计算机工程与应用 ›› 2015, Vol. 51 ›› Issue (12): 55-62.

• 网络、通信、安全 • 上一篇    下一篇

DFCM:以数据为中心的安全控制机制

江凌波,马  超,王加玉   

  1. 清华大学 计算机科学与技术系,北京 100084
  • 出版日期:2015-06-15 发布日期:2015-06-30

DFCM:novel data oriented security control mechanism

JIANG Lingbo, MA Chao, WANG Jiayu   

  1. Department of Computer Science and Technology, Tsinghua University, Beijing 100084, China
  • Online:2015-06-15 Published:2015-06-30

摘要: 数据安全是信息系统安全的根本目的。在两类主流安全模型中,访问控制模型侧重系统主、客体间的操作控制,难以直接对数据实施全程保护,而信息流控制模型虽然直接面向信息的传递控制,但其需要映射数据与安全级关系,难以很好地在主流操作系统中应用。提出一种兼有两类模型优点的数据流控制机制DFCM。DFCM以数据为中心,通过控制面向数据状态转换的系统操作,实现对机密数据块的全程、细粒度控制保护。实验结果表明,DFCM能够在主流商用操作系统上,在低开销的前提下实现对信息的保护。

关键词: 数据安全, 数据流, 操作系统, 数据流控制机制(DFCM)

Abstract: The security of data is the fundamental goal of information system security. In two kinds of main security models, the access control model puts extra emphasis on operation controlling between subjects and objects, which is difficult to protect data at the whole process. While the information flow model aims to transfer the controlling information by mapping data and security levels, and it cannot be used in major operating systems. This paper proposes a method named with DFCM, which combines the access control model and the information flow model to give full play to advantages of both models. DFCM is a data flow oriented security mechanism, and it can control system actions according to state transfer of data and hence can achieve the goal of protecting confidential data at the whole process in a fine-grained way. The experiment results show that DFCM can preserve information with low overhead on the major commercial operating system.

Key words: data security, data flow, operating system, Data Flow Control Mechanism(DFCM)