基于Graphplan的ARBAC策略安全分析方法

32520095CHINESEJOURNALOFCOMPUTERSVol.32No.5May2009:20080423;:20090404.(60773201).,,1978,,,.Email:liuqiangfei@tom.com.,,1945,,,.,,1977,,.GraphplanARBAC刘强1),2)姜云飞1)饶东宁1)1)(510275)2)(CIMS510006).,.,,,,ARBAC.,(Graphplan),NooP,,ARBAC.,.;;;TP309DOI:10.3724/SP.J.1016.2009.00910SafetyAnalysisofARBACPolicyBasedonGraphplanLIUQiang1),2)JIANGYunFei1)RAODongNing1)1)(SoftwareResearchInstitute,SchoolofInformationScienceandTechnology,SunYatSenUniversity,Guangzhou510275)2)(CIMSLaboratory,FacultyofElectromechanicalEngineering,GongdongUniversityofTechnology,Guangzhou510006)AbstractSafetyanalysisistheprerequisitemechanismfordistributedaccesscontrolsystem.GraphplantheorywasimportedtoperformsafetyanalysisonthoseaccesscontrolsystemwhichsupportrolehierarchyandStaticMutualExclusionRoles(SMER).Acompleteresolutionforthereachabilityproblems,aprincipalsafetyanalysisproblem,isplannedanddesigned.Firstly,adescriptionmodelusingplanninglanguageissetup,virtualactionisputforwardtoexpresstheinheritancerelationbetweenroles,andSMERsistransformedtodomainconstraints.Secondly,tosettlethenegativepredicateproblemandopenworldassumptionproblem,domainaxiomisemployed.ThentheGraphplanarithmeticismodifiedbytrimming!NooP∀actionsandrelativepredicatesfromplangraphusingthoseaxioms.Basedontheamendedarithmetic,thecorrespondingexperimentsystemisdeveloped.Atlast,aapplicationcaseoftheanalysisprocessisillustrated.Keywordsrolebasedaccesscontrol;policy;securityanalysis;graphplan1.(RoleBasedAccessControl,RBAC).RBACFerraioloKuhn1992[1],,Sandhu###RBAC96[2]ARBAC97[3].ARBAC973:URA;RRA;PRA.(policy)RBAC,,:(1)(RBACpolicy),;(2)(ARBACpolicy),,..ARBAC97,3:.URAcan_assign(SSO,DIR∃PL,DRC),SSO,,DIR∃PL(X(X),X,∃%),DRC,.:(DIR)(PL)(DRC).,,,,.,ARBAC97,(delegation)(trusted),.,,,,,.,.(safetyanalysis)Harrison[4],,,,.,,,,.LiRBAC96,(securityanalysis)[56],:(simplesafety),,(reachablility)(simpleavailability)(boundedsafety)(liveness)(mutualexclusion)(containment),.,.,,.ARBAC,,,.MunawerSandhu(AugmentedTypedAccessMatrix,ATAM)RBAC,,RBAC96[7].,Li[6]:ATAMRBAC96,,.Li:AATU(AssignmentAndTrustedUsers)(coNPHard),AATU,AAR(AssignmentAndRevocation)coNPComplete,AAR.,PRA97,()(),[8].[4][8],,.,ARBACARBAC,.Sasturkar[9],ARBAC(),,()PSPACEComplete.,(),.[9]:,.,,,9115:GraphplanARBAC.[9],,ARBAC.:(1).ARBAC.(2),,,.2,3,4,5.221ARBAC97ARBAC97,,PRA97;URA97;RRA97.RBAC96ARBAC97[3].1.U,R,P,S,AR,CR(X(X),X,∃%),2R.UAU&R,.PAR&P,.RHR&R,.URA97.2.can_assignAR&CR&2R,,ARCR2R.3.can_revokeAR&2R,/,AR2R.RRA,r1!r2r2r1,:r2r1,r1r2.RRA.