Authors: Li Xiaofeng (李晓峰) [1,2], Feng Dengguo (冯登国) [1,2], He Yongzhong (何永忠) [1,3]
Affiliations: [1] State Key Laboratory of Information Security, Institute of Software, Chinese Academy of Sciences; [2] State Key Laboratory of Information Security, Graduate University of the Chinese Academy of Sciences, Beijing 100049; [3] School of Computer Science, Beijing Jiaotong University, Beijing 100044
Source: Journal of Computer Research and Development (《计算机研究与发展》), 2007, No. 5, pp. 729-736 (8 pages)
Funding: National Natural Science Foundation of China (60025205; 60373047); National "973" Key Basic Research and Development Program (G1999035802); National "863" High Technology Research and Development Program (2004AA147070)
Abstract: Because access policies and administrative policies are mixed together in XACML Admin, this paper proposes a matching scheme in which the PDP splits the policy tree into an access policy tree and an administrative policy tree to improve online decision performance. On that basis, following the logical meaning of delegation, a delegation graph is constructed and used to remove invalid nodes from the administrative policy tree and the access policy tree, so that invalid policies capable of causing denial-of-service attacks are not considered during online decision-making. In addition, given the defects in the current XACML Admin schema definition, an improved schema definition is proposed; it makes the handling of Delegates consistent with the processing rules for Subjects, Resources and the other elements of the XACML core specification, and allows administrative policies to be defined more effectively. Together these measures improve online decision performance and prevent denial-of-service attacks against the request decision process.
English abstract: Access policies and administrative policies are mixed together in the XACML administrative policy schema, which degrades decision-making performance. In the XACML administrative policy, whether a policy is trusted is checked while an access request is being decided, which exposes the decision process to denial-of-service (DoS) attacks. In this paper, a scheme is presented to improve online decision performance by dividing the policy tree into an access policy tree and an administrative policy tree, either in the policy decision point or in the policy repository. Based on the logical implication of delegation, a method of constructing a delegation graph is proposed. Invalid policies, those from which no path leads to a trusted policy, are deleted, so that policies created by attackers are no longer considered when deciding an access request and the policy decision point can resist such DoS attacks. In the XACML administrative policy, the delegation element is processed differently from the other elements of XACML; this is recognized as a bug in the administrative policy schema. An improved policy schema definition is presented to correct it, making the processing of delegations conform to the Subject, Resource and other elements of the XACML core and defining administrative policies more efficiently. Through these improvements, decision-making is accelerated and the policy decision point can resist DoS attacks to some extent.
Keywords: delegation policy; administrative policy; access control; XACML; information security
Classification: TP309.2 [Automation and Computer Technology: Computer System Architecture]