摘要
该文指出了Sandhu等人提出的以基于角色的访问控制 (Role BasedAccessControl,RBAC)实施强制访问控制 (MandatoryAccessControl,MAC)策略的方法存在拒绝服务 (DenialofService ,DoS)和给主体赋予过多权限等错误 ,且缺乏对经典BLP模型的充分的支持 .为此作者提出了一种改进的方法———ISandhu方法 ,引入了辅助角色层次 ,加强了角色间关系并提供了对可信主体概念的支持 .此方法修正了原有方法的错误 ,在RBAC中实施了经典的BLP模型及其变种模型以满足实际需求 ,保证了强制访问控制策略的正确实施 ,为在大量商业系统中以较小的代价引入强制访问控制提供了理论依据 .
The existing classical method of enforcing BLP model in Role-based Access Control (RBAC) model presented by Sandhu et al. is researched and analyzed. Some errors of it are revealed, such as denial of service, over many privileges may be granted to the subjects, etc. Additionally, it also lacks of enough support to the classical BLP model. An improved method called ISandhu method is presented; it introduces assistant role hierarchies, strengthens role relations, and provides the support to the notation of trusted subject. Based on this method, the mistakes of the original method are revised and the classical BLP model and some variations of it are enforced in RBAC to meet the practical requirements. As results, the exact enforcement of mandatory access control (MAC) in RBAC is guaranteed and the theoretical foundation for adopting MAC in a large amount of commercial systems with small cost is offered.
出处
《计算机学报》
EI
CSCD
北大核心
2004年第5期636-644,共9页
Chinese Journal of Computers
基金
国家"八六三"高技术研究发展计划项目基金 (2 0 0 2AA14 10 80 )
国家自然科学基金 (60 0 73 0 2 2
60 3 73 0 5 4)
中国科学院知识创新工程项目基金 (KGCX1 0 9)资助