Research on an Isolation Method for Linux Security Modules Based on TrustZone Technology
Published: 2018-08-02 10:30
[Abstract]: Protecting the integrity of the Linux security module is the primary goal in protecting the kernel. An attack on the security module leaves the entire kernel in an insecure state, and once the security module itself is compromised, the security of the other kernel modules is even harder to guarantee. SELinux is an essential kernel security module in Linux distributions; it first appeared as a patch and was merged into the kernel starting with Linux 2.6. Under Linux's monolithic kernel architecture, SELinux runs in a single address space together with all other modules, so a malicious module that is loaded and executed can tamper with the configuration (policy) loading process and break the integrity of access control. Existing protection schemes for kernel modules rely mostly on virtualization-based isolation, but traditional virtualization is subject to many restrictions on mobile platforms and is not practical enough there. This thesis therefore proposes an isolation method for Linux security modules based on TrustZone technology. ARM TrustZone is a system-wide security approach designed to meet the security requirements of high-performance computing platforms; it is tightly integrated with the hardware and thereby protects secure memory, code and peripherals. The core idea of the scheme is to run the SELinux security module inside a Trusted Execution Environment (TEE) backed by TrustZone: access-control decision requests issued by the kernel are delivered as function calls over a secure communication mechanism that conforms to the TEE specification, and TrustZone is used to protect the security of SELinux data and the integrity of its service. To achieve isolated protection of the Linux security module, this thesis carries out the following analysis and innovative work:
1. By analyzing the SELinux initialization flow and service flow, it summarizes the relationship between SELinux and the LSM hook functions and the relationships among the SELinux components, and identifies the key points at which the SELinux security server can be separated from the other components.
2. It studies the TEE specification and the OP-TEE source code, designs and implements a TEE client interface for use by kernel modules, and reimplements the driver operation functions related to the kernel interface. Through the driver and kernel interface, kernel modules are offered services such as opening sessions with trusted applications and issuing command requests, and the communication mechanism between the other SELinux components and the security server is rebuilt on top of these services.
3. Based on the TrustZone software architecture, it designs and implements the Linux security module isolation scheme. Unlike virtualization-based approaches, the proposed scheme makes fuller use of the hardware isolation mechanism: TrustZone secure boot guarantees the security of the policy loading process, and the isolated execution of the TEE and Linux guarantees the integrity of the decision service.
The thesis describes the design and implementation of the Linux security module isolation method in detail, and finally demonstrates the feasibility and effectiveness of the scheme through experiments.
Degree-granting institution: Nanjing University
Degree level: Master's
Year degree awarded: 2017
Classification number: TP309; TP316.81
Article ID: 2159139
Article link: https://www.wllwen.com/kejilunwen/ruanjiangongchenglunwen/2159139.html