LIANG Jinqian,GUAN Xiaohong

DOI: https://doi.org/10.3969/j.issn.1000-3428.2007.02.009

2007-01-01

Abstract:This paper introduces an access control mechanism called PBAC(process-based access control),which models from the active process,based on the access control model of current operating system,according to the role of process,the process privilege is assigned and managed in more detail.It enhances information confidentiality,integrity and controllability,and reduces the malicious code threat to the computer system.The basic concepts of PBAC are introduced and a formalization description is given,and the implementation in the Windows platform is discussed.

黄益民,平玲娣,潘雪增

DOI: https://doi.org/10.3785/j.issn.1008-973x.2001.06.005

2001-01-01

Abstract:After study of existing security models; analysis of information flow model, Bell-LaPadula(BLP) access control model and Biba access control model; and collation and comparison of their advantages and disadvantages, an improved model is put forward that satisfies the actual demands of information security. An implementation strategy is put forward that ensures information security, reliability, practicality and compatibility in the designed security system. An implementation scheme of this security system and its components and functions is provided. This system combines the following functions: mandatory access contro1, privilege separation, security audit, identity authentication and self-protection. It achieves the level 3 of national information security standard and level B1 of TCSEC standard. It was implemented in the Windows NT and Linux operating system and has yielded good resultsin application.

MAO Weifeng,PING Lingdi,JIANG Li,CHEN Xiaoping

DOI: https://doi.org/10.3969/j.issn.1000-3428.2006.12.068

2006-01-01

Abstract:SECOS is a secure operating system with independent intellectual property right,which accords with the requirements of level 4 secure operation system technology.This paper illustrates some key issues of the system,including design method for enchancement of security,improved model from the Bell-La Padula MAC(mandatory access control) implementation,the realization of the model,formal method during the system development,conversiion channel analysis and its prevention,and secure deletion.The performance evaluation shows the design and implementation of SECOS is effective.

CHEN Hui,ZHOU Xue-Hai,CHEN Xiang-Lan

DOI: https://doi.org/10.3969/j.issn.1003-3254.2010.12.003

2010-01-01

Abstract:Security is always a hot topic with the development of computer technologies.Currently,mechanisms like active defense,detection and anti-detection are proposed.They could be implemented on different levels such as application-level and kernel-level in the system.We manage to go to the system-level.Linux owns mature security-enhanced version SELinux.For Windows,we focus on mandatory access control and propose a mechanism with improved efficiency,compatibility and stability.

Xiyuan Chen,Yang OUYang,Miaoliang Zhu,Yan He

DOI: https://doi.org/10.1109/ICYCS.2008.407

2008-01-01

Abstract:The emerging grid infrastructure presents many challenging security issues that demand new access approach due to its inherent heterogeneity, multidomain characteristic and highly dynamic nature. In order to protect the secure sharing and coordinated use of diverse resources in distributed "virtual organizations", fine-grained access control in grid computing is therefore very necessary and important. In this paper, a semantic-aware access conrtol(SAAC) extending the RBAC with the semantic specification is proposed. Supplying semantic specification by the implementation of semantic inference engine (SIE), the administration for the applicability of users' role memberships to particular permissions is much more easy and precise. The enforcement of the SAAC model for grid application is presented. An experimental evaluation of its overheads is also described.

Zhiwen Zou,Changqian Chen,Shiguang Ju,Jiming Chen

DOI: https://doi.org/10.1007/978-3-642-12189-0_26

2010-01-01

Abstract:The Spatial Role-Based Access Control (SRBAC) model was discussed in this paper. Firstly, the formal definition of SRBAC Model was given; then the region coverage constraint of spatial object, duration constraint of spatial object, various spatial object separations of duty constraints and spatial object cardinality constraint of role activation were researched; after extending the traditional session, the strategy of eliminating the conflictive session was presented; Finally, the role hierarchy has been discussed under the spatial environment. Combined with practical application, the theory of secure DBMS was optimized and afforded to build the stricter system.

