曾璎珞,潘雪增,陈健

DOI: https://doi.org/10.3969/j.issn.1000-3428.2010.10.052

2010-01-01

Abstract:This paper proposes a dynamic security access control model based on system reliability,so as to improve the flexibility of combination among multiple security access control strategies,and to ensure system security and practicality.The model can choose the proper kind of combination among the security access control strategies dynamically in order to deal with different system states and improve the whole system performance.Experimental results prove that this model makes the multiple strategies control more flexible,ensures the system security,and improves practicality of the system.

Gaozu Wang,LI Wei-hua,Yangling Xu,Jianfeng Yan

DOI: https://doi.org/10.1109/cisw.2007.4425538

2007-01-01

Abstract:CLinux is an embedded operating system with high performance. Security of µCLinux is of great importance for embedded system based on it. To solve security problems of µCLinux system, the author adopts Linux Security ModuleLSM framework and puts forth a multi-policy mandatory access control (MAC) mechanism based on both Domain and Type Enforcement (DTE) model and improved Bell-La Padula BLP model. The mechanism enhances security protection of µCLinux kernel and implements access control in fine-grain level to ensure confidentiality and integrity of the system. The scheme proves to be applied in most embedded system with properties of Level B1 security standard, which ensures security of all application softwares.

MAO Weifeng,PING Lingdi,JIANG Li,CHEN Xiaoping

DOI: https://doi.org/10.3969/j.issn.1000-3428.2006.12.068

2006-01-01

Abstract:SECOS is a secure operating system with independent intellectual property right,which accords with the requirements of level 4 secure operation system technology.This paper illustrates some key issues of the system,including design method for enchancement of security,improved model from the Bell-La Padula MAC(mandatory access control) implementation,the realization of the model,formal method during the system development,conversiion channel analysis and its prevention,and secure deletion.The performance evaluation shows the design and implementation of SECOS is effective.

莫毅君,李伟华,王高祖

DOI: https://doi.org/10.16208/j.issn1000-7024.2008.13.045

2008-01-01

Abstract:The current research in access control area and primary access control of Linux is firstly introduced.With the comparison and examples,the existing flaws about access control are discussed.On the basis of role-based access control(RBAC) and process-based access control(PBAC) of current operating system,a new mechanism called role-process-based access control(RPBAC) is presented,which is defined formally.The security of operating system is enhanced by the help of static and dynamic method.The task of follow work is also discussed in the end.

CHEN Hui,ZHOU Xue-Hai,CHEN Xiang-Lan

DOI: https://doi.org/10.3969/j.issn.1003-3254.2010.12.003

2010-01-01

Abstract:Security is always a hot topic with the development of computer technologies.Currently,mechanisms like active defense,detection and anti-detection are proposed.They could be implemented on different levels such as application-level and kernel-level in the system.We manage to go to the system-level.Linux owns mature security-enhanced version SELinux.For Windows,we focus on mandatory access control and propose a mechanism with improved efficiency,compatibility and stability.

WANG Jian-jun,NING Hong,PENG Daiwen

DOI: https://doi.org/10.3969/j.issn.1001-3695.2006.03.044

2006-01-01

Abstract:Single security policy is implemented in the traditional security kernel.For satisfying the special request of the system,it described a security policy about implementing confidentiality and integrality in the security kernel.

LI Bo,HUANG Dong-jun

DOI: https://doi.org/10.3969/j.issn.1006-8937-B.2006.04.001

2006-01-01

Abstract:The paper analyzes and compares several primary ways to distribute privileges during the current design process of access system such as Discretionary Access Control(DAC), Mandatory Access Control (MAC) and Role-Based Access Control (RBAC), points out their respective characteristics and limitations of their applicability. By taking the new characteristics of modern enterprise management into consideration and combining with the existing access control model, the authors discuss the access control technology of the multi-users information system, present and realize the security control model based on role level, department level and user level in the application. Practical application makes clear that it enhances the security and maintainability of information system.

高亮,张斌,蔡力钢,刘向军

DOI: https://doi.org/10.3969/j.issn.1001-3695.2004.08.035

2004-01-01

Abstract:Effective control of access for resource is key to make users work collaboratively.It is also important to ensure information security.Having analyzed traditional access control technologies,a new access control model,eXtensible Access Control Model (XACM),is proposed in this paper.An extensible access control system based on XACM is successfully implemented for control of access to information in Tongda Group's workflow-based office automation system.It proves the characteristics of XACM such as flexibility and generalization.

