摘要
云组合服务可以为用户提供更加丰富的功能,但在业务流程中敏感信息可能流经多个云服务,必须实施信息流控制来防止信息的泄露或非授权访问。针对云组合服务的信息流安全问题,提出了一种基于依赖分析的信息流控制机制,通过数据间的依赖关系分析云组合服务中的信息流动,并使用安全标签进行信息流控制。首先,构建了复杂组合结构的云组合服务加权有向图模型,基于安全属性定义了云服务的属性证书、数据的机密性标签以及完整性标签;接着,提出了服务内部输入依赖与服务间资源依赖的概念,并给出了基于历史信息的运行时输入依赖与资源依赖计算方法;其次,根据依赖分析给出了输出数据安全标签算法,定义了组合信息流策略并设计了分布式的信息流控制机制,实现了复杂组合结构下云组合服务中信息流的机密性和完整性保护;最后,分析评估了机制的有效性与性能。
Cloud composition service can provide users with richer capabilities,but sensitive information may flow through multiple cloud services in business process,so information flow control must be implemented to prevent information leakage or unauthorized access.Aiming at the security problem of information flow in cloud composite service,this paper proposed a data flow control mechanism based on dependency analysis.The information flow in cloud composite service was analyzed by the dependency between data and the information flow was controlled by using security label.Firstly,a cloud composition service weighted directed graph model with complex combination structure is constructed.Based on the security attributes,the attribute certificate of cloud service,the confidentiality label and integrity label of data are defined,then the input dependencies between services and resource dependencies between services are proposed,and the input dependence and resource dependency computing method based on historical information are given.After that,the output data security label algorithm is given according to the dependency analysis, the compositional information flow policy is defined and the distributed information flow control mechanism is designed,realizing the confidentiality and integrity protection of information flow in cloud composition service under complex compositional structure.At last,an example is given to anaylze the effectiveness and performance of the mechanism.
引文
[1] MENG S M .Trusted Service Composition and Its Key Techno- logies in Cloud Environment[D].Nanjing:Nanjing University,2016.(in Chinese)孟顺梅.云计算环境下可信服务组合及其关键技术研究[D].南京:南京大学,2016.
[2] JULA A,SUNDARARAJAN E,OTHMAN Z.Cloud computing service composition:A systematic literature review[J].Expert Systems with Applications,2014,41(8):3809-3824.
[3] XI N.A Study on Composable Information Flow Security Model and Approach[D].Xi’an:Xidian University,2014.(in Chinese)习宁.可组合信息流安全验证模型及方法研究[D].西安:西安电子科技大学,2014.
[4] YU B.Research on Key Security Techniques of Web Service Composition[D].Changsha:National University of Defense Technology,2013.(in Chinese) 喻波.Web服务组合的关键安全技术研究[D].长沙:国防科学技术大学,2013.
[5] WANG Y D,YANG J H,XU C,et al.Survey on access control technologies for cloud computing[J].Journal of Software,2015,26(5):1129-1150.(in Chinese)王于丁,杨家海,徐聪,等.云计算访问控制技术研究综述[J].软件学报,2015,26(5):1129-1150.
[6] BACON J,EYERS D,PASQUIER J M,et al.Information Flow Control for Secure Cloud Computing[J].IEEE Transactions on Network & Service Management,2014,11(1):76-89.
[7] SHE W,YEN I L,THURAISINGHAM B,et al.Security- Aware Service Composition with Fine-Grained Information Flow Control[J].IEEE Transactions on Services Computing,2013,6(3):330-343.
[8] HUTTER D,VOLKAMER M.Information Flow Control to Secure Dynamic Web Service Composition[J].Lecture Notes in Computer Science,2006,3934:196-210.
[9] SHE W,YEN I L,THURAISINGHAM B,et al.The SCIFC Model for Information Flow Control in Web Service Composition[C]//IEEE International Conference on Web Services.Los Angeles:IEEE,2009:1-8.
[10] SHE W,YEN I L,THURAISINGHAM B,et al.Rule-based run-time information flow control in service cloud[C]//2011 IEEE International Conference on Web Services (ICWS).Wa-shington,DC:IEEE,2011:524-531.
[11] YU B,YANG L,CHEN S,et al.An information flow control approach in composite services[C]//In IET International Conference on Information and Communications Technologies.Beijing:IET,2013:263-269.
[12] XI N,SUN C,MA J,et al.Secure service composition with information flow control in service clouds[J].Future Generation Computer Systems,2015,49(C):142-148.
[13] SOLANKI N,HOFFMAN T,YEN I L,et al.An Access and Information Flow Control Paradigm for Secure Information Sharing in Service-Based Systems[C]//2015 IEEE 39th Annual Computer Software and Applications Conference (COMPSAC).Taichung:IEEE,2015:60-67.
[14] PASQUIER T,BACON J,SINGH J,et al.Data-Centric Access Control for Cloud Computing[C]//Symposium on Access Control Models and Technologies.Shanghai:ACM,2016:81-88.
[15] WANG L,LI F,LI L,et al.Principle and Practice of Taint Analysis[J].Journal of Software,2017,28(4):860-882.(in Chinese)王蕾,李丰,李炼,等.污点分析技术的原理和实践应用[J].软件学报,2017,28(4):860-882.