Cloud computing is widely used because of its flexible, on-demand service model. More and more companies and individuals deploy their services and applications to the cloud. By combining a large number of basic services on a cloud platform, a complex and powerful composite service can be created at lower cost, and extensive business collaboration and resource sharing can be promoted. However, during the operation of a cloud composite service, sensitive information or polluted data may flow into other component services along with the business process, due to data processing inside a component service or message forwarding between services, which raises serious information flow security problems. How to implement information flow control in cloud composite services so that security attributes of data such as confidentiality and integrity are not violated is the core issue of this paper. At present, research on information flow control for cloud composite services cannot solve the information flow security problems of complex structured cloud composite services. Focusing on the commercial nature of the cloud computing environment and the dynamic nature of information flow in complex structured cloud composite services, this paper studies an information flow control model and mechanism for complex structured cloud composite services and an information flow security verification method for the composition phase. The paper provides theoretical and technical support for solving the information flow problem in complex structured cloud composite services. The main work and innovations of this paper are reflected in the following four aspects:

1. An information flow control model for cloud composite services supporting the Chinese Wall policy is proposed. Because of the competitive relationships among the service providers involved in a business, there may be conflicts of interest between component services of a cloud composite service. Information flow between conflicting component services can result in leakage of sensitive information or contamination of real data. Existing cloud composite service information flow control models cannot solve the information flow security problem caused by such conflicts of interest. On this basis, an information flow control model for cloud composite services supporting the Chinese Wall policy, called CW-CCSIFC, is proposed. Building on a weighted directed graph model of the cloud composite service, information flow under complex composition structures is described formally. Because information flow complicates the conflicts of interest among component services, the composite conflict problem is proposed for complex structured cloud composite services, and the composite conflict relationship between component services is defined. The classical Chinese Wall policy model is improved, and the axioms that the implementation of information flow control should follow are proposed. The consistency of the model and the propagation of conflict are proved theoretically, and the model is shown to be secure with respect to composite conflict. Finally, an example illustrates the effectiveness of the model.

2. An information flow control mechanism for cloud composite services based on dependency analysis is proposed. Aiming at the requirement of dynamic information flow control in complex structured cloud composite services, this paper proposes an information flow control mechanism for cloud composite services based on dependency analysis, called DA-IFC. This mechanism analyzes the information flow from input data to output data within a cloud component service, and the information flow between the local data of a component service and the output data of its successor services, and establishes dynamic dependency relationships between data. According to these dependency relationships and composite information flow policies based on security attributes, a distributed dynamic information flow control mechanism for cloud composite services is implemented. Finally, an example analyzes the effectiveness of the mechanism and experiments evaluate its performance.

3. A composite information flow security verification method for cloud services based on an information flow graph is proposed. Aiming at the problem of information flow security verification in the composition phase of complex structured cloud composite services, this paper presents a method based on an information flow graph for composite information flow security verification, called IFG-CSV. This method abstracts the weighted directed graph of a complex structured cloud composite service into a static information flow graph, and makes full use of pre-defined static information flow policies and of historical violation information obtained from previous dynamic runs, in two phases. Candidate composite services undergo information flow security verification, and finally a cloud composite service that satisfies the static information flow security constraints is obtained. Experimental analysis shows that this method can effectively reduce the high service interruption rate caused by enforcing information flow control while the cloud composite service is running.

4. A security-authority-based information flow control architecture for cloud composite services is designed. Based on the above theoretical research, this paper designs a security-authority-based information flow control architecture for cloud composite services, called SA-IFCA, and describes the structure of the architecture, its functional modules and the relationships between them. The architecture lays the foundation for implementing information flow control in complex structured cloud composite services.
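The following is an added example, not code from the thesis, illustrating the composite conflict idea behind CW-CCSIFC: a composite service is modelled as a directed graph of component services (edge weights omitted), providers are grouped into Chinese Wall conflict-of-interest classes, and conflicts are found not only on direct edges but also along multi-hop flows and where two conflicting providers' data merge at one service. The graph, provider names, COI classes and the three conflict categories are my own constructed assumptions, not the thesis's formal definitions.

```python
from collections import defaultdict, deque

def upstream(edges, node):
    """All services whose data can reach `node` over one or more hops."""
    preds = defaultdict(set)
    for u, v in edges:
        preds[v].add(u)
    seen, queue = set(), deque([node])
    while queue:
        for p in preds[queue.popleft()]:
            if p not in seen:
                seen.add(p)
                queue.append(p)
    seen.discard(node)          # a cycle back to itself is not a conflict
    return seen

def conflicts(edges, provider, coi):
    """Return sorted lists (direct, composite, merge) of Chinese Wall violations.

    direct    : edge a -> n where provider(a) and provider(n) share a COI class
    composite : a reaches n over >= 2 hops and the providers conflict
    merge     : two conflicting upstream sources a, b both reach n
    """
    def clash(a, b):
        pa, pb = provider[a], provider[b]
        return pa != pb and coi[pa] == coi[pb]
    direct, composite, merge = set(), set(), set()
    edge_set = set(edges)
    for n in provider:
        ups = upstream(edges, n)
        for a in ups:
            if clash(a, n):
                (direct if (a, n) in edge_set else composite).add((a, n))
        for a in ups:
            for b in ups:
                if a < b and clash(a, b):
                    merge.add((a, b, n))
    return sorted(direct), sorted(composite), sorted(merge)

# Constructed sample: two competing banks in one COI class, a neutral storage provider.
PROVIDER = {"s1": "BankA", "s2": "CloudX", "s3": "BankB",
            "s4": "BankA", "s5": "BankB", "s6": "CloudX"}
COI = {"BankA": "banking", "BankB": "banking", "CloudX": "storage"}
EDGES = [("s1", "s2"), ("s2", "s3"),            # BankA data laundered through CloudX to BankB
         ("s4", "s5"), ("s4", "s6"), ("s5", "s6")]  # direct clash, then both merge at s6

if __name__ == "__main__":
    for kind, found in zip(("direct", "composite", "merge"), conflicts(EDGES, PROVIDER, COI)):
        print(kind, found)
```

The indirect path s1 -> s2 -> s3 is the case a plain edge-by-edge Chinese Wall check misses; it is reported as a composite conflict.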