
Approach of Usage Control Enforcement Based on Trusted Computing (cited by: 1)
Abstract: The usage control (UCON) model enhances traditional access control models by providing continuous protection of object access. Existing research on usage control enforcement mechanisms leverages trusted computing techniques to ensure that policy enforcement is trusted, but this work lacks adequate support for decision continuity. This paper proposes a novel architecture for a trusted usage control system, which supports decision continuity by continuously monitoring system changes and controlling object resources during the usage period. It also proposes a model-based behavior attestation method that uses the TCM (trusted cryptography module) chip as the root of trust to measure the dynamic behavior of the usage control system, ensuring that policy enforcement is trustworthy. Finally, the architecture is implemented in the operating system kernel to control the usage of files. The evaluation shows that the proposed system supports continuity of access decision evaluation and detects violations and attack behavior in a timely manner.
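Authors: Zhai Xiang (翟翔), He Yeping (贺也平)
Source: Journal of Frontiers of Computer Science and Technology (《计算机科学与探索》), CSCD, Peking University Core Journal, 2015, No. 8, pp. 954-962 (9 pages)
Funding: National Science and Technology Major Project ("Core Electronic Devices, High-end Generic Chips and Basic Software", 核高基), No. 2012ZX01039-004
Keywords: trusted computing; usage control; decision continuity; remote attestation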

