CAO Yongchun,HUA Bei,GE Lin,CHEN Xiaojiang

DOI: https://doi.org/10.3969/j.issn.1000-3428.2005.23.046

2005-01-01

Abstract:This paper discusses the security problems with which active nodes are confronted,and analyzes the train of thought to solve them using authorization-based techniques.It gives the design and implementation of a security management subsystem in an active node operating system prototype,wherein authorization and access control are realized through effective policy management,credential management and validity checking of active packets.

YH Wu,K Xu,JP Wu,MW Xu

DOI: https://doi.org/10.1109/ictel.2003.1191171

2004-01-01

Abstract:Active network is a new network architecture of the last few years, in which active nodes provide programmable network services on passing packets. Users can configure, extend and download these services through active packets. However, the flexibility of network brings serious security problems. Because there are always malicious attackers in network, we must limit users' access to the resources and statuses of active routers to guarantee their safe running. Because traditional routers are mainly responsible for packets forwarding, and lack enough security support to router software, it's necessary to design consummate active network security architecture. This paper defines the integrated security architecture of active network, and provides safe protection to each phase of active codes during their running. And we also define the security architecture of active nodes, and bring forward the resource managing mechanism based on access control. The security architecture and mechanism introduced by this paper have been implemented in Extensible Service Router prototype system.

XH Peng,C Lin

DOI: https://doi.org/10.1117/12.635317

2005-01-01

Abstract:Access control is an important method to improve network security and prevent protected resources from being used by some nodes without authority. Moreover, mobility is an important trend of internet. In this paper, based on the architecture of hierarchical mobile IPv6, we proposed an effective access control approach to support mobility in IPv6 networks, which can ensure the operation of access control when a mobile node roams in these domains with different polices, with decreased delay of access negotiation and cost of delivering messages.

LIN Chuang,FENG Fu-Jun,LI Jun-Shan

DOI: https://doi.org/10.1360/jos180955

2007-01-01

Abstract:Access control is an important technology for system security, and its mechanism is different for different networks. This paper first introduces the characteristics and applications of three traditional access control policies which are DAC (discretionary access control), MAC (mandatory access control) and RBAC (role-based access control), introduces the UCON (usage control) model, and then analyzes access control technology and current researches in Grid, P2P and wireless environment respectively. In addition, this paper proposes that trustworthy networks as the developing goal of the next generation Internet require using trust-based the access control model to assure security. This paper investigates on the trust and reputation model in detail, and finally gives the prospects of access control.

WANGJian-guo,LIZeng-zhi,KOUYan-an

2003-01-01

Abstract:In an active network, users can insert customized active codes into active nodes to execute. Thus it needs more resources than those required by conventional networks, and these resources must be effectively monitored and managed. Management policies in existing OSs are too complicated to apply to simple active packets. In this paper, we present new resources management policies that are mainly adoped to manage CPU, storage and transmission bandwidth. Namely, we use SPF algorithm to schedule and process active packets, and import an interval queue method to allocate transmission bandwidth, and use feedback mechanism to control congestion. At the same time, we design some experiments on prototype systems with and without resources management policies respectively. The experiments results show that management policies presented by us can effectively manage resources in active nodes and can improve the performance of active networks.

LIN Chuang,FENG Fu-Jun,LI Jun-Shan

2007-01-01

Abstract:Access control is an important technology for system security, and its mechanism is different for different networks. This paper first introduces the characteristics and applications of three traditional access control policies which are DAC (discretionary access control), MAC (mandatory access control) and RBAC (role-based access control), introduces the UCON (usage control) model, and then analyzes access control technology and current researches in Grid, P2P and wireless environment respectively. In addition, this paper proposes that trustworthy networks as the developing goal of the next generation Internet require using trust-based the access control model to assure security. This paper investigates on the trust and reputation model in detail, and finally gives the prospects of access control.

Chen Xiaojiang,Cao Yongchun,Hua Bei

DOI: https://doi.org/10.3969/j.issn.1000-386X.2007.09.017

2007-01-01

Abstract:The resource management problems that an active node must solve in order to provide customized and fair services are discussed.To support customized services,a simple and general model for NodeOS services is proposed.To support fairness,the resource management problems including resource allocation and adaptation,entry controlling,usage monitoring and policing are systematically studied,and the scheme to resolve them is given.The security problems which active nodes are confronted are discussed,and the active node protecting mechanism with authorization-based techniques is analyzed.How to embed KeyNote trust management system into NodeOS is illustrated with details.

C Cao,J Lu

DOI: https://doi.org/10.1109/icdcsw.2005.19

2005-01-01

Abstract:To solve the security issues in a mobile agent system, the access control is always employed. Existing access control models enable the agent's identity, trust and other information to influence the security decisions. We argue that the path, which a mobile agent travels along, should be taken into consideration and affect what the agent can do dynamically. An access control model is proposed in this paper which captures the path history of the agent and reaches a decision according to both whether the path matches a path pattern set and whether the path can follow a host patch set. The flexibility of this model is shown and some issues in implementing such a model are discussed as well.

