Analysis on general security operating system solutions

In the field of information security, the industry is paying more and more attention to the security of server operating systems as attack technologies continue to upgrade and data leakage incidents surge. This article introduces two security operating system solutions starting with the study of the classified protection security operating system, and compares the advantages of the general-purpose security operating system compared with the traditional self-developed security operating system. This article focuses on the technical advantages and implementation principles of the general security operating system solution. Combined with the enhanced DTE, RBAC, and BLP access control security models, the Security Subsystem (SSOOS) of the operating system is reconstructed ), improve the security level of the operating system dynamically and transparently to achieve general-purpose security operating system solutions.

As network security threats become increasingly serious, users pay more and more attention to the construction of information security. At present, security threats are not only more diverse, but also more diverse attack forms. From the early virus and worms to the very common malicious code, Trojan horses, spyware, phishing, and a large number of spam, all of them pose serious security threats to users' normal applications. If the attacked user crashes on a black screen, the user may suffer financial losses. At the same time, Web Application Layer attacks (including SQL injection and cross-site scripting attacks) against servers have become a popular method, resulting in a large number of server webpages providing external services being tampered, or server paralysis. A recent large-scale data leak involving multiple large websites has leaked up to 0.1 billion pieces of user information, seriously infringing the legitimate rights and interests of Internet users and endangering Internet security.

People have long known about network security problems and their harms, and there are also a variety of preventive measures. Although painstaking efforts are made, the results are not satisfactory. In fact, firewall, anti-virus, intrusion detection, UTM and other network-layer and application-layer protection methods have become mature. The most fundamental cause of security problems in information systems is the insecure operating system structure and mechanism. The root cause is the simplification of the PC hardware structure, the system does not execute the "State", the memory does not cross-border protection, and so on, making it difficult for the operating system to establish a true TCB (trusted computing base ). As a result, resource configuration is tampered with, malicious programs are implanted and executed, buffer overflow attacks are exploited, and security incidents such as unauthorized access to system administrators occur. With the proliferation of viruses around the world, attacks initiated by hackers using various vulnerabilities, unauthorized users stealing information resources, and other security risks, as a result, traditional information security products such as "Old Three" (firewall, anti-virus, intrusion detection) and IPS have become increasingly passive protection systems.

The fundamental solution to information security issues should be considered from the perspective of system engineering. By establishing a secure operating system, a trusted computing base (TCB) should be built to establish a dynamic and complete security system. Without the protection of a secure operating system, it is impossible to have the security of the network system or the security of application software information processing.

If the construction of the information security framework only stays on the network protection layer, and ignores the basic elements of the operating system kernel security, it is like building a solid bastion on the sand dune, great security risks.

According to the National GB/T20272-2006 information security technology-operating system security technical requirements, the security operating system needs to solve the following problems:

First, identity authentication;

Second, access control, including autonomous access control and mandatory access control requirements;

Third, Data Stream Control;

Fourth, security audit;

Fifth, user data integrity protection;

Sixth, user data confidentiality protection;

7. SSOOS security protection.

How to solve the above seven problems has become a challenge for developing secure operating systems.

Currently, the server operating systems used in China mainly come from abroad (such as AIX, HP-UX, Solaris, Windows Server, and LinuxServer). Because most commercial server operating systems are not open-source, at this stage, there are two main ways to improve the security level of the operating system: first, relying on the use of open-source Linux source code to independently develop a secure operating system; second, restructuring the Operating System Security Subsystem (SSOOS) improve the security level of the existing operating system to achieve a secure operating system.

Based on the study of Linux open source code, the security transformation of the Linux operating system is carried out, and a new secure operating system is re-built to ensure the controllability and credibility of the operating system. By restructuring the open-source operating system kernel, although the operating system security level can be improved, the disadvantage is that the upper-layer application software, supporting hardware, and network support are not complete. The high-end market of server operating systems in China is IBMAIX, HPHP-UX, and SUNSolaris, while Windows Server is basically used at the low and middle ends. This method is only applicable to operating systems that expose kernel source code. It is not applicable to some commercial server operating systems (including Windows Server, Solaris, And AIX. If the current operating system needs to be abandoned and a brand new operating system is used to adopt this scheme, this will seriously affect the business continuity and business logic of the enterprise, as a result, most enterprises are reluctant to use it and cannot become popular. It can be seen that this method is not suitable for the current general security operating system solution.

Compared with the self-developed security operating system using Linux source code, the method of restructuring the Operating System Security Subsystem (SSOOS) to implement the security operating system is to reconstruct and expand the operating system at the kernel level. This method does not affect the normal use of valid application software and databases installed on the operating system, and is transparent to the underlying hardware drivers, without affecting the continuity of existing services, you can dynamically upgrade the security level of the entire operating system without restarting the server to solve the security risks of the operating system. This is an ideal general security operating system solution.

In the operating system, SSOOS (Operating System Security Subsystem) is a combination of all security protection devices that constitute a secure operating system. An SSOOS can contain multiple SSF (SSOOS security function module). Each SSF is an implementation of one or more SFP (Security Function policies. SSP (SSOOS Security Function Policy) is a general term for these SFP and forms a security domain to prevent interference and tampering of untrusted entities. There are two ways to implement SSF: one is to set the front-end filter and the other is to set the access monitor.

