Authors: ZHANG Su (张溯); ZHANG Ying (张颖); ZHANG Wei (张伟); HUANG Gang (黄罡)[1] (Key Laboratory of High-confidence Software Technology of Ministry of Education (Peking University), Beijing 100871, China; National Engineering Research Center for Software Engineering, Peking University, Beijing 100871, China; Internetware Technologies Corporation, Beijing 100085, China)
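Affiliations: [1] Key Laboratory of High-confidence Software Technology of Ministry of Education (Peking University), Beijing 100871 [2] National Engineering Research Center for Software Engineering, Peking University, Beijing 100871 [3] Internetware Technologies Corporation, Beijing 100085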
Source: Journal of Software (《软件学报》), 2024, Issue 11, pp. 4949-4972 (24 pages)
Funding: National Key Research and Development Program of China (2021YFF1201103).
Abstract: As a new type of production factor, data need to be exchanged between different entities to create value. In this process, data integrity must be ensured; that is, data must not be tampered with without authorization, otherwise the consequences may be extremely serious. Existing work implements data evidence preservation by combining distributed ledgers with data encryption and verification technology, proving that the data to be exchanged have not been tampered with during transmission, storage, and other related data processing phases, and thereby ensuring data integrity. However, such work has difficulty confirming the integrity of the data that the data supplier itself provides. Once the data supplier, actively or passively, provides forged data, all subsequent integrity assurance becomes meaningless. Therefore, this study proposes a method for verifying the integrity of data services based on remote attestation. Using the trusted execution environment as the trust anchor, the method measures and verifies, along multiple dimensions, the integrity of the static code, execution process, and execution result of a specific data service. It also optimizes the integrity verification of a specific data service through program slicing, thus extending the scope of data integrity assurance to the point at which the data supplier provides the data. A series of experiments on 25 data services in three real Java information systems validates the proposed method.
Keywords: data service; data integrity; remote attestation; control-flow attestation; trusted execution environment
Classification code: TP311 [Automation and Computer Technology: Computer Software and Theory]