• The KIPS Transactions:PartC
• /
• v.12C no.7 s.103
• /
• pp.999-1006
• /
• 2005

The Secure OS is an operating system which adds security functions to the existing operating system, in order to secure a system from sorority problems originated from inherent frailty of applications or operating systems. With the existing Secure Oses for it is difficult to set an effective security policy securing personal resources in a multi-user environment system. To solve this problem in this paper we present two Techniques to secure user data efficiently in the RBAC-based Secure OS for a multi-user environment. Firstly we utilizes object's owner information in addition to object's filename. Secondly we make use of meta symbol('$\ast$'), which is able to describe multiple access targets. In addition this paper gives some examples to show advantages from these techniques. And these features are implemented in an solaris-based Secure OS called Secusys.

• The Transactions of The Korean Institute of Electrical Engineers
• /
• v.62 no.9
• /
• pp.1209-1216
• /
• 2013

Recently, there is a rising interest in smart grid operating system which manages various types of distributed generation, smart meters, and electric vehicles with power grid. Considering the features of smart grid environment, the interoperability should be one of the important factors to build smart grid environment successfully. To secure interoperability, smart grid operating system should conform to some standards in terms of the data representation and communication. CIM and OPC-UA are the international standards widely used in smart grid domain for enabling interoperability. They provide common information model and the unified architecture for communicating between each systems or applications. In this paper, we illustrate a smart grid operating system that we have developed to secure interoperability between not only applications but also numerous legacy systems(applications) by implementing CIM based information model and OPC-UA based communication interface services.

• 제어로봇시스템학회:학술대회논문집
• /
• 2003.10a
• /
• pp.2174-2177
• /
• 2003

Internet is exposed to network attacks as Internet has a security weakness. Network attacks which are virus, system intrusion, and deny of service, put Internet in the risk of hacking, so the damage of public organization and banking facilities are more increased. So, it is necessary that the security technologies about intrusion detection and controlling attacks minimize the damage of hacking. Router is the network device of managing traffic between Internets or Intranets. The damage of router attack causes the problem of the entire network. The security technology about router is necessary to defend Internet against network attacks. Router has the need of access control and security skills that prevent from illegal attacks. We developed integrated security management framework for secure networking and kernel-level security engine that filters the network packets, detects the network intrusion, and reports the network intrusion. The security engine on the router protects router or gateway from the network attacks and provides secure networking environments. It manages the network with security policy and handles the network attacks dynamically.

• Proceedings of the Korea Information Processing Society Conference
• /
• 2002.11b
• /
• pp.979-982
• /
• 2002

본 논문에서는 로컬 또는 리모트에서 사용자가 서버 시스템에 접근하기 위해서 가장 먼저 거치게 되는 인증 절차 수행에 관련된 것으로 허가된 사용자의 접근만을 허용하고, 인증요청 메시지의 진위 여부를 확인시켜주는 기능과 사용자가 입력하는 중요 정보가 다른 사용자에게 유출되지 않도록 보장하는 기능을 추가한 신뢰성이 보장되는 인증방법을 소개한다. 본 논문에서는 역할기반의 접근제어 시스템을 커널 내부에 추가하고. 사용자인증에 비밀번호와 하드웨어 장치인 스마트카드를 사용함으로써 강화된 사용자 인증 시스템을 구현하였다.

• 제어로봇시스템학회:학술대회논문집
• /
• 2005.06a
• /
• pp.1594-1597
• /
• 2005

A rapid development and a wide use of the Internet have expanded a network environment. Further, the network environment has become more complex due to a simple and convenient network connection and various services of the Internet. However, the Internet has been constantly exposed to the danger of various network attacks such as a virus, a hacking, a system intrusion, a system manager authority acquisition, an intrusion cover-up and the like. As a result, a network security technology such as a virus vaccine, a firewall, an integrated security management, an intrusion detection system, and the like are required in order to handle the security problems of Internet. Accordingly, a router, which is a key component of the Internet, controls a data packet flow in a network and determines an optimal path thereof so as to reach an appropriate destination. An error of the router or an attack against the router can damage an entire network. This paper relates to a method for RSMS (router security management system) for secure networking based on a security policy. Security router provides functions of a packet filtering, an authentication, an access control, an intrusion analysis and an audit trail in a kernel region. Security policy has the definition of security function against a network intrusion.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.25 no.4
• /
• pp.863-872
• /
• 2015

