访问控制技术现状及展望

doi:10.3969/j.issn.1671-1122.2016.12.004

摘要/Abstract

摘要：

访问控制是信息安全的关键技术之一,它依赖于其他安全服务并与这些服务共存于信息系统中,从而保障信息的安全。为了有助于访问控制技术研究、发展及推广应用,文章在对访问控制技术原理及发展历程研究的基础上,介绍了当前实际应用的主流访问控制技术,如自主访问控制、强制访问控制和基于角色的访问控制,并探讨了访问控制技术的发展方向,包括基于属性和策略的访问控制、风险自适应的访问控制和新一代访问控制。针对访问控制技术的发展和实际应用情况,提出应该在加强有关基础研究的同时,开展符合中国国情的访问控制标准化、规范化研究和建设。

关键词: 访问控制, 访问控制策略, 风险自适应, 安全策略

Abstract:

Access control is one of the key technologies of information security. It relies on other security services and coexists with these services in the information system, so as to ensure the security of information. In order to help research, development and adoption of access control technologies, based on study of access control technology and its development course, some meaningful access control technologies in practical applications are introduced, like discretionary access control, mandatory access control and role-based access control. Then some directions of access control technology development are discussed, including attribute and policy-based access control, risk-adaptable access control and next generation access control. For the development and practical application of access control, we should strengthen the basic research on the same time, in line with the situation in China to carry out access control standardization, deployment, application research and construction.

Key words: access control, access control policy, risk adaptable, security policy

中图分类号:

TP393.09

罗霄峰, 王文贤, 罗万伯. 访问控制技术现状及展望[J]. 信息网络安全, 2016, 16(12): 19-27.

Xiaofeng LUO, Wenxian WANG, Wanbo LUO. The Retrospect and Prospect of Access Control Technology[J]. Netinfo Security, 2016, 16(12): 19-27.