XU Dong-sheng,YUAN Fei-yun,WANG Jian-guo

DOI: https://doi.org/10.3969/j.issn.1000-7180.2006.02.022

2006-01-01

Abstract:Active networks need more resources than passive networks,because active networks allow users to inject active application into the active network nodes and execute. These bandwidth resources must be suitably assigned and managed,in order to improve quality of service of the active networks. This paper analyzes the difference of bandwidth resources between active network and passive network,and explores the policy of bandwidth resources management in an active network node.These issues are implemented in the prototype system.

Fenghua Li,Zifu Li,Weili Han,Ting Wu,Lihua Chen,Yunchuan Guo

DOI: https://doi.org/10.1109/dsc.2017.100

2017-01-01

Abstract:With the rapid development of information technologies, our daily life has become deeply dependent on cyberspace. The new technologies provide more facilities and enhancements to the existing Internet services as it allows users more flexibility in terms of exploring webpages, sending messages or publishing tweets via cell phones or laptops. However, there are many security issues such as security policy definition and security policy enforcement of current cyberspace. In this paper, we study information access problems in cyberspace where users leverage devices via the Internet to access sensitive objects with temporal and spatial limitations. We propose a Cyberspace-oriented Access Control model (CoAC) to ensure the security of the mentioned accesses in cyberspace. The proposed model consists of seven atomic operations, such as Read, Write, Store, Execute, Publish, Forward and Select, which can denote all operations by the combination of several atomic operations in cyberspace. For each atomic operation, we assemble a suite of security policies and demonstrate its flexibility. By that, a series of security policies are denfined for CoAC.

Rui Chang,Liehui Jiang,Wenzhi Chen,Hong-qi He,Shuiqiao Yang,Hang Jiang,Wei Liu,Yong Liu

DOI: https://doi.org/10.1002/cpe.4180

2018-01-01

Abstract:This paper discusses security issues on the user equipment, which is the last mile of social networks. One of the main Achilles' heel of social networks is not the organization of networks themselves, but the user devices, typically Android ones. The existing system of privileges makes it easy to infiltrate the network via applications installed on users' devices. Conventional signature-based and static analysis methods are vulnerable. Access to privacy- and security-relevant parts of the application programming interface is controlled by the corresponding permission in a manifest file. While requesting access to permissions, it may offer opportunities to malicious codes, which will cause security issues. Few works among permission analysis, however, pay attention to the prevention of permission leakage on both hardware and software frameworks. In this paper we tackle the challenge of providing our multilayered permission-based security extension scheme on Android platforms. We propose a usage and access control model and an effective method of preventing permission leakage based on ARM TrustZone security extension mechanism. In contrast to previous work, the proposed security architecture provides a permission-based mandatory access control on Android middleware, Linux kernel, and hardware layers. The evaluation results demonstrate the effectiveness of the proposed scheme in mitigating permission leakage vulnerabilities.

huabei,lizheng,xiongyan,gelin

2005-01-01

Abstract:This paper proposes a three-layered structural model for the node operating system (NodeOS) in an active network, including hardwareabstraction layer, resource management layer and NodeOS-EE API layer, and discusses at length their primary functions and implementingmechanisms. This paper also investigates the authorization enforcement based security architecture of active node. This architecture properlycombines distributed authorization, policy management, authorization based access control, authentication with integrity control of active packets toensure the security of active nodes and active packets.

CHEN Xiao-Lin,LU Sang-Lu,CHEN Dao-Xu

DOI: https://doi.org/10.3969/j.issn.1002-137x.2006.08.003

2006-01-01

Computer Science

Abstract:Security issue challenges active network much more than it does to the traditional one, and obviously is an obstacle preventing active network from being put into real application. In this survey, we focus our research on active network security. We first present the state-of-art of this research field, and then introduce the security architecture of active networks. Afterwards, different approaches to implement secure activate network are analyzed. Finally, we give some interesting fields that are worthy of investigation and research in the future.

Y Tang,Ss Zhang,L Li

DOI: https://doi.org/10.1007/3-540-27912-1_61

2005-01-01

Abstract:The characteristics of multiple security domains environment include multifactor, dynamic, heterogeneity, and openness, which make its resources at high security risks. Thus, it is very critical for mobile access to realize the efficient resources access control in multiple security domains environment. This paper aims at the problems of dynamic privilege assignment for mobile users in cross-domain access, proposes a mobile access control architecture for multiple security domains environment (MACAMSDE), and introduces flexible access control mechanisms. In addtion it discusses the enabling key technologies.

