Similar literature
20 similar documents found; search took 15 ms
1.
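Liu Tong, Wang Fengying. Application Research of Computers, 2013, 30(10): 3117-3120
To ensure the security of data provenance, this paper studies the Open Provenance Model and extends it with secure provenance, building a secure provenance model that satisfies confidentiality and integrity. For confidentiality, the Diffie-Hellman protocol is improved to negotiate a session key securely, and that key is then used to encrypt sensitive information. For integrity, the originated-from relation is described as a set of triples and signed, and the signature-based checksum is improved so that it applies to directed acyclic graphs. Finally, an algorithm for verifying integrity is given in pseudocode. Establishing the open secure provenance model ensures the trustworthiness of data provenance.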

2.
Sharing geospatial provenance in a service-oriented environment   Total citations: 1, self-citations: 0, citations by others: 1
One of the earliest investigations of provenance was inspired by applications in GIS in the early 1990’s. Provenance records the processing history of a data product. It provides an information context to help users determine the reliability of data products. Conventional provenance applications in GIS focus on provenance capture, representation, and usage in a stand-alone environment such as a desktop-based GIS software system. They cannot support wide sharing and open access of provenance in a distributed environment. The growth of service-oriented sharing and processing of geospatial data brings some new challenges in provenance-aware applications. One is how to share geospatial provenance in an interoperable way. This paper describes the development of provenance service for geospatial data products using the ebXML Registry Information Model (ebRIM) of a geospatial catalog service, which follows the interface specifications of the OGC Catalogue Services for the Web (CSW). This approach fits well the current service stack of the GIS domain and facilitates the management of geospatial data provenance in an open and distributed environment.

3.
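Data provenance is metadata that describes where data came from and the processing it has undergone. It is commonly used for tracing data errors back to their source, reconstructing data, and verifying data trustworthiness. Provenance security is the key bottleneck restricting the large-scale application of provenance technology. To advance research on provenance security, this paper first analyzes what provenance security means in terms of integrity, confidentiality and availability. It then introduces the provenance security mechanisms that currently receive wide attention, namely provenance filtering and provenance-aware access control, analyzes the main characteristics of each of these two classes of mechanism, and compares the strengths and weaknesses of existing work. Finally, it points out directions for the development of provenance security research.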

4.
In the past few years, we witnessed rapid progress in service-oriented computing (SOC), which represents a new computing paradigm. SOC changes the way we develop and use software and hardware. Major enabling techniques, including service-oriented architecture (SOA), service-oriented enterprise (SOE), service-oriented infrastructure (SOI), Web services (WS), and associated protocols and standards are being established. This paper focuses on the system engineering issues and how these engineering issues are manifested in SOA development processes. SOSE differs from traditional system engineering because it emphasizes reusability, a dynamic and adaptive nature, and a unique model-driven approach.

5.
One of the most important tasks in eScience is capturing the provenance of data. While scientists frequently use off-the-shelf analysis tools to process and manipulate data, current provenance techniques such as those based on scientific workflows are typically not able to trace internal data manipulations that occur within these tools. In this paper, we focus on one such off-the-shelf tool, MS Excel, which is used by many scientists; specifically, we propose InSituTrac, an automated in situ provenance approach for spreadsheet data in Excel. Our framework captures data provenance unobtrusively in the background, allows for user annotations, provides undo/redo functionality at various levels of granularity, presents the captured provenance in an accessible format, and visualizes captured provenance to support analysis of the provenance log. We highlight several motivating use case scenarios which show how provenance queries can be answered by our approach. Finally, case studies with an atmospheric science research group and a fisheries research group suggest that the automated provenance approach is both efficient and useful to scientists.

6.
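The Android system has long been one of the main targets of attackers and, since its release, has faced security risks such as rooting, image tampering and malicious programs. The framework layer is easily overlooked in system security, yet it can give rise to very high security risk. This paper analyzes the forms the framework layer takes in Android and the ways it is used, and, based on the characteristics of the framework layer, proposes a framework-layer integrity measurement method (FIMM) to safeguard both the code integrity and the runtime integrity of the Android framework layer. Because Android lacks integrity protection for framework-layer components, the method provides integrity measurement and integrity verification of framework-layer components at load time. For Android system services, considering their long running lifetime, we studied the system service invocation process and provide fairly fine-grained dynamic measurement for them, confirming the integrity of the code segment of the system service process on every system service call. Finally, we present a prototype implementation based on the Android emulator and analyze the security and performance overhead of FIMM, concluding that FIMM fully meets our security expectations and incurs only a small performance overhead.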

7.
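Selecting appropriate software reliability metrics is important for software quality assurance and project management. Existing methods for selecting software reliability metrics do not consider the software integrity level, an important design attribute. The integrity level denotes the range of values of a software property that is necessary to keep system risk within tolerable limits, and it has a significant effect on the level of software reliability. This paper proposes an integrity-level-based framework for selecting reliability metrics: it first gives an integrity-level-based metric selection scheme; then, on the basis of that scheme, it gives the corresponding metric selection method; finally, it applies the proposed framework to the external software reliability metrics in the ISO/IEC 9126 quality model, recommending each metric to different integrity levels to differing degrees (basic, conditional and reference) according to the characteristics of the metric. The example shows that integrity-level-based metric selection is systematic and effective, and that the recommended metrics can meet the needs of software, especially safety-critical software, at different integrity levels.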

8.
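Provenance is metadata that records the history of how data has evolved. Researchers have recently proposed provenance-aware access control, which decides whether to allow or deny an access request by tracing and analyzing the provenance of the accessor or of the accessed object. Because provenance is usually recorded by the system at run time and takes the form of a complex directed graph, identifying, specifying and managing provenance-aware access control policies is very difficult. To this end, a UML-model-based method for analyzing provenance-aware access control policies is proposed, comprising an abstract modeling technique for complex provenance graphs and a reference process guide for systematically building provenance models and specifying provenance-aware access control policies within an object-oriented software development process. Finally, an enterprise online training system is used as a case study to show how the proposed method is applied.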

9.
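A kernel integrity monitoring method based on hardware virtualization   Total citations: 2, self-citations: 0, citations by others: 2
Li Xun, Huang Hao. Computer Science, 2011, 38(12): 68-72
Attacks on the operating system kernel endanger the security of the operating system by tampering with critical data and altering control flow. Some existing methods defend against these attacks by protecting code integrity or control-flow integrity, but they tend to focus on only one aspect and do not give a complete monitoring method. By analyzing the concept of kernel integrity, this paper derives the conditions needed to guarantee kernel integrity in a real system: to ensure data integrity, critical data objects that affect system functionality may be modified only by designated code under specific circumstances; to ensure control-flow integrity, all factors that affect changes to the code execution sequence are protected and monitored. The Xen virtual machine monitor with hardware virtualization is used to protect and monitor the Linux kernel. Experimental results show that the method can prevent damage to the kernel from external attacks and from the kernel's own vulnerabilities.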

10.
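For an information system, the security of its data is very important, and data integrity is the most important manifestation of data security. To ensure the security of the data in a system and improve system reliability, data integrity needs to be analyzed and verified. To address the quantitative evaluation of data integrity, this paper proposes using probabilistic computation tree logic to describe the definition of integrity formally and builds a corresponding Markov decision process model for quantitative evaluation; probabilistic model checking algorithms are then used to evaluate integrity, achieving quantitative verification of integrity. By applying the proposed evaluation model to an interactive electronic manual system, the integrity of that system model was computed quantitatively, providing support for integrity requirements in system development.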

11.
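Research on security mechanisms for outsourced database systems   Total citations: 6, self-citations: 1, citations by others: 6
In the outsourced database model, an organization outsources its database operations to an external database server, and the outsourcing service provider offers data owners and database users remote database creation, storage, update and query services. Because the outsourced server itself is not fully trusted, outsourced database systems raise a series of security problems. This paper discusses the classification of database security architectures, examines the basic structure of outsourced databases, surveys the state of research on security mechanisms for outsourced databases, including data encryption, ciphertext query strategies, privacy protection, data integrity verification and database copyright protection based on database watermarking, describes the progress of that research, and looks ahead to the development of secure outsourced database systems. The study concludes that integrating multiple security mechanisms while balancing the reasonable requirements of both security and usability is the technical key to building outsourced database systems.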

12.
Because of their rapid growth in recent years, embedded systems present a new front in vulnerability and an attractive target for attackers. Their pervasive use, including sensors and mobile devices, makes it easier for an adversary to gain physical access to facilitate both attacks and reverse engineering of the system. This paper describes a system - CODESSEAL - for software protection and evaluates its overhead. CODESSEAL aims to protect embedded systems from attackers with enough expertise and resources to capture the device and attempt to manipulate not only software, but also hardware. The protection mechanism involves both a compiler-based software tool that instruments executables and an on-chip FPGA-based hardware component that provides run-time integrity and control flow checking on the executable code. The use of reconfigurable hardware allows CODESSEAL to provide such security services as confidentiality, integrity and program-flow protection in a platform-independent manner without requiring a redesign of the processor. Similarly, the compiler instrumentation hides the security details from software developers. Software and data protection techniques are presented for our system and a performance analysis is provided using cycle accurate simulation. Our experimental results show that protecting instructions and data with a high level of security can be achieved with low performance penalty, in most cases less than 10%.

13.
Fog computing is a promising computing paradigm that brings computing resources close to end users at the edge of the network. Hence, it handles large-scale, geographically distributed, and latency-sensitive services. However, there are several security challenges that must be addressed due to the unreliable nature of this architecture. One can cite the verification of data integrity among the most critical issues in the context of fog computing. In fact, since data is often stored dynamically in a fully distributed manner, traditional solutions based on a centralized third-party auditor for integrity verification become unsuitable for such highly dynamic and distributed contexts. Indeed, the constant transfer of data to and from the central auditor results in high network latency and potential bottlenecks. Therefore, in this paper, we propose a new efficient public verification protocol that ensures the integrity of the data in fog computing architecture. Our solution protects data integrity and authenticity using the short integer solution problem (SIS) and identity-based signatures. Moreover, in order to legitimately modify the data, our protocol allows data owners to be identified in a distributed manner and their signatures to be delegated to other entities in the architecture. Furthermore, it enables effective data integrity verification even when data is separately shared across several servers. This verification can be performed by any legitimate end user connected to the architecture, and without relying on any trusted third party. Finally, we prove that our protocol is highly efficient and outperforms existing solutions, as demonstrated by our extensive simulations and thorough security analysis that confirmed its security.

14.
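End-to-end checksumming is an effective means of checking data integrity and can provide a basic reliability guarantee for distributed storage systems. Glusterfs is a commonly used stackable distributed file system, but it lacks an effective data integrity checking mechanism, so there is a risk that corruption of user data goes undetected, that is, that wrong data is returned to the user. In some cases this risk can also spread, causing data loss in multi-replica, disaster-recovery or active-active deployments. To address this problem, this paper proposes a cost-effective end-to-end checksum scheme based on Glusterfs (named Glusterfs-E2E), which can effectively resolve the data integrity risks present in the Glusterfs file system. The scheme not only provides full-path protection with a performance overhead of 2%~8%, but can also locate software faults.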

15.
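Research on confidentiality and data integrity in multilevel secure databases   Total citations: 3, self-citations: 0, citations by others: 3
Confidentiality, integrity and availability are the three essential elements of a multilevel secure database. However, the requirements of integrity and confidentiality are often inconsistent, and existing multilevel secure systems generally obtain higher confidentiality by sacrificing data integrity and availability. This paper modifies the traditional security model so that it offers high confidentiality, data integrity and availability.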

16.
The Requirements of Using Provenance in e-Science Experiments   Total citations: 2, self-citations: 0, citations by others: 2
In e-Science experiments, it is vital to record the experimental process for later use such as in interpreting results, verifying that the correct process took place or tracing where data came from. The process that led to some data is called the provenance of that data, and a provenance architecture is the software architecture for a system that will provide the necessary functionality to record, store and use process documentation to determine the provenance of data items. However, there has been little principled analysis of what is actually required of a provenance architecture, so it is impossible to determine the functionality they would ideally support. In this paper, we present use cases for a provenance architecture from current experiments in biology, chemistry, physics and computer science, and analyse the use cases to determine the technical requirements of a generic, technology and application-independent architecture. We propose an architecture that meets these requirements, analyse its features compared with other approaches and evaluate a preliminary implementation by attempting to realise two of the use cases.

17.
Systems based on the service-oriented architecture (SOA) principles have become an important cornerstone of the development of enterprise-scale software applications. They are characterized by separating functions into distinct software units, called services, which can be published, requested and dynamically combined in the production of business applications. Service-oriented systems (SOSs) promise high flexibility, improved maintainability, and simple re-use of functionality. Achieving these properties requires an understanding not only of the individual artifacts of the system but also their integration. In this context, non-functional aspects play an important role and should be analyzed and modeled as early as possible in the development cycle. In this paper, we discuss modeling of non-functional aspects of service-oriented systems, and the use of these models for analysis and deployment. Our contribution in this paper is threefold. First, we show how services and service compositions may be modeled in UML by using a profile for SOA (UML4SOA) and how non-functional properties of service-oriented systems can be represented using the non-functional extension of UML4SOA (UML4SOA-NFP) and the MARTE profile. This enables modeling of performance, security and reliable messaging. Second, we discuss formal analysis of models which respect this design, in particular we consider performance estimates and reliability analysis using the stochastically timed process algebra PEPA as the underlying analytical engine. Last but not least, our models are the source for the application of deployment mechanisms which comprise model-to-model and model-to-text transformations implemented in the framework VIATRA. All techniques presented in this work are illustrated by a running example from an eUniversity case study.

18.
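Protecting software code from unauthorized modification is a serious problem facing software developers. Based on the idea of sentinels, this paper proposes a cyclic sentinel model that can protect the integrity of the sentinels in a more flexible way. The sentinels form a cyclic chain, which guarantees that every sentinel is protected by other sentinels, so that the security of the sentinels themselves is ensured while the integrity of the software is protected. A data integrity verification protocol is also proposed to check the integrity of the sentinels in real time, and the security of the protocol is proved.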

19.
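To date, a large body of literature has proposed many security models for implementing multilevel secure database systems, and different models have different advantages. To address the problems that the original master-slave structured table security model is prone to semantic ambiguity and operational incompleteness, this paper proposes a new master-slave structured table model that eliminates both. The model adds the concepts of base tuple and data inheritance, redefines polyinstantiation integrity and referential integrity, and introduces the PUPDATE operation and data-inheritance integrity, greatly enhancing the security and unambiguity of the system.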

20.
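Jin Yu, Cai Chao, He Heng, Li Peng. Computer Science, 2018, 45(3): 144-150
Cloud storage has been widely used since its inception because it is convenient and inexpensive. Compared with traditional systems, however, users of cloud storage lose direct control over their data, so what users care about most is whether the data stored in the cloud is secure, and integrity is one of the security requirements. Public auditing is an effective way to verify the integrity of cloud data. Although existing schemes can both verify the integrity of cloud data and support auditing of dynamic data updates, they have drawbacks: for example, when performing multiple second-level file block update tasks, the user must stay online throughout to carry out update auditing, and during this process both the communication volume between the user and the cloud server and the user's computation are large. To address this, a dynamic cloud data update auditing scheme based on a semi-trusted third party, named BTDA, is proposed. In BTDA, the user delegates the second-level file block update auditing tasks to the semi-trusted third party, so the user can be offline during second-level file block update auditing, which reduces the communication volume and computation on the user side. In addition, BTDA uses data blinding and proxy re-signature techniques to prevent the semi-trusted third party and the cloud server from obtaining the user's sensitive data, thereby protecting user privacy. Experiments show that, compared with current second-level file block update auditing schemes, the user side in BTDA sees substantial reductions in both computation time and communication volume.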
