Cite this article
  • Liu Hongwei, Xia Haojun, Tu Bibo, Wang Xiaotong. Research on Lightweight Dynamic Authorization Mechanism for BMC System[J]. Journal of Cyber Security, accepted.
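Research on a Lightweight Dynamic Authorization Mechanism for the Baseboard Management Controller
Liu Hongwei, Xia Haojun, Tu Bibo, Wang Xiaotong
(Institute of Information Engineering, Chinese Academy of Sciences)
Abstract:
Out-of-band server management based on the baseboard management controller (BMC) has become the industry standard for data center operation and maintenance. However, as the core control unit of out-of-band management, the BMC has long carried security risks such as excessive privileges and privilege abuse. Because it is an embedded device whose computing and storage resources are extremely limited and which must also expose multiple kinds of management protocol interfaces, directly deploying an existing authorization mechanism on it would greatly increase system load and cause some management functions to respond abnormally; moreover, a dedicated control mechanism would have to be customized for each management protocol, which greatly increases the design complexity of the authorization mechanism. To address this, this paper proposes a lightweight dynamic authorization mechanism for the BMC, consisting of a unified definition rule for management privileges and a dynamic authorization engine. The unified definition rule expresses the mutually incompatible management privileges of different protocols as unified privilege descriptors, achieving a unified, fine-grained division of management privileges. On this basis, the dynamic engine intercepts users' session requests and management requests to perform life-cycle maintenance of user privileges, access control decisions, dynamic function changes, and auditing of operation records. Given the resource-constrained nature of the BMC, the mechanism uses the DBus framework provided by the BMC system for fast, standardized inter-process communication, which reduces the logical complexity of the program; it uses the Linux Inotify mechanism to cache the required files in real time, reducing system-level I/O load, and it streamlines the control flow, keeping the mechanism lightweight and efficient. Experimental results show that the proposed mechanism achieves dynamic control of user privileges with little impact on system performance, and ensures that all management functions receive a timely response.
Keywords:  baseboard management controller  embedded device  unified definition rule  dynamic authorization  operation record auditing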
DOI:10.19363/J.cnki.cn10-1380/tn.2024.02.10
Received: 2021-11-04  Revised: 2022-02-28
Funding:
Research on Lightweight Dynamic Authorization Mechanism for BMC System
Liu Hongwei, Xia Haojun, Tu Bibo, Wang Xiaotong
(Institute of Information Engineering, Chinese Academy of Sciences, Beijing)
Abstract:
Out-of-band management of servers based on the baseboard management controller has become an industry standard for data center operation and maintenance. However, as the core control unit in out-of-band management, the baseboard management controller has long been plagued by security risks such as excessive privileges and authorization abuse. Because it is an embedded device with constrained computing and storage resources that must also support multiple types of management protocol interfaces, directly deploying an existing authorization mechanism would significantly increase the system load and cause abnormal responses from some management functions. Besides, each management protocol would need its own proprietary scheme, which dramatically increases the complexity of the authorization mechanism. In this paper, we propose a lightweight dynamic authorization mechanism consisting of a definition rule and a dynamic authority management engine. The definition rule redefines the incompatible management privileges of different protocols as a unified privilege descriptor, achieving a unified and fine-grained division of management privileges. Based on the definition rule, the authority management engine maintains the life cycle of user privileges, controls user access, dynamically modifies user privileges, and audits user operations by intercepting user session requests and management requests. Considering the resource-constrained nature of the baseboard management controller, and in order to reduce the complexity of the implemented program, the dynamic authorization mechanism uses the DBus framework provided by the system running on the baseboard management controller for fast and standardized inter-process communication. The proposed mechanism also uses the Linux Inotify mechanism to cache the required files so as to reduce system-level I/O load. Meanwhile, the access control process is simplified to keep the dynamic authorization mechanism lightweight and efficient. Experimental results show that the proposed mechanism achieves dynamic management of user privileges. At the same time, it imposes only a small overhead on system performance and ensures the timely response of all management functions.
Key words:  baseboard management controller  embedded device  definition rule  dynamic authority management  audit user operations
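
The abstract's two parts, a unified privilege descriptor and an engine that tracks session privileges, decides access, changes privileges at run time and audits each decision, can be sketched as follows. This is an added example, not code from the paper: the `Perm` bits, the `MAPPINGS` table and the `Engine` class are assumptions made for illustration; only the IPMI privilege levels and Redfish privilege names are real protocol terms.

```python
from enum import Flag, auto

class Perm(Flag):
    """Hypothetical unified privilege descriptor: one bit per capability."""
    READ_STATUS = auto()
    POWER_CONTROL = auto()
    CONFIGURE_BMC = auto()
    MANAGE_USERS = auto()

ALL = Perm.READ_STATUS | Perm.POWER_CONTROL | Perm.CONFIGURE_BMC | Perm.MANAGE_USERS

# Protocol-native privilege names (IPMI levels, Redfish privileges) mapped to
# the unified descriptor. The mapping itself is an assumption for illustration.
MAPPINGS = {
    "ipmi": {"User": Perm.READ_STATUS,
             "Operator": Perm.READ_STATUS | Perm.POWER_CONTROL,
             "Administrator": ALL},
    "redfish": {"Login": Perm.READ_STATUS,
                "ConfigureComponents": Perm.POWER_CONTROL,
                "ConfigureManager": Perm.CONFIGURE_BMC,
                "ConfigureUsers": Perm.MANAGE_USERS},
}

class Engine:
    def __init__(self):
        self.sessions = {}   # session id -> granted Perm bits
        self.audit = []      # (session id, operation, allowed) records

    def open_session(self, sid, protocol, native_privs):
        table = MAPPINGS[protocol]          # unknown protocol raises KeyError
        granted = Perm(0)
        for name in native_privs:
            granted |= table.get(name, Perm(0))   # unknown names grant nothing
        self.sessions[sid] = granted

    def revoke(self, sid, perm):
        """Dynamic change: drop bits from a live session."""
        if sid in self.sessions:
            self.sessions[sid] &= ~perm

    def close_session(self, sid):
        self.sessions.pop(sid, None)

    def check(self, sid, needed, operation):
        """Default-deny decision; every decision is written to the audit log."""
        granted = self.sessions.get(sid, Perm(0))
        allowed = bool(needed) and (granted & needed) == needed
        self.audit.append((sid, operation, allowed))
        return allowed
```

Because both protocols resolve to the same `Perm` bits, a single `check` path serves IPMI and Redfish sessions, and a `revoke` on a live session takes effect on the next request without re-authentication.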