Research on Formalized Description of Application Security


Authors: 张明德, 毕马宁[2], 王舜[3], 张清国[4]; BI Mailing; WANG Shun; ZHANG Qingguo; ZHANG Mingde (China Volant Industry Co., Ltd, Beijing 100080, China; The Third Institute of Ministry of Public Security, Shanghai 200031, China; People's Public Security University of China, Beijing 102623, China; Standardization Administration of PRC, Beijing 100088, China)

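Affiliations: [1] China Volant Industry Co., Ltd, Beijing 100080; [2] The Third Institute of Ministry of Public Security, Shanghai 200031; [3] People's Public Security University of China, Beijing 102623; [4] Standardization Administration of PRC, Beijing 100088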

Source: Netinfo Security (《信息网络安全》), 2016, No. 10, pp. 47-53 (7 pages)

Abstract: With the gradual increase of applications within organizations, the issues of application-security have become increasingly prominent. Due to the complexity and variety of applications and their security, how to reasonably express application-security becomes a difficult problem. Existing research on application-security focuses only on some aspects or lacks pertinence, and there is still no systematically formalized model for application-security at present. This paper presents a formalized description for applications through analyzing the subject-object access mechanism and distinguishing business functions, security functions and application policies. Then formalized descriptions for the two most common security functions (authentication and authorization) are given. In authorization, based on the concept of secrecy introduced, three kinds of roles (position role, business role and secrecy role) and the object's degrees of secrecy are analyzed, and authority manager, authority verifier and authority relying party are differentiated. Meanwhile, four unified management policies and their formalized description are proposed through the introduction of users' identity information and a unified portal.

Keywords: application security; authentication; authorization; unified management

Classification number: TP309 [Automation and Computer Technology: Computer System Architecture]

 
