Research on Softwaization Techniques for ERT Trusted Root Entity in Railway Operation Environment

doi:10.3969/j.issn.1671-1122.2024.05.012

Abstract

Abstract:

In order to guarantee the information security of railway system, the article proposed a software-based technology of entity of root of Trust(ERT) in railway operation environment, which implemented the mandatory access control function in kernel, and realized a more fine-grained and powerful privilege management through the modification or extension of operating system kernel. Meanwhile, considering the problems of weak computing capability, limited storage space and unstable power supply of some devices in lightweight scenarios, a lightweight trusted computing system is proposed to maximally meet the requirements of trusted computing. Through the implementation of kernel-level mandatory access control and the transformation of the lightweight trusted computing system, the threat of unknown risks to critical infrastructure is mitigated, and a solid guarantee is provided for the security of the railroad system.

Key words: railway system information security, ERT trusted root entity, mandatory access control, trusted computing system

CLC Number:

TP309

WANG Wei, HU Yongtao, LIU Qingtao, WANG Kailun. Research on Softwaization Techniques for ERT Trusted Root Entity in Railway Operation Environment[J]. Netinfo Security, 2024, 24(5): 794-801.

Figures/Tables 14

References 13

[1]	ZHANG Boju, ZHU Guangjie. Research on Security Assurance System of Railway Critical Information Infrastructure[J]. Railroad Computer Application, 2022, 31(11): 1-5.
	张伯驹, 朱广劼. 铁路关键信息基础设施安全保障体系研究[J]. 铁路计算机应用, 2022, 31(11):1-5.
[2]	XUE Zhaohui, XIANG Min. Research on Data Center Security Protection under Zero-Trust Security Model[J]. Communication Technology, 2017, 50(6): 1290-1294.
	薛朝晖, 向敏. 零信任安全模型下的数据中心安全防护研究[J]. 通信技术, 2017, 50(6):1290-1294.
[3]	LI Fenghua, SU Mang, SHI Guozhen, et al. Research Progress and Development Trend of Access Control Modeling[J]. Journal of Electronics, 2012, 40(4): 805-813.
	李凤华, 苏铓, 史国振, 等. 访问控制模型研究进展及发展趋势[J]. 电子学报, 2012, 40(4):805-813. doi: 10.3969/j.issn.0372-2112.2012.04.030
[4]	WEI Xingmin, HE Jiangmin. Discussion on Mandatory Access Control Technology in Information Security Level Protection Technology[J]. Electronic World, 2019, 8(8): 148-150.
	魏兴民, 贺江敏. 信息安全等级保护技术之强制访问控制技术探讨[J]. 电子世界, 2019, 8(8):148-150.
[5]	FENG Chaosheng, YU Keping, BASHIR A K, et al. Efficient and Secure Data Sharing for 5G Flying Drones: A Blockchain-Enabled Approach[J]. IEEE Network, 2021, 35(1): 130-137.
[6]	CHEN Danhui, ZHANG Weijun, ZHOU Anran. Research on Host Security Protection Technology of Railroad Communication Network Based on Trusted Computing Environment[J]. Railway Communication Signal, 2022, 58(7): 74-78.
	陈丹晖, 张卫军, 周安冉. 基于可信计算环境的铁路通信网络主机安全防护技术研究[J]. 铁道通信信号, 2022, 58(7):74-78.
[7]	ZHANG Xinwen, COVINGTON M J, CHEN Songqing, et al. SecureBus: Towards Application-Transparent Trusted Computing with Mandatory Access Control[C]// ACM. 2nd ACM Symposium on Information, Computer and Communications Security. New York: ACM, 2007: 117-126.
[8]	ROSSI M, FACCHINETTI D, BACIS E, et al. {SEApp}: Bringing Mandatory Access Control to Android APPs[C]// USENIX. 30th USENIX Security Symposium(USENIX Security 21). New York: USENIX, 2021: 3613-3630.
[9]	DING Yan, WANG Peng, WANG Chuang, et al. Attribute-Based Dynamic Mandatory Access Control Mechanism for Operating Systems[J]. Computer Engineering and Science, 2023, 45(10): 1770-1778.
	丁滟, 王鹏, 王闯, 等. 基于属性的操作系统动态强制访问控制机制[J]. 计算机工程与科学, 2023, 45(10):1770-1778.
[10]	LIU Haidong, GUO Songhui, SUN Lei, et al. Trusted Computing Architecture for Secure Network Functions[C]// IEEE. 2020 7th International Conference on Information Science and Control Engineering(ICISCE). New York: IEEE, 2020: 1478-1483.
[11]	KANG Luyi, XUE Yuqi, JIA Weiwei, et al. Iceclave: A Trusted Execution Environment for in-Storage Computing[C]// IEEE. MICRO-54: 54th Annual IEEE/ACM International Symposium on Microarchitecture. New York: IEEE, 2021: 199-211.
[12]	FENG Dengguo, LIU Jingbin, QIN Yu, et al. Trustworthy Computing Theory and Technology in Innovative Development[J]. Chinese Science: Information Science, 2020, 50(8): 1127-1147.
	冯登国, 刘敬彬, 秦宇, 等. 创新发展中的可信计算理论与技术[J]. 中国科学:信息科学, 2020, 50(8):1127-1147.
[13]	SUO Xiangrong, QI Sheng, ZHANG Yuebin, et al. Research on Fine-Grained Access Control Scheme for Railroad Cloud Platform[J]. Railroad Computer Application, 2021, 30(4): 45-49.
	锁向荣, 齐胜, 张悦斌, 等. 铁路云平台细粒度访问控制方案研究[J]. 铁路计算机应用, 2021, 30(4):45-49.

