网格环境中访问控制与信任模型研究-智能与分布计算实验室

网格环境中访问控制与信任模型研究

姓名	姚寒冰
论文答辩日期	2006.05.09
论文提交日期	2006.05.11
论文级别	博士
中文题名	网格环境中访问控制与信任模型研究
英文题名	Research on Access Control and Trust Model in Grid Environment
导师1	卢正鼎
导师2	胡和平
中文关键词	网格计算;访问控制;信任模型;上下文约束;信任评估;主观逻辑
英文关键词	Grid Computing;Access Control;Trust Model;Context Constraints;Trust Measurement;Subjective Logic Theory 论文总页码 106
中文文摘	网格技术将地理上广泛分布的计算资源、存储资源、网络资源、软件资源、信息资源等通过计算机网络连成一个逻辑整体，像一台超级计算机一样为用户提供一体化的应用服务。由于网格技术有着非常广泛的前景和发展空间，已成为国内外研究的热点，但是，网格研究还有很多关键技术问题需要解决。其中，网格安全问题尤其突出，网格环境具有异构、动态和多域的特点，这给网格的安全研究带来新的挑战，只有具有可靠的安全保障后，其大规模的推广和应用才能得以实现。网格安全基础设施(Grid Security Infrastructure, GSI)解决了网格环境下的安全认证、安全通信问题，但没有对访问控制予以足够的重视。为解决网格环境的动态性和不确定性带来的安全问题，对网格环境下的访问控制和信任模型进行深入研究，既具有理论意义亦具有实用价值，研究内容主要包括：传统的访问控制方法仅仅对资源提供方提供了保护，没有考虑访问主体的安全。网格环境下访问主体不仅仅关心获取的资源是否可用，还要考虑共享资源可能对自身造成破坏，需要对交互的双方都提供保护机制。针对该问题，结合网格环境特点，基于主观逻辑的网格行为信任模型(An Entity-Behavior Trust Model Based on the Subjective Logic in Grid Environment, EB-GTM)根据网格实体所处管理域的不同，将网格中的行为信任关系分为域内实体间的信任和域间信任，通过EB-GTM模型的信任评估机制对实体间的信任度进行评估，通过推荐网络进行信任的传播。通过交互实体间的信任关系，EB-GTM模型支持对未知实体的授权，对资源调用者和资源提供者都提供了安全保护。通过扩展RBAC模型，引入上下文约束机制，基于角色和上下文的访问控制模型(Dynamic Role-Based and Context-Based Access Control Model, RCBAC)实现了粒度可控，实时变化的授权这一目标。通过将上下文约束引入访问控制过程，为网格资源提供更加有效的访问控制。RCBAC模型的从运行环境中获取上下文信息，当满足系统所设定的上下文约束时，才可以授权。RCBAC模型保持了RBAC模型的优点，通过上下文约束增加了RBAC模型的描述能力，能定义更灵活、细粒度的访问控制策略。要支持网格环境下灵活的访问控制，需要一种通用的用于保护资源的访问决策语言，以及一种交换认证和授权等安全信息的标准，且容易扩展。通过基于XML的安全断言标记语言 (Security Assertion Markup Language, SAML)和可扩展访问控制语言(eXtensible Access Control Markup Language, XACML)，设计了可伸缩、可扩展的访问控制安全策略描述机制，支持网格计算环境固有的动态性、可伸缩性和可扩展性。基于该策略描述机制给出了RCBAC模型的实施框架。和现有网格计算安全领域的相关研究对比，该策略描述机制对XML技术的充分利用使它可很好地支持层次结构，并具有易扩展的优越性，可实现独立于平台的策略结构化描述。通过EB-GTM模型和RCBAC模型的综合应用，将授权实体的执行情况反映到其后的授权过程中去，建立了一个基于信任度参数的动态授权反馈应用框架，能根据网格实体的历史行为对其权限进行调整。传统的访问控制主要考虑对用户的授权，不关心用户在获得权限后在系统中的行为，这可能带来安全漏洞，比如对某用户授权过大，或者被授予适当权限的用户本身具有恶意行为，这在复杂的网格环境下尤其突出。通过对每次动态授权的执行结果进行监控，将实体授权后的行为反应到实体的信任度中去，在动态授权的过程中使用信任度参数，用户和资源都可以对交互对象的信任度参数提出要求，使得以前的执行情况对新的动态授权过程产生影响，实现实体权限的自动调整。仿真实验表明，支持动态约束机制的RCBAC访问控制模型和EB-GTM信任模型能较好的解决复杂的网格应用环境中的访问控制问题。
英文文摘	Grid is a set of application services which make geographically widely distributed computation resources, storage resources, network resources, software resources, information resources and so forth serve users like a supercomputer. Because of its magnificent future and great development potential, Grid technologies attract great concerns of academic field. However, there are many key unsolved issues in Grid technologies, and Grid security is one of them. Only after the Grid system may offer safe and reliable services will it be extensively built and used. GSI, the grid security infrastructure mainly oriented to security authentication and communications, pays insufficient attention to the access control. Grid system consists of various resources, and the resources have some features of dynamic change, geographical dispersion and heterogeneous systems, which will hinder the development of grid application to such extent and trigger security challenges of the grid computing. So some key issues of access control and trust management in grid environments are researched in this thesis and our work mainly include: The traditional security mechanisms are mainly concerned about the security of the provider of resources and miss the protection of the access requesters. Nevertheless, the requesters are concerned about not only the availability of the