Similar documents
20 similar documents found (search time 31 ms)
1.
Automated trust negotiation (ATN) is an approach to establishing mutual trust between strangers wishing to share resources or conduct business by gradually requesting and disclosing digitally signed credentials. In ATN, there is a conflict between negotiation success and sensitive information protection: these two needs cannot both be given priority at the same time, which is a challenging problem to resolve. In this paper, a language-independent ATN framework, which is dynamic, flexible and adaptive, is presented to address this problem, ensuring negotiation success without sensitive information leakage. This framework is independent of the policy language that is used. However, the language used should have the capability to specify all kinds of sensitive information appearing in credentials and policies, and support the separation of attribute disclosure from credential disclosure. Thus definitions of new language features, which can be incorporated into existing policy languages, are given, enabling the language in use to support the capabilities mentioned above.

2.
Satellite networks are an emerging kind of network with advantages such as wide coverage and few transmission hops, but their complex topology and frequent link handovers expose them to many network security threats. To address security problems such as identity authentication in satellite networks, this paper combines the CFL authentication scheme and proposes a security authentication strategy suitable for satellite networks. In the registration phase, users and satellites each apply to the ground control center for a certificate; the ground control center verifies the identity of the user and the satellite and then signs certificates for them. In the authentication phase, the user and the satellite exchange certificates, independently generate the verification key and verify the certificate, achieving fast mutual authentication between user and satellite. Analysis shows that the proposed scheme meets the security requirements of satellite networks and resists common network attacks; compared with related schemes, it requires no ground center participation in the authentication process and has low communication and computation overhead. While preserving security, it improves communication efficiency by 33% compared with the method with the lowest computation overhead, effectively raising authentication efficiency. The scheme is therefore not only suitable for satellite networks with limited on-board resources, but also strengthens the security of satellite networks.

3.
Role-based access control (RBAC) is a flexible approach to access control, which has generated great interest in the security community. The principal motivation behind RBAC is to simplify the complexity of administrative tasks. Several formal models of RBAC have been introduced. However, there are few works specifying RBAC in a way that system developers or software engineers can easily understand and adopt to develop role-based systems, and there is still a demand for a practical representation of well-known access control models for system developers who work on secure system development. In this paper we represent a well-known RBAC model with software engineering tools such as the Unified Modeling Language (UML) and the Object Constraint Language (OCL) to reduce the gap between security models and system development. UML is a general-purpose visual modeling language in which we can specify, visualize, and document the components of a software system. OCL is part of UML and has been used for object-oriented analysis and design as the de facto constraint specification language in the software engineering arena. Our representation is based on a standard model for RBAC proposed by the National Institute of Standards and Technology. We specify this RBAC model with UML including three views: static view, functional view, and dynamic view. We also describe how OCL can specify RBAC constraints, which is one of the important aspects of constraining what components in RBAC are allowed to do. In addition, we briefly discuss future directions of this work.

4.
OCL Description of Constraints in the Role-Based Access Control Model   Total citations: 4, self-citations: 1, citations by others: 4
王卓, 冯珊, 《计算机工程与应用》 (Computer Engineering and Applications), 2003, 39(21): 100-102, 109
The role-based access control model (RBAC) has attracted growing research interest thanks to its flexible authorization mechanism, powerful administrative functions and comprehensive security policies; as research deepens, object-oriented methods have also been applied to this model, promoting its rapid development. UML, a powerful modeling language, is not limited to supporting object-oriented analysis and design but supports the whole software development process starting from requirements analysis, and a UML description lets a theoretical model be applied more intuitively to real system development. This paper uses UML's Object Constraint Language (OCL) to describe the constraints in RBAC, making the constraint descriptions more standardized, which helps system developers understand the model and promotes system development based on the RBAC model.

5.
Among the properties of high-confidence software, security is the focus of attention, and methods for proving that software satisfies a security policy are one of the hot topics in security research. Based on the previously proposed framework for secure program design and proof and the pointer logic reasoning system, this paper introduces research on the formal definition of the target machine, the formal verification framework for assembly programs, and the proof of pointer-related properties of assembly programs in the implemented certifying compiler prototype system. Their main features are that the assembly verification framework is based on Hoare-style program verification; pointer-related properties are proved with a pointer logic reasoning system similar to the one at the source-language level; and a simple type system performs the type checking related to pointers.

6.
The definition of security policies in information systems and programming applications is often accomplished through traditional low-level languages that are difficult to use. This is a remarkable drawback if we consider that security policies are often specified and maintained by top-level enterprise managers who would probably prefer to use simplified, metaphor-oriented policy management tools. To support all the different kinds of users we propose a suite of visual languages to specify access and security policies according to the role-based access control (RBAC) model. Moreover, a system implementing the proposed visual languages is proposed. The system provides a set of tools to enable a user to visually edit security policies and to successively translate them into XACML (eXtensible Access Control Markup Language) code, which can be managed by a Policy Based Management System supporting that policy language. The system and the visual approach have been assessed by means of usability studies and of several case studies. The one presented in this paper regards the configuration of access policies for a multimedia content management platform providing video streaming services that are also accessible through mobile devices.

