Chinese Academy of Sciences Institutional Repositories Grid
Research on Key Technologies of Secure Operating Systems for Network Environments (网络安全操作系统关键技术研究)

Document type: Thesis

Author: Li Shangjie (李尚杰)
Degree: Doctoral (PhD)
Defense date: 2010-11-25
Degree-granting institution: Graduate University of Chinese Academy of Sciences (中国科学院研究生院)
Place: Beijing
Supervisor: He Yeping (贺也平)
Keywords: secure operating system; security policy architecture; trusted subject; privacy-preserving remote attestation
Major: Computer Application Technology
Abstract (Chinese original, translated)
中文摘要

This thesis studies key problems in the development of secure operating systems and in their adaptability to network environments. Viewed from the information system as a whole, the secure operating system is the foundation for countering all kinds of security threats. In a network environment, computer systems face complex and diverse security threats, in particular the leakage of confidential information. Network environments pose new challenges and requirements for the research and development of secure operating systems: 1) a network environment needs a multi-level framework for enforcing security policy, whereas secure operating systems built on a security kernel always concentrate the security functions in a minimal security kernel; 2) the one-way information flow imposed by the confidentiality policy of a secure operating system conflicts with the bidirectional information exchange of a network environment, so that a large number of trusted subjects must be introduced; 3) independent nodes in a network lack the trust they need in one another.

This thesis studies the key problems in these areas and makes the following contributions:

First, to meet the requirement for multi-level policy enforcement in network environments, a secure operating system architecture based on a virtual machine environment is explored. A dual-kernel architecture based on virtual machines is proposed; it takes isolation as its foundation and decomposes the operating system into components that can be designed, developed and evaluated separately. A message-based policy architecture is also proposed to constrain the design and development of those components. The isolation problems of dynamic memory management in a virtual machine environment are analysed, and a secure memory management scheme based on the BLP model is proposed.

Second, trusted subjects in secure operating systems are studied. This involves identifying trusted subjects, determining their security requirements, and assessing the security risk each poses to the system as a whole. Taking information-flow analysis as its basis, the thesis locates trusted subjects through the information-flow conflicts between the TE security specification and the MLS policy, determines the security label range of each trusted subject, and uses risk analysis to assign a security assurance level to each one.

Third, to address the lack of trust in network environments, platform attestation techniques for establishing remote trust are studied, with particular attention to the privacy of platform attestation. The thesis proposes a privacy-hiding measurement architecture together with a corresponding remote platform attestation scheme, which remedies the configuration-privacy leakage of the TCG-based IMA measurement architecture. On this basis, a hybrid attestation scheme combining binary attestation with property-based attestation is proposed; it protects platform-configuration privacy without the online trusted third party that property-based attestation requires.

Fourth, the configuration-privacy protection provided by property-based attestation is studied. The thesis presents several methods that can be used to attack the privacy protection of property-based attestation: the singular-property method, incremental analysis and statistical analysis. These show that property-based attestation does not protect configuration privacy completely, and that it does so only when certain conditions are met in its design. This work can also serve as a reference for the design of property-based attestation.

Abstract (English)

This thesis focuses on the key problems in the development of a secure operating system and in its adaptability to network environments. In general, secure operating systems are the foundation for countering security threats. In network environments, computer systems are confronted with complex and varied security threats, especially the leakage of confidential information. Network environments introduce new challenges and requirements for secure operating systems: 1) network environments need a multi-layered security policy enforcement framework, whereas a traditional secure operating system depends on a small security kernel that contains all security functions; 2) the classic confidentiality policy of a secure operating system imposes one-way information flow, which conflicts with the requirement for interactive (bidirectional) information flow, so that many trusted subjects must be introduced; 3) trust is absent among platforms in a network.

To address these problems, we study the key technologies of secure operating systems and obtain the following main results:

First, to meet the multi-layered policy enforcement requirement, we investigate the secure operating system architecture and propose a dual-kernel architecture for a secure operating system based on a virtual machine. Because this architecture rests on separation, the functions of the operating system can be decomposed into components that can be designed, developed and certified independently. A message-based security policy architecture is then proposed as a means of constraining the design and development of the secure operating system. We also analyse the separation of dynamic memory management in the virtual machine and present a secure memory management scheme based on the BLP model.
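The memory-management point above, as an added example that is not the thesis's own scheme: a monitor-side allocator labels every frame it hands to a virtual-machine domain, enforces the two BLP rules on reads and writes, and scrubs a released frame before it can be reused by a domain at another level (the residual-data channel that dynamic memory management opens between otherwise isolated VMs). The two-level lattice, the frame size and the names are assumptions made for this example.

```python
"""Added example: BLP-style labels on memory frames shared between VM domains.

Hypothetical model, not the thesis's scheme: frames handed out by the monitor
carry a security label, a domain may only read frames it dominates (simple
security property), may only write frames that dominate it (*-property), and
a released frame is scrubbed before it can be reallocated.
"""
from dataclasses import dataclass, field
from typing import Optional

# Two-level linear lattice with categories; the thesis does not fix one (assumption).
LEVELS = {"low": 0, "high": 1}


@dataclass(frozen=True)
class Label:
    level: str
    categories: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        """BLP dominance: level at least as high and categories a superset."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.categories <= self.categories)


@dataclass
class Frame:
    number: int
    label: Optional[Label] = None            # None: free and scrubbed
    contents: bytearray = field(default_factory=lambda: bytearray(16))


class SecureMemoryManager:
    """Monitor-side allocator that labels frames and mediates every access."""

    def __init__(self, nframes: int):
        self.frames = [Frame(i) for i in range(nframes)]
        self.audit: list = []

    def allocate(self, domain: str, label: Label) -> int:
        """Give a free frame to a domain; the frame takes the requested label."""
        for f in self.frames:
            if f.label is None:
                f.label = label
                self.audit.append(f"alloc frame {f.number} to {domain} at {label.level}")
                return f.number
        raise MemoryError("no free frames")

    def read(self, frame_no: int, subject: Label) -> bytes:
        """Simple security property: no read up."""
        f = self.frames[frame_no]
        if f.label is None or not subject.dominates(f.label):
            raise PermissionError(f"read-up denied on frame {frame_no}")
        return bytes(f.contents)

    def write(self, frame_no: int, subject: Label, data: bytes) -> None:
        """*-property: no write down (a low subject may still write up, blindly)."""
        f = self.frames[frame_no]
        if f.label is None or not f.label.dominates(subject):
            raise PermissionError(f"write-down denied on frame {frame_no}")
        data = data[:len(f.contents)]
        f.contents[:len(data)] = data

    def release(self, frame_no: int) -> None:
        """Scrub before returning the frame to the pool, so residual data cannot
        flow to the next, possibly lower-labelled, owner."""
        f = self.frames[frame_no]
        f.contents[:] = bytes(len(f.contents))
        f.label = None


def demo() -> dict:
    """Exercise the checks on one frame; returns the observations as a dict."""
    mm = SecureMemoryManager(2)
    high, low = Label("high"), Label("low")
    fr = mm.allocate("vm_high", high)
    mm.write(fr, high, b"secret")
    try:
        mm.read(fr, low)
        read_up_blocked = False
    except PermissionError:
        read_up_blocked = True
    mm.release(fr)
    fr2 = mm.allocate("vm_low", low)          # same physical frame, now low
    return {"read_up_blocked": read_up_blocked,
            "reused_frame": fr2 == fr,
            "reused_contents": mm.read(fr2, low)}


if __name__ == "__main__":
    print(demo())
```

The check that matters for isolation is in `release`: without the scrub, the low domain that receives the recycled frame would read the high domain's leftover bytes even though every labelled access was mediated correctly.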

Second, we study trusted subjects in the secure operating system. This work involves identifying trusted subjects, determining their security requirements and assessing the overall risk they introduce. Based on information-flow analysis, the thesis identifies trusted subjects through conflicts between the information flows permitted by the TE specification and those permitted by the MLS policy. Security requirements such as the security label range and the security assurance level of each trusted subject are then derived from a risk analysis.
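The identification step above, as an added example that is not the thesis's own tool: a constructed TE policy fragment (hypothetical domains, types, labels and allow rules) is checked rule by rule against MLS, every domain with a TE-permitted flow that MLS forbids is reported as a trusted subject, and the levels it touches give its label range and a simple risk score. The 1..3 assurance scale and the scoring rule are assumptions for illustration only.

```python
"""Added example: locating trusted subjects as TE/MLS information-flow conflicts.

Hypothetical policy fragment, constructed for this example.  A TE allow rule
permits a flow; MLS permits a read only when the subject dominates the object
and a write only when the object dominates the subject.  A domain whose TE
rules permit a flow MLS forbids can only operate as a trusted subject.
"""
from collections import defaultdict

LEVEL = {"s0": 0, "s1": 1, "s2": 2}

LABELS = {
    "user_t": "s0", "editor_t": "s1", "guard_t": "s2",             # domains
    "public_file_t": "s0", "report_t": "s1", "secret_db_t": "s2",  # types
}

# (domain, type, permission): 'read' flows object -> subject, 'write' subject -> object.
ALLOW = [
    ("user_t", "public_file_t", "read"),
    ("user_t", "public_file_t", "write"),
    ("user_t", "report_t", "read"),            # read-up: s0 subject, s1 object
    ("editor_t", "report_t", "write"),
    ("editor_t", "public_file_t", "read"),
    ("editor_t", "public_file_t", "write"),    # write-down: s1 subject, s0 object
    ("guard_t", "secret_db_t", "read"),
    ("guard_t", "public_file_t", "read"),
    ("guard_t", "report_t", "write"),          # write-down: s2 subject, s1 object
]


def mls_permits(domain: str, typ: str, perm: str) -> bool:
    """Simple security property for reads, *-property for writes."""
    s, o = LEVEL[LABELS[domain]], LEVEL[LABELS[typ]]
    return s >= o if perm == "read" else o >= s


def find_trusted_subjects(allow):
    """Map each domain to the TE-allowed flows that MLS would reject."""
    conflicts = defaultdict(list)
    for domain, typ, perm in allow:
        if not mls_permits(domain, typ, perm):
            conflicts[domain].append((typ, perm))
    return dict(conflicts)


def label_range(domain: str, allow):
    """(low, high) levels a trusted subject must span to cover every object it touches."""
    levels = [LEVEL[LABELS[t]] for d, t, _ in allow if d == domain]
    levels.append(LEVEL[LABELS[domain]])
    return min(levels), max(levels)


def assurance_level(domain: str, conflicts, allow) -> int:
    """Risk-based assignment on a hypothetical 1..3 scale: the wider the label
    range and the more MLS exemptions, the more assurance the subject needs."""
    low, high = label_range(domain, allow)
    score = (high - low) + len(conflicts.get(domain, []))
    return 1 if score <= 1 else 2 if score <= 2 else 3


def report(allow=ALLOW) -> dict:
    """Per trusted subject: its conflicting flows, label range and assurance level."""
    conflicts = find_trusted_subjects(allow)
    return {d: {"conflicts": conflicts[d],
                "label_range": label_range(d, allow),
                "assurance_level": assurance_level(d, conflicts, allow)}
            for d in sorted(conflicts)}


if __name__ == "__main__":
    for domain, info in report().items():
        print(domain, info)
```

In this fragment `guard_t` is the subject to worry about: it reads at s2, writes at s1 and spans the whole lattice, which is exactly the downgrader that bidirectional network interaction forces onto an MLS system.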

Third, we investigate remote attestation to address the absence of trust in the network, paying particular attention to the privacy of remote attestation. A privacy-hiding integrity measurement architecture is proposed to remedy the privacy disclosure of the original IMA, and the attestation process is enhanced accordingly. Building on this, a hybrid attestation model combining binary attestation and property-based attestation is proposed, which preserves privacy in attestation without an online trusted third party for configuration-to-property translation.

Finally, we discuss the privacy of property-based attestation. Several methods that an attacker can exploit are presented: the singular-property method, incremental analysis and statistical analysis. The results demonstrate that property-based attestation is not intrinsically privacy-preserving and that privacy must be considered explicitly in its design. These methods also provide a guideline for designing property-based attestation.
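The two attestation points above (the configuration leak of binary attestation in the third contribution, and the singular-property and incremental-analysis attacks on property-based attestation in the fourth), as one added example that is not the thesis's privacy-hiding or hybrid scheme: a TCG/IMA-style measurement log is replayed into a PCR, which only works if the verifier sees every measured file; then a constructed configuration-to-property table shows how a property held by a single configuration, or the difference between two successive attestations, gives the configuration back. The file contents, component names, property names and the table are hypothetical, and the statistical-analysis method is not shown.

```python
"""Added example: what a verifier learns from binary (IMA-style) attestation,
and how property-based attestation can still leak configuration.

Constructed for illustration; not the thesis's privacy-hiding or hybrid
schemes.  Part one replays a TCG/IMA-style measurement log into a PCR value.
Part two runs the singular-property and incremental-analysis attacks against
a hypothetical configuration/property table.
"""
import hashlib
from collections import Counter


def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM 1.2-style extend: PCR_new = SHA1(PCR_old || measurement)."""
    return sha1(pcr + measurement)


# Constructed file contents standing in for measured boot-time binaries.
SAMPLE_FILES = [
    ("/boot/vmlinuz", b"kernel image bytes"),
    ("/usr/sbin/sshd", b"sshd binary bytes"),
    ("/etc/ssh/sshd_config", b"PermitRootLogin no\n"),
]


def measure_boot(files):
    """IMA-like measurement: a log of (name, hash) entries plus the resulting PCR."""
    pcr, log = bytes(20), []
    for name, content in files:
        digest = sha1(content)
        log.append((name, digest))
        pcr = extend(pcr, digest)
    return log, pcr


def verify_binary(log, quoted_pcr: bytes) -> bool:
    """Replay the log against the quoted PCR.  Every file name and hash in the
    log is exposed to the verifier: this is the configuration-privacy leak."""
    pcr = bytes(20)
    for _, digest in log:
        pcr = extend(pcr, digest)
    return pcr == quoted_pcr


# Property-based attestation: a trusted third party maps configurations
# (sets of component versions) to the properties they satisfy.  Hypothetical.
CONFIGS = {
    "cfgA": {"kernel_v1", "sshd_v1", "tls_v1"},
    "cfgB": {"kernel_v1", "sshd_v1", "tls_v2"},
    "cfgC": {"kernel_v2", "sshd_v2", "tls_v2"},
}
PROPERTIES = {
    "cfgA": {"P_mls_kernel", "P_ssh_hardened"},
    "cfgB": {"P_mls_kernel", "P_ssh_hardened", "P_tls_patched"},
    "cfgC": {"P_mls_kernel", "P_tls_patched", "P_new_crypto"},
}


def candidates(attested, table=PROPERTIES):
    """Configurations consistent with an attested property set."""
    return sorted(c for c, props in table.items() if attested <= props)


def singular_properties(table=PROPERTIES):
    """Singular-property method: a property held by exactly one configuration
    identifies that configuration as soon as it is attested."""
    counts = Counter(p for props in table.values() for p in props)
    return {p for p, n in counts.items() if n == 1}


def incremental_analysis(before, after, table=PROPERTIES, configs=CONFIGS):
    """Incremental analysis: two attestations from the same platform narrow the
    change to the components that differ between candidate configurations."""
    changes = set()
    for x in candidates(before, table):
        for y in candidates(after, table):
            if x != y:
                changes.add(frozenset(configs[x] ^ configs[y]))
    return changes


if __name__ == "__main__":
    log, pcr = measure_boot(SAMPLE_FILES)
    print("binary attestation ok:", verify_binary(log, pcr))
    print("verifier saw:", [name for name, _ in log])
    print("singular:", singular_properties())
    print("cfg for P_new_crypto:", candidates({"P_new_crypto"}))
    print("changed:", incremental_analysis({"P_ssh_hardened"},
                                           {"P_ssh_hardened", "P_tls_patched"}))
```

Attesting `P_ssh_hardened` alone leaves two candidates, but the moment `P_tls_patched` appears in the next attestation from the same platform the verifier knows the TLS component went from `tls_v1` to `tls_v2`: the property layer hides the configuration only while the table keeps several configurations behind every attested set.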

Subject: Computer Applications, Other
Language: Chinese
Public release date: 2010-12-01
Source URL: http://124.16.136.157/handle/311060/5553
Collection: Institute of Software_National Engineering Research Center for Fundamental Software_Theses
Recommended citation (GB/T 7714)
李尚杰. 网络安全操作系统关键技术研究[D]. 北京. 中国科学院研究生院. 2010.

Ingest method: OAI harvesting

Source: Institute of Software


Unless otherwise stated, all content in this system is protected by copyright, with all rights reserved.