
A Novel Access Control Policy Specification Language and Its Permission Classification Method

Cited by: 13
Abstract

The RESTful interfaces of cloud platforms are often exposed on the Internet. To secure cloud resources and prevent data leakage and unauthorized access, security policies must be enforced to control access to these interfaces. However, RESTful interfaces currently lack a unified access control policy specification language and a corresponding permission classification mechanism. This leads to two problems: (1) users have to learn different policy languages to manage permissions on different cloud platforms; (2) cloud service providers lack fine-grained access control over RESTful interfaces, which does not conform to the principle of least privilege. To address this, the paper proposes a new access control policy specification language. The language defines a standard RESTful request format, so that a sample policy can be constructed directly from a RESTful request, giving RESTful interface access control a syntactically consistent policy language. On the basis of this language, the paper then proposes a RESTful permission classification method based on a genetic algorithm, in which a two-dimensional matrix represents one permission classification and serves as an individual in the genetic algorithm's population. It then defines the selection, mutation and crossover operators, proposes three principles for permission classification (number of categories, test case coverage, and permission overlap), and designs the fitness function. The paper gives a reference implementation of the policy language's evaluation mechanism on the OpenStack cloud platform, which verifies the feasibility of the method. Experimental results show that, compared with the original OpenStack policy, the policy evaluation overhead is reduced by 19.4%. In terms of learning cost, compared with the XACML policy language, the proposed policy reduces the policy design cost for policy administrators by 41.6%. The permission classification method produces understandable results that match user expectations, and so provides guidance for cloud service providers in classifying permissions.

Cloud computing platforms usually employ representational state transfer (REST) interfaces to expose their services to the Internet, including computing, storage and network services. To avoid data leaks and unauthorized access, service providers prefer to control access to the cloud interface through security policy enforcement. However, there is no widely accepted standard for the authorization of cloud public interfaces, including the security policy language and the corresponding permission classification method. In a cloud, besides the cloud provider, a tenant can modify its own policy too. Without a unified authorization language, tenants have to learn and design different security policies if they want to use multiple clouds. To address this issue, in this paper we propose a novel access control language to control access to a cloud interface. An automatic policy generation algorithm is proposed to generate access control policies from cloud requests. It reduces human intervention in the policy design process. The generated policy can be used to assign permissions to certain groups or roles for fine-grained access control, so that when one administrator account is compromised, the adversary can only use the permissions assigned to that administrator, which reduces the attack surface. A permission classification method based on matrix operations is proposed to solve the permission classification issue. The integration test is an important input of our algorithm. This dependency on the integration test does not affect our method's applicability, because nowadays most large-scale software, such as a cloud platform, is already shipped with a complete integration test set. Our permission classification method supports three goals: the expected number of classification groups, the coverage of the original management tasks, and the number of permission overuses. The expected number of classification groups can be customized by the cloud provider. The coverage of the original management tasks reflects how completely the resulting categories of permissions cover the original cloud management tasks. The number of permission overuses reflects how well the resulting categories conform to the principle of least privilege. These three goals contradict each other, and it is difficult to propose a straightforward algorithm that gives a balanced permission classification result for all three, so we choose to use a heuristic algorithm. We implement a prototype of our policy language's enforcement mechanism on a popular open-source cloud platform called OpenStack to show the effectiveness and performance of our method. Compared to the original OpenStack policy, the enforcement overhead of our policy is reduced by 19.4%. For usability, we compared our language to a popular authorization policy language called XACML. Through an experiment with policy designers of different levels, we find that our language can cut the learning cost by about 41.6% compared to XACML. Our permission classification method can also provide a reasonable classification result for permissions, which can be used as an important reference when the cloud provider manages the security tasks for a cloud. The overhead of running the algorithm is acceptable in a real cloud environment.
Authors: LUO Yang (罗杨); SHEN Qing-Ni (沈晴霓); WU Zhong-Hai (吴中海) (School of Software and Microelectronics, Peking University, Beijing 102600; National Engineering Research Center for Software Engineering, Peking University, Beijing 100871)

Source: Chinese Journal of Computers (《计算机学报》), indexed in EI, CSCD and the Peking University Core Journals list, 2018, Issue 6, pp. 1189-1206 (18 pages)

Funding: Supported by the National Natural Science Foundation of China (61232005, 61672062) and the National High Technology Research and Development Program of China ("863" Program) (2015AA016009)

Keywords: cloud security; permission management; permission classification; permission analysis; authorization policy; cloud computing
