计算机科学 ›› 2017, Vol. 44 ›› Issue (10): 150-158.doi: 10.11896/j.issn.1002-137X.2017.10.029

• 信息安全 • 上一篇    下一篇

基于混合流策略的按需分布式云信息流控制模型

杜远志,杜学绘,杨智   

  1. 中国人民解放军信息工程大学四院 郑州450001河南省信息安全重点实验室 郑州450001数学工程与先进计算国家重点实验室 郑州450001,中国人民解放军信息工程大学四院 郑州450001河南省信息安全重点实验室 郑州450001数学工程与先进计算国家重点实验室 郑州450001,中国人民解放军信息工程大学四院 郑州450001河南省信息安全重点实验室 郑州450001数学工程与先进计算国家重点实验室 郑州450001
  • 出版日期:2018-12-01 发布日期:2018-12-01
  • 基金资助:
    本文受基于多维控制的云计算信息流追责、管控技术(863)(2015AA016006),国家重点研发计划项目:协同精密定位总体架构与服务平台设计(2016FYB0501901)资助

Mixed Flow Policy Based On-demand Distributed Cloud Information Flow Control Model

DU Yuan-zhi, DU Xue-hui and YANG Zhi   

  • Online:2018-12-01 Published:2018-12-01

摘要: 为确保云平台上虚拟机系统用户信息的安全,提出了一种基于混合流策略的按需分布式云信息流控制模型(Mixed Flow Policy Based On-demand Distributed Cloud Information Flow Control Model,MDIFC)。该模型以分布式信息流控制模型为基础,结合中国墙策略形成混合流策略,通过引入污点传播思想跟踪来敏感数据以实现策略,为用户数据提供更好的安全保障。为提高模型的灵活性,考虑到虚拟域行为更具主动性的特征,提出了“按需受控”的概念及与之相适应的“输出型机密性”。同时,通过按需受控显著地降低了污点传播造成的开销。利用π演算对模型规格进行形式化描述,并借助 PicNic工具证明模型的无干扰性。最后,通过一个应用示例说明了模型的实用性。

关键词: 云计算,信息流控制,按需污点传播,中国墙策略,π演算

Abstract: In order to protect the security of user information in virtual machine on the cloud platform,this paper proposed a mixed flow control based on-demand distributed information flow control model (MDIFC).This model deve-lopes from DIFC,and the taint propagation is introduced to track the sensitive data so that the system can enforce the strategy and the user data can be protected better.In order to improve the flexibility of the model,considering the initiative of virtual domains,the concept of on-demand controlled and output classification were proposed.The model can reduce the workload result from taint propagation at the same time.This paper introduced its specification using π calculus and proved the security property of noninterference of MDIFC system with PicNic tool.Finally,this paper used an example to demonstrate of MDIFC.

Key words: Cloud computing,Information flow control,On-demand taint propagation,Chinese wall policy,π calculus

