计算机应用 ›› 2011, Vol. 31 ›› Issue (01): 115-117.

• 信息安全 • 上一篇    下一篇

隐私安全策略中的变更影响分析

王强1,刘峤1,秦志光2   

  1. 1. 电子科技大学
    2. 电子科技大学计算机科学与工程学院
  • 收稿日期:2010-06-30 修回日期:2010-08-13 发布日期:2011-01-12 出版日期:2011-01-01
  • 通讯作者: 王强

Change impact analysis in authorization policies

  • Received:2010-06-30 Revised:2010-08-13 Online:2011-01-12 Published:2011-01-01
  • Contact: Qiang Wang

摘要: 为了解决Web分布式系统中的隐私安全策略在制定和变更中的错误很难被发现的问题,提出了策略变更中各种情况的相应变更影响分析算法。对以可扩展访问控制标记语言(XACML)为代表的隐私安全策略语言中的变更理论进行了研究,定义了变更分析中的相关概念,通过把策略中的字符串元素转化成对应整数值建立一个优化的树形数据结构,利用树的特征分析变更后果。这使得一个管理员可以在正式应用策略变更前检验即将实施的变更是否符合自己的真正意图,从而大大增强系统安全性。最后实现了一个原型系统,并可以应用到其他标准策略语言。

关键词: XACML, 隐私安全策略, 变更影响分析, 树形结构

Abstract: Due to the lack of tools for analyzing policies, most authorization policies on the Internet have been plagued with policy errors. A policy error either creates security holes that will compromise the security of IT system. A major source of policy errors stem from policy changes. Authorization policies often need to be changed as networks evolve and new requests emerge. The theory and algorithms for authorization policy change-impact analysis are presented. Algorithms in this paper take as input an authorization policy and a proposed change, then output the accurate impact of the change. Thus, an administrator can verify a proposed change before committing it. A prototype was built to demonstrate the use of the algorithms.

Key words: XACML, Authorization Policy, Change Impact Analysis, Tree Structure