는 특성을 제공한다. 또한, 기존의 리눅스 시스템의 표준 접근통제의 단점을 극복하기 위해 설계되었으며, 유연하게 보안모델들을 조합할 수 있을 뿐만 아니라 동적으로도 보안모델들을 적용할 수 있다. 제안된 접근통제 보안구조는 접근통제집행부분과 접근통제결정 부분, 보안제어부분으로 분리되고, 가상 접근통제 시스템에 의해 접근통제 모델들은 계층적 구조로 추상화된다. 그리고 다양한 접근통제 모델을 적용함으로써 발생하는 정책충돌의 개념과 해결방법을 제시한다.

Keywords

References

  1. 김정녀, 손승원, 이철훈, '안전한 운영체제 접근 제어 정책에 대한 보안성 및 성능 시험', 정보처리학회논문지, 제 10-D권 제 5호, Aug. 2003
  2. 홍기융, 김재명, 홍기완, 'Secure OS 보안정 책 및 메커니즘', 정보보호학회지, 제 15권 제 4호, Aug. 2003
  3. D. F. Ferraiolo, R. Sandhu, S. Gavrila, D. R. Kuhn, and R. Chandramouli, 'Proposed NIST Standard for Role-Based Access Control,' ACM Transactions on Information and Systems Security, Vol. 4, No. 3, pp. 224-274, Aug 2001 https://doi.org/10.1145/501978.501980
  4. A. Ott, 'The Rule Set Based Access Control (RSBAC) Linux Kernel Security Extension,' 8th Int. Linux Kongress, Enschede 2001
  5. P. Loscocco and S. Smalley, 'Integrating Flexible Support for Security Policies into the Linux Operating System,' In Proceedings of the FREENIX Track: 2001 USENIX Annual Tec. Conference, June 2001
  6. R. Spencer, S. Smalley, P. Loscocco, M. Hibler, D. Andersen, and J. Lepreau, 'The Flask Security Architecture: System Support for Diverse Security Policies,' In Proceedings of the Eighth USENIX Security Symposium, pp. 123- 139, Aug. 1999
  7. A. Ott, 'Rule Set Based Access Control as Proposed in the Generalized Framework for Access Control approach in Linux,' Master's thesis, University of Hamburg, pp. 157, Nov. 1997
  8. R. Sandhu, E. Coyne, H. Feinstein, and C. Youman, 'Role-Based Access Control Models,' IEEE Computer, Vol 29, No 2 , pp. 38-47, 1996
  9. L. Mcvoy and C. Staelin, 'lmbench: Portable Tools for Performance Analysis,' In Proceedings of USENIX Annual Technical Conference, Jan. 1996
  10. M. D. Abrams, K. W. Eggers, L. J. L. Padula, and I. M. Olson, 'A Generalized Framework for Access Control: An Informal Description,' In Proceedings of the Thirteenth National Computer Security Conference, pp. 135-143, Oct. 1990
  11. M. D. Abrams, L. J. L. Padula, and I. M. Olson, 'Building Generalized Access Control On UNIX,' In Proceedings of the 2nd USENIX Security Workshop, pp. 65-70, Aug. 1990
  12. C. P. Pfleeger and S. Lawrence Pfleeger, Security in Computing, PRENTICE HALL, 2002
  13. D. Gollmann, Computer Security, John Wiley & SONS, 1999
  14. S. Smalley, Configuring the SELinux Policy, Technical report, NSA, Feb. 2002
  15. S. Smalley, C. Vance, and W. Salamon, Implementing SELinux as a Linux Security Module, Technical report, NAI Labs, May 2002
  16. Medusa DS9, http://medusa.fornax.sk
  17. The Linux Test Project http://ltp.sourceforge.net
  18. The LMbench Project http://lmbench.sour ceforge.net