主体	主体用户	保护客体	操作系统权限	MAC 权限	实验效果
所有程序\指定程序	所有用户	如/home	读、写	读	只读
所有程序\指定程序	所有用户	可执行程序	读、写、执行权限	禁止执行	无法运行
所有程序\指定程序	所有用户	进程、子进程	可以kill	禁止kill	无法kill

防护类型	主体用户	保护客体	权限
文件	操作系统用户及自定义用户	文件、文件夹路径	只读、只写
程序	操作系统用户及自定义用户	可执行程序	禁止运行
进程	操作系统用户及自定义用户	正在运行的进程	禁止kill
子进程	操作系统用户及自定义用户	正在运行的子进程	禁止kill
Windows 注册表	操作系统用户及自定义用户	注册表编辑	只读、只写

序号	操作系统	初始规则	规则说明
1	Windows	禁止Powershell	禁止Powershell命令
2	Windows	PHP的webshell防护	针对PHP类的webshell具有防止执行命令的保护作用
3	Windows	防止WMIC远程执行	禁止通过WMIC的方式进行远程执行操作
4	Windows	防止SC远程执行	禁止通过SC的方式进行远程执行操作
5	Windows	重要文件防篡改	标记重要文件防篡改
6	Windows	程序运行禁止	危险指令禁止执行
7	Windows	ASPX的webshell防护	针对ASP、ASPX类的webshell具有防止执行命令的保护作用
8	Windows	保护host文件	保护host文件，防止DNS劫持
9	Windows	JSP的webshell防护	针对JSP、JSPX类的webshell起到防止执行命令的保护作用
10	Windows	引导文件保护	Windows系统的引导文件只读保护
11	Windows	下载进程禁止	阻止常用的命令行下载工具执行
12	Windows	防止PsExec远程执行	禁止通过PsExec的方式进行远程执行操作
13	Windows	禁止修改服务	防止对系统服务进行增、删、改
14	Windows	启动项保护	对自启动相关的目录及注册表进行保护

技术区别	最小利用率	最大利用率	平均值
无系统漏洞安全免疫	2.53%	74.58%	10.84%
系统漏洞安全免疫开启	3.31%	60.43%	11.29%
系统漏洞安全免疫关闭	4.09%	61.22%	11.34%

技术区别	最小值	最大值	平均值
无系统漏洞安全免疫	12.03 GB	12.16 GB	12.12 GB
系统漏洞安全免疫开启	12.02 GB	12.16 GB	12.12 GB
系统漏洞安全免疫关闭	12.01 GB	12.16 GB	12.12 GB