
Study on Flexible Access Control (柔性访问控制研究)

【Author】 张明生

【Advisor】 张明义

【Author information】 贵州大学 (Guizhou University), Computer Software and Theory, 2008, PhD dissertation

【Abstract (translated from the Chinese)】 Information security is one area of trusted computing, and access control is the foundation of information security as a whole. Access control protects the data and resources maintained by a secure system against unauthorized access and improper modification while ensuring their availability to legitimate users. An access control system is always developed in several phases based on a security policy, a security model and a security mechanism. Defining an access control policy or model, however, is non-trivial: the main difficulty lies in interpreting real-world security policies (usually complex and sometimes ambiguous) as precise definitions and unambiguous rules, and translating them so that a computer system can implement them easily. As access control theory has developed and the security requirements of practical applications have grown, expressiveness and flexibility have become top priorities for an access control system, while access control must also routinely deal with conflict, simplicity and efficiency; that is, a modern access control policy must be flexible enough to capture real-world security requirements. Flexible access control mainly concerns flexible authorization, logic-based formalization and policy integration, which are current hot topics and development trends in access control. We study how to specify real-world flexible access control policies with the expressive and computational power of logic programs; how to balance expressiveness, simplicity and efficiency in flexible access control specifications; how to handle conflicts in flexible access control; how to integrate the strengths of existing flexible access control theories in one framework; and how to capture flexibility with commonsense (i.e. non-monotonic) reasoning. This dissertation concentrates on the following problems: the concept of flexible access control; the flexibility of the role-based access control (RBAC) model; conflict resolution in flexible access control policies; and the design and analysis of a flexible authorization framework based on logic programs. In-depth study of these problems produced results and innovations in four areas.

(1) Specification and analysis of flexible access control. To our knowledge the concept of flexible access control has not been clearly defined or summarized; we consider its meaning ambiguous and still evolving. Flexibility can be understood simply as "multi-attribute" and "multi-domain", but today's flexible access control also involves trust management and trust negotiation, so a summary of the concept and a description of its characteristics are needed. Further, we analyze several problems in representing flexible access control policies with logic programs, in particular how "flexible" features are specified by logic program rules. We also study several popular authorization frameworks. The results are:
-- The conceptual extension of flexible access control can be summarized as: expression from explicit to implicit; decision from identity to subject attributes; update from static to dynamic; enforcement from single to compositional; environment from closed to open.
-- The characteristics of flexible access control are: conditions (system, context and history); hierarchies (of subjects, objects, privileges and roles); positive and negative authorizations; attribute-based specification; dynamic environments; authorization derivation.
-- Analysing the structural features of a logic program determines the properties of the corresponding security requirements and at the same time determines the program's semantic computation.
-- The strengths and weaknesses of several classical authorization frameworks are complementary and overlapping, which leaves room for further research.

(2) Flexibility of the RBAC model. Building on an analysis of the flexibility of RBAC, we pose the problem of a formal analysis of implementing LBAC policies in RBAC, i.e. how to enforce lattice-based access control (LBAC) policies with RBAC mechanisms. Although there is existing work on the relationship between LBAC and RBAC, most of it is informal. Our study is based on formal methods involving relations, logic and homomorphisms. Its main contributions are:
-- The formal analysis shows how the RBAC framework can enforce the key LBAC policies; RBAC has a good mechanism, the role, which gives a uniform treatment of a range of LBAC systems.
-- Several lattice-based access control policies are shown to be implementable in RBAC, and RBAC's administrative mechanism is also clearly explored.
-- Using one security model as a unifying principle for studying others makes it possible to explore a way of reasoning about the integration of security policies.

(3) Conflict resolution with preference. To our knowledge, literal-preference conflict resolution has rarely been applied in the access control field. Following the principles of conflict resolution, we study the problem of resolving conflicts with LPOD programs, i.e. with the rules of logic programs with ordered disjunction (LPOD). The proposed method has the following advantages:
-- It is a preference-based conflict resolution method based on literals and dependent on context; unlike rule-priority and organization-based strategies, it is fine-grained.
-- The semantics of an LPOD program is not the usual stable model semantics, but its computation can be transformed into stable model computation; in this sense the method is novel.
-- The criteria for selecting the answer sets of an LPOD program are flexible and adapt well to practical requirements.

(4) A flexible authorization framework based on logic programs. We propose an authorization framework composed of three program modules: a PRAP component, a URAP component and a UR-RP authorization policy. PRAP, the "privilege-role assignment program", assigns privileges to roles; URAP, the "user-role assignment program", assigns roles to users; and the UR-RP program combines PRAP and URAP to integrate multiple policies. The framework has the following advantages:
-- Because its administrative mechanism is based on RBAC, it is easy to extend and refine further.
-- Because it is based on logic programs, it is flexible; organizing the rules of a policy specification with RBAC strengthens the structure of the specification.
-- The component modules can exploit the strengths of existing theories. For example, PRAP uses the fine-grained, structured propagation (inheritance) mechanism of the Bertino99 framework for roles, objects and privileges; URAP uses the multiple conflict resolution and decision policies of the FAF theory for users; and UR-RP explicitly expresses the session function of RBAC.
-- The component modules enforce their policies independently and interact within one unified framework; this enforcement and interaction is in fact based on the combination of logic programs.
-- Because non-monotonic theory is applied in the framework, belief revision can be used to realize flexible real-world policies.
All the above results are valuable both in theory and in practice, and they form the basis for our further study of flexible access control.
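The construction behind contribution (2), an LBAC lattice enforced by RBAC role hierarchies, can be made concrete. The Python below is an added illustration written for this page, not code from the dissertation: it follows Sandhu's well-known encoding of Bell-LaPadula in RBAC (a read-role hierarchy that mirrors the label lattice, a write-role hierarchy that inverts it, and a session constraint that activates exactly one matching read/write pair) and then checks by exhaustive comparison that the RBAC decisions coincide with the simple-security and liberal *-properties. The levels, categories and object labels are constructed sample data.

```python
"""Encoding a Bell-LaPadula lattice in RBAC. The construction is Sandhu's;
the code, levels, categories and objects are constructed for illustration
and are not the dissertation's own."""
from itertools import combinations

LEVELS = {"U": 0, "C": 1, "S": 2}           # unclassified < confidential < secret
CATEGORIES = ("nuc", "eur")                 # compartments (constructed)


def dominates(x, y):
    """Lattice order: x >= y iff both the level and the category set dominate."""
    (lx, cx), (ly, cy) = x, y
    return LEVELS[lx] >= LEVELS[ly] and cx >= cy


def all_labels():
    cats = [frozenset(c) for n in range(len(CATEGORIES) + 1)
            for c in combinations(CATEGORIES, n)]
    return [(lvl, c) for lvl in LEVELS for c in cats]


def role_hierarchy(labels):
    """Map each role to the roles whose permissions it inherits (itself included).
    xR >= yR iff x dominates y: a senior read role reads everything below it.
    xW >= yW iff y dominates x: the dual, so a junior label may write upward."""
    juniors = {}
    for x in labels:
        juniors[("R", x)] = {("R", y) for y in labels if dominates(x, y)}
        juniors[("W", x)] = {("W", y) for y in labels if dominates(y, x)}
    return juniors


def permission_assignment(objects):
    """(o, read) is assigned to the read role of o's label, (o, write) to its write role."""
    pa = {}
    for obj, lab in objects.items():
        pa.setdefault(("R", lab), set()).add((obj, "read"))
        pa.setdefault(("W", lab), set()).add((obj, "write"))
    return pa


OBJECTS = {  # constructed object labels
    "plan.txt": ("S", frozenset({"nuc"})),
    "memo.txt": ("C", frozenset()),
    "notes.txt": ("U", frozenset({"eur"})),
}


def session_permissions(x, juniors, pa):
    """RBAC session constraint: exactly the pair xR, xW is active; the session
    holds every permission of those roles and of all their juniors."""
    perms = set()
    for role in (("R", x), ("W", x)):
        for junior in juniors[role]:
            perms |= pa.get(junior, set())
    return perms


def decide(clearance, login_label, obj, op, objects=OBJECTS):
    """RBAC decision for a user cleared at `clearance` who opened a session at `login_label`."""
    if not dominates(clearance, login_label):
        raise ValueError("a session may only be opened at a label dominated by the clearance")
    labels = all_labels()
    perms = session_permissions(login_label, role_hierarchy(labels),
                                permission_assignment(objects))
    return (obj, op) in perms


def lbac_allows(x, obj_label, op):
    """Reference LBAC rules: simple security (read down), liberal *-property (write up)."""
    return dominates(x, obj_label) if op == "read" else dominates(obj_label, x)


def rbac_matches_lbac(objects=OBJECTS):
    """Exhaustive check that the RBAC encoding decides exactly as LBAC does."""
    labels = all_labels()
    juniors, pa = role_hierarchy(labels), permission_assignment(objects)
    return all(((o, op) in session_permissions(x, juniors, pa)) == lbac_allows(x, lab, op)
               for x in labels for o, lab in objects.items() for op in ("read", "write"))


if __name__ == "__main__":
    top = ("S", frozenset(CATEGORIES))
    print(decide(top, ("C", frozenset()), "plan.txt", "write"))   # True: write up
    print(decide(top, ("C", frozenset()), "plan.txt", "read"))    # False: no read up
    print(rbac_matches_lbac())                                    # True
```

The equivalence check is the part a practitioner should keep: whenever the object set or the lattice changes, rerunning it confirms that the role hierarchies and the session constraint still enforce the lattice policy rather than an accidental relaxation of it.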

【Abstract】 Information security is a realm of trusted computing, and access control plays an important role in information security as a whole. Access control protects the data and resources maintained by a security system against unauthorized disclosure or improper modification while ensuring their availability to legitimate users. The development of an access control system is usually carried out in multiple phases based on the concepts of security policy, security model and security mechanism. Defining an access control policy or model, however, is far from trivial: the major difficulty lies in interpreting real-world security policies (often complex and sometimes ambiguous) and translating them into well-defined, unambiguous rules that a computer system can implement easily. With the development of access control theory and of the security requirements of many emerging applications, expressiveness and flexibility have become top requirements for an access control system, alongside and usually in conflict with simplicity and efficiency; that is, a modern access control policy needs to be flexible enough to capture security requirements in real-world scenarios. This is why we study flexible access control. Our notion of flexible access control mainly refers to three aspects, flexible authorization, logic-based formalization and the integration of policies, which receive significant attention and reflect the development tendency of current access control. This dissertation investigates how to specify real-world flexible access control policies using the expressiveness and computational power of logic programs, how to deal with conflicts in flexible access control, how to balance expressiveness, simplicity and efficiency in flexible access control specifications, how to use commonsense (i.e. non-monotonic) reasoning to express flexible characteristics, and how to integrate the advantages of the prevailing flexible access control theories in a unified framework. It focuses on the following problems: the concept of flexible access control; the flexibility of role-based access control (RBAC); conflict resolution strategies in flexible access control policies; and the design and analysis of a flexible authorization framework based on logic programs. Careful investigation of these problems yielded results and contributions in four areas.

(1) Knowledge and specification of flexible access control. To the best of our knowledge the concept of flexible access control has not been defined or summarized so far; we think its meaning is ambiguous and evolving. It can be viewed simply as multi-attribute and multi-domain access control, which is traditional and classical, but today's flexible access control may also involve trust management, trust negotiation and so on, so inducing its concepts and describing its characteristics is necessary. Further, we analyzed several problems in representing flexible access control policies with logic programs, especially how the "flexible" features are specified by logic rules, and examined several prevailing framework theories in preparation for the later investigation. The following consequences were obtained:
-- The conceptual extension of flexible access control is induced as: a) expression from explicit to implicit; b) decision from identity to attribute; c) update from static to dynamic; d) enforcement from single to compositional; e) environment from closed to open.
-- The characteristics of flexible access control are summarized as: a) conditions (system, context, history and so on); b) hierarchies (of subjects, objects, privileges and roles); c) positive and negative authorizations; d) attribute-based specifications; e) dynamic environments; f) authorization derivations.
-- The structural features of a logic program specify the corresponding properties of the security requirements and at the same time determine the semantic computation of the program.
-- The advantages and disadvantages of several prevailing authorization frameworks are complementary and overlapping, which leaves room for further study.

(2) Flexibility of the RBAC model. Based on an analysis of the flexibility of RBAC, we posed the problem of a formal analysis of implementing LBAC in RBAC, that is, how to implement lattice-based access control (LBAC) policies using the mechanisms of RBAC. Although there has been research on the relationship between LBAC and RBAC, it is non-formal. Our investigation is based on formal methods related to relations, homomorphisms and logic. Its main contributions are:
-- The formal analysis shows how to use the RBAC framework to validate the key LBAC policies, suggesting that RBAC has a good role to play in unifying the formal treatment of a range of LBAC systems.
-- Several of the studied lattice-based access control policies can be carried out in RBAC, and the mechanism for managing access control in RBAC can be clearly exploited.
-- Using one security model as a unifying principle for studying others opens a way to reason about combinations of security policies.

(3) Conflict resolution strategy with preference. To the best of our knowledge, few conflict resolution policies with literal preference have been applied to access control. Following the principles of conflict resolution, we studied the problem of conflict resolution with LPOD programs, in which rules of logic programs with ordered disjunction (LPOD) are applied to resolve conflicts. Our method has the following advantages:
-- It is a conflict resolution with preference based on literals and dependent on context, unlike rule-priority and organization-based strategies, so its decisions are fine-grained.
-- The semantics of an LPOD program is not the ordinary stable model semantics, but its computation can be transformed into stable model computation; in this the method is novel.
-- The criteria for selecting answer sets are flexible and accommodate practical requirements well.

(4) Flexible authorization framework based on logic programs. The proposed authorization framework is composed of three main program modules: the PRAP module, the URAP module and the UR-RP authorization policy module. PRAP, the Privilege Role Assignment Program, is in charge of assigning privileges to roles; URAP, the User Role Assignment Program, assigns roles to users; and the UR-RP program combines PRAP and URAP to integrate multiple policies. The framework has the following advantages:
-- As its administrative mechanism is based on RBAC, it can easily be further extended and refined.
-- Since the framework is specified by logic programs, it is flexible; using RBAC to organize the rules of a specification strengthens the specification's construction.
-- The component modules can adopt the advantages of theories in the literature. For instance, PRAP uses the fine-grained, structural propagation mechanism of the Bertino99 framework for roles, objects and privileges; URAP employs the multiple conflict resolution and decision policies of FAF for users; and UR-RP explicitly supports sessions as in RBAC.
-- The component modules implement their policies independently and interact on the basis of the unifying framework; in fact, both the implementation and the interplay are based on the combination of logic programs.
-- Since non-monotonic theory is used in the framework, belief revision can be used to capture flexible real-world policies.
All of the above results are worthwhile in theory and in practice, and they are also the foundation of our further study of flexible access control.
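Contribution (3) rests on the LPOD semantics of Brewka (2002): each ordered-disjunction rule c1 x c2 x ... is split into its options (c_k holds when the body holds and no earlier c_j does), every answer set of a split program is a candidate, and candidates are ranked by how well they satisfy each rule. The following Python is an added example written for this page, not the dissertation's code: a brute-force LPOD solver (it enumerates all interpretations, so it is only usable on tiny propositional programs) applied to a constructed conflict in which a role grants an access that an explicit denial forbids, with the literal preference flipped by an `emergency` context atom. It also shows two of the selection criteria Brewka defines, Pareto and cardinality, which is the flexibility the abstract refers to.

```python
"""Brute-force LPOD semantics (Brewka 2002) on an authorization conflict.
Added example: the atoms, rules and solver are constructed for this page."""
from itertools import product


class Rule:
    """heads is an ordered disjunction c1 x c2 x ...; an empty heads list is a constraint."""
    def __init__(self, heads, pos=(), neg=()):
        self.heads, self.pos, self.neg = list(heads), frozenset(pos), frozenset(neg)

    def body_holds(self, s):
        return self.pos <= s and not (self.neg & s)


def options(rule):
    """k-th option of a rule: c_k <- body, not c_1, ..., not c_{k-1}."""
    if len(rule.heads) <= 1:
        return [rule]
    return [Rule([c], rule.pos, rule.neg | frozenset(rule.heads[:k]))
            for k, c in enumerate(rule.heads)]


def is_answer_set(s, prog):
    """Gelfond-Lifschitz test: s is the least model of the reduct prog^s
    and violates no constraint."""
    reduct = [r for r in prog if not (r.neg & s)]
    if any(not r.heads and r.pos <= s for r in reduct):
        return False
    m, changed = set(), True
    while changed:
        changed = False
        for r in reduct:
            if r.heads and r.pos <= m and r.heads[0] not in m:
                m.add(r.heads[0])
                changed = True
    return m == s


def degree(rule, s):
    """Satisfaction degree: 1 if the body is false or the rule is ordinary,
    otherwise the position of the first head literal that is true in s."""
    if len(rule.heads) <= 1 or not rule.body_holds(s):
        return 1
    return next((k + 1 for k, c in enumerate(rule.heads) if c in s), len(rule.heads) + 1)


def candidates(prog):
    """Answer sets of any split program of the LPOD."""
    atoms = sorted({a for r in prog for a in (*r.heads, *r.pos, *r.neg)})
    splits = list(product(*(options(r) for r in prog)))
    out = []
    for bits in product((0, 1), repeat=len(atoms)):
        s = frozenset(a for a, b in zip(atoms, bits) if b)
        if any(is_answer_set(s, sp) for sp in splits):
            out.append(s)
    return out


def preferred(prog, criterion="pareto"):
    """Keep the candidates no other candidate beats under the chosen criterion."""
    cands = candidates(prog)
    degs = {s: [degree(r, s) for r in prog] for s in cands}

    def better(s1, s2):
        d1, d2 = degs[s1], degs[s2]
        if criterion == "pareto":
            return all(a <= b for a, b in zip(d1, d2)) and d1 != d2
        top = max(d1 + d2)          # cardinality: compare counts per degree, best degree first
        return [d1.count(k) for k in range(1, top + 1)] > [d2.count(k) for k in range(1, top + 1)]

    return [s for s in cands if not any(better(t, s) for t in cands if t != s)]


def authorization_program(emergency):
    """pos_auth: access granted via a role; neg_auth: explicit denial on the same object.
    The preference between the conflicting literals depends on context."""
    prog = [
        Rule(["pos_auth"]),
        Rule(["neg_auth"]),
        Rule(["deny", "grant"], pos=["pos_auth", "neg_auth"], neg=["emergency"]),   # normally deny > grant
        Rule(["grant", "deny"], pos=["pos_auth", "neg_auth", "emergency"]),         # in an emergency grant > deny
        Rule([], pos=["grant", "deny"]),                                            # never both
    ]
    if emergency:
        prog.append(Rule(["emergency"]))
    return prog


def decide(emergency, criterion="pareto"):
    sets = preferred(authorization_program(emergency), criterion)
    if len(sets) != 1:
        raise ValueError("policy is ambiguous: %d preferred answer sets" % len(sets))
    return "grant" if "grant" in sets[0] else "deny"


if __name__ == "__main__":
    print(decide(False), decide(True))   # deny grant
```

Both answer sets of the conflict survive as candidates; the ordering on the literals, not a priority on the rules, is what picks one of them, and changing the context atom changes the pick without editing either authorization.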

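The three-module split in contribution (4) can be seen end to end in a small program. The Python below is an added illustration for this page, not the dissertation's framework: each module is written as a Python function rather than a logic program, the users, object tree and assignments are constructed, and the conflict strategies (most-specific assignment wins when privileges propagate down the object tree in PRAP, denials take precedence in URAP) are choices made for the example in the spirit of the Bertino99 and FAF mechanisms the abstract names.

```python
"""Toy PRAP / URAP / UR-RP pipeline. Added example: users, objects and rules
are constructed, and every module is ordinary Python, not a logic program."""

# Object hierarchy, child -> parent (constructed).
PARENT = {"/proj/design.doc": "/proj", "/proj/budget.xls": "/proj", "/proj": "/"}


def lineage(obj):
    """obj followed by its ancestors, most specific first."""
    chain = [obj]
    while chain[-1] in PARENT:
        chain.append(PARENT[chain[-1]])
    return chain


# --- PRAP: privilege-role assignment, propagated down the object tree ---
PRAP_GRANT = {("engineer", "/proj", "read"),
              ("manager", "/proj", "read"), ("manager", "/proj", "write")}
PRAP_DENY = {("engineer", "/proj/budget.xls", "read")}      # negative assignment


def prap(role, obj, priv):
    """Walk from obj upward; the most specific explicit grant or deny decides,
    so the denial on budget.xls overrides the grant inherited from /proj."""
    for o in lineage(obj):
        if (role, o, priv) in PRAP_DENY:
            return False
        if (role, o, priv) in PRAP_GRANT:
            return True
    return False


# --- URAP: user-role assignment from attributes plus explicit +/- assignments ---
USERS = {"alice": {"dept": "eng", "suspended": False},
         "bob": {"dept": "eng", "suspended": True},
         "carol": {"dept": "mgmt", "suspended": False}}
DEPT_ROLE = {"eng": "engineer", "mgmt": "manager"}           # derivation rule
URAP_POS = {("carol", "auditor")}
URAP_NEG = {("carol", "engineer")}


def urap(user, role):
    """Denials take precedence: an explicit negative assignment or a suspended
    account blocks the role; otherwise a derived or explicit positive grants it."""
    u = USERS[user]
    if u["suspended"] or (user, role) in URAP_NEG:
        return False
    return DEPT_ROLE.get(u["dept"]) == role or (user, role) in URAP_POS


# --- UR-RP: the session ties the two modules together ---
def activate(user, requested):
    """RBAC session: only roles URAP assigns to the user can be activated."""
    return [r for r in requested if urap(user, r)]


def ur_rp(user, requested, obj, priv):
    """Decision: some activated role holds the privilege according to PRAP."""
    return any(prap(r, obj, priv) for r in activate(user, requested))


if __name__ == "__main__":
    print(ur_rp("alice", ["engineer"], "/proj/design.doc", "read"))   # True
    print(ur_rp("alice", ["engineer"], "/proj/budget.xls", "read"))   # False
```

Each module can be replaced independently (for instance swapping the PRAP propagation rule or the URAP resolution policy) without touching the other two, which is the modularity the framework description claims.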
  • 【Online publication submitted by】 贵州大学 (Guizhou University)
  • 【Online publication year and issue】 2009, No. 02