
A Trusted Recovery Model for Assurance of Integrity Policy Validity (cited by: 2)
Abstract: Fusing multiple policies is an important topic in access-control research, and trusted recovery is a required function of high-assurance secure operating systems. Access control is one of the main protection mechanisms of current mainstream operating systems: it mediates every request for the resources and data a system maintains and decides whether the request is granted or denied, with the decision enforced by a mechanism that implements the rules laid down by a security policy. Mainstream operating systems are inadequate at enforcing several such policies at the same time, and an overly strict policy is hard to deploy in practice. The objective of trusted recovery is to preserve the security and accountability properties of a system in the face of failures. To overcome the limits of strict access-control policies, this paper proposes a trusted recovery model that guarantees the validity of the integrity policy after recovery. First, the framework of the model is given: using a multi-model fusion approach, the type enforcement (TE) and role-based access control (RBAC) models are reconstructed and configured so as to realize the formal Clark-Wilson integrity policy model and its extension PCW (Povey's Clark-Wilson). Second, taking the specific characteristics of a file system into account, the paper presents two classes of recovery algorithm, static and run-time, described as a conservative and an optimistic recovery policy respectively: by analysing the audit log and undoing malicious operations, the file system is brought back to its last consistent secure state. The method restores a secure state after failures, improves the availability of the system, and is an important exploration toward the design and implementation of trusted recovery mechanisms for China's own high-assurance secure operating systems.
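The abstract describes log-based recovery under two policies but, being an abstract, gives no algorithm. The following is an added example written for this page (not code from the paper or its authors) that sketches what such a recovery step looks like. Its assumptions: every write in the audit log carries the file's before- and after-image and the (role, transformation procedure, CDI) triple under which it was issued; the run-time policy was relaxed to audit-only, so an uncertified write is recorded rather than denied and has to be found from the log afterwards; "conservative" rolls back every write from the first malicious one on, while "optimistic" rolls back only malicious writes and writes by subjects that read tainted data (the usual intrusion-recovery dependency rule, assumed here rather than taken from the paper). The log entries, paths, roles and TP names are constructed for the example.

```python
"""Added example: log-based trusted recovery of a file system under a
conservative and an optimistic policy. Not from the paper; the access
triples, log entries and the taint rule below are assumptions."""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class Entry:
    seq: int
    subject: str
    role: str                       # RBAC role the subject was active in
    tp: str                         # program (TE domain / Clark-Wilson TP) that issued the request
    op: str                         # "read" or "write"
    path: str                       # the CDI that was touched
    before: Optional[str] = None    # content before a write; None = file did not exist
    after: Optional[str] = None     # content after a write


# Clark-Wilson access triples (role, TP, CDI) that the system certified (assumed).
CERTIFIED: Set[Tuple[str, str, str]] = {
    ("admin", "confd", "/etc/app.conf"),
    ("app", "cached", "/var/app/cache"),
    ("user", "editor", "/home/carol/notes"),
    ("admin", "motd-updater", "/etc/motd"),
}

# Constructed audit log. Entry 2 is an uncertified write that got through
# because enforcement was relaxed; entry 4 is written by a subject that read
# the tainted file; entry 7 is a clean blind overwrite of the tainted cache.
LOG = [
    Entry(1, "alice", "admin", "confd", "write", "/etc/app.conf", "level=1", "level=2"),
    Entry(2, "mallory", "user", "shell", "write", "/etc/app.conf", "level=2", "level=9;backdoor=1"),
    Entry(3, "bob", "app", "cached", "read", "/etc/app.conf"),
    Entry(4, "bob", "app", "cached", "write", "/var/app/cache", None, "level=9"),
    Entry(5, "carol", "user", "editor", "write", "/home/carol/notes", None, "todo"),
    Entry(6, "dave", "admin", "motd-updater", "write", "/etc/motd", "hi", "hello"),
    Entry(7, "eve", "app", "cached", "write", "/var/app/cache", "level=9", "reset"),
]


def malicious_entries(log) -> Set[int]:
    """Writes whose (role, TP, CDI) triple was never certified."""
    return {e.seq for e in log if e.op == "write" and (e.role, e.tp, e.path) not in CERTIFIED}


def conservative_undo_set(log, malicious: Set[int]) -> Set[int]:
    """Conservative policy: roll back every write from the first malicious one onwards."""
    if not malicious:
        return set()
    first = min(malicious)
    return {e.seq for e in log if e.op == "write" and e.seq >= first}


def optimistic_undo_set(log, malicious: Set[int]) -> Set[int]:
    """Optimistic policy: roll back malicious writes and the writes that depend on them."""
    tainted_paths: Set[str] = set()
    contaminated: Set[str] = set()      # subjects that acted maliciously or read tainted data
    undo: Set[int] = set()
    for e in sorted(log, key=lambda x: x.seq):
        if e.op == "read":
            if e.path in tainted_paths:
                contaminated.add(e.subject)
        elif e.seq in malicious or e.subject in contaminated:
            undo.add(e.seq)
            contaminated.add(e.subject)
            tainted_paths.add(e.path)
        else:
            tainted_paths.discard(e.path)   # a clean blind overwrite replaces the tainted content
    return undo


def replay(log) -> Dict[str, str]:
    """Current content of every file the log touched (state before recovery)."""
    state: Dict[str, str] = {}
    for e in sorted(log, key=lambda x: x.seq):
        if e.op == "write":
            state[e.path] = e.after
    return state


def undo_writes(log, undo: Set[int]) -> Dict[str, str]:
    """Restore before-images in reverse log order for the writes being undone.
    An undone write is skipped when a kept write to the same path came later,
    because its effect has already been overwritten by legitimate content."""
    state = replay(log)
    overwritten: Set[str] = set()
    for e in sorted(log, key=lambda x: -x.seq):
        if e.op != "write":
            continue
        if e.seq not in undo:
            overwritten.add(e.path)
        elif e.path not in overwritten:
            if e.before is None:
                state.pop(e.path, None)
            else:
                state[e.path] = e.before
    return state


def recover(log, policy: str) -> Dict[str, str]:
    """Recovered file-system state under "conservative" or "optimistic"."""
    malicious = malicious_entries(log)
    chooser = conservative_undo_set if policy == "conservative" else optimistic_undo_set
    return undo_writes(log, chooser(log, malicious))


if __name__ == "__main__":
    for policy in ("conservative", "optimistic"):
        print(policy, recover(LOG, policy))
```

The conservative run discards carol's and dave's unrelated work and eve's cache reset along with the backdoored configuration; the optimistic run keeps all three and removes only mallory's write and bob's cache entry derived from it, which is the availability gain the abstract is after, at the cost of trusting the dependency tracking to be complete.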
Source: Journal of Computer Research and Development (计算机研究与发展), 2014, No. 2, pp. 360-372 (13 pages). Indexed in EI and CSCD; Peking University core journal list.
Funding: National Basic Research Program of China (973 Program) (2011CB302600); National High-Tech R&D Program of China (863 Program) (2011AA010601); National Key Technology R&D Program (2012BAH45B01); National Natural Science Foundation of China (61271275, 61370211).
Keywords: information security; secure operating system; integrity policy; trusted recovery; access control.