Research on the Architecture and Models of the Application Security Transparent Supportive Platform
Abstract
With the continuous development of global informatization, information security has drawn increasing attention from governments worldwide, including the Chinese government. Since the 1990s, China has issued a series of regulations, rules and standards on information security classified protection; after more than a decade of refinement and development, the classified protection scheme is now being implemented nationwide. In carrying out classified protection work, one of the most critical problems is how to provide reliable and strong support for the secure operation of application systems without modifying the existing application systems.
     Driven by the practical needs of classified protection work, this thesis studies the architecture and related security models of an application security transparent supportive platform from the perspective of building a secure operating environment for application systems. The platform is based on trusted computing technology and a secure operating system; by security-enhancing the hardware platform and the system software, it provides secure, transparent and reliable support for the applications above it. Specifically, the research results of this thesis include the following:
     1. The architecture of the application security transparent supportive platform is proposed. Starting from the three-tier protection architecture for high-level information systems, and aimed at the typical security problems faced by application systems, the architecture focuses on the construction of the secure computing environment, enriching and completing the information system protection environment framework. The thesis defines the platform and analyses its architecture in depth. Comparison with the relevant classified protection standards shows that the architecture can provide comprehensive and practicable security assurance for application systems.
     2. An application isolation model for the secure computing environment is studied. Following the principle of least privilege, the model partitions different applications and their corresponding resources into separate domains. By strengthening the constraints on the application startup process it achieves trusted startup of applications; by defining inter-domain information isolation rules it ensures the dynamic security of the applications in a domain while they run. The model has the characteristics of a sandbox model, but its isolation monitor sits in the operating system layer, overcoming the low reliability of application-layer isolation mechanisms; at the same time it exploits the advantages of the virtualisation model by virtualising some public resources, which improves system efficiency while keeping the system secure and stable.
     3. An information interaction model for the secure computing environment is studied. The information interaction model deepens the application isolation model: based on non-interference theory, it refines the security rules governing access by application processes in a domain to resources, so that legitimate information can be exchanged normally between domains. Because non-interference theory is highly abstract and its security conditions are hard to apply directly in practice, the model places the constituent elements of non-interference theory in the computing environment of the application system and strengthens their correspondence with the components of that environment, ensuring that, under the constraints of the information interaction rules, application processes' access to resources is not subject to malicious interference.
     4. A semantic transmission model for the secure computing environment is studied. The model combines the clear, unambiguous access control semantics of the application layer with the greater strength of operating-system-layer security mechanisms: a secure pipe is established between the application layer and the kernel layer, through which access control semantics are transmitted securely and without ambiguity. On this basis, the kernel-layer access monitor parses the application-layer semantics, associates the access request of the application service's actual user with the kernel-layer security policy, and makes the final decision. Compared with application-layer access control alone, in this model the kernel-layer access control still operates securely and reliably even if the application-layer access control is bypassed or tampered with.
     5. A prototype of the application security transparent supportive platform is designed and implemented. Guided by the architecture and security models above, the prototype adds corresponding security modules to the hardware platform and the system platform to realise trusted initialisation, horizontal security, vertical security and centralised security management, thereby validating the soundness and implementability of the theoretical work.
     In summary, research on the application security transparent supportive platform can meet the practical needs of classified protection work, providing a practicable theoretical basis and technical assurance for carrying out that work comprehensively, thoroughly and sustainably, and is of significant practical importance to national information security construction.
With the fast development of informatization construction in the world, information security problems are being paid more and more attention by most governments including the Chinese government. Since the 1990s, the Chinese government has been issuing a series of ordinances, laws and criteria about information security classified protection. After decades of continuous improvement and development, the information security classified protection scheme is being carried out in the whole country nowadays. In the process of that work, the most urgent issue is how to support the application system to operate safely and reliably without modifying the existing application system itself.
     According to the actual requirement of the information security classified protection scheme, the paper researches the Application Security Transparent Supportive Platform (or ASTSP for short) architecture and related security models from the perspective of constructing a safe operation environment for the application system. ASTSP is based on trusted computing technology and a security operating system, which enhances the safety of the hardware platform and system software. ASTSP is capable of giving safe, transparent and reliable support to the application system. Specifically, some research results have been achieved as follows:
     1. Propose the ASTSP architecture. In order to solve the typical security problems of application systems, the ASTSP architecture focuses on how to establish a security computing environment, which originates from the three-layer protection architecture for high-level information systems. The definition of ASTSP is described and the ASTSP architecture is given, which enriches and perfects the information system protection environment framework. Compared with some related information security classified protection criteria, the ASTSP architecture is able to provide comprehensive and practical safeguards for application systems.
     2. Study the application isolation model oriented to the security computing environment. The model is based on the least privilege principle and separates different programs and related resources into their own domains. The model sets application program starting rules so that the startup process can be trusted, and sets isolation rules so that the dynamic security of application programs can be ensured. Compared with typical isolation models, the application isolation model has many advantages. On one hand, the application isolation model has the features of a sandbox model, but its isolation monitor, which is built on the operating system layer, has better reliability. On the other hand, the model uses the merit of the virtualization model to virtualize some public resources in order to satisfy the security requirement, but with better operation efficiency.
     3. Study the information interaction model oriented to the security computing environment. The model, which deepens the research on the application isolation model, is based on non-interference theory. The model refines the security rules between application processes and resources in domains, so that legitimate information can be transferred among domains. Although non-interference theory is very abstract and its security conditions are not practical, the model reasonably combines the elements of non-interference theory with those of the security computing environment. Therefore, under the restricted conditions of the information interaction rules, application processes can access resources without malicious interference.
     4. Study the semantic transmission model oriented to the security computing environment. The model utilizes the merits that the access control semantics on the application layer are very clear and the security mechanism on the operating system layer is much stronger. The model then establishes a security pipe between the application layer and the operating system kernel, which is used to transmit access control semantics unambiguously. After that, the access control monitor in the kernel parses the semantics, associates the real user's request to the application server with the security policy and finally makes a judgment. Compared with a single access control mechanism on the application layer, which could easily be bypassed or tampered with, the access control mechanism in the kernel operates more reliably.
     5. Design and realize the ASTSP prototype system. With the help of the ASTSP architecture and security models, the prototype adds corresponding security modules to the hardware and software platform. The prototype realizes trusted initialization, landscape orientation security, portrait orientation security and centralized security management, which validates the rationality and practicality of the ASTSP architecture and security models.
     In conclusion, ASTSP can meet the requirements of classified protection work and provide the work with a practical theoretical basis and technical support. The research on ASTSP has realistic meaning for information security construction in our country.
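The three models summarised in items 2 to 4 can be made concrete with a small executable model. The Python code below is an added example written for this page; it is not the thesis's prototype or the author's code, and every domain, program, resource and user name in it (web, db, mail, httpd, smtpd, alice, bob, db.data, tmp and so on) is constructed. It models domains with whitelisted (trusted) startup and per-domain virtualised public resources, inter-domain interaction rules enforced by an OS-layer monitor, a kernel-layer decision that uses the end-user identity forwarded from the application layer while ignoring the application layer's own verdict, and a Goguen-Meseguer style non-interference check over a trace of requests.

```python
# Toy reference-monitor model of three ideas from the abstract: domain isolation
# with trusted startup and virtualised public resources (item 2), non-interference
# between domains (item 3), and a kernel-layer decision driven by the user semantic
# forwarded from the application layer (item 4).  Illustrative code only; every
# domain, program, resource and user name below is constructed for the example.
from dataclasses import dataclass

# Each application and its private resources live in exactly one domain.
DOMAIN_RESOURCES = {
    "web": {"web.cfg", "web.log"},
    "db": {"db.data", "db.log"},
    "mail": {"mail.spool"},
}
PUBLIC_RESOURCES = {"tmp"}  # shared names, virtualised per domain
# Trusted startup: only whitelisted programs may start inside a domain.
START_WHITELIST = {"web": {"httpd"}, "db": {"dbd"}, "mail": {"smtpd"}}
# Inter-domain interaction rules: (source, owner, resource, op) flows permitted.
INTERACTION_RULES = {("web", "db", "db.data", "read"), ("web", "db", "db.data", "write")}
# Kernel-layer policy keyed on the application's real end user, which the
# application layer forwards to the kernel through the secure pipe.
USER_POLICY = {"alice": {("db.data", "read")},
               "bob": {("db.data", "read"), ("db.data", "write")}}


@dataclass(frozen=True)
class Request:
    domain: str        # domain of the requesting process
    program: str       # program that issued the request
    resource: str
    op: str            # "read" or "write"
    app_user: str      # application-layer semantic: the real end user
    app_verdict: bool  # what the application-layer check claimed (untrusted)


def owner_of(resource):
    """Domain that owns a private resource, or None if the name is unknown."""
    return next((d for d, rs in DOMAIN_RESOURCES.items() if resource in rs), None)

def resolve(domain, resource):
    """Public resources are virtualised: each domain sees its own instance."""
    return f"{resource}@{domain}" if resource in PUBLIC_RESOURCES else resource

def trusted_start(domain, program):
    return program in START_WHITELIST.get(domain, set())

def domain_allows(req):
    """OS-layer isolation monitor: own-domain access or an explicit flow rule."""
    if req.resource in PUBLIC_RESOURCES:
        return True
    owner = owner_of(req.resource)
    if owner is None:
        return False
    return owner == req.domain or (req.domain, owner, req.resource, req.op) in INTERACTION_RULES

def kernel_decide(req):
    """Kernel access monitor makes the final decision.  req.app_verdict is
    deliberately ignored, so a bypassed or tampered application-layer check
    cannot grant access; only the forwarded user semantic is consulted."""
    if not trusted_start(req.domain, req.program) or not domain_allows(req):
        return False
    if req.resource in PUBLIC_RESOURCES or owner_of(req.resource) == req.domain:
        return True
    return (req.resource, req.op) in USER_POLICY.get(req.app_user, set())

def run(trace):
    """Execute a trace; each domain observes the permitted writes that land on
    resources it owns (its own virtual instance in the case of public ones)."""
    observed = {d: [] for d in DOMAIN_RESOURCES}
    for req in trace:
        if req.op == "write" and kernel_decide(req):
            owner = req.domain if req.resource in PUBLIC_RESOURCES else owner_of(req.resource)
            observed[owner].append((req.domain, resolve(req.domain, req.resource)))
    return observed

def purge(trace, domain):
    return [r for r in trace if r.domain != domain]

def noninterference(trace, observer, source):
    """Goguen-Meseguer style check: deleting every action of `source` must
    leave what `observer` sees unchanged."""
    return run(trace)[observer] == run(purge(trace, source))[observer]


# Constructed trace of requests (the last field is the untrusted app-layer verdict).
TRACE = [
    Request("web", "httpd", "db.data", "read", "alice", True),   # allowed
    Request("web", "httpd", "db.data", "write", "alice", True),  # denied: alice may not write
    Request("web", "httpd", "db.data", "write", "bob", True),    # allowed: rule + user policy
    Request("mail", "smtpd", "db.data", "write", "bob", True),   # denied: no mail->db rule
    Request("mail", "smtpd", "tmp", "write", "bob", True),       # allowed, into mail's own tmp
    Request("web", "evil", "web.log", "write", "alice", True),   # denied: untrusted program
]

if __name__ == "__main__":
    for req in TRACE:
        print(f"{req.domain}/{req.program} {req.op} {req.resource} as {req.app_user}: {kernel_decide(req)}")
    print("db observes:", run(TRACE)["db"])
    print("mail cannot interfere with db:", noninterference(TRACE, "db", "mail"))
```

Running the file prints the kernel's decision for each request and then the non-interference result: purging every action of the mail domain leaves what the db domain observes unchanged, whereas the web domain's permitted write is the one legitimate channel into db, so `noninterference(TRACE, "db", "web")` is false by design. The bypass case of item 4 is the second request against the third: both arrive with an application-layer verdict of True, but only bob's request satisfies the kernel's user policy, so a forged application-layer verdict changes nothing.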