Research on Role Constraints with Spatial Characteristics
Abstract
Spatial databases and information services based on the location of mobile users are being applied ever more widely, and they place special requirements on access control models: a change in a user's geographic position usually causes a dynamic change in that user's permissions. Spatial information is therefore a key context parameter in the access control model. However, traditional access control models (e.g. mandatory access control, discretionary access control and role-based access control) are typically not context-sensitive; they require a complex yet static authentication infrastructure, and so cannot satisfy the access control requirements of spatial databases.
To meet these requirements, an access control model with spatial capabilities is needed. In location-aware applications users are often grouped into different categories, so the role-based access control (RBAC) model is a reasonable choice. In a spatial environment, the exercise of a role's permissions is constrained by the role's scope: a user is granted operation permissions on an object only when the user's current spatial position lies within the spatial extent of the role being played. When making an access control decision, the system must grant or revoke permissions according to the spatial positions of both the object and the user. Applying the existing RBAC model to access control over spatial data therefore requires extending it with support for the security characteristics of spatial data, so that it captures the mapping between a user's permissions and the user's spatial position in a spatial database.
This thesis takes the spatial database management system PostgreSQL (hereafter PG) as its platform and studies the characteristics of a role-based access control model with spatial support, Spatial-RBAC (Spatial Role-Based Access Control), in order to strengthen the ability of the RBAC model to describe spatial characteristics, to enrich and refine the theory of spatial database security, and to lay a theoretical foundation for stricter information security protection systems in information-sensitive sectors such as the military, banking and securities. The specific research contents are:
(1) Based on the requirements that the constraint set be satisfiable, free of mutual conflicts and free of redundancy, spatial region constraints, spatial separation of duty constraints and spatial role activation cardinality constraints are defined for the spatial environment, and a formal description of each kind of constraint is given;
(2) The enforcement strategy for spatial separation of duty constraints is studied in detail; using minimal mutually exclusive spatial role constraints as the enforcement mechanism effectively avoids redundant constraints and enforces spatial separation of duty constraints precisely;
(3) A concrete spatial constraint base is constructed from the mutually exclusive user set, the mutually exclusive role set and the mutually exclusive permission set;
(4) The triggering mechanism of spatial constraints is studied: when a user establishes a session in a spatial region, if a constraint related to that session exists, the system triggers it automatically and controls the running of the session; if no related constraint exists, the session runs until it ends or another session terminates it. The result is a precise, general Spatial-RBAC model with strong spatial descriptive power.
(5) The design of PG is discussed from the viewpoint of access control policy, and a database access control system scheme based on spatial roles is proposed. The scheme embeds the Spatial-RBAC model in an access agent program on the PG server side; the whole system consists of two subsystems, authorization management and the access agent, and it strengthens PG's access control capability.
Securing access to data in location-based services and mobile applications poses interesting security requirements for spatially aware access control systems. In particular, the permissions assigned to users depend on their physical positions in a reference space. However, traditional access control models do not specify these spatial requirements.
To deal with the requirements listed above, an access control model with spatial capabilities is needed. Since in location-aware applications users are often grouped in distinct categories, RBAC models represent a reasonable choice. In a spatial environment, the permissions assigned to users depend on their position in a reference space; users often belong to well-defined categories; objects to which permissions must be granted are located in that space; and access control policies must grant permissions based on object locations and user positions. It is therefore necessary to study RBAC further. In this paper we extend the existing RBAC model and propose the Spatial-RBAC model, which utilizes spatial and location-based information in security policy definitions.
Based on PostgreSQL, we extend the existing RBAC model and propose the Spatial-RBAC model that utilizes spatial and location-based information in security policy definitions, in order to strengthen the capability of RBAC to express security policies with spatial characteristics, to optimize the theory of secure DBMSs, and to provide the theoretical basis for building stricter systems for banking, securities and the military.
Our contributions in this paper are as follows.
(1) According to the analysis of the location feature of a spatial object, and combining the necessity of spatial constraints, the non-conflict condition of spatial constraints, the satisfiability of spatial constraint sets and the relevance between the different classes of constraints, the constraints with spatial characteristics are divided into three classes: constraints on spatial regions, spatial separation of duty constraints and constraints on the cardinality of spatial role activation. We also formalize all the constraints with spatial characteristics.
(2) There are often multiple Mutually Exclusive Spatial Role (MESR) constraints that can enforce the same Spatial Separation of Duty (SSoD) policy. Although different MESR constraints can have the same effect on the same session, we have found that they vary greatly in enforcement efficiency: the more precisely the MESR sets are defined for enforcing an SSoD policy, the less overhead the system suffers. In this paper we argue that SSoD policies should be enforced by specifying minimal MESR constraints. By comparing the different MESR constraints that can enforce the same SSoD policy, we conclude that minimal MESR constraints avoid redundant restrictiveness effectively and enforce the SSoD policy precisely. We also present an algorithm that generates all minimal MESR constraints that are precise for enforcing one SSoD policy.
(3) A constraint base is constructed from the conflict set of users, the conflict set of roles and the conflict set of permissions.
(4) When a user establishes a session in a spatial region, the constraints concerning that session are triggered and control the session automatically throughout its life. On-When-Then-Else (OWTE) authorization rules, an enhanced form of ECA rules, are used to enforce RBAC with spatial characteristics. We show the mapping between the basic elements of RBAC with spatial characteristics and the OWTE rule specification, and we establish OWTE rules as an enforcement mechanism for realizing role-based constraints with spatial characteristics at different granularities.
(5) We have proposed a system scheme that performs database access control based on spatial roles on the spatial DBMS PostgreSQL. The scheme embeds the access control function into an access agent program on the server to control users' access to database resources at a high degree of granularity. The system consists of the privilege management subsystem and the access agent subsystem, and it improves the security of PostgreSQL.
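As an added illustration that is not code from the thesis, the following Python sketch encodes the three constraint classes described above (spatial region, spatial separation of duty via MESR sets, and activation cardinality) together with an object-location check at decision time. Regions are simplified to axis-aligned rectangles, and the role names, extents and thresholds are constructed assumptions; a deployment as described would evaluate real geometries inside the PG access agent.

```python
# Added Spatial-RBAC sketch (not the thesis's code). Regions are axis-aligned
# rectangles (x1, y1, x2, y2) standing in for the real spatial geometries.
from dataclasses import dataclass, field

Rect = tuple[float, float, float, float]
Point = tuple[float, float]


def contains(region: Rect, point: Point) -> bool:
    x1, y1, x2, y2 = region
    return x1 <= point[0] <= x2 and y1 <= point[1] <= y2


@dataclass
class SpatialRBAC:
    # Spatial region constraint: the extent in which each role may be played.
    role_extent: dict[str, Rect]
    # Minimal MESR constraints as (role set, k): a session may hold fewer than k of them.
    mesr: list[tuple[frozenset[str], int]] = field(default_factory=list)
    # Activation cardinality: how many sessions may hold a role at the same time.
    max_activations: dict[str, int] = field(default_factory=dict)
    # Session id -> roles currently active in that session.
    active: dict[str, set[str]] = field(default_factory=dict)

    def activate(self, session: str, role: str, position: Point) -> tuple[bool, str]:
        """Try to activate `role` in `session` for a user at `position`."""
        extent = self.role_extent.get(role)
        if extent is None:
            return False, "unknown role"
        if not contains(extent, position):
            return False, "position outside the role's spatial extent"
        current = self.active.setdefault(session, set())
        for roles, k in self.mesr:  # spatial SoD check
            if role in roles and len((current | {role}) & roles) >= k:
                return False, f"MESR constraint: fewer than {k} of {sorted(roles)} allowed"
        limit = self.max_activations.get(role)
        if limit is not None and role not in current:
            in_use = sum(role in held for held in self.active.values())
            if in_use >= limit:
                return False, f"cardinality constraint: {role} already has {limit} activations"
        current.add(role)
        return True, "granted"

    def authorize(self, session: str, role: str, obj_position: Point) -> bool:
        """Grant only if the role is active and the object lies in the role's extent."""
        return role in self.active.get(session, set()) and contains(self.role_extent[role], obj_position)
```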