DAC (Discretionary Access Control Policy) is access control based on ownership relations between subject and object, the subject can discretionarily decide on that who, by what methods, can access his owns object. I...DAC (Discretionary Access Control Policy) is access control based on ownership relations between subject and object, the subject can discretionarily decide on that who, by what methods, can access his owns object. In this paper, the system time is looked as a basic secure element. The DAC_T (Discretionary Access Control Policy with Time Character) is presented and formalized. The DAC_T resolves that the subject can discretionarily decide that who, on when, can access his owns objects. And then the DAC_T is implemented on Linux based on GFAC (General Framework for Access Control), and the algorithm is put forward. Finally, the performance analysis for the DAC T Linux is carried out. It is proved that the DAC T Linux not only can realize time constraints between subject and object but also can still be accepted by us though its performance have been decreased.展开更多
Fine-grained access control (FGAC) must be supported by relational databases to satisfy the requirements of privacy preserving and Internet-based applications.Though much work on FGAC models has been conducted,there a...Fine-grained access control (FGAC) must be supported by relational databases to satisfy the requirements of privacy preserving and Internet-based applications.Though much work on FGAC models has been conducted,there are still a number of ongoing problems.We propose a new FGAC model which supports the specification of open access control policies as well as closed access control policies in relational databases.The negative authorization is supported,which allows the security administrator to specify what data should not be accessed by certain users.Moreover,multiple policies defined to regulate user access together are also supported.The definition and combination algorithm of multiple policies are thus provided.Finally,we implement the proposed FGAC model as a component of the database management system (DBMS) and evaluate its performance.The performance results show that the proposed model is feasible.展开更多
为保障铁路系统的信息安全,文章提出一种铁路运行环境下可信根实体(Entity of Root of Trust,ERT)的软件化技术,在内核中实现强制访问控制功能,通过操作系统内核的修改或扩展,实现更为细粒度和强大的权限管理。同时考虑到轻量级场景下...为保障铁路系统的信息安全,文章提出一种铁路运行环境下可信根实体(Entity of Root of Trust,ERT)的软件化技术,在内核中实现强制访问控制功能,通过操作系统内核的修改或扩展,实现更为细粒度和强大的权限管理。同时考虑到轻量级场景下部分设备存在计算能力弱、存储空间有限和电源供应不稳定等问题,提出一种轻量级可信计算体系,最大程度满足可信计算要求。通过实施内核级的强制访问控制和轻量级的可信计算体系改造,缓解未知风险对关键信息基础设施的威胁,为铁路系统的安全性提供保障。展开更多
为满足社会性、交互性、动态性极强的各种社交场景应用需求,将在线社交网络与社会情境中的环境、身份、行为、意愿等关键要素相结合,提出一种融合社会情境的访问控制模型SSAC(social situational access control model),在此基础上提出...为满足社会性、交互性、动态性极强的各种社交场景应用需求,将在线社交网络与社会情境中的环境、身份、行为、意愿等关键要素相结合,提出一种融合社会情境的访问控制模型SSAC(social situational access control model),在此基础上提出当下社交网络安全热点场景——虚假信息传播控制的访问控制方案。根据用户历史行为,推测用户下一步是否具有传播虚假信息的潜在意图,结合安全策略对其进行细粒度的访问权限控制。通过模型对比分析表明了SSAC模型具有较为全面的访问控制特征,通过原型系统应用验证了该模型的安全性、可用性和优越性。展开更多
基金Supported by the National 863 Broad Band VPN Project (No.863-104-03-01)
文摘DAC (Discretionary Access Control Policy) is access control based on ownership relations between subject and object, the subject can discretionarily decide on that who, by what methods, can access his owns object. In this paper, the system time is looked as a basic secure element. The DAC_T (Discretionary Access Control Policy with Time Character) is presented and formalized. The DAC_T resolves that the subject can discretionarily decide that who, on when, can access his owns objects. And then the DAC_T is implemented on Linux based on GFAC (General Framework for Access Control), and the algorithm is put forward. Finally, the performance analysis for the DAC T Linux is carried out. It is proved that the DAC T Linux not only can realize time constraints between subject and object but also can still be accepted by us though its performance have been decreased.
基金Project (No.2006AA01Z430) supported by the National High-Tech Research and Development Program (863) of China
文摘Fine-grained access control (FGAC) must be supported by relational databases to satisfy the requirements of privacy preserving and Internet-based applications.Though much work on FGAC models has been conducted,there are still a number of ongoing problems.We propose a new FGAC model which supports the specification of open access control policies as well as closed access control policies in relational databases.The negative authorization is supported,which allows the security administrator to specify what data should not be accessed by certain users.Moreover,multiple policies defined to regulate user access together are also supported.The definition and combination algorithm of multiple policies are thus provided.Finally,we implement the proposed FGAC model as a component of the database management system (DBMS) and evaluate its performance.The performance results show that the proposed model is feasible.
文摘为保障铁路系统的信息安全,文章提出一种铁路运行环境下可信根实体(Entity of Root of Trust,ERT)的软件化技术,在内核中实现强制访问控制功能,通过操作系统内核的修改或扩展,实现更为细粒度和强大的权限管理。同时考虑到轻量级场景下部分设备存在计算能力弱、存储空间有限和电源供应不稳定等问题,提出一种轻量级可信计算体系,最大程度满足可信计算要求。通过实施内核级的强制访问控制和轻量级的可信计算体系改造,缓解未知风险对关键信息基础设施的威胁,为铁路系统的安全性提供保障。
文摘为满足社会性、交互性、动态性极强的各种社交场景应用需求,将在线社交网络与社会情境中的环境、身份、行为、意愿等关键要素相结合,提出一种融合社会情境的访问控制模型SSAC(social situational access control model),在此基础上提出当下社交网络安全热点场景——虚假信息传播控制的访问控制方案。根据用户历史行为,推测用户下一步是否具有传播虚假信息的潜在意图,结合安全策略对其进行细粒度的访问权限控制。通过模型对比分析表明了SSAC模型具有较为全面的访问控制特征,通过原型系统应用验证了该模型的安全性、可用性和优越性。