Research On Process-consistent Access Control System

Access control is the foundation of system security. And it is an important content in the construction of information system classified protection. In the process of the construction of information system classified protection, many protective equipment and protective measures are introduced to protect the system’s security. However, because of the equipment and the measures are often fragmented and without considering the correlation between each other, the inconsistent problem such as conflict and omissions in access control appears easily. At the same time, in the multi-system interconnection environment, due to lack of effective coordination mechanism among the systems, illegal information flow caused by the cross system access control often appears.In order to solve the above inconsistency problem in system and cross system, this paper presents the process-consistent access control architecture based on the thought of semantic consistency of policy, information flow consistency and execution consistency of policy. This architecture integrated the mechanisms of semantic consistency in policy, the cross system access control model of information flow and the consistency safeguard mechanism of access control organic based on the technology of trusted computing. With the complement of each other, these mechanisms can effectively solve the inconsistency problem of access control system.The mechanism of semantic consistency in policy mainly used to solve the inconsistency problem of access control in the classification system. This mechanism gives full consideration to the relationship between the access control nodes. Based on the building of semantic model of policy, it can discover and solve the inconsistency problems for the reason of relevance in nodes with the technology of consistency detection and inconsistency solving.The cross system access control model is mainly to solve the inconsistent problems across the access control system. This model formulates the corresponding access control rules for cross system access based on the semantic consistency in systems. These rules can prevent effectively the illegal information flow caused by the cross system access.The consistency safeguard mechanism of access control is based on the technology of trusted computing. It can effectively protect the safety of TCB and the context of access control with the trusted pipeline and the model of TCB expansion. Then it realizes the safety of policy executing in the whole system.Specifically, the main work of this paper includes the following aspects:(1)To solve the consistency problems of access control in information system and multi-systems, this paper analyzes the existing problems in the process of implementation of the current security system problem and presents the security requirements of the process-consistent access control systems. With the security requirements, the architecture of process-consistent access control systems is presented. This architecture effectively combines the consistency realization mechanism of access control policy based on semantic, the access control model of cross system and the consistency safeguard mechanism of access control based on trusted computing. And it can solve the consistency problems in classification systems, on the condition of cross system and on the running of access control.(2)According to the inconsistency problem in classification system and from the point of view of the integration of different node access control policy, this paper implements the unified description of access control policy in grammar about the DAC and MAC based on the access control of attribute. In order to describe the semantic association of different access control nodes, the ontology theory is introduced. Then the semantic model of access control of information system is proposed and the method for building ontology knowledge base is give. Based on the semantic model and the ontology knowledge base, some detecting rules of internal inconsistency in similar node set and external constraint inconsistency between similar node sets are proposed. The use of these rules can effectively discover and solve the problem of information system access control policy inconsistencies in semantic level.(3)To solve the inconsistency problem in the process of cross system access, a MBLP access control model of dynamic multi label is proposed with the extension of BLP model based on the full analysis of the inconsistency reasons of the cross system access control. The model follows the consistency rules of authorization and information flow. Firstly, through the method of multi ontology integration this model integrates the local ontology of systems and authorizes the cross system access based on the rules of authorization consistency. Then according to consistency principle of information flow, a safety access control rules for blocking illegal access control information flow are proposed with the technology of dynamic multi labels. The model has fully considered the security problems of access control in cross system and has been proved safe with formal method. At the same time, after the integrity label is introduced, the multi label method of this model is also applicable to solve the integrity problems of system.(4)To solve inconsistent problems on the execution of access control policy and based on the technology of trusted computing, the related concepts, properties and construction mechanism of trusted pipeline are proposed with the analysis of the shortcomings of traditional cryptography. Based on the trusted pipeline, an extended model of TCB is proposed. Through the vertical and horizontal extension, this model achieves the security of the TCB in terminal and realizes the trusting and security of TCB interoperability in the whole system. It provides the effective security for the access control in the classified protection system or the cross system.(5)In order to implement the process-consistent access control system and the related mechanism, the system structure and working process are given. And the structure and working process of security management center and trust boundary gateway is presented. The unified description method of policy based on XACML, the ontology knowledge representation and reasoning technology based on OWL and the implementation technique of trusted pipeline based on trusted computing are proposed. The structure and implementation technique meets the implementation requirement of process-consistent access control system and related mechanism and has good practical guiding for the construction of the process-consistent access control system.