LIU Wei-peng,HU Jun,LV Hui-jun,LIU Yi

DOI: https://doi.org/10.3969/j.issn.1000-3428.2008.07.056

2008-01-01

Abstract:This paper analyses the main design idea of Linux Security Module(LSM) and the problem of the intrinsic access control mechanism of Linux executable program, and discusses the design of Mandatory Access Control(MAC) mechanism of executable program based on LSM. As the demonstration, it implements a MAC system prototype based on Linux kernel 2.6.11. The illumination that how to implement MAC of executable program in operating system is given.

Tao Peng,Minghua Jiang,Ming Hu

DOI: https://doi.org/10.4028/www.scientific.net/amr.121-122.558

2010-01-01

Advanced Materials Research

Abstract:A multi-polices access control model is proposed, with the model, access control based on policy regulation and XML based policy description is given. At the same time, We use the XSD(XML Schema Definition) to describe the content and the structure of the xml documents, and check the validity of the xml documents. Based on the description of the access control, an application system is realized we construct the runtime platform and choose some access control polices to test our system. The result is well.

Jinan Shen,Deqing Zou,Hai Jin,Kai Yang,Bin Yuan,Weiming Li

DOI: https://doi.org/10.1109/cc.2016.7781724

2016-01-01

China Communications

Abstract:In traditional framework, mandatory access control (MAC) system and malicious software are run in kernel mode. Malicious software can stop MAC systems to be started and make it do invalid. This problem cannot be solved under the traditional framework if the operating system (OS) is comprised since malwares are running in ring0 level. In this paper, we propose a novel way to use hypervisors to protect kernel integrity and the access control system in commodity operating systems. We separate the access control system into three parts: policy management (PM), security server (SS) and policy enforcement (PE). Policy management and the security server reside in the security domain to protect them against malware and the isolation feather of the hypervisor can protect them from attacks. We add an access vector cache (AVC) between SS and PE in the guest OS, in order to speed up communication between the guest OS and the security domain. The policy enforcement module is retained in the guest OS for performance. The security of AVC and PE can be ensured by using a memory protection mechanism. The goal of protecting the OS kernel is to ensure the security of the execution path. We implement the system by a modified Xen hypervisor. The result shows that we can secure the security of the access control system in the guest OS with no overhead compared with modules in the latter. Our system offers a centralized security policy for virtual domains in virtual machine environments.

Jin Hai,Zi Xiaochao,Pan Li,Li Jianhua

DOI: https://doi.org/10.3969/j.issn.1009-8054.2006.07.034

2006-01-01

Abstract:In this article,we firstly analyze access control technology of current operating system. Then we discuss the three dimension access model,based on traditional access control model. And,the paper introduces the concept of access control based on program.After that,we introduce Linux Security Module in Linux kernel 2.6. Finally,we design and implement the access control mechanism based on the program privilege.

LI Li-ping,QING Si-han,HE Ye-ping,SHEN Qing-ni

DOI: https://doi.org/10.3321/j.issn:1000-436x.2006.02.016

2006-01-01

Abstract:In order to solve the problems of policy reusability and policy co-existence in LSM,a new security architecture ELSM is proposed.It introduced Model Combiner as main module to implement module stack management and module decision management.Module decision is based on access control space as policy specification for general support.The design of ELSM and the analysis of its implementation in Ansheng OS prove its effectiveness.

Deqing Zou,Lei Shi,Hai Jin

DOI: https://doi.org/10.1109/ICPADS.2009.128

2009-01-01

Abstract:We design and implement a Mandatory Access Control (MAC) system in distributed virtual computing environment, named DVM-MAC, aiming to provide distributed trust through enforcing MAC policies. In DVM-MAC, Prioritized Chinese Wall (PCW) model is implemented to control potential covert channels between VMs in both single node and distributed environment. A policy enforcement module locates inside Xen VMM for better enforcing MAC locally rather than outside the VMM. DVM-MAC adopts centralized architecture for multi-level management and secure transmission of inter-node policy information. For performance consideration, a specific policy decision and enforcement module for controlling inter-node behaviors is moved out of Xen VMM and up to user space. DVM-MAC authorizes a specific center node named Central Security Server (CSS) to be responsible for the decision making between the nodes as well as leaves the inter-node policy enforcement module in each node. Through our experiments and data analysis, we verify the correctness, effectiveness, and efficiency in our prototype when implementing PCW model.

Jiang Jun,Zhai Zhengjun,Wang Ji

DOI: https://doi.org/10.16526/j.cnki.11-4762/tp.2008.08.026

2008-01-01

Abstract:By analysis of the current popular method of access control,point out their deficiencies.Based on the visit of the remote testing and diagnosis system requirement,design a kind of multi-element mixed access control model(MMAC) which is mixed with role-based access control,task-control and time-control.Describe the definition and improved strategy of access control model.Finally,give the performance comparison between MMAC and RBAC under the result of the experiment.

