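Affiliations: [1] Department of Computer Science, College of Mobile Telecommunications, Chongqing University of Posts and Telecommunications, Chongqing 401520; [2] School of Computer Science, Huazhong University of Science and Technology, Wuhan 430074
Source: Journal of Computer Applications (《计算机应用》), 2016, Issue 7, pp. 1834-1840 (7 pages)
Funding: Chongqing undergraduate universities "Three Special Action Plan" characteristic specialty construction project (Yu Jiao Gao (2013) No. 49); Chongqing Municipal Education Commission science and technology research projects (KJ1502002; KJ1502003); Chongqing Higher Education Society 2015-2016 higher education scientific research project (CQGJ15203B); Chongqing Education Science "Twelfth Five-Year Plan" special project on higher education quality improvement (2015-GX-086)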
Abstract: To effectively manage the enforcement of security policies during cross-domain interoperation among cloud systems, a management technique for verifying multi-domain security policies in cloud computing environments is proposed. First, the access control rules and security properties of secure interoperation environments are studied; intra-domain administration is distinguished from inter-domain administration by means of role hierarchies, and a multi-domain Role Based Access Control (domRBAC) model and a specification of security properties based on Computation Tree Logic (CTL) are formally defined. Next, a directed-graph-based role-to-role mapping algorithm is given to implement reasoning over domRBAC role hierarchies, and a verification algorithm for cloud security policies is then constructed. Performance experiments show that the time cost of property verification for a multi-domain interoperation system increases as the system grows in size. Multi-process parallel detection reduces property verification time by 70.1% to 88.5%; compared with the normal mode, the model-optimized detection mode shows smaller fluctuations in its time curve, and its time overhead is significantly lower in large-scale systems. The technique therefore offers stable and efficient property verification for secure interoperation of large-scale cloud systems.
Classification number: TP309.2 [Automation and Computer Technology: Computer System Architecture]