Intelligent and Distributed Computing Laboratory (智能与分布计算实验室)

Risk-Based Access Control for Multi-Domain Interoperation

Name: 唐卓 (Tang Zhuo)
Thesis defense date: 2008.06.03
Thesis submission date: 2008.03.24
Degree: Doctoral
Chinese title: 基于风险的多域互操作访问控制研究 (Research on Risk-Based Access Control for Multi-Domain Interoperation)
English title: Risk-Based Access Control for Multi-Domain Interoperation
Advisor 1: 卢正鼎 (Lu Zhengding)
Advisor 2: 李瑞轩 (Li Ruixuan)
Chinese keywords (translated): multiple autonomous domains; role; dynamic access control; interoperation; privilege query; conflict resolution; risk; trust
English keywords: Multi-domain; Role; Dynamic Access Control; Interoperation; Privilege Query; Conflict Resolution; Risk; Trust
Chinese abstract (translated):

With the rapid development of the Internet and related technologies, large numbers of distributed applications now interoperate in open, heterogeneous distributed environments. Through interoperation, distributed applications can share resources and services, which effectively raises data utilization. Access control is a key security technology: while guaranteeing that legitimate users can access resources, it effectively restricts users' access to critical resources. The distributed, heterogeneous, autonomous and dynamic characteristics of distributed applications raise many new challenges for access control in interoperation.

On the basis of abstracting distributed, heterogeneous autonomous systems into autonomous domains, this thesis gives a formal description and analysis of access control policies for interoperation in a multi-domain environment. It analyses the definitions of determinism, consistency and completeness for authorization policies and duty policies, and, on the basis of these policy properties, analyses the main forms of privilege-policy conflict that arise during interoperation and their causes. A request-driven role mapping framework for secure interoperation in multi-domain environments is given. Building on the minimal unique role set (MUS), for resource access requests between domains, it gives a convenient and effective method for privilege query within the hybrid role hierarchies of an autonomous domain that supports flexible policy expression and inter-domain policy mapping, and can effectively compute the minimal and unique set of roles that satisfies an inter-domain resource access requirement. Role mapping is the basic method for interoperation among multiple autonomous domains under role-based access control. To describe more realistically the hierarchical relationships among the roles that participate in a mapping between two different autonomous domains, role mappings are divided into three types, I-mapping, A-mapping and IA-mapping, which reflect the different role-hierarchy relationships across domains. Role mapping is the main cause of the policy conflicts that appear during multi-domain interoperation; the framework analyses in detail the causes of the common conflicts in inter-domain interoperation and gives concrete algorithms for avoiding them by choosing the external user's role and the type of mapping. Compared with other work, it better satisfies resource access requests for inter-domain interoperation while keeping the role hierarchy of each autonomous domain unchanged as far as possible.

Traditional role-based access control may contain unforeseeable security holes in permission assignment and delegation. To address this, the concept of risk is introduced into access control. The risk-based partial order among access control policies and among roles is discussed, and the concept of risk distance is given, so that access control policies of different risk levels can be compared with one another in terms of their security. The basic relations between roles are discussed, the basic properties and principles of risk-based permission delegation and permission reassignment are analysed, and, based on the method for computing the MUS set, an optimization method for a user's access control policy based on risk minimization is given. With the user's access permissions unchanged, it selects from the system's role hierarchy a set of roles with the lowest permission-execution risk to assign to the user. This can to a large extent control high-risk authorization and delegation behaviour and thereby improve system security.

Since traditional access control models cannot meet the need for system dynamism in multi-domain interoperation environments, a risk-based dynamic multi-domain access control model is given on the basis of the risk attribute of policies. In this model, between a subject and an object for which a role mapping has been established, the risk level of a security policy held by the subject is derived from the trust relationship between the autonomous domains, the security level of the object and the safety factor of the access event; by adjusting security policies with high risk levels, the system's risk is controlled in real time. Theoretical analysis shows that this approach can effectively guarantee the flexibility of access control and the security of the multi-domain environment.