黄益民,杨子江,平玲娣,潘雪增

DOI: https://doi.org/10.3785/j.issn.1008-973x.2004.04.005

2004-01-01

Abstract:The traditional role-based access control (RBAC) model was extended in this work aimed at studying practical ways to implement access control, enforce security administration, and acquire available information from real world to construct an access control model and establish security policies. A three-layered architecture for role-based security administration was proposed. And a practical way was presented to implement role-based access control and role-based security administration ,so that cross-platform role-based access control is implemented automatically and systematically in the security administration system.

Chen Weidong,Wang Chao,Zhang Li,Xu Zheng,Xing Xishuang

DOI: https://doi.org/10.3969/j.issn.1000-386x.2013.03.080

2013-01-01

Abstract:Information security of server is encountering increasingly serious security menace.Viruses,worms,Trojans and other malicious programs impose the threat on the security of server system.The operating system has the needs to identify and control from kernel layer the subjects and objects imperilling the security.Mandatory access control has to be executed on files,registry,process,etc.in kernel layer.We study and address the implementation of operating system security kernel in terms of system resources and networks covert communication in this paper.The system has been applied to the corporate websites,various types of servers and other network security applications that have higher security requirement.The mandatory access control and each process,file,registry and network communications,etc.are all endued the appropriate security attributes systematically.Security attributes are set by the administrator strictly in accordance with the rules.Combined with the principle of least privilege and security auditing,security control is conducted at the application layer on the server or server cluster.

DING Hongda,ZENG Qingkai,BAO Bixian

DOI: https://doi.org/10.3969/j.issn.1000-3428.2007.01.056

2007-01-01

Abstract:Test and validation of access control is a crucial part of the security evaluation of the system.A testing approach by extending GFAC is proposed,automatically to test the access control service according to requirements of security evaluation based on common criteria.The implementation of testing on Linux+RSBAC demonstrates the approach available.

Alam Masoom,Seifert Jean-Pierre,Li Qi,Zhang Xinwen

DOI: https://doi.org/10.1145/1368310.1368345

2008-01-01

Abstract:Continuous access control after an object is released into a distributed environment has been regarded as the usage control problem and has been investigated by different researchers in various papers. However, the enabling technology for usage control is a challenging problem and the space has not been fully explored yet. In this paper we identify the general requirements of a trusted usage control enforcement in heterogeneous computing environments, and also propose a general platform architecture to meet these requirements.

Zheng Xiao-lin,Lei Yu,Chen De-ren

DOI: https://doi.org/10.1007/s11460-006-0089-x

2006-01-01

Frontiers of Electrical and Electronic Engineering in China

Abstract:An integrated user access control method was proposed to address the issues of security and management in networked manufacturing systems (NMS). Based on the analysis of the security issues in networked manufacturing system, an integrated user access control method composed of role-based access control (RBAC), task-based access control (TBAC), relationship-driven access control (RDAC) and coalition-based access control (CBAC) was proposed, including the hierarchical user relationship model, the reference model and the process model. The elements and their relationships were defined, and the expressions of constraints authorization were given. The extensible access control markup language (XACML) was used to implement this method. This method was used in the networked manufacturing system in the Shaoxing spinning region of China. The results show that the integrated user access control method can reduce the costs of system security maintenance and management.

Zhiyong Tan,Duo Liu,Xuejun Zhuo,Yiqi Dai,Laurence T. Yang

DOI: https://doi.org/10.1007/s11227-011-0732-z

IF: 3.3

2013-01-01

The Journal of Supercomputing

Abstract:This paper presents the design and implementation features of Centralized Pervasive Computing Environment/Multilevel Security (CPCE/MLS), a multilevel security (MLS) system in pervasive computing environment deployed in Local area network (LAN) with a Mandatory Access Control (MAC) mechanism. By introducing the server-storage terminals and implementing the multilevel security access control mechanism based on the Bell---LaPadula model, process creation supervision, and an auditing mechanism, the CPCE/MLS system is able to provide the security guarantee of the whole computing environment. As such, each terminal is controlled under an integrated security policy. The performance test results show that the CPCE/MLS system, without optimization, generates great overhead but achieves significantly better performance after the cache mechanism is added in the monitor agent and in the hook driver. The system with the hook driver cache mechanism is able to achieve the 95.9% throughput of the native system with 8 K and 16 K requested data blocksize.

