An assurance model for access control on cloud computing systems
LI Yu1,2,3, ZHAO Yong2,3, GUO Xiaodong1, LIU Guole1
1. National Secrecy Science and Technology Evaluation Center, Beijing 100044, China;
2. College of Computer Science, Beijing University of Technology, Beijing 100124, China;
3. Beijing Key Laboratory of Trusted Computing, Beijing 100124, China
Abstract: Access control points in cloud computing are difficult to link. An assurance model for access control on the whole system was developed based on formal definitions of the access request equivalence relation and the support relation. The analysis formally proves that the assurance algorithm can ensure the credibility of access requests. Implementation methods are given for the network layer, application layer and operating system kernel layer in cloud computing. An access semantic encapsulation shows that the algorithm meets the access control linkage requirements and can ensure the credibility of access requests.
LI Yu, ZHAO Yong, GUO Xiaodong, LIU Guole. An assurance model for access control on cloud computing systems[J]. Journal of Tsinghua University (Science and Technology), 2017, 57(4): 432-436.