中国科学院软件研究所机构知识库
Advanced  
ISCAS OpenIR  > 中科院软件所  > 中科院软件所
题名:
面向XML文档的访问控制研究
作者: 李斓
答辩日期: 2004
专业: 计算机应用技术
授予单位: 中国科学院软件研究所
授予地点: 中国科学院软件研究所
学位: 博士
关键词: 安全 ; 自主访问控制 ; 强制访问控制 ; 基于角色的访问控制
其他题名: Research on Access Control for XML Documents
摘要: XML是目前信息交换和存取的新兴技术,而XML文档中的敏感信息需要各种机制来保证其安全性,访问控制是其中之一。本文在国家863项目的支持下,以实现灵活、安全而且高效的模型为目标,对面向XML文档的访问控制进行了全面的研究。本文主要的研究成果有以下几点:1)用形式化的方法描述了XML文档模型,并提供了一系列规则来保证模型描述的XML文档的良构性。XML模式文档与普通文档适用同样的模型,本文也对它们之间的对应关系进行了描述。2)提出了一种灵活实用的方法对XML文档实施自主访问控制策略,该方法基于功能强大的XML模式而不是传统的DTD技术。通过在授权中扩展了关于授权的可覆盖性、管理能力以及授权者的字段,方便了XML文档的权限管理和用户请求的判断。描述了权限的管理能力,授权在分配过程中管理能力逐步递减,使得对象权限在一定程度上是可控的。证明了访问请求的可判定性,并在此基础上给出了请求判定的算法。3)首次讨论了在XML文档中实施强制访问控制策略的方法。在XML文档模型中增加了描述对象安全属性的组件—安全标签,讨论了安全标签应该满足的规则。定义了强制访问控制策略下XML文档的有效性,提高了处理有效文档的系统的可用性。详细地描述了如何实现强制访问控制策略下针对XML文档的操作,并讨论了可能引起的多实例情况和解决办法,然后给出了一些关键模块的实现机制。4)基于前面描述的方法,讨论了如何把自主与强制访问控制策略综合应用于面向XML文档的系统,并提出了基于RBAC的实现综合策略的访问控制模型。引入了多级角色和内部角色的概念,管理员和用户在权限管理时不需要考虑强制访问控制的限制,系统会自动地进行再分配。详细描述了模型中的管理操作,讨论这些操作的执行条件及引起的模型状态变化。本文提出的模型有较好的灵活性,可通过配置实现不同级别的安全需求,而且适用于不同规模的系统,不会随着对象数目或安全标签层次的扩展使得权限管理的复杂度急剧增加。
英文摘要: XML is a new technology for information exchange, storage and retrieve. Some mechanisms are needed to protect sensitive information stored in XML documents, and access control is one of the mechanisms. Supported by a National 863 project, implementing flexible, security and effective model as objective, research on access control for XML documents is conducted in this paper. Some results obtained in this paper are as follows. XML document model is described by formal method. Some rules are provided to guarantee that the described documents are well-formed. The model is also applicable for XML schema documents. A flexible and practical method to enforce Discretionary Access Control (DAC) policy on XML documents is presented in this paper. The method is based on XML schema technology that is more powerful than DTD. The authorization is extended to include three fields for overriding option, administrative capability and grantor. Administrative capability in authorization on XML documents is described. Privileges on objects are controllable to some extent. The determinability of users' requests is proved, and algorithm for judging users' requests is given. How to enforce Mandatory Access Control (MAC) policy on XML documents is first proposed. The XML document model is extended to include security label, and some rules which security labels in XML documents should obey are given. The validation of XML documents under MAC policy is defined to improve the usability of systems processing valid documents. Operations on XML documents under MAC policy are described in details. The polyinstantiation caused by these operations is also discussed. Some implementing mechanisms for key models are given. Based on methods discussed before, how to enforce an integrated policy with DAC and MAC on XML system is discussed, an access control based on RBAC is presented to implement the integrated policy. After introduce the concepts of multilevel role and internal role, administrators and users don't have to consider the constraints among the labels of users, roles and objects when assigning privileges. Administrative operations in the model are described in details. This model is flexible and able to be configured to meet different security requirements. The model is applicable in many systems with different scales. The complexity of privilege administration will not added heavily when the numbers of objects or security labels increase.
语种: 中文
内容类型: 学位论文
URI标识: http://ir.iscas.ac.cn/handle/311060/6068
Appears in Collections:中科院软件所

Files in This Item:
File Name/ File Size Content Type Version Access License
LW013935.pdf(2910KB)----限制开放-- 联系获取全文

Recommended Citation:
李斓. 面向XML文档的访问控制研究[D]. 中国科学院软件研究所. 中国科学院软件研究所. 2004-01-01.
Service
Recommend this item
Sava as my favorate item
Show this item's statistics
Export Endnote File
Google Scholar
Similar articles in Google Scholar
[李斓]'s Articles
CSDL cross search
Similar articles in CSDL Cross Search
[李斓]‘s Articles
Related Copyright Policies
Null
Social Bookmarking
Add to CiteULike Add to Connotea Add to Del.icio.us Add to Digg Add to Reddit
所有评论 (0)
暂无评论
 
评注功能仅针对注册用户开放,请您登录
您对该条目有什么异议,请填写以下表单,管理员会尽快联系您。
内 容:
Email:  *
单位:
验证码:   刷新
您在IR的使用过程中有什么好的想法或者建议可以反馈给我们。
标 题:
 *
内 容:
Email:  *
验证码:   刷新

Items in IR are protected by copyright, with all rights reserved, unless otherwise indicated.

 

 

Valid XHTML 1.0!
Copyright © 2007-2017  中国科学院软件研究所 - Feedback
Powered by CSpace