计算机科学 ›› 2017, Vol. 44 ›› Issue (10): 150-158.doi: 10.11896/j.issn.1002-137X.2017.10.029
杜远志,杜学绘,杨智
DU Yuan-zhi, DU Xue-hui and YANG Zhi
摘要: 为确保云平台上虚拟机系统用户信息的安全,提出了一种基于混合流策略的按需分布式云信息流控制模型(Mixed Flow Policy Based On-demand Distributed Cloud Information Flow Control Model,MDIFC)。该模型以分布式信息流控制模型为基础,结合中国墙策略形成混合流策略,通过引入污点传播思想跟踪来敏感数据以实现策略,为用户数据提供更好的安全保障。为提高模型的灵活性,考虑到虚拟域行为更具主动性的特征,提出了“按需受控”的概念及与之相适应的“输出型机密性”。同时,通过按需受控显著地降低了污点传播造成的开销。利用π演算对模型规格进行形式化描述,并借助 PicNic工具证明模型的无干扰性。最后,通过一个应用示例说明了模型的实用性。
[1] FENG D G,ZHANG M,ZHANG Y,et al.Study on Cloud Computing Security[J].Journal of Software,2011,22(1):71-83.(in Chinese) 冯登国,张敏,张妍,等.云计算安全研究[J].软件学报,2011,22(1):71-83. [2] MYERS A C,LISKOV B.A decentralized model for information flow control[J].Acm Sigops Operating Systems Review,1997,31(5):129-142. [3] TUPAKULA U,VARADHARAJAN V.Trust Enhanced Security for Tenant Transactions in the Cloud Environment[J].Computer Journal,2014,58(10):2388-2403. [4] ZHANG H F,ZUO X D,LIU G.An Information Flow Security Control Method Based on Virtualization Technology[C]∥Information Security & Technology.China Center of Information Industry Development.Beijing,2013:46-49.(in Chinese) 张怀方,左晓栋,刘刚.基于虚拟化技术的信息流控制方法[C]∥2013中国信息安全技术大会(CISTC 2013).暨工业控制系统安全发展高峰论坛论文集.北京:中国电子信息产业发展研究院,2013:46-49. [5] PASQUIER J M,BACON J,EYERS D.FlowK:InformationFlow Control for the Cloud[C]∥International Conference on Cloud Computing Technology and Science,2014.2014:70-77. [6] PASQUIER J M,BACON J,SHAND B.FlowR:Aspect orien-ted programming for information flow control in ruby[C]∥ ACM International Conference on Modularity.2014:37-48. [7] BACON J,EYERS D,PASQUIER J M,et al.InformationFlow Control for Secure Cloud Computing[J].IEEE Transactions on Network & Service Management,2014,11(1):76-89. [8] BREWER D F C,NASH M J.The Chinese Wall S ecurity Policy [C]∥IEEE Symposium on Security and Privacy,1989.IEEE,1989:206-214. [9] LIN T Y.Chinese wall security policy-an aggressive model[C]∥Computer Security Applications Conference.1990:282-289. [10] GUPTA V.Chinese Wall Security Policy[D].San Jose:San Jose State University.2009. [11] KATSUNO Y,WATANABE Y,FURUICHI S,et al.Chinese-wall process confinement for practical distributed coalitions[C]∥ACM Symposium on Access Control MODELS and Technologies,Sophia Antipolis(SACMAT 2007).France,2007:225-234. [12] JAEGER T,SAILER R,SREENIVASAN Y.Managing the risk of covert information flows in virtual machine systems[C]∥ACM Symposium on Access Control MODELS and Technologies,Sophia Antipolis(SACMAT 2007).France,2007:81-90. [13] CHENG G,JIN H,ZOU D Q,et al.Chinese wall model based on dynamic alliance[J].Journal on Communications,2009,30(11):93-100.(in Chinese) 程戈,金海,邹德清,等.基于动态联盟关系的中国墙模型研究[J].通信学报,2009,30(11):93-100. [14] JIANG L,HE R Y,WEI Y F.Chinese Wall Model Based on Dynamic Divided-set[J].Computer Science,2015,42(1):159-163.(in Chinese) 姜路,鹤荣育,魏彦芬.基于动态分集的中国墙模型研究[J].计算机科学,2015,42(1):159-163. [15] YANG Z,YIN L H,DUAN M Y,et al.Generalized Taint Propa-gation Model for Access Control in Operation Systems[J].Journal of Software,2012,3(6):1602-1619.(in Chinese) 杨智,殷丽华,段洣毅,等.基于广义污点传播模型的操作系统访问控制[J].软件学报,2012,23(6):1602-1619. [16] MILNER R,PARROW J,WALKER D.A calculus of mobile processes,II[J].Information and Computation,1992,100(1):41-77. [17] MILNER R,PARROW J,WALKER D.Modal logics for mobile processes[J].Theoretical Computer Science,1993,114(1):149-171. [18] MILNER R.Communicating and mobile systems:the π-calculus[M].Cambridge University Press,1999. [19] MILNER R.Lectures on a calculus for communicating systems:Seminar on Concurrency[M].Springer Berlin Heidelberg.1985:197-220. [20] CRAFA S,MIO M,MICULAN M,et al.PicNIc-Pi-calculus non-interference checker[C]∥ International Conference on Application of Concurrency to System Design.2008:33-38. [21] CRAFA S,ROSSI S.P-congruences as non-interference for the pi-calculus[C]∥ACM Workshop on Formal Methods in Security Engineering(Fmse 2006).Alexandria,Va,USA,2006:13-22. [22] PASQUIER T F J M,BACON J,EYERS D.FlowK:Information Flow Control for the Cloud[C]∥ International Conference on Cloud Computing Technology and Science.2014:70-77. [23] Biba K J.Integrity Considerations for Secure Computer System.http://www.cerias.purdue.edu/apps/reports-and-papers/view/2834. |
No related articles found! |
|