resources, but also the potential risks that they are running in grid environments. To solve this problem, we develop An Entity-Behavior Trust Model based on the Subjective Logic to adapt the grid environments. The EB-GTM discriminates the trust relationships among entities between the same autonomous domains and different domains. By handling these two kinds of trust relationships with the subjective logic theory, the EB-GTM supplies security protection to both the providers and the requesters of resources, avoid vicious attacks in the dynamic and uncertain grid environment, and support the access control of the unknown entities as well. We propose a Dynamic Role and Context-Based Access Control model (RCBAC) which extends the traditional RBAC with context constraints to solve the security issues in grid application. The RCBAC provide authorization with dynamic granularity and real-time permissions. The authorizations of the traditional access control models depend on a central database and identity of subjects. The RCBAC mechanisms dynamically grant and adapt permissions to users based on a set of contextual information collected from the application environments, besides retaining the advantages of RBAC model. Although context constraints potentially add a great deal of complexity to access control policies, they add much flexibility and can define the fine-grained access control policies as they are often needed in real-world applications. To attain the flexible access control, a common and extensible security policy language is required in grid computing environment which can be used to exchange the security information in different domains. We realize the security policy language with Security Assertion Markup Language and eXtensible Access Control Markup Language which are both based on XML. By inheriting the advantages of XML, this security policy language achieves the inherent qualities of dynamicity, scalability and extensibility of grid computing environments. The implementation of RABAC is just based on this security policy language. Compared with current research works, this security policy is more scalable and extensible and platform-independent. An authorization feedback mechanism is realized by combining the RCBAC model with the EB-GTM model. The traditional access control mechanisms are mainly concerned about the user's authorizations without considering the authorized users’ behaviors, which carries out potential security vulnerability. For instance, a user may be authorized excessive authority, or the user authorized with appropriate authority has malicious behaviors. The problem is especially acute in grid environments. To solve this problem, we propose a dynamic authorization mechanism which integrates access control with the trust parameters. The authorization mechanisms monitor the behaviors of the authorized entities. The malicious behaviors will debase the entities’ trust parameters, and the good behaviors will increase the entity’s trust parameters. By introducing the trust parameter into RCBAC model as the feedback of the previous results of authorization decision, the history behaviors of Grid entities have effect on the new process of authorization. The results of computer simulation prove that the RCBAC model and the EB-GTM model can solve the problem of the authorization in the complicated grid environment effectively.