LIU Li,LI Jin-sheng,HONG Pei-lin,ZHU Wen-tao

DOI: https://doi.org/10.3969/j.issn.0255-8297.2005.02.023

2005-01-01

Journal of Applied Sciences

Abstract:The current multicast model provides no access control mechanism. Any host can send data directly to a multicast address or join a multicast group to become a member. After analyzing the different types of multicast participants and the requirements of access control, a multicast access control system based on policy ACL is put forword. And after the model of this system is given, the process of requesting, replying and ACL configuration of the host access is also elucidated in this paper.

王建国,李增智,王宇,寇雅楠

DOI: https://doi.org/10.3321/j.issn:0253-987X.2002.08.012

2002-01-01

Abstract:After analyzing the current research about active network security, a universal security mechanism for active network is presented. This mechanism keeps to the security specification proposed by Active Network Security Working Group. According to the characteristics of active network, two important protected objects, active node and capsule, are proposed. This mechanism constructs two engines, authentication/authorization engine and accessing control engine. Certificate database and security policy database are designed so that engines can consult certificate to authenticate principals' identity and refer to security policy to control capsule to access system resources when it provide request services for execution environment. These can protect active nodes effectively. In order to describe the complicated dynamic security control policies, this mechanism imports capability. Digital signature and software states catching mechanism are used to protected and isolated capsules. Active nodes and capsules can be protected effectively with this mechanism. Security facilities implemented with this mechanism can serve as a generic component to build secure active network.

WANG Jian-guo,WEI Bi-fan,LI Ya-hong

DOI: https://doi.org/10.3969/j.issn.1673-9965.2007.01.015

2007-01-01

Abstract:Scheduling algorithm for complicated resources management is not fit for active code,it debases transmission speed of capsules.The authors propose resources management architecture of active network node based on components,and discuss the classification and encapsulation format.This architecture proposes scheduting algorithm of the shortest packet with multi-priority first to schedule capsules,assigns and manages bandwidth with low bandwidth first algorithm based on priority.It manages memory by dynamic supervising and static limiting capsule.Experimental results show that this management mechanism conforms to characteristics of active network.It effectively manages resources of active network nodes,and improves the performance of active network nodes.

Fenghua Li,Zifu Li,Weili Han,Ting Wu,Lihua Chen,Yunchuan Guo,Jinjun Chen

DOI: https://doi.org/10.1109/jiot.2018.2839065

IF: 10.6

2018-01-01

IEEE Internet of Things Journal

Abstract:With wide development of various information technologies, our daily activities are becoming deeply dependent on cyberspace. People often use handheld devices (e.g., mobile phones or laptops) to publish social messages, facilitate remote e-health diagnosis, or monitor a variety of surveillance. However, security insurance for these activities remains as a significant challenge. Representation of s...

周恒琳,李增智

DOI: https://doi.org/10.3969/j.issn.1000-7180.2004.07.030

2004-01-01

Abstract:The paper represents how to utilize the authentication and authorization theory to resolve the secure problem of the active network. A packet authentication and code authorization mechanism for active network is realized, with the application of the digital certificate and signature technology, the security system of the Java language, as well as the Java Authentication and Authorization Service; In addition, the secure active packet is designed to collaborate with this mechanism. The packet authentication module authenticates the identity of the active packet and checks the integrality of the packet in order to prevent illegal active node from sending baleful code or juggling the active packet midway. The code authenticate module includes authentication of the Executive Environment's code and authentication of the active packet's code. It avoids the ruinous effect on active node by restricting the action of the extraneous code in the active node.

Xin Zhang,Yifan Zhang

DOI: https://doi.org/10.1016/j.hcc.2022.100073

2022-01-01

High-Confidence Computing

Abstract:The capability of interacting with web content has become increasingly common among mobile apps. While web-app interaction can facilitate many new functionalities and improve app user experience, they also cause various notable security attacks on mobile apps or web content. The root cause is lack of proper access control mechanisms for web-app interactions on mobile OSes. Existing solutions usually adopt either an origin-centric design or a code-centric deign, and suffer from one or several of the following limitations: coarse protection granularity, poor flexibility in terms of access control policy establishment, and incompatibility with existing apps/OSes due to the need of modifying the apps and/or the underlying OS. More importantly, none of the existing works can organically deal with all the five web-app interaction mechanisms. In this paper, we first identify and survey five mechanisms through which web content interacts with mobile apps. We then propose ReACt, a novel Resource-centric Access Control design that can coherently work with all the web-app interaction mechanisms while addressing the above-mentioned limitations. We have implemented a prototype system on Android, and performed extensive evaluation on it. The evaluation results show that our system works well with existing commercial off-the-shelf Android apps and different versions of Android OS, and it can achieve the design goals with small overhead.