计算机科学 ›› 2014, Vol. 41 ›› Issue (3): 1-11.
• 综述 • 下一篇
吴迎红,黄皓,曾庆凯
WU Ying-hong,HUANG Hao and ZENG Qing-kai
摘要: 策略精化是面向服务分布式应用访问控制策略配置的重要方法。分析了现有策略精化技术,包括系统和策略分层描述、推导下层协同控制策略的方法、策略精化中的策略冲突分析与消解方法、策略精化完全性和一致性、纵深防御协同策略一致性、应用策略组合与互斥约束等策略之间的关联属性分析方法。通过分析发现,策略关联属性分析能力不足是影响精化能力的关键问题。进一步分析了现有策略冲突分析技术的关联属性分析、分布式应用适用性和计算可扩展性。基于分析结果,提出了一些提高策略精化能力以适应面向服务的分布式应用的研究问题。
[1] http://www.ibm.com/developerworks/webservices/library/ws-soa-design1/ [2] Sloman M.Policy Driven Management For Distributed Systems[J].Journal of Network and Systems Management,1994,2(4) [3] Zapthink.The SOA Management Landscape.http://www.zapthink.com/2006/11/30/the-soa-management-landscape/ [4] Wies R.Using a Classification of Management Policies for Policy Specification and Policy Transformation[C]∥Proceedings of the IFIP/IEEE International Symposium on Integrated Network Management.May 1995 [5] Maullo M J,Calo S B.Policy management:an architecture and approach[C]∥Proceedings of the IEEE First International Workshop on Systems Management.1993 [6] Pieters W,Dimkov T,Pavlovic D.Security Policy Alignment:A Formal Approach[J].IEEE System Journal,2012,7(2):275-287 [7] Karat J,Karat C-M,Bertino E,et al.A policy framework for security and privacy management[J].IBM Journal Research & Development,2009,53(2):4 [8] Phan T,et al.CA Survey of Policy-Based Management Approaches for Service Oriented Systems[C]∥19th Australian Conf.Software Eng.(ASWEC 2008).2008 [9] Kamienski C,et al.Unleashing the power of policies for service-oriented computing[C]∥Network and Service Management (CNSM).2011 [10] de Albuquerque J P,Krumm H,de Geus P L,et al.Formal validation of automated policy refinement in the management of network security systems[J].International Journal of Information Security,2010,9(2) [11] The Open Group.SLA Management Handbook[M].October2004,4 [12] Mont C,Baldwin M,Goh A,et al.POWER prototype:towards integrated policy-based management[C]∥Network Operations and Management Symposium,IEEE/IFIP.2000 [13] Menzel M,Meinel C.A Security Meta-Model for Service-oriented Architectures[C]∥2009IEEE International Conference on Services Computing.2009 [14] Lang U.OpenPMFSCaaS:Authorization as a Service for Cloud & SOA Applications[C]∥2nd IEEE International Conference on Cloud Computing Technology and Science.2010 [15] Menzel M,Thomas I,Meinel C.Security Requirements Specification in Service-oriented Business Process Management[C]∥2009International Conference on Availability,Reliability and Security.2009 [16] Johnson M,Karat J,Karat C-M,et al.Usable Policy Template Authoring forIterative Policy Re?nement[C]∥2010IEEE International Symposium on Policies for Distributed Systems and Networks.2010 [17] Aziz B,Arenas A E,Wilson M.Model-Based Refinement of Security Policies in Collaborative Virtual Organisations[C]∥3rd Int.Symp.,ESSoS.Berlin Heidelberg:Springer-Verlag,2011 [18] Kumari P,Pretschner A.Deriving Implementation-level Policiesfor Usage Control Enforcement[C]∥CODASPY 2012ACM.2012 [19] Zhao Hang,Lobo J,Roy A,et al.Policy Refinement of Network Services for MANETs[C]∥12th IFIP/IEEE International Symposium on Integrated Network Management.2011 [20] Su Lin-ying,et al.Automated Decomposition of Access Control Policies[C]∥POLICY 2005IEEE.2005 [21] Basin D,et al.Model Driven Security:From UML Modelsto Ac-cess Control Infrastructures[J].ACM Transactions on Software Engineering and Methodology,2006,15(1) [22] Jayaraman K,Ganesh V,Tripunitara M,et al.Automatic Error Finding in Access-Control Policies[C]∥CCS 2011ACM.2011 [23] Lampson B,Abadi M,Burrows M,et al.Authentication in Distributed Systems:Theory and Pratice[J].ACM Trans.Compu-ter Systems,1992,0(4):265-310 [24] Abadi M,Burrows M,Lampson B,et al.A Calculus for Access Control in Distributed Systems[J].ACM Transactions on Programming Languages and Systems,1993,5(4) [25] Barrère F,Benzekri A,Grasset F,et al.SPIDERNet:the Security Policy Derivation for Networks tool[C]∥3rd IEEE Latin America Network Operations and Management Symposium (LANOMS) [26] Davy S,Jennings B.Harnessing Models for Policy Confiict Ana-lysis[C]∥Proc.Autonomous Infrastructure,Management and Security,AIMS.2007 [27] Davy S,Jennings B,Strassner J.Application Domain Independent Policy Confiict Analysis Using Information Models[C]∥Proc.IEEE/IFIP Network Operations and Management Symposium.2008 [28] Barrett K,Davy S,Strassner J,et al.A Model Based Approach for Policy Tool Generation and Policy Analysis[C]∥Proc.IEEE Global Information Infrastructure Symposium.2007 [29] Davy S,Jennings B,Strassner J.Policy Confiict Prevention via Model-driven Policy Refinement[C]∥Proc.of the 17th IFIP/IEEE Distributed Systems:Operations and Management,DSOM.2006 [30] Davy S,Jennings B,Strassner J.On Harnessing InformationModels and Ontologies for Policy Confiict Analysis[C]∥Integrated Network Management.IM’09.IFIP/IEEE International Symposium.2009 [31] Fu Zhi,Wu Fe-lix.Automatic Generation of IPSec/VPN Security Policies In an Intra-Domain Environment[C]∥12th International Worshop on Distributed Systems.2001 [32] Fu Z,Wu S F,Huang H,et al.IPSec/VPN Security Policy:Correctness,Conflict Detection and Resolution[C]∥Proceedings of IEEE Policy 2001Workshop.2001 [33] Lück I,et al.Model-Based Tool-Assistance for Packet-Filter Design[C]∥POLICY 2001.2001 [34] Lück I,Vgel S,Krumm H.Model-Based Configuration ofVPNs[C]∥Network Operations and Management Symposium.2002 [35] OMG.MDA Guide Version 1.0.1[S] [36] McDougall M,Alur R,Gunter C A.AModel-Based Approach to Integrating Security Policies or Embedded Devices[C]∥EMSOFT’04.ACM,2004 [37] Nute D.Defeasible logic[J].Lecture Notes in Computer Science,2003,3:151-169 [38] Maher M J.Efficient defeasible reasoning systems[C]∥12thIEEE Int.Conf.on Tools with Artificial Intelligence.Vancouver,2000:384-392 [39] Chow R,Golle P,Jakobsson M,et al.Controlling Data in the Cloud:Outsourcing Computation without Outsourcing Control[C]∥CCSW’09.ACM,2009 [40] Boella G,van der Torre L.Security Policies for Sharing Know-ledge in Virtual Communities[J].IEEE Transactions on System,Man,and Cybernetics—Part A:Systems and Humans, 2006,36(3) [41] Boella G,van der Torre L.A game theoretic approach to contractsin multiagent systems[J].IEEE Trans.Syst.,Man,Cybern.C,Appl.Rev.,2006,36(1):68-79 [42] Broersen J,Dastani M,Hulstijn J,et al.Goal generation in the BOID architecture[J].Cogn.Sci.Q., 2002,2(3/4):428-447 [43] Belnap N D.A useful four-valued logic[J].Modern Uses of Multiple-Valued Logic,Episteme,1977,2:5-37 [44] Fitting M.Bilattices and the semantics of logic programming[J].Logic Program,1991,11(1/2):91-116 [45] Ginsberg M.Multi-valued logics:A uniform approach to reasoning[J].AIComput.Intell.,1988,4:256-316 [46] Boella G,van der Torre L.Permission and authorization in policies for virtual communities of agents[C]∥Proc.Agents and P2P Computing Workshop AAMAS,Lecture Notes in Computer Science.Berlin,Germany:Springer-Verlag,2004,3601:86-97 [47] Van Emden M H,Kowalski R A.The Semantics of PredicateLogic as a Programming Language[J].ACM,JACM,1976,23(4):733-742 [48] Baral C,Subrahmanian V.Stable and extension class theory for logic programs and default theories[J].Automat.Reas.,1992,8:345-366 [49] Van Gelder A.The alternating fixpoint of logic programs with negation[C]∥Proceedings of the 8th ACM SILACT-SICMOO-SILART Symposium on Principles of Database Systems.1989 [50] Jajodia S,Samarati P,Sapion M L,et al.Flexible Support for Multiple Access Control Policies[J].ACM Transactions on Database Systems,2001,26(2) [51] Gelfond M,Lifschitz V.The stable model semantics for logicprogramming[C]∥Proceedings of the 5th International Confe-rence and Symposium on Logic Programming (Seattle,Wash.).1988 [52] Bertino E,Buccafurri F,Ferrari E,et al.A logical framework for reasoning on data access control policies[C]∥Computer Security Foundations Workshop.IEEE,1999 [53] Przymusinski T.The Well-Founded Semantics Coincides WithThree-Valued Stable Semantics[J].Journal of Fundamenta Informaticae,1999,3(4):445-463 [54] Damianou N,Dulay N,Lupu E C,et al.The Ponder Policy Specification Language[C]∥Workshop on Policies for Distributed Systems and Networks.2001 [55] Barker S,Stuckey P J.Flexible Access Control Policy Specification with Constraint Logic Programming[J].ACM Transactions on Information and System Security,2003,6(4):501-546 [56] Bandara A K,Lupu E C,Russo A.Using Event Calculus to Formalise Policy Specification and Analysis[C]∥Proceedings of the 4th International Workshop on Policies for Distributed Systems and Networks (POLICY’03).IEEE,2003 [57] 王雅哲,冯登国.一种XACML规则冲突及冗余分析方法[J].计算机学报,2009,32(3) [58] Jaeger T,Zhang Xiao-lan,Edwards A.Policy Management U-sing Access Control Spaces[J].ACM Transactions on Information and System Security,2003,6(3):327-364 [59] Tidswell J E,Jaeger T.An Access Control Model for Simplifying Constraint Expression[C]∥Proceedings of the 7th ACM Conference on Computer and Communications Security [60] Zanin G,Mancini L V.Towards a Formal Model for Security Policies Specification and Validation in the SELinux System[C]∥SACMAT’04.ACM,2004 [61] Basile C,Cappadonia A,Lioy A.Network-Level Access Control Policy Analysis and Transformation[J].IEEE/ACM Transactions on Neworking,2012,20(4) [62] 姚键,茅兵,谢立.一种基于有向图模型的安全策略冲突检测方法[J].计算机研究与发展,2005(7) [63] 倪俊,陈晓苏,刘辉宇,等.网络安全策略求精一致性检测和冲突消解机制的研究[J].计算机科学,2011,38(2) |
No related articles found! |
|