Authors: LIU Ming-cong; WANG Na [1,2]; ZHOU Ning (Information Engineering University, Zhengzhou 450001, China; Henan Province Key Laboratory of Information Security, Zhengzhou 450001, China; Jiangnan Institute of Computing Technology, Wuxi, Jiangsu 214083, China)
Affiliations: [1] Information Engineering University, Zhengzhou 450001; [2] Henan Province Key Laboratory of Information Security, Zhengzhou 450001; [3] Jiangnan Institute of Computing Technology, Wuxi, Jiangsu 214083
Source: Computer Science (《计算机科学》), 2019, Issue 4, pp. 189-196, 8 pages
Funding: National Natural Science Foundation of China (61802436; 61502531); National 863 Program (2015AA016006); Natural Science Foundation of Henan Province (162300410334)
Abstract: Cloud composite services can provide users with richer capabilities, but sensitive information may flow through multiple cloud services in a business process, so information flow control must be enforced to prevent information leakage or unauthorized access. To address the information flow security problem in cloud composite services, this paper proposes an information flow control mechanism based on dependency analysis: information flow in a cloud composite service is analyzed through the dependencies between data, and security labels are used to control it. First, a weighted directed graph model of cloud composite services with complex composition structures is constructed, and, based on security attributes, the attribute certificate of a cloud service and the confidentiality label and integrity label of data are defined. Next, the concepts of input dependency within a service and resource dependency between services are proposed, and methods for computing runtime input dependency and resource dependency from historical information are given. Then, an algorithm for the security label of output data is given according to the dependency analysis, a compositional information flow policy is defined, and a distributed information flow control mechanism is designed, achieving confidentiality and integrity protection of information flow in cloud composite services under complex composition structures. Finally, the effectiveness and performance of the mechanism are analyzed and evaluated through an example.
Classification: TP309 [Automation and Computer Technology - Computer System Architecture]