| 基于能力机制的Linux进程行为控制 |
| |
| 引用本文: | 张涛,宋磊,张毓森,闫正伟.基于能力机制的Linux进程行为控制[J].解放军理工大学学报,2004,5(3):9-12. |
| |
| 作者姓名: | 张涛 宋磊 张毓森 闫正伟 |
| |
| 作者单位: | 南京大学,计算机系,江苏,南京,210093;解放军理工大学,指挥自动化学院,江苏,南京,210007;解放军理工大学,指挥自动化学院,江苏,南京,210007 |
| |
| 摘 要: | 与传统的Linux超级用户机制相比,能力机制能够提供更加灵活和全面的进程行为控制保护。分析了Linux内核现有能力机制实现的不足,基于最小特权和特权分离原则对Linux内核中的能力机制进行了扩充,提出了一种基于“会话ID”机制保护能力子系统的方法,通过这种机制可以限制进程euid的变化,防止进程能力属性被任意提升。
|
| 关 键 词: | Linux 安全 进程行为控制 能力机制 最小特权 特权分离 |
| 文章编号: | 1009-3443(2004)03-0009-04 |
Process Behavior Controlling Based on Capability Mechanism in Linux OS |
| |
| ZHANG Tao,SONG Lei,ZHANG Yu-sen and YAN Zheng-wei.Process Behavior Controlling Based on Capability Mechanism in Linux OS[J].Journal of PLA University of Science and Technology(Natural Science Edition),2004,5(3):9-12. |
| |
| Authors: | ZHANG Tao SONG Lei ZHANG Yu-sen and YAN Zheng-wei |
| |
| Abstract: | Compared with traditional super-user scheme, the capability mechanism can be used to provide more flexible and powerful controlling on process behavior. In this paper, some shortcomings of capability implementation in current Linux kernel are analyzed at first, then some changes are discussed based on least privilidge and privilege separation principles. A method based on session ID is also introduced to protect capability mechanism itself. This method can limit processes to change their euid, and get more capabilities. |
| |
| Keywords: | Linux security process behavior control capability mechanism least privilege privilege separation |
| 本文献已被 CNKI 维普 万方数据 等数据库收录! |
| 点击此处可从《解放军理工大学学报》浏览原始摘要信息 |
| 点击此处可从《解放军理工大学学报》下载免费的PDF全文 |
