
Research on Key Technologies of Policy-Based Access Control

【Author】 Lin Zhi

【Supervisors】 Xie Changsheng; Chen Xiaosu

【Author information】 Huazhong University of Science and Technology, Computer System Architecture, 2006, PhD

【Abstract (translated from Chinese)】 Access control is an important technology supporting information system security and is widely used in all kinds of system security protection. Because of limitations in the configuration and management of their constraint conditions and the restrictions of their enforcement mechanisms, existing access control technologies fall well short in the flexibility, adaptability and integrated control of session management, so exploring access control methods with new control mechanisms is of great theoretical and practical significance. Starting from the adaptability, flexibility and multi-policy support of system session request control, a policy-based access control model, PBAC (Policy-based Access Control), is initially constructed. The model is divided into a basic model and an extended model. In the basic model, to strengthen the adaptability of session entity management, a reconfigurable-object description technique is used to manage session entities uniformly. At the same time, the basic model abandons permission configuration on session subjects, changing the basic access control pattern in which session requests are constrained by the permissions a subject holds; it establishes a unified description of session-related attributes and achieves comprehensive constraint management of session characteristics. In addition, the basic model also departs from existing access control models, which describe policy indirectly through constraint conditions such as permissions; it defines an independent policy description and management mechanism, achieves flexible management of access control policies, and improves the model's multi-policy support. On the basis of the basic model, the extended model of PBAC is constructed. The inherent logical characteristics of session entities and behaviors in the extended model are discussed, the description and management mechanism for logical relations in the extended model is given, and the influence of grouping, inheritance, constraint and dependency relations among entity elements on the access control management mechanism is discussed. The application mechanism of the PBAC model in a mobile agent system is given. From the standpoint of policy usability, flexibility and consistency of description, an XML (Extensible Markup Language) based access control policy description language specification, XBACPL (XML-based Access Control Policy Language), is formulated; the basic policies of XBACPL are built on elements such as session entities and behaviors, and the classification, definition and description method of basic policies are given. On this basis, a meta-policy management mechanism for XBACPL is drawn up in combination with meta-modeling theory, establishing the logical relations inside access control policies. Furthermore, policy management algorithms that satisfy XBACPL's usability and consistency requirements are described. Combined with the characteristics of MAS (Mobile Agent System), the application model of PBAC in MAS is discussed. At the same time, a policy-based network security protection framework is constructed; within this framework, and taking the characteristics of network-layer access control into account, a PBAC network security protection application prototype is developed. The prototype system contains a configuration management tool for access control entities, attributes and policies, and implements policy-rule-based filtering of network packets at the NDIS network driver layer. The construction of the prototype system verifies the flexibility, extensibility and multi-policy support of the PBAC model. Through research into the problems related to policy-based access control, several results of theoretical and practical value have been obtained, laying a theoretical and methodological foundation for further research into policy-based access control and its practical systems.

【Abstract】 Access control technology, widely applied in various security protections, is essential to guaranteeing the security of information systems. Existing access control technology falls well short in the flexibility, adaptability and integrated control of sessions because of the limitations of the constraint conditions configured for access sessions and of its execution mechanism. Therefore, developing a new access control mechanism is extremely important both in theory and in practice. To remedy these shortcomings and support multiple policies, this dissertation proposes a Policy-Based Access Control model (PBAC), composed of two models: the fundamental model and the extension model. A new reconfigurable-object description technique is used in the fundamental model to manage session entities uniformly, which strengthens the adaptive capacity of PBAC. Furthermore, in this model the authorization of the session subject has been removed, changing the basic access control pattern in which the system restricts sessions according to the subject's authorizations, and a description of session-related attributes has been integrated to realize comprehensive constraint management of session attributes. In addition, the model departs from current models, which describe access control policy indirectly through authorizations configured on session entities: it formulates an independent policy description and management mechanism, making the management of access control policy more agile and enhancing multi-policy support. On the basis of the fundamental model, an extension model has been produced. The logical characteristics of its entities and actions are discussed, together with the rules for describing logical relationships, the management mechanism, and the influence that grouping, inheritance, constraint and dependency relations among session factors have on the access control management mechanism in the extension model. The management mechanism for using PBAC in a mobile agent system is introduced. To improve the usability, flexibility and consistency of policy, an XML-Based Access Control Policy Language (XBACPL) has been developed. On the basic elements of entities, actions and so on, the essential policies, together with their classification and description, have been constructed. Integrating meta-modeling theory, the dissertation proposes a meta-policy management mechanism for XBACPL, establishes the logical relationships among access control policies, and describes the related XBACPL algorithms by which the usability and consistency requirements are satisfied. Combined with the characteristics of mobile agent systems, an application model of PBAC is introduced. At the same time, a policy-based framework for network security is created, within which an application prototype of PBAC is programmed for network access control. The prototype contains a configuration management tool for access control entities, attributes and policies, and network data packets are filtered at the network driver layer according to the policies. The prototype validates the flexibility, adaptability and multi-policy support of PBAC. In conclusion, the theoretical and practical achievements obtained from this study provide a substantial foundation for further research on policy-based applications.
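As an added illustration (not code from the dissertation or its prototype), the following Python sketch shows the control pattern the abstract describes: session requests are constrained by attributes of the session entities and the action rather than by permissions configured on the subject, policies are described independently in XML, a combining rule plays the meta-policy role, and network packets are mapped onto sessions before evaluation. The XML schema, the zone table and the packet fields are assumptions for this example, not the real XBACPL specification.

```python
import xml.etree.ElementTree as ET

# Constructed policy set in a hypothetical XML form (an assumption, not the real XBACPL
# schema): each <policy> constrains a session by entity attributes and the action, not by
# permissions on the subject; the combine attribute plays the meta-policy role.
POLICY_XML = """<policies combine="deny-overrides">
  <policy id="p1" effect="permit">
    <entity role="subject" attr="zone" value="intranet"/>
    <entity role="object" attr="service" value="http"/>
    <action name="connect"/>
  </policy>
  <policy id="p2" effect="deny">
    <entity role="subject" attr="zone" value="intranet"/>
    <entity role="object" attr="port" value="23"/>
    <action name="connect"/>
  </policy>
</policies>"""

def load_policies(xml_text):
    """Return (combining rule, [(id, effect, [(role, attr, value)], {actions})])."""
    root = ET.fromstring(xml_text)
    rules = [(p.get("id"), p.get("effect"),
              [(e.get("role"), e.get("attr"), e.get("value")) for e in p.findall("entity")],
              {a.get("name") for a in p.findall("action")}) for p in root.findall("policy")]
    return root.get("combine", "deny-overrides"), rules

def matches(rule, session):
    # A policy applies when the action matches and every entity-attribute condition holds.
    _, _, conds, actions = rule
    return session["action"] in actions and all(
        str(session[role].get(attr)) == value for role, attr, value in conds)

def decide(policies, session):
    """Combine the effects of all applicable policies; default-deny when none applies."""
    combine, rules = policies
    effects = [r[1] for r in rules if matches(r, session)]
    if not effects:
        return "deny"
    if combine == "deny-overrides":
        return "deny" if "deny" in effects else "permit"
    return "permit" if "permit" in effects else "deny"  # permit-overrides

ZONES = {"10.0.": "intranet"}  # constructed source-prefix to zone table
def packet_to_session(packet, zones=ZONES):
    # Map a network-layer packet (constructed dict) onto PBAC session entities.
    zone = next((z for prefix, z in zones.items() if packet["src"].startswith(prefix)), "external")
    service = {80: "http", 443: "https", 23: "telnet"}.get(packet["dport"], "other")
    return {"subject": {"zone": zone, "ip": packet["src"]},
            "object": {"service": service, "port": packet["dport"]},
            "action": "connect"}
```

Switching the combine attribute to permit-overrides changes the outcome only for sessions that several policies cover, which is where the meta-policy layer matters.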
