支持动态策略变化的ABAC决策回收

计算机与现代化 ›› 2022, Vol. 0 ›› Issue (10): 47-54.

支持动态策略变化的ABAC决策回收

(新疆大学数学与系统科学学院，新疆乌鲁木齐830046)

出版日期:2022-10-20 发布日期:2022-10-21
作者简介:古丽博斯坦·阿克木(1998—)，女（维吾尔族），新疆库尔勒人，硕士研究生，研究方向：访问控制，E-mail: 807497551@qq.com; 通信作者：努尔买买提·黑力力(1976—)，男(维吾尔族)，新疆库车人，教授，博士，研究方向：信息系统安全，访问控制，云存储安全，E-mail: nur924@sina.com。
基金资助:
国家自然科学基金资助项目(61862059, 61562085)

ABAC Decision Recycling with Dynamic Policy Change

(College of Mathematics and System Science, Xinjiang University, Urumqi 830046, China)

Online:2022-10-20 Published:2022-10-21

摘要/Abstract

摘要： 基于属性的访问控制(Attribute-Based Access Control, ABAC)因其灵活、表达能力丰富等特性，成为最常见的访问控制模型之一。然而，ABAC的策略决策点(Policy Decision Point, PDP)繁琐的策略查询任务以及PDP与策略执行点(Policy Enforcement Point, PEP)之间的网络通信影响其访问控制决策的效率。访问控制决策结果的回收利用是解决以上问题的有效方法之一。本文提出一种支持访问控制策略动态变化的、带策略的ABAC访问控制决策结果的回收利用方案。方案针对ABAC的3种变体模型给出如何创建和更新访问控制决策结果的缓存、如何由缓存内容进行精确和近似的访问控制决策。最终，通过原型系统对方案的可行性和有效性进行实验验证，实验结果显示本文提出的方法一定程度上能降低系统的访问控制决策时间并减少PDP的工作负荷。

关键词: 基于属性的访问控制, 封闭世界策略, 开放世界策略, 混合策略, 决策回收

Abstract: Attribute-based access control (ABAC) becomes one of the most prominent access control models, as it is flexible and highly expressive. However, in ABAC, the burdened policy query tasks of policy decision point (PDP) and the communication between the PDP and policy enforcement point (PEP) affect the efficiency of access control decision making. Recycling of access control decision results is an effective solution for the above problem. This paper proposes an approach of access control decision recycling for ABAC, which supports dynamic policy change, with policy recycling. The presented approach specifies how to create and update the cache of the access control decision and how to make precise and approximate access control decisions based on the contents of the cache. Finally, we verify the feasibility and effectiveness of the approach by a prototype system test. Test results show that the presented approach can shorten the decision time of the access control system and reduce the burden of the PDP.

Key words: attribute-based access control, closed-world policy, open-world policy, hybrid policy, decision recycling

古丽博斯坦·阿克木, 努尔买买提·黑力力. 支持动态策略变化的ABAC决策回收[J]. 计算机与现代化, 2022, 0(10): 47-54.

Gulbostan Akim, Nurmamat Helil. ABAC Decision Recycling with Dynamic Policy Change[J]. Computer and Modernization, 2022, 0(10): 47-54.

