Institutional Repository of the Institute of Software, Chinese Academy of Sciences
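Title:
Design and Implementation of Identification & Authentication and Access Control Mechanisms (标识与鉴别及访问控制机制的设计与实现)
Author: 王瑜
Defense date: 2004
Major: Computer Application Technology
Degree-granting institution: Institute of Software, Chinese Academy of Sciences
Place of conferral: Institute of Software, Chinese Academy of Sciences
Degree: Doctorate
Keywords: secure operating system; access control; identification and authentication; role; task
Alternative title: Design and Implementation of Identification & Authentication and Access Control in Secure Operating System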
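Abstract: In accordance with the relevant security standards for computer systems, we designed and implemented the B2-level Ercist 4.0 (安胜4.0) secure operating system on the basis of the Linux source code. Ercist 4.0 adopts a new security policy model that combines three access control mechanisms, RBAC, DTE and MAC, making access control more flexible. This thesis describes the design and implementation of the system's identification and authentication mechanism and its access control mechanism. Identification and authentication are important technologies in an operating system. Identification indicates a user's identity; authentication verifies that the claimed identity is genuine. The identification and authentication system is the foundation on which the operating system implements its own security mechanisms, and its own security is in turn an important guarantee of the security of the whole operating system. To support the new security mechanisms of the secure operating system, this thesis describes the design and implementation of the extended identification and authentication mechanism in Ercist 4.0. The extended mechanism adds new user security attributes to support the three access control mechanisms, RBAC, DTE and MAC. The thesis also describes the design and implementation of the password checker and the strong identity authentication mechanism in Ercist 4.0, which strengthen the security of the authentication process. Access control is an extremely important part of operating system security protection: building on identification and authentication, it controls the resource access requests a user makes according to the user's identity. This thesis describes the design and implementation of the multi-policy access control model of Ercist 4.0; the system can use a single access control mechanism on its own or several at the same time. During the design and development of Ercist 4.0, we found that although RBAC can reduce the complexity of access control administration, configuring permissions for roles efficiently and reasonably in RBAC is still somewhat difficult, and RBAC is not suited to access control that involves dependency and temporal-ordering relationships. This thesis addresses these two difficulties by introducing a task mechanism into RBAC: permissions are granted to tasks, tasks are granted to roles, and a role can use only the permissions allowed by the task it is currently executing. The TBPM-RBAC model is proposed, its definition is given, the model is analysed, and two application examples of the model are given.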
English abstract: Referring to the related security criteria for computer systems, we designed and realized the Ercist 4.0 secure operating system. The system, which is a B2 level secure operating system, is based on the source code of Linux. Ercist 4.0 uses a new security policy model, which combines RBAC, DTE and MAC and makes access control more flexible. We introduce the design and implementation of the identification and authentication mechanism and the access control mechanism in this thesis. Identification and authentication are critical technologies in operating systems. Identification establishes who the user is; authentication verifies whether the user is the person he claims to be. Identification and authentication is the foundation for realizing the security mechanisms of the operating system itself, and the security of identification and authentication is also important to ensuring the security of the whole operating system. To support the new security mechanisms of the secure operating system, we describe the design and realization of the extended identification and authentication mechanism in Ercist 4.0 in this thesis. After extension, new security properties of users are added to the identification and authentication system in order to support RBAC, DTE and MAC in the secure operating system. Besides, to strengthen the security of the authentication process, in this thesis we propose the design and implementation of a password checker and a mandatory identification and authentication mechanism in Ercist 4.0. Access control is a very important part of the security of an operating system. Access control governs access to objects according to the identity of the user, and is based on the identification and authentication mechanism. We introduce the design and implementation of the multiple-policy access control model of Ercist 4.0 in this thesis. We can choose to use only one access control mechanism or several access control mechanisms at the same time in the secure operating system. During the design and development of Ercist 4.0, we found that RBAC can reduce the complexity of access control management, but it is still rather difficult to assign permissions to roles efficiently and reasonably; furthermore, RBAC is not suited to managing access control where dependency and sequence exist. In this thesis we try to solve the two difficulties mentioned above by embedding a task mechanism in RBAC: permissions are assigned to tasks, tasks are assigned to roles, and a role can only use the permissions that are allowed by the tasks it is executing. A model called TBPM-RBAC is proposed; we then present the definitions of the model, analyze the model and give two application examples of the model.
Language: Chinese
Content type: Dissertation
URI: http://ir.iscas.ac.cn/handle/311060/5594
Appears in Collections: Institute of Software, Chinese Academy of Sciences

Files in This Item:
File Name/ File Size Content Type Version Access License
LW014045.pdf(2625KB)----Restricted access-- Contact to obtain full text

Recommended Citation:
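王瑜. Design and Implementation of Identification & Authentication and Access Control Mechanisms (标识与鉴别及访问控制机制的设计与实现) [D]. Institute of Software, Chinese Academy of Sciences. Institute of Software, Chinese Academy of Sciences. 2004-01-01.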

Items in IR are protected by copyright, with all rights reserved, unless otherwise indicated.

 

 