Most existing research tends to focus on solving specific problems of access control in particular settings and lacks a view of the distributed environment as a whole. Based on a requirements analysis of interoperation access control in multi-domain environments, and on in-depth study of the properties of access control policies in such environments and of the types and causes of inter-domain interoperation policy conflicts, a risk-based inter-domain interoperation access control model is given. General methods for describing and controlling the various entities within an administrative domain are analysed, so as to achieve secure integration of the system as a whole.

Based on the theoretical results above, a risk-based multi-domain access control authorization system, RMAS, was designed and implemented. It conveniently realizes automatic request-driven role mapping between autonomous domains and effectively resolves inter-domain mapping conflicts; performance analysis and evaluation are given on the basis of system testing.
English abstract:

The rapid development of the Internet and related technologies has created tremendous possibilities for interoperability between applications in open, heterogeneous distributed environments. Interoperability provides a means for distributed applications to share resources and services, which improves performance and resource utilization. Access control is a crucial security technology: it ensures that legitimate users can access the resources they need while effectively restricting access to sensitive resources. The distributed, heterogeneous, autonomous and dynamic characteristics of distributed applications bring many new challenges to access control technology.

Abstracting distributed systems into multiple domains, this thesis proposes a method to formalize the policies governing interoperation in multi-domain environments. It defines the properties of determinism, consistency and completeness for interoperation security policies, which form the basis of conflict detection. It proposes a request-driven role mapping framework for secure interoperation in multi-domain environments. To support flexible policy expression and inter-domain policy mapping, we present a convenient and effective method for performing privilege queries in general hybrid role hierarchies for specific external requests, based on the minimal unique role set (MUS). Role mapping is the basic approach to interoperation among multiple individual domains. To describe the relationships between roles practically, role mappings are divided into three types: I-mapping, A-mapping and IA-mapping, each denoting a different form of role-hierarchy relationship. Role mappings are the major cause of various types of conflicts and inconsistencies in multi-domain environments. This thesis analyses the reasons these conflicts arise and presents algorithms to resolve them. Compared with other research, this method ensures that external user requests are satisfied while the local role hierarchies are preserved as far as possible. Finally, a case study of interoperation among the various offices of a county shows the validity of this role mapping framework.

Security holes exist in permission distribution and delegation under traditional role-based access control. By introducing the concept of risk, this thesis establishes an integrated theoretical framework. It represents access control policies and the ordering relation among roles on the basis of risk. The concept of risk distance is proposed, which allows the security of access control policies to be compared according to their risk bands. The thesis describes the basic relationships between roles and proposes properties and principles for risk-based policy delegation and reallocation. Based on the algorithm for computing the MUS, it proposes a method to optimize users' access control policies so that the policies are executed under minimum risk. Introducing risk into access control in this way can control high-risk authorization and delegation and thereby advance the security of the system.

Because traditional access control models cannot satisfy the dynamic requirements of multi-domain environments, this thesis proposes a dynamic access control model for multi-domain environments based on the risk of interoperations. The risk grade of an access policy is calculated from the trust relationships among individual domains, the security degree of the objects and the safety factor of the access events. By adjusting the access policies with high risk grades, the risk in the system can be controlled in real time. Security analysis shows that this method can reinforce both the flexibility of access control and the security of the multi-domain environment.

While much past research has focused on particular problems in multi-domain environments that were fairly static, the issues of regulating constantly evolving domains have not been as thoroughly explored. New techniques are required to govern the behaviour of entities in these environments so that, even though each entity makes its own decisions, the overall system objectives are still satisfied. In particular, the goal is a policy framework that provides a holistic, risk-based resolution of interoperation access control, in which the norms or rules of ideal behaviour of entities in RBAC for these environments are described in a machine-understandable specification language. Based on the theory and research results above, RMAS, a risk-based multi-domain access control authorization system, is designed and implemented. The system can conveniently and automatically establish role mappings between different domains based on users' requests, and can effectively resolve conflicts in role mappings among multiple domains. Finally, we give performance analysis and evaluation through system experiments.