计算机科学 ›› 2019, Vol. 46 ›› Issue (4): 189-196.doi: 10.11896/j.issn.1002-137X.2019.04.030

• 信息安全 • 上一篇    下一篇

基于依赖分析的云组合服务信息流控制机制

刘明聪1,2, 王娜1,2, 周宁3   

  1. 信息工程大学 郑州4500011
    河南省信息安全重点实验室 郑州4500012
    江南计算技术研究所 江苏 无锡2140833
  • 收稿日期:2018-03-02 出版日期:2019-04-15 发布日期:2019-04-23
  • 通讯作者: 王 娜(1980-),女,博士,副教授,主要研究方向为复杂系统环境下的信任管理,E-mail:twftina_w@126.com(通信作者)
  • 作者简介:刘明聪(1993-),男,硕士生,主要研究方向为云计算、信息流安全;周 宁(1978-),女,硕士,工程师,主要研究方向为信息安全。
  • 基金资助:
    本文受国家自然科学基金资助项目(61802436,61502531),国家863计划项目(2015AA016006),河南省自然科学基金项目(162300410334)资助。

Dependency Analysis Based Cloud Composition Service Information Flow Control Mechanism

LIU Ming-cong1,2, WANG Na1,2, ZHOU Ning3   

  1. Information Engineering University,Zhengzhou 450001,China1
    Henan Province Key Laboratory of Information Security,Zhengzhou 450001,China2
    Jiangnan Institute of Computing Technology,Wuxi,Jiangsu 214083,China3
  • Received:2018-03-02 Online:2019-04-15 Published:2019-04-23

摘要: 云组合服务可以为用户提供更加丰富的功能,但在业务流程中敏感信息可能流经多个云服务,必须实施信息流控制来防止信息的泄露或非授权访问。针对云组合服务的信息流安全问题,提出了一种基于依赖分析的信息流控制机制,通过数据间的依赖关系分析云组合服务中的信息流动,并使用安全标签进行信息流控制。首先,构建了复杂组合结构的云组合服务加权有向图模型,基于安全属性定义了云服务的属性证书、数据的机密性标签以及完整性标签;接着,提出了服务内部输入依赖与服务间资源依赖的概念,并给出了基于历史信息的运行时输入依赖与资源依赖计算方法;其次,根据依赖分析给出了输出数据安全标签算法,定义了组合信息流策略并设计了分布式的信息流控制机制,实现了复杂组合结构下云组合服务中信息流的机密性和完整性保护;最后,分析评估了机制的有效性与性能。

关键词: 安全标签, 服务组合, 数据依赖, 信息流, 云服务

Abstract: Cloud composition service can provide users with richer capabilities,but sensitive information may flow through multiple cloud services in business process,so information flow control must be implemented to prevent information leakage or unauthorized access.Aiming at the security problem of information flow in cloud composite service,this paper proposed a data flow control mechanism based on dependency analysis.The information flow in cloud composite service was analyzed by the dependency between data and the information flow was controlled by using security label.Firstly,a cloud composition service weighted directed graph model with complex combination structure is constructed.Based on the security attributes,the attribute certificate of cloud service,the confidentiality label and integrity label of data are defined,then the input dependencies between services and resource dependencies between services are proposed,and the input dependence and resource dependency computing method based on historical information are given.After that,the output data security label algorithm is given according to the dependency analysis, the compositional information flow policy is defined and the distributed information flow control mechanism is designed,realizing the confidentiality and integrity protection of information flow in cloud composition service under complex compositional structure.At last,an example is giventoanaylze the effectiveness and performance of the mechanism.

Key words: Cloud service, Data dependency, Information flow, Security label, Service composition

中图分类号: 

