WO2017174030A1 - Data access control method and device - Google Patents

Data access control method and device

Info

Publication number
WO2017174030A1
Authority
WO
WIPO (PCT)
Prior art keywords
level
integrity
subject
access control
security
Prior art date
Application number
PCT/CN2017/079738
Other languages
French (fr)
Chinese (zh)
Inventor
黄志忠
Original Assignee
中兴通讯股份有限公司 (ZTE Corporation)
Priority date
Filing date
Publication date
Application filed by 中兴通讯股份有限公司 (ZTE Corporation)

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6209 Protecting access to data via a platform, e.g. using keys or access control rules, to a single file or object, e.g. in a secure envelope, encrypted and accessed using a key, or with access control rules appended to the object itself

Definitions

  • Embodiments of the present invention relate to, but are not limited to, the field of computer technology and system security, and in particular, to a data access control method and apparatus.
  • The BLP (Bell-LaPadula) model is a state-machine model that forms the basis for defining multi-level security and is now regarded as a basic security axiom; for information integrity, K. J. Biba proposed an integrity access control model in 1977, the BIBA model, which is a mandatory access control model.
  • In current security operating systems, information protection is implemented by the BLP model and the BIBA model described above.
  • The BLP model is designed to ensure the confidentiality of information; its implementation principle is "no read up, no write down": a subject may read objects at or below its own security level and write objects at or above it.
  • The BIBA model is designed to protect the integrity of information; its implementation principle is "no read down, no write up": a subject may read objects at or above its own integrity level and write objects at or below it, thereby ensuring data integrity.
  • When the two models are applied together, a subject whose security level and integrity level are both high or both low has its accessibility severely limited. Therefore, in current security OSs only the BLP model or the BIBA model can be selected, that is, the confidentiality and integrity of information cannot be balanced.
  • An embodiment of the present invention provides a data access control method and apparatus that solves this problem of the prior art, in which only the BLP model or the BIBA model can be selectively used and information access therefore cannot balance confidentiality and integrity.
  • In a first aspect, an embodiment of the present invention provides a data access control method, including:
  • adjusting the integrity level of the integrity label in the security context of the subject or the object according to the current access operation in the security OS, where the security contexts of the subject and the object are pre-configured with a confidentiality label indicating the security level; and
  • performing the current access operation according to the security levels of the subject and the object and the adjusted integrity levels of the subject and the object.
  • In a first possible implementation of the first aspect, adjusting the integrity level of the integrity label in the security context of the subject or the object includes:
  • when the subject performs a read operation on an object of lower integrity level, reducing the integrity level of the subject to the integrity level of the object.
  • In a second possible implementation of the first aspect, adjusting the integrity level of the integrity label in the security context of the subject or the object includes:
  • adjusting the integrity label in the security context of the subject or the object to the corresponding integrity level by a command that modifies the indicated integrity level.
  • In a third possible implementation, based on any one of the first aspect and its first and second possible implementations, before adjusting the integrity level of the integrity label in the security context of the subject or the object, the method further includes:
  • configuring the integrity label in the security context of the subject and in the security context of the object, respectively.
  • Configuring the integrity label in the security context of the subject includes:
  • adding the integrity label to the security context of the subject by reading a preset subject integrity level configuration file.
  • The subject integrity level configuration file includes a first level adjustment parameter; when the first level adjustment parameter is 1, the "read down" operation permission is turned on, and when it is 0, the "read down" operation permission is turned off.
  • The initial value of the first level adjustment parameter is 1.
  • Configuring the integrity label in the security context of the object includes:
  • configuring the integrity label in the security context of the object by reading a preset object integrity level configuration file.
  • The object integrity level configuration file includes a second level adjustment parameter; when the second level adjustment parameter is 1, the "write up" operation permission is turned on, and when it is 0, the "write up" operation permission is turned off.
  • The initial value of the second level adjustment parameter is 0.
  • In a second aspect, an embodiment of the present invention provides a data access control apparatus, which includes an adjustment module and an access module that are connected;
  • the adjustment module is configured to adjust the integrity level of the integrity label in the security context of the subject or the object according to the current access operation in the security operating system (OS), where the security contexts of the subject and the object are pre-configured with a confidentiality label indicating the security level;
  • the access module is configured to perform the current access operation according to the security levels of the subject and the object and the integrity levels of the subject and the object as adjusted by the adjustment module.
  • In a first possible implementation of the second aspect, the adjustment module being configured to adjust the integrity level of the integrity label in the security context of the subject or the object includes:
  • being configured to reduce the integrity level of the object to the integrity level of the subject when a subject of lower integrity level performs a write operation on an object of higher integrity level.
  • In a second possible implementation of the second aspect, the adjustment module being configured to adjust the integrity level of the integrity label in the security context of the subject or the object includes:
  • being configured to adjust the integrity label in the security context of the subject or the object to the corresponding integrity level by a command that modifies the indicated integrity level.
  • In a third possible implementation, the data access control apparatus further includes a configuration module, connected to the adjustment module and the access module respectively, configured to configure the integrity label in the security context of the subject and in the security context of the object before the adjustment module adjusts the integrity level of the integrity label in the security context of the subject or the object.
  • The configuration module includes an initialization unit and a configuration unit that are connected;
  • the initialization unit is configured to initialize the security context of the subject during user login in the security OS;
  • the configuration unit is configured to read a preset subject integrity level configuration file and add the integrity label to the security context of the subject after initialization by the initialization unit.
  • The subject integrity level configuration file includes a first level adjustment parameter; when the first level adjustment parameter is 1, the "read down" operation permission is turned on, and when it is 0, the "read down" operation permission is turned off.
  • The initial value of the first level adjustment parameter is 1.
  • The configuration module includes an initialization unit and a configuration unit that are connected;
  • the initialization unit is configured to initialize the security context of the object during startup of the security OS;
  • the configuration unit is configured to configure the integrity label in the security context of the object after initialization by the initialization unit, by reading a preset object integrity level configuration file.
  • The object integrity level configuration file includes a second level adjustment parameter; when the second level adjustment parameter is 1, the "write up" operation permission is turned on, and when it is 0, the "write up" operation permission is turned off.
  • The initial value of the second level adjustment parameter is 0.
  • A storage medium comprising a stored program, wherein the program, when executed, performs the method of any of the above.
  • A processor for running a program, wherein the program, when executed, performs the method of any of the above.
  • The data access control method and apparatus provided by the embodiments of the present invention adjust the integrity level of the integrity label in the security context of the subject or the object according to the current access operation, where the security context is pre-configured with a confidentiality label indicating the security level, and then perform the current access operation according to the security levels of the subject and the object and the adjusted integrity levels.
  • In the embodiments of the present invention the BIBA model is implemented on the basis of the BLP model: the integrity label and the confidentiality label are set in the same security context, and the integrity level can be dynamically adjusted according to the current access operation, so that the BLP model and the BIBA model coexist.
  • This solves the problem of the prior-art data access control method, in which only the BLP model or the BIBA model can be selectively used, so that information access cannot balance confidentiality and integrity.
  • FIG. 1 is a schematic diagram of a data access control principle in a BLP model in the prior art
  • FIG. 2 is a schematic diagram of another data access control principle in a BLP model in the prior art
  • FIG. 3 is a schematic diagram of a data access control principle in a BIBA model in the prior art
  • FIG. 5 is a flowchart of a data access control method according to an embodiment of the present invention.
  • FIG. 6 is a flowchart of another data access control method according to an embodiment of the present invention.
  • FIG. 7 is a schematic diagram of a model application in the data access control method provided by the embodiment shown in FIG. 6;
  • FIG. 8 is a flowchart of still another data access control method according to an embodiment of the present invention.
  • FIG. 9 is a schematic diagram of an application scenario in a data access control method provided by the embodiment shown in FIG. 8;
  • FIG. 10 is a schematic diagram of another application scenario in the data access control method provided by the embodiment shown in FIG. 8;
  • FIG. 11 is a schematic structural diagram of a data access control apparatus according to an embodiment of the present invention.
  • FIG. 12 is a schematic structural diagram of another data access control apparatus according to an embodiment of the present invention.
  • The BLP model is a control strategy for achieving information confidentiality; the confidentiality control policy only restricts reading and writing between subjects and objects.
  • The rules of the confidentiality control policy are as follows:
  • FIG. 1 is a schematic diagram of a data access control principle in the prior-art BLP model.
  • FIG. 2 is a schematic diagram of another data access control principle in the prior-art BLP model.
  • The above rules state that users with a low security level are not allowed to read highly sensitive information, and highly sensitive information is not allowed to be written to low-sensitivity areas; that is, information is prohibited from flowing from a high level to a low level ("no read up, no write down").
  • The confidentiality control policy realizes one-way flow of information through graded security labels, so that information can only flow upward according to security level, or between the same security level as the policy allows.
  • The BIBA model is a control strategy for information integrity.
  • The integrity control policy likewise restricts reading and writing between subjects and objects.
  • The rules of the integrity control policy are as follows:
  • FIG. 3 is a schematic diagram of a data access control principle in the prior-art BIBA model.
  • The integrity control policy mainly prevents applications from modifying important system programs or system databases.
  • The BIBA model stipulates that information may only flow from a high integrity level to a low integrity level ("no read down, no write up"), which prevents low-integrity information from "polluting" high-integrity information.
  • the security OS in the following embodiments of the present invention may be, for example, a Windows system, a Linux system, or another security OS.
  • The terminal device that executes the embodiments of the present invention runs, for example, one of the foregoing security OSs.
  • the following specific embodiments of the present invention may be combined with each other, and the same or similar concepts or processes may not be described in some embodiments.
  • FIG. 5 is a flowchart of a data access control method according to an embodiment of the present invention.
  • The data access control method provided in this embodiment applies to performing data read/write access. The method can be implemented by a data access control device implemented as a combination of hardware and software; the device can be integrated in the processor of the terminal device and called by the processor.
  • the method in this embodiment may include:
  • The data access control method provided by the embodiment of the present invention performs confidentiality control and integrity control when data access is performed in a security OS.
  • Access control in the embodiments of the present invention is based on a security access control model, for example the BLP model: the security OS divides the entities in the computer information system into two kinds, subjects and objects, defined as follows:
  • Subject: any entity that performs an operation, such as a user or a process.
  • Object: anything that is operated on, such as a file or a database.
  • The security OS also configures a security context for each subject and object.
  • The security context is a security description of the subject or object, similar to the file system's rwx permissions, and is stored in the file's index node (inode).
  • The format of the security context can be:
  • User:Role:Type:Security Level, with the fields separated by ":".
  • The fields of the security context are, for example:
  • user_u is the user (User);
  • object_r is the role (Role);
  • tmp_t is the type (Type);
  • the security level (SL) is indicated by the confidentiality label in the attribute field "s".
  • The user can view the security context of a file with the command "ls -Z filename"; for example, to view the security context of the /shadow file in a Linux system, enter the following command:
  • The security context information obtained is:
  • Integrity labels fall into two categories: having an integrity label and having no integrity label.
  • The integrity label is defined as follows:
  • i0 indicates that the subject or object has no integrity label;
  • [i1, i15] indicates that the subject or object has an integrity label at that level.
  • The integrity label is implemented by adding a new field "i" to the security context of the subject and the object.
  • The object security context with the new integrity label is as follows:
  • i[N] is the new integrity label, appended at the end of the existing security context.
  • The security context of a user is as follows:
  • user_u is the user (User);
  • object_r is the role (Role);
  • tmp_t is the type (Type);
  • the attribute field "s" represents the confidentiality label and the attribute field "i" represents the integrity label.
  • The integrity label i[N] and the confidentiality label s[N] identify the subject's or object's integrity level and security level dimensions, respectively.
  • Unlike the confidentiality label, the integrity level of a subject or object is a single level; a range cannot be set.
  • This embodiment keeps the security context format of the subject and the object in the BLP model and adds to it an integrity label indicating the integrity level, for example by appending the attribute field "i" at the end of the above security context, thereby effectively protecting the integrity of the data.
  • This embodiment implements the BIBA model on the basis of the BLP model by adding labels that represent data integrity to the security contexts of the subject and the object in the BLP model, and can adjust the integrity level indicated by the integrity label of the subject or object according to the requirements of the current access operation, thereby implementing a non-strict BIBA model on top of the BLP model, namely the "low watermark BIBA model".
  • When the current access operation would violate the restrictions on "read" and "write" operations, given for example the security level and integrity level of a process, the integrity level of the subject or object is adjusted. For example:
  • the label of process A is (S3:I2);
  • process A needs to perform a "read" operation on an object of integrity level I1; under the strict BIBA model this "read down" is not permitted;
  • the control method of this embodiment lowers the integrity level of process A's integrity label from I2 to I1;
  • the label of process A becomes (S3:I1), and the read operation on the object (I1) can be performed.
  • In the prior art the BLP model and the BIBA model are two independent models: the BLP model strictly follows the principle of "no read up, no write down" and the BIBA model strictly follows the principle of "no read down, no write up", which together give the access permission matrix for integrity and confidentiality in Table 1 below.
  • When the BLP and BIBA models coexist and both principles are strictly followed, any access that crosses a row or a column of the matrix is denied, so the two models cannot usefully coexist; and when the integrity and confidentiality levels of a subject are both high or both low, its accessibility is severely limited, which is the "information island" problem of the coexistence model.
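  • To make the "information island" concrete, the following added example (not code from the patent; the three-level lattice and the (s, i) tuple encoding of the page's S3:I2 notation are assumptions of the example) computes, for a subject at a given (security, integrity) pair, which objects it can read and write when strict BLP and strict BIBA are both enforced, and which objects it can reach by neither operation:

```python
"""Strict BLP + strict BIBA coexistence: which objects can a subject reach at all?

Added example; levels are encoded as (s, i) tuples of small integers, an
assumption of this example rather than the patent's notation (the page writes
them S3:I2).
"""

LEVELS = (1, 2, 3)  # assumed three-level lattice for both dimensions


def strict_allowed(op, subject, obj):
    """Return True if strict BLP and strict BIBA both permit `op` ('read'|'write').

    BLP:  no read up, no write down   (compares the s component)
    BIBA: no read down, no write up   (compares the i component)
    """
    s_sub, i_sub = subject
    s_obj, i_obj = obj
    if op == "read":
        return s_obj <= s_sub and i_obj >= i_sub
    if op == "write":
        return s_obj >= s_sub and i_obj <= i_sub
    raise ValueError(f"unknown operation {op!r}")


def reachable(subject, levels=LEVELS):
    """Return (readable, writable) sets of (s, i) objects for `subject`."""
    objects = [(s, i) for s in levels for i in levels]
    readable = {o for o in objects if strict_allowed("read", subject, o)}
    writable = {o for o in objects if strict_allowed("write", subject, o)}
    return readable, writable


def unreachable(subject, levels=LEVELS):
    """Objects the subject can neither read nor write: the 'island' the page describes."""
    readable, writable = reachable(subject, levels)
    return {(s, i) for s in levels for i in levels} - readable - writable


def access_matrix(subject, levels=LEVELS):
    """Render a Table 1 style matrix: rows = object s, columns = object i, cells R/W/RW/-."""
    rows = ["s\\i " + " ".join(f"i{i}" for i in levels)]
    for s in levels:
        cells = []
        for i in levels:
            r = strict_allowed("read", subject, (s, i))
            w = strict_allowed("write", subject, (s, i))
            cells.append({(True, True): "RW", (True, False): "R ",
                          (False, True): "W ", (False, False): "- "}[(r, w)])
        rows.append(f"s{s}  " + " ".join(cells))
    return "\n".join(rows)


if __name__ == "__main__":
    for subject in [(3, 3), (2, 2), (1, 1)]:
        print(f"subject s{subject[0]}:i{subject[1]}")
        print(access_matrix(subject))
        print("unreachable:", sorted(unreachable(subject)), "\n")
```

  • Running it shows the shape of the problem: a double-high subject (3, 3) can read only the three i3 objects and write only the three s3 objects, leaving four of the nine cells unreachable, and a double-low subject (1, 1) is cut off from the same number; even the middle subject (2, 2) can never touch (1, 1) or (3, 3). The low watermark model in the following embodiments is what opens those cells.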
  • The access control model provided by this embodiment redesigns how the BLP model and the BIBA model work together: rather than two independent coexisting models, the BIBA model is designed on the basis of the BLP model, and the integrity label of the BIBA model can be adjusted according to the current access operation, implementing a "low watermark BIBA model" that allows data access to satisfy both confidentiality and integrity.
  • The data access control method provided in this embodiment adjusts the integrity level of the integrity label in the security context of the subject or the object according to the current access operation in the security OS, where the security context is pre-configured with a confidentiality label indicating the security level, and then performs the current access operation according to the security levels of the subject and the object and the adjusted integrity level.
  • By implementing the BIBA model on the basis of the BLP model, the integrity label and the confidentiality label are set in the same security context and the integrity level can be adjusted dynamically according to the current access operation; this realizes an application mode in which the BLP model and the BIBA model coexist and solves the problem of the prior-art data access control method, in which only the BLP model or the BIBA model can be selectively used, so that information access cannot balance confidentiality and integrity.
  • FIG. 6 is a flowchart of another data access control method according to an embodiment of the present invention.
  • A specific manner of adjusting the subject or the object in this embodiment, that is, the foregoing S110, may include:
  • S111, when the subject performs a read operation on an object of lower integrity level, lowering the integrity level of the subject to the integrity level of the object;
  • S112, when a subject of lower integrity level performs a write operation on an object of higher integrity level, lowering the integrity level of the object to the integrity level of the subject.
  • FIG. 7 is a schematic diagram of a model application in the data access control method provided by the embodiment shown in FIG. 6.
  • The confidentiality label and integrity label of process A in FIG. 7 are (S3:I2), the middle block: the security level is "S3, confidential" and the integrity level is "I2, medium integrity".
  • In the prior art, the subject is restricted in its read and write operations on objects of different security levels and integrity levels; the "R" and "W" in the figure are the read and write operations permitted by the prior-art coexistence model.
  • The "low watermark BIBA model" implemented by the method of this embodiment additionally permits the "R(2)" and "W(3)" accesses in FIG. 7.
  • The manner of adjusting the integrity level of the subject or the object in this embodiment may also be: S113, adjusting the integrity label in the security context of the subject or the object to the corresponding integrity level by a command that modifies the indicated integrity level.
  • According to the current access requirement, or the range of integrity levels required by the subject or object, the user or designer can adjust the integrity level of the subject or object directly by setting the integrity level with a command, that is, an "i" parameter of the "chcon" command (an extension proposed here; the stock SELinux chcon has no integrity-level option); for example, setting the integrity label to i2.
  • S111, S112, and S113 in this embodiment are selected for execution: usually, depending on the type of access performed by the current process and the integrity levels of the subject and the object, one of them is selected for the adjustment; in addition, the user or designer can execute S113 at any time as required.
  • FIG. 8 is a flowchart of still another data access control method according to an embodiment of the present invention.
  • This embodiment further includes, before S110: S100, configuring the integrity label in the security context of the subject and in the security context of the object, respectively.
  • The manner of configuring the integrity label in the security context of the object may include:
  • S101, initializing the security context of the object during startup of the security OS;
  • S102, configuring the integrity label in the security context of the object by reading the preset object integrity level configuration file.
  • The object integrity level configuration file in this embodiment is, for example, /etc/selinux/file_lomac.
  • The structure of the configuration file is as follows:
  • User:Role:Type:Security Level:Integrity Level, that is, the integrity level is appended after the security level. Similarly, the command "ls -dZ" can be used to view the integrity level of the /etc/ directory, for example:
  • FIG. 9 is a schematic diagram of an application scenario in the data access control method provided by the embodiment shown in FIG. 8.
  • FIG. 9 shows an application scenario in which the integrity label is configured in the security context of an object. The initial configuration of the integrity label of an object is usually completed by process 0 during the system startup phase, and includes:
  • The manner of configuring the integrity label in the security context of the subject may include:
  • S103, initializing the security context of the subject during user login in the security OS;
  • S104, adding the integrity label to the security context of the subject by reading the preset subject integrity level configuration file.
  • The subject integrity level configuration file in this embodiment is, for example, /etc/selinux/user_lomac.
  • The structure of the configuration file is as follows:
  • # the integrity label level set for the test user is 10. The user's integrity level can be viewed in the system with the command "id -Z", for example:
  • FIG. 10 is a schematic diagram of another application scenario in the data access control method provided by the embodiment shown in FIG. 8.
  • FIG. 10 shows an application scenario in which the integrity label is configured in the security context of a subject. The initial configuration of the subject's integrity label is usually completed through cooperation between a kernel-state component and a user-state component, and includes:
  • S310, S311, and S312 to S313 in this application scenario are operations performed by a user-state component, for example a graphical user interface (GUI) terminal; S320 and S321 to S322 are operations performed by the kernel-state component, such as a Pluggable Authentication Modules (PAM) module. (PAM itself runs in user space; here its steps are grouped with the kernel side of the login flow.)
  • Through the above embodiments, the integrity label is configured for the subject and for the object.
  • The integrity label of the object is usually configured during the system startup phase; after the system has started, the integrity label of the subject is configured at user login. That is, S101 to S102 in the embodiment shown in FIG. 8 are executed before S103 to S104.
  • The integrity level can be adjusted through the external interface of the "low watermark BIBA model", which is designed into the subject and object integrity level configuration files.
  • The subject integrity level configuration file may include a first level adjustment parameter, for example the parameter "lomac".
  • When the first level adjustment parameter is 1, it indicates that the "read down" operation permission is turned on, that is, the integrity level of the subject is allowed to be lowered.
  • When the first level adjustment parameter is 0, it indicates that the "read down" operation permission is turned off, that is, lowering the integrity level of the subject is prohibited. The initial value of the first level adjustment parameter is 1, so the "read down" operation permission is on by default.
  • In this embodiment, compared with the strict-policy BIBA model, the "read down" operation is allowed: when the subject reads an object of lower integrity level, the integrity level of the subject is lowered to the integrity level of the object.
  • The object integrity level configuration file may include a second level adjustment parameter, for example exposed under "/proc/sys/selinux/"; when the second level adjustment parameter is 1, it indicates that the "write up" operation permission is turned on, that is, the integrity level of the object is allowed to be lowered.
  • When the second level adjustment parameter is 0, it indicates that the "write up" operation permission is turned off, that is, lowering the integrity level of the object is prohibited.
  • The initial value of the second level adjustment parameter is 0, which means that the "write up" operation permission of objects is turned off by default.
  • Compared with the strict-policy BIBA model, this embodiment allows a "write up" operation: when a subject writes to an object of higher integrity level, the integrity level of the object is lowered to the integrity level of the subject.
  • The configuration file of this embodiment may further be configured with a parameter "low-watermark": when the parameter is 1, the current kernel enables the integrity control policy provided by the embodiments of the present invention, that is, the "low watermark BIBA model"; when the parameter is 0, the BIBA model is the strict-policy BIBA model.
  • The access control method between a subject and an object carrying integrity labels dynamically adjusts the integrity label level of the subject or object using the "low watermark BIBA model", an improvement on the strict BIBA model provided by the embodiments of the present invention; the so-called "low watermark" refers to taking the lower level when adjusting dynamically.
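  • The following added example (not the patent's code, nor SELinux's) puts the three switches described above, "low-watermark", the "read down" parameter and the "write up" parameter, together with the process A (S3:I2) example from the earlier embodiment, into one decision routine. It assumes security contexts written as user:role:type:sN:iN with the "i" field appended as the page describes, treats i0 as exempt from the BIBA check (the page does not say how i0 is handled), and models the parameters as booleans rather than reading /etc/selinux/user_lomac and /etc/selinux/file_lomac:

```python
"""Low-watermark BIBA on top of BLP, driven by the page's three switches.

Added example, not the patent's or any SELinux code. Assumptions: the security
context is written user:role:type:sN:iN (the page's "i" field appended to an
SELinux-style context), i0 means "no integrity label", and the switches are
modelled as plain booleans rather than read from /etc/selinux/*_lomac files.
"""
import re
from dataclasses import dataclass

_CTX_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<role>[^:]+):(?P<type>[^:]+):s(?P<s>\d+)(?::i(?P<i>\d+))?$"
)


@dataclass
class Context:
    user: str
    role: str
    type: str
    s: int  # security (confidentiality) level, the BLP dimension
    i: int  # integrity level, the BIBA dimension; 0 = no integrity label

    @classmethod
    def parse(cls, text):
        m = _CTX_RE.match(text)
        if not m:
            raise ValueError(f"malformed security context: {text!r}")
        i = int(m.group("i") or 0)  # a context without an "i" field is i0
        if not 0 <= i <= 15:
            raise ValueError(f"integrity level outside i0..i15: i{i}")
        return cls(m.group("user"), m.group("role"), m.group("type"), int(m.group("s")), i)

    def __str__(self):
        return f"{self.user}:{self.role}:{self.type}:s{self.s}:i{self.i}"


@dataclass(frozen=True)
class Policy:
    low_watermark: bool = True  # "low-watermark": 1 = low-watermark BIBA, 0 = strict BIBA
    read_down: bool = True      # first level adjustment parameter ("lomac"), initial value 1
    write_up: bool = False      # second level adjustment parameter, initial value 0


def access(subject, obj, op, policy=Policy()):
    """Decide `op` ('read'|'write') by `subject` on `obj`; returns (allowed, reason).

    BLP is checked first and never relaxed. BIBA is relaxed by sinking one label
    to the lower level when the policy permits it, mutating `subject` or `obj`
    in place, which is the in-context adjustment the page describes.
    """
    if op not in ("read", "write"):
        raise ValueError(f"unknown operation {op!r}")
    # BLP confidentiality: no read up, no write down.
    if op == "read" and obj.s > subject.s:
        return False, "BLP: no read up"
    if op == "write" and obj.s < subject.s:
        return False, "BLP: no write down"
    # i0 entities carry no integrity label; this example skips BIBA for them (assumption).
    if subject.i == 0 or obj.i == 0:
        return True, "no integrity label on one side"
    if op == "read" and obj.i < subject.i:
        if policy.low_watermark and policy.read_down:
            subject.i = obj.i  # S111: subject sinks to the object's integrity level
            return True, f"read down: subject lowered to i{obj.i}"
        return False, "BIBA: no read down"
    if op == "write" and obj.i > subject.i:
        if policy.low_watermark and policy.write_up:
            obj.i = subject.i  # S112: object sinks to the subject's integrity level
            return True, f"write up: object lowered to i{subject.i}"
        return False, "BIBA: no write up"
    return True, "within BLP and BIBA bounds"


def demo():
    """Replay the page's process A example; returns the trace as a list of strings."""
    trace = []
    a = Context.parse("user_u:user_r:user_t:s3:i2")           # process A, label (S3:I2)
    low = Context.parse("user_u:object_r:tmp_t:s1:i1")        # object of integrity I1
    sysfile = Context.parse("system_u:object_r:etc_t:s3:i2")  # higher-integrity object
    for ctx, target, op, pol in [
        (a, low, "read", Policy(low_watermark=False)),  # strict BIBA: denied
        (a, low, "read", Policy()),                     # low watermark: A becomes i1
        (a, sysfile, "write", Policy()),                # write_up off by default: denied
        (a, sysfile, "write", Policy(write_up=True)),   # write_up on: object sinks to i1
    ]:
        ok, why = access(ctx, target, op, pol)
        trace.append(f"{op:5} {ctx} -> {target}: {'ALLOW' if ok else 'DENY '} ({why})")
    return trace


if __name__ == "__main__":
    print("\n".join(demo()))
```

  • Two design points are worth noting. The BLP checks come first and are never relaxed, so the low watermark only ever loosens the integrity side, which matches the page's claim that confidentiality is preserved. The adjustments mutate the label in place: in a real kernel the lowered subject label lives in the process credentials and the lowered object label has to be written back to the inode's security context, otherwise the next access would be evaluated against the stale level.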
  • SELinux DTE refers to the domain type enforcement of SELinux, where DTE is Domain and Type Enforcement for Linux and SELinux is Security-Enhanced Linux; SELinux and DTE are both access control technologies in the system.
  • A child process inherits the integrity level of its parent process; only at user login is the integrity level read from the configuration file.
  • The integrity level of a subject cannot be adjusted explicitly, and the integrity level of an object cannot be adjusted through user-mode commands (except when SELinux is set to permissive).
  • Through the design of the "low watermark BIBA model" and the above access principles, the embodiments of the present invention effectively solve the information island problem that exists when the BLP model and the BIBA model coexist in the prior art, and the problem that subject access is limited when both levels are high or both are low.
  • FIG. 11 is a schematic structural diagram of a data access control apparatus according to an embodiment of the present invention.
  • The data access control device provided in this embodiment is adapted to control read/write access to data.
  • The data access control device is implemented by a combination of hardware and software, and may be integrated in a processor of the terminal device for the processor to call.
  • The data access control apparatus of this embodiment includes an adjustment module 11 and an access module 12 that are connected to each other.
  • The adjustment module 11 is configured to adjust the integrity level of the integrity label in the security context of the subject or the object according to the current access operation in the secure operating system (OS), where a confidentiality label indicating the security level is pre-configured in the security contexts of the subject and the object.
  • The data access control apparatus performs both confidentiality control and integrity control when data is accessed in the secure OS.
  • The access control in the embodiments of the present invention is based on a security access control model.
  • The secure OS divides the entities in a computer information system into two parts: subjects and objects.
  • The definition of the security context of the BLP model for the subject and the object, and the operations performed on the security context, have been described in the above embodiments and are not repeated here.
  • The subject and the object in the BLP model are as described above.
  • An integrity label indicating an integrity level is added to the security context; for example, an attribute field "i" is appended to the end of the security context to carry the integrity label of the data. This effectively protects data integrity.
  • This embodiment implements the BIBA model on the basis of the BLP model by adding, to the security contexts of the subject and the object in the BLP model, labels that represent data integrity, and by adjusting the integrity level indicated by the label of the subject or object according to the requirements of the current access operation. This implements a non-strict BIBA model on top of the BLP model, namely the "low watermark BIBA model".
  • The access module 12 is configured to perform the current access operation according to the security levels of the subject and the object and the adjusted integrity levels of the subject and the object.
  • Where the restrictions on the "read" and "write" operations conflict for the current access operation (for example, because of the security level and integrity level of a process), the integrity level of the subject or object is adjusted, so that the current access operation can be performed with the adjusted integrity level of the subject or object.
  • By redesigning how the BLP model and the BIBA model work together, the access control model provided by this embodiment realizes model coexistence not as two independent models but by building the BIBA model on the basis of the BLP model, where the integrity label of the BIBA model can be adjusted according to the current access operation. This implements a "low watermark BIBA model" that provides both confidentiality and integrity for data access.
  • The data access control device provided by the embodiment of the present invention is used to perform the data access control method provided by the embodiment shown in FIG. 5 and has corresponding function modules; its implementation principle and technical effect are similar and are not described again here.
  • In the foregoing embodiment, the adjustment module 11 may adjust the integrity level of the integrity label in the security context of the subject or the object as follows: when a subject with a higher integrity level performs a read operation on an object with a lower integrity level, the integrity level of the subject is reduced to that of the object; or, when a subject with a lower integrity level performs a write operation on an object with a higher integrity level, the integrity level of the object is reduced to that of the subject.
  • The adjustment module 11 may also adjust the integrity level of the integrity label in the security context of the subject or object in another way: by modifying the integrity level indicated by a command, the integrity label in the security context of the subject or the object is set to the corresponding integrity level.
  • The foregoing adjustment manners of the adjustment module 11 are used selectively: generally, one of them is chosen according to the access the current process performs and the integrity levels of the subject and the object; alternatively, the designer can adjust the integrity level of the subject or object at any time by means of the modification command, as needed.
  • The data access control device provided by the embodiment of the present invention is used to perform the data access control method provided by the embodiment shown in FIG. 6 and has corresponding function modules; its implementation principle and technical effect are similar and are not described again here.
  • The integrity labels in the security contexts of the subject and the object are pre-configured. FIG. 12 is a schematic structural diagram of another data access control apparatus according to an embodiment of the present invention.
  • The data access control apparatus provided in this embodiment further includes a configuration module 13 connected to both the adjustment module 11 and the access module 12, configured to configure the integrity label in the security contexts of the subject and the object, respectively, before the adjustment module 11 adjusts the integrity level of the integrity label in the security context of the subject or the object.
  • The configuration module 13 in this embodiment includes an initialization unit 14 and a configuration unit 15 connected to each other, configured to configure the integrity label in the security context of the subject: the initialization unit 14 is configured to initialize the security context of the subject during user login in the secure OS; the configuration unit 15 is configured to read the preset subject integrity level configuration file and add the integrity label to the security context of the subject initialized by the initialization unit 14.
  • The subject integrity level configuration file in this embodiment includes a first level adjustment parameter. When the first level adjustment parameter is 1, it indicates that the "read down" operation permission is enabled; when it is 0, it indicates that the "read down" operation permission is disabled. The initial value of the first level adjustment parameter is 1.
  • The initialization unit 14 and the configuration unit 15 in this embodiment are also used to configure the integrity label in the security context of the object: the initialization unit 14 is configured to initialize the security context of the object during startup of the secure OS; the configuration unit 15 is configured to read the preset object integrity level configuration file and configure the integrity label in the security context of the object initialized by the initialization unit 14.
  • The object integrity level configuration file in this embodiment includes a second level adjustment parameter. When the second level adjustment parameter is 1, it indicates that the "write up" operation permission is enabled; when it is 0, it indicates that the "write up" operation permission is disabled. The initial value of the second level adjustment parameter is 0.
  • The configuration module 13 configures the integrity labels in the security contexts of the object and the subject as in FIG. 9 and FIG. 10 above: generally, the integrity label of the object is configured during the system startup phase, and after the system has started, the integrity label of the subject is configured on user login.
  • The data access control apparatus provided in this embodiment solves the information island problem that exists when the BLP model and the BIBA model coexist; the agreed access modes of the subject and the object and the adjustment principle of the integrity level have already been explained in the above embodiments and are not repeated here.
  • The data access control device provided by the embodiment of the present invention is used to perform the data access control method provided by the embodiment shown in FIG. 7 and has corresponding function modules; its implementation principle and technical effect are similar and are not described again here.
  • The adjustment module 11, the access module 12 and the configuration module 13 in the embodiments shown in FIG. 11 and FIG. 12 can be implemented by a processor of the terminal device, and each unit and sub-unit can likewise be implemented by the processor of the terminal device, which may be, for example, a central processing unit (CPU), an application specific integrated circuit (ASIC), or the like.
  • Each module/unit in the above embodiments may be implemented in hardware, for example by an integrated circuit implementing its corresponding function, or as a software function module, for example by a processor executing a program or instructions stored in memory to implement its corresponding function.
  • All or part of the steps of the above embodiments may be implemented by a program instructing related hardware (e.g., a processor); such a program may be stored in a computer readable storage medium such as a read only memory, a magnetic disk or an optical disk, among others.
  • All or part of the steps may also be implemented using one or more integrated circuits.
  • Embodiments of the invention are not limited to any specific form of combination of hardware and software.
  • The data access control method and apparatus provided by the embodiments of the present invention have the following beneficial effect: they solve the problem of the prior-art data access control method, in which only the BLP model or the BIBA model can be selectively used, so that information access cannot achieve both confidentiality and integrity.

Abstract

A data access control method and device. The data access control method comprises: according to a current access operation in a secure operating system (OS), adjusting the integrity level of an integrity label in the security context of a subject or an object, wherein a confidentiality label indicating a security level is pre-configured in the security contexts of the subject and the object (S110); and, according to the security levels of the subject and the object and the adjusted integrity levels of the subject and the object, executing the current access operation (S120). The method solves the problem in the prior art that information access cannot have both confidentiality and integrity because a data access control method can only selectively use the BLP model or the BIBA model.

Description

Data access control method and device

Technical field
Embodiments of the present invention relate to, but are not limited to, the field of computer technology and system security, and in particular to a data access control method and apparatus.
Background
With the development of computer technology, the use of electronic information has gradually replaced paper documents and become users' main source of information and means of storage. From a security standpoint, to protect information assets the industry focuses mainly on the information security triad: the confidentiality, integrity and availability of information.
In the multi-level security model of a secure operating system (OS), for the confidentiality of information, David Bell and Leonard La Padula proposed a security access control model in 1973, the Bell-La Padula (BLP) model. The BLP model is a state-machine-based model that forms the basis for defining multi-level security and is now regarded as a basic security axiom. For the integrity of information, K. J. Biba proposed an integrity access control model in 1977, the BIBA model, which is a mandatory access control model. Current secure OSs protect information by means of the above BLP and BIBA models. The BLP model is designed to guarantee the confidentiality of information; its implementation principle is to allow write-up and read-down and to forbid read-up and write-down, thereby guaranteeing data confidentiality. The BIBA model is designed to protect the integrity of information; its implementation principle is to allow read-up and write-down and to forbid read-down and write-up, thereby guaranteeing data integrity. Clearly, given the respective design principles of the BLP model and the BIBA model, if both are used in a secure OS at the same time, the situation arises in which the security level and the confidentiality level are both high or both low, which severely limits the subject's ability to access. Therefore, current secure OSs can only selectively use the BLP model or the BIBA model; that is, the confidentiality and integrity of information cannot both be taken into account.
In summary, because the data access control method in the prior art can only selectively use the BLP model or the BIBA model, information access cannot achieve both confidentiality and integrity.
Summary of the invention
To solve the above technical problem, embodiments of the present invention provide a data access control method and apparatus, in order to solve the problem that, because the prior-art data access control method can only selectively use the BLP model or the BIBA model, information access cannot achieve both confidentiality and integrity.
In a first aspect, an embodiment of the present invention provides a data access control method, including:
adjusting, according to the current access operation in a secure operating system (OS), the integrity level of the integrity label in the security context of a subject or an object, where a confidentiality label indicating the security level is pre-configured in the security contexts of the subject and the object;
performing the current access operation according to the security levels of the subject and the object and the adjusted integrity levels of the subject and the object.
In a first possible implementation of the first aspect, adjusting the integrity level of the integrity label in the security context of the subject or the object includes:
when a subject with a higher integrity level performs a read operation on an object with a lower integrity level, reducing the integrity level of the subject to the integrity level of the object; or,
when a subject with a lower integrity level performs a write operation on an object with a higher integrity level, reducing the integrity level of the object to the integrity level of the subject.
In a second possible implementation of the first aspect, adjusting the integrity level of the integrity label in the security context of the subject or the object includes:
adjusting the integrity label in the security context of the subject or the object to the corresponding integrity level by modifying the integrity level indicated by a command.
According to the first aspect or any one of the first to second possible implementations of the first aspect, in a third possible implementation, before adjusting the integrity level of the integrity label in the security context of the subject or the object, the method further includes:
configuring the integrity label in the security contexts of the subject and the object, respectively.
According to the third possible implementation of the first aspect, in a fourth possible implementation, adding the integrity label in the security context of the subject includes:
initializing the security context of the subject during user login in the secure OS;
adding the integrity label in the security context of the subject by reading a preset subject integrity level configuration file.
According to the fourth possible implementation of the first aspect, in a fifth possible implementation, the subject integrity level configuration file includes a first level adjustment parameter; when the first level adjustment parameter is 1, it indicates that the "read down" operation permission is enabled, and when it is 0, it indicates that the "read down" operation permission is disabled.
According to the fifth possible implementation of the first aspect, in a sixth possible implementation, the initial value of the first level adjustment parameter is 1.
According to the third possible implementation of the first aspect, in a seventh possible implementation, configuring the integrity label in the security context of the object includes:
initializing the security context of the object during startup of the secure OS;
configuring the integrity label in the security context of the object by reading a preset object integrity level configuration file.
According to the seventh possible implementation of the first aspect, in an eighth possible implementation, the object integrity level configuration file includes a second level adjustment parameter; when the second level adjustment parameter is 1, it indicates that the "write up" operation permission is enabled, and when it is 0, it indicates that the "write up" operation permission is disabled.
According to the eighth possible implementation of the first aspect, in a ninth possible implementation, the initial value of the second level adjustment parameter is 0.
In a second aspect, an embodiment of the present invention provides a data access control apparatus, including an adjustment module and an access module connected to each other;
the adjustment module is configured to adjust, according to the current access operation in the secure operating system (OS), the integrity level of the integrity label in the security context of a subject or an object, where a confidentiality label indicating the security level is pre-configured in the security contexts of the subject and the object;
the access module is configured to perform the current access operation according to the security levels of the subject and the object and the integrity levels of the subject and the object as adjusted by the adjustment module.
In a first possible implementation of the second aspect, the adjustment module being configured to adjust the integrity level of the integrity label in the security context of the subject or the object includes:
being configured to reduce the integrity level of the subject to the integrity level of the object when a subject with a higher integrity level performs a read operation on an object with a lower integrity level; or,
being configured to reduce the integrity level of the object to the integrity level of the subject when a subject with a lower integrity level performs a write operation on an object with a higher integrity level.
In a second possible implementation of the second aspect, the adjustment module being configured to adjust the integrity level of the integrity label in the security context of the subject or the object includes:
being configured to adjust the integrity label in the security context of the subject or the object to the corresponding integrity level by modifying the integrity level indicated by a command.
According to the second aspect or any one of the first to second possible implementations of the second aspect, in a third possible implementation, the data access control apparatus further includes a configuration module connected to both the adjustment module and the access module, configured to configure the integrity label in the security contexts of the subject and the object, respectively, before the adjustment module adjusts the integrity level of the integrity label in the security context of the subject or the object.
According to the third possible implementation of the second aspect, in a fourth possible implementation, the configuration module includes an initialization unit and a configuration unit connected to each other;
the initialization unit is configured to initialize the security context of the subject during user login in the secure OS;
the configuration unit is configured to add the integrity label in the security context of the subject initialized by the initialization unit by reading a preset subject integrity level configuration file.
According to the fourth possible implementation of the second aspect, in a fifth possible implementation, the subject integrity level configuration file includes a first level adjustment parameter; when the first level adjustment parameter is 1, it indicates that the "read down" operation permission is enabled, and when it is 0, it indicates that the "read down" operation permission is disabled.
According to the fifth possible implementation of the second aspect, in a sixth possible implementation, the initial value of the first level adjustment parameter is 1.
According to the third possible implementation of the second aspect, in a seventh possible implementation, the configuration module includes an initialization unit and a configuration unit connected to each other;
the initialization unit is configured to initialize the security context of the object during startup of the secure OS;
the configuration unit is configured to configure the integrity label in the security context of the object initialized by the initialization unit by reading a preset object integrity level configuration file.
According to the seventh possible implementation of the second aspect, in an eighth possible implementation, the object integrity level configuration file includes a second level adjustment parameter; when the second level adjustment parameter is 1, it indicates that the "write up" operation permission is enabled, and when it is 0, it indicates that the "write up" operation permission is disabled.
According to the eighth possible implementation of the second aspect, in a ninth possible implementation, the initial value of the second level adjustment parameter is 0.
According to yet another embodiment of the present invention, a storage medium is also provided, the storage medium including a stored program, where the program, when run, performs the method of any of the above.
According to yet another embodiment of the present invention, a processor is also provided, the processor being configured to run a program, where the program, when run, performs the method of any of the above.
The data access control method and apparatus provided by the embodiments of the present invention adjust, according to the current access operation in the secure OS, the integrity level of the integrity label in the security context of the subject or the object, where a confidentiality label indicating the security level is pre-configured in that security context, and then perform the current access operation according to the security levels of the subject and the object and the adjusted integrity levels. In the embodiments of the present invention the BIBA model is implemented on the basis of the BLP model, the integrity label and the confidentiality label are placed in the same security context, and the integrity level can be adjusted dynamically according to the current access operation, so that the BLP model and the BIBA model coexist in one application. This solves the problem that the prior-art data access control method can only selectively use the BLP model or the BIBA model, so that information access cannot achieve both confidentiality and integrity.
Brief description of the drawings
The drawings are provided to give a further understanding of the technical solutions of the present invention and form part of the specification; together with the embodiments of the present application they serve to explain the technical solutions of the present invention and do not constitute a limitation of them.
FIG. 1 is a schematic diagram of a data access control principle in the BLP model in the prior art;
FIG. 2 is a schematic diagram of another data access control principle in the BLP model in the prior art;
FIG. 3 is a schematic diagram of a data access control principle in the BIBA model in the prior art;
FIG. 4 is a schematic diagram of another data access control principle in the BIBA model in the prior art;
FIG. 5 is a flowchart of a data access control method according to an embodiment of the present invention;
FIG. 6 is a flowchart of another data access control method according to an embodiment of the present invention;
FIG. 7 is a schematic diagram of a model application in the data access control method provided by the embodiment shown in FIG. 6;
FIG. 8 is a flowchart of yet another data access control method according to an embodiment of the present invention;
FIG. 9 is a schematic diagram of an application scenario in the data access control method provided by the embodiment shown in FIG. 8;
FIG. 10 is a schematic diagram of another application scenario in the data access control method provided by the embodiment shown in FIG. 8;
FIG. 11 is a schematic structural diagram of a data access control apparatus according to an embodiment of the present invention;
FIG. 12 is a schematic structural diagram of another data access control apparatus according to an embodiment of the present invention.
具体实施方式detailed description
为使本发明的目的、技术方案和优点更加清楚明白,下文中将结合附图对本发明的实施例进行详细说明。需要说明的是,在不冲突的情况下,本申请中的实施例及实施例中的特征可以相互任意组合。The embodiments of the present invention will be described in detail below with reference to the accompanying drawings. It should be noted that, in the case of no conflict, the features in the embodiments and the embodiments in the present application may be arbitrarily combined with each other.
在附图的流程图示出的步骤可以在诸如一组计算机可执行指令的计算机***中执行。并且,虽然在流程图中示出了逻辑顺序,但是在某些情况下,可以以不同于此处的顺序执行所示出或描述的步骤。The steps illustrated in the flowchart of the figures may be executed in a computer system such as a set of computer executable instructions. Also, although logical sequences are shown in the flowcharts, in some cases the steps shown or described may be performed in a different order than the ones described herein.
BLP模型是实现信息保密性的控制策略,该保密性控制策略仅对主体和客体间的读写进行限制。保密性控制策略的规则如下:The BLP model is a control strategy for achieving information confidentiality, and the confidentiality control strategy only limits the reading and writing between the subject and the object. The rules for the privacy control policy are as follows:
1)、低保密性的主体禁止读取高保密性的客体,即禁止上读,如图1所示,为现有技术中BLP模型中一种数据访问控制原理的示意图。1) A low-confidence subject prohibits reading a high-confidence object, that is, prohibiting reading, as shown in FIG. 1, which is a schematic diagram of a data access control principle in the prior art BLP model.
2)、高保密性的主体禁止写入低保密性的客体,即禁止下写,如图2所示,为现有技术中BLP模型中另一种数据访问控制原理的示意图。2) The high-confidence subject prohibits writing to the object of low confidentiality, that is, prohibiting the writing, as shown in FIG. 2, which is a schematic diagram of another data access control principle in the BLP model in the prior art.
上述规则指示不允许低安全级别的用户读高敏感度的信息,也不允许高敏感度的信息写入低敏感度区域,即禁止信息从高级别流向低级别。保密性控制策略通过这种梯度式的安全标签实现信息的单向流通,实现了信息只能按照安全等级从下往上流动,或者根据策略的规定在同安全级别间流动。The above rules indicate that users with low security levels are not allowed to read high-sensitivity information, and high-sensitivity information is not allowed to be written to low-sensitivity areas, that is, information is prohibited from flowing from a high level to a low level. The confidentiality control strategy realizes the one-way circulation of information through the gradient security tag, so that the information can only flow from the bottom up according to the security level, or flow between the same security level according to the policy.
The BIBA model is a control policy for enforcing information integrity; this integrity control policy likewise restricts only the reads and writes between subjects and objects. Its rules are as follows:
1) A subject at a higher integrity level is prohibited from reading an object at a lower integrity level, i.e. no read down, as shown in FIG. 3, a schematic diagram of one data access control principle of the prior-art BIBA model.
2) A subject at a lower integrity level is prohibited from writing to an object at a higher integrity level, i.e. no write up, as shown in FIG. 4, a schematic diagram of another data access control principle of the prior-art BIBA model.
In practice the integrity control policy mainly serves to prevent applications from modifying certain important system programs or system databases. The BIBA model stipulates that information may flow only from a higher integrity level to a lower one; that is, it prevents low-integrity information from "contaminating" high-integrity information.
From the above description of the BLP and BIBA principles it is clear that the requirement for the two models to coexist cannot be met in a secure OS as they stand: because the access restrictions of the BLP model and the BIBA model work against each other, a secure OS can only choose to use either the BLP model or the BIBA model, i.e. it must selectively sacrifice either the confidentiality or the integrity of information. How to satisfy a secure OS's requirements for both confidentiality and integrity of information at the same time is a problem the industry currently expects and urgently needs to solve.
The technical solution of the present invention is described in detail below by way of specific embodiments. The secure OS in the following embodiments may be, for example, a Windows system, a Linux system or another secure OS, and the terminal device that executes the embodiments is, for example, a computer running such a secure OS. The specific embodiments provided below may be combined with one another, and the same or similar concepts or processes may not be described again in some embodiments.
FIG. 5 is a flowchart of a data access control method according to an embodiment of the present invention. The method of this embodiment applies where data read and write accesses are performed. It may be executed by a data access control apparatus implemented as a combination of hardware and software; the apparatus may be integrated in the processor of a terminal device and invoked by that processor. As shown in FIG. 5, the method of this embodiment may include:
S110: according to the current access operation in the secure OS, adjust the integrity level of the integrity label in the security context of the subject or of the object, the security contexts of the subject and the object being pre-configured with a confidentiality label that indicates the security level.
The data access control method of this embodiment is a way of performing confidentiality control and integrity control when data is accessed in a secure OS. To ensure data confidentiality, the access control in the embodiments of the present invention is based on a confidentiality access control model, for example the BLP model: the secure OS divides the entities of a computer information system into subjects and objects, defined as follows:
Subject: anything that performs an operation, for example a user or a process.
Object: anything that is operated upon, for example a file or a database.
The secure OS further configures a security context for every subject and object. The security context is a security description of the subject or object, comparable to the rwx permissions of a file system, and is stored with the file's index node (inode); on SELinux systems it is kept on disk in the security.selinux extended attribute. Its format may be:
user:role:type:security level, with the fields separated by ":".
The security context format can also be written as:
user_u:object_r:tmp_t:sensitivity attribute + category attribute;
In this format user_u is the user (User), object_r is the role (Role) and tmp_t is the type (Type); the security level (SL) = sensitivity attribute + category attribute, and a confidentiality label may be used to indicate the SL, for example the attribute field "s".
In this embodiment, based on the BLP model in the secure OS and the security context supporting it, a user can view the security context of a file with the command "ls -Z <filename>". For example, to view the security context of the file /etc/shadow on a Linux system, enter:
#ls -Z /etc/shadow; the resulting security context information is:
-r--------. root root system_u:object_r:shadow_t:s0-s15 /etc/shadow; here "system_u:object_r:shadow_t:s0-s15" is the security context of the file shadow, and "s0-s15" is its confidentiality label, indicating an SL range from level 0 to level 15.
In the secure OS of this embodiment, integrity labels fall into two categories: with an integrity label and without one. Integrity labels are defined as follows:
i0 < i1 < i2 < i3 < ... < i[N], where 0 <= N <= 15.
In this expression i0 indicates that the subject or object has no integrity label, and [i1, i15] indicates that it has one. The integrity label is implemented by adding a new field "i" to the security context of subjects and objects. For example, an object security context with the added integrity label looks like:
user_u:object_r:user_home_t:s0:i1
#ll -Z test
-rw-r--r--. root root user_u:object_r:user_home_t:s0:i1 test
where i[N] is the newly added integrity label, appended at the end of the existing security context.
As another example, the security context of a user is as follows:
#id -Z
user_u:user_r:user_t:s0:i8
It can be seen that the format of a security context with an integrity label added can be expressed as:
user_u:object_r:tmp_t:sensitivity attribute + category attribute:integrity level;
In this format user_u is the user (User), object_r is the role (Role) and tmp_t is the type (Type); the security level (SL) = sensitivity attribute + category attribute, the confidentiality label is represented for example by the attribute field "s", and the integrity label for example by the attribute field "i". The integrity label i[N] and the confidentiality label s[N] identify the integrity level dimension and the security level dimension of the subject or object respectively. Unlike the confidentiality label, the integrity level of a subject or object is a single level only; a range cannot be set.
So that the integrity labels of subjects and objects remain simple to describe and easy to understand while the design still accommodates data confidentiality, this embodiment builds on the security context format of subjects and objects in the BLP model described above and additionally carries in the security context an integrity label indicating the integrity level, for example by appending the attribute field "i" at the end of the security context, thereby effectively protecting data integrity. By adding to the security contexts of subjects and objects in the BLP model a label that expresses data integrity, this embodiment implements the BIBA model on the basis of the BLP model, and the integrity level indicated by the integrity label of the subject or object can be adjusted according to the needs of the current access operation, so that a non-strict BIBA policy, the "low-watermark BIBA model", is realised on the basis of the BLP model.
S120: execute the current access operation according to the security levels of the subject and the object and the adjusted integrity levels of the subject and the object.
In this embodiment the integrity level of the subject or the object has already been adjusted, according to the current access operation, wherever the restrictions that the security level and the integrity level of, for example, a process place on "read" and "write" operations come into conflict. For example, process A, labelled (S3:I2), needs to perform a "read" on an object of integrity level I1; under the restriction of the BIBA model this "read down" cannot be performed. With the access control method of this embodiment the integrity level of process A's integrity label can be lowered from I2 to I1, so that process A is labelled (S3:I1) and the read-down of the object (I1) can be executed.
By contrast, the BLP model and the BIBA model of the prior art are two independent models: the BLP model strictly follows the principle "no read up, no write down" and the BIBA model strictly follows "no read down, no write up", as combined in the access permission matrix for coexisting integrity and confidentiality in Table 1 below.
Table 1
[Table 1: access permission matrix for coexisting integrity and confidentiality; provided only as image PCTCN2017079738-appb-000001 in the original.]
Obviously, within each row and each column of the access permission matrix in which integrity and confidentiality coexist, the coexistence of the BLP model and the BIBA model strictly follows the principles of both models; as soon as an access crosses a row or a column, the BLP model and the BIBA model can no longer coexist. Moreover, when the integrity level and the confidentiality level are both high or both low, the subject's access capability is severely limited; that is, the coexistence model suffers from the problem of information islands.
The access control model of this embodiment redesigns the way the BLP model and the BIBA model work. Coexistence is achieved not with two independent models but by designing the BIBA model on the basis of the BLP model, and the integrity label of that BIBA model can be adjusted according to the current access operation to realise a "low-watermark BIBA model", so that both the confidentiality and the integrity of data access are taken into account.
In the data access control method of this embodiment, the integrity level of the integrity label in the security context of the subject or object is adjusted according to the current access operation in the secure OS, the security context being pre-configured with a confidentiality label that indicates the security level; after this adjustment the current access operation is executed according to the security levels of the subject and the object and the adjusted integrity levels. By implementing the BIBA model on the basis of the BLP model, this embodiment places the integrity label and the confidentiality label in the same security context and allows the integrity level to be adjusted dynamically according to the current access operation, so that the BLP model and the BIBA model coexist in use. This solves the problem of prior-art data access control, which could only use the BLP model or the BIBA model selectively and therefore could not provide both confidentiality and integrity for information access.
Optionally, FIG. 6 is a flowchart of another data access control method according to an embodiment of the present invention. On the basis of the embodiment shown in FIG. 5, the specific way of adjusting the subject or the object in this embodiment, i.e. S110 above, may include:
S111: when a subject at a higher integrity level performs a read operation on an object at a lower integrity level, lower the integrity level of the subject to the integrity level of the object. Or it may include:
S112: when a subject at a lower integrity level performs a write operation on an object at a higher integrity level, lower the integrity level of the object to the integrity level of the subject.
In this embodiment, FIG. 7 is a schematic diagram of a model application in the data access control method of the embodiment shown in FIG. 6. In the access control method of this embodiment, for the coexisting BLP and BIBA models, it is agreed that an adjustment of the integrity level of a subject or object takes effect permanently. Process A in FIG. 7 carries the confidentiality label and integrity label (S3:I2), the middle box: its security level is "S3, confidential" and its integrity level is "I2, medium integrity". Where the BLP model and the BIBA model coexist in the prior art, the subject's read and write operations on objects at different security levels and integrity levels are restricted; "R" and "W" in the figure are the read and write operations the prior-art coexistence model can perform, whereas the "low-watermark BIBA model" implemented by the method of this embodiment additionally grants the accesses "R(2)" and "W(3)" in FIG. 7.
For example, if the current operation that process A (S3:I2) needs to perform is R(2), then because the integrity level of process A is higher than that of the object, I1, the integrity level of process A is adjusted to I1; i.e. after process A performs R(2), its label becomes (S3:I1).
As another example, if the current operation that process A (S3:I2) needs to perform is W(3), then because the integrity level of the object in W(3) is higher than that of process A, the integrity level of the object is adjusted from I3 to I2; i.e. after process A performs W(3), the integrity level of the written file becomes I2.
Optionally, the integrity level of the subject or object may also be adjusted in this embodiment as follows, i.e. S110 above may be: S113, adjusting the integrity label in the security context of the subject or object to the corresponding integrity level according to the integrity level indicated by a modification command.
In this embodiment a user or designer may, according to the current access requirements or the integrity level range required for a subject or object, adjust the integrity level of the subject or object directly by means of a setting command, the "chcon command", with an integrity level parameter "i". (The "-i" option is an extension belonging to this embodiment: the stock coreutils chcon has no such option and only sets the user, role, type and range fields of a context.)
For example, to set the integrity label of /root and of all files and subdirectories under it to i2:
#chcon -i i2 -R /root
After this command the integrity level of every file under /root is changed to i2, in the format:
user_u:user_r:user_t:s0:i2
It should be noted that S111, S112 and S113 in this embodiment are alternatives: normally one of them is selected according to the type of access the current process performs and the integrity levels of the subject and the object; in addition, a user or designer may execute S113 at any time as required.
In the embodiments of the present invention the integrity labels in the security contexts of subjects and objects are pre-configured. FIG. 8 is a flowchart of yet another data access control method according to an embodiment of the present invention; on the basis of the embodiment shown in FIG. 5, this embodiment further includes, before S110: S100, configuring an integrity label in the security context of the subject and in the security context of the object respectively.
In a specific implementation of this embodiment, configuring the integrity label in the security context of an object may include:
S101: initialising the security context of the object while the secure OS starts up.
S102: configuring the integrity label in the security context of the object by reading a preset object integrity level configuration file.
The object integrity level configuration file in this embodiment is, for example: /etc/selinux/file_lomac
The configuration file has the following structure:
<file/directory path><integrity level>
/etc/*             12
/root/test.txt       2
The integrity level of an object can then be viewed in the system with the command "ls -Z", for example:
#ls -Z /root/test.txt
The result is: user_u:user_r:user_t:s0:i2.
It should be noted that user_u, user_r, user_t and s0 above may vary with the particular circumstances; the point here is only that the integrity level of the file /root/test.txt is i2, and the preceding "user:role:type:security level" is shown merely to place the integrity level i2 that follows it in context.
Its format is:
user:role:type:security level:integrity level, i.e. the integrity level is an extension that follows the security level. Similarly the command "ls -d" can be used to view the integrity level of the /etc/ directory, for example:
#ls -d -Z /etc/
The result is: user_u:user_r:user_t:s0:i12. The "user:role:type:security level" part of this expression is as described above and is not repeated.
FIG. 9 is a schematic diagram of an application scenario of the data access control method of the embodiment shown in FIG. 8, namely configuring the integrity label in the security context of an object. The initial configuration of object integrity labels is usually completed by the init process during the system startup phase, specifically:
S210: the bootloader (GRand Unified Bootloader, Grub) and the small kernel start.
S220: switch to the root file system.
S230: start the init process (systemd, which runs as PID 1).
S240: invoke the rhel-autorelabel script.
S250: initialise the security contexts of the objects.
S260: read the object integrity configuration file. This configuration file has been described in the embodiment above and is not repeated here.
S270: system service startup phase.
In addition, in a specific implementation of the embodiment shown in FIG. 8, configuring the integrity label in the security context of a subject may include:
S103: initialising the security context of the subject during user login to the secure OS.
S104: adding the integrity label to the security context of the subject by reading a preset subject integrity level configuration file.
The subject integrity level configuration file in this embodiment is, for example: /etc/selinux/user_lomac
The configuration file has the following structure:
<username><integrity level>
test         10
# the integrity label level configured for user test is 10; the user's integrity level can then be viewed in the system with the command "id -Z", for example:
#id -Z
The result is: user_u:user_r:user_t:s0:i10.
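The two configuration files above (file_lomac for objects, user_lomac for subjects) and the "user:role:type:security level:integrity level" context format are simple enough to load in user space. The following is an added example, not code from the patent or from any SELinux tool: it parses constructed sample copies of both files, derives the initial integrity level for a path or a user name, and appends the "i" field to an existing context. The glob matching of path patterns, the longest-match rule, and the rule that an entity with no entry stays at i0 (no label) are assumptions of this example; the page shows only the two literal entries.

```python
import fnmatch
from typing import Dict, List, Tuple

MAX_LEVEL = 15  # labelled entities use i1..i15; i0 means "no integrity label"

# Constructed sample of /etc/selinux/file_lomac (same entries as on the page).
FILE_LOMAC = """\
# <file/directory path><integrity level>
/etc/*             12
/root/test.txt       2
"""

# Constructed sample of /etc/selinux/user_lomac.
USER_LOMAC = """\
# <username><integrity level>
test         10
"""


def parse_lomac(text: str) -> List[Tuple[str, int]]:
    """Parse '<key> <level>' lines. Blank lines and lines starting with '#'
    are skipped; a level outside i1..i15 or a malformed line is an error so
    that a typo in the file cannot silently label everything i0."""
    entries: List[Tuple[str, int]] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 2 or not parts[1].isdigit():
            raise ValueError(f"line {lineno}: expected '<key> <level>', got {raw!r}")
        level = int(parts[1])
        if not 1 <= level <= MAX_LEVEL:
            raise ValueError(f"line {lineno}: level {level} outside i1..i{MAX_LEVEL}")
        entries.append((parts[0], level))
    return entries


def object_level(path: str, entries: List[Tuple[str, int]]) -> int:
    """Integrity level for a path: exact or glob match (assumption), the
    longest matching pattern wins, no match means i0. Note that fnmatch '*'
    also matches '/', so '/etc/*' covers '/etc/' itself and everything below."""
    best: Tuple[str, int] = ("", 0)
    for pattern, level in entries:
        if path == pattern or fnmatch.fnmatchcase(path, pattern):
            if len(pattern) > len(best[0]):
                best = (pattern, level)
    return best[1]


def subject_level(username: str, entries: List[Tuple[str, int]]) -> int:
    """Integrity level for a user name; users without an entry are i0."""
    return dict(entries).get(username, 0)


def with_integrity(context: str, level: int) -> str:
    """Append ':i<level>' to a user:role:type:security-level context, replacing
    any integrity field already present; level 0 yields a context without one."""
    fields = context.split(":")
    if len(fields) < 4:
        raise ValueError("context must be user:role:type:security level")
    base = ":".join(fields[:4])
    return base if level == 0 else f"{base}:i{level}"


def relabel(base_contexts: Dict[str, str], entries: List[Tuple[str, int]]) -> Dict[str, str]:
    """What the boot-time relabel (S250/S260) would produce for a set of paths."""
    return {p: with_integrity(ctx, object_level(p, entries)) for p, ctx in base_contexts.items()}
```

Running relabel over {"/root/test.txt": "user_u:user_r:user_t:s0", "/etc/": "user_u:user_r:user_t:s0"} with the parsed FILE_LOMAC reproduces the two "ls -Z" results shown above, while a path such as /home/test/notes with no entry keeps its context unchanged, i.e. stays unlabelled.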
FIG. 10 is a schematic diagram of another application scenario of the data access control method of the embodiment shown in FIG. 8, namely configuring the integrity label in the security context of a subject. The initial configuration of subject integrity labels is usually completed by the cooperation of a kernel-mode component and a user-mode component, specifically:
S310: the user logs in and is authenticated.
S320: password check.
S311: session initialisation.
S321: initialise the security context of the subject.
S322: read the subject integrity configuration file. This configuration file has been described in the embodiment above and is not repeated here.
S312: subsequent initialisation settings.
S313: login succeeds.
It should be noted that S310, S311 and S312 to S313 in the application scenario of FIG. 10 are operations executed on the user-mode component, for example a terminal with a graphical user interface (GUI); S320 and S321 to S322 are operations executed on the kernel-mode component, for example a Pluggable Authentication Modules (PAM) module. (Strictly, PAM modules run in user space, not in the kernel.)
It should also be noted that in the embodiment shown in FIG. 8 the integrity labels of objects are usually configured first, during system startup, and the integrity labels of subjects are configured after startup through user login; that is, S101 to S102 are executed before S103 to S104.
In a specific implementation, the embodiments of the present invention may adjust the integrity level through an external interface of the "low-watermark BIBA model", which may be designed into the subject and object integrity configuration files. Specifically, the subject integrity level configuration file of this embodiment may include a first level adjustment parameter, for example the parameter "lomac". When this parameter is 1, the "read down" permission is enabled, i.e. lowering the subject's integrity level is allowed; when it is 0, the "read down" permission is disabled, i.e. lowering the subject's integrity level is prohibited. The initial value of the first level adjustment parameter is 1, i.e. the subject "read down" permission is enabled by default. On the basis of the BIBA policy, this embodiment thus allows the "read down" operation: when a subject reads an object at a lower integrity level, the subject's integrity level is lowered to that of the object.
On the other hand, the object integrity level configuration file of this embodiment includes a second level adjustment parameter, for example a parameter exposed under "/proc/sys/selinux/". When this parameter is 1, the "write up" permission is enabled, i.e. lowering the object's integrity level is allowed; when it is 0, the "write up" permission is disabled, i.e. lowering the object's integrity level is prohibited. The initial value of the second level adjustment parameter is 0, i.e. the object "write up" permission is disabled by default. On the basis of the strict BIBA policy, this embodiment thus allows the "write up" operation: when a subject writes an object at a higher integrity level, the object's integrity level is lowered to that of the subject.
Optionally, the configuration file of this embodiment may further contain a parameter "low-watermark". When it is 1, the current kernel enables the integrity control policy of the embodiments of the present invention, i.e. the "low-watermark BIBA model"; when it is 0, the BIBA model is the strict-policy BIBA model.
It should be noted that, in order to solve the information island problem in the coexistence of the BLP model and the BIBA model, the embodiments of the present invention adopt the following conventions:
1. Access control between a subject and an object that both have integrity labels: the "low-watermark BIBA model" dynamically adjusts the integrity label level of the subject or object. This is the improvement over the strict BIBA model provided by the embodiments; "low watermark" means that the lower integrity level is taken when the dynamic adjustment is made.
2. Subject access with special integrity labels
1) A subject without an integrity label has an integrity level equivalent to I0 and is only allowed to perform "read" operations on objects that have an integrity label.
In the method of the embodiments, a subject without an integrity label is assumed to be untrusted; if such a subject were granted "write up" by lowering the object's integrity level, the integrity of the data would very likely be destroyed. This rule therefore keeps the behaviour consistent with the strict BIBA model's prohibition of write up.
2) Access by a subject with an integrity label to an object without one: in this case no integrity control policy applies and the access is restricted only by the SELinux DTE policy. SELinux DTE refers to the domain and type enforcement of SELinux: DTE is Domain and Type Enforcement for Linux, and SELinux is Security-Enhanced Linux; both are access control technologies of the system.
3) Access between a subject and an object that both lack an integrity label: no integrity control policy applies here either, and the access is likewise restricted only by the SELinux DTE policy.
Optionally, the principles for adjusting integrity levels in the access control method provided by the embodiments of the present invention are as follows:
1. Automatic adjustment of subject and object integrity levels follows the "low-watermark BIBA model" currently in effect in the kernel;
2. Automatic adjustment of subject and object integrity levels follows the principle of monotonic decrease: a level is only ever adjusted from a higher integrity level to a lower one;
3. Except for the integrity level read from the configuration file at user login, a child process inherits the integrity level of its parent process;
4. Objects created by a process, such as files, inherit the integrity level of the creating process;
5. Once the initial configuration of subject and object integrity levels is complete, the subject integrity level may not be explicitly adjusted, and the object integrity level cannot be adjusted through user-space commands (except when SELinux is set to permissive).
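The conventions in points 1 and 2 above and the five adjustment principles, written out as a runnable reference monitor. This is an added example, not code from the patent or from any vendor implementation: the `Label` and `Policy` types, the function names, the integer levels, the `island_scenario` inputs and the stand-in for the SELinux DTE decision are assumptions of this example; only the decision and adjustment rules are taken from the text.

```python
"""Reference monitor for the BLP + "low-watermark BIBA" rules above.

Added example, not the patent's or any vendor's code. Label and Policy
types, function names, the integer levels and the stand-in for the
SELinux DTE check are assumptions of this example; the decision rules
are the conventions and adjustment principles stated in the text.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Label:
    secrecy: int              # BLP secrecy level (s0 < s1 < ...)
    integrity: Optional[int]  # BIBA integrity level; None = no "i" field


@dataclass
class Policy:
    read_down: bool = True    # first-level adjustment parameter (initial 1)
    write_up: bool = False    # second-level adjustment parameter (initial 0)


def dte_allows(subject: Label, obj: Label, op: str) -> bool:
    """Stand-in for the SELinux DTE decision that governs unlabeled
    objects (conventions 2.2 and 2.3). Assumed permissive here."""
    return True


def decide(subject: Label, obj: Label, op: str, policy: Policy) -> bool:
    """Return True if `op` ("read" or "write") is permitted.

    BLP is static: no read-up, no write-down.  BIBA is low-watermark: a
    read-down lowers the subject, a write-up lowers the object, and each
    is gated by its adjustment parameter.  Levels only ever decrease."""
    if op not in ("read", "write"):
        raise ValueError(f"unknown operation {op!r}")
    # BLP confidentiality is checked first and never relaxed
    if op == "read" and subject.secrecy < obj.secrecy:
        return False
    if op == "write" and subject.secrecy > obj.secrecy:
        return False
    # Unlabeled object: no integrity policy, DTE only (2.2, 2.3)
    if obj.integrity is None:
        return dte_allows(subject, obj, op)
    # Unlabeled subject: equivalent to I0, read only (2.1)
    if subject.integrity is None:
        return op == "read"
    if op == "read":
        if subject.integrity > obj.integrity:        # read-down
            if not policy.read_down:
                return False
            subject.integrity = obj.integrity        # subject low-watermark
        return True
    if subject.integrity < obj.integrity:            # write-up
        if not policy.write_up:
            return False
        obj.integrity = subject.integrity            # object low-watermark
    return True


def fork(parent: Label) -> Label:
    """Principle 3: a child process inherits its parent's levels."""
    return Label(parent.secrecy, parent.integrity)


def create_object(creator: Label) -> Label:
    """Principle 4: an object created by a process inherits its levels."""
    return Label(creator.secrecy, creator.integrity)


def island_scenario():
    """A 'double-high' subject (s2, i3) that strict BIBA would confine to
    objects with s<=2 and i>=3.  Returns (read_ok, subject_i_after, write_ok)."""
    policy = Policy()
    subj = Label(secrecy=2, integrity=3)
    low_obj = Label(secrecy=1, integrity=1)
    read_ok = decide(subj, low_obj, "read", policy)     # allowed, subj -> i1
    high_obj = Label(secrecy=2, integrity=3)
    write_ok = decide(subj, high_obj, "write", policy)  # write-up, disabled by default
    return read_ok, subj.integrity, write_ok


if __name__ == "__main__":
    print(island_scenario())
```

The scenario shows both halves of the trade-off: the read-down that strict BIBA would refuse is permitted, but the subject pays for it by dropping to I1, after which it can no longer write the I3 object while the write-up parameter stays at its initial value 0.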
Through the design of the "low-watermark BIBA model" and the access principles above, the embodiments of the present invention effectively solve the information-island problem that exists in the prior art when the BLP model and the BIBA model coexist, as well as the problem that subjects whose secrecy and integrity levels are both high or both low have severely restricted access.
FIG. 11 is a schematic structural diagram of a data access control apparatus according to an embodiment of the present invention. The data access control apparatus provided by this embodiment applies to performing data read and write access; it is implemented by a combination of hardware and software, and may be integrated into the processor of a terminal device to be invoked by that processor. As shown in FIG. 11, the data access control apparatus of this embodiment includes an adjustment module 11 and an access module 12, which are connected to each other.
The adjustment module 11 is configured to adjust, according to the current access operation in the secure operating system (OS), the integrity level of the integrity label in the security context of a subject or object, where the security contexts of the subject and the object are pre-configured with a confidentiality label indicating a secrecy level.
The data access control apparatus provided by this embodiment of the present invention provides confidentiality control and integrity control when data is accessed in a secure OS. To ensure data confidentiality, the access control in the embodiments of the present invention is based on a confidentiality access control model, for example the BLP model, under which the secure OS divides the entities of a computer information system into subjects and objects. The definitions of subject and object, the specific format of the security context that the BLP model configures for subjects and objects, and the operations performed on that security context have been described in the embodiments above and are not repeated here.
It should be noted that the manner and format in which the integrity label is configured in the security contexts of subjects and objects in this embodiment, the format of the security context after the integrity label is configured, and the operations that can then be performed have likewise been described in the embodiments above and are not repeated here.
To keep the description of subject and object integrity labels simple and easy to understand while still preserving data confidentiality, this embodiment extends the subject and object security context format of the BLP model described above so that the security context also carries an integrity label indicating an integrity level; for example, an attribute field "i" is appended to the end of the security context to represent the integrity label of the data, thereby protecting data integrity effectively. By adding a label that expresses data integrity to the subject and object security contexts of the BLP model, this embodiment implements the BIBA model on top of the BLP model, and the integrity level indicated by the integrity label of a subject or object can be adjusted according to the needs of the current access operation. The result is a non-strict BIBA model built on the BLP model, namely the "low-watermark BIBA model".
The access module 12 is configured to perform the current access operation according to the secrecy levels of the subject and the object and the integrity levels of the subject and the object as adjusted by the adjustment module 11.
In this embodiment, the integrity level of the subject or object has already been adjusted according to the current access operation, for example where the restrictions that a process's secrecy level and integrity level place on "read" and "write" operations conflict, so that the current access operation can be performed at the adjusted integrity level of the subject or object.
The access control model provided by this embodiment redesigns the way the BLP model and the BIBA model work together: rather than two independent models coexisting, the BIBA model is built on top of the BLP model, and the integrity labels of that BIBA model can be adjusted according to the current access operation to realize a "low-watermark BIBA model", so that both the confidentiality and the integrity of data access are taken into account.
The data access control apparatus provided by this embodiment of the present invention is used to perform the data access control method provided by the embodiment shown in FIG. 5 of the present invention; it has the corresponding functional modules, and its implementation principle and technical effect are similar and are not repeated here.
Optionally, the specific way in which the adjustment module 11 adjusts the integrity level of the integrity label in the security context of a subject or object in the embodiment above may be: when a subject with a higher integrity level performs a read operation on an object with a lower integrity level, lowering the integrity level of the subject to the integrity level of the object; or, when a subject with a lower integrity level performs a write operation on an object with a higher integrity level, lowering the integrity level of the object to the integrity level of the subject.
Optionally, the adjustment module 11 may also adjust the integrity level of the integrity label in the security context of a subject or object by setting the integrity label in the subject's or object's security context to the integrity level indicated by a modify command.
It should be noted that the adjustment manners above are applied selectively in this embodiment: usually one of them is chosen according to the type of access performed by the current process and the integrity levels of the subject and object; in addition, a user or designer can adjust the integrity level of a subject or object at any time by means of a modify command, as required.
The data access control apparatus provided by this embodiment of the present invention is used to perform the data access control method provided by the embodiment shown in FIG. 6 of the present invention; it has the corresponding functional modules, and its implementation principle and technical effect are similar and are not repeated here.
In the embodiments of the present invention, the integrity labels in the subject and object security contexts are pre-configured. FIG. 12 is a schematic structural diagram of another data access control apparatus according to an embodiment of the present invention. On the basis of the embodiment shown in FIG. 11, the data access control apparatus provided by this embodiment further includes a configuration module 13, connected to both the adjustment module 11 and the access module 12, configured to configure an integrity label in the security context of the subject and of the object, respectively, before the adjustment module 11 adjusts the integrity level of the integrity label in the security context of the subject or object.
In a specific implementation, the configuration module 13 of this embodiment includes an initialization unit 14 and a configuration unit 15, connected to each other, for configuring the integrity label in the security context of the subject. The initialization unit 14 is configured to initialize the security context of the subject during user login in the secure OS; the configuration unit 15 is configured to read a preset subject integrity-level configuration file and add the integrity label to the subject security context initialized by the initialization unit 14. The subject integrity-level configuration file of this embodiment includes a first-level adjustment parameter: a value of 1 indicates that "read-down" operation permission is enabled, a value of 0 indicates that it is disabled, and the initial value of the first-level adjustment parameter is 1.
In addition, the initialization unit 14 and the configuration unit 15 of this embodiment are also used to configure the integrity label in the security context of the object. The initialization unit 14 is configured to initialize the security context of the object while the secure OS boots; the configuration unit 15 is configured to read a preset object integrity-level configuration file and configure the integrity label in the object security context initialized by the initialization unit 14. The object integrity-level configuration file of this embodiment includes a second-level adjustment parameter: a value of 1 indicates that "write-up" operation permission is enabled, a value of 0 indicates that it is disabled, and the initial value of the second-level adjustment parameter is 0.
It should be noted that the specific way in which the configuration module 13 configures the integrity labels in the object and subject security contexts in this embodiment is as shown in FIG. 9 and FIG. 10 above: typically the object integrity labels are configured first, during the system boot phase, and after the system has started the subject integrity labels are configured through user login.
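The labeling side of the scheme, as an added example that is not code from the patent or from any vendor: the "i" attribute field appended to the security context described above, the two integrity-level configuration files with their adjustment parameters, the boot-time (objects) and login-time (subjects) labeling order, and the principle that object levels are fixed against user-space changes unless SELinux is permissive. The exact context layout `user:role:type:sN:iM`, the INI-style file layout, the key names `read_down` and `write_up`, the sample paths and users, and all function names are assumptions of this example; the parameter semantics, their initial values (1 for read-down, 0 for write-up) and the ordering come from the text.

```python
"""Context labeling for the BLP + low-watermark BIBA scheme above.

Added example, not the patent's or any vendor's code. The context layout
"user:role:type:sN[:iM]", the INI-style configuration files, the key
names and the function names are assumptions; the parameter meanings
and initial values and the boot/login ordering come from the text.
"""
import configparser
from typing import Dict, Optional, Tuple

# Constructed sample of the subject integrity-level file (read at login).
SUBJECT_CONF = """
[params]
read_down = 1
[subjects]
root = 3
alice = 2
"""

# Constructed sample of the object integrity-level file (read at boot).
OBJECT_CONF = """
[params]
write_up = 0
[objects]
/etc/passwd = 3
/usr/bin/login = 3
/home/alice/notes.txt = 2
/tmp/upload.bin = 0
"""


def parse_context(ctx: str) -> Tuple[str, str, str, int, Optional[int]]:
    """Split "user:role:type:sN[:iM]" into its fields.
    The trailing i-field is optional; a context without it is unlabeled."""
    parts = ctx.split(":")
    if len(parts) not in (4, 5) or not parts[3].startswith("s"):
        raise ValueError(f"malformed context: {ctx!r}")
    secrecy = int(parts[3][1:])
    integrity = None
    if len(parts) == 5:
        if not parts[4].startswith("i"):
            raise ValueError(f"malformed integrity field: {ctx!r}")
        integrity = int(parts[4][1:])
    return parts[0], parts[1], parts[2], secrecy, integrity


def with_integrity(ctx: str, level: int) -> str:
    """Append (or replace) the trailing i-field of a context."""
    user, role, typ, secrecy, _ = parse_context(ctx)
    return f"{user}:{role}:{typ}:s{secrecy}:i{level}"


def _load(text: str) -> configparser.ConfigParser:
    # Only "=" as delimiter so that ":" never splits a key.
    cp = configparser.ConfigParser(delimiters=("=",))
    cp.read_string(text)
    return cp


def label_objects_at_boot(object_conf: str,
                          contexts: Dict[str, str]) -> Tuple[Dict[str, str], bool]:
    """Boot-time step: add i-fields to the object contexts listed in the
    file.  Returns the relabeled map and the write-up parameter (initial 0)."""
    cp = _load(object_conf)
    write_up = cp.getboolean("params", "write_up", fallback=False)
    out = dict(contexts)
    for path, level in cp.items("objects"):
        if path in out:                      # objects not on disk are skipped
            out[path] = with_integrity(out[path], int(level))
    return out, write_up


def label_subject_at_login(subject_conf: str, user: str,
                           base_ctx: str) -> Tuple[str, bool]:
    """Login-time step: the initialized subject context gets the user's
    integrity level from the file.  Returns (context, read_down parameter)."""
    cp = _load(subject_conf)
    read_down = cp.getboolean("params", "read_down", fallback=True)
    if not cp.has_option("subjects", user):
        return base_ctx, read_down           # no entry: stays unlabeled (I0)
    return with_integrity(base_ctx, cp.getint("subjects", user)), read_down


def set_object_level_from_userspace(ctx: str, level: int,
                                    selinux_mode: str) -> str:
    """Principle 5: after initial configuration the object level may not be
    changed by a user-space command unless SELinux is permissive."""
    if selinux_mode != "permissive":
        raise PermissionError("object integrity level is fixed while enforcing")
    return with_integrity(ctx, level)
```

Note that a user missing from the subject file is left without an i-field rather than given a default, which is exactly the "unlabeled subject, read-only" case of convention 2.1 above.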
It should also be noted that the conventions on subject and object access adopted by the data access control apparatus of this embodiment to solve the information-island problem in the coexistence of the BLP and BIBA models, and the principles for adjusting integrity levels, have been described in the embodiments above and are not repeated here.
The data access control apparatus provided by this embodiment of the present invention is used to perform the data access control method provided by the embodiment shown in FIG. 7 of the present invention; it has the corresponding functional modules, and its implementation principle and technical effect are similar and are not repeated here.
In a specific implementation, the adjustment module 11, the access module 12 and the configuration module 13 in the embodiments shown in FIG. 11 and FIG. 12 may be implemented by the processor of the terminal device, and the units and sub-units therein may likewise be implemented by the processor of the terminal device; the processor may be, for example, a central processing unit (CPU), an application-specific integrated circuit (ASIC), or one or more integrated circuits configured to implement the embodiments of the present invention.
A person of ordinary skill in the art will understand that all or some of the steps of the methods above may be completed by a program instructing related hardware (for example, a processor), and the program may be stored in a computer-readable storage medium such as a read-only memory, a magnetic disk or an optical disc. Optionally, all or some of the steps of the embodiments above may also be implemented using one or more integrated circuits. Correspondingly, each module/unit in the embodiments above may be implemented in hardware, for example by an integrated circuit realizing the corresponding function, or as a software functional module, for example by a processor executing a program/instructions stored in a memory. The embodiments of the present invention are not limited to any specific combination of hardware and software.
Although the embodiments of the present invention are disclosed above, the content described is merely an embodiment adopted to facilitate understanding of the present invention and is not intended to limit it. Any person skilled in the art to which the present invention belongs may make modifications and changes in the form and details of implementation without departing from the spirit and scope disclosed by the present invention, but the scope of patent protection of the present invention shall still be as defined by the appended claims.
Industrial applicability
As described above, the data access control method and apparatus provided by the embodiments of the present invention have the following beneficial effect: they solve the problem that, in prior-art data access control, only the BLP model or the BIBA model could be selected for use, so that information access could not satisfy confidentiality and integrity at the same time.

Claims (20)

  1. A data access control method, comprising:
    adjusting, according to a current access operation in a secure operating system (OS), the integrity level of an integrity label in the security context of a subject or an object, wherein the security contexts of the subject and the object are pre-configured with a confidentiality label indicating a secrecy level;
    performing the current access operation according to the secrecy levels of the subject and the object and the adjusted integrity levels of the subject and the object.
  2. The data access control method according to claim 1, wherein adjusting the integrity level of the integrity label in the security context of the subject or the object comprises:
    when a subject with a higher integrity level performs a read operation on an object with a lower integrity level, lowering the integrity level of the subject to the integrity level of the object; or,
    when a subject with a lower integrity level performs a write operation on an object with a higher integrity level, lowering the integrity level of the object to the integrity level of the subject.
  3. The data access control method according to claim 1, wherein adjusting the integrity level of the integrity label in the security context of the subject or the object comprises:
    setting the integrity label in the security context of the subject or the object to the corresponding integrity level indicated by a modify command.
  4. The data access control method according to any one of claims 1 to 3, wherein before adjusting the integrity level of the integrity label in the security context of the subject or the object, the method further comprises:
    configuring the integrity label in the security contexts of the subject and of the object, respectively.
  5. The data access control method according to claim 4, wherein adding the integrity label in the security context of the subject comprises:
    initializing the security context of the subject during user login in the secure OS;
    adding the integrity label to the security context of the subject by reading a preset subject integrity-level configuration file.
  6. The data access control method according to claim 5, wherein the subject integrity-level configuration file includes a first-level adjustment parameter; when the first-level adjustment parameter is 1, "read-down" operation permission is enabled, and when the first-level adjustment parameter is 0, "read-down" operation permission is disabled.
  7. The data access control method according to claim 6, wherein the initial value of the first-level adjustment parameter is 1.
  8. The data access control method according to claim 4, wherein configuring the integrity label in the security context of the object comprises:
    initializing the security context of the object during startup of the secure OS;
    configuring the integrity label in the security context of the object by reading a preset object integrity-level configuration file.
  9. The data access control method according to claim 8, wherein the object integrity-level configuration file includes a second-level adjustment parameter; when the second-level adjustment parameter is 1, "write-up" operation permission is enabled, and when the second-level adjustment parameter is 0, "write-up" operation permission is disabled.
  10. The data access control method according to claim 9, wherein the initial value of the second-level adjustment parameter is 0.
  11. A data access control apparatus, comprising an adjustment module and an access module connected to each other;
    the adjustment module being configured to adjust, according to a current access operation in a secure operating system (OS), the integrity level of an integrity label in the security context of a subject or an object, wherein the security contexts of the subject and the object are pre-configured with a confidentiality label indicating a secrecy level;
    the access module being configured to perform the current access operation according to the secrecy levels of the subject and the object and the integrity levels of the subject and the object as adjusted by the adjustment module.
  12. The data access control apparatus according to claim 11, wherein the adjustment module being configured to adjust the integrity level of the integrity label in the security context of the subject or the object comprises:
    being configured to, when a subject with a higher integrity level performs a read operation on an object with a lower integrity level, lower the integrity level of the subject to the integrity level of the object; or,
    being configured to, when a subject with a lower integrity level performs a write operation on an object with a higher integrity level, lower the integrity level of the object to the integrity level of the subject.
  13. The data access control apparatus according to claim 11, wherein the adjustment module being configured to adjust the integrity level of the integrity label in the security context of the subject or the object comprises:
    being configured to set the integrity label in the security context of the subject or the object to the corresponding integrity level indicated by a modify command.
  14. The data access control apparatus according to any one of claims 11 to 13, further comprising a configuration module connected to both the adjustment module and the access module, configured to configure the integrity label in the security contexts of the subject and of the object, respectively, before the adjustment module adjusts the integrity level of the integrity label in the security context of the subject or the object.
  15. The data access control apparatus according to claim 14, wherein the configuration module comprises an initialization unit and a configuration unit connected to each other;
    the initialization unit being configured to initialize the security context of the subject during user login in the secure OS;
    the configuration unit being configured to read a preset subject integrity-level configuration file and add the integrity label to the security context of the subject initialized by the initialization unit.
  16. The data access control apparatus according to claim 15, wherein the subject integrity-level configuration file includes a first-level adjustment parameter; when the first-level adjustment parameter is 1, "read-down" operation permission is enabled, and when the first-level adjustment parameter is 0, "read-down" operation permission is disabled.
  17. The data access control apparatus according to claim 16, wherein the initial value of the first-level adjustment parameter is 1.
  18. The data access control apparatus according to claim 14, wherein the configuration module comprises an initialization unit and a configuration unit connected to each other;
    the initialization unit being configured to initialize the security context of the object during startup of the secure OS;
    the configuration unit being configured to read a preset object integrity-level configuration file and configure the integrity label in the security context of the object initialized by the initialization unit.
  19. The data access control apparatus according to claim 18, wherein the object integrity-level configuration file includes a second-level adjustment parameter; when the second-level adjustment parameter is 1, "write-up" operation permission is enabled, and when the second-level adjustment parameter is 0, "write-up" operation permission is disabled.
  20. The data access control apparatus according to claim 19, wherein the initial value of the second-level adjustment parameter is 0.
PCT/CN2017/079738 2016-04-08 2017-04-07 Data access control method and device WO2017174030A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201610218182.9A CN107273754A (en) 2016-04-08 2016-04-08 A kind of data access control method and device
CN201610218182.9 2016-04-08

Publications (1)

Publication Number Publication Date
WO2017174030A1 true WO2017174030A1 (en) 2017-10-12

Family

ID=60000876

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2017/079738 WO2017174030A1 (en) 2016-04-08 2017-04-07 Data access control method and device

Country Status (2)

Country Link
CN (1) CN107273754A (en)
WO (1) WO2017174030A1 (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109413166A (en) * 2018-10-09 2019-03-01 浙江明度智控科技有限公司 A kind of industrial gateway and its data managing method
CN114826636A (en) * 2021-01-29 2022-07-29 华为技术有限公司 Access control system and related method and apparatus
CN115333862A (en) * 2022-10-13 2022-11-11 山东省人民政府机关政务保障中心 Network information security management system based on big data

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111177743B (en) * 2019-12-06 2022-02-22 西安交通大学 Credit big data oriented risk control method and system thereof
CN113468214B (en) * 2020-03-30 2022-04-29 阿里巴巴集团控股有限公司 Database access control method and device, electronic equipment and readable storage medium
CN112733165B (en) * 2021-01-07 2022-09-20 苏州浪潮智能科技有限公司 File access control method, device and medium
CN113127849A (en) * 2021-03-14 2021-07-16 曹庆恒 Private information using method and system and computer readable storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2007047798A1 (en) * 2005-10-21 2007-04-26 Sensis Corporation Method and apparatus for providing secure access control for protected information
CN101577622A (en) * 2009-06-24 2009-11-11 贵阳易特软件有限公司 Method for controlling access to shared component of leveled partition
CN101727545A (en) * 2008-10-10 2010-06-09 中国科学院研究生院 Method for implementing mandatory access control mechanism of security operating system
CN102904889A (en) * 2012-10-12 2013-01-30 北京可信华泰信息技术有限公司 Cross-platform-unified-management-supported mandatory access controlling system and method
CN104462899A (en) * 2014-11-29 2015-03-25 中国航空工业集团公司第六三一研究所 Trust access control method for comprehensive avionics system

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102495988A (en) * 2011-12-19 2012-06-13 北京诺思恒信科技有限公司 Domain-based access control method and system
US9047463B2 (en) * 2012-06-29 2015-06-02 Sri International Method and system for protecting data flow at a mobile device
CN104079569A (en) * 2014-06-27 2014-10-01 东湖软件产业股份有限公司 BLP improved model integrated with credibility level and authentication access method
CN104112089B (en) * 2014-07-17 2017-02-01 中国人民解放军国防科学技术大学 Multi-strategy integration based mandatory access control method

Also Published As

Publication number Publication date
CN107273754A (en) 2017-10-20

Similar Documents

Publication Publication Date Title
WO2017174030A1 (en) Data access control method and device
US10831886B2 (en) Virtual machine manager facilitated selective code integrity enforcement
JP6318425B2 (en) Read-only memory boot code patch
US9319380B2 (en) Below-OS security solution for distributed network endpoints
US8949565B2 (en) Virtual and hidden service partition and dynamic enhanced third party data store
US7600216B2 (en) Method for executing software applications using a portable memory device
US9026712B2 (en) USB device control using endpoint type detection during enumeration
US8161258B2 (en) Method to qualify access to a block storage device via augmentation of the device's controller and firmware flow
US9172724B1 (en) Licensing and authentication with virtual desktop manager
US20170372076A1 (en) Technologies for provisioning and managing secure launch enclave with platform firmware
US8499345B2 (en) Blocking computer system ports on per user basis
TW200527293A (en) A computer system employing a trusted execution environment including a memory controller configured to clear memory
WO2017088135A1 (en) Method and device for configuring security indication information
US10783075B2 (en) Data security for multiple banks of memory
US10235183B2 (en) Booting a system-on-a-chip device
US11822515B2 (en) Identifying and correlating physical devices across disconnected device stacks
US10795591B2 (en) Safe userspace device access for network function virtualization using an IOMMU to map supervisor memory to a reserved range of application virtual addresses
EP3721597A1 (en) Systems and methods for anonymizing user accounts
WO2019076297A1 (en) Processor system and terminal chip
JP2018124893A (en) Computer system and file access controlling method
CN106708596B (en) Method for adjusting input and output virtualized resources and processor
US20230359741A1 (en) Trusted boot method and apparatus, electronic device, and readable storage medium
WO2023155597A1 (en) Port management method, system and device, and computer readable storage medium
US10073710B2 (en) Host-driven application memory protection for virtual machines
EP3782066B1 (en) Nop sled defense

Legal Events

Date Code Title Description
NENP Non-entry into the national phase

Ref country code: DE

121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 17778693

Country of ref document: EP

Kind code of ref document: A1

122 Ep: pct application non-entry in european phase

Ref document number: 17778693

Country of ref document: EP

Kind code of ref document: A1