Similar literature
1.
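Research on Attribute-Based Access Control for Web Services   Total citations: 4, self-citations: 1, citations by others: 4
Web services are a new service-oriented computing paradigm; their heterogeneity, multi-domain nature and highly dynamic behavior pose unique security challenges. A key security challenge is designing an effective access control mechanism. However, most existing access control mechanisms are identity-based and suffer from serious problems of administrative scale and control granularity. This paper proposes using Attribute-Based Access Control (ABAC) to handle access control for Web services. ABAC makes authorization decisions using the attributes of the relevant entities, which solves the administrative scale problem and provides fine-grained control. In addition, the paper models ABAC, discusses its application, and finally gives an implementation framework.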

2.
Ws-AC: A Fine Grained Access Control System for Web Services   Total citations: 1, self-citations: 0, citations by others: 1
The emerging Web service technology has enabled the development of Internet-based applications that integrate distributed and heterogeneous systems and processes which are owned by different organizations. However, while Web services are rapidly becoming a fundamental paradigm for the development of complex Web applications, several security issues still need to be addressed. Among the various open issues concerning security, an important issue is represented by the development of suitable access control models, able to restrict access to Web services to authorized users. In this paper we present an innovative access control model for Web services. The model is characterized by a number of key features, including identity attributes and service negotiation capabilities. We formally define the protocol for carrying on negotiations, by specifying the types of message to be exchanged and their contents, based on which requestor and provider can reach an agreement about security requirements and services. We also discuss the architecture of the prototype we are currently implementing. As part of the architecture we propose a mechanism for mapping our policies onto the WS-Policy standard which provides a standardized grammar for expressing Web services policies.

3.
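To address the shortcomings of traditional access control policies, an interactive access control policy model for Web services is proposed. To secure information exchange between Web services, a matching mechanism based on the SAML authentication and authorization framework is designed to implement interactive access between collaborating users and service providers. Taking the access control process of a Web service as an example, the implementation of the interactive access control protocol for Web services is analyzed; the results show that the protocol can provide finer-grained access control for Web services.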

4.
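To meet the need for secure sharing of electronic health record information in cloud environments, an access control framework for composite electronic health records in the cloud is proposed. In this framework, a composite electronic health record structure is proposed and built on the logical relationships among multiple CDA documents; an attribute-based multi-level security access control policy is applied to manage composite electronic health records securely; and XML Web services based on XLINK technology are used to download and view composite electronic health records. Comparative analysis shows that, compared with existing schemes, the proposed framework is better suited to secure sharing of electronic health information in cloud environments.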

5.
Web service conversation modeling: a cornerstone for e-business automation   Total citations: 1, self-citations: 0, citations by others: 1
Web services are emerging as a promising technology for effectively automating interorganizational interactions. However, despite the growing interest, several issues remain to be addressed to provide Web services with benefits similar to what traditional middleware brings to intraorganizational application integration. We identify a framework that builds on current standards to help developers define extended service models and richer Web service abstractions. The framework's main feature is a conversation metamodel derived from our analysis of e-commerce portal sites.

6.
This paper presents the framework of cloud-based software test data generation service (CSTS) that caters to cost-effective test data generation service in a cloud environment. In contrast to existing conventional or cloud-based testing frameworks, CSTS has a number of unique benefits. First, CSTS is designed to facilitate test data generation in minimum time and cost. Second, unlike existing frameworks which mandate clients to opt for resources to test their jobs, CSTS guides customer for selecting best cluster configuration in order to minimize the cost. While the existing models do not provide any solution for trust establishment in cloud computing services, CSTS delivers it by implementing security mechanism with the provision of role based access control. The security mechanism proposed in this paper ensures the protection of data and code of different users. Third, CSTS provides a mathematical pricing model to fulfill the expectations of customers and also to maximize the net profit of service providers. Cloud service request model has also been designed that postulates service level agreements between customers and service providers. We have evaluated, compared, and analyzed our framework and have found that it outperforms other existing cloud-based frameworks.

7.
Despite the various attractive features that Cloud has to offer, the rate of Cloud migration is rather slow, primarily due to the serious security and privacy issues that exist in the paradigm. One of the main problems in this regard is that of authorization in the Cloud environment, which is the focus of our research. In this paper, we present a systematic analysis of the existing authorization solutions in Cloud and evaluate their effectiveness against well-established industrial standards that conform to the unique access control requirements in the domain. Our analysis can benefit organizations by helping them decide the best authorization technique for deployment in Cloud; a case study along with simulation results is also presented to illustrate the procedure of using our qualitative analysis for the selection of an appropriate technique, as per Cloud consumer requirements. From the results of this evaluation, we derive the general shortcomings of the extant access control techniques that are keeping them from providing successful authorization and, therefore, widely adopted by the Cloud community. To that end, we enumerate the features an ideal access control mechanism for the Cloud should have, and combine them to suggest the ultimate solution to this major security challenge – access control as a service (ACaaS) for the software as a service (SaaS) layer. We conclude that a meticulous research is needed to incorporate the identified authorization features into a generic ACaaS framework that should be adequate for providing high level of extensibility and security by integrating multiple access control models.

8.
Trust negotiation is an approach to access control whereby access is granted based on trust established in a negotiation between the service requester and the service provider. Trust negotiation systems avoid several problems facing traditional access control models such as DAC (discretionary access control) and MAC (mandatory access control). Another problem is that Web service providers often do not know requesters' identities in advance because of the ubiquitousness of services. We describe Trust-Serv, a trust negotiation framework for Web services, which features a policy language based on state machines. It is supported by lifecycle management and automated runtime enforcement tools. Credential retrieval and validation in Trust-Serv rely on predefined Web services that provide interactions with attribute assertion authorities and public key infrastructure.

9.
The Internet and related technologies have seen tremendous growth in distributed applications such as medicine, education, e-commerce, and digital libraries. As demand increases for online content and integrated, automated services, various applications employ Web services technology for document exchange among data repositories. Web services provide a mechanism to expose data and functionality using standard protocols, and hence to integrate many features that enhance Web applications. XML, a well-established text format, is playing an increasingly important role in supporting Web services. XML separates data from style and format definition and allows uniform representation, interchange, sharing, and dissemination of information content over the Internet. XML and Web services provide a simplified application integration framework that drives demand for models that support secure information interchange. Providing document security in XML-based Web services requires access control models that offer specific capabilities. Our XML-based access control specification language addresses a new set of challenges that traditional security models do not address.

10.
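To address the problem of composing access control policies for composite services in multi-domain Web service environments, an attribute-based description framework for Web service access control policies is first proposed, and service access control policies are formally expressed using an attribute description method based on atomic attribute value restrictions. Then, by analyzing the control structures in service composition description documents and studying access control policy composition operators and the composition operations on access control policy rules, a method for composing the access control policies of composite Web services is proposed, achieving policy composition for composite services. Finally, the policy composition workflow for composite Web services is illustrated with an example, verifying the practicality of the method.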

11.
There are many security issues in cloud computing service environments, including virtualization, distributed big-data processing, serviceability, traffic management, application security, access control, authentication, and cryptography, among others. In particular, data access using various resources requires an authentication and access control model for integrated management and control in cloud computing environments. Cloud computing services are differentiated according to security policies because of differences in the permitted access right between service providers and users. RBAC (Role-based access control) and C-RBAC (Context-aware RBAC) models do not suggest effective and practical solutions for managers and users based on dynamic access control methods, suggesting a need for a new model of dynamic access control that can address the limitations of cloud computing characteristics. This paper proposes Onto-ACM (ontology-based access control model), a semantic analysis model that can address the difference in the permitted access control between service providers and users. The proposed model is a model of intelligent context-aware access for proactively applying the access level of resource access based on ontology reasoning and semantic analysis method.

12.
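An access control model for Web services is proposed. Combined with Web services, the model allows security access control permissions to change dynamically, improving on the current problem of static access control. The view policy language VPL provided by the new model is used to describe access control policies for Web services. The architecture integrating the new security model with Web services is given; it is used to enforce Web service access control policies.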

13.
Computer Communications, 1999, 22(15-16): 1512-1525
Asynchronous Transfer Mode (ATM) is seen to be a technology that allows flexibility, efficiency and manageable bandwidth on demand to be achieved in high-speed networks. ATM is able to support a variety of applications including voice, video, image and data with different quality of service requirements. This paper addresses the design and implementation of security services and mechanisms in ATM networks. The paper examines the various design options for the placement of security services within the ATM protocol reference model and considers their advantages and disadvantages. The option of placing the security layer between the ATM Adaptation Layer (AAL) and the ATM layer is selected and the design of security services such as confidentiality, integrity and data origin authentication services in the user plane are described. The paper then presents an authentication scheme and key establishment protocol. This protocol is integrated with the existing ATM signaling protocols as part of the call setup procedures in the control plane. Then the paper discusses a public key infrastructure for the ATM environment and considers the design of public key management protocols between ATM nodes and Certification Authority for initializing, retrieving and distributing public key certificates. Finally, the paper considers the design of access control service for ATM networks and discusses the issues involved in the provision of access control mechanisms both at the connection setup phase and during the user data transfer phase. It seems that the developed security design can be transparently integrated to secure ATM networks.

14.
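The core idea of security cloud services is to virtualize traditional hardware network security functions, drawing on the high reliability, elastic scaling and on-demand customization of cloud computing, and to deliver security protection capabilities as a service. The technology and research for such services are currently at an early stage of development, and there is no unified definition of the technical concept, implementation architecture or extended applications, so research on security cloud service technology and applications has significant theoretical and practical value. Using the "Web Application Security Cloud Service Platform" of the Chinese Academy of Sciences Information Assurance Demonstration Project as its practical background, this paper first sets out the concept, characteristics, application areas and state of development in China and abroad of security cloud services, then proposes an infrastructure design and key technologies for Web application security, and describes the practical results of specific applications under this architecture.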

15.
More and more software systems based on web services have been developed. Web service development techniques are thus becoming crucial. To ensure secure information access, access control should be taken into consideration when developing web services. This paper proposes an extended XACML model named EXACML to ensure secure information access for web services. It is based on the technique of information flow control. Primary features offered by the model are: (1) both the information of requesters and that of web services are protected, (2) the access control of web services is more precise than just “allow or reject” policy in existing models, and (3) the model will deny non-secure information access during the execution of a web service even when a requester is allowed to invoke the web service.

16.
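In SOA environments, the distributed nature of user management, the dynamic nature of business collaboration and the openness of services pose great security challenges for cryptographic services. This article establishes a security framework that defines a complete set of security services and interfaces, meets the special requirements of secure access, access control and secure sharing for cryptographic services, and provides security assurance for SOA-oriented cryptographic services.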

17.
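A Survey of Access Control Technology for Composite Web Services   Total citations: 1, self-citations: 1, citations by others: 0
Access control is a key technology for ensuring the security and reliability of value-added applications built on Web service composition. This paper mainly discusses the state of research on access control technology for composite Web services and its problems. It first discusses the challenges facing composite Web service security; next, it analyzes composite Web service security problems from a layered perspective; then it analyzes progress in research on the core access control technologies for composite Web services from three aspects: the access control architecture for composite Web services, consistency coordination of atomic security policies, and business process access control; finally, drawing on existing research results, it points out the shortcomings of current research and future trends.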

18.
One of the most significant difficulties with developing Service-Oriented Architecture (SOA) involves meeting its security challenges, since the responsibilities of SOA security are based on both the service providers and the consumers. In recent years, many solutions to these challenges have been implemented, such as the Web Services Security Standards, including WS-Security and WS-Policy. However, those standards are insufficient for the new generation of Web technologies, including Web 2.0 applications. In this research, we propose an intelligent SOA security framework by introducing its two most promising services: the Authentication and Security Service (NSS), and the Authorization Service (AS). The suggested autonomic and reusable services are constructed as an extension of WS-1 security standards, with the addition of intelligent mining techniques, in order to improve performance and effectiveness. In this research, we apply three different mining techniques: the Association Rules, which helps to predict attacks, the Online Analytical Processing (OLAP) Cube, for authorization, and clustering mining algorithms, which facilitate access control rights representation and automation. Furthermore, a case study is explored to depict the behavior of the proposed services inside an SOA business environment. We believe that this work is a significant step towards achieving dynamic SOA security that automatically controls the access to new versions of Web applications, including analyzing and dropping suspicious SOAP messages and automatically managing authorization roles.

19.
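Research on Network Security Mechanisms for ASP.NET-Based Application Systems   Total citations: 1, self-citations: 0, citations by others: 1
As user application systems and network environments grow more complex, security threats are increasing. As part of the Microsoft .NET Framework, ASP.NET makes it easier to build secure Web applications. This paper focuses on the security of Web application systems developed with ASP.NET, introduces the network security design of application systems with a B/S architecture on the ASP.NET platform, analyzes the security mechanisms of the three-tier B/S network architecture, and gives the key technical points for achieving system security through authentication, permission control, data encryption, and accessing the database via stored procedures.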

20.
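Research on Web Services Testing   Total citations: 9, self-citations: 3, citations by others: 9
Web services technology brings new challenges to software testing research. Web services testing must adapt to the new service-oriented distributed computing architecture. To ensure quality of service, Web services need verification and validation at multiple levels, including infrastructure, unit services and integrated services; testing must cover the functionality, performance, reliability, security and other aspects of the service. Starting from the Web services architecture and application patterns, this paper discusses the main issues in Web services testing. It analyzes the state of current related research and summarizes the main research results, including SOAP protocol verification, WSDL language extensions, model-based verification of service integration, and testing frameworks. Finally, it discusses the main open problems and directions for further research.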