(StaticMutuallyExclusiveRoles,SMER)RBAC96,,.2.21.UA/RH.RBAC96,UAPA,RH.,UA/RHPA/RH,,UA/RH.2.RH.,RH,,RH,RH,.3..,,ARBAC.,,ARBAC,,,,.,,can_assign(EDSO,ENG,DIR),ENGDIR.4..[9],.2.34(RBAC).RBACs={UA,RH},UA,RH.5(RBAC).RBAC={S,A,},,SRBAC;A,ARBACRH;:S&A=S,,,a.6(UR).UA/RH,s0sg,sg∀q,#sg(s0asg)%(sg∀q),q.,.7(UR).UA/RH9122009,s0,sg,sg∀q,∃sg((s0asg)∋(sg∀q)).q.,.,URUR,,UR.UR,s0sg,.8().P={,s0,sg},,s0,;sg,.!,,s0a!sg,!.UR8.33.13.1.1,,.,.9(RBAC).playRole(u,r)ur,ownPerm(r,p)rp,getPerm(u,p)p.,u(U,p(P,r(R.unplayRole(u,r),unownPerm(r,p),ungetPerm(u,p).unplayRole(u,r),unownPerm(r,p),ungetPerm(u,p)un,unun.(DomainAxiom,DA):playRole(u,r)%ownPerm(r,p)∋getPerm(u,p)(DA1),UR,playRoleunplayRole.,:1..2.SMER,.3.,ARBAC.4.,.5.,.1~3,4,5.1,..19135:GraphplanARBAC3.1.2ARBAC(OpenWorldAssumption,OWA);.can_assign(PSO,NPPJ%(ECE)%(PSE)%(BOME),QCE)NPPJPSEECEBOME,PSOQCE,,.,ECEECE,ECE.:NPPJECEPSEBOME,,;NPPJECEPSEBOME,NPPL,,.,STRIPS[10](CloseWorldAssumption,CWA),.PDDL[11]OWA[12],OWA,STRIPS.,PE,:(1).R,CWA,can_assign(PSO,NPPJ%(ECE)%(PSE)%(BOME),QCE)can_assign(PSO,NPPJ,QCE).,NPPJECE,.,R,.(2).R,,can_assign(PSO,NPPJ%(ECE)%(PSE)%(BOME),QCE),ECEECE,NPPJNPPL,,((ECE)%(PSE)%(BOME)),.,.:RunplayRole(u,R),playRole(u,R)unplayRole(u,R),,:playRole(u,r)%unplayRole(u,r)(DA2)3.210()...,,.,UA/RH,playRole(u,Rs),playRole(u,Rf),Rs,Rf.1ENG∋ED∋E,VAssign1VAssign2,2.VAssign1VAssign2,un,2VAssign3VAssign4.2:,,,.3.3SMER,,,[3],,.,.1,DRPDIR,:(playRole(u,DIR),playRole(u,DRP));(playRole(u,PDIR),playRole(u,DRP)).2,,un,(playRole(u,DIR),unplayRole(u,DIR)).3.43233,9142009,,:1.CR,N.2..3.2R|2R|playRole(),2,(|2R|&N).4.,.,.1,can_assign(EDSO,ENG,(PE,QE))revoke(EDSO,ENG),,3.Revoke,,.2,unplayRole(u,E)playRole(u,E)().33.5:RBAC,,;R0,Rg.,ARBACRH,###,?.,().,,,.,2,,un,;,,.36K,,(2&K),,K&(K-1),O(K2).MARBAC,max(|2R|)&n&M,max(|2R|)ARBAC,∀=max(|2R|),n,O(∀&n&M).,.,(2&K)(K&(K-1)+∀&n&M).44.1BlumFurst1995[13],(domainindependent).(planninggraph),.(propositionlevels)(actionlevels),,.,.(phases):(graphexpansion)(solutionextraction).,.(NoOperation,NooP),,.,,,:(1)(InconsistentEffects):.(2)(Interference):9155:GraphplanARBAC.(3)(competingneeds):.3:(1):.(2):.(3):.12,;3,.,[14],,,,.(FixedPoint),.,,.4.23,.1..:3334,Revoke,2,Revokeun..2.12.:,un,2,,1,3,.3.2.:1,,,2.4.3,.K,un,K(un),,,.,un,un.,!un∀,,DA2.4,5.4,unR,R,NooPun,4),NooP.5unNooP,,DA2un,4∗,DA2.,DA2NooP,?4DA21.DA2NooP,.证明.DA2NooP.1.LayjR.,R(NooPLayj),,unR.NooP,unRNooP91620095ActionjLayj.,DA2,LayjunR.,:NooP,DA2unR,unR,?2,NooP3.3,NooP3(R,unR).R,3,,3,,NooPunR3.((unR,R)),.,NooPunR,DA2.,1,DA2NooP.2.LayjR.R,unR,NooPunRNooPLayj.,DA2unR.DA2NooP.R,,4,NooP,unRLay0,NooPLayj,Layj+1Actionj.DA2,