[1] FENG D G,ZHANG M,ZHANG Y,et al.Study on Cloud Computing Security[J].Journal of Software,2011,22(1):71-83.(in Chinese) 冯登国,张敏,张妍,等.云计算安全研究[J].软件学报,2011,22(1):71-83.
[2] MYERS A C,LISKOV B.A decentralized model for information flow control[J].Acm Sigops Operating Systems Review,1997,31(5):129-142.
[3] TUPAKULA U,VARADHARAJAN V.Trust Enhanced Security for Tenant Transactions in the Cloud Environment[J].Computer Journal,2014,58(10):2388-2403.
[4] ZHANG H F,ZUO X D,LIU G.An Information Flow Security Control Method Based on Virtualization Technology[C]∥Information Security & Technology.China Center of Information Industry Development.Beijing,2013:46-49.(in Chinese) 张怀方,左晓栋,刘刚.基于虚拟化技术的信息流控制方法[C]∥2013中国信息安全技术大会(CISTC 2013).暨工业控制系统安全发展高峰论坛论文集.北京:中国电子信息产业发展研究院,2013:46-49.
[5] PASQUIER J M,BACON J,EYERS D.FlowK:InformationFlow Control for the Cloud[C]∥International Conference on Cloud Computing Technology and Science,2014.2014:70-77.
[6] PASQUIER J M,BACON J,SHAND B.FlowR:Aspect orien-ted programming for information flow control in ruby[C]∥ ACM International Conference on Modularity.2014:37-48.
[7] BACON J,EYERS D,PASQUIER J M,et al.InformationFlow Control for Secure Cloud Computing[J].IEEE Transactions on Network & Service Management,2014,11(1):76-89.
[8] BREWER D F C,NASH M J.The Chinese Wall S ecurity Policy [C]∥IEEE Symposium on Security and Privacy,1989.IEEE,1989:206-214.
[9] LIN T Y.Chinese wall security policy-an aggressive model[C]∥Computer Security Applications Conference.1990:282-289.
[10] GUPTA V.Chinese Wall Security Policy[D].San Jose:San Jose State University.2009.
[11] KATSUNO Y,WATANABE Y,FURUICHI S,et al.Chinese-wall process confinement for practical distributed coalitions[C]∥ACM Symposium on Access Control MODELS and Technologies,Sophia Antipolis(SACMAT 2007).France,2007:225-234.
[12] JAEGER T,SAILER R,SREENIVASAN Y.Managing the risk of covert information flows in virtual machine systems[C]∥ACM Symposium on Access Control MODELS and Technologies,Sophia Antipolis(SACMAT 2007).France,2007:81-90.
[13] CHENG G,JIN H,ZOU D Q,et al.Chinese wall model based on dynamic alliance[J].Journal on Communications,2009,30(11):93-100.(in Chinese) 程戈,金海,邹德清,等.基于动态联盟关系的中国墙模型研究[J].通信学报,2009,30(11):93-100.
[14] JIANG L,HE R Y,WEI Y F.Chinese Wall Model Based on Dynamic Divided-set[J].Computer Science,2015,42(1):159-163.(in Chinese) 姜路,鹤荣育,魏彦芬.基于动态分集的中国墙模型研究[J].计算机科学,2015,42(1):159-163.
[15] YANG Z,YIN L H,DUAN M Y,et al.Generalized Taint Propa-gation Model for Access Control in Operation Systems[J].Journal of Software,2012,3(6):1602-1619.(in Chinese) 杨智,殷丽华,段洣毅,等.基于广义污点传播模型的操作系统访问控制[J].软件学报,2012,23(6):1602-1619.
[16] MILNER R,PARROW J,WALKER D.A calculus of mobile processes,II[J].Information and Computation,1992,100(1):41-77.
[17] MILNER R,PARROW J,WALKER D.Modal logics for mobile processes[J].Theoretical Computer Science,1993,114(1):149-171.
[18] MILNER R.Communicating and mobile systems:the π-calculus[M].Cambridge University Press,1999.
[19] MILNER R.Lectures on a calculus for communicating systems:Seminar on Concurrency[M].Springer Berlin Heidelberg.1985:197-220.
[20] CRAFA S,MIO M,MICULAN M,et al.PicNIc-Pi-calculus non-interference checker[C]∥ International Conference on Application of Concurrency to System Design.2008:33-38.
[21] CRAFA S,ROSSI S.P-congruences as non-interference for the pi-calculus[C]∥ACM Workshop on Formal Methods in Security Engineering(Fmse 2006).Alexandria,Va,USA,2006:13-22.
[22] PASQUIER T F J M,BACON J,EYERS D.FlowK:Information Flow Control for the Cloud[C]∥ International Conference on Cloud Computing Technology and Science.2014:70-77.
[23] Biba K J.Integrity Considerations for Secure Computer System.http://www.cerias.purdue.edu/apps/reports-and-papers/view/2834.

No related articles found!
Viewed
Full text


Abstract

Cited

  Shared   
  Discussed   
No Suggested Reading articles found!