Research on Trusted Remote Attestation Protocols
Abstract
Over the past few decades, many software designers assumed that software is not easily tampered with. Today, with the rapid spread of software applications, tamper-resistance requirements for both software and hardware have become increasingly important. In many applications, only legitimate, untampered client applications may be allowed to access the relevant services. An authorized entity needs to be able to verify whether the client software running on a remote attesting platform has been tampered with; if tampering is detected, the verifier disconnects the client from the network and stops providing service to it, or forces the client to stop executing its application.
     As one of the key features of trusted computing, trusted remote attestation is the process by which the party issuing an attestation request confirms the identity and platform-configuration state of the remote attesting platform, that is, the process of determining whether the remote platform is trustworthy. Changes to a computer can be detected by the attestation requester during remote attestation, so that important commands or private information are not sent to a compromised computer. The remote attestation mechanism can be used to restrict unauthorized client applications: it selectively chooses which remotely executed applications are accepted, effectively prevents malicious or defective applications from abusing a service, reduces the misuse of Trojan programs, and avoids connections with malicious terminals. Through these restrictions it strengthens terminal trustworthiness and system security.
     The main contributions of this thesis are:
     (1) According to how remote attestation is implemented, remote attestation models are divided into four categories: binary-based remote attestation models, hybrid remote attestation models, software-based remote attestation models, and other remote attestation models. The advantages and disadvantages of the four categories are compared and analysed, the problems present in existing models are summarised, and the rationale for the property-based remote attestation model (a hybrid remote attestation model) is derived, which lays the foundation for the remote attestation model of this thesis.
     (2) A bilinear-pairing-based remote attestation model, BPBA, is proposed. BPBA inherits the idea of property-based remote attestation and comprises four protocols: the attribute-configuration protocol, the signing protocol, the verification protocol, and the revocation protocol. The model is built on bilinear pairings, which effectively alleviates the problems caused by the RSA cryptosystem in PBA: long keys, heavy computation, low computational efficiency, and weaker security. Various trusted computing platform parameters are added to the model to resist replay attacks, and the algorithm applies information hiding to conceal certificates, preventing any user holding the source certificate from misusing it.
     (3) The application of BPBA in a cloud computing environment is studied, and a cloud-computing-based remote attestation model, CBA, is proposed. CBA first addresses the basis for implementing remote attestation in the cloud: the management mode for the TPM and its keys (including the AIK and EK), and gives a detailed definition of the cloud computing framework in which CBA is implemented. The model is built on BPBA and likewise comprises the four protocols: attribute-configuration, signing, verification, and revocation. CBA extends remote attestation research into the cloud computing field and concretely addresses the problems of implementing remote attestation in the cloud.
     (4) By comparing the advantages and disadvantages of the mainstream security models, a new security model combining the strengths of the BLP model and the Clark-Wilson model is proposed, together with its definition and the corresponding axioms. By incorporating the ideas of BPBA and CBA, the trustworthiness of subjects in the security model is verified, guaranteeing read/write security between subjects and objects as well as data integrity. The model's application of the domain-isolation axiom effectively restricts the range of objects a subject may access.
In the past few decades, many software designers assumed that software cannot easily be tampered with. Today, with the popularity of software applications, tamper-resistance requirements have become increasingly important. In many applications, only legitimate, untampered client applications can be allowed access to services. An authorized entity needs to be able to verify whether the client software on the remote platform has been tampered with, and the client will be untrusted by the verifier if any tampering is detected.
     Trusted remote attestation is an important characteristic of trusted computing. It helps the requesting party to confirm the identity and the configuration information of the remote platform, and also to determine the trustworthiness of the remote platform. The verifier is able to detect changes to the computer through the attestation process, thus avoiding sending private messages or commands to an unsafe or compromised computer. The server uses the remote attestation mechanism to limit the client application, prevent a malicious program or defective application from being used abusively, and avoid communicating with malicious terminals. So the purpose of reinforcing terminal trustworthiness and system security can be achieved through these limitations.
     In this thesis, we carry out a detailed introduction to the definitions of trusted computing, the trusted computing platform and trusted remote attestation. The main contributions are as follows:
     (1) Remote attestation models are divided into four major categories: binary-based remote attestation models, hybrid remote attestation models, software-based remote attestation models and other remote attestation models. A detailed analysis of the advantages and disadvantages of all the categories is made, and we thereby conclude that the property-based remote attestation model, which is a kind of hybrid remote attestation model, is a reasonable model and is suitable as the basis for our remote attestation model.
     (2) A bilinear pairing based remote attestation model (BPBA) is provided in the thesis. It inherits the ideas of the property-based attestation model (PBA). There are four protocols in the BPBA model: the Attribute-Configuration protocol, the Signing protocol, the Verification protocol and the Revocation protocol. The computational efficiency of the BPBA model with respect to the PBA model has increased significantly. The BPBA model is established on bilinear pairings while the PBA model is set up on RSA keys. Bilinear pairings are based on elliptic curve cryptography; one of their significant advantages is that, compared with RSA keys, they can use shorter key lengths, so that bandwidth and memory requirements are smaller. On the other hand, the BPBA model includes many trusted computing platform parameters in order to resist replay attacks, and makes use of information hiding technology to hide certificates, effectively preventing anyone holding a source certificate from misusing it.
     (3) We study TPM and AIK management in the cloud computing environment in detail and construct a cloud computing environment remote attestation protocol (CBA) based on the BPBA model. There are also four protocols defined in the CBA model, which play the same roles as in BPBA and run between different participants.
     (4) We compare the advantages and disadvantages of the mainstream security models, and provide a new security model with detailed definitions and rules. To verify the trustworthiness of principals in the model, we can make use of BPBA and CBA. The model introduces the BLP model and the Clark Wilson model to ensure the security and data integrity of principals' reads and writes. What's more, the principal access scope can be controlled by the domain isolation axiom.
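The attestation round the abstract describes (the verifier detects a changed client and withholds service; freshness parameters defeat replay), as an added, simplified example. This is not the thesis's BPBA or CBA protocol and not code from the thesis: it uses a plain SHA-256 measurement in place of PCR extends, a single-use nonce for freshness, and HMAC-SHA256 under a shared key as a stand-in for the TPM's AIK signature (no pairings, no property certificates); the client binaries and the known-good list are constructed sample data.

```python
"""Simplified remote attestation exchange (constructed teaching example).

Not the BPBA/CBA protocol of the thesis: a plain measure -> quote -> verify
round.  HMAC-SHA256 over a shared key stands in for the TPM's AIK signature so
the example runs with the standard library only.
"""
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field

# Constructed sample data: the verifier's reference ("known-good") measurement
# for the only client build it is willing to serve.
GENUINE_CLIENT = b"client binary v1.0 (constructed)"
KNOWN_GOOD = {"client-1.0": hashlib.sha256(GENUINE_CLIENT).hexdigest()}

# Constructed stand-in for the attester's AIK, shared with the verifier so that
# HMAC can play the role of signature verification.
PLATFORM_KEY = b"constructed-platform-key-not-a-real-aik"


def measure(binary: bytes) -> str:
    """Hash the client binary: stands in for the PCR extend/measurement step."""
    return hashlib.sha256(binary).hexdigest()


def quote(nonce: str, measurement: str, key: bytes = PLATFORM_KEY) -> dict:
    """Attester side: bind the measurement to the verifier's nonce.

    Putting the nonce inside the authenticated payload is what defeats replay:
    a quote captured earlier cannot answer a new challenge.
    """
    payload = json.dumps({"nonce": nonce, "measurement": measurement}, sort_keys=True)
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}


@dataclass
class Verifier:
    key: bytes = PLATFORM_KEY
    known_good: dict = field(default_factory=lambda: dict(KNOWN_GOOD))
    outstanding: set = field(default_factory=set)  # nonces issued but not yet consumed

    def challenge(self) -> str:
        """Issue a fresh, unpredictable nonce and remember it."""
        nonce = secrets.token_hex(16)
        self.outstanding.add(nonce)
        return nonce

    def verify(self, q: dict) -> tuple:
        """Return (accept, reason).  Any failure means: deny service to this client."""
        expected = hmac.new(self.key, q["payload"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, q["tag"]):
            return False, "bad signature"
        data = json.loads(q["payload"])
        # Freshness: the nonce must be one we issued and not already consumed.
        if data["nonce"] not in self.outstanding:
            return False, "stale or unknown nonce (replay)"
        self.outstanding.discard(data["nonce"])
        # Integrity: the reported configuration must match a reference value.
        if data["measurement"] not in self.known_good.values():
            return False, "measurement not in known-good list (tampered client)"
        return True, "accepted"


def run_demo() -> dict:
    """Exercise the four outcomes a verifier must distinguish."""
    v = Verifier()
    tampered_client = GENUINE_CLIENT + b" + injected code"  # constructed

    n1 = v.challenge()
    good_quote = quote(n1, measure(GENUINE_CLIENT))
    genuine_ok, _ = v.verify(good_quote)

    n2 = v.challenge()
    tampered_ok, tampered_why = v.verify(quote(n2, measure(tampered_client)))

    v.challenge()  # new challenge outstanding, but the old quote is replayed
    replay_ok, replay_why = v.verify(good_quote)

    n4 = v.challenge()
    forged_ok, forged_why = v.verify(quote(n4, measure(GENUINE_CLIENT), key=b"wrong key"))

    return {
        "genuine": genuine_ok,
        "tampered": tampered_ok, "tampered_why": tampered_why,
        "replay": replay_ok, "replay_why": replay_why,
        "forged": forged_ok, "forged_why": forged_why,
    }


if __name__ == "__main__":
    for k, val in run_demo().items():
        print(f"{k}: {val}")
```

The order of the checks matters: authenticity first (an unauthenticated payload tells the verifier nothing), then freshness, then the configuration comparison. A real deployment replaces the shared-key HMAC with a signature under a platform key whose certificate chain the verifier trusts, which is the part BPBA and CBA redesign around pairings and property certificates.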