The following solution is to set an access monitor to implement SSF by setting multiple resource access monitors in SSOOS, the control objects include files, processes, services, shared resources, disks, ports, and registries (windows only). Subjects include users, processes, and IP addresses, you can also bind a user to a process to control the specified process of the specified user. By closely integrating host resources at all levels, you can reasonably control resources as needed to achieve the minimum permission principle. Combined with the enhanced DTE, RBAC, and BLP access control security models, the Security Subsystem (SSOOS) of the operating system is reconstructed, and the reconstructed "enhanced security subsystem monitor" is used to monitor resource access behavior. Follow the enhanced DTE, RBAC, and BLP models to implement system security policies. Through the interaction and control of the three models, the information in the system and the security of the system are ensured, so as to ensure the confidentiality, integrity, availability and reliability of the operating system.

Difference between enhanced security model and traditional security model

Enhanced DTE model

The DTE (DomainandTypeEnforcement) model is a security policy mechanism that effectively implements fine-grained mandatory access control. As one of the basic requirements for building a trusted system, the security domain isolation technology is a type of access control mechanism that is enforced by the core of the operating system. It is characterized by strict isolation, prevents unauthorized access to objects from security domains and external entities, and implements Security protection such as confidentiality, integrity, and minimum privilege.

Enhanced DTE is extended based on the traditional DTE model. In this way, not only the subject can be allocated but also the object can be allocated in the domain, so that the access between the subject and object in different domains can reach multiple-to-many access relationships. By defining the access permissions of the subject and object in different domains, the security objectives of the existing DTE model are inaccurate, and the system security is difficult to control. By configuring a strict isolation policy, attackers can block unauthorized access to objects within the security domain and from external entities, so as to implement security protection such as confidentiality, integrity, and minimum privilege. A secure and reliable trusted Pipeline mechanism is provided for Inter-Domain Communication, so that the system is defined in a trusted form. Enhanced DTE security domains can be used to divide applications and functions into different domains based on security requirements, so that the subject permissions that enter the domain can be effectively controlled and the subject permissions that leave the domain are minimized. For example:

Comparison between enhanced DTE and traditional DTE

Enhanced RBAC model

Role-Based Access Control (Role-BasedAccessControl) has received wide attention due to its prospect of replacing traditional access control (autonomous access and forced access. In RBAC, permissions are associated with roles. Users can obtain permissions of these roles by becoming appropriate role members, which greatly simplifies permission management. In an organization, roles are created to complete various tasks. Users are assigned roles based on their responsibilities and qualifications, you can easily assign a role to another role. A role can be assigned new permissions based on the combination of new requirements and systems, and permissions can also be revoked from a role as needed. The relationship between roles and roles can be established to cover a wider range of objective situations.

The enhanced RBAC model supports fine-grained configuration, as shown in figure:

RBAC security model

Enhanced BLP Model

The basic security policy of the BLP model is "Up-read-write". A high-security subject can only read objects with a lower security level than it, A low-security subject can only write objects with a higher security level, and can read and write objects at the same level. The "read-write-down" security policy ensures that all data in the data flow can only flow to the high level of security, thus ensuring that sensitive data is not leaked.

The read and write permissions of the enhanced BLP model focus more on fine-grained control. Read Permissions include read data and read ACL. Write Permissions include write data, append write, and write ACL.

The BLP model is as follows:

BLP Security Model

The above solution is based on in-depth technical research and expansion, and is the first to develop a new generation of security environment system for hosts, called JHSE (abbreviation of JOWTOHostSecurityEnvironment ). JHSE is based on national classified protection standards and is a general security operating system solution for security risks existing in server operating systems, this solution provides various attacks at the operating system level, including malicious code execution, unauthorized access, data leakage, and destruction of data integrity.

Jiaotu JHSE can use visual virtualization technology to separate each application or function into a security domain. Each security domain is isolated from each other as an independent host; each security domain generated using the enhanced DTE has an enhanced RBAC security mechanism, which can implement mandatory access control for resources in the domain, making the security of each domain very robust; enhanced DTE isolates access between domains. Even if the administrator forgets to configure security for a domain, a security accident occurs and the impact is limited to this domain, it does not affect and spread to other domains. This default minimal security access mechanism effectively isolates access to system and application resources from known and unknown attacks and malicious code, ensuring the confidentiality and integrity of system resources, this also provides high availability and high reliability for business continuity. By restructuring and expanding the Security Subsystem (SSOOS), JHSE, the free and hierarchical autonomous access control model in the original operating system is changed to the host-type autonomous access control model in line with GB/T20272-2006 information security technology-operating system security technical requirements.

JHSE strictly complies with the Three-Level Operating System security standards, so that the operating system security meets the criteria of identity authentication, mandatory access control, security audit, residual Information Protection, Intrusion Prevention, malicious code prevention, and resource control, provides an in-depth defense system for information systems. At the same time, JHSE is applicable to mainstream commercial server operating systems such as AIX, HP-UX, Solaris, Windows Server, and LinuxServer. Its installation and application will not affect the logic and continuity of the original business, this improves the security level of the server operating system dynamically and transparently. Jiaotu JHSE is China's first general-purpose security operating system that has passed the National Standard Level 3 inspection. It is a general-purpose security operating system solution for finance, telecommunications, customs, taxation and other fields.