云系统中多域安全策略规范与验证方法

doi:10.11772/j.issn.1001-9081.2016.07.1834

计算机应用 ›› 2016, Vol. 36 ›› Issue (7): 1834-1840.DOI: 10.11772/j.issn.1001-9081.2016.07.1834

云系统中多域安全策略规范与验证方法

蔡婷¹, 蔡宇¹, 欧阳凯²

1. 重庆邮电大学移通学院计算机系, 重庆 401520;
2. 华中科技大学计算机学院, 武汉 430074

收稿日期:2015-12-28 修回日期:2016-03-14 出版日期:2016-07-10 发布日期:2016-07-14
通讯作者: 蔡婷
作者简介:蔡婷(1984-),女,湖北广水人,讲师,硕士,主要研究方向:互联网计算、网络安全结构与控制;蔡宇(1979-),男,河南郑州人,讲师,硕士,主要研究方向:云计算、信息安全;欧阳凯(1978-),男,四川成都人,副教授,博士,主要研究方向:网络安全控制、安全操作系统。
基金资助:
重庆市本科高校“三特行动计划”特色专业建设项目（渝教高（2013）49号）；重庆市教委科学技术研究项目（KJ1502002，KJ1502003）；重庆市高等教育学会2015-2016年度高等教育科学研究课题（CQGJ15203B）；重庆市教育科学“十二五”规划高等教育质量提升专项成果（2015-GX-086）。

Specification and verification method for security policy in multi-domain cloud systems

CAI Ting¹, CAI Yu¹, OUYANG Kai²

1. Department of Computer, College of Mobile Telecommunications, Chongqing University of Posts and Telecommunications, Chongqing 401520, China;
2. School of Computer Science and Technology, Huazhong University of Science and Technology, Wuhan Hubei 430074, China

Received:2015-12-28 Revised:2016-03-14 Online:2016-07-10 Published:2016-07-14
Supported by:
This work is partially supported by the "Three Special Action Plan" Specialty Construction Project of Universities in Chongqing (Yu Teach High (2013) No. 49), the Science and Technology Research Project of Education Committee of Chongqing (KJ1502002, KJ1502003), the Scientific Research Programs in Higher Education of Chongqing Institute of Higher Education (CQGJ15203B), the Quality Improvement Projects in Higher Education of Chongqing Education Science "Twelfth Five Year Plan" (2015-GX-086).

摘要/Abstract

摘要： 为了有效管理云系统间跨域互操作中安全策略的实施，提出一种适用于云计算环境的多域安全策略验证管理技术。首先，研究了安全互操作环境的访问控制规则和安全属性，通过角色层次关系区分域内管理和域间管理，形式化定义了基于多域的角色访问控制（domRBAC）模型和基于计算树逻辑（CTL）的安全属性规范；其次，给出了基于有向图的角色关联映射算法，以实现domRBAC角色层次推理，进而构造出了云安全策略验证算法。性能实验表明，多域互操作系统的属性验证时间开销会随着系统规模的扩大而增加。技术采用多进程并行检测方式可将属性验证时间减少70.1%～88.5%，其模型优化检测模式相比正常模式的时间折线波动更小，且在大规模系统中的时间开销要明显低于正常模式。该技术在规模较大的云系统安全互操作中具有稳定和高效率的属性验证性能。

关键词: 云系统, 多域, 访问控制, 安全互操作, 策略, 验证

Abstract: To effectively manage the enforcement of secure policies during the cross-domain interoperation among cloud systems, a management technique applied for the verification of multi-domain cloud policies was proposed. First, both the access control policies and security properties under secure inter-operation environments were studied, the intra-domain administration was distinguished from inter-domain administration according to role hierarchies, and a multi-domain Role Based Access Control (domRBAC) model and specifications for the security properties based on Computation Tree Logic (CTL) were formally defined. Next, a role-to-role mapping algorithm derived from the graph theory was proposed, to depict the reasoning for domRBAC hierarchies, and a verification algorithm of security policies for cloud systems was further constructed. The simulation results show that, the time cost of security policy verification for multi-domains increases with the expansion of the size of the system. Multi-process parallel detection mode can reduce the time of policy verification from 70.1% to 88.5%, and compared to the normal mode, the model optimized detection mode fluctuates smaller in time lines, and the time overhead is significantly lower for large-scale systems. Therefore, the proposed technique has stable performance and high efficiency to be used in secure interoperation of large-scale cloud systems.

