Research on Application Environment Security Based on Trusted Computing
Abstract
The application environment is a key link in the "three vertical, three horizontal, two centers" information security assurance technical framework. As the user's working environment, it is both the direct window through which legitimate users interact with the information system and an important route by which illegitimate users steal privileges and cause damage. The security protection of the application environment is therefore a key link in strategic information security defense, and whether the application environment is secure bears directly on the security of the information system. Current research on application environment security has two main problems: first, system security and application security are disconnected, with system-layer security mechanisms giving no effective support to application-layer security mechanisms; second, trust and security are not tightly integrated, and trusted extension of the TCB (Trusted Computing Base) lacks theoretical support. As a result, application-layer security still depends largely on the security measures of the application software itself (such as identity authentication and privilege control), and application-layer security has become the weak point of the whole application environment.
     To address these problems, this thesis focuses on how to construct a secure application environment. Its aim is to propose an application environment security assurance framework, to explore the related theoretical models and technical problems, and to provide theoretical support for constructing secure application environments. The approach is to tackle application environment security assurance from three aspects: trusted mechanisms, security mechanisms and security policy. First, trusted extension of the TCB brings every security mechanism and policy in the system within the protection scope of the TCB, guaranteeing that they can be neither tampered with nor bypassed. Second, trusted pipelines connect system-layer and application-layer security mechanisms seamlessly, resolving the disconnection between system security and application security. Finally, hierarchically designed access control policy effectively controls unauthorized access at the application layer. The ultimate goal is to unify hardware security, system security and application security within the application environment, supported by trusted mechanisms.
     The research produced results in the following four areas:
     First, an application environment security assurance framework based on trusted computing is proposed, clarifying the approach to securing the application environment. The key links involved in application environment security assurance are analyzed, and the relationship among trusted mechanisms, security mechanisms and security policy is clarified; on that basis, the assurance framework is established, in which access control mechanisms linking the system layer and the application layer, together with hierarchical security policy, effectively control access behavior at the application layer.
     Second, a TCB trusted extension model is proposed, addressing the lack of theoretical support for TCB extension. Trusted extension of the TCB boundary is the basis and precondition of application environment security assurance, yet theoretical research on TCB extension has lagged behind. This thesis proposes a TCB trusted extension model based on TCB subsets: the TCB is partitioned hierarchically into TCB subsets according to the security policy, the time-isolation and space-isolation relations between TCB subsets are formally described, the trusted-support relation between TCB subsets is then described on that basis, and finally the necessary conditions for trusted TCB extension are given and the decision theorem is proved.
     Third, a formal model of the trusted pipeline is proposed, addressing the seamless connection between the system-layer reference monitor and the application-layer reference monitor so that system-layer security mechanisms effectively support application-layer ones. The trusted pipeline is the core component of the access control mechanism in the application environment security assurance framework and also the key factor on which the TCB trusted extension model depends. This thesis studies the trusted pipeline in depth: it gives the definition and classification of trusted pipelines, uses formal methods to study their constituent elements and the rules for their establishment, transmission and revocation, analyzes their security with the intransitive noninterference model, and finally gives an implementation scheme and workflow.
     Fourth, an application-object-oriented access control model is proposed, addressing the lack of a suitable application-layer access control policy. The model introduces object-oriented ideas into task-based access control and remodels it from the "user-role-application-task" perspective; state transitions of application objects bring environmental context into the access control elements, and temporary privileges realize reverse information flow. Compared with other models of its kind, it offers better security and applicability.
The application environment, the working environment of an information system's users, is the key link of the Information Security Assurance Framework. Legitimate users communicate with the information system through the application environment, while illegitimate users mainly attack the security of the system through it as well. Safeguarding the application environment is therefore the leading edge of information security defense, and whether the application environment is secure bears directly on the security of the information system. Current research on application environment security concentrates on trusted hardware, secure OS design, network security and so on, but at least two problems remain. First, the safeguards of the OS and of the application system are out of joint. Second, trust and security are not closely combined. As a result, the security of the application layer depends on the safeguards of the application software itself (such as authorization and privilege control), and application-layer security has become the weak point of application environment security.
     To address these problems, this paper focuses on how to build a secure application environment. Its purpose is to discuss the theory and key technologies of application environment security, to put forward an application environment security assurance framework, and to provide academic and technical support for building secure application environments. The paper follows the route of resolving application environment security assurance on the basis of TCB expansion. We develop a TCB trusted expansion model based on TCB subsets, in order to expand the TCB from the hardware layer to the system layer and on to the application layer. We study the trusted pipeline mechanism supported by the hardware root of trust, in order to ensure the space-isolation relation between TCB subsets and to connect the reference monitors of the system layer and the application layer. We study an access control model suited to the application layer, in order to guarantee consistency between the system-layer and application-layer access control policies.
     Results are obtained in the following four areas:
     First, the application environment security assurance framework based on trusted computing is studied. A model of application environment security assurance is proposed in which the relations among security safeguards, security mechanisms and security policy are formally described; this is important for building a secure application environment. On the basis of this model, application environment security assurance comes down to three aspects: TCB trusted expansion, a layered access control mechanism and hierarchical security policy. By resolving these three problems, the safeguard mechanisms and policies of the application environment hang together, forming a complete scheme for building a secure application environment.
     Second, the TCB trusted expansion model is studied. Since there is almost no existing theory of TCB expansion, this paper proposes a TCB trusted expansion model based on TCB subsets. In this model the TCB is divided into TCB subsets according to the hierarchy of the security policy, and the time-isolation and space-isolation relations between TCB subsets are formally described. On the basis of the trusted-support relations between TCB subsets, a sufficient condition for judging whether a TCB expansion process is trusted is put forward and proved.
     Third, the formal model of the trusted pipeline is studied. The trusted pipeline is the logical path of information flow. The definition and classification of trusted pipelines are described informally in this paper. The trusted pipeline for TCB expansion, which is the sufficient condition for a space-isolation relation between two TCB subsets to come into being, is one type of trusted pipeline and the main object of study. To study the basic attributes of the TCB expansion pipeline, we give the formal definition of the trusted pipeline and the rules for establishing, transmitting and withdrawing it. Finally, noninterference theory is brought in to discuss the security of the model, and an implementation scheme is proposed.
     Fourth, the Application Object Oriented Access Control model is studied. This model, which integrates the advantages of the task-based access control model (TBAC), the object-oriented access control model and the role-based access control model (RBAC), can be used in production-oriented information systems to raise their security level. In this model a workflow task is abstracted as an application class and a task instance as an application object. The internal characteristics and external relations of application objects are formally described, and a set of security rules is put forward to achieve fine-grained access control that restricts operations on application objects in light of their context.