7.
The redefinition of a method in subclasses can completely change the semantics of the superclass method unless there are effective mechanisms that enforce the preservation of behavioral properties. Several approaches to behavioral subtyping—exact pre-post match, plug-in match, relaxed plug-in match among others—exist that enforce the preservation of behavioral properties. To maintain or weaken pre-conditions and to maintain or strengthen post-conditions when redefining methods in extended classes—plug-in match—is the solution that is adopted, by construction, in the Eiffel language, among other assertion languages. This approach forbids the specification of a class of legitimate programs, of which we present an example. We claim that relaxed plug-in match should be enforced instead, in order to accommodate these examples. Other approaches exist, as is the case of case analysis in JML and OCL, that allow the specification of those programs, but they do it at the cost of decreasing software extensibility. We propose a new way of building contracts that identify and express, in a natural and elegant way, the several contributions that method redefinition can bring, and that are expressive enough to specify extensible contracts for the above-mentioned class of programs. These contracts ensure, by construction, that redefinition preserves behavioral properties.

8.
The dramatic rise in mobile applications has greatly increased threats to the security and privacy of users. Security mechanisms on mobile devices are currently limited, so users need more expressive ways to ensure that downloaded mobile applications do not act maliciously. Policy-specification languages were created for this purpose; they allow the enforcement of user-defined policies on third-party applications. We have implemented LoPSiL, a location-based policy-specification language for mobile devices. This article describes LoPSiL’s design and implementation, several example policies, and experiments that demonstrate LoPSiL’s viability for enforcing policies on mobile devices.

9.
Miro is a set of languages and tools that support the visual specification of file system security. Two visual languages are presented: the instance language, which allows specification of file system access, and the constraint language, which allows specification of security policies. Miro visual languages and tools are used to specify security configurations. A visual language is one whose entities are graphical, such as boxes and arrows; specifying means stating, independently of any implementation, the desired properties of a system. Security means file system protection: ensuring that files are protected from unauthorized access and granting privileges to some users, but not others. The tools implemented and examples of how these languages can be applied to real security specification problems are described.

10.
An approach for modeling and analysis of security system architectures   Total citations: 5, self-citations: 0, citations by others: 5
Security system architecture governs the composition of components in security systems and the interactions between them. It plays a central role in the design of software security systems that ensure secure access to distributed resources in a networked environment. In particular, the composition of the system must consistently assure the security policies that it is supposed to enforce. However, there is currently no rigorous and systematic way to predict and assure such critical properties in security system design. A systematic approach is introduced to address the problem. We present a methodology for modeling security system architecture and for verifying whether required security constraints are assured by the composition of the components. We introduce the concept of security constraint patterns, which formally specify the generic form of security policies that all implementations of the system architecture must enforce. The analysis of the architecture is driven by the propagation of the global security constraints onto the components in an incremental process. We show that our methodology is both flexible and scalable. It is argued that such a methodology not only ensures the integrity of critical early design decisions, but also provides a framework to guide correct implementations of the design. We demonstrate the methodology through a case study in which we model and analyze the architecture of the Resource Access Decision (RAD) Facility, an OMG standard for application-level authorization service.

11.
Object-oriented software testing should be, and can only be, guided by design. This paper proposes a scheme: during object-oriented design with UML, OCL constraints are added to classes and methods, and a conversion tool then transforms the UML class diagram with OCL constraints into a Java class code skeleton annotated with JML (Java Modeling Language), so that JML's rich supporting tools can be used for debugging and automated testing, realizing the idea of design-guided testing. The conversion mechanism from OCL to JML is studied, and the implementation framework of JML-AddIn, a conversion tool based on Rational Rose, is given.

12.
The Object Constraint Language (OCL) is a notational language for the analysis and design of software systems, which is used in conjunction with the Unified Modelling Language (UML) to specify the semantics of the building blocks precisely. OCL can also be used by other languages, notations, methods and software tools in order to specify restrictions and other expressions of their models. Likewise, OCL is used by the Object Management Group (OMG) in the definition of other fast-spreading industrial standards such as the Meta Object Facility (MOF) or XML Metadata Interchange (XMI). Support tools aimed at making this language easier to use are becoming available. These tools are capable of supporting and handling OCL expressions. This paper presents a comparative study of the main tools currently available, both commercial and freely available ones. The study is very practical, with the advantages and disadvantages of the different tools being pointed out. The evaluations made may be of use in helping those developers and analysts who already use the language, as well as those who intend to use it in the near future, to choose the OCL tool which best adapts to their requirements.