Key words: cloud system, multi-domain, access control, secure interoperation, policy, verification

中图分类号:

TP309.2

蔡婷, 蔡宇, 欧阳凯. 云系统中多域安全策略规范与验证方法[J]. 计算机应用, 2016, 36(7): 1834-1840.

CAI Ting, CAI Yu, OUYANG Kai. Specification and verification method for security policy in multi-domain cloud systems[J]. Journal of Computer Applications, 2016, 36(7): 1834-1840.

参考文献

[1] 杨健,汪海航,王剑,等.云计算安全问题研究综述[J].小型微型计算机系统,2012,33(3):472-479.(YANG J, WANG H H, WANG J, et al. Survey on some security issues of cloud computing[J]. Journal of Chinese Computer Systems, 2012, 33(3):472-479.)
[2] ARMBRUST M, FOX A, GRIFFITH R, et al. A view of cloud computing[J]. Communications of the ACM, 2010, 53(5):50-58.
[3] 陈华山,皮兰,刘峰,等.网络空间安全科学基础的研究前沿及发展趋势[J].信息网络安全,2015(3):1-5.(CHEN H S, PI L, LIU F, et al. Research on frontier and trends of science of cybersecurity[J]. Netinfo Security, 2015(3):1-5.)
[4] American National Standard Institute. ANSI INCITS 359-2004, American national standard for information technology-role based access control[S]. New York:American National Standards Institute, 2004.
[5] SCHEFER-WENZL S, STREMBECK M. Modeling context-aware RBAC models for business processes in ubiquitous computing environments[C]//Proceedings of the 2012 Third FTRA International Conference on Mobile, Ubiquitous, and Intelligent Computing. Piscataway, NJ:IEEE, 2012:126-131.
[6] YAN D, TIAN Y, HUANG J, et al. Privacy-aware RBAC model for Web services composition[J]. The Journal of China Universities of Posts and Telecommunications, 2013, 20(S1):30-34.
[7] LI W, WAN H, REN X, et al. A refined RBAC model for cloud computing[C]//Proceedings of the 2012 IEEE/ACIS 11th International Conference on Computer and Information Science. Piscataway, NJ:IEEE, 2012:43-48.
[8] 叶春晓,郭东恒.多域环境下安全互操作研究[J].计算机应用,2012,32(12):3422-3425.(YE C X, GUO D H. Research on secure interoperation in multi-domain environment[J]. Journal of Computer Applications, 2012, 32(12):3422-3425.)
[9] MIGLIAVACCA M, PAPAGIANNIS I, EYERS D M, et al. Distributed middleware enforcement of event flow security policy[C]//Proceedings of the 2010 ACM/IFIP/USENIX 11th International Conference on Middleware. Berlin:Springer, 2010:334-354.
[10] TAKABI H, JOSHI J B D, AHN G J. Security and privacy challenges in cloud computing environments[J]. IEEE Security & Privacy, 2010, 8(6):24-31.
[11] 邹德清,邹永强,羌卫中,等.网格安全互操作及其应用研究[J].计算机学报,2010,33(3):514-525.(ZOU D Q, ZOU Y Q, QIANG W Z, et al. Grid security interoperation and its application[J]. Chinese Journal of Computers, 2010, 33(3):514-525.)
[12] KAPADIA A, AL-MUHTADI J, ROY C, et al. IRBAC 2000:secure interoperability using dynamic role translation[R]. Champaign, IL:University of Illinois at Urbana-Champaign, 1999:1-7.
[13] AL-MUHTADI J, KAPADIA A, CAMPBELL R, et al. The A-IRBAC 2000 model:administrative interoperable role-based access control[R]. Champaign, IL:University of Illinois at Urbana-Champaign, 2000:1-9.
[14] HU V C, KUHN D R, XIE T. Property verification for generic access control models[C]//EUC'08:Proceedings of the 2008 IEEE/IFIP International Conference on Embedded and Ubiquitous Computing. Piscataway, NJ:IEEE, 2008, 2:243-250.
[15] BRYANS J W, FITZGERALD J S. Formal Engineering of XACML Access Control Policies in VDM++[M]. Berlin:Springer, 2007:1-23.
[16] HU V C, KUHN D R, XIE T, et al. Model checking for verification of mandatory access control models and properties[J]. International Journal of Software Engineering and Knowledge Engineering, 2011, 21(1):103-127.
[17] HWANG J H, XIE T, HU V, et al. ACPT:a tool for modeling and verifying access control policies[C]//Proceedings of the 2010 IEEE International Symposium on Policies for Distributed Systems and Networks. Piscataway, NJ:IEEE, 2010:40-43.
[18] HWANG J H, ALTUNAY M, XIE T, et al. Model checking grid policies[EB/OL].[2015-11-28]. http://hwang250.googlecode.com/.
[19] SHAFIQ B, JOSHI J B D, BERTINO E, et al. Secure interoperation in a multidomain environment employing RBAC policies[J]. IEEE Transactions on Knowledge and Data Engineering, 2005, 17(11):1557-1577.
[20] CLARKE E M, EMERSON E A. Design and synthesis of synchronization skeletons using branching time temporal logic[M]//25 Years of Model Checking. Berlin:Springer, 2008:196-215.
[21] HOLZMANN G J. The model checker SPIN[J]. IEEE Transactions on Software Engineering, 1997, 23(5):279-295.
[22] CIMATTI A, CLARKE E, GIUNCHIGLIA F, et al. NuSMV:a new symbolic model checker[J]. International Journal on Software Tools for Technology Transfer, 2000, 2(4):410-425.
[23] BERHMANN G, DAVID A, LARSEN K G. A tutorial on UPPAAL[M]//Formal Methods for the Design of Real-Time Systems. Berlin:Springer, 2004:200-236.
[24] PAPADIMITRIOU C, SIDERI M. On the Floyd-Warshall algorithm for logic programs[J]. Journal of Logic Programming, 1999, 41(1):129-137.
[25] HERB S, ANDREI A. Boost C++ libraries 1.58.0[EB/OL].[2015-04-17]. http://www.boost.org/.