参考文献

［1］ SANDHU R S, SAMARATI P. Access control: Principle and practice［J］. IEEE Communications Magazine, 1994,32(9):40-48.
［2］ SANDHU R S, COYNE E J, FEINSTEIN H L, et al. Role-based access control models［J］. Computer, 1996,29(2):38-47.
［3］ FERRAIOLO D F, SANDHU R S, GAVRILA S, et al. Proposed NIST standard for role-based access control［J］. ACM Transactions on Information and System Security, 2001,4(3):224-274.
［4］房梁,殷丽华,郭云川,等. 基于属性的访问控制关键技术研究综述［J］. 计算机学报, 2017,40(7):1680-1698.
［5］ KUHN D R, COYNE E J, WEIL T R. Adding attributes to role-based access control［J］. Computer, 2010,43(6):79-81.
［6］ CRAMPTON J, WILLIAMS C. Attribute expressions, policy tables and attribute-based access control［C］// Proceedings of the 22nd ACM on Symposium on Access Control Models and Technologies. 2017:79-90.
［7］ WEI Q, RIPEANU M, BEZNOSOV K. Authorization using the publish-subscribe model［C］// Proceedings of the 2008 IEEE International Symposium on Parallel and Distributed Processing with Applications. 2008:53-62.
［8］ KINI P, BEZNOSOV K. Speculative authorization［J］. IEEE Transactions on Parallel and Distributed Systems, 2013,24(4):814-824.
［9］程相然,陈性元,张斌,等. 基于属性的访问控制策略模型［J］. 计算机工程, 2010,36(15):131-133.
［10］周加根,叶春晓,罗娟. ABAC策略语义表示和决策方法［J］. 计算机工程与应用, 2013,49(23):56-62.
［11］FERRAIOLO D, GAVRILA S, KATWALA G. A system for centralized ABAC policy administration and local ABAC policy decision and enforcement in host systems using access control lists［C］// Proceedings of the 3rd ACM Workshop on Attribute-Based Access Control. 2018:35-42.
［12］钟子超. ABAC安全策略的优化研究［D］. 西安:西安电子科技大学, 2019.
［13］MOLLOY I, DICKENS L, MORISSET C, et al. Risk-based security decisions under uncertainty［C］// Proceedings of the 2nd ACM Conference on Data and Application Security and Privacy. 2012:157-168.
［14］SONG L H, LI M C, ZHU Z K, et al. Attribute-based access control using smart contracts for the Internet of things［J］. Procedia Computer Science, 2020,174:231-242.
［15］IYER P, MASOUMZADEH A. Mining positive and negative attribute-based access control policy rules［C］// Proceedings of the 23rd ACM on Symposium on Access Control Models and Technologies. 2018:161-172.
［16］DAS S, SURAL S, VAIDYA J, et al. Policy adaptation in hierarchical attribute-based access control systems［J］. ACM Transactions on Internet Technology, 2019,19(3). DOI: 10.1145/3323233.
［17］〖JP+2〗BEZNOSOV K. Flooding and recycling authorizations［C］// Proceedings of the 2005 Workshop on New Security Paradigm. 2005:67-72.
［18］BEZNOSOV K. Recycling authorizations: Toward secondary and approximate authorizations model (SAAM)［R］. University of British Columbia, 2005.
［19］CRAMPTON J, LEUNG W, BEZNOSOV K. The secondary and approximate authorization model and its application to Bell-LaPadula policies［C］// Proceedings of the 11th ACM Symposium on Access Control Models and Technologies. 2006:111-120.
［20］REEJA S L. Role based access control mechanism in cloud computing using co-operative secondary authorization recycling method［J］. International Journal of Emerging Technology and Advanced Engineering, 2012,2(10):444-450.
［21］陈阳,赵琛,窦燕,等. 基于角色访问控制模型的缓存机制研究［J］. 计算机工程, 2006,32(12):142-144.
［22］WEI Q, RIPEANU M, BEZNOSOV K. Cooperative secondary authorization recycling［C］// Proceedings of the 16th International Symposium on High Performance Distributed Computing. 2007:65-74.
［23］WEI Q, CRAMPTON J, BEZNOSOV K, et al. Authorization recycling in RBAC systems［C］// Proceedings of the 13th ACM Symposium on Access Control Models and Technologies. 2008:63-72.
［24］KOHLER M, BRUCKER A D. Access control caching strategies: An empirical evaluation［C］// Proceedings of the 6th International Workshop on Security Measurements and Metrics. 2010:57-64.
［25］YASEEN Q, ALTHEBYAN Q, JARARWEH Y. PEP-side caching: An insider threat port［C］// Proceedings of the 2013 IEEE 14th International Conference on Information Reuse & Integration (IRI). 2013:137-144.
［26］HU V, FERRAIOLO D, KUHN D R, et al. Guide to attribute based access control (ABAC) denition and considerations［R］. National Institute of Standards and Technology, 2014.
［27］OASIS. The extensible access control markup language (XACML) version 3.0 plus Errata 01［DB/OL］. (2017-07-12)［2021-11-22］. http://docs.oasis-open.org/xacml/3.0/errata01/os/xacml-3.0-core-spec-errata01-os-complete.html.
［28］韩舒艳,努尔买买提·黑力力. 选择性隐藏树型访问结构的CP-ABE方案［J］. 计算机工程, 2020,46(7):150-158.