Wang Baoyi,Zhang Shaomin,Zhilei Zhang

DOI: https://doi.org/10.1109/ICIT.2008.4608609

2008-01-01

Abstract:Role-based Access Control (RBAC) policy separates user and privilege logically by importing the concept of role, which can simplify the management of privilege in electric power enterprise. As the development and sustaining change of electric power system, unattended substations become the new developing direction. Unattended substation automation system will realize centralized management and remote control, so the use of RBAC access control method will aggravate the burden of the access control server. What is more, it adds the complexity of management. RBAC could not meet the needs of the system. This paper designs Distributed RBAC access control model, according to the substation automation system structure stated in IEC61850. Users obtain their roles in centralized server, and obtain their privilege dispersedly. The efficiency is improved. Management is more convenient. In the end, a practical example is presented to prove that the designed model and algorithm have high security, feasibility and effectiveness in unattended substation automation system. Because the model and algorithm are designed according to the ITU-T X.509 and IEC61850 international standards, the design has high currency, adaptability and expansibility. ©2008 IEEE.

Yi Zong,Yao Guo,Xiangqun Chen

DOI: https://doi.org/10.1109/sose.2019.00062

2019-01-01

Abstract:With the wide application of modern robots, more concerns have been raised on security and privacy of robotic systems and applications. Although the Robot Operating System (ROS) is commonly used on different robots, there have been few work considering the security aspects of ROS. As ROS does not employ even the basic permission control mechanism, applications can access any resources without limitation, which could result in equipment damage, harm to human, as well as privacy leakage. In this paper we propose an access control mechanism for ROS based on an extended policy-based access control (PBAC) model. Specifically, we extend ROS to add an additional node dedicated for access control so that it can provide user identity and permission management services. The proposed mechanism also allows the administrator to revoke a permission dynamically. We implemented the proposed method in ROS and demonstrated its applicability and performance through several case studies.

Yunfei Meng,Zhiqiu Huang,Senzhang Wang,Yu Zhou,Guohua Shen,Changbo Ke

DOI: https://doi.org/10.48550/arXiv.1908.10201

2019-08-23

Cryptography and Security

Abstract:Service-oriented architecture (SOA) system has been widely utilized at many present business areas. However, SOA system is loosely coupled with multiple services and lacks the relevant security protection mechanisms, thus it can easily be attacked by unauthorized access and information theft. The existed access control mechanism can only prevent unauthorized users from accessing the system, but they can not prevent those authorized users (insiders) from attacking the system. To address this problem, we propose a behavior-aware service access control mechanism using security policy monitoring for SOA system. In our mechanism, a monitor program can supervise consumer's behaviors in run time. By means of trustful behavior model (TBM), if finding the consumer's behavior is of misusing, the monitor will deny its request. If finding the consumer's behavior is of malicious, the monitor will early terminate the consumer's access authorizations in this session or add the consumer into the Blacklist, whereby the consumer will not access the system from then on. In order to evaluate the feasibility of proposed mechanism, we implement a prototype system. The final results illustrate that our mechanism can effectively monitor consumer's behaviors and make effective responses when malicious behaviors really occur in run time. Moreover, as increasing the rule's number in TBM continuously, our mechanism can still work well.