云系统中多域安全策略规范与验证方法

Specification and verification method for security policy in multi-domain cloud systems

PDF

可视化

摘要/Abstract

引用本文

使用本文

参考文献

相关文章 15

编辑推荐

Metrics

[1]	葛纪红, 沈韬. 基于区块链的能源数据访问控制方法[J]. 计算机应用, 2021, 41(9): 2615-2622.
[2]	张林发, 张榆锋, 王琨, 李支尧. 基于直觉模糊集和亮度增强的医学图像融合[J]. 计算机应用, 2021, 41(7): 2082-2091.
[3]	张萌, 李维华. 用户互动表示下的影响力最大化算法[J]. 计算机应用, 2021, 41(7): 1964-1969.
[4]	杜心雨, 王化群. LTE-A网络中基于动态组的有效的身份认证和密钥协商方案[J]. 计算机应用, 2021, 41(6): 1715-1722.
[5]	王建平, 王刚, 毛晓彬, 马恩琪. 基于深度强化学习的二连杆机械臂运动控制方法[J]. 计算机应用, 2021, 41(6): 1799-1804.
[6]	陈家豪, 殷新春. 基于云雾计算的可追踪可撤销密文策略属性基加密方案[J]. 计算机应用, 2021, 41(6): 1611-1620.
[7]	吴恺凡, 殷新春. 基于随机运算符的轻量级匿名射频识别系统双向认证协议[J]. 计算机应用, 2021, 41(6): 1621-1630.
[8]	葛丽娜, 胡雨谷, 张桂芬, 陈园园. 云计算环境基于客体属性匹配的逆向混合访问控制方案[J]. 计算机应用, 2021, 41(6): 1604-1610.
[9]	徐国保, 陈媛晓, 王骥. 基于图卷积网络的药物靶标关联预测算法[J]. 计算机应用, 2021, 41(5): 1522-1526.
[10]	贾鹤鸣, 李瑶, 姜子超, 孙康健. 基于改进共生生物搜索算法的林火图像多阈值分割[J]. 计算机应用, 2021, 41(5): 1465-1470.
[11]	张伟伟, 陶聪, 范岩, 于坤杰, 文笑雨, 张卫正. 改进回溯搜索算法解决光伏模型参数识别问题[J]. 计算机应用, 2021, 41(4): 1199-1206.
[12]	李燕, 陈巧萍. 考虑非支持性评论的网络谣言传播模型[J]. 计算机应用, 2021, 41(4): 1128-1135.
[13]	包玉龙, 朱雪阳, 张文辉, 孙鹏飞, 赵颖琪. 物联网应用中访问控制智能合约的形式化验证[J]. 计算机应用, 2021, 41(4): 930-938.
[14]	李秀艳, 刘明曦, 史闻博, 董国芳. 面向资源受限用户的高效动态数据审计方案[J]. 计算机应用, 2021, 41(2): 422-432.
[15]	张恩, 李会敏, 常键. 可验证的隐私保护k-means聚类方案[J]. 计算机应用, 2021, 41(2): 413-421.