Abstract:In order to support to the princir'le of least pfivUege effectively,considering the fimitatinns of traditional privilege mechanisms,a new Linux privilege mechanism called controlled privilege framewo (CPF) is proposed.CPF provides a fine-granularity partition of system privileges;improves the privilege computing mechanism of privileged process;and introduces the notation of privilege state for privilege control,refines the unit of pdvilege control farther.Based on CPF,fine-granularity and automatic privilege control can be performed totally transparent to all applications.The experimental results show that the threats of introsion are reduced and effective support to the prineiple ofleast privilege can be achieved.