首页 | 本学科首页   官方微博 | 高级检索  
     

基于安全审计日志的网络文件系统数据完整性保护方法
引用本文:黄荣荣,舒继武,肖达,陈康.基于安全审计日志的网络文件系统数据完整性保护方法[J].计算机研究与发展,2009,46(Z2).
作者姓名:黄荣荣  舒继武  肖达  陈康
作者单位:清华大学计算机科学与技术系,北京,100084
基金项目:国家"九七三"重点基础研究发展计划基金项目,教育部新世纪优秀人才支持计划基金项目 
摘    要:网络文件系统在方便数据共享的同时也带来了新的安全隐患,审计日志跟踪并记录文件服务器上数据的变化,对于分析评价系统的安全性有重要价值.现有的系统因为不能防止内部攻击以保证审计日志的安全性,无法很好地满足用户需求,如攻击者可以直接通过驱动程序修改磁盘上的审计日志来删除敏感数据.提出了一种基于安全审计日志的对网络文件服务器上的数据进行完整性保护的方法.服务器中的每个文件和目录都对应一个认证符以保证其完整性,通过将文件服务器上的活动记录下来并生成日志,事后根据认证符和分析日志信息来对数据进行审计.另外,通过引入一个可信组件来生成认证符和审计日志并保证它们的安全性.根据该方法在NFS服务器上实现了原型系统Nfsd-log并对其进行了性能测试.SSH-build的测试结果表明,Nfsd-log的总时间开销比未受审计日志保护的原始NFS服务器的时间开销仅增加9.2%.

关 键 词:网络文件系统  审计日志  认证符  防篡改硬件

A Data Integrity Protection Method for Network File Systems Based on Secure Audit Logs
Huang Rongrong,Shu Jiwu,Xiao Da,Chen Kang.A Data Integrity Protection Method for Network File Systems Based on Secure Audit Logs[J].Journal of Computer Research and Development,2009,46(Z2).
Authors:Huang Rongrong  Shu Jiwu  Xiao Da  Chen Kang
Abstract:Network file systems facilitate data sharing but also introduce new vulnerabilities.Audit logs that trace the changes of file system data to prevent fraudulent manipulation of data have great value in evaluating system security.Current systems cannot satisfy the requirement of users because they fail to ensure the security of audit logs.The powerful insider adversary can modify the audit logs covertly to erase evidence of illegal modification directly via device drivers.A data integrity protection method is presented for network file systems based on secure audit logs.Every file and directory has an authenticator to ensure the integrity of data.All changes to data are traced and the corresponding audit logs are generated.At a later time,an auditor may verify the data of a file according to the authenticators and audit logs.A trusted hardware is introduced to manage audit key and to enable the generation and trustworthiness of authenticators and audit logs.A prototype of Nfsd-log is implemented based on the NFS server in Linux and its performance iS evaluated. SSH-build benchmark test shows that the total time overhead of Nfsd-log only increase by 9.2% comparing with original NFS server.
Keywords:network file system  audit logs  authenticator  tamper-resistant hardware
本文献已被 万方数据 等数据库收录!
设为首页 | 免责声明 | 关于勤云 | 加入收藏

Copyright©北京勤云科技发展有限公司  京ICP备09084417号