Enhancing Sensitive Data Security for HDFS Based on Information Flow Control
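  • English title: Enhancing sensitive data security with information flow control for HDFS
  • Authors: Wu Zezhi (吴泽智); Chen Xingyuan (陈性元); Du Xuehui (杜学绘); Yang Zhi (杨智)
  • Authors (English): Wu Zezhi; Chen Xingyuan; Du Xuehui; Yang Zhi; College of Cryptogram Engineering, Information Engineering University; State Key Laboratory of Cryptology
  • Keywords: distributed file system; information flow tracking; security algebra; noninterference; formal analysis
  • Keywords (English): distributed file system; information flow tracking; security algebra; noninterference; formal analysis
  • Chinese journal title: JSYJ
  • English journal title: Application Research of Computers
  • Institution: College of Cryptogram Engineering, Information Engineering University; State Key Laboratory of Cryptology
  • Publication date: 2017-12-12 18:34
  • Publisher: Application Research of Computers (计算机应用研究)
  • Year: 2018
  • Issue: v.35; No.325
  • Funding: National "863" Program (2015AA016006, 2012AA012704); National Key Research and Development Program (2016YFB0501900)
  • Language: Chinese
  • Page: JSYJ201811057
  • Page count: 4
  • CN: 11
  • ISSN: 51-1196/TP
  • Classification number: 238-241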
Abstract
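Existing protection methods for HDFS, such as authentication and authorization, data encryption, access control, and auditing, cannot guarantee the end-to-end security of sensitive data. To address this, the paper proposes SALH (security algebra language for HDFS), a security algebra language for HDFS, and gives its semantics and syntax. It uses SALH to formally describe an information flow tracking and control model for HDFS and proves the noninterference security of the model. Finally, it presents the key techniques in the design and implementation of the prototype system IF-HDFS; the functional and performance test results of the prototype show that IF-HDFS implements information flow tracking and control in real time, effectively, and accurately.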
        Existing protection methods for HDFS, such as authentication and authorization, data encryption, access control and audit, cannot guarantee the end-to-end security of sensitive data. First, this paper proposed a security algebra language for HDFS (SALH) and gave the semantics and grammar of SALH. Then it formally described the model of information flow tracking and control for HDFS in SALH, and proved the noninterference security property of the model. Finally, it gave the key technologies of the design and implementation of the prototype system (IF-HDFS). The function and performance test results show that IF-HDFS is an effective and accurate system that tracks and controls information flow at runtime.