Yahui Lu,Li Zhang,Jiaguang Sun

DOI: https://doi.org/10.1016/j.compind.2009.02.009

IF: 10

2009-01-01

Computers in Industry

Abstract:The fast evolving workflow technologies facilitate organizations to interact and cooperate with each other to achieve their business goals by process collaborations. Task-role based access control is an important security mechanism to protect data and resources in information systems. However, the traditional centralized authorization and administration mechanism in access control can not satisfy the administrative requirements in process collaboration environments. In this paper, we propose a domain based administration model for task-role based access control (DATRBAC), in which the authorization and administration permissions are distributed to multiple administrative domains and administrative roles. Then we propose the solution to detect and resolve the conflicts between access control policies defined by different administrative roles. We also described the implementation of the model in the PLM product and the experiments based on the practical application data.

Rui Chang,Liehui Jiang,Wenzhi Chen,Hong-qi He,Shuiqiao Yang,Hang Jiang,Wei Liu,Yong Liu

DOI: https://doi.org/10.1002/cpe.4180

2018-01-01

Abstract:This paper discusses security issues on the user equipment, which is the last mile of social networks. One of the main Achilles' heel of social networks is not the organization of networks themselves, but the user devices, typically Android ones. The existing system of privileges makes it easy to infiltrate the network via applications installed on users' devices. Conventional signature-based and static analysis methods are vulnerable. Access to privacy- and security-relevant parts of the application programming interface is controlled by the corresponding permission in a manifest file. While requesting access to permissions, it may offer opportunities to malicious codes, which will cause security issues. Few works among permission analysis, however, pay attention to the prevention of permission leakage on both hardware and software frameworks. In this paper we tackle the challenge of providing our multilayered permission-based security extension scheme on Android platforms. We propose a usage and access control model and an effective method of preventing permission leakage based on ARM TrustZone security extension mechanism. In contrast to previous work, the proposed security architecture provides a permission-based mandatory access control on Android middleware, Linux kernel, and hardware layers. The evaluation results demonstrate the effectiveness of the proposed scheme in mitigating permission leakage vulnerabilities.

Wei Wei,Zhang Qing,Liang Wenzheng

DOI: https://doi.org/10.3969/j.issn.1006-1576.2011.02.015

2011-01-01

Abstract:Through analyzing the compulsion access in HTTP request and information juggle and forgery,design data access control model and task purview model,and realize access filtering of task data and URL verifying request.The technology can solve the access control problem in B/S system and realize multi-dimension data logic in encrypt system.

Gaoshou Zhai,Jie Zeng,Miaoxia Ma,Liang Zhang

DOI: https://doi.org/10.1109/isa.2008.61

2008-01-01

Abstract:Nowadays, technologies of information security have been attached more and more importance to and it's a critical problem to take measures to ensure the reliability of related trustworthy software such as secure operating systems (SOSs). Thereafter, it's always necessary for such systems to be taken complete and rigorous security test and evaluation among development team and/or by third-party security certification organization. However, such software testing is usually time consuming, cost consuming and boresome and thus technologies of software testing automation have alluring application foreground in that field. In this paper, methods and technologies about how to test a SOS automatically are discussed in breadth and in depth at first. Then least privilege is studied and the corresponding modules of security enhancement are added to Linux based on Linux Kernel Modules (LKM). Finally, a prototype of automatic security testing as to such least privilege mechanism is implemented and the results are analyzed.

XU Guo-yong,LIU Qiang,ZHANG Pu-xuan

DOI: https://doi.org/10.3969/j.issn.1000-7024.2007.01.011

2007-01-01

Abstract:On resource integration implemented in government and organization,a more security and open access control system working in large scale application environment is required.Public key infrastructure authenticates a user by granting a public key certificate.Pri-vilege management infrastructure authorizes a user using attribute certificates.RBAC provides a flexible relationship between user and privilege.Emphasis on access control proceeding and policy management using PKI,PMI and RBAC,an access control mechanism based on role and dual-certificates is described.The mechanism has implemented in the taxation resource integration project.