Security on-demand architecture with multiple modules support

Abstract

It's very important for a general-purpose operating system to have a security-tunable feature to meet different security requirements. This can be achieved by supporting diverse security modules, invoking them on demand. However, the security architectures of existing projects on Linux kernels do not support this feature or have some drawbacks in their supporting. Thus we introduce a layered architecture which consists of original kernel layer, module coordination layer and module decision layer. The architecture supports multiple modules register, resolves policy-conflicts of modules by changing their invoking order, and allow user to customize the security by enabling or disabling modules during runtime. The detailed structure and implementation in Linux based system, SECIMOS is described. The caching issue and performance are also discussed. Our practice showed the architecture helps us achieve flexible adaptation in different environments. © Springer-Verlag Berlin Heidelberg 2005.