Journal of Software:2020.31(2):439-454

(北京大学 软件与微电子学院, 北京 102600;北京大学 软件与微电子学院, 北京 102600;软件工程国家工程研究中心(北京大学), 北京 100871)
Access Control Policy Specification Language Based on Metamodel
LUO Yang,SHEN Qing-Ni,WU Zhong-Hai
(School of Software and Microelectronics, Peking University, Beijing 102600, China;School of Software and Microelectronics, Peking University, Beijing 102600, China;National Engineering Research Center for Software Engineering(Peking University), Beijing 100871, China)
Chart / table
Similar Articles
Article :Browse 406   Download 236
Received:August 19, 2017    Revised:April 19, 2018
> 中文摘要: 为了保护云资源的安全,防止数据泄露和非授权访问,必须对云平台的资源访问实施访问控制.然而,目前主流云平台通常采用自己的安全策略语言和访问控制机制,从而造成两个问题:(1)云用户若要使用多个云平台,则需要学习不同的策略语言,分别编写安全策略;(2)云服务提供商需要自行设计符合自己平台的安全策略语言及访问控制机制,开发成本较高.对此,提出一种基于元模型的访问控制策略描述语言PML及其实施机制PML-EM.PML支持表达BLP、RBAC、ABAC等访问控制模型.PML-EM实现了3个性质:策略语言无关性、访问控制模型无关性和程序设计语言无关性,从而降低了用户编写策略的成本与云服务提供商开发访问控制机制的成本.在OpenStack云平台上实现了PML-EM机制.实验结果表明,PML策略支持从其他策略进行自动转换,在表达云中多租户场景时具有优势.性能方面,与OpenStack原有策略相比,PML策略的评估开销为4.8%.PML-EM机制的侵入性较小,与云平台原有代码相比增加约0.42%.
Abstract:In order to protect the cloud resources, access control mechanisms have to be established in the cloud. However, cloud platforms have tendency to design their own security policy languages and authorization mechanisms. It leads to two issues:(i) a cloud user has to learn different policy languages to customize the permissions for each cloud, and (ii) a cloud service provider has to design and implement the authorization mechanism from the beginning, which is a high development cost. In this work, a new access control policy specification language called PML is proposed to support expressing multiple access control models like BLP, RBAC, ABAC and important features like multi-tenants. An authorization framework called PML-EM is implemented on OpenStack to centralize the authorization. PML-EM is irrelative to policy languages, access control models and programming languages that implement the authorization module. Other policies like XACML policy and OpenStack policy can be automatically translated into PML, which facilitates the migration between the clouds that both support PML-EM. The experimental results indicate PML-EM has improved the flexibility of policy management from a tenant's perspective. And the performance overhead for policy evaluation is 4.8%, and the invasiveness is about 0.42%.
文章编号:     中图分类号:TP309    文献标志码:
基金项目:国家自然科学基金(61232005,61672062);国家高技术研究发展计划(863)(2015AA016009) 国家自然科学基金(61232005,61672062);国家高技术研究发展计划(863)(2015AA016009)
Foundation items:National Natural Science Foundation of China (61232005, 61672062); National High Technology Research and Development Program of China (863) (2015AA016009)
Reference text:


LUO Yang,SHEN Qing-Ni,WU Zhong-Hai.Access Control Policy Specification Language Based on Metamodel.Journal of Software,2020,31(2):439-454