Research on Distributed Access Control Based on Trusted Computing
Abstract
In a distributed environment, data inevitably has to be distributed among and flow between a large number of dispersed nodes, and in such cross-platform or even cross-domain distributed interaction the trustworthiness of the nodes is one of the most important security requirements of distributed access control. Trusted computing uses the Trusted Platform Module (TPM) as its hardware root of trust and solves the problem of trust establishment at the architectural level, offering a new way to establish trust in platform nodes in a distributed environment.
Starting from this background, this thesis carries out theoretical research and engineering practice on distributed access control based on trusted computing, the usage control model and related key technologies: (1) To address the coarse granularity and insufficient dynamism of distributed access control in existing work, it studies an architecture and related mechanisms better suited to enforcing distributed access control. (2) Given the lack of a trust mechanism for terminal platforms in distributed systems, it defines four classes of security attributes of the terminal platform and, on that basis, studies an effective scheme for establishing trust in terminal platforms in a distributed environment. (3) It summarizes the special requirements of remote attestation in a distributed access control architecture, such as privacy protection and attestation of access control policy enforcement, analyzes the organization of usage control policies based on XACML, and on that basis extends existing remote attestation schemes. (4) Building on the above, we implement a prototype distributed access control architecture, Trusted Usage Control, and discuss its application in three specific scenarios.
The main contributions of this thesis are: (1) Starting from information flow integrity, it extends the traditional Biba integrity model and proposes a novel scheme for terminal platform integrity protection and trust establishment; the scheme preserves Biba's inter-process dependency semantics while remedying the monotonicity defect of the Biba model, solving the problem of building a trust chain on the terminal platform. (2) It designs a novel trust evaluation scheme that quantifies the trustworthiness of a terminal platform from both subjective behavior and objective attributes, and enforces remote attestation and access control on the basis of the quantified trust, solving their problems of coarse granularity and insufficient dynamism while protecting the privacy of the terminal platform to a certain extent. To my knowledge, this trust evaluation scheme and its application to trusted-computing-based distributed access control are the first of their kind. (3) It proposes a behavior-based scheme for attesting usage control policy enforcement, which extends traditional remote attestation, solves the problem of establishing trust in policy enforcement behavior, and strengthens the verifiability of the distributed access control architecture. (4) It studies usage control and its enforcement in general, summarizing the security attributes of terminal platforms in a distributed environment and the semantics and classification of usage control policies, which enriches the design theory of distributed access control architectures and supports the practical application of distributed access control.
This thesis emphasizes applied research on distributed access control: it builds application models for complex practical requirements and discusses them, rather than confining itself to the formal semantics of the usage control model. This broadens the scope of distributed access control research and offers some inspiration and reference for subsequent applied research.
In highly distributed environments, data distribution and flow between network nodes are inevitable. The trustworthiness of the network nodes is therefore one of the key security requirements for distributed access control in such cross-platform or even cross-domain interactions. Trusted computing takes the TPM as its hardware root of trust and solves trust establishment from an architectural view, which presents a new solution for trust establishment on network node platforms.
Based on the above background, this thesis carries out theoretical research and engineering practice on distributed access control with trusted computing and the usage control model: (1) To address the problems of current distributed access control research, such as too coarse a granularity and a lack of dynamism, it studies an architecture and related mechanisms that are more suitable for distributed access control. (2) Given the lack of trust in the terminal platform in distributed systems, it defines four security attributes of the terminal platform and studies an effective trust establishment approach in distributed environments. (3) It summarizes the special requirements of a distributed access control architecture, such as privacy protection in remote attestation and enforcement attestation for access control policies, and analyzes the specification of XACML-based usage control policies. On this basis, it extends traditional remote attestation. (4) Based on the above, we implement a prototype of the distributed access control architecture, Trust Usage Control, and apply it in three specific scenarios.
Our contributions in this thesis are summarized as follows: (1) We propose a novel integrity protection and trust establishment approach from the view of information flow that extends the Biba model; it keeps the inter-process dependency semantics of Biba but ameliorates its monotonic behavior, which solves the problem of trust chain establishment on the terminal platform. (2) We design a novel trust evaluation mechanism that evaluates both subjective behavior and objective attributes. The evaluated trust is applied to remote attestation and access control to solve their problems of too coarse a granularity and a lack of dynamism. Besides, privacy protection is achieved to a certain extent. As far as I know, this is the first tentative research on such a trust evaluation mechanism and its application in distributed access control based on trusted computing. (3) We propose a policy enforcement attestation approach that extends traditional remote attestation, so that the problem of trust establishment for the policy enforcement behavior of the terminal platform is solved and the distributed access control architecture becomes more provable. (4) We conclude platform security attributes in distributed environments from the generality of usage control and its enforcement, as well as the semantics and classification of usage control policies, so that the design theory of distributed access control architecture is enriched and the application practice of distributed access control is supported.
This thesis focuses on practical application research in distributed access control. We build our application model against complicated practical requirements and are not restricted to the formal semantics of the usage control model. As a result, we enlarge the research extension of distributed access control, so that it can serve as an inspiration and reference for related subsequent application research.