基于信息流控制的HDFS敏感数据安全增强

云服务及mapreduce计算环境下数据安全问题日益突显，针对HDFS已有保护方法如认证授权，数据加密，访问控制和审计方法都不能保证敏感数据端到端的安全性，首先，提出了一个用于HDFS的安全代数语言SALH(Security Algebra Language for HDFS)，给出了SALH的语义和语法。其次，采用SALH形式化描述了HDFS信息流跟踪和控制模型并证明了模型的无干扰安全性。最后，给出了原型系统IF-HDFS设计与实现关键技术，原型系统的功能和性能测试结果表明IF-HDFS可实时、有效、准确地实现信息流跟踪与控制。

Enhancing Sensitive Data Security with Information Flow Controlling for HDFS

Data security has become a prominent problem under cloud services and mapreduce computing environment. At the same time, existing protection method for HDFS such as authentication and authorization, data encryption, access control and audit cannot guarantee the end-to-end security of sensitive data. First, this paper proposed a Security Algebra Language for HDFS (SALH) and given the semantics and grammar of SALH. Then formal descried the model of the information flow tracking and controlling for HDFS by SALH, and proved the interference security property of the model. Finally, it given the key technologies of design and implementation of prototype system (IF-HDFS). The function and performance test results show that IF-HDFS is an effective and accurate system that tracking and controlling information flow at runtime.