Intelligent and Distributed Computing Laboratory
  Research on Multilevel Secure Workflows
Name Zhu Guohua
Thesis defence date 2003.10.16
Thesis submission date 2004.06.04
Degree Doctorate
Chinese title 多级安全工作流研究 (Research on Multilevel Secure Workflows)
English title Research on the Multilevel Secure Workflow Management Systems
Advisor 1 Lu Zhengding
Advisor 2
Chinese keywords multilevel security; workflow; colored net; reachability; subject sensitivity label; dynamic adjustment
English keywords multilevel security; workflow; colored Petri net; reachability; subject sensitivity label; dynamic determination
Chinese abstract With the growing use of WFMSs, their security has become an issue that needs particular attention. The security functions provided by the workflow products currently on the market are very limited, comprising only basic authentication and simple access control mechanisms, and cannot meet the needs of high-security applications. Some research on secure workflow technology has been carried out at home and abroad, but it is still some distance from practical use.

A multilevel secure workflow management system is an extension of the traditional workflow management system. For a workflow management system that enforces a multilevel security (MLS) policy, analysing reachability under that policy requires analysing the workflow's control flow and data flow together. Because a multilevel secure workflow must be able to describe control flow and data flow at the same time, a workflow model based on colored Petri nets is proposed: colored Petri nets describe the workflow's control flow and data flow, with the workflow's data flow and control flow described respectively as the data-flow subnet and the control-flow subnet of the workflow colored Petri net, and definitions are given for the workflow colored Petri net WCPN, the data-flow colored Petri subnet DCPN and the control-flow colored Petri subnet FCPN. This provides a basis for implementing and analysing multilevel secure workflows.

Classifying the data involved in a workflow's tasks by security level is very different from classifying the tasks defined in the workflow by security level. The former determines whether a task is permitted to access data; the latter determines whether a subject is permitted to execute a task. By this criterion, multilevel secure workflows are divided into four categories: (1) no multilevel security policy is enforced; (2) a multilevel security policy is enforced on the data flow; (3) a multilevel security policy is enforced on the control flow; (4) multilevel security is enforced on both the data flow and the control flow. The third category, enforcing a multilevel security policy on the control flow, has been discussed in detail by Vijayalakshmi Atluri, who proposed the multilevel secure SPN model. Building on this, the reachability of the other three cases is analysed and compared through examples, a reachability-graph generation algorithm is given, and the different effects of the multilevel security policy on reachability are identified.

Atluri's SPN model describes the situation in which different task nodes have different security levels. By extending SPN, it is made able to describe the situation in which a multilevel security policy is applied to both the data flow and the control flow. On this basis, the task firing rules of the multilevel secure workflow net MLS_CPN are defined, providing a basis for the process definition and analysis of multilevel secure workflows.

To address the drawback that the CPN-based multilevel secure workflow MLS_CPN cannot fully express control-flow dependencies, system constraints are proposed as a means of enriching and completing the workflow process definition, and a method for combining system constraints with the process definition is given. The effect of system constraints on the analysis of multilevel secure workflows, however, remains for future research.

The net graph of a colored net is relatively simple but its functional relations are very complex; the net graph of a Petri net is relatively complex but its functional relations are very simple. Because of the special nature of colored nets, they are generally simulated and analysed with Design/CPN, and analysing their properties directly is much harder than for basic nets. By giving an algorithm that converts a colored net into an equivalent basic net, a WCPN can be converted into an ordinary Petri net for analysis, which offers one route to the systematic verification of multilevel secure workflows.

The BLP model is overly strict and simple and lacks flexibility; it easily prevents workflows from executing smoothly and cannot meet practical needs. To solve this problem, the classical BLP model is improved, and the correctness of the improved scheme is proved. The scheme extends the subject's sensitivity label by separating it into mutually independent read and write ranges; the subject's current sensitivity label is adjusted dynamically according to the sensitivity labels of the objects and the history of the subject's accesses, thereby improving data integrity and system availability.

This research will provide a theoretical basis for further research on multilevel secure workflows and for the development of such systems.
English abstract With the wide use of WfMSs in different areas, more attention is being drawn to the security aspect of WfMSs. Most products on the market today supply limited security properties, including basic authentication and access control mechanisms, and cannot meet the requirements of high-security applications. More and more researchers overseas are devoted to the study of secure workflow management systems, while in China the study of secure workflows is still almost a vacancy.

The multilevel secure workflow management system is an extension of the traditional WfMS. It supports the concepts of users (subjects), data (objects), control flow and data flow under a multilevel security environment. A subject can execute a task by using or creating data items. The data flow describes the movement of data items between different tasks. In order to analyse the reachability of a workflow management system under a multilevel policy, it is necessary to analyse the control flow together with the data flow. The model in this article is based on the study of the wf_net proposed by W.M.P. van der Aalst and the study of process definition with Petri nets by Wang Tao. A powerful modelling tool, colored Petri nets (CPN), is used to describe the control flow and data flow synchronously. The data items used or created by workflow processes under an MLS policy can be denoted by individual tokens in a colored Petri net, so the control flow and data flow of a workflow can be described in a unified way as the control-flow subnet and data-flow subnet of the colored-Petri-net-based workflow. This makes it convenient to analyse the workflow with mature methods and computer tools and supplies one practical approach for applying MLS in workflow management systems. Based on this model, a multilevel secure colored Petri workflow net is proposed. It is quite different from the SPN model proposed by Vijayalakshmi Atluri.

The firing rules of the MLS_WCPN are also defined, so this model makes it easy to analyse the application of a multilevel security policy in WfMSs: it can automatically detect and prevent all the dependencies that violate the multilevel secure policy. Because the net cannot express all the dependencies of business processes, the concept of a system constraint is proposed, a model of system constraints is built, and methods to combine flow logic with system constraints in workflow management systems are presented.

When discussing workflow management systems and mandatory access control, we have to consider several levels of abstraction because of the distributed nature of a workflow system. There are at least two criteria we should consider. The first is the sensitivity of data: 1) Only data are classified: we secure only the data we are working with. Task definitions are public and there is no reason to suppose them to be sensitive. The classic example is administration, where all information flows should be transparent. 2) Workflow definitions are classified: the opposite possibility, where workflows are viewed as data and access to their definitions is granted according to their classification. We define four categories according to these criteria: (1) WNSN (workflows are not classified, systems are not classified); (2) WNSC (workflows are not classified, systems are classified); (3) WCSN (workflows are classified, systems are not classified); (4) WCSC (workflows are classified, systems are classified). There is a strong difference between the classification of the data the system works with and the classification of task definitions. The latter situation is more difficult, not only for theoretical reasons but also from the administrative and functional point of view. We develop procedures for task execution management that are based on a unified classification of the data that are processed.

This classification may be used not only for controlling access to resources but also for determining the subjects that are allowed to execute parts of the workflow tasks (task steps). It is intuitive to study the reachability of multilevel secure WfMSs with the reachability graph. From the reachability graph of an instance, it can be seen that the MLS policy influences the reachability of the system. Although most products can simulate a defined workflow, that is not enough to find control-flow errors and verify the correctness of the system. Colored Petri nets in particular are too complicated to verify, while an ordinary Petri net is very easy to analyse, so it is reasonable to model the system with a CPN and analyse it as an ordinary Petri net. According to the characteristics of the workflow model, a Petri-net-based verification approach that employs a set of graph reduction rules is proposed; the completeness and polynomial time complexity of the proposed method can be proved. An extension of the sensitivity label of subjects in the BLP model and a scheme for the dynamic determination of the current sensitivity label are proposed in this article. The sensitivity label of a subject is separated into two parts: a write sensitivity range and a read sensitivity range. A subject can change its current write sensitivity label and current read sensitivity label dynamically according to the sensitivity labels of the related objects without violating the security axioms of the BLP model, which improves the agility and practicability of the BLP model. This research will build a theoretical base for further study and development of multilevel secure workflow management systems.
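Both abstracts state that a multilevel security policy changes which markings of a workflow net are reachable, and that the effect differs depending on whether the policy is enforced on the data flow, the control flow, or both. The following Python example, added here and not taken from the thesis, makes that concrete on a constructed two-task workflow net: it explores the reachability graph by breadth-first search under each of the four categories and reports whether the final place can be reached. The firing rule is an assumption for the example (task level dominated by the executing subject's clearance for control-flow MLS; BLP simple security and *-property applied to the data items a task reads and writes for data-flow MLS), not the MLS_CPN firing rule the thesis defines.

```python
from collections import deque

# Two-level linear lattice, constructed for this example.
UNCLASS, SECRET = 0, 1

# Constructed workflow net: start --t1--> p1 --t2--> end.
# "level" is the task's own classification (control-flow MLS);
# "reads"/"writes" map the data items a task consumes/produces to their
# classification (data-flow MLS). The write-down in t2 is deliberate.
TASKS = {
    "t1": {"inp": {"start"}, "out": {"p1"}, "level": UNCLASS,
           "reads": {}, "writes": {"d1": SECRET}},
    "t2": {"inp": {"p1"}, "out": {"end"}, "level": SECRET,
           "reads": {"d1": SECRET}, "writes": {"d2": UNCLASS}},
}
INITIAL = frozenset({("place", "start")})

def enabled(task, marking, policy, clearance):
    """Assumed firing rule. policy is one of "none", "data", "control", "both",
    matching the four categories; clearance is the executing subject's level."""
    t = TASKS[task]
    if not all(("place", p) in marking for p in t["inp"]):
        return False                      # control-flow precondition
    if not all(("data", d) in marking for d in t["reads"]):
        return False                      # data-flow precondition: inputs exist
    if policy in ("control", "both") and t["level"] > clearance:
        return False                      # subject may not execute this task
    if policy in ("data", "both"):
        if any(lvl > clearance for lvl in t["reads"].values()):
            return False                  # simple security: no read-up
        current = max(t["reads"].values(), default=UNCLASS)
        if any(lvl < current for lvl in t["writes"].values()):
            return False                  # *-property: no write-down
    return True

def fire(task, marking):
    """Consume the input places, produce the output places and the written data."""
    t = TASKS[task]
    m = set(marking) - {("place", p) for p in t["inp"]}
    m |= {("place", p) for p in t["out"]}
    m |= {("data", d) for d in t["writes"]}   # produced data items persist
    return frozenset(m)

def reachability_graph(policy, clearance):
    """Breadth-first exploration of the markings reachable under the policy.
    Returns (set of markings, list of (marking, task, marking) edges)."""
    seen, edges, queue = {INITIAL}, [], deque([INITIAL])
    while queue:
        m = queue.popleft()
        for task in TASKS:
            if enabled(task, m, policy, clearance):
                n = fire(task, m)
                edges.append((m, task, n))
                if n not in seen:
                    seen.add(n)
                    queue.append(n)
    return seen, edges

def end_reachable(policy, clearance):
    """True if some reachable marking puts a token in the final place."""
    markings, _ = reachability_graph(policy, clearance)
    return any(("place", "end") in m for m in markings)

if __name__ == "__main__":
    for policy in ("none", "data", "control", "both"):
        for clearance in (UNCLASS, SECRET):
            print(f"policy={policy:8s} clearance={clearance}: "
                  f"end reachable = {end_reachable(policy, clearance)}")
```

With no policy the net completes for any subject; under control-flow MLS it completes only for a SECRET-cleared subject; under data-flow MLS it never completes, because t2 reads SECRET data and then writes an UNCLASS item, which the *-property forbids. The same net thus has three different reachability graphs, which is the point the abstracts make about the four categories.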
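The abstracts describe the thesis's modification of BLP: the subject's sensitivity label is split into an independent read range and write range, and the current label is adjusted dynamically from the labels of the objects accessed so far, so that a strictly cleared subject is not blocked from all low-level writes by a static label. The following Python example, added here and not the thesis's own scheme, illustrates one sound way to realise that idea: reads are bounded by the read range, writes by the write range, and a high-water mark raised by every read becomes the floor for later writes, so the BLP flow property (no write below anything already read) holds without fixing the subject at its clearance. The exact rules and the `Subject`, `flows_are_secure` and `demo` names are assumptions for the example; the audit function checks the resulting access log for downward flows.

```python
from dataclasses import dataclass, field

# Four-level linear lattice, constructed for this example.
U, C, S, TS = 0, 1, 2, 3

@dataclass
class Subject:
    """Subject whose sensitivity label is split into an independent read range and
    write range. The shape of the rules is an assumption for this example, not the
    thesis's exact definition."""
    name: str
    read_range: tuple    # (lo, hi): levels the subject may ever read
    write_range: tuple   # (lo, hi): levels the subject may ever write
    cur_write: int = field(init=False, default=U)   # floor on writes, raised by reads
    history: list = field(default_factory=list)     # (op, object, level, allowed)

    def __post_init__(self):
        self.cur_write = self.write_range[0]

    def read(self, obj, level):
        lo, hi = self.read_range
        ok = lo <= level <= hi
        if ok:
            # High-water mark: whatever the subject writes from now on must
            # dominate everything it has observed, so no write-down can occur.
            self.cur_write = max(self.cur_write, level)
        self.history.append(("read", obj, level, ok))
        return ok

    def write(self, obj, level):
        lo, hi = self.write_range
        ok = max(lo, self.cur_write) <= level <= hi
        self.history.append(("write", obj, level, ok))
        return ok

def static_blp_write(clearance, level):
    """Classic BLP with the subject's current level fixed at its clearance:
    the *-property allows writes only at or above that level."""
    return level >= clearance

def flows_are_secure(history):
    """Audit check over an access log: every permitted write must dominate
    every earlier permitted read, i.e. no information flowed downward."""
    highest_read = U
    for op, _obj, level, ok in history:
        if not ok:
            continue
        if op == "read":
            highest_read = max(highest_read, level)
        elif level < highest_read:
            return False
    return True

def demo():
    """Constructed session: an analyst may read up to TS but write only up to S."""
    analyst = Subject("analyst", read_range=(U, TS), write_range=(U, S))
    results = [
        analyst.write("report_c", C),    # allowed: nothing read yet, floor is U
        analyst.read("memo_s", S),       # allowed: floor rises to S
        analyst.write("report_c", C),    # refused: would write down from S to C
        analyst.write("summary_s", S),   # allowed: dominates everything read
        analyst.read("intel_ts", TS),    # allowed: floor rises to TS
        analyst.write("summary_s", S),   # refused: floor TS exceeds write range
    ]
    return results, analyst.history

if __name__ == "__main__":
    results, history = demo()
    print(results, flows_are_secure(history))
```

The first write succeeds here although classic BLP with the subject fixed at clearance TS would refuse every write below TS; that is the availability gain the abstracts describe. The audit function is the check a practitioner would keep alongside any such dynamic scheme, since the security argument rests on the write floor never falling below a level already read.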