参考文献 80

[1]	罗万伯,刘嘉勇,戴宗坤,等. 信息安全应用基础[M]. 重庆:重庆大学出版社,2005.
[2]	戴宗坤,刘永澄,罗万伯,等. 英汉网络信息安全辞典[M]. 北京:电子工业出版社,2003.
[3]	LAMPSON B W.Dynamic Protection Structures [C] // American Federation of Information Processing Societies. Proceedings of AFIPS Fall Joint Computer Conference, November 18-20, 1969, Las Vegas, Nevada, USA. New Jersey: American Federation of Information Processing Societies Press, 1969: 27-38.
[4]	ADAMS C.Access Control: Current Approaches and New Challenges[C]// The Ottawa Centre for Research and Innovation. New Challenges for Access Control Workshop, April 27, 2005, Ottawa, ON, Canada. Ottawa: The Ottawa Centre for Research and Innovation, 2005: 1-5.
[5]	ANDERSON J P.Computer Security Technology Planning Study[R]. Bedford, MA, USA: Air Force Systems Command (USAF), ESD-TR-73-51, Vol. II, Oct. 1972.
[6]	BELL D E, PADULA L L. Secure Computer Systems: Mathematical Foundations[R]. Bedford,MA,USA: The MITRE Corporation,MITRE Technical Report2547, Vol. 1, 1973.
[7]	HARRISON M A, RUZZO W L, ULLMAN J D.Protection in operating systems[J]. Communications of ACM, 1976, 19(8): 461-471.
[8]	BIBA K.Integrity Considerations for Secure Computer Systems[R]. Bedford, MA, USA: MITRE Corporation, Technical Report MTR-3153,30 June 1975.
[9]	DoD 5200.28-STD Trusted computer system evaluation criteria[S]. Virginia: United States Department of Defense, 1985.
[10]	CLARK D D, WILSON D R.A Comparison of Commercial and Military computer Security Policies[C]//IEEE Computer Society. IEEE Symposium on Security and Privacy, April 27, 1987, Oakland, California, USA. Washington, USA: IEEE Computer Society, 1987:184-194.
[11]	BREWER D F C,NASH M J. The Chinese Wall Security Policy[C]// IEEE Computer Society. IEEE Symposium on Security and Privacy, May 1-3, 1989, Oakland, California, USA. Washington, USA: IEEE Computer Society, 1989:206-214.
[12]	FERRAIOLO D, KUHN D R.Role-Based access control[C]//American National Standards Institute. 15th National Computer Security Conference, October 13-16, 1992, Baltimore, MD, USA. Maryland, USA: American National Standards Institute, 1992: 554-563.
[13]	SANDHU R, COYNE E J, FEINSTEIN H L, et al.Role-Based Access Control Models[J]. IEEE Computer, 1996, 29(2): 38-47.
[14]	SANDHU R, BHAMIDIPATI V, MUNAWER Q.The ARBAC97 Model for Role-based Administration of Roles[J]. ACM Trans. on Information and System Security, 1999, 2(1): 105-135.
[15]	SANDHU R, MUNAWER Q.The ARBAC99 Model for Administration of Roles[C]//IEEE Computer Society. 15th Annual Computer Security Applications Conference, December 6-10, 1999, Scottsdale, AZ, USA. Washington, USA: IEEE Computer Society, 1999:229-238.
[16]	FERRAIOLO D F, SANDHU R, GAVRILA S.Proposed NIST Standard for Role-based Access Control[J]. ACM Trans. on Information and Systems Security (TISSEC), 2001, 4(3): 224-274.
[17]	THOMAS R K, SANDHU R S.Task-Based Authentication Control (TBAC): A Family of Models for Active an Enterprise-oriented Authentication Management[C]//International Federation for Information Processing. 11th IFIP Conference on Database Security, August 11-13, 1997, Lake Tahoe, California, USA. London, United Kingdom: Chapman & Hall, 1997:11-13.
[18]	OH S, PARK S.Task-Role-Based Access Control Model[J]. Information System, 2003, 28(6):533-562.
[19]	ANDERSON R J.A Security Policy Model for Clinical Information Systems[C]//IEEE Computer Society. IEEE Symposium on Security and Privacy, May 6-8, 1996, Oakland, California, USA. Washington, USA: IEEE Computer Society, 1996: 30-43.
[20]	郑周,张大军,李运发.云计算中面向数据存储的安全访问控制机制[J]. 信息网络安全,2015(9):221-226.
[21]	WINSBOROUGH W H, JACOBS J .Automated Trust Negotiation in Attribute-based Access Control[C]//IEEE Computer Society. DARPA Information Survivability Conference and Exposition - Volume II, April 22-24, 2003, Washington, DC USA. Washington, USA: IEEE Computer Society, 2003:252.