  • TP309
[1]MENG S M.Trusted Service Composition and Its Key Techno- logies in Cloud Environment[D].Nanjing:Nanjing University,2016.(in Chinese) 孟顺梅.云计算环境下可信服务组合及其关键技术研究[D].南京:南京大学,2016.
[2]JULA A,SUNDARARAJAN E,OTHMAN Z.Cloud computing service composition:A systematic literature review[J].Expert Systems with Applications,2014,41(8):3809-3824.
[3]XI N.A Study on Composable Information Flow Security Model and Approach[D].Xi’an:Xidian University,2014.(in Chinese) 习宁.可组合信息流安全验证模型及方法研究[D].西安:西安电子科技大学,2014.
[4]YU B.Research on Key Security Techniques of Web Service Composition[D].Changsha:National University of Defense Technology,2013.(in Chinese) 喻波.Web服务组合的关键安全技术研究[D].长沙:国防科学技术大学,2013.
[5]WANG Y D,YANG J H,XU C,et al.Survey on access control technologies for cloud computing[J].Journal of Software,2015,26(5):1129-1150.(in Chinese) 王于丁,杨家海,徐聪,等.云计算访问控制技术研究综述[J].软件学报,2015,26(5):1129-1150.
[6]BACON J,EYERS D,PASQUIER J M,et al.Information Flow Control for Secure Cloud Computing[J].IEEE Transactions on Network & Service Management,2014,11(1):76-89.
[7]SHE W,YEN I L,THURAISINGHAM B,et al.Security- Aware Service Composition with Fine-Grained Information Flow Control[J].IEEE Transactions on Services Computing,2013,6(3):330-343.
[8]HUTTER D,VOLKAMER M.Information Flow Control to Secure Dynamic Web Service Composition[J].Lecture Notes in Computer Science,2006,3934:196-210.
[9]SHE W,YEN I L,THURAISINGHAM B,et al.The SCIFC Model for Information Flow Control in Web Service Composition[C]∥IEEE International Conference on Web Services.Los Angeles:IEEE,2009:1-8.
[10]SHE W,YEN I L,THURAISINGHAM B,et al.Rule-based run-time information flow control in service cloud[C]∥2011 IEEE International Conference on Web Services (ICWS).Wa-shington,DC:IEEE,2011:524-531.
[11]YU B,YANG L,CHEN S,et al.An information flow control approach in composite services[C]∥In IET International Conference on Information and Communications Technologies.Beijing:IET,2013:263-269.
[12]XI N,SUN C,MA J,et al.Secure service composition with information flow control in service clouds[J].Future Generation Computer Systems,2015,49(C):142-148.
[13]SOLANKI N,HOFFMAN T,YEN I L,et al.An Access and Information Flow Control Paradigm for Secure Information Sharing in Service-Based Systems[C]∥2015 IEEE 39th Annual Computer Software and Applications Conference (COMPSAC).Taichung:IEEE,2015:60-67.
[14]PASQUIER T,BACON J,SINGH J,et al.Data-Centric Access Control for Cloud Computing[C]∥Symposium on Access Control Models and Technologies.Shanghai:ACM,2016:81-88.
[15]WANG L,LI F,LI L,et al.Principle and Practice of Taint Analysis[J].Journal of Software,2017,28(4):860-882.(in Chinese) 王蕾,李丰,李炼,等.污点分析技术的原理和实践应用[J].软件学报,2017,28(4):860-882.
[1] 梁剑, 何军辉.
基于宏块编码信息自适应置换的H.264/AVC视频加密方法
H.264/AVC Video Encryption Based on Adaptive Permutation of Macroblock Coding Information
计算机科学, 2022, 49(1): 314-320. https://doi.org/10.11896/jsjkx.201100089
[2] 姚娟, 邢镔, 曾骏, 文俊浩.
云制造服务组合研究综述
Survey on Cloud Manufacturing Service Composition
计算机科学, 2021, 48(7): 245-255. https://doi.org/10.11896/jsjkx.200800173
[3] 蒋慧敏, 蒋哲远.
企业云服务体系结构的参考模型与开发方法
Reference Model and Development Methodology for Enterprise Cloud Service Architecture
计算机科学, 2021, 48(2): 13-22. https://doi.org/10.11896/jsjkx.200300044
[4] 陆懿帆, 曹芮浩, 王俊丽, 闫春钢.
一种基于微服务的检察业务服务封装方法
Method of Encapsulating Procuratorate Affair Services Based on Microservices
计算机科学, 2021, 48(2): 33-40. https://doi.org/10.11896/jsjkx.191100152
[5] 王勤, 魏立斐, 刘纪海, 张蕾.
基于云服务器辅助的多方隐私交集计算协议
Private Set Intersection Protocols Among Multi-party with Cloud Server Aided
计算机科学, 2021, 48(10): 301-307. https://doi.org/10.11896/jsjkx.210300308
[6] 高子妍, 王勇.
面向云服务的分布式消息系统负载均衡策略
Load Balancing Strategy of Distributed Messaging System for Cloud Services
计算机科学, 2020, 47(6A): 318-324. https://doi.org/10.11896/JsJkx.191100012
[7] 范国栋,祝铭,李静,崔晓柳.
基于FAHP与规划图融合的Web服务组合方法
Web Service Composition by Combining FAHP and Graphplan
计算机科学, 2020, 47(1): 270-275. https://doi.org/10.11896/jsjkx.181102228
[8] 贾志淳, 李想, 于湛麟, 卢元, 邢星.
基于二阶隐马尔科夫模型的云服务QoS满意度预测
QoS Satisfaction Prediction of Cloud Service Based on Second Order Hidden Markov Model
计算机科学, 2019, 46(9): 321-324. https://doi.org/10.11896/j.issn.1002-137X.2019.09.049
[9] 王雪健, 赵国磊, 常朝稳, 王瑞云.
信息流格模型的非法流分析
Illegal Flow Analysis for Lattice Model of Information Flow
计算机科学, 2019, 46(2): 139-144. https://doi.org/10.11896/j.issn.1002-137X.2019.02.022
[10] 鲁城华, 寇纪淞.
求解Web服务组合QoS优化的多属性决策及自适应遗传算法
Multi-attribute Decision Making and Adaptive Genetic Algorithm for Solving QoS Optimization of Web Service Composition
计算机科学, 2019, 46(2): 187-195. https://doi.org/10.11896/j.issn.1002-137X.2019.02.029
[11] 项英倬, 魏强, 游凌.
一种基于通联数据的信息扩散路径推测算法
Information Diffusion Path Inferring Algorithm Based on Communication Data
计算机科学, 2019, 46(10): 116-121. https://doi.org/10.11896/jsjkx.180901759
[12] 周女琪, 周宇.
基于概率模型检测的Web服务组合多目标验证
Multi-objective Verification of Web Service Composition Based on Probabilistic Model Checking
计算机科学, 2018, 45(8): 288-294. https://doi.org/10.11896/j.issn.1002-137X.2018.08.052
[13] 朱浩,陈建平.
软件系统的可信降密述评
Review of Trust Declassification for Software System
计算机科学, 2018, 45(6A): 36-40.
[14] 范艳芳.
协作环境下的时空约束强制访问控制模型
Temporal-Spatial-based Mandatory Access Control Model in Collaborative Environment
计算机科学, 2017, 44(8): 107-114. https://doi.org/10.11896/j.issn.1002-137X.2017.08.020
[15] 丁丽丽,李雁冰,张素平,王鹏翔,张庆花.
分支嵌套循环的自动并行化研究
Auto-parallelization Research Based on Branch Nested Loops
计算机科学, 2017, 44(5): 14-19. https://doi.org/10.11896/j.issn.1002-137X.2017.05.003
Viewed
Full text


Abstract

Cited

  Shared   
  Discussed   
No Suggested Reading articles found!