Research on Semantic Web Security with a Focus on XML-Layer Access Control Models
Abstract
With the arrival of the information age, the World Wide Web has become an indispensable part of everyday life. Its shortcomings are also evident: HTML has made web pages increasingly flashy while doing nothing to describe information in a structured way. The concept of the Semantic Web was proposed to address exactly this problem. Viewed in terms of the layered architecture of the Semantic Web, XML security holds a significant position in Semantic Web security as a whole.
This paper focuses on access control for XML documents and discusses how to combine the traditional role-based access control (RBAC) model with XML. Building on a review and analysis of the many models previously proposed in this field, and starting from both the limitations of existing RBAC models and the inherent characteristics of XML, it designs an access control model for XML documents named SO-RBAC, with an emphasis on integration and innovation.
Guided by the principle of deepening fine-grained access control, and starting from the highly structured nature of XML documents, the paper emphasizes a resource-oriented approach and refines and makes explicit the concept of authorization propagation. For practicality and operability, it combines CL and ACL and introduces a coarse-grained mechanism as an aid within fine-grained access control. It then designs two further features, conditional access and roles with attributes, and gives strategies for resolving two evident shortcomings of the classical RBAC model when it is combined with authorization propagation. Finally, it introduces the concept of authorization redundancy, classifies the authorization rule set into two parts accordingly, and, drawing on the preceding features, designs a system framework for the SO-RBAC model.