[22]	DUAN Haixin, WU Jianping, LI Xing.Policy-Based Access Control Framework for Large Networks[C]//IEEE Computer Society. Eighth IEEE International Conference on Networks, September 5-8, 2000, Singapore. Washington, USA: IEEE Computer Society, 2000: 267-272.
[23]	PARK J, SANDHU R.Towards Usage Control Models: Beyond Traditional Access Control[C]//Association for Computing Machinery. 7th ACM Symposium on Access Control Models and Technologies, June 3-4, 2002, California, USA. NY, USA: ACM, 2002: 57-64.
[24]	SANDHU R, PARK J.Usage control: A Vision for Next Generation Access Control[C]//St. Petersburg Institute for Informatics and Automation, Binghamton University (SUNY). 2nd International Workshop on Mathematical Methods, Models and Architectures for Computer Networks Security, September 21-23, 2003, St. Petersburg, Russia. Berlin: Springer-Verlag, 2003:17-31.
[25]	PARK J, SANDHU R.The UCONABC Usage Control Model[J]. ACM Trans. on Information and System Security, 2004, 7(1):128-174.
[26]	KALAM A A E, BAIDA R E, BALBIANI P, et al. Organization Based Access Control[C]//IEEE Computer Society. IEEE 4th International Workshop on Policies for Distributed Systems and Networks (Policy 2003), June 4-6, 2003,Lake Come, Italy. Washington, DC, USA: IEEE Computer Society, 2003.
[27]	JASON Program Office.Horizontal Integration: Broader Access Models for Realizing Information Dominance [R]. McLean, Virginia: The MITRE Corporation, JSR-04-132,December 2004.
[28]	BARKER S, SERGOT M J, WIJESEKERA D.Status-based Access Control[J]. ACM Transactions on Information and Systems Security, 2008, 12(1):1-47.
[29]	GIUNCHIGLIA F, ZHANG R, CRISPO B.RelBAC: Relation- based Access Control[C]//IEEE Computer Society. Fourth International Conference on Semantics, Knowledge and Grid, December 3-5, 2008, Beijing, China. Washington, DC, USA: IEEE Computer Society, 2008: 3-11.
[30]	FONG P W L. Relationship-based Access Control: Protection Model And policy Language[C]//Association for Computing Machinery. Proceedings of the First ACM Conference on Data and Application Security and Privacy, February 21-23, 2011, San Antonio, TX, USA. New York, NY, USA: ACM, 2011: 21-23.
[31]	AHMED A, ZHANG N. A Context-Risk-Aware Access Control Model for Ubiquitous Environments [C]//Polskie Towarzystwo Informatyczne. Proceedings of the International Multiconference on Computer Science and Information Technology,October 20-22, 2008,Wisla, Poland. Washington, DC,USA: IEEE Computer Society, 2008(3):775-782.
[32]	LUO Xiaofeng, LI Lin, LUO Wanbo.A Contextual Usage Control Model[J]. Technical Gazette, 2014, 21(1): 35-41.
[33]	罗霄峰, 罗万伯. 风险自适应PBCUC研究[J]. 通信技术, 2016, 49(7): 890-895.
[34]	FOCARDI R, GORRIERI R.Foundations of Security Analysis and Design[M]. Berlin: Springer-Verlag, 2001:137-196.
[35]	OASIS. eXtensible Access Control Markup Language (XACML) Version 3.0 [EB/OL]. 2013-1-23.
[36]	BISHOP M.Introduction to Computer Security[M]. New Jersey: Addison-Wesley, 2005.
[37]	INCITS 359-2012 Information Technology - Role Based Access Control[S]. Maryland, USA: American National Standards Institute, 2012.
[38]	DAMIANOU N, BANDARA A K, SLOMAN M, et al.A Survey of Policy Specification Approaches[J]. IEEE Network, 2002.
[39]	HAN Weili, LEI Chang.A Survey on Policy Languages in Network and Security Management[J]. Computer Networks, 2012, 56(1):477-489.
[40]	JAJODIA S, SAMARATI P, SUBRAHMANIAN V S.A Logical Language for Expressing Authorizations[C]//IEEE Computer Society. Proceedings of IEEE Symposium on Security and Privacy, May 4-7, 1997, Oakland, CA, USA. Washington, DC, USA: IEEE Computer Society, 1997:31-42.
[41]	CHEN F, R S SANDHU. Constraints for Role-Based Access Control[C]//Association for Computing Machinery. First ACM/NIST Role Based Access Control Workshop, November 30 -December 2, 1995, Gaithersburg, Maryland. New York, NY, USA: ACM Press, 1995:14.