Kernel rootkit is recognized as one of the most severe and widespread threats to corrupt the integrity of an operating system. Without an external monitor as a root of trust, it is not easy to detect kernel rootkits which can intercept and modify communications at the interfaces between operating system components. To provide such a monitor isolated from an operating system that can be compromised, most existing solutions are based on external hardware. Unlike those solutions, we develop a kernel introspection system based on the ARM TrustZone technology without incurring extra hardware cost, which can provide a secure memory space in isolation from the rest of the system. We particularly use a secure timer to implement an autonomous switch between secure and non-secure modes. To ensure integrity of reference, this system measured reference from vmlinux which is a kernel original image. In addition, the flexibility of monitoring block size can be configured for efficient kernel introspection system. The experimental results show that a secure kernel introspection system is provided without incurring any significant performance penalty (maximum 6% decrease in execution time compared with the normal operating system).

• Proceedings of the Korea Information Processing Society Conference
• /
• 2003.05c
• /
• pp.2253-2256
• /
• 2003

인터넷이 가지고 있는 보안 취약성 때문에 바이러스, 해킹, 시스템 침입, 시스템 관리자 권한 획득, 침입사실 은닉, 서비스거부공격 등과 같은 다양한 형태의 네트워크 공격에 노출되어 있다. 이러한 네트워즈 공격으로 인해 인터넷에 대한 침해가 증가하고 있어 공공기관과 사회기반시설 및 금융 기관은 피해 규모와 영향이 크다. 따라서, 인터넷 침해를 최소화하기 위해 동적으로 침입을 감지하고 제어할 수 있는 보안 기술이 필요하다. 본 논문에서는 네트워크의 패킷을 필터링하고 침입을 탐지하며 불법 침입을 통보하는 커널 수준의 통합 보안 엔진을 설계하고 구현하여 안전한 네트워킹 환경을 제공하며, 보안 환경의 변화에 민첩하게 유기적으로 대처할 수 있는 통합된 관리 방법을 제시한다.

• Journal of Appropriate Technology
• /
• v.7 no.2
• /
• pp.172-187
• /
• 2021

In remote villages without access to modern IT technology, simple devices such as smartcards can be used to carry out business transactions. These devices typically store multiple business applications from multiple vendors. Although devices must prevent malicious or accidental security breaches among the applications, a secure communication channel between two applications from different vendors is often required. In this paper, first, we propose a method of establishing secure communication channels between applications in embedded operating systems that run on multi-applet smart cards. Second, we enforce the high assurance using an intransitive noninterference security policy. Thirdly, we formalize the method through the Z language and create the formal specification of the proposed secure system. Finally, we verify its correctness using Rushby's unwinding theorem.

• The Journal of Korea Institute of Information, Electronics, and Communication Technology
• /
• v.3 no.4
• /
• pp.35-42
• /
• 2010

This paper reviews the current studies about the current secure OS, security module and SELinux, and suggests Linux access control module that uses the user discriminating authentication, security authority inheritance of subjects and objects, reference monitor and MAC class process and real-time audit trailing using DB. First, during the user authentication process, it distinguishes the access permission IP and separates the superuser(root)'s authority from that of the security manager by making the users input the security level and the protection category. Second, when the subjects have access to the objects through security authority inheritance of subjects and objects, the suggested system carries out the access control by comparing the security information of the subjects with that of the objects. Third, this system implements a Reference Monitor audit on every current events happening in the kernel. As it decides the access permission after checking the current MAC security attributes, it can block any malicious intrusion in advance. Fourth, through the real-time audit trailing system, it detects all activities in the operating system, records them in the database and offers the security manager with the related security audit data in real-time.

• Proceedings of the KSR Conference
• /
• 2002.10a
• /
• pp.357-366
• /
• 2002

In this paper the cases on accidents/incidents and the reporting/responding procedures of high-speed rail operating countries will be reviewed and what these suggest us will be identified, and those countries' efforts to secure the prompt rescue system will be reviewed and the plan to secure the more customized rescue and rehabilitation system taking account into circumstances of our high-speed railway accident/incident will be presented.