S-DIFC: software defined network-based decentralized information flow control system
WANG Tao¹, YAN Fei¹˒², WANG Qingfei¹, ZHANG Leyi¹
1. School of Computer, Wuhan University, Wuhan Hubei 430072, China;
2. Key Laboratory of Aerospace Information Security and Trusted Computing, Ministry of Education (Wuhan University), Wuhan Hubei 430072, China
To address the inability of current Decentralized Information Flow Control (DIFC) systems to monitor sensitive data jointly across hosts and the network, a new DIFC design framework based on Software Defined Networking (SDN), called S-DIFC, was proposed. First, the framework uses DIFC modules to monitor files and processes in the host plane at fine granularity. Second, label mapping modules intercept network communication and insert sensitive-data labels into the network flow. In the network plane, the SDN controller then implements multi-level access control over flows that carry security labels. Finally, S-DIFC recovers the security labels carried by the sensitive data in the DIFC system on the target host. Experimental results show that S-DIFC reduces host CPU performance by less than 10% and memory performance by less than 1.3%. Compared with the DStar system, which introduces an extra delay of more than 15 seconds, S-DIFC effectively reduces the communication overhead of a distributed network control system. The framework can meet the sensitive-data security requirements of next-generation networks, and its distributed design increases the flexibility of the monitoring system.
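As an added illustration of the pipeline the abstract describes (not the authors' code), the following Python model walks one message through the four stages: a labeled host process, the label mapping module that attaches the label to the flow, a controller that enforces the DIFC can-flow rule in the network plane, and label recovery on the receiving host. It assumes set-based secrecy labels, a per-host clearance table as the controller's policy input, and constructed host names, tags and payload.

```python
from dataclasses import dataclass, field

Label = frozenset  # DIFC secrecy label: a set of tags, e.g. {"payroll"}

@dataclass
class Process:           # a labeled process in the host plane
    host: str
    label: Label = field(default_factory=frozenset)

@dataclass
class LabeledFlow:       # network flow carrying the sensitive-data label
    src_host: str
    dst_host: str
    label: Label
    payload: bytes

def can_flow(data: Label, clearance: Label) -> bool:
    # Standard DIFC rule: every secrecy tag on the data must be held by the receiver.
    return data <= clearance

def label_mapping_send(proc: Process, dst_host: str, payload: bytes) -> LabeledFlow:
    # Host-plane label mapping module: intercept the outgoing message and
    # attach the sending process's secrecy label to the flow.
    return LabeledFlow(proc.host, dst_host, proc.label, payload)

class Controller:
    # Network-plane enforcement point, standing in for the SDN controller.
    # host_clearance (assumed policy input): the tags each host may receive.
    def __init__(self, host_clearance: dict):
        self.host_clearance = host_clearance
        self.log = []    # per-flow decisions, kept for audit and detection
    def admit(self, flow: LabeledFlow) -> bool:
        ok = can_flow(flow.label, self.host_clearance.get(flow.dst_host, Label()))
        self.log.append((flow.src_host, flow.dst_host, sorted(flow.label), "ALLOW" if ok else "DROP"))
        return ok

def deliver(ctl: Controller, flow: LabeledFlow, receiver: Process) -> bool:
    # Target host: an admitted flow taints the receiver with the carried tags
    # (label recovery), so anything it forwards later stays under control.
    if not ctl.admit(flow):
        return False
    receiver.label = receiver.label | flow.label
    return True

def demo():
    ctl = Controller({"hostA": Label({"payroll"}), "hostB": Label({"payroll"}), "hostC": Label()})
    a, b, c = Process("hostA", Label({"payroll"})), Process("hostB"), Process("hostC")
    first = deliver(ctl, label_mapping_send(a, "hostB", b"salary data"), b)   # constructed input; allowed
    second = deliver(ctl, label_mapping_send(b, "hostC", b"salary data"), c)  # b is now tainted; dropped
    return first, second, b.label, ctl.log
```

The second flow is dropped because the label recovered on hostB follows the data when it is forwarded to a host that is not cleared for it.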
WANG Tao, YAN Fei, WANG Qingfei, ZHANG Leyi. Software defined network-based decentralized information flow control system: S-DIFC [J]. Journal of Computer Applications, 2015, 35(1): 62-67.
WANG Tao, YAN Fei, WANG Qingfei, ZHANG Leyi. S-DIFC: software defined network-based decentralized information flow control system. Journal of Computer Applications, 2015, 35(1): 62-67.