PDF HTML阅读 XML下载 导出引用 引用提醒 安全策略模型聚合性评估方法 DOI: 作者: 作者单位: 作者简介: 通讯作者: 中图分类号: 基金项目: Supported by the National Natural Science Foundation of China under Grant No.60573042 (国家自然科学基金); the National BasicResearch Program of China under Grant No.G1999035802 (国家重点基础研究发展计划(973)); the Beijing Natural Science Foundationof China under Grant No.4052016 (北京市自然科学基金) Groupability in Security Policy Models Author: Affiliation: Fund Project: 摘要 | 图/表 | 访问统计 | 参考文献 | 相似文献 | 引证文献 | 资源附件 | 文章评论 摘要:动态策略支持与授权粒度是访问控制的关键问题.现有的研究只关注安全策略的描述能力,却忽略了对策略结构与授权粒度的分析,从而无法全面满足动态策略支持与最小授权要求.指出Lampson 访问矩阵模型是对最细粒度访问控制的抽象,普通安全策略则根据应用安全需求对Lampson 访问矩阵进行聚合.基于安全标签的聚合性描述框架(a escriptive framework of groupability basing on security labels,简称GroSeLa)可将普通安全策略映射为Lampson 访问矩阵,该框架分为基本组件与扩展两部分:前者分析用于实现矩阵聚合的安全策略结构;后者则指出实现全面动态策略支持必须支持的7 类管理性需求.在此基础上,提出5 项聚合性指标:聚合因子、动态因子、策略规模、授权粒度与职责隔离支持.对4 类经典安全策略ACL,BLP,DTE 与RBAC 的评估,是从矩阵聚合的角度分析不同的安全策略在表达性、可用性与授权粒度上的差异. Abstract:Dynamic policy supporting and authorization granularity are two key issues in access control. Present researches only compared the expressiveness of policies, but never considered the policy’s structure and the granularity of authorization, which makes it difficult to support the dynamic policy and satisfy the least privilege requirement. As this paper points out that Lampson’s access matrix is the most fine-grained access control model,the other security policies need to group access matrix according to their different application requirements. By defining a descriptive framework of Groupability Basing on Security Labels (GroSeLa), generic security policies can be mapped into Lampson’s access matrix. GroSeLa framework consists of a set of fundamental components and an extension. The fundamental components give all policy’s structure for grouping matrix, and the extension reveals all necessary administrative requirements for supporting dynamic policy completely. Based on GroSeLa, this paper proposes five grouping dimensions for evaluating security policies, including grouping factors, dynamic factors, policy scale, authorization granularity and separation of duty supporting. The paper also compares four classicsecurity policies, namely ACL (access control list), BLP (Bell LaPadula), DTE (domain and type enforcement) andRBAC (role-based access control). To the best of these knowledge, it is studied that the difference onexpressiveness, usability and authorization granularity of different security policies are from the aspect of grouping access matrix. 参考文献 相似文献 引证文献