An LSM-Based Security Audit System (基于LSM的安全审计系统)
Abstract
The security of the operating system is decisive for the security of the computer system as a whole, and among the operating system's many subsystems the audit system is the last line of defence.
     Existing audit systems fall into two classes: those built into the operating system and those supplied by third parties. Built-in auditing reaches deep into the system and is precise, but it is mostly passive and non-real-time, offers little control over audit granularity, and produces log files of poor reliability; third-party software mainly audits the operations of application software, with coarse granularity and poor security and portability. Overall, existing audit systems need improvement in four respects: portability, real-time operation, log management and security.
     Building on LSM, the portable Linux Security Modules framework, this thesis designs and implements LSAS, a real-time, secure and efficient audit system. The main work and results are:
     1. LSM is extended for auditing. The security field of the kernel's process task structure is pointed at a data structure set up specifically for auditing; audit hooks and hook functions are added to collect more complete audit information; and load and unload functions are provided so that the security audit module can be added and removed dynamically.
     2. A buffer with a doubly linked list structure is designed, addressing the problems that audit information was easily dropped and the buffer frequently overflowed. The implementation borrows the P/V (semaphore) operations of operating systems to synchronise the processes involved.
     3. A rule base of normal behaviour, RVA, and its dynamic response algorithm are designed; a constraint control algorithm together with configurable warning and punishment thresholds provides real-time security warnings and punishment.
     4. With standardisation and audit efficiency in mind, a data structure for security audit logs is designed and five basic query modes are provided: by user name, by time period, by object attributes, by error type and by operation level; these can be combined into composite queries as needed.
     5. Least-privilege management, multi-level security settings and log validity checking protect the audit system itself.
     6. The running performance of LSAS is measured and compared in three respects: bandwidth, process switch time and system call time. Its security is tested using the sendmail attack on Linux. The results show that LSAS performs well and is secure.
English abstract (as published)
The security of the operating system plays an important role in building robust computer systems, and the security of the operating system in turn depends on a secure audit system.
     There are two kinds of audit system: the auditing capability built into the operating system, and dedicated audit systems provided by third-party software. Operating-system auditing can provide fine-grained audit functions because it sits inside the kernel, but it mainly uses a passive, non-real-time auditing mechanism with little control over audit granularity and poorly reliable audit logs. Third-party software mainly audits the operations of applications and is coarse-grained, with poor security and portability. To sum up, existing audit systems can be improved in four aspects: portability, real-time operation, log management and self-security.
     A real-time, secure and efficient audit system based on LSM, named LSAS, is designed and implemented in this thesis. The main tasks and achievements are as follows.
     1 Enhancing LSM's auditing capability. The security field of the process task structure is pointed at a dedicated audit data structure in order to enhance auditing capability. Audit hooks and hook functions are added to capture comprehensive audit information. Furthermore, register and unregister functions are provided to implement dynamic addition and removal of security audit modules.
     2 A buffer with a doubly linked list structure is designed to solve the loss of audit information and buffer overflow. The P/V operation principles of operating systems are borrowed to synchronise the processes involved.
     3 A normal-behaviour rule base, RVA, and its dynamic response algorithm are presented. Real-time security warning and punishment mechanisms are achieved by a constraint control algorithm together with configurable warning and punishment thresholds.
     4 An audit log data structure based on standardisation and efficiency is designed, and five kinds of basic query are provided: by user name, by time, by object, by error and by operation level; composite queries are also supported.
     5 Least-privilege management, multi-level security and log validation technology are applied to ensure the safety of the audit system.
     6 Bandwidth, process switch time and system call time are measured for LSAS, and the security of LSAS is tested with sendmail attacks on Linux. The results show that LSAS has good performance and sound security.
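The LSM extension in items 1 and 2 can be seen in miniature in the following user-space C model. It is an example added here, not code from the thesis or from the Linux kernel: the task structure, hook table and register/unregister functions stand in for the kernel's task_struct, the 2.6-era struct security_operations and register_security()/unregister_security(), and the record fields, hook names and the scenario at the end are assumptions made for the illustration. It shows the three moves the abstract describes: the per-task security pointer repointed at an audit structure, hooks that dispatch to whichever module is registered and become no-ops when none is, and a doubly linked audit buffer that grows with load instead of overflowing a fixed array.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* ---- Kernel side (modelled; not kernel code) ------------------------ */

/* Stand-in for task_struct with only the fields this model needs. In the
 * real kernel `security` is the LSM-owned pointer that LSAS repoints at
 * its own audit structure. */
struct task {
    int      pid;
    uint32_t uid;
    void    *security;
};

/* Hook table modelled on struct security_operations; only the three hooks
 * this example exercises are present (hypothetical names). */
struct audit_ops {
    int  (*task_alloc)(struct task *t);
    void (*task_free)(struct task *t);
    int  (*file_open)(struct task *t, const char *path, int flags);
};

static struct audit_ops *registered_ops;   /* NULL: no audit module loaded */

/* Dynamic load/unload of the audit module: one module at a time. */
int register_audit(struct audit_ops *ops)
{
    if (registered_ops) return -1;           /* would be -EBUSY in the kernel */
    registered_ops = ops;
    return 0;
}

int unregister_audit(struct audit_ops *ops)
{
    if (registered_ops != ops) return -1;    /* would be -EINVAL */
    registered_ops = NULL;
    return 0;
}

/* Hook call sites: the kernel would invoke these from fork() and open().
 * With no module loaded they are no-ops, so the kernel keeps working. */
static int hook_task_alloc(struct task *t)
{ return (registered_ops && registered_ops->task_alloc) ? registered_ops->task_alloc(t) : 0; }
static void hook_task_free(struct task *t)
{ if (registered_ops && registered_ops->task_free) registered_ops->task_free(t); }
static int hook_file_open(struct task *t, const char *path, int flags)
{ return (registered_ops && registered_ops->file_open) ? registered_ops->file_open(t, path, flags) : 0; }

/* ---- Audit module side (modelled) ----------------------------------- */

/* Per-task audit data hung off task->security. */
struct audit_blob { uint32_t uid; unsigned long events; };

/* Audit record in a doubly linked buffer; the kernel would use
 * struct list_head for the links. */
struct audit_rec {
    struct audit_rec *prev, *next;
    int pid; uint32_t uid; int flags;
    char path[64];
};
struct audit_queue { struct audit_rec head; size_t count; };   /* head is a sentinel */

static void q_init(struct audit_queue *q)
{ q->head.prev = q->head.next = &q->head; q->count = 0; }

static void q_push_tail(struct audit_queue *q, struct audit_rec *r)
{
    r->next = &q->head; r->prev = q->head.prev;
    q->head.prev->next = r; q->head.prev = r; q->count++;
}

static struct audit_rec *q_pop_head(struct audit_queue *q)
{
    struct audit_rec *r = q->head.next;
    if (r == &q->head) return NULL;                  /* empty */
    r->prev->next = r->next; r->next->prev = r->prev; /* unlink */
    q->count--;
    return r;
}

static struct audit_queue g_queue;

static int lsas_task_alloc(struct task *t)
{
    struct audit_blob *b = calloc(1, sizeof *b);
    if (!b) return -1;                               /* -ENOMEM */
    b->uid = t->uid;
    t->security = b;                                 /* security field -> audit structure */
    return 0;
}

static void lsas_task_free(struct task *t) { free(t->security); t->security = NULL; }

static int lsas_file_open(struct task *t, const char *path, int flags)
{
    struct audit_blob *b = t->security;
    struct audit_rec *r;
    if (!b) return 0;          /* task predates module load: nothing to account it to */
    b->events++;
    r = calloc(1, sizeof *r);
    if (!r) return 0;          /* audit-only module: never blocks the operation */
    r->pid = t->pid; r->uid = b->uid; r->flags = flags;
    strncpy(r->path, path, sizeof r->path - 1);
    q_push_tail(&g_queue, r);
    return 0;
}

static struct audit_ops lsas_ops = { lsas_task_alloc, lsas_task_free, lsas_file_open };

/* Scenario: load the module, run one task that opens two files, free the
 * task, unload, then open once more. Returns the number of records the
 * consumer drains; the open after unload must not be recorded. */
int lsas_demo(void)
{
    struct task t = { 4242, 1000, NULL };
    struct audit_rec *r;
    int drained = 0;

    q_init(&g_queue);
    if (register_audit(&lsas_ops) != 0) return -1;
    hook_task_alloc(&t);
    hook_file_open(&t, "/etc/passwd", 0);
    hook_file_open(&t, "/etc/shadow", 1);
    hook_task_free(&t);
    unregister_audit(&lsas_ops);
    hook_file_open(&t, "/etc/hosts", 0);             /* no module loaded: passes silently */

    while ((r = q_pop_head(&g_queue)) != NULL) {     /* consumer drains in arrival order */
        printf("pid=%d uid=%u flags=%d path=%s\n", r->pid, r->uid, r->flags, r->path);
        free(r); drained++;
    }
    return drained;
}

int main(void) { printf("records drained: %d\n", lsas_demo()); return 0; }
```

Build with `cc -std=c99 -Wall lsas_model.c`. The point to carry over to real kernel work is the ownership discipline: the blob allocated in the task-alloc hook must be freed in the task-free hook, and every hook must tolerate a NULL security pointer for tasks created before the module was loaded.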
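Items 3 and 4 (the RVA rule base with warning and punishment thresholds, and the five basic queries combinable into composite queries) are illustrated by the following C program. It is an added example, not LSAS code: the record layout, the sample log lines, the shape of the rule base (a maximum normal operation level per user, with failed accesses counted as deviations) and the threshold values are all assumptions made for the illustration; the thesis abstract does not publish its formats.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>
#include <stdint.h>

/* One audit log record. The fields follow the five query keys the
 * abstract lists; the layout itself is an assumption, not LSAS's format. */
struct log_rec {
    uint64_t ts;          /* seconds since the epoch */
    char     user[16];
    char     op[8];       /* "open", "exec", "conn" */
    char     obj[64];     /* object path or address */
    char     obj_type[8]; /* "file", "dir", "sock" */
    uint8_t  op_level;    /* operation level: 0 read .. 3 administrative */
    int16_t  err;         /* 0 = success, otherwise an errno value */
};

/* Constructed sample log (not real data): two users, successes and failures. */
static const struct log_rec SAMPLE[] = {
    {1000, "alice", "open", "/home/alice/notes", "file", 0, 0},
    {1010, "alice", "open", "/etc/shadow",       "file", 2, 13},   /* EACCES */
    {1020, "bob",   "exec", "/usr/bin/passwd",   "file", 1, 0},
    {1030, "alice", "open", "/etc/shadow",       "file", 2, 13},
    {1040, "bob",   "conn", "10.0.0.5:25",       "sock", 1, 0},
    {1050, "alice", "open", "/etc/sudoers",      "file", 3, 13},
    {1060, "alice", "exec", "/bin/su",           "file", 3, 1},    /* EPERM */
    {1070, "bob",   "open", "/var/log/syslog",   "file", 0, 0},
};
static const size_t SAMPLE_N = sizeof SAMPLE / sizeof SAMPLE[0];

/* A query is a set of optional predicates, one per query key; a composite
 * query is simply several predicates set at once. Unset fields match all. */
struct filter {
    const char *user;      /* NULL = any user */
    uint64_t    t_from;    /* inclusive lower bound; 0 = none */
    uint64_t    t_to;      /* inclusive upper bound; 0 = none */
    const char *obj_type;  /* NULL = any object type */
    int         err;       /* -1 = any; 0 = successes only; n = that errno */
    int         op_level;  /* -1 = any; otherwise exact level */
};

static int matches(const struct log_rec *r, const struct filter *f)
{
    if (f->user && strcmp(r->user, f->user) != 0) return 0;
    if (f->t_from && r->ts < f->t_from) return 0;
    if (f->t_to && r->ts > f->t_to) return 0;
    if (f->obj_type && strcmp(r->obj_type, f->obj_type) != 0) return 0;
    if (f->err >= 0 && r->err != f->err) return 0;
    if (f->op_level >= 0 && r->op_level != f->op_level) return 0;
    return 1;
}

/* Returns the number of matching records; stores up to max_out pointers. */
size_t audit_query(const struct log_rec *recs, size_t n, const struct filter *f,
                   const struct log_rec **out, size_t max_out)
{
    size_t hits = 0;
    for (size_t i = 0; i < n; i++) {
        if (!matches(&recs[i], f)) continue;
        if (out && hits < max_out) out[hits] = &recs[i];
        hits++;
    }
    return hits;
}

/* RVA-style normal-behaviour rule base (assumed shape): the highest
 * operation level each user normally reaches. */
struct rva_rule { const char *user; int max_level; };
static const struct rva_rule RVA[] = { {"alice", 1}, {"bob", 2} };

enum response { RESP_NONE = 0, RESP_WARN = 1, RESP_PUNISH = 2 };

/* A record deviates when its level exceeds the user's normal maximum or the
 * operation failed; users absent from the rule base are wholly abnormal. */
static int deviates(const struct log_rec *r)
{
    for (size_t i = 0; i < sizeof RVA / sizeof RVA[0]; i++)
        if (strcmp(RVA[i].user, r->user) == 0)
            return r->op_level > RVA[i].max_level || r->err != 0;
    return 1;
}

/* Replay the log for one user and escalate as deviations accumulate:
 * warn_t deviations raise a warning, punish_t trigger punishment (where the
 * constraint control would start denying that subject's operations).
 * Returns the response reached; *deviations_out gets the count. */
enum response rva_run(const struct log_rec *recs, size_t n, const char *user,
                      int warn_t, int punish_t, int *deviations_out)
{
    int dev = 0;
    enum response resp = RESP_NONE;
    for (size_t i = 0; i < n; i++) {
        if (strcmp(recs[i].user, user) != 0 || !deviates(&recs[i])) continue;
        dev++;
        if (dev >= punish_t) resp = RESP_PUNISH;
        else if (dev >= warn_t) resp = RESP_WARN;
    }
    if (deviations_out) *deviations_out = dev;
    return resp;
}

int main(void)
{
    const struct log_rec *hits[8];
    struct filter f = { "alice", 0, 0, "file", 13, -1 };   /* composite: alice + file + EACCES */
    size_t n = audit_query(SAMPLE, SAMPLE_N, &f, hits, 8);
    int dev;
    for (size_t i = 0; i < n; i++)
        printf("%llu %s %s %s level=%u err=%d\n", (unsigned long long)hits[i]->ts,
               hits[i]->user, hits[i]->op, hits[i]->obj, hits[i]->op_level, hits[i]->err);
    enum response r = rva_run(SAMPLE, SAMPLE_N, "alice", 2, 4, &dev);
    printf("alice: %d deviations -> %s\n", dev,
           r == RESP_PUNISH ? "punish" : r == RESP_WARN ? "warn" : "none");
    return 0;
}
```

Because every query key is an independent predicate, the composite query costs nothing extra to support, and the same pass over the records serves the response algorithm; in a real deployment the thresholds would be per-subject configuration rather than compile-time values, and the rule base would be loaded from protected storage so that the audited user cannot edit it.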