[42]	RJ HAYTON,JM BACON,K MOODY. Access Control in an Open Distributed Environment[C]//IEEE Computer Society. IEEE Symposium on Security and Privacy, May 3-6, 1998, Oakland, California, USA. Washington, DC, USA: IEEE Computer Society,1998:3.
[43]	AHN G, SANDHU R.The RSL99 Language for Role-based Separation of Duty Constraints[C]//Association for Computing Machinery. Proceedings of the fourth ACM Workshop on Role-Based Access Control, October 28-29, 1999, Virginia. New York, NY, USA: ACM Press. 1999: 43-54.
[44]	SPIVEY J M.An Introduction to Z and Formal Specifications[J]. IEE/BCS Software Engineering Journal, 1989, 4(1): 40-50.
[45]	GLASGOW J,MACEWEN G,PANANGADEN P.A Logic for Reasoning about Security[C]//IEEE Computer Society. Computer Security Foundations Workshop III, June 12-14, 1990, Franconia, NH. Washington, DC, USA: IEEE Computer Society,1990, 10(3): 2-13.
[46]	LOBO J, BHATIA R, NAQVI S.A Policy Description Language[C]//Association for the Advancement of Artificial Intelligence.In Proc. of AAAI, July 18-22, 1999, Orlando, Florida, USA. California: Association for the Advancement of Artificial Intelligence, 1999: 291-298.
[47]	DAMIANOU N, DULAY N, LUPU E, et al.The Ponder Policy Specification Language[J]. Lecture Notes in Computer, 2000, 55(8):18-38.
[48]	BATISTA B L A, FERNANDEZ M P. PonderFlow: A New Policy Specification Language to SDN OpenFlow-based Networks[J]. International Journal on Advances in Networks and Services, 2014, 7(3-4): 163-172.
[49]	RIBEIRO C, ZÚ QUETE A, FERREIRA P,et al. SPL: An Access Control Language for Security Policies and Complex Constraints[C]// Internet Society. Proceedings of the Network and Distributed System Security Symposium, February 8-9, 2001, San Diego, California. VA, USA: Internet Society, 2001: 89-107.
[50]	HOAGLAND J, PANDEY R, LEVITT K. Security Policy Specification Using a Graphical Approach [EB/OL]. .
[51]	HERZBERG A, MASS Y, MICHAELI J, et al.Access Control Meets Public Key Infrastructure, or: Assigning Roles to Strangers[C]//IEEE Computer Society. Proceedings of the 2000 IEEE Symposium on Security and Privacy, May 14-17, 2000, Berkeley, California, USA. Washington, USA: IEEE Computer Society, 2000: 2-14.
[52]	RFC2753 - A Framework for Policy-based Admission Control[S]. USA: RFC Editor, 2000.
[53]	BONATTI P and SAMARATI P. Regulating Service Access and Information Release on the web[C]//Association for Computing Machinery. 7th ACM Conference on Computer and Communications Security, November 1-4, 2000, Athens, Greece. New York, NY, USA: ACM Press, 2000: 134-143.
[54]	王小明,付红,张立臣. 基于属性的访问控制研究进展[J]. 电子学报, 2010, 38(7): 1660-1667.
[55]	LI N, MITCHELL J C, WINSBOROUGH W H.Design of a Role-based Trust Management Framework[C]//IEEE Computer Society.In Proc. IEEE Symposium on Security and Privacy, May 12-15, 2002, Oakland, California, USA. Washington, USA: IEEE Computer Society, 2002: 114-130.
[56]	YU T, WINSLETT M,SEAMONS K E.Prunes: an Efficient and Complete Strategy for Automated Trust Negotiation over the Internet[C]//Association for Computing Machinery. 7th ACM conference on Computer and Communications Security, November 1-4, 2000, Athens, Greece. New York, NY, USA: ACM Press, 2000: 210-219.
[57]	OASIS eXtensible Access Control Markup Language (XACML) TC [EB/OL], 2016-5-3.
[58]	NISTSP 800-162 Guide to Attribute Based Access Control (ABAC) Definition and Considerations[S]. Maryland, USA: National Institute of Standards and Technology, 2014.
[59]	NISTSP 1800-3 ATTRIBUTE BASED ACCESS CONTROL (Draft)[S]. Maryland, USA: National Institute of Standards and Technology, 2016.
[60]	UNGUREANU V,VESUMA F,MINSKY N.A Policy-based Access Control Mechanism for the Corporate Web[C]//IEEE Computer Society. 16th Annual Conference of Computer Security Applications, December 11-15, 2000, Sheraton New Orleans, Louisiana, USA. Washington, USA: IEEE Computer Society , 2000: 150-158.
