CN103020512A - Realization method and control system for safe control flow of system - Google Patents

Publication number
CN103020512A
Authority
CN
China
Prior art keywords
security
control
attribute
strategy
stream
Legal status
Granted
Application number
CN2012104890041A
Other languages
Chinese (zh)
Other versions
CN103020512B (en)
Inventor
胡事民
江凌波
谈鉴峰
马超
Current Assignee
Tsinghua University
Original Assignee
Tsinghua University
Application filed by Tsinghua University
Priority to CN201210489004.1A
Publication of CN103020512A
Application granted
Publication of CN103020512B
Current legal status: Active

Landscapes

  • Storage Device Security (AREA)

Abstract

A realization method for a safe control flow of a system comprises the following steps: S1, the system is configured with a security policy, wherein the monitoring subjects of the system include the operating system; S2, the monitoring subjects continuously monitor the monitoring points of the system according to the security policy, so as to form a control data flow. The realization method solves the problems of the absent operating system subject and the absent behavior restriction in the traditional access control model. By using the method provided by the embodiment of the invention to analyze application software running on a mobile terminal, the continuous and changeable behavior of the application software can be controlled, so that the behavior of the application software is more trustworthy and more secure.

Description

Implementation method and control system for a system security control flow
Technical field
The present invention relates to the field of electronic information technology, and in particular to an implementation method and a control system for a system security control flow.
Background art
Security is an important goal of an operating system. As technology develops, threats to system security continue to grow. Studies show that on the Android platform alone, 800,000 people were infected with malware per month in 2011. Traditional security mechanisms such as anti-virus and intrusion detection all rely on the security support of the underlying operating system. Access control implements a security model and policy control inside the operating system kernel, and in this way controls access between the subjects and objects of the system. Secure access control is an important foundation for building a high-grade security system. Traditional access control models have the problem of the "missing operating system subject": in the "subject-object" capability matrix, the subject mainly uses a process to monitor the object. This does not reflect the actual control path of a real system, "subject to operating system, then operating system to object", and the capabilities do not reflect the service capabilities of the operating system either. Traditional access control models also have the problem of "discontinuous behavior and missing constraints": most of them control the behavior of the system at a single moment, and reflect neither the continuous and mutually constraining character of system behavior nor the dynamic change of the attributes and conditions in the system. Introducing the operating system as one of the subjects extends the function of the subject and effectively reflects this dynamic change. Research into a control flow model that supports user security requirements, that continuously controls the attributes, capabilities, environment and constraints of the operating system, and that overcomes the "missing operating system subject" and "discontinuous behavior and missing constraints" problems is of great significance for improving operating system security.
Summary of the invention
The invention provides an implementation method and a control system for a system security control flow, to solve the problem in the prior art that, during system monitoring, the monitoring subjects include only processes and not the operating system itself, so that the characteristics of the operating system are not fully used in system security control and the security and trustworthiness of the system are not fully improved.
The implementation method for a system security control flow provided by the invention comprises:
Step S1: configure the security policy of the system, wherein the monitoring subjects of the system include the operating system;
Step S2: the monitoring subjects continuously monitor each control point of the system according to the security policy, forming a control data flow.
Further, in the implementation method of the invention, the monitoring subjects of step S1 also include processes.
Further, in the implementation method of the invention, step S1 also comprises:
Step S101: the security policy also includes a subject attribute configuration; the subject attributes are controlled according to the security policy, and the control information for the subject attributes is then fed into the control data flow.
Further, in the implementation method of the invention, the subject attributes of step S101 include subject static attributes and subject dynamic attributes;
The subject static attributes include at least one of the following: configuration, script, code integrity, data integrity;
The subject dynamic attributes include at least one of the following: role, state, quantity, interval, cycle, frequency.
Further, in the implementation method of the invention, step S1 also comprises:
Step S102: the security policy also includes an object attribute configuration; the object attributes are controlled according to the security policy, and the control information for the object attributes is then fed into the control data flow.
Further, in the implementation method of the invention, the object attributes of step S102 include object static attributes and object dynamic attributes;
The object static attributes include at least one of the following: configuration, script, code integrity, data integrity;
The object dynamic attributes include at least one of the following: role, state, quantity, interval, cycle, frequency.
Further, in the implementation method of the invention, step S1 also comprises:
Step S103: the security policy also includes an environmental condition configuration; the environmental conditions are controlled, and the control information for the environmental conditions is then fed into the control data flow.
Further, in the implementation method of the invention, the environmental conditions of step S103 include environment static attributes and environment dynamic attributes;
The environment static attributes include at least one of the following: configuration, script, code integrity, data integrity;
The environment dynamic attributes include at least one of the following: whether the boot was trusted, whether the system is secure, disk state, cycle, frequency.
Further, in the implementation method of the invention, step S1 also comprises:
Step S104: the security policy also includes a capability condition configuration; the capability conditions are controlled, and the control information for the capability conditions is then fed into the control data flow.
Further, in the implementation method of the invention, the capability conditions of step S104 include at least one of the following: read, write, execute, authorize, print, send over the network, use the camera, terminate a process.
Further, in the implementation method of the invention, step S1 also comprises:
Step S105: the security policy also includes a constraint condition configuration; the constraint conditions are controlled, and the control information for the constraint conditions is then fed into the control data flow.
Further, in the implementation method of the invention, the constraint conditions of step S105 include at least one of the following: dependency relation, trigger relation, antagonistic relation, inclusion relation, restriction relation.
Further, in the implementation method of the invention, step S1 also comprises:
Step S111: the security policy also includes a layered policy, which divides the security policy into a global system policy and single-application policies;
The global system policy is deployed and enforced in the security kernel of the system;
The single-application policies are deployed and enforced in the applications of the system.
In addition, the control system for a system security control flow provided by the invention comprises:
A security policy module, used to manage and control the security policy;
A subject attribute control module, which controls the subject attributes according to the security policy and then feeds the control information for the subject attributes into the control data flow;
An object attribute control module, which controls the object attributes according to the security policy and then feeds the control information for the object attributes into the control data flow;
An environmental condition control module, which controls the environmental conditions according to the security policy and then feeds the control information for the environmental conditions into the control data flow;
A capability condition control module, which controls the capability conditions according to the security policy and then feeds the control information for the capability conditions into the control data flow;
A constraint condition control module, which controls the constraint conditions according to the security policy and then feeds the control information for the constraint conditions into the control data flow;
A continuous control module, which controls the order of the specific behaviors of the subjects in the system, forming the control flow.
Further, the control system of the invention also comprises:
A layered policy module, which divides the security policy into a global system policy and single-application policies, deploys and enforces the global system policy in the security kernel of the system, and deploys and enforces the single-application policies in the applications of the system.
The implementation method and control system for a system security control flow provided by the invention solve the problems of the "missing operating system subject" and "missing behavior constraints" in traditional access control models. By analyzing the application software running on a mobile terminal, the continuous and changeable behavior of the application software can be controlled, making the behavior of the application software more trustworthy and secure.
Brief description of the drawings
Fig. 1 is a flowchart of the implementation method for a system security control flow according to the embodiment of the invention;
Fig. 2 is a control diagram of the implementation method according to the embodiment of the invention, with control time as the horizontal axis;
Fig. 3 is a control diagram of the implementation method according to the embodiment of the invention, with the direction of information flow between subject and object as the horizontal axis;
Fig. 4 is a diagram of how the layered policy of the implementation method according to the embodiment of the invention is organized and enforced;
Fig. 5 is a functional structure diagram of the control system for a system security control flow according to the embodiment of the invention.
Detailed description of the embodiments
For a better understanding of the invention, it is further described below with reference to the drawings and embodiments.
The terms used in the invention are defined as follows:
Security policy refers to the set of rules, specified by the user, that the system enforces. A rule here is a constraint requirement based on conditions such as subject attributes, object attributes, environmental conditions, capability conditions and constraint conditions.
Attribute refers to the description of the various features of the system's subjects and/or objects in the operating system, and includes static attributes and dynamic attributes. Static attributes are features that do not change while the system is running, including configuration, script, code integrity, data integrity, etc. Dynamic attributes are system features that change as the system runs, including role, state, quantity, interval, cycle, frequency, etc. State refers to system features that are expected to occur while the system is running but are uncertain. For example, when the monitoring subjects include the operating system (that is, the operating system also monitors the system), the security policy "only processes that satisfy the integrity requirement may access a particular secure file" can be configured for the process subjects of the system. The subject attribute "code integrity" is then added for process subjects, and during subsequent monitoring, when a process is found not to have the code integrity subject attribute, that process is not allowed to access the particular secure file. As another example, when the monitoring subject is the operating system, the object attribute "read count" can be added for a certain image file in the system and the security policy "this image file may be played only 10 times" configured. The system then continuously monitors the image file according to this security policy, and when it finds that the image file has been played more than 10 times, it forbids playing the file in accordance with the security policy.
Environmental condition refers to the various features of the operating system while it is running, and includes static attributes and dynamic attributes. Static attributes are features that do not change while the system is running, including configuration, script, code integrity, data integrity, etc. Dynamic attributes are system features that change as the system runs, including whether the boot was trusted, whether the system is secure, disk state, cycle, frequency, etc. State refers to system features that are expected to occur while the system is running but are uncertain. The environment here is in fact the set of attributes of the operating system when it acts as a subject. For example, when the monitoring subjects include the operating system, the condition "whether startup passed the integrity check of the operating system kernel" is configured as an environmental condition, and the security policy "only a system with a trusted boot may perform higher-level service operations" is configured. The monitoring subject monitors the operating system subject according to the environmental condition and the security policy. When the check finds that the system booted in a trusted manner, that is, startup passed the integrity check of the operating system kernel, the operating system is allowed to perform higher-level service operations; otherwise the operating system is forbidden from performing them. Here the environmental condition expresses the current state of the operating system.
Capability condition refers to the ability of a system subject to access an object. The subjects in this relation include traditional subjects such as processes, and also the operating system itself. The abilities here include those of traditional access control, such as read, write, execute and authorize, and also the system capabilities of the operating system, including printing, sending over the network, using the camera, terminating a process, etc. For example, in the capability condition, in addition to traditional permission settings such as read and write, the configured security policy adds capability restrictions on printing, network sending, camera use and so on. Once such a policy is set on a file, the system of the invention ensures that even after a high-level process in the system obtains the file, the file cannot be leaked over the network.
Constraint condition refers to the relations between the subjects within one task. A task here is a series of process behaviors, together with the configured security requirements, that the user specifies in order to accomplish a certain purpose. A relation here is a relation condition between process behaviors that the user specifies to satisfy a particular security need, including dependency relation, trigger relation, antagonistic relation, inclusion relation, restriction relation, etc. For example, when a policy such as "business may be handled only when connected to a specific secure network" needs to be set, there are two monitoring subjects: one is the system terminal and the other is the network side. That is, the system terminal, acting as monitoring subject, first monitors whether the network side is secure; once the network side is determined to be secure, the network side, acting as monitoring subject, monitors whether the environment of the system terminal is secure. A dependency relation therefore exists between the two monitoring subjects; the security policy is configured according to this relation, and the system is monitored according to this constraint condition.
Layered policy is a policy combination method, with unified specification and layered enforcement, adopted to resolve the information gap between the system kernel and the applications. Layered policies are formulated uniformly by a system management tool according to the security requirements of the system.
Fig. 1 is a flowchart of the implementation method for a system security control flow according to the embodiment of the invention. As shown in Fig. 1,
the implementation method for a system security control flow provided by the embodiment of the invention comprises:
Step S1: configure the security policy of the system, wherein the monitoring subjects of the system include the operating system;
Step S2: the monitoring subjects continuously monitor each control point of the system according to the security policy, forming a control data flow.
Further, in the implementation method of the embodiment of the invention, the monitoring subjects of step S1 also include processes.
The operating system acts as a monitoring subject of the system mainly through the environmental conditions configured in the security policy. By configuring the environmental conditions and the corresponding security policy, the operating system can monitor the system when the environmental conditions are satisfied. Capability conditions are then configured for the operating system subject; built around the service capabilities of the operating system, which far exceed those of a process, they extend the service capability of the monitoring subject. Finally the subject attributes, object attributes and constraint conditions can be brought into the security policy, significantly improving the security service capability of the system.
In the traditional case where processes are the monitoring subjects, suppose the security policy is "a certain classified file may only be read and may not be sent over the network"; under this policy, a process that obtains the file does not in fact have network capability. Suppose virus code injection now occurs and causes this process to enter the system kernel service. The process then gains network operation capability through the operating system kernel and can leak the classified file over the network. When the monitoring subjects include the operating system, even if virus code injection occurs, causes the process to enter the system kernel and gives it network operation capability, the operating system monitoring subject can still, because of the system security policy control, forbid the process from leaking the classified file over the network.
Fig. 2 is a control diagram of the implementation method according to the embodiment of the invention, with control time as the horizontal axis. It reflects the continuous, changeable and mutually constraining characteristics of the system control process. The control flow security system changes the restriction of traditional access control to a permission relation matrix between subject and object. In the "control flow" dimension between subject and object it adds the operating system subject: it adds environmental conditions as the attributes of the operating system when it acts as a subject, extends the capability conditions by adding the service capabilities of the operating system, and adds constraint conditions between the different subjects in the control flow process of task execution, supporting the control of more complex user behavior security policies. With this behavior-policy-oriented control flow security system, the system keeps the traditional access control model's control over the static attributes of subjects and objects, for example the role of a user subject or the data integrity of a file object, and adds control over the richer dynamic and static attributes of subjects, objects and the operating system, for example the execution count of a process subject or the validity period of a certain file, so that control can match the continuous and changeable characteristics of the system. With this behavior-policy-oriented control flow security system, the system also adds control over the associated constraints between subject behaviors, for example enforcing a policy such as "a certain key business may be handled only when connected to a secure network", so that control can match the mutually constraining characteristic of the system.
The method shown in Fig. 2 can also implement asynchronous access control in the system, from "subject to operating system" and then "operating system to object". Most real systems, especially operating systems such as Windows, are event-driven and work in a round-robin manner, and many messages sent by processes do not get an immediate system response. Real systems also have the problem that "operating system to object" operations are initiated repeatedly and executed multiple times. In a real system, after some subject access requests have been sent, the subject has already "disappeared" by the time its "execution" on the object takes place. The control flow security system controls the operating system as the "disappeared" subject of the system, and by refining the control policy toward objects with the operating system as subject, it achieves security control of asynchronous access between the actual subject and object.
The method shown in Fig. 2 can also implement access control in the system when environmental conditions change. In a real system, the subject attributes of the operating system, that is, the environmental conditions, can change. The control flow security system handles the control changes caused by environmental changes through continuous control of the environmental conditions.
The method shown in Fig. 2 can also implement access control in the system when capability information changes. In a real system, the capabilities between subject and object do not change often, but they can be revoked. The control flow security system handles the control changes caused by capability changes by extending the capability conditions and controlling them continuously.
Fig. 3 is a control diagram of the implementation method according to the embodiment of the invention, with the direction of information flow between subject and object as the horizontal axis. It shows that every access control decision between subject and object is the system's combined determination over subject attributes, object attributes, environmental conditions, capability conditions and constraint conditions. These decision factors all include static attributes and dynamic attributes, especially the environmental conditions, the constraint conditions and the subject and object attributes.
The method shown in Fig. 3 uses the two control triangles shown on the horizontal axis to implement, respectively, the determination on the subject attributes and the combined determination on all other attributes.
The method shown in Fig. 3 implements continuous control of the control flow by introducing a time axis T. In the actual control flow, the determination result changes as the subject attributes, object attributes, environmental conditions, capability conditions and constraint conditions change, so that the final instruction meets the user's security requirements for system behavior.
Further, in the implementation method of the embodiment of the invention, step S1 also comprises:
Step S101: the security policy also includes a subject attribute configuration; the subject attributes are controlled according to the security policy, and the control information for the subject attributes is then fed into the control data flow.
Further, in the implementation method of the embodiment of the invention, the subject attributes of step S101 include subject static attributes and subject dynamic attributes;
The subject static attributes include at least one of the following: configuration, script, code integrity, data integrity;
The subject dynamic attributes include at least one of the following: role, state, quantity, interval, cycle, frequency.
Further, in the implementation method of the embodiment of the invention, step S1 also comprises:
Step S102: the security policy also includes an object attribute configuration; the object attributes are controlled according to the security policy, and the control information for the object attributes is then fed into the control data flow.
Further, in the implementation method of the embodiment of the invention, the object attributes of step S102 include object static attributes and object dynamic attributes;
The object static attributes include at least one of the following: configuration, script, code integrity, data integrity;
The object dynamic attributes include at least one of the following: role, state, quantity, interval, cycle, frequency.
Further, in the implementation method of the embodiment of the invention, step S1 also comprises:
Step S103: the security policy also includes an environmental condition configuration; the environmental conditions are controlled, and the control information for the environmental conditions is then fed into the control data flow.
Further, in the implementation method of the embodiment of the invention, the environmental conditions of step S103 include environment static attributes and environment dynamic attributes;
The environment static attributes include at least one of the following: configuration, script, code integrity, data integrity;
The environment dynamic attributes include at least one of the following: whether the boot was trusted, whether the system is secure, disk state, cycle, frequency.
Further, in the implementation method of the embodiment of the invention, step S1 also comprises:
Step S104: the security policy also includes a capability condition configuration; the capability conditions are controlled, and the control information for the capability conditions is then fed into the control data flow.
Further, in the implementation method of the embodiment of the invention, the capability conditions of step S104 include at least one of the following: read, write, execute, authorize, print, send over the network, use the camera, terminate a process.
Further, in the implementation method of the embodiment of the invention, step S1 also comprises:
Step S105: the security policy also includes a constraint condition configuration; the constraint conditions are controlled, and the control information for the constraint conditions is then fed into the control data flow.
Further, in the implementation method of the embodiment of the invention, the constraint conditions of step S105 include at least one of the following: dependency relation, trigger relation, antagonistic relation, inclusion relation, restriction relation.
After the implementation method of the embodiment is completed, the system security policy has completed the control configuration for subject attributes, object attributes, capability conditions, environmental conditions and constraint conditions. Then, for the running of a process, combined control of the subject attributes, object attributes, capability conditions, environmental conditions and constraint conditions is carried out at multiple points of the operating system, forming the control flow and monitoring the behavior of application processes, where:
The multiple points of the operating system are the multiple control points at which the operating system provides system services during the execution of a task.
Subject attribute control means that the system judges whether a behavior meets the security requirements according to the subject attribute requirements in the security policy and the actual features of the subject.
Object attribute control means that the system judges whether a behavior meets the security requirements according to the object attribute requirements in the security policy and the actual features of the object.
Capability condition control means that the system judges whether a behavior meets the security requirements according to the restrictions on capability conditions in the security policy and the actual behavior.
Environmental condition control means that the system judges whether a behavior meets the security requirements according to the restrictions on environmental conditions in the security policy and the environmental conditions of the operating system.
Constraint condition control means that the system judges whether a behavior meets the security requirements according to the restrictions on constraint conditions in the security policy and the actual behavior.
Combined control means the system's combined determination based on subject attribute control, object attribute control, capability condition control, environmental condition control and constraint condition control.
Control flow refers to the set of controls, formed along the time axis, that the operating system applies to a certain task.
Further, in the implementation method of the system security control flow according to the embodiment of the invention, step S1 further comprises:
Step S111: the security policy further comprises a layered policy, which divides the security policy into a global system policy and a single-application policy;
the global system policy is deployed and enforced in the system security kernel;
the single-application policy is deployed and enforced in the applications of the system.
Fig. 4 is a schematic diagram of how the layered policy is organized and enforced in the implementation method of the system security control flow according to the embodiment of the invention. It reflects three characteristics of the security policy: layered formulation, unified storage and separate enforcement. The layered policy is a policy combination method with unified formulation and layered enforcement: the same policy is divided into two parts according to the layered policy, which are enforced in the application and in the operating system kernel respectively. Unified formulation of the system's global policy means that the global system policy is interpreted and enforced in the system security kernel. The security requirements of each individual application are formulated separately as a single-application policy, which is interpreted and enforced in the applications of the system. The global system policy takes precedence over the single-application policy. During formulation, the policy undergoes a policy integrity check to ensure that a modified policy does not conflict with existing policies.
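The following Python model is an added illustration, not code from the patent: it combines the five condition classes into one comprehensive decision, records each decision in a time-ordered control flow, and evaluates the global layer before the application layer. The class names, attribute keys, sample behaviours and the reading that a global-layer denial is final are assumptions made for the example.

```python
from dataclasses import dataclass, field
@dataclass
class Request:                      # one behaviour seen at a control point (field names are illustrative)
    subject: dict
    obj: dict
    capability: str
    env: dict

@dataclass
class Policy:                       # one simple rule per condition class named in the description
    roles: set
    labels: set
    capabilities: set
    require_trusted_boot: bool = False
    depends_on: dict = field(default_factory=dict)     # capability -> capability that must precede it
    antagonistic: dict = field(default_factory=dict)   # capability -> capability that must not precede it

    def failed_checks(self, req, history):
        done = {e["capability"] for e in history if e["allowed"]}
        dep, ant = self.depends_on.get(req.capability), self.antagonistic.get(req.capability)
        checks = {
            "subject": req.subject.get("role") in self.roles and req.subject.get("code_integrity", False),
            "object": req.obj.get("label") in self.labels,
            "capability": req.capability in self.capabilities,
            "environment": not self.require_trusted_boot or req.env.get("trusted_boot", False),
            "constraint": (dep is None or dep in done) and (ant is None or ant not in done),
        }
        return [name for name, ok in checks.items() if not ok]

class ControlFlow:                  # time-ordered decisions for one task
    def __init__(self, global_policy, app_policy):
        self.layers = (("global", global_policy), ("app", app_policy))
        self.events = []

    def check(self, req):
        # Assumed reading of "takes precedence": the global (kernel) layer is evaluated
        # first and its denial is final; the application layer can only restrict further.
        for layer, policy in self.layers:
            failed = policy.failed_checks(req, self.events)
            if failed:
                return self._record(req, False, layer, failed)
        return self._record(req, True, None, [])

    def _record(self, req, allowed, layer, failed):
        self.events.append({"seq": len(self.events), "capability": req.capability,
                            "allowed": allowed, "denied_by": layer, "failed": failed})
        return allowed

def demo():  # constructed behaviour sequence for one application process
    caps = {"read", "use_camera", "network_send"}
    kernel = Policy({"app"}, {"contacts", "photo"}, caps, require_trusted_boot=True,
                    antagonistic={"network_send": "use_camera"})
    app = Policy({"app"}, {"contacts", "photo"}, caps, depends_on={"network_send": "read"})
    flow = ControlFlow(kernel, app)
    subject, env = {"role": "app", "code_integrity": True}, {"trusted_boot": True}
    for label, cap in [("contacts", "network_send"), ("contacts", "read"), ("contacts", "network_send"),
                       ("photo", "use_camera"), ("photo", "network_send")]:
        flow.check(Request(subject, {"label": label}, cap, env))
    return flow.events
```

The same `network_send` request is denied, allowed and denied again within one task, because the constraint check reads the earlier entries of the control flow rather than the request alone.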
Fig. 5 is a functional structure diagram of the control system of the system security control flow according to the embodiment of the invention. As shown in Fig. 5, the control system of a system security control flow provided by the embodiment of the invention comprises:
a security policy module, used to manage and control the security policy;
a subject attribute control module, which controls the subject attributes according to the security policy and then feeds the control information for the subject attributes into the control data flow;
an object attribute control module, which controls the object attributes according to the security policy and then feeds the control information for the object attributes into the control data flow;
an environmental condition control module, which controls the environmental conditions according to the security policy and then feeds the control information for the environmental conditions into the control data flow;
a capability condition control module, which controls the capability conditions according to the security policy and then feeds the control information for the capability conditions into the control data flow;
a constraint condition control module, which controls the constraint conditions according to the security policy and then feeds the control information for the constraint conditions into the control data flow;
a continuous control module, which controls the order of the specific behaviors of subjects in the system, forming the control flow.
Further, the control system of the system security control flow according to the embodiment of the invention also comprises:
a layered policy module, which divides the security policy into a global system policy and a single-application policy, deploys and enforces the global system policy in the system security kernel, and deploys and enforces the single-application policy in the applications of the system.
The above are only preferred embodiments of the present invention. The invention may of course have various other embodiments; without departing from the spirit and essence of the invention, those of ordinary skill in the art may make various corresponding changes and modifications according to the invention, but all such changes and modifications shall fall within the scope of protection of the appended claims.

Claims (15)

1. An implementation method of a system security control flow, characterized by comprising:
Step S1: configuring the security policy of the system, wherein the monitoring subjects of the system comprise the operating system;
Step S2: the monitoring subjects continuously monitor each monitoring point of the system according to the security policy, forming a control data flow.
2. The implementation method of a system security control flow according to claim 1, characterized in that the monitoring subjects of step S1 further comprise processes.
3. The implementation method of a system security control flow according to claim 1, characterized in that step S1 further comprises:
Step S101: the security policy further comprises a subject attribute configuration; the subject attributes are controlled according to the security policy, and the control information for the subject attributes is then fed into the control data flow.
4. The implementation method of a system security control flow according to claim 3, characterized in that the subject attributes of step S101 comprise subject static attributes and subject dynamic attributes;
the subject static attributes comprise at least one of the following: configuration, script, code integrity, data integrity;
the subject dynamic attributes comprise at least one of the following: role, state, quantity, interval, cycle, frequency.
5. The implementation method of a system security control flow according to claim 1, characterized in that step S1 further comprises:
Step S102: the security policy further comprises an object attribute configuration; the object attributes are controlled according to the security policy, and the control information for the object attributes is then fed into the control data flow.
6. The implementation method of a system security control flow according to claim 5, characterized in that the object attributes of step S102 comprise object static attributes and object dynamic attributes;
the object static attributes comprise at least one of the following: configuration, script, code integrity, data integrity;
the object dynamic attributes comprise at least one of the following: role, state, quantity, interval, cycle, frequency.
7. The implementation method of a system security control flow according to claim 1, characterized in that step S1 further comprises:
Step S103: the security policy further comprises an environmental condition configuration; the environmental conditions are controlled, and the control information for the environmental conditions is then fed into the control data flow.
8. The implementation method of a system security control flow according to claim 7, characterized in that the environmental conditions of step S103 comprise environment static attributes and environment dynamic attributes;
the environment static attributes comprise at least one of the following: configuration, script, code integrity, data integrity;
the environment dynamic attributes comprise at least one of the following: whether the system was booted in a trusted manner, whether it is secure, disk state, cycle, frequency.
9. The implementation method of a system security control flow according to claim 1, characterized in that step S1 further comprises:
Step S104: the security policy further comprises a capability condition configuration; the capability conditions are controlled, and the control information for the capability conditions is then fed into the control data flow.
10. The implementation method of a system security control flow according to claim 9, characterized in that the capability conditions of step S104 comprise at least one of the following: read, write, execute, authorize, print, network send, use camera, terminate process.
11. The implementation method of a system security control flow according to claim 1, characterized in that step S1 further comprises:
Step S105: the security policy further comprises a constraint condition configuration; the constraint conditions are controlled, and the control information for the constraint conditions is then fed into the control data flow.
12. The implementation method of a system security control flow according to claim 11, characterized in that the constraint conditions of step S105 comprise at least one of the following: dependency relation, triggering relation, antagonistic relation, inclusion relation, restriction relation.
13. The implementation method of a system security control flow according to any one of claims 1 to 12, characterized in that step S1 further comprises:
Step S111: the security policy further comprises a layered policy, which divides the security policy into a global system policy and a single-application policy;
the global system policy is deployed and enforced in the system security kernel;
the single-application policy is deployed and enforced in the applications of the system.
14. A control system of a system security control flow, characterized by comprising:
a security policy module, used to manage and control the security policy;
a subject attribute control module, which controls the subject attributes according to the security policy and then feeds the control information for the subject attributes into the control data flow;
an object attribute control module, which controls the object attributes according to the security policy and then feeds the control information for the object attributes into the control data flow;
an environmental condition control module, which controls the environmental conditions according to the security policy and then feeds the control information for the environmental conditions into the control data flow;
a capability condition control module, which controls the capability conditions according to the security policy and then feeds the control information for the capability conditions into the control data flow;
a constraint condition control module, which controls the constraint conditions according to the security policy and then feeds the control information for the constraint conditions into the control data flow;
a continuous control module, which controls the order of the specific behaviors of subjects in the system, forming the control flow.
15. The control system of a system security control flow according to claim 14, characterized by further comprising:
a layered policy module, which divides the security policy into a global system policy and a single-application policy, deploys and enforces the global system policy in the system security kernel, and deploys and enforces the single-application policy in the applications of the system.
CN201210489004.1A 2012-11-26 2012-11-26 Realization method and control system for safe control flow of system Active CN103020512B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201210489004.1A CN103020512B (en) 2012-11-26 2012-11-26 Realization method and control system for safe control flow of system

Publications (2)

Publication Number Publication Date
CN103020512A true CN103020512A (en) 2013-04-03
CN103020512B CN103020512B (en) 2015-03-04

Family

ID=47969108

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201210489004.1A Active CN103020512B (en) 2012-11-26 2012-11-26 Realization method and control system for safe control flow of system

Country Status (1)

Country Link
CN (1) CN103020512B (en)

Also Published As

Publication number Publication date
CN103020512B (en) 2015-03-04

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant