基于行为的结构化文档多级访问控制  被引量：17

作　　者：熊金波[1,2] 姚志强[1,2] 马建峰[1] 李凤华[3] 李琦[1] 

机构地区：[1]西安电子科技大学计算机学院西安710071 [2]福建师范大学软件学院福州350108 [3]:信息安全国家重点实验室中国科学院信息工程研究所北京100093

出　　处：《计算机研究与发展》2013年第7期1399-1408,共10页Journal of Computer Research and Development

基　　金：长江学者和创新团队发展计划基金项目(IRT1078);国家自然科学基金委员会-广东联合基金重点基金项目(U1135002);国家科技重大专项基金项目(2011ZX03005-002);国家“八六三”高技术研究发展计划基金项目(2012AA013102);国家自然科学基金项目(61170251);北京市自然科学基金项目(4102056);中央高校基本科研业务费专项基金项目(JY10000903001);福建省自然科学基金项目(2011J01339);福建省教育厅科技项目(JA12078,JB11034)

摘　　要：针对当前云计算环境中因缺乏多级安全机制而使结构化文档容易产生信息泄露和非授权访问等问题,提出基于行为的多级访问控制(action-based multilevel access control model,AMAC)模型并给出策略的形式化描述.利用信息流中的不干扰理论建立AMAC不干扰模型,并证明AMAC模型中多级访问控制策略的安全性.与已有访问控制模型的比较与分析表明,AMAC模型既可以利用角色、上下文和用户访问行为以提高访问控制策略的灵活性,还可以依据用户,用户访问行为和结构化文档的安全等级实现多级安全机制.Cloud computing is a promising computing paradigm which has recently drawn extensive attention from both academia and industry. Meanwhile, structured document plays a vital role as information carrier in cloud computing. Therefore apparently, secure access to structured document is a key technology for the quality control of cloud services. In order to prevent information leakage and unauthorized access to the structured document, which is a common problem caused by lack of the multilevel security mechanism in current cloud computing environment, we propose an action-based multilevel access control model （referred to as the AMAC） and provide a formal description of access control policies. In our AMAC model, we employ noninterference theory in the information flow to establish AMAC noninterference model, and prove the security of multilevel access control policies in our AMAC model. Comparison and analysis with the existing access control models demonstrate that the AMAC model not only improves the flexibility of access control policies on the basis of roles, contexts and access actions, but also realizes multilevel security mechanism in terms of the security levels of the user, the access actions and the structured document.

关 键 词：多级安全 多级访问控制 结构化文档 不干扰理论 云计算 访问行为 

分 类 号：TP309[自动化与计算机技术—计算机系统结构]