[61]	BLAZE M, FEIGENBAUM J, LACY J.Decentralized Trust Management[C]//IEEE Computer Society. 17th IEEE Symposium on Security and Privacy, May 6-8, 1996, Oakland, California. Washington, DC, USA: IEEE Computer Society, 1996: 164-173.
[62]	RFC 2704 - The KeyNote Trust-Management System Version 2[S]. IETF, 1999.
[63]	Gartner. Market Trends: Cloud-Based Security Services Market,Worldwide, 2014[EB/OL]., 2013-10-15.
[64]	MCGRAW R W.Risk-Adaptable Access Control (RAdAC)[C]//National Institute of Standards and Technology. NIST Privilege (Access) Management Workshop, September 1-3, 2009, Gaithersburg, Maryland. Maryland, USA: National Institute of Standards and Technology, 2009: 1-10.
[65]	KANDALA S, SANDHU R, BHAMIDIPATI V.An Attribute Based Framework for Risk-Adaptive Access Control Models[C]//IEEE Computer Society. 2011 Sixth International Conference on Availability, Reliability and Security (ARES), August 22-26, 2011, Vienna, Austria. Washington, DC, USA: IEEE Computer Society, 2011:22-26.
[66]	BIJON K Z, KRISHNAN R, SANDHU R.A Framework for Risk-aware Role based Access Control[C]//IEEE Computer Society. 6th Symposium on Security Analytics and Automation, October 14-16, 2013, National Harbor, MD, USA. Washington, DC, USA: IEEE Computer Society, 2013: 462-469.
[67]	SANTOS D R, WESTPHALL C M, WESTPHALL C B.A Dynamic Risk-based Access Control Architecture for Cloud Computing[C]//IEEE Computer Society. Network Operations and Management Symposium (NOMS), May 5-9, 2014, Krakow, Poland. Washington, DC, USA: IEEE Computer Society, 2014: 1-9.
[68]	惠榛,李昊,张敏,等. 面向医疗大数据的风险自适应的访问控制模型[J]. 通信学报, 2015, 36(12):190-199.
[69]	Díaz-López D,Dólera-Tormo G,Gómez-Mármol F, et al.Dynamic Counter-measures for Risk-based Access Control Systems: An Evolutive Approach[J].Future Generation Computer Systems, 2016, (55): 321-345.
[70]	LANGALIYA C, ALUVALU R.Enhancing Cloud Security through Access Control Models: A Survey[J]. International Journal of Computer Applications, 2015, 112(7): 8-12.
[71]	李建,管卫利,刘吉强,等. 基于信任评估的网络访问模型[J]. 信息网络安全,2015(10):14-23.
[72]	张玉清, 王晓菲, 刘雪峰,等. 云计算环境安全综述[J]. 软件学报, 2016, 27(6): 1-21.
[73]	王于丁, 杨家海, 徐聪,等. 云计算访问控制技术研究综述[J]. 软件学报, 2015, 26(5): 1129-1150.
[74]	LAZOUSKI A, MARTINELLI F, MORI P.Usage Control in Computer Security: A Survey[J]. Computer Science Review, 2010, 4(2): 81-99.
[75]	AKL S G, TAYLOR P D.Cryptographic Solution to a Problem of Access Control in a Hierarchy[J]. ACM Transactions on Computer Systems, 1983, 1(3): 239-248.
[76]	ALUVALU R, MUDDANA L.A Survey on Access Control Models in Cloud Computing[C]//Computer Society of India.Emerging ICT for Bridging the Future - Proceedings of the 49th Annual Convention of the Computer Society of India, December 12-14, 2014, Hyderabad, India. Switzerland: S pringer International Publishing, 2015: 653-663.
[77]	KAMLIYA V, ALUVALU R.A Survey on Hierarchical Attribute Set based Encryption (HASBE) Access Control Model for Cloud Computing[J]. International Journal of Computer Applications, 2015,112(7): 4-7.
[78]	FERRAIOLO D, CHANDRAMOULI R, KUHN R, et al.Extensible Access Control Markup Language (XACML) and Next Generation Access Control (NGAC)[C]//Association for Computing Machinery. 2016 ACM International Workshop on Attribute Based Access Control, March 9-11, 2016, New Orleans, LA, USA. New York, NY, USA: ACM, 2016:13-24.
[79]	INCITS 499-2013 Information Technology - Next Generation Access Control - Functional Architecture[S]. Maryland, USA: American National Standards Institute, March 2013.
[80]	INCITS 526-2016 Information technology-Next Generation Access Control-Generic Operations and Data Structures[S]. Maryland, USA: American National Standards Institute, 2016.