Access Control Policy Specification Language Based on Metamodel
Clc Number:

TP309

Fund Project:

National Natural Science Foundation of China (61232005, 61672062); National High Technology Research and Development Program of China (863) (2015AA016009)

    Abstract:

    In order to protect cloud resources, access control mechanisms have to be established in the cloud. However, cloud platforms tend to design their own security policy languages and authorization mechanisms, which leads to two issues: (i) a cloud user has to learn a different policy language to customize permissions for each cloud, and (ii) a cloud service provider has to design and implement its authorization mechanism from scratch, at high development cost. In this work, a new access control policy specification language called PML is proposed to express multiple access control models such as BLP, RBAC and ABAC, together with important features such as multi-tenancy. An authorization framework called PML-EM is implemented on OpenStack to centralize authorization. PML-EM is independent of the policy language, the access control model and the programming language used to implement the authorization module. Other policies, such as XACML policies and OpenStack policies, can be automatically translated into PML, which facilitates migration between clouds that both support PML-EM. The experimental results indicate that PML-EM improves the flexibility of policy management from a tenant's perspective; the performance overhead for policy evaluation is 4.8%, and the invasiveness is about 0.42%.

Citation:

罗杨,沈晴霓,吴中海 (Luo Y, Shen QN, Wu ZH). Access control policy specification language based on metamodel. Ruan Jian Xue Bao/Journal of Software, 2020,31(2):439-454 (in Chinese with English abstract).

History
  • Received: August 19, 2017
  • Revised: April 19, 2018
  • Online: February 17, 2020
  • Published: February 06, 2020
Copyright: Institute of Software, Chinese Academy of Sciences Beijing ICP No. 05046678-4