
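An Improved Method to Enforce the BLP Model and Its Variations in Role-Based Access Control
Cite this article: LIANG Bin, SUN Yu-Fang, SHI Wen-Chang, SUN Bo. An Improved Method to Enforce BLP Model and Its Variations in Role-Based Access Control[J]. Chinese Journal of Computers, 2004, 27(5): 636-644.
Authors: LIANG Bin, SUN Yu-Fang, SHI Wen-Chang, SUN Bo
Affiliations: Institute of Software, Chinese Academy of Sciences, Beijing 100080; State Key Laboratory of Information Security, Beijing 100080
Funding: Supported by the National "863" High-Tech Research and Development Program of China (2002AA141080), the National Natural Science Foundation of China (60073022, 60373054), and the Knowledge Innovation Program of the Chinese Academy of Sciences (KGCX109)
Abstract: This paper points out that the method proposed by Sandhu et al. for enforcing mandatory access control (MAC) policies with role-based access control (RBAC) contains errors, such as denial of service (DoS) and the granting of excessive privileges to subjects, and that it lacks sufficient support for the classical BLP model. To address this, the authors propose an improved method, the ISandhu method, which introduces assistant role hierarchies, strengthens the relations between roles, and provides support for the concept of trusted subjects. The method corrects the errors of the original method and enforces the classical BLP model and its variations in RBAC to meet practical requirements. It guarantees the correct enforcement of mandatory access control policies and provides a theoretical basis for introducing mandatory access control into a large number of commercial systems at low cost.

Keywords: BLP model; ISandhu method; assistant role hierarchy; BLP model; mandatory access control policy; access control; RBAC; information security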

An Improved Method to Enforce BLP Model and Its Variations in Role-Based Access Control
LIANG Bin, SUN Yu-Fang, SHI Wen-Chang, SUN Bo. An Improved Method to Enforce BLP Model and Its Variations in Role-Based Access Control[J]. Chinese Journal of Computers, 2004, 27(5): 636-644.
Authors: LIANG Bin, SUN Yu-Fang, SHI Wen-Chang, SUN Bo
Abstract: The existing classical method of enforcing the BLP model in the role-based access control (RBAC) model, presented by Sandhu et al., is studied and analyzed. Several errors in it are revealed, such as denial of service and the granting of excessive privileges to subjects. In addition, it lacks sufficient support for the classical BLP model. An improved method, called the ISandhu method, is presented; it introduces assistant role hierarchies, strengthens role relations, and provides support for the notion of trusted subject. Based on this method, the mistakes of the original method are corrected, and the classical BLP model and some of its variations are enforced in RBAC to meet practical requirements. As a result, the exact enforcement of mandatory access control (MAC) in RBAC is guaranteed, and a theoretical foundation is offered for adopting MAC in a large number of commercial systems at small cost.
Keywords: role-based access control; BLP model; mandatory access control; role hierarchy; trusted subject
This article is indexed in CNKI, VIP, Wanfang Data, and other databases.