Liang Cheng,Yang Zhang,Zhihui Han

DOI: https://doi.org/10.1109/SERE.2013.12

2013-01-01

Abstract:Access control mechanisms (ACM) play a critical role in protecting operating systems from malicious attacks. A variety of ACMs have been proposed till date, including discretionary access control (DAC) and mandatory access control (MAC). However, it is often challenging to evaluate and compare the quality of protection (QoP) of ACMs, especially when they are deployed on different platforms. In this paper, we propose an approach to quantitatively measure and compare the quality of ACMs. We introduce the notion of vulnerability profiles to capture the weakness of ACMs in protecting against attacks, and the notion of vulnerability coefficients as a numeric and platform-independent measurement of the protection quality of ACMs. Based on these two notions, our approach applies the Grey System Theory and an independent vulnerability scoring system to infer complete vulnerability profiles and to calculate fair and objective vulnerability coefficients for ACMs. To our knowledge, our approach is the first attempt for quantitative measurement and comparison of ACMs across different operating systems. Based on our approach, we implement a prototype tool called ACVAL that leverages logic programming to characterize, evaluate, and compare access control mechanisms. We apply ACVAL to three mainstream ACMs, and results that ACVAL is effective in evaluating access control mechanisms across different operating systems, a feature particularly useful to administrators of heterogenous IT systems.

Lei Xia,Wei Huang,Hao Huang

DOI: https://doi.org/10.1007/978-3-540-77535-5_21

2007-01-01

Abstract:Multilevel security policies aim at only confidentiality assurance, with less consideration on integrity assurance and weakness in expressing channel control policies. Besides, the trusted subjects it introduces to handle the information flow "downgrade" have many security flaws. Moreover, increasing diversity of the computing environments results in various security requirements. However, current mainstream security models are aiming at only one or few requirements of them each. The Multi-Policy Views Security Model is presented, which is based on the MLS model, combining the domain and role attributes to the model, to enforce the expression power in channel control policies, make permission management more fine-grained and enhance the ability of confining the permission of the trusted subjects. Moreover, MPVSM has integrated the properties and functions of MLS, Domain-Type and Role Based models into one unified model. It is able to enforce multi-policy views in operating system in a flexible way.

Y Tang,Ss Zhang,L Li

DOI: https://doi.org/10.1007/3-540-27912-1_61

2005-01-01

Abstract:The characteristics of multiple security domains environment include multifactor, dynamic, heterogeneity, and openness, which make its resources at high security risks. Thus, it is very critical for mobile access to realize the efficient resources access control in multiple security domains environment. This paper aims at the problems of dynamic privilege assignment for mobile users in cross-domain access, proposes a mobile access control architecture for multiple security domains environment (MACAMSDE), and introduces flexible access control mechanisms. In addtion it discusses the enabling key technologies.

Fenghua Li,Zifu Li,Weili Han,Ting Wu,Lihua Chen,Yunchuan Guo

DOI: https://doi.org/10.1109/dsc.2017.100

2017-01-01

Abstract:With the rapid development of information technologies, our daily life has become deeply dependent on cyberspace. The new technologies provide more facilities and enhancements to the existing Internet services as it allows users more flexibility in terms of exploring webpages, sending messages or publishing tweets via cell phones or laptops. However, there are many security issues such as security policy definition and security policy enforcement of current cyberspace. In this paper, we study information access problems in cyberspace where users leverage devices via the Internet to access sensitive objects with temporal and spatial limitations. We propose a Cyberspace-oriented Access Control model (CoAC) to ensure the security of the mentioned accesses in cyberspace. The proposed model consists of seven atomic operations, such as Read, Write, Store, Execute, Publish, Forward and Select, which can denote all operations by the combination of several atomic operations in cyberspace. For each atomic operation, we assemble a suite of security policies and demonstrate its flexibility. By that, a series of security policies are denfined for CoAC.

WU Qian,FAN Li

DOI: https://doi.org/10.3969/j.issn.1005-8036.2010.01.009

2010-01-01

Abstract:In this paper,we propose an active content access control device whose uniqueness lies on built-in intelligence powered by a specially designed USB controller and application firmware.The device functions standalone as a universal security key to unlock virtually all commonly used secure information storage volumes,as long as user identity,assigned privileges,and dynamic authorizations are provided properly.A variety of real world use cases demonstrate significant improvement in effectiveness and flexibility for secure information management.