摘要: |
作为重要的机密性策略经典模型,BLP模型通过对主体和客体进行分级和标记,并引入高安全等级的引用监视器,实现信息系统的强制访问。随着移动智能终端的普及,Web操作系统因其具有移动性、移植性、高扩展性和跨平台性等优点,成为移动政务系统的主要解决方案之一,并越来越受到研究人员的重视。但现有的Web操作系统对机密性要求不高,无法满足移动政务系统对安全保密的需求。本文从安全模型构建入手,对智能终端的Web操作系统进行抽象建模,并重定义BLP模型的元素,增强主客体的访问控制以提高其机密性。鉴于BLP模型缺乏可信主体的最小权限原则和完整性约束,本文在改进的BLP模型当中重新划分主体、客体的安全级,增加可信级别标记和角色映射函数,并针对现有的Web操作系统进行模型映射,实现了最小权限原则、主体完整性约束和域间隔离机制,可有效提高Web操作系统机密性等级。 |
关键词: Web操作系统 BLP模型 移动终端 操作系统安全 最小权限原则 完整性 隔离 |
DOI:10.19363/j.cnki.cn10-1380/tn.2017.10.002 |
Received:May 06, 2016Revised:September 08, 2016 |
基金项目:中国科学院战略性先导专项项目:重点行业应用系统信息安防关键技术研究(No.XDA06010703)资助。 |
|
Research and Application of Improved BLP Model for Mobile Web Operating System |
ZHU Dali,YANG Ying,JIN Hao,SHAO Jing,FENG Weimiao |
University of Chinese Academy of Sciences, Beijing 100049, China;Institute of Information Engineering, Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China |
Abstract: |
BLP modeling of Web operating system, and redefines the model elements, mapping functions, as well as access control policy on both the subject and object to improve its confidentiality. As BLP model is lack of the least privilege principle on trusted subject and integrity constraints, we redraw the security level of the subject and object, add the tag of confidence level and role mapping function which is according to the existing security model of Web operating system. Finally, we implement the principle of least privilege, the integrity constraints on subjects and isolation mechanism between domains, which can effectively improve the security. |
Key words: Web operating system BLP model mobile terminal operation system security principle of least privilege integrity isolation |