WO2019237864A1 - Secure user architecture and authority control method - Google Patents
- Publication number: WO2019237864A1 (PCT application PCT/CN2019/086496)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- user
- msu
- role
- administrator
- maintainer
- Prior art date
Classifications
- G—PHYSICS
  - G06—COMPUTING; CALCULATING OR COUNTING
    - G06F—ELECTRIC DIGITAL DATA PROCESSING
      - G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
        - G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
          - G06F21/31—User authentication
          - G06F21/45—Structures or tools for the administration of authentication
        - G06F21/60—Protecting data
          - G06F21/604—Tools and structures for managing or administering access control systems
          - G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
            - G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
      - G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
        - G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
          - G06F2221/2113—Multi-level security, e.g. mandatory access control
          - G06F2221/2141—Access rights, e.g. capability lists, access control lists, access tables, access matrices
Definitions
- the present invention relates to the field of information technology, and in particular to permission control in an operating system: a secure user architecture and a method for controlling user permissions.
- existing operating systems share some characteristics in user authorization management. These characteristics bring disadvantages, including:
- the all-powerful design of the root user, that is, the root user has full control of all resources in the computer. Once an attacker obtains root permissions, he can easily reach the target of the attack.
- the kernel has no authority of its own over the management of user data.
- the unit of management is the process. Once a process is created, all authority-related judgments of the operating system are based on the attributes of the process, and it is the process that is constrained.
- authority is bound to the process.
- a process can carry two user attributes (uid, euid) at the same time; they are passed on at process creation, and for some special reasons a user can create a process with higher privileges than his own.
- of the two user attributes a process carries at the same time, one is used to judge authority and is often of a high privilege level, while the other marks the ownership relationship and is the actual user. The permissions of the two differ, this difference is passed on through parent and child process creation, and the child process can also hold both kinds of authority.
- the present invention establishes a secure user architecture, which is characterized by:
- the process capability set refers to the capability set of the user to which the process belongs.
- the user role refers to dividing computer users into different categories, and each category is called a role, and each role has its own maximum power range.
- Each user belongs to and can only belong to a specific role, and the range of capabilities of each user cannot exceed the range of capabilities of the role to which they belong.
- the capability set of the user refers to a set of power and capability of the user.
- a capability belongs to the range of functions included in the user's process and carries the right for the kernel to support the actions performed by the user.
- the capability refers to the functions included in the executable program and the available system call interface;
- the power refers to a range of objects that can be operated by the user's process capability.
- the power refers to a range of operable files, accessible system port numbers, and the like.
- the full authority refers to a kind of authority that includes all the capabilities and powers present in the current system, for example, the root authority that is common in existing operating systems.
- the set of controls over the process capability set includes: the operating system separately sets up, for each role, its operable behavior and the range of objects it may operate on; during execution of a process, each operation of the process is judged to determine whether its behavior falls within the scope of the capabilities of the role of its user.
- a preferred method for dividing user roles is to divide roles according to user types.
- the user types include:
- the above users are divided into two types: one is the user, whose purpose is to use the computer to complete their application requirements, and whose target of use is the application software on the computer; the other is the maintainer, whose purpose is to keep the computer in normal working order, maintaining and managing the computer so that the user can use it normally and conveniently;
- computer maintainers can be divided into maintainers of computer service software (such as low-level support for common computer software and applications that do not directly face users), and maintainers of the computer itself;
- the maintainer of the computer itself can be divided into: management and maintenance of computer hardware, management and maintenance of computer users, and handling and maintenance of abnormal situations when a computer problem occurs.
- the user roles divided are: user role and maintainer role.
- the role of the maintainer is divided into a service maintainer and a computer maintainer.
- the computer's own maintainers are divided into hardware administrators, user administrators, and abnormal situation administrators.
- a root node of a file management structure corresponding to the role is established for each role.
- FIG. 1 shows a specific implementation manner of the present invention, in which a file management structure is respectively established for a user, a service maintainer, a hardware manager, a user manager, and an exception manager under a root node of the file management structure.
- on the basis of the root node, the range of files that can be accessed by each specific user is set.
- the user can only access files below the root node of the user's file management structure, and the kernel does not support user calls to system calls that can only be used by the maintainer.
- the service maintainer can only access files below the root node of the service maintainer's file management structure.
- the kernel does not support service maintainers to use system calls that are only used by user administrators, hardware administrators, and exception administrators.
- the user administrator can only access the files below the root node of the user administrator's file management structure, including: user login programs, user management programs, and other applications used to manage user rights, together with the files that cooperate with them; the system calls in the kernel related to user management are only available to users in the user administrator role.
- the user administrator can only execute the applications preset by the system, and cannot add, modify, or delete these applications. Further, the parameters of the application program are preferably set only for selective input.
- the hardware administrator can only access the files below the root node of the hardware administrator's file management structure, including: programs for adding and removing drivers, disk management programs, and other applications that manage system hardware, together with the files that cooperate with them; the system calls in the kernel related to hardware management are only available to users in the hardware administrator role.
- the hardware administrator can only execute the applications preset by the system, and cannot add, modify, or delete these applications. Further, the parameters of the application program are preferably set only for selective input.
- the exception administrator can only access the files below the root node of the exception administrator's file management structure, including: programs for deleting specified files, closing specified processes, and other applications that manage the system under abnormal conditions, together with the files that cooperate with them; the system calls related to exception management are only available to users in the exception administrator role.
- when an exception administrator operates on a file, the user administrator needs to temporarily authorize that file.
- the exception administrator can only execute the applications preset by the system, and cannot add, modify, or delete these applications by himself.
- the accessible user roles, accessible users, and user groups of the file are indicated in the management structure of the file.
- a method is set for completing a user operation successively by processes of different roles: when the user's authority cannot satisfy the user's request and a user and program of the service maintainer role need to assist in completing the operation, the user's application program applies, in a specific format, to the maintenance program of the service maintainer. After the maintenance program finishes processing, the processing result is returned to the user's application program.
- the MSU refers to a memory system unit, and the memory system unit is a specific unit in a memory system device; the memory system device refers to a set of specific access controls and an access area controlled by the specific access control.
- the abbreviation MSU in the present invention corresponds to a memory system unit.
- the area includes a CPU-addressable storage space surrounded by a set of boundaries.
- the area must be identified by an access control set.
- the identification refers to recording the information of the area in the MSU information.
- the access control set includes: MSU information, a permission mechanism for accessing the area, and / or a mechanism for prohibiting access to the area.
- the addressable storage space may store data and / or instructions.
- the data and codes of all software are put into designated MSUs separately according to design requirements, that is, no codes and data are placed outside the MSU.
- the CPU refers to a central processing unit.
- the area is composed of one or more continuous storage areas in the same linear address space, and each continuous storage area is defined by the address identifiers at both ends, and the set of all the foregoing address identifiers constitutes the boundary of the area.
- a preferred solution for an area composed of multiple consecutive storage areas is that the consecutive storage areas in the area are disjoint from each other.
- the storage areas where data and code are stored are called data area and instruction area, respectively. Regions of different MSUs do not intersect each other.
- the MSU information includes: MSU boundary information, MSU port information, and MSU attribute information.
- as an optional implementation manner, an empty port MSU may be set.
- the MSU port information of the empty port MSU is empty and still has MSU boundary information and MSU attribute information.
- the MSU information further includes: MSU user information.
- the permission mechanism includes: allowing non-branch instructions, interrupt instructions, and branch instructions that stay within the current area to execute in the area, and allowing instructions in the area to access data in the current area. Further, the permission mechanism includes: allowing data to be passed between regions, whether from inside the region to outside it or from outside the region into it, by passing parameters; allowing regions to pass data by sharing physical memory, preferably passing large amounts of data through shared physical memory; and, for access between regions (that is, leaving or entering a region), the further requirement that MSUs execute port transfer instructions through ports, with matching attribute information and port information.
- the prohibition mechanism includes prohibiting the execution of instructions located in a data area of the region. Apart from what the permission mechanism allows, all cross-region instruction execution (including non-transfer instructions, branch instructions, and mismatched transfers) from inside the region to outside it or from outside the region into it, and all cross-region data accesses, generate exceptions.
- shared data MSU which is characterized by containing only data shared by other MSUs and no instructions; allowing other MSUs to manipulate data through agreed instructions.
- the kernel stack and / or the user stack are placed in the shared data MSU, and the MSU to which the stack belongs must be the shared data MSU, and other MSUs operate the data in the stack by a predetermined instruction.
- the MSU boundary information includes: a set of boundary information of all continuous storage areas in an area identified by an access control set.
- the data structure storing the above information is referred to as boundary data, and the address of the boundary data is associated with and identifiable in the memory system device.
- the device can find the data structure according to the address of the boundary data, and then all the boundary information can be obtained.
- the MSU port information includes an entrance and / or an exit. Specify a limited number of instruction addresses as entrances or exits in the instruction address area within the area identified by the access control set, where each instruction address is an entrance or exit.
- the optional entry is: the destination address of the inter-MSU branch instruction in the area; the optional exit is: the address of the inter-MSU branch instruction.
- the MSU attribute information includes: MSU identification information and MSU type information.
- the MSU identification information refers to a unique identification that is different from other MSUs.
- the type information of the MSU may be one of an ordinary MSU and a shared data MSU.
- the MSU attribute information may further include: user type information to which the MSU belongs, and user identification information to which the MSU belongs.
- the user type information to which the MSU belongs refers to the type of the user to which the MSU belongs.
- the user type is a user role
- the user identifier information to which the MSU belongs refers to the unique identifier of the user to which the MSU belongs.
- the aforementioned boundary information and / or attribute information and / or MSU port information can be synthesized into a more convenient and complete data structure.
- the matching of the MSU port information and the matching of the MSU attribute information means that in the program initialization phase, the exit, entrance, boundary, identification information, and type information of the MSU required for execution of the transfer instruction are recorded in the MSU descriptor table.
- the information contained in the transfer instruction is compared with the port information and attribute information in the MSU descriptor table. If the results match, it is regarded as legitimate and the transfer instruction is allowed to execute. Otherwise, it is considered illegal and an exception is reported.
- a check MSU is added to the MSU type information.
- an MSU whose type information is marked "check MSU" is considered a check MSU.
- a non-check MSU is not allowed to directly call another non-check MSU.
- the source MSU must first call the check MSU, and then the check MSU calls the target MSU. When the target MSU returns, it returns to the check MSU first.
- the check MSU returns to the source MSU.
- a non-check MSU refers to any type of MSU other than the check MSU.
- terminal MSU is added to the MSU type information.
- An MSU whose type information is marked as "terminal MSU" can only be called by other MSUs, and cannot call other MSUs.
- an empty port MSU is added to the MSU type information.
- the MSU whose type information is marked as "empty port MSU" has no port.
- Other MSUs can call any function of the empty port MSU through the port, but cannot directly access the data of the empty port MSU.
- An empty port MSU calling another MSU must enter the MSU through its port. Function calls can be made between different empty port MSUs, but data cannot be accessed. When the terminal MSU exists, the empty port MSU cannot call the terminal MSU.
- a safe MSU is added to the MSU type information.
- This type of MSU is not allowed to contain instruction areas. Only certain operations that need to save status information can access the MSU.
- the status information may be a return address, an interruption scene, and the like.
- an IO instruction MSU is added to the MSU type information.
- when the device contains an IO instruction MSU, only special instructions related to IO operations are allowed to be executed within this type of MSU.
- the attribute matching check rules of this type of MSU are the same as those of the terminal MSU.
- the device may omit the implementation of one or more of the check MSU, terminal MSU, empty port MSU, safe MSU, and IO instruction MSU.
- the secure user architecture refers to a secure user architecture applied to an operating system.
- a computing device is characterized in that a register is added to save the current user ID.
- a computing device is characterized in that a register is added to save the current user role type.
- a special register for user ID is added to store the current user ID; a special register for user role type is added to save the current user role type.
- root authority has absolute power and can perform any operation.
- An attacker gaining root authority means that all authorization checking mechanisms in the system can no longer restrict its behavior.
- the core goal of most attack code is to obtain root privileges. Once obtained, all operations needed to achieve the attack's results can be "normal, legal, and use system functions".
- users can create a process with higher privileges than their own due to some special reasons.
- the process has two user attributes at the same time: one is used for judging authority and is often of a high privilege level; the other marks the ownership relationship and is the actual user.
- the permissions of the two differ, and this difference can be passed on by the parent-child process creation mechanism, so the child process can also hold both kinds of authority. Therefore, an attacker can hold high execution permissions as a low-privilege user.
- the attack sequence can then be executed with high permissions. If a child process is created at this time, a child process with high permissions is obtained as well, and that child process can reside in memory and keep producing the results the attack desires.
- Figure 1 Example of setting up a root node for a file management structure corresponding to that role for each role
- Figure 2 Schematic diagram of an example of system service provided by the operating system
- This embodiment is a specific implementation manner of recording the current user and the current user role identifier. These two pieces of information are mainly used for a set that controls a set of process capabilities.
- One way is to record the current user ID and user role type in the current process information.
- a preferred method is: adding a register to save the current user ID; adding a register to save the current user role type.
- the executable program does not have other functions, including the ability to add, delete, modify, and replace the executable program itself; it does not provide the option to add, delete, modify, or replace the executable program. In this way, the power of the user is limited to the scope of the option and cannot be surpassed. In particular: the executable program corresponding to the option cannot be added, deleted, modified, or replaced.
- the maintainers include: a hardware administrator, a user administrator, and an abnormality administrator.
- the establishment method is:
- for users of the hardware administrator role, the system developer provides a special program to complete the functions that the hardware administrator needs to complete.
- the dedicated program does not allow the user to customize input content during use.
- a system developer is required to provide a special program to perform disk defragmentation.
- the developer needs to add a special system call port.
- the parameters of this port only include the drive letter that needs to be defragmented.
- this program only includes the program that calls this system call port and other related logic.
- formal verification and exhaustive testing are required. As long as the verification is passed, it can be ensured that the program is free of vulnerabilities.
- the establishment method is:
- for users subordinate to the role of hardware administrator, the system developer provides a special program to complete the functions that the hardware administrator needs to complete.
- the dedicated program does not allow the user to customize input content during use.
- a system driver is required to provide a special driver processing program to process the driver.
- a set of driver identification formats must be agreed between the developer of the program and the driver developer, that is, specific fields are set in the file header of the file to which the driver belongs to mark this program as a driver and to indicate the type of driver.
- the driver handler can identify the driver and load it by using the fields in the file header.
- the driver uses the programs in the operating system to complete the I / O processing.
- before the driver processing program loads a driver, it scans the driver for the presence of I/O instructions using a special scanning tool. If any exist, the driver is not loaded and the exception handling flow is entered; if none exist, the driver is loaded.
- the file where the driver is located requires a specific file type, that is, the driver file type.
- the driver handler can only look for files of the driver file type in a specific directory. In addition, only files of the driver file type in that specific directory are shown in the human-computer interaction interface provided to the user, and the user is only offered the options of selecting a specific file and installing or uninstalling the driver, so that no operation other than driver processing can be performed.
- the establishment method is:
- for users subordinate to the abnormal situation administrator role, the system developer provides a special program to complete the functions that the abnormal situation administrator needs to complete.
- the dedicated program does not allow the user to customize input content during use.
- the system developer needs to provide a special program for killing other processes, and ensure that only logic related to killing processes exists in this program and that only the system call port related to killing processes can be invoked.
- in the human-computer interaction interface, a user with the abnormal situation administrator role is only allowed to select the process name and process number to be killed, so as to ensure that the user cannot do any work other than killing the process.
- a system developer is required to provide a special user file deleting program.
- This program obtains a set of user IDs through inter-process communication with a specific process of the user administrator.
- This program can only delete the file of the specified user.
- the program only has logic related to deleting this file and can only invoke the system call port related to deleting the file.
- the abnormal situation administrator is only allowed to select the file to be deleted within the specified user's file directory, to ensure that the user cannot do any other work.
- a method for determining whether a system call meets a role requirement includes:
- a method for determining whether access to a file meets a role requirement includes:
- an operable role type is added to the file management structure node. When the file is accessed, it is determined whether the role type in the file management structure node is consistent with the current role type. If the role types are consistent, the file can be accessed; if they are inconsistent, an error message is returned.
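As an added example (not code from the patent), the following Python reference model puts the pieces above together: one root node per role, nodes tagged with accessible roles and users, the current user ID and role held in a context that stands in for the two added registers, a temporary authorization that only the user administrator may grant, and system calls reserved to a role. All names, paths and system-call labels are hypothetical.

```python
from dataclasses import dataclass

# The five roles the patent divides users into.
ROLES = frozenset({"user", "service_maintainer", "hardware_admin",
                   "user_admin", "exception_admin"})

# Hypothetical system-call labels, each usable only by the listed role(s);
# the patent names the categories, not the actual call interfaces.
SYSCALL_ROLES = {
    "sys_create_process_as": {"user_admin"},   # login program creates a user's first process
    "sys_load_driver": {"hardware_admin"},
    "sys_defragment": {"hardware_admin"},
    "sys_kill_process": {"exception_admin"},
    "sys_delete_user_file": {"exception_admin"},
    "sys_write": set(ROLES),                    # ordinary call available to every role
}


@dataclass(frozen=True)
class Context:
    """Stands in for the two added registers: current user ID and current role."""
    user_id: str
    role: str


@dataclass(frozen=True)
class Node:
    """A file management structure node with its accessible roles and users."""
    path: str
    roles: frozenset                # accessible user roles
    users: frozenset = frozenset()  # accessible users; empty means any user of the role


class FileTree:
    def __init__(self):
        # One root node per role; everything below it inherits the role tag.
        self.nodes = {"/" + r: Node("/" + r, frozenset({r})) for r in ROLES}
        self.temp_grants = set()  # (path, role) pairs granted by the user administrator

    def root_of(self, path):
        top = "/" + path.strip("/").split("/")[0]
        if top not in self.nodes:
            raise KeyError(f"{path} lies under no role's root node")
        return self.nodes[top]

    def add_file(self, path, users=()):
        root = self.root_of(path)
        self.nodes[path] = Node(path, root.roles, frozenset(users))

    def grant_temporary(self, ctx, path, role):
        """Only the user administrator may temporarily authorize another role."""
        if ctx.role != "user_admin":
            return False
        self.temp_grants.add((path, role))
        return True

    def access_allowed(self, ctx, path):
        """Compare the node's role tag (and user list) with the current context."""
        if (path, ctx.role) in self.temp_grants:
            return True
        node = self.nodes.get(path) or self.root_of(path)
        if ctx.role not in node.roles:
            return False  # the check the patent describes: role mismatch -> error
        return not node.users or ctx.user_id in node.users


def syscall_allowed(ctx, name):
    """The kernel only supports a call for processes whose role is permitted."""
    return ctx.role in SYSCALL_ROLES.get(name, set())


if __name__ == "__main__":
    tree = FileTree()
    tree.add_file("/user/alice/notes.txt", users={"alice"})
    alice, ops = Context("alice", "user"), Context("ops", "exception_admin")
    print(tree.access_allowed(alice, "/user/alice/notes.txt"))  # True
    print(tree.access_allowed(ops, "/user/alice/notes.txt"))    # False until authorized
    print(syscall_allowed(ops, "sys_kill_process"))              # True
```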
- the operating system provides an application program "system service interface input process" for users to execute.
- the function of the program is to receive service requests from users.
- This program is created by users in the user role.
- the user of the process is the user who created it. Users can execute this program. Two users execute this program at the same time to create two processes, and their users are the users who created the processes. See step 1 in Figure 2.
- the operating system provides a "system service resident process", which is created by the kernel at boot time, whose user is a service maintainer role user, and which is resident in memory. This process communicates with the "system service interface input process" and is responsible for collecting user requests and communicating with the service program that completes each request.
- the resident process is responsible for creating it, and the role of the user it belongs to is administrator. See steps 2 and 3 in Figure 2.
- the "system function processing process" obtains the request and parameters submitted by the user from the "system service resident process", performs judgment and processing, and initiates a system call to the kernel to complete the function.
- the system calls required for these functions are usually set to be usable only by processes belonging to the administrator role. See steps 4 and 5 in Figure 2.
- after the system service completes the work, it returns the processing result information to the resident program through inter-process communication, and the resident program then returns the processing result information to the user's application program through inter-process communication, as shown in steps 2, 7, 8, and 9 in Figure 2.
- An implementation manner in which a user administrator role user interacts with a user role user, a service maintainer role user, and a hardware administrator role is:
- the creation of the user's first process is not created by the user's process, but by the login program.
- the process corresponding to the login program belongs to a user in the user administrator role. For example, if the actual user logging in is a user role user, when he logs in through the login program, the login program creates a shell process for the user. The specific method is to add a special system call interface for creating a process, which is called by the login program; when creating a process, the interface can specify the user and user role to which the process belongs. This interface is only used by the user administrator role.
- the specific method is the same as the method for creating a shell process for the user role user.
- Embodiment 10 Cooperation between a user setting program and an administrator program
- the actual operation is related to power maintenance or hardware management. For example, users want to change their passwords, or modify their desktops, power options, mouse settings, and so on.
- the initiator is the user
- the maintainer of the final data is the user administrator or hardware administrator. If the modification is performed by the user, it is equivalent to giving the administrator the power, and if all operations are performed by the administrator, the user's sense of use is very rigid.
- a user with the administrator role must open the program that belongs to the administrator and complete the operation independently. For example, adding a user, such an operation requires humans to identify whether it is feasible, an application cannot be submitted by a user, the administrator is allowed to perform the operation by default, and the administrator must perform the entire process in person.
- Embodiment 11 Load a dynamic link library under the MSU mechanism, and store the user ID and user type of the dynamic link library file in the MSU information of the dynamic link library
- the instructions and data in the dynamic link library are stored in an MSU different from the original process.
- the user ID and user role type recorded in the attribute information of these MSUs are the user and user type to which the dynamic link library file belongs.
- the current user ID and user role are the ID and role of the user to which the process belongs.
- switching the MSU causes the current user ID and user role to become the user ID and user role recorded in the target MSU's information.
- A1 The manufacture of the memory system device includes:
- The MSU control comparison table holds the information of every MSU, specifically: MSU ID number, MSU boundary information, attribute information, port information, and validity / invalidation information. Preferably, it also includes the type of user to which the MSU belongs and the identification of that user.
- The MSU boundary information includes: instruction area boundary information, global data area boundary information, and heap area boundary information.
- The MSU port information includes: MSU exit information and MSU entry information.
- The exit information of an MSU includes the ID of the MSU to which the exit belongs, the exit number, and the exit address value.
- The entry information of an MSU includes the ID of the MSU to which the entry belongs, the entry number, and the entry address value.
- The port matching table holds pairs of exits and entries that have a calling relationship between MSUs.
- In the data area of each MSU, the following are set: a pointer variable pointing to the MSU control comparison table; a pointer variable pointing to the port matching table; and a variable that records the address value of the bottom of the MSU stack.
- A space is reserved in a page-aligned manner, and its size is an integer multiple of the page size.
- The control lookup table is placed in that space, and no other data is stored there.
- MSU access control logic is implemented by software instructions, which specifically include:
- The logic of the added instructions is: before the parameter-passing instruction of a call between MSUs, obtain the current stack top address and push it onto the stack; this value serves as the stack bottom address of the called MSU. At the beginning of the called MSU's instructions, the address value passed on the stack is read and saved into the variable that records the current MSU stack bottom address.
- Accesses to non-pointer variables can be checked explicitly at the compilation stage, so a preferred solution is to perform no boundary judgment on them at runtime and to boundary-check only accesses made through data pointers.
- The specific method is: before an instruction that accesses memory through a data pointer, add judgment logic that checks the boundary of the access, including:
- Step 1: If the final destination address of the access is in the global data area of the current MSU, or in its heap area, or in the region of the stack area that corresponds to the current MSU, go to step 2; otherwise go to step 3.
- Step 2: Execute the data access instruction, then go to step 4.
- Step 3: Enter the exception processing flow.
- Step 4: Execute the next instruction.
- For indirect transfer instructions within an MSU, the judgment logic added before the instruction is:
- Step 1: If the final destination address of the transfer is in the instruction area of the current MSU, go to step 2; otherwise go to step 3.
- Step 2: Execute the indirect transfer instruction within the MSU, then go to step 4.
- Step 3: Enter the exception processing flow.
- Step 4: Execute the next instruction.
- The address of each inter-MSU call instruction and its target address are recorded and reflected in the check instructions.
- The purpose of the port check is to verify that the current inter-MSU call or return matches the expected inter-MSU call or return, so that the execution order between MSUs cannot be changed.
- The specific method is: 1. Before a call between MSUs, check whether the address value of the current call instruction and its target address are recorded in the port matching table. 2. On a return between MSUs, one return instruction may correspond to several legal return addresses, and performing a full entry/exit match check may reduce execution efficiency; a preferred solution is to check only that the return instruction itself sits at a legal exit.
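The run-time checks described in the preceding items (the data-pointer boundary check, the indirect-transfer check, the port check against the port matching table, and the hand-over of the stack bottom on an inter-MSU call) can be modelled in software as follows. This is an added illustration, not the patent's own code or compiler output; the struct layouts, function names, the two-MSU sample layout and the single recorded call are assumptions made for the example.

```c
/* Added example: a software model of the MSU access checks. Not the patent's
 * own code; struct layouts, function names and the sample layout are assumed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One row of the MSU control comparison table. All ranges are [lo, hi). */
typedef struct {
    uint32_t  id;
    uintptr_t instr_lo, instr_hi;   /* instruction area boundary */
    uintptr_t data_lo,  data_hi;    /* global data area boundary */
    uintptr_t heap_lo,  heap_hi;    /* heap area boundary (0,0 = not yet allocated) */
    int       valid;                /* validity / invalidation bit */
} MsuEntry;

/* One row of the port matching table: an exit paired with the entry it may reach. */
typedef struct {
    uint32_t  from_msu;  uintptr_t call_addr;   /* exit: owning MSU + call instruction address */
    uint32_t  to_msu;    uintptr_t entry_addr;  /* entry: owning MSU + first instruction of port function */
} PortPair;

/* State kept in the MSU data area: both table pointers, the current MSU id,
 * and the stack bottom address of the current MSU. */
typedef struct {
    const MsuEntry *table;  size_t ntable;
    const PortPair *ports;  size_t nports;
    uint32_t  cur_msu;
    uintptr_t stack_bottom;
} MsuContext;

static int in_range(uintptr_t a, uintptr_t lo, uintptr_t hi) {
    return a >= lo && a < hi;
}

static const MsuEntry *msu_lookup(const MsuContext *ctx, uint32_t id) {
    for (size_t i = 0; i < ctx->ntable; i++)
        if (ctx->table[i].id == id && ctx->table[i].valid)
            return &ctx->table[i];
    return NULL;                    /* unknown or invalidated MSU */
}

/* Data-pointer check: allowed only if the final address lies in the current
 * MSU's global data area, its heap area, or its own stack region, which runs
 * from the current stack pointer up to the recorded stack bottom. */
int msu_check_data_access(const MsuContext *ctx, uintptr_t addr, uintptr_t sp) {
    const MsuEntry *m = msu_lookup(ctx, ctx->cur_msu);
    if (m == NULL) return 0;        /* would enter the exception processing flow */
    return in_range(addr, m->data_lo, m->data_hi)
        || in_range(addr, m->heap_lo, m->heap_hi)
        || in_range(addr, sp, ctx->stack_bottom);
}

/* Indirect-transfer check: the target must be in the current MSU's instruction area. */
int msu_check_indirect_jump(const MsuContext *ctx, uintptr_t target) {
    const MsuEntry *m = msu_lookup(ctx, ctx->cur_msu);
    return m != NULL && in_range(target, m->instr_lo, m->instr_hi);
}

/* Port check: the (call address, target) pair must be recorded for the current MSU. */
static const PortPair *msu_find_port(const MsuContext *ctx, uintptr_t call_addr, uintptr_t target) {
    for (size_t i = 0; i < ctx->nports; i++)
        if (ctx->ports[i].from_msu == ctx->cur_msu &&
            ctx->ports[i].call_addr == call_addr &&
            ctx->ports[i].entry_addr == target)
            return &ctx->ports[i];
    return NULL;
}

int msu_check_call(const MsuContext *ctx, uintptr_t call_addr, uintptr_t target) {
    return msu_find_port(ctx, call_addr, target) != NULL;
}

/* Inter-MSU call: once the port check passes, the caller's stack top becomes
 * the callee's stack bottom and the current MSU id switches to the callee. */
int msu_call(MsuContext *ctx, uintptr_t call_addr, uintptr_t target, uintptr_t sp) {
    const PortPair *p = msu_find_port(ctx, call_addr, target);
    if (p == NULL) return 0;
    ctx->cur_msu = p->to_msu;
    ctx->stack_bottom = sp;
    return 1;
}

/* Constructed sample layout (assumption): two MSUs and one permitted call. */
static const MsuEntry SAMPLE_TABLE[] = {
    { 1, 0x1000, 0x2000, 0x10000, 0x11000, 0x20000, 0x21000, 1 },
    { 2, 0x2000, 0x3000, 0x11000, 0x12000, 0,       0,       1 },
};
static const PortPair SAMPLE_PORTS[] = {
    { 1, 0x1500, 2, 0x2000 },       /* MSU 1 exit at 0x1500 -> MSU 2 entry at 0x2000 */
};

MsuContext msu_sample_context(void) {
    MsuContext ctx;
    ctx.table = SAMPLE_TABLE; ctx.ntable = 2;
    ctx.ports = SAMPLE_PORTS; ctx.nports = 1;
    ctx.cur_msu = 1;
    ctx.stack_bottom = 0x80000;     /* stack bottom of the privileged stack for MSU 1 */
    return ctx;
}

int main(void) {
    MsuContext ctx = msu_sample_context();
    printf("data in own area:   %d\n", msu_check_data_access(&ctx, 0x10010, 0x7f000));
    printf("data in other MSU:  %d\n", msu_check_data_access(&ctx, 0x11010, 0x7f000));
    printf("jump into other MSU:%d\n", msu_check_indirect_jump(&ctx, 0x2800));
    printf("recorded call:      %d\n", msu_call(&ctx, 0x1500, 0x2000, 0x7f000));
    printf("now running MSU %u\n", (unsigned)ctx.cur_msu);
    return 0;
}
```

Note that after the call the stack region of MSU 1 (above the new stack bottom) is no longer accessible to the callee, which is what the per-MSU stack bottom variable is for; an unmatched (call address, target) pair is refused before any switch happens.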
- Non-branch instructions can be determined to lie within the MSU area at compile time.
- The target address can also be ensured at the compilation stage to lie within the MSU area.
- By setting the pages of the instruction area read-only, it is guaranteed that the instructions will not be changed at runtime.
- A preferred solution is therefore to rely on the compilation stage to ensure correctness and not to check again at runtime.
- This check is required regardless of whether the IO instructions are generated from high-level code or directly embedded as assembly, so that every IO instruction in the executable program is preceded by the check logic.
- An IO instruction is a special instruction that directly reads from or writes to peripheral devices.
- IO instructions differ between the CPUs of different systems and the actual situation prevails; on INTEL systems, for example, they are the in and out instructions.
- The access control application method for the manufacturing method of such a memory system device includes:
- B1 Compile the source program containing MSUs, including:
- B1-1 Extract MSU information, including:
- B1-1-1 Write and compile source programs containing MSU information:
- These rules add the following grammar rules to the C language:
- The MSU type represents the attributes of the MSU:
- common_msu represents an ordinary MSU;
- check_msu represents a check MSU;
- terminal_msu represents a terminal MSU;
- nothing_msu represents an empty-port MSU;
- share_msu represents a shared-data MSU.
- The MSU name is the identification information of the MSU; the data and functions within one pair of braces { } belong to the same MSU.
- A function marked with the inner access identifier is an MSU empty port function.
- A function marked with the port access identifier is an MSU port function.
- The validation / deactivation bit records whether the MSU is available: 1 means valid, 0 means invalid.
- Pointer area type: a pointer marked data is a global data area pointer; a pointer marked stack is a stack area pointer; a pointer marked heap is a heap area pointer. If no pointer area type identifier precedes the pointer definition, the pointer defaults to a global data area pointer.
- Through the added syntax rules, the compiler recognizes the MSU information retained in the program and saves it in the syntax tree for the subsequent steps.
- When the compiler performs syntax analysis, the above rules are used to identify the MSU-related information in the program; finally a syntax tree is generated with the MSU information saved in it.
- The remaining syntax compilation technology is the same as the existing technology.
- Instructions and data belonging to the same MSU are page-aligned and closely linked separately. Instructions are stored in the instruction area and data are stored in the data area. All MSUs are uniformly addressed with the same base address in the same linear address space.
- the ID of the current MSU stores the ID value of the currently running MSU, and is used to find information of the currently running MSU in the MSU control comparison table.
- The MSU control comparison table holds the information of every MSU, specifically: MSU ID number, MSU boundary information, attribute information, port information, and validity / invalidation information. Preferably, it also includes the type of user to which the MSU belongs and the identification of that user.
- The MSU ID number is generated from the distinct MSU names stored in the syntax tree.
- The MSU boundary information includes: instruction area boundary information, global data area boundary information, and heap area boundary information.
- The instruction area boundary information and global data area boundary information can be determined at compile time by totalling the generated instructions and the global data footprint.
- For the heap area boundary information, because the size of the heap area that will be needed cannot be determined at compile time, an entry can be reserved in the comparison table and the information added at runtime when the heap area is needed.
- The MSU attribute information may be set according to the MSU type information recorded in the syntax tree.
- The MSU port information includes: MSU exit information and MSU entry information.
- The exit information of an MSU includes the ID of the MSU to which the exit belongs, the exit number, and the exit address value; the exit number is a unique number for each exit, and the exit address value is the address of the inter-MSU call / return instruction.
- The entry information of an MSU includes the ID of the MSU to which the entry belongs, the entry number, and the entry address value; the entry number is a unique number for each entry, and the entry address value is either the address of the instruction following an inter-MSU call instruction or the address of the first instruction of a port function.
- The validity / invalidation information is set from the validity / invalidation flag recorded in the syntax tree node.
- the port matching table is a set of call relationships for the MSU to call other MSUs.
- One of the entries includes a pair of exits and entries that have a call relationship between MSUs.
- the pointer variable pointing to the MSU control comparison table is used to access the MSU control comparison table in the inspection instruction.
- the pointer variable pointing to the port matching table is used to access the port matching table in a check instruction.
- the variable used to record the address value of the bottom of the MSU stack is used to control the access boundary of the stack area of the current MSU in the check instruction.
- the initial value of this variable is the stack bottom address value of the corresponding privileged stack.
- In the data area of each MSU, a piece of space is reserved in a page-aligned manner.
- The size of this space is an integer multiple of the page size.
- The control table is placed in it, and no other data may be stored there.
- Within the executable file:
- The compiler analyzes the information recorded in the syntax tree and does not generate an executable program for code that does not comply with the MSU access rules; if the code complies, it enters the subsequent process of generating assembly code and linking.
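To make the B1-1 extraction step concrete, the following is an added example (not the patent's compiler, and not code from the page) of a minimal front end that recognizes the grammar additions listed above and fills in the fields of a control comparison table entry that are available at compile time: the MSU ID generated from the distinct MSU names, the attribute (MSU type) and the validity bit, together with counts of port functions, inner functions and explicitly typed pointers. The exact declaration syntax `<msu type> <name> { ... }`, the treatment of `port`/`inner` and `data`/`stack`/`heap` as leading keywords, and the sample source are assumptions made for the example; unbalanced braces are rejected, mirroring the rule that non-compliant code yields no executable.

```c
/* Added example: extractor for MSU declarations in the extended C syntax.
 * Not the patent's compiler; declaration syntax and sample source are assumed. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum MsuType { MSU_COMMON, MSU_CHECK, MSU_TERMINAL, MSU_NOTHING, MSU_SHARE };

static const char *MSU_TYPE_KEYWORDS[] = {
    "common_msu", "check_msu", "terminal_msu", "nothing_msu", "share_msu"
};

typedef struct {
    int  id;          /* MSU ID number, generated from the distinct MSU names */
    char name[32];    /* MSU name (identification information) */
    int  type;        /* attribute information, a value of enum MsuType */
    int  valid;       /* validity / invalidation bit, 1 = valid */
    int  nport;       /* functions marked port (MSU port functions) */
    int  ninner;      /* functions marked inner (MSU empty port functions) */
    int  nptr;        /* pointers with an explicit data/stack/heap area type */
} MsuDecl;

static int msu_type_of(const char *tok) {
    for (int i = 0; i < 5; i++)
        if (strcmp(tok, MSU_TYPE_KEYWORDS[i]) == 0) return i;
    return -1;
}

/* Tokenizer: whitespace-separated words, with { } ; as single-character tokens. */
static int next_token(const char **p, char *out, size_t n) {
    const char *s = *p;
    size_t i = 0;
    while (*s && isspace((unsigned char)*s)) s++;
    if (*s == '\0') return 0;
    if (*s == '{' || *s == '}' || *s == ';') {
        out[i++] = *s++;
    } else {
        while (*s && !isspace((unsigned char)*s) && !strchr("{};", *s) && i < n - 1)
            out[i++] = *s++;
    }
    out[i] = '\0';
    *p = s;
    return 1;
}

/* Walks the source once; members belong to the MSU whose outer braces enclose
 * them (depth 1). Function bodies at depth 2 are skipped. Returns the number of
 * MSUs found, or -1 for too many MSUs or unbalanced braces. */
int msu_extract(const char *src, MsuDecl *out, int max) {
    char tok[64];
    int count = 0, depth = 0;
    MsuDecl *cur = NULL;

    while (next_token(&src, tok, sizeof tok)) {
        int t = msu_type_of(tok);
        if (depth == 0 && t >= 0) {             /* "<msu type> <name> {" */
            if (count >= max) return -1;
            cur = &out[count];
            memset(cur, 0, sizeof *cur);
            cur->id = ++count;                  /* IDs follow declaration order */
            cur->type = t;
            cur->valid = 1;
            if (!next_token(&src, cur->name, sizeof cur->name)) return -1;
            continue;
        }
        if (strcmp(tok, "{") == 0) { depth++; continue; }
        if (strcmp(tok, "}") == 0) {
            if (--depth < 0) return -1;
            if (depth == 0) cur = NULL;
            continue;
        }
        if (cur == NULL || depth != 1) continue;
        if (strcmp(tok, "port") == 0)       cur->nport++;
        else if (strcmp(tok, "inner") == 0) cur->ninner++;
        else if (strcmp(tok, "data") == 0 || strcmp(tok, "stack") == 0 || strcmp(tok, "heap") == 0)
            cur->nptr++;
    }
    return depth == 0 ? count : -1;             /* unbalanced braces: reject */
}

/* Constructed sample source (assumption) in the extended syntax. */
const char MSU_SAMPLE_SOURCE[] =
    "common_msu crypto {\n"
    "    data int *key_tbl;\n"
    "    heap char *buf;\n"
    "    port int encrypt(int x) { return helper(x) ^ key_tbl[0]; }\n"
    "    inner int helper(int x) { return x + 1; }\n"
    "}\n"
    "check_msu guard {\n"
    "    port int check(int x);\n"
    "}\n";

int main(void) {
    MsuDecl decls[8];
    int n = msu_extract(MSU_SAMPLE_SOURCE, decls, 8);
    for (int i = 0; i < n; i++)
        printf("MSU %d %-8s type=%s port=%d inner=%d ptr=%d valid=%d\n",
               decls[i].id, decls[i].name, MSU_TYPE_KEYWORDS[decls[i].type],
               decls[i].nport, decls[i].ninner, decls[i].nptr, decls[i].valid);
    return 0;
}
```

The boundary and port address fields of the table are deliberately absent here: as the text states, instruction and data boundaries come from totalling the generated code and data, heap boundaries are filled at runtime, and exit/entry addresses are only known once code has been generated.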
- B1-3 Generate the instructions related to MSU access:
- The inter-MSU call transfer instruction is: call <target address value>.
- Indirect transfer by a call instruction is not allowed.
- The inter-MSU return transfer instruction is: ret.
- The instructions for accessing MSU global data and heap data are the same as the instructions for accessing stack data.
- The operating system allocates a stack area for the process.
- A preferred solution is to set the size of the stack to the size actually needed, rather than the size of the entire linear address space.
- The boundary of the shared data MSU that represents the stack is set to the same boundary as the stack.
- When the program in an MSU is executed and needs to request or release heap space, it enters the kernel through a dedicated system call; the dedicated program in the kernel requests or releases the heap space for it and modifies the heap area boundary value in the MSU control comparison table accordingly.
- When the program in an MSU is executed and needs to add or remove an MSU, it enters the kernel through a dedicated system call; the dedicated program in the kernel adds or removes the MSU for it and modifies the corresponding data used for boundary access control.
Abstract
The present invention relates to a secure user architecture and an authority control method, belonging to the field of information technology and more specifically to the field of information security. Multiple user roles are arranged; a set of capabilities is defined for the user of each role, and no single role can hold full authority; and a control set is established for the progression of capability sets so that a role's capability set is not interrupted during operation. With the technical solution of the present invention, even if an intrusion program illegally obtains the authority of some user, the behaviours the intrusion program can carry out are very limited, because of the limitation of the authority of the role subordinate to that user, and they are confined to the scope of that user's own authority; consequently, the effect caused by the intrusion is very limited.
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810599753.7A CN110598393B (zh) | 2018-06-12 | 2018-06-12 | A secure user architecture and authority control method |
CN201810599753.7 | 2018-06-12 | | |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2019237864A1 (fr) | 2019-12-19 |
Family
ID=68841924
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2019/086496 WO2019237864A1 (fr) | Secure user architecture and authority control method | 2018-06-12 | 2019-05-11 |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN110598393B (fr) |
WO (1) | WO2019237864A1 (fr) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN117272397A (zh) * | 2023-11-22 | 2023-12-22 | 华信咨询设计研究院有限公司 | A method for modifying RBAC role permissions based on file design |
CN117272397B (zh) * | 2023-11-22 | 2024-04-16 | 华信咨询设计研究院有限公司 | A method for modifying RBAC role permissions based on file design |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101827091A (zh) * | 2010-03-26 | 2010-09-08 | 浪潮电子信息产业股份有限公司 | A method of detecting Solaris system faults using mandatory access control |
CN102325132A (zh) * | 2011-08-23 | 2012-01-18 | 北京凝思科技有限公司 | A system-level secure DNS protection method |
WO2017016231A1 (fr) * | 2015-07-27 | 2017-02-02 | 深圳市中兴微电子技术有限公司 | Policy management method and system, and computer storage medium |
CN106557699A (zh) * | 2016-11-11 | 2017-04-05 | 大唐高鸿信安(浙江)信息科技有限公司 | Operating system security enhancement system based on a capability module |
CN107871077A (zh) * | 2016-09-27 | 2018-04-03 | 阿里巴巴集团控股有限公司 | Capability management method for system services, capability management method and apparatus |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1763710A (zh) * | 2004-10-22 | 2006-04-26 | 中国人民解放军国防科学技术大学 | Capability-based privilege minimization method |
CN100401223C (zh) * | 2005-04-28 | 2008-07-09 | 中国科学院软件研究所 | Policy and method for implementing least-privilege control in a secure operating system |
CN104484594B (zh) * | 2014-11-06 | 2017-10-31 | 中国科学院信息工程研究所 | A Linux system privilege allocation method based on a capability mechanism |
Events
- 2018-06-12: CN, CN201810599753.7A, patent/CN110598393B/zh, active (Active)
- 2019-05-11: WO, PCT/CN2019/086496, patent/WO2019237864A1/fr, active (Application Filing)
Also Published As
Publication number | Publication date |
---|---|
CN110598393B (zh) | 2022-02-08 |
CN110598393A (zh) | 2019-12-20 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 19820399; Country of ref document: EP; Kind code of ref document: A1 |
| NENP | Non-entry into the national phase | Ref country code: DE |
| 122 | Ep: pct application non-entry in european phase | Ref document number: 19820399; Country of ref document: EP; Kind code of ref document: A1 |