基于软件定义网络的非集中式信息流控制系统——S-DIFC

doi:10.11772/j.issn.1001-9081.2015.01.0062

摘要
图/表
参考文献(0)
相关文章 (15)

全文: PDF (1155 KB) HTML
输出: BibTeX | EndNote (RIS)

摘要

针对当前非集中式信息流控制(DIFC)系统无法对主机与网络敏感数据进行一体化有效监控的问题,提出一种基于软件定义网络(SDN)的DIFC系统设计框架——S-DIFC.首先,在主机平面利用DIFC模块对主机中文件及进程进行细粒度的监控;然后,利用标签信息转换模块拦截网络通信,将敏感数据标签添加到网络流中;其次,在网络平面的SDN控制器中,对带有机密信息的流进行多级别的访问控制;最后,在目标主机DIFC系统上,恢复敏感数据所携带的敏感信息标记.实验结果表明,该系统对主机CPU负载影响在10%以内,对内存影响在0.3%以内,与依赖加解密处理的Dstar系统大于15 s的额外时延相比,有效地减轻了分布式网络控制系统对通信的负担.该框架能够适应下一代网络对敏感数据安全的需求,同时分布式的方法能够有效增强监控系统的灵活性.

	服务

	把本文推荐给朋友
	加入我的书架
	加入引用管理器
	E-mail Alert
	RSS
	作者相关文章
	王涛
	严飞
	王庆飞
	张乐艺

关键词 ：非集中式信息流控制, 软件定义网络, 数据防泄漏, 标签映射, 细粒度

Abstract：

To solve the problem that current Decentralized Information Flow Control (DIFC) systems are unable to monitor the integration of host and network sensitive data effectively, a new design framework of DIFC system based on Software Defined Network (SDN), called S-DIFC, was proposed. Firstly, this framework used DIFC modules to monitor files and processes in host plane with fine granularity. Moreover, label mapping modules were used to block network communication and insert sensitive data labels into network flow. Meanwhile the multi-level access control of the flow with security label was implemented with SDN's controller in network plane. Finally, S-DIFC recovered security labels carried by sensitive data in DIFC system on target host. The experimental results show S-DIFC influences host with CPU performance decrease within 10% and memory performance decrease within 1.3%. Compared to Dstar system with extra time-delay more than 15 seconds, S-DIFC mitigates communication overhead of distributed network control system effectively. This framework can meet the sensitive data security requirements of next generation network. In addition, the distributed method can enhance the flexibility of monitor system.

Key words： Decentralized Information Flow Control (DIFC) Software Defined Network (SDN) Data Leakage Prevention (DLP) label mapping fine granularity

收稿日期: 2014-07-18

中图分类号:

TP309.2

基金资助:

国家自然科学基金资助项目(61272452, 61003268, 91118003, 61303024);国家973计划项目(2014CB340600).

通讯作者: 严飞 E-mail: yanfei@whu.edu.cn

作者简介: 王涛(1987-),男,河南郑州人,硕士研究生,主要研究方向:可信软件、信息流控制;严飞(1980-),男,湖北武汉人,副教授,博士,主要研究方向:信息安全、可信计算;王庆飞(1989-),男,安徽宿州人,硕士研究生,主要研究方向:可信软件、可信虚拟机;张乐艺(1990-),男,湖北黄冈人,硕士研究生,主要研究方向:可信软件.

引用本文:

王涛, 严飞, 王庆飞, 张乐艺. 基于软件定义网络的非集中式信息流控制系统——S-DIFC[J]. 计算机应用, 2015, 35(1): 62-67. WANG Tao, YAN Fei, WANG Qingfei, ZHANG Leyi. S-DIFC: software defined network-based decentralized information flow control system. Journal of Computer Applications, 2015, 35(1): 62-67.

链接本文:

http://www.joca.cn/CN/10.11772/j.issn.1001-9081.2015.01.0062 或 http://www.joca.cn/CN/Y2015/V35/I1/62

[1] MYERS A C, LISKOV B. A decentralized model for information flow control [J]. ACM SIGOPS Operating Systems Review, 1997, 31(5): 129-142.
[2] La PADULA L J, BELL D E. Secure computer system: a mathematical model, ESD-TR-73-278 [R]. Bedford: MITRE Corporation, 1973.
[3] FRIDRICH J, PEVNY T, KODOVSKY J, et al. Statistically undetectable JPEG steg-anography: dead ends, challenges and opportunities [C]// Proceedings of the 9th ACM Workshop on Multimedia and Security. New York, ACM Press, 2007: 3-14.
[4] JAIN S, KUMAR A, MANDAL S, et al. B4: experience with a globally-deployed software defined WAN [C]// SIGCOMM'13: Proceedings of the ACM SIGCOMM 2013 Conference on SIGCOMM. New York, ACM Press, 2013: 3-14.
[5] ZELDOVICH N, BOYD-WICKIZER S, KOHLER E, et al. Making information flow explicit in HiStar [J]. Communications of the ACM, 2011, 54(11): 93-101.
[6] BRODSKY M, EFSTATHOPOULOS P, KAASHOEK F, et al. Toward secure services from untrusted developers, TR-2007-041 [R]. Cambridge: Massachusetts Institute of Technology, 2007.
[7] ZHANG Q, McCULLOUGH J, MA J, et al. Neon: system support for derived data management [J]. ACM SIGPLAN Notices, 2010, 45(7): 63-74.
[8] CORBATO F J, VYSSOTSKY V A. Introduction and overview of the multics system [C]// AFIPS'65: Proceedings of the 1965 Fall Joint Computer Conference. New York, ACM Press, 1965: 185-196.
[9] KROHN M, YIP A, BRODSKY M, et al. Information flow control for standard OS abstractions [J]. ACM SIGOPS Operating Systems Review, 2007, 41(6): 321-334.
[10] SHIN S, PORRAS P, YEGNESWARAN V, et al. FRESCO: modular composable security services for software-defined networks [EB/OL]. [2014-06-20]. http://www.csl.sri.com/users/vinod/papers/fresco.pdf.
[11] PORRAS P, SHIN S, YEGNESWARAN V, et al. A security enforcement kernel for OpenFlow networks [C]// HotSDN'12: Proceedings of the First Workshop on Hot Topics in Software Defined Networks. New York: ACM Press, 2012: 121-126.
[12] FAYAZBAKHSH S K, SEKAR V, YU M, et al. FlowTags: enforcing network-wide policies in the presence of dynamic middlebox actions [C]// HotSDN'13: Proceedings of the Second ACM SIGCOMM Workshop on Hot Topics in Software Defined Networking. New York: ACM Press, 2013: 19-24.
[13] MUNDADA Y, RAMACHANDRAN A, TARIQ M B, et al. Practical data-leak prevention for legacy applications in enterprise networks, GT-CS-11-01 [R]. Atlanta: Georgia Institute of Technology, 2011.
[14] MUNDADA Y, RAMACHANDRAN A, FEAMSTER N. Silver-Line: data and network isolation for cloud services [EB/OL]. [2014-06-10]. https://www.usenix.org/legacy/event/hotcloud11/tech/final_files/Mundada6-1-11.pdf.