Research on Multi-Level Security Technologies in Information System Classified Protection
Abstract
With the rapid development of information technology and the fast spread of computer networks, the fundamental, global and strategic role of basic information networks and critical information systems grows ever greater; they have become a new and important strategic resource for national and social development. Securing basic networks and critical information systems, and thereby better safeguarding national security, the public interest and social stability, is a major problem that urgently needs to be solved in the current course of informatization.
     Information security classified protection is the basic institution, basic strategy and basic method of national information security assurance. The access control mechanism is the core of sensitive information protection in an information system, and access control security models provide the basic theoretical foundation for that mechanism. Taking GB17859-1999 and GB/T25070-2010 as its basis, and building on the "triple protection" architecture under the management of "one center", this dissertation studies the multi-level security technologies involved in information system classified protection and proposes a series of improved models and technical solutions. For the problems currently faced by classified protection work, this is not only of scientific and theoretical significance but also has important application prospects.
     The main work and research results of the dissertation are as follows:
     1. To address information protection and sharing in multi-level secure information systems, the security requirements of such systems are analysed; the BLP model for a stand-alone computer system is extended to a multi-level secure information system; a new interpretation of subjects and objects within the information system is given; the need-to-share principle and the concept of the multi-level object are introduced; and a multi-level security model for information systems that supports secure information sharing is established. A formal description of the model is given, the system's secure access rules are defined, and the security of the system is proved. The new model allows departments within an information system that need to share information to do so securely, while preserving the multi-level security of the system.
     2. To address the fact that existing models cannot adequately account for confidentiality and integrity at the same time, an access control model unifying confidentiality and integrity is established; its formal description is given, its security properties are defined, and its security is analysed. The new model rests on the assumption that the confidentiality levels and integrity levels of subjects and objects are mutually independent. Starting from confidentiality and integrity as two distinct security attributes that an object possesses simultaneously, when the security labels of subject and object satisfy certain conditions, a confidentiality check unit and an integrity check unit conditionally adjust the subject's confidentiality level and integrity level within a bounded range, according to the relative importance of confidentiality and integrity in the object's security class. This resolves the confidentiality and integrity problem of the system to a certain extent.
     3. Building on the "triple protection" architecture under "one center" management, a multi-level security policy enforcement framework is proposed that extends the trusted computing base of a stand-alone computing system to the entire information system, forming a unified security policy enforcement mechanism for the whole system. On this framework a multi-level security policy model is proposed that implements both access control and information flow control; it defines the policies that users, processes and the various devices in the information system must follow when exchanging information, gives a formal description of the model, and proves its security. The new policy model allows trusted and untrusted computer systems, as well as other data processing devices, to connect to an information system with a single security management center, to handle information of different classification levels, and to provide services to users with different security clearance levels.
     4. Given that China's classified protection work lacks a unified, mature technical system in engineering practice and standards, and in accordance with "Technical Requirements of Security Design for Information System Classified Protection", the fourth-level information system is taken as an example: the security requirements, design goals and technical requirements of its security protection environment are analysed; the design approach for that environment is introduced; the multi-level security mechanisms and implementation technologies of the environment are discussed in depth; and technical designs are given for the functions related to multi-level security in the computing node subsystem, the secure area boundary subsystem and the security management subsystem, providing a useful reference for the security construction work of classified protection.
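The second contribution above starts from the observation that existing models cannot combine confidentiality and integrity well. The following example, added here and not taken from the dissertation, shows why: it evaluates the classic Bell-LaPadula rules (no read up, no write down) and the Biba strict-integrity rules (no read down, no write up) over independent confidentiality and integrity labels, as the dissertation's assumption requires, and reports which objects a subject can both read and write once both policies are enforced together. The level names, category names, integrity scale and sample subject and objects are constructed for the example; the code is a generic reference-monitor check, not the dissertation's unified model.

```python
"""
Standard Bell-LaPadula (BLP) and Biba strict-integrity checks over
independent confidentiality and integrity labels.

Added example for illustration; it is not the dissertation's unified model.
Level names, category names and the sample subject/objects are constructed.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, FrozenSet, List


class Level(IntEnum):
    """Hierarchical classification levels (constructed for the example)."""
    UNCLASSIFIED = 0
    SECRET = 1
    TOP_SECRET = 2


@dataclass(frozen=True)
class ConfLabel:
    """BLP label: a level plus a set of need-to-know categories (a lattice)."""
    level: Level
    categories: FrozenSet[str] = frozenset()

    def dominates(self, other: "ConfLabel") -> bool:
        # (L1, C1) dominates (L2, C2) iff L1 >= L2 and C2 is a subset of C1
        return self.level >= other.level and self.categories >= other.categories


@dataclass(frozen=True)
class Label:
    """Combined label; the integrity level is independent of the BLP label."""
    conf: ConfLabel
    integrity: int  # constructed scale: higher value = more trustworthy


def blp_allows(subject: Label, obj: Label, op: str) -> bool:
    """Simple security property (no read up) and *-property (no write down)."""
    if op == "read":
        return subject.conf.dominates(obj.conf)
    if op == "write":
        return obj.conf.dominates(subject.conf)
    raise ValueError(f"unknown operation: {op}")


def biba_allows(subject: Label, obj: Label, op: str) -> bool:
    """Strict integrity: no read down, no write up."""
    if op == "read":
        return obj.integrity >= subject.integrity
    if op == "write":
        return subject.integrity >= obj.integrity
    raise ValueError(f"unknown operation: {op}")


def decide(subject: Label, obj: Label, op: str) -> Dict[str, bool]:
    """Evaluate one request under BLP alone, Biba alone, and both together."""
    blp = blp_allows(subject, obj, op)
    biba = biba_allows(subject, obj, op)
    return {"blp": blp, "biba": biba, "combined": blp and biba}


def fully_accessible(subject: Label, objects: Dict[str, Label]) -> List[str]:
    """Objects the subject may both read and write under the combined policy.

    The two lattices constrain the flow in opposite directions, so only objects
    whose labels equal the subject's in both dimensions survive the check.
    """
    return sorted(
        name for name, obj in objects.items()
        if decide(subject, obj, "read")["combined"]
        and decide(subject, obj, "write")["combined"]
    )


# Constructed sample labels.
FINANCE = frozenset({"FINANCE"})
ANALYST = Label(ConfLabel(Level.SECRET, FINANCE), integrity=2)
OBJECTS = {
    "finance_report": Label(ConfLabel(Level.SECRET, FINANCE), integrity=2),
    "public_feed": Label(ConfLabel(Level.UNCLASSIFIED), integrity=1),
    "ts_archive": Label(ConfLabel(Level.TOP_SECRET, FINANCE), integrity=3),
    "hr_memo": Label(ConfLabel(Level.SECRET, frozenset({"HR"})), integrity=2),
}

if __name__ == "__main__":
    for name, obj in OBJECTS.items():
        for op in ("read", "write"):
            print(f"{name:15s} {op:5s} {decide(ANALYST, obj, op)}")
    print("read+write under both policies:", fully_accessible(ANALYST, OBJECTS))
```

Running the block shows the tension concretely: BLP alone lets the analyst read the low-integrity public feed and write up into the top-secret archive, Biba alone blocks exactly those two flows, and under both policies the only object the analyst can both read and write is the one whose confidentiality and integrity labels match its own. Any model that wants to restore useful sharing without giving up either property has to introduce some controlled label adjustment, which is the design space the dissertation's second contribution works in.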