13.
In this paper we present a generic framework architecture for Web-based community information systems (CIS). The framework has an open architecture based on COTS (commercial-off-the-shelf) software components and network technologies. We discuss how a component-based approach, a layered architecture model, and design patterns can be used to provide a common framework for CIS. The CIS framework architecture results in significant benefits that include reuse, a flexible user interface, powerful search mechanisms and an integrated and scalable architecture. XML and rule-based StyleSheet languages are used for storage, information search and graphical presentation at the server or client. The overall framework architecture, its individual components and the interaction among these components are outlined.

14.
Behavioral interface specification languages, such as Java Modeling Language (JML), can be used to specify the behavior of program modules. We have developed a behavioral interface specification language Moxa, an extension of JML. Moxa provides a new modularization mechanism called assertion aspect that can capture the crosscutting properties among assertions. In this paper, we briefly explain the notion of assertion aspects and the design of Moxa, and then we show an example specification. By comparing the specification to its JML counterpart, we show that the use of assertion aspects clarifies the large, complex specification and greatly simplifies each assertion in the specification.

15.
To address the lack of monitoring in current intranet security protection policies, an improved intranet security protection policy is proposed. The improved policy authenticates the legitimacy of user identities with fingerprints, verifies the security protection policy on intranet user terminals, controls illegal external connections from terminals, and delineates an intranet trusted-host boundary, an intranet trusted-user boundary and a server trusted-user boundary, effectively strengthening intranet security and resisting network attacks.

17.
State-of-the-art security mechanisms are often enforced in isolation from each other, which limits the kinds of policies that can be enforced in distributed and heterogeneous settings. More specifically, it is hard to enforce application-level policies that affect, or use information from, multiple distributed components. This paper proposes the concept of a Security Service Bus (SSB), which is a dedicated communication channel between the applications and the different security mechanisms. The SSB treats the security mechanisms as reusable, stand-alone security services that can be bound to the applications and it allows the enforcement of advanced policies by providing uniform access to application-level information. This leads to a security infrastructure that is more flexible and more manageable and that can enforce more expressive policies.

18.
Access control is an important security issue. It has been addressed since the late 1960s in the early time-sharing computer systems. Many access control models have been proposed since then, but of particular interest is Ferraiolo and Kuhn’s role-based access control model (RBAC). It is a simple and yet general model which has been deeply studied and applied both in industry and in academia. A variety of industrial standards have been proposed based on this model. Generating code for an access control policy is an interesting challenge. Understanding access control as a non-functional concern that cross-cuts the functional part of a system raises difficulties quite suitable for a solution based on aspect-oriented programming. In this paper, we address the problems of specification and validation of code generation for access control policies targeting an aspect-based infrastructure. We propose an MDA approach. The code generator is a transformation from SecureUML, an RBAC-based modeling language, to the language Aspects for Access Control (AAC), an aspect-oriented modeling language proposed in this paper. Metamodels are used to represent the languages and to specify the transformation. A metamodel is used to represent the abstract syntax of a language and the constraints that a given instance model of the metamodel must fulfill. We also use a metamodel to specify the code generator. We call this transformation metamodel, together with all the constraints (those of both languages and those governing the merge of the two languages), a transformation contract. It merges and conservatively extends the source and target metamodels of the model transformation it represents. In the context of code generation for access control policies, the transformation contract specifies the relationships between the abstract syntaxes of SecureUML and AAC and constrains the two languages. The validation of the code generator also uses the transformation contract.
For a given access control policy and aspect, represented as instances of the appropriate metamodels, with aspects produced by the code generator, the constraints of the transformation contract must hold. We have prototyped a transformer from SecureUML to aspects on top of ITP/OCL, an OCL interpreter that automatically validates the generated aspect code by applying the constraints of the transformation contract.

19.
In today’s dynamic and distributed markets a large spectrum of services is delivered through information and communication technologies. Emerging markets of e-services lie at the intersection of non-traditional user behaviour and cyber-partnerships of enterprises to deliver innovative services. Current approaches to managing and controlling security show shortcomings in security policy matching and integration in heterogeneous e-service environments. In this paper, we introduce a framework to support role-based access control for distributed services, focusing on the integration of customer preferences. The framework aims to collect and generate policy-based security measures in cross-organisational scenarios. In addition to catering to specifications of security and business policies, the ability to integrate contextual information and user preferences makes the role-based framework flexible and lets it express a variety of access policies that provide just-in-time permission activation.

20.
Design and Implementation of a Policy-Flexible Security System   Total citations: 1, self-citations: 0, citations by others: 1
Diverse security requirements demand policy flexibility from operating systems. Traditional operating systems scatter support for security policies across the relevant functional modules of the system, such as the file system and inter-process communication, and thus struggle to meet this demand. By analyzing the policy-related functional components in an operating system, this paper proposes a policy-flexible security architecture and implements it on Linux. Compared with previous work, the architecture simplifies the complexity of reconciling policy conflicts through unified maintenance of security attributes; it both lets users flexibly configure existing security policies and allows them to introduce new security attributes and add new kinds of security policies for the security needs of their own domain.
