CN106557699A - Operating system security hardening system based on a capability module - Google Patents

Publication number
CN106557699A
Authority
CN
China
Legal status
Pending
Application number
CN201610997445.0A
Other languages
Chinese (zh)
Inventor
郑驰
梁思谦
Current Assignee
Datang High Hung Principal (zhejiang) Mdt Infotech Ltd
Original Assignee
Datang High Hung Principal (zhejiang) Mdt Infotech Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication

Abstract

The present invention discloses an operating system security hardening system based on a capability module. A user-capability correspondence table, which records users and the capabilities assigned to them, is configured and stored in the system kernel. When a process is created, the table is looked up by user to obtain that user's capability items, and those capabilities are assigned to the process, so that the process runs with the capabilities it has been given. A privilege management user is set up and maintains the user-capability correspondence table from user space; the privilege management user is configured not to possess the CAP_DAC_OVERRIDE capability. The superuser is configured in the user-capability correspondence table without the CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH capabilities. By having the privilege management user configure and manage the capabilities of different users, the invention can both restrict the superuser's privileges and give ordinary users specific privileges, achieving effective management of user privileges and improving the security of the operating system.

Description

Operating system security hardening system based on a capability module
Technical field
The present invention discloses an operating system security hardening system based on a capability module, and belongs to the field of information security technology.
Background
The credential model of the traditional UNIX operating system is a "superuser versus ordinary user" model. In this model, whether a process may execute depends on its UID. A superuser holding root privileges can run any process, including operations such as binding to privileged ports, loading and unloading kernel modules, and managing file systems; these excessive privileges pose a serious security threat to the operating system. For ordinary users, too, when certain processes run with more privilege than they need, system security suffers. Take the ping command: it needs only a RAW socket to build the necessary ICMP packets and no other privileges, yet it actually runs with root privileges, which an attacker can readily exploit to gain control of the operating system.
In view of this defect of the traditional UNIX operating system, starting with Linux kernel version 2.2 the system divides the superuser's privileges into 32 capability items (see the capability.h file for details), each of which can be enabled and disabled independently. This makes it possible both to restrict the superuser's privileges and to grant ordinary users certain privileges. However, a system and method that builds on these capability items to manage and maintain user privileges and ensure operating system security is still lacking.
Summary of the invention
In view of the above, the object of the present invention is to provide an operating system security hardening system based on a capability module. By configuring a user-capability correspondence table, it manages the capabilities held by the processes a user creates; it can both restrict the superuser's privileges and give ordinary users specific privileges, achieving effective management of user privileges and improving the security of the operating system.
To achieve the above object, the present invention adopts the following technical solution:
An operating system security hardening system based on a capability module, where the operating system includes multiple capability items:
A user-capability correspondence table recording users and their capabilities is configured and stored in the system kernel.
The user-capability correspondence table is looked up by user to obtain that user's capabilities, which are assigned to the processes the user creates, so that each process runs according to the corresponding capabilities.
Further:
A privilege management user is set up, and this user maintains the user-capability correspondence table from user space.
The privilege management user is configured not to possess the CAP_DAC_OVERRIDE capability.
The superuser is configured in the user-capability correspondence table without the CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH capabilities.
The user-capability correspondence table is delivered to kernel space by means of an interrupt.
The advantages of the invention are:
The operating system security hardening system based on a capability module of the present invention manages the capabilities held by the processes a user creates by configuring a user-capability correspondence table. By having the privilege management user configure and manage the capabilities of different users, it can both restrict the superuser's privileges and give ordinary users specific privileges, achieving effective management of user privileges and improving the security of the operating system.
Description of the drawings
Fig. 1 is a structural block diagram of the operating system security hardening system of the present invention.
Detailed description of the embodiments
The present invention is explained in further detail below with reference to the drawing and embodiments.
As shown in Fig. 1, in the operating system security hardening system based on a capability module disclosed by the invention, a user-capability correspondence table recording users and their capabilities is configured and stored in the system kernel. When a process is created, the user-capability correspondence table is looked up by user to obtain that user's capability items, and the user's capabilities are assigned to the process, so that the process runs with the capabilities it has been given.
A privilege management user is set up and maintains the user-capability correspondence table from user space, including adding, deleting and retrieving users and their corresponding capabilities. The configured user-capability correspondence table is delivered to kernel space by means of an interrupt (the "int 0x80" interrupt), updating the user-capability correspondence table held in the kernel.
The privilege management user is restricted in the kernel so that it does not possess the CAP_DAC_OVERRIDE capability, which prevents the privilege management user from performing unauthorized operations.
For the superuser, the corresponding capabilities are configured in the user-capability correspondence table so that it does not have the CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH capabilities. That is, the superuser is prevented from reading and writing files that do not belong to it, so that any user can operate only on their own files and cannot perform operations beyond their capabilities.
The above describes the preferred embodiments of the present invention and the technical principles they use. For those skilled in the art, any obvious change made on the basis of the technical solution of the present invention without departing from its spirit and scope, such as an equivalent variation or simple substitution, falls within the scope of protection of the present invention.
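A user-space C model of the table lookup at process creation, the table maintenance rule, and the effect of withholding the two DAC capabilities from the superuser, added here as an illustration and not code from the patent. The table layout, the function names, uid 900 for the privilege management user and the rejection of invalid updates inside `ucap_set` are assumptions; the capability bit numbers are those of Linux `capability.h`.

```c
#include <stddef.h>
#include <stdint.h>

/* Bit numbers as defined in Linux capability.h. */
enum { CAP_DAC_OVERRIDE = 1, CAP_DAC_READ_SEARCH = 2, CAP_NET_RAW = 13 };
#define CAP_BIT(c) (UINT32_C(1) << (c))
#define DAC_BYPASS (CAP_BIT(CAP_DAC_OVERRIDE) | CAP_BIT(CAP_DAC_READ_SEARCH))

/* Assumed uids for this model (constructed values). */
#define ROOT_UID    0u
#define PRIVMGR_UID 900u /* hypothetical privilege management user */

/* Hypothetical layout of the user-capability correspondence table. */
struct ucap_entry { uint32_t uid; uint32_t caps; };
static struct ucap_entry ucap_table[8] = {
    { ROOT_UID,    0xFFFFFFFFu & ~DAC_BYPASS }, /* superuser: no DAC bypass */
    { PRIVMGR_UID, 0 },                         /* maintains the table only */
    { 1000u,       CAP_BIT(CAP_NET_RAW) },      /* ordinary user: raw sockets */
};
static size_t ucap_count = 3;

/* Process creation: the new process gets exactly the caps listed for its uid. */
uint32_t caps_for_new_process(uint32_t uid) {
    for (size_t i = 0; i < ucap_count; i++)
        if (ucap_table[i].uid == uid) return ucap_table[i].caps;
    return 0; /* user not in the table: no capabilities */
}

/* Table maintenance. Only the privilege management user may update, and
 * (an assumption of this model) updates that would break the two configured
 * restrictions are rejected. Returns 0 on success, -1 on rejection. */
int ucap_set(uint32_t caller_uid, uint32_t uid, uint32_t caps) {
    if (caller_uid != PRIVMGR_UID) return -1;
    if (uid == PRIVMGR_UID && (caps & CAP_BIT(CAP_DAC_OVERRIDE))) return -1;
    if (uid == ROOT_UID && (caps & DAC_BYPASS)) return -1;
    for (size_t i = 0; i < ucap_count; i++)
        if (ucap_table[i].uid == uid) { ucap_table[i].caps = caps; return 0; }
    if (ucap_count == sizeof ucap_table / sizeof ucap_table[0]) return -1;
    ucap_table[ucap_count++] = (struct ucap_entry){ uid, caps };
    return 0;
}

/* Simplified DAC read check (owner and other classes only; group omitted). */
int may_read(uint32_t uid, uint32_t caps, uint32_t owner, unsigned mode) {
    if (caps & DAC_BYPASS) return 1; /* either capability bypasses read checks */
    if (uid == owner) return (mode & 0400u) != 0;
    return (mode & 0004u) != 0;
}
```

With the sample table, a process created by uid 0 cannot read a mode 0600 file owned by uid 1000, while uid 1000 keeps CAP_NET_RAW without holding any other capability.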

Claims (5)

1. An operating system security hardening system based on a capability module, the operating system including multiple capability items, characterized in that:
a user-capability correspondence table recording users and their capabilities is configured and stored in the system kernel;
the user-capability correspondence table is looked up by user to obtain that user's capabilities, which are assigned to the processes the user creates, so that each process runs according to the corresponding capabilities.
2. The operating system security hardening system based on a capability module according to claim 1, characterized in that a privilege management user is set up, and the privilege management user maintains the user-capability correspondence table from user space.
3. The operating system security hardening system based on a capability module according to claim 2, characterized in that the privilege management user is configured not to possess the CAP_DAC_OVERRIDE capability.
4. The operating system security hardening system based on a capability module according to claim 1, characterized in that the superuser is configured in the user-capability correspondence table without the CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH capabilities.
5. The operating system security hardening system based on a capability module according to claim 2, characterized in that the user-capability correspondence table is delivered to kernel space by means of an interrupt.
Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN201610997445.0A | 2016-11-11 | 2016-11-11 | Operating system security hardening system based on a capability module

Publications (1)

Publication Number | Publication Date
CN106557699A | 2017-04-05

Family ID: 58443602

Country Status (1)

Country | Link
CN (1) | CN106557699A (en)

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1854961A (en) * 2005-04-28 2006-11-01 中国科学院软件研究所 Strategy and method for realizing minimum privilege control in safety operating system
CN101727545A (en) * 2008-10-10 2010-06-09 中国科学院研究生院 Method for implementing mandatory access control mechanism of security operating system
CN102034052A (en) * 2010-12-03 2011-04-27 北京工业大学 Operation system architecture based on separation of permissions and implementation method thereof
CN104484594A (en) * 2014-11-06 2015-04-01 中国科学院信息工程研究所 Linux system privilege distribution method based on capability mechanism

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
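李晨 (Li Chen) et al.: "Design and Implementation of a Linux Application Sandbox Based on Multiple Security Mechanisms", Journal of Integration Technology *
龚育昌 (Gong Yuchang) et al.: "Capability Management Model in Secure Operating Systems", Journal of Chinese Computer Systems *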

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107643982A (en) * 2017-09-13 2018-01-30 北京元心科技有限公司 The ability detection method and device of program process
WO2019237867A1 (en) * 2018-06-12 2019-12-19 杨力祥 Method of isolating authority information and performing authority check on basis thereof and computing device
WO2019237866A1 (en) * 2018-06-12 2019-12-19 杨力祥 Method for controlling access at runtime and computing device
WO2019237864A1 (en) * 2018-06-12 2019-12-19 杨力祥 Security user architecture and authority control method
CN110598393A (en) * 2018-06-12 2019-12-20 杨力祥 Safe user architecture and authority control method

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20170405