Computer Science ›› 2015, Vol. 42 ›› Issue (12): 257-262.

• Information Security •

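Design and Implementation of Information Flow Control Framework for PaaS

SHAO Jing, CHEN Zuo-ning, YIN Hong-wu and XU Guo-chun

  1. PLA Information Engineering University, Zhengzhou 450001; Jiangnan Institute of Computing Technology, Wuxi 214083, Jiangnan Institute of Computing Technology, Wuxi 214083, Jiangnan Institute of Computing Technology, Wuxi 214083, Jiangnan Institute of Computing Technology, Wuxi 214083
  • Online: 2018-11-14 Published: 2018-11-14
  • Supported by:
    This work was supported by the Core Electronic Devices, High-end Generic Chips and Basic Software ("HeGaoJi") project (2013ZX01029002-001)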

Abstract: Decentralized information flow control (DIFC) is an effective method for end-to-end data protection. Existing DIFC methods have shortcomings, such as a single information flow control granularity and the need to modify the language runtime environment, so they cannot adequately meet the data security requirements of PaaS platforms. Based on GAE, the most typical PaaS cloud platform, an information flow control framework named GIFC is proposed, which combines three control granularities: object level, message level and SQL level. Within a component, a Python library controls the information interactions between the entities involved in the methods invoked on objects. Between components, message proxies filter messages according to their security labels, restricting the set of messages a component can receive. Between components and the database, the GAE data models are extended to support persistent storage of labels in the datastore. Experiments show that combining multiple IFC granularities effectively balances information flow control precision and runtime performance.

Key words: Google App Engine, Information flow control, Component, Python, Middleware

