Access Control Policy Specification Language Based on Metamodel

Cited by: 0
Authors
Luo Y. [1]
Shen Q.-N. [1]
Wu Z.-H. [1,2]
Affiliations
[1] School of Software and Microelectronics, Peking University, Beijing
[2] National Engineering Research Center for Software Engineering, Peking University, Beijing
Source
Ruan Jian Xue Bao/Journal of Software | 2020 / Vol. 31 / No. 02
Funding
National High-tech R&D Program of China (863 Program); National Natural Science Foundation of China;
Keywords
Abstract syntax tree; Access control model; Interpreter; Policy language; Policy translation;
DOI
10.13328/j.cnki.jos.005624
Abstract
To protect cloud resources, access control mechanisms have to be established in the cloud. However, cloud platforms tend to design their own security policy languages and authorization mechanisms, which leads to two problems: (i) a cloud user has to learn a different policy language to customize permissions for each cloud, and (ii) a cloud service provider has to design and implement its authorization mechanism from scratch, at a high development cost. In this work, a new access control policy specification language called PML is proposed that can express multiple access control models, such as BLP, RBAC and ABAC, as well as important features such as multi-tenancy. An authorization framework called PML-EM is implemented on OpenStack to centralize authorization. PML-EM is independent of the policy language, the access control model, and the programming language in which the authorization module is implemented. Other policies, such as XACML policies and OpenStack policies, can be automatically translated into PML, which facilitates migration between clouds that both support PML-EM. The experimental results indicate that PML-EM improves the flexibility of policy management from a tenant's perspective, with a performance overhead for policy evaluation of 4.8% and an invasiveness of about 0.42%. © Copyright 2020, Institute of Software, the Chinese Academy of Sciences. All rights reserved.
Pages: 439-454
Page count: 15