
Research On High Assurance Separation Model And Key Technology In Cloud Computing Environment

Posted on: 2017-02-15
Degree: Doctor
Type: Dissertation
Country: China
Candidate: W Ma
Full Text: PDF
GTID: 1108330482987052
Subject: Information security

Abstract/Summary:
A high assurance system is one for which convincing evidence is given that it satisfies a collection of critical security properties; this is reflected in the reliability, completeness and verifiability of its security functions. Because of the strict security and safety requirements placed on such systems, security has to be considered throughout their design and analysis. Designing and implementing a high assurance system is nevertheless difficult. The obstacles include: the complexity of the system architecture, which makes formal description and verification hard; a TCB (Trusted Computing Base) that grows excessively as more security-relevant functions are added; and the modifications that current computing and network environments need before they can handle labeled information.

The notion of MILS (Multiple Independent Levels of Security and Safety) is an innovative approach to the design of high assurance systems. Based on separation and information flow control, MILS divides a traditional multi-level security system into several single-level security components or domains connected by a small number of trusted components. Trusted and untrusted components coexist in the system, while the trusted components are kept non-bypassable, evaluable, always invoked and tamper-proof (the MILS NEAT properties).

Cloud computing technology matches the MILS concept well. Thanks to advantages of cloud computing such as the multiplexing of hardware resources and the dynamic organization and allocation of resources, a private cloud built on MILS principles can initialize security domains quickly and flexibly. At the same time, such security domains can accommodate different operating systems, applications, databases and protocols with differing semantics, which makes it possible to eliminate untrusted components such as commodity operating systems and to shrink the TCB correspondingly.

However, the security problems of cloud computing itself undermine users' trust in the cloud, and consequently cast doubt on the prospect of a cloud environment that meets high assurance security requirements. Moreover, although a MILS-based cloud reduces the complexity of the overall system, a formal description and verification of the whole system, as called for by the EAL4 requirements in the CC (Common Criteria), is still missing. It is also hard, in a MILS-based cloud, to verify the support and coordination relationships between security-relevant functions and to determine whether the overall security policy is actually satisfied. Separation is the key issue in MILS and one of the most important problems in cloud computing: whether proper and reliable separation is enforced between cloud tenants determines the security of tenants' data and their confidence in cloud computing, and whether proper separation is enforced between applications determines whether information can be cross-contaminated and whether a single security vulnerability can put the entire system at risk. This thesis therefore studies the separation issue of cloud environments in high assurance systems in depth. Its contributions are:

(1) In a cloud environment there is an adversarial relationship between the owner and maintainer of the infrastructure and its users, caused by their conflicting interests. To gain users' confidence and trust, cloud service providers (CSPs) have to take steps to prove the trustworthiness of the services they provide; studies on trusted cloud have discussed this issue. It has been pointed out that service transparency is an effective way to make cloud services more trustworthy: users should be allowed to participate in the management of the cloud platform, for example by establishing their own security policies and taking control of their own data and transactions, and the CSP should present proof of trust showing that the security goals are met by the security mechanisms it provides. This thesis presents a multi-level management mechanism that clarifies the respective responsibilities of users and CSP and lets users take part in the management and maintenance of their own data, applications and resources, improving their confidence. On top of this mechanism, a tenant separation model is proposed that describes the separation relationships between tenants, such as tenant management and tenants' access control to resources. Furthermore, because the resources that carry an application are distributed dynamically and are not bound to a particular physical platform, the boundary of an application changes as its resources change. Consequently, tenant separation has to be based on the separation of abstract resources if it is to remain valid. An application separation model is therefore proposed that describes the allocation and scheduling of resources from the viewpoint of tenants' applications; it ensures that applications remain properly separated even though their resources are allocated dynamically, and it provides the underlying basis for tenant separation.

(2) Because of the complexity of cloud computing systems, it is hard to formally describe and verify their overall architecture. However, the "perception" and "influence" relationships between virtual machines in a cloud fit the information flow semantics provided by non-interference. Information flow has been used to describe the interactions between system components when analyzing the security properties of complex systems. In this thesis the separation issue in cloud computing systems is analyzed on the basis of information flow, taking the characteristics of cloud computing into account: the information flows in a cloud computing system are formally described, and, under the separation rules proposed in the thesis, non-interference security is proved.

(3) Complex systems are usually designed top-down: starting from a coarse, abstract architecture, step-by-step refinement produces a concrete, realizable detailed architecture. But because the architecture keeps changing during refinement, it is hard to ensure that the original security design and the support relationships between security functions are preserved. Hierarchical TCB expansion is a concept derived from the transitive trust model: it starts from an initial TCB core and extends it layer by layer into a hierarchy of TCB subsets connected by trusted channels. Although hierarchical TCB expansion and architectural refinement differ in many ways, the notion of hierarchical TCB expansion can be used to guide architectural refinement. By introducing the concept of a channel into the refinement process, a new top-down architectural design model is obtained that ensures the support relationships between security functions are not broken during refinement and the original security properties are preserved. This model resolves the loss of connection between security functions in the design of MILS systems, and it guided the design and implementation of the prototype.

(4) A prototype in the form of a private cloud environment was implemented to validate the key techniques of this thesis. The prototype contains three private clouds. The applications within each cloud are separated using OpenFlow technology, which offers flexibility and dynamic response. Users' data is stored and separated over encrypted channels, and unidirectional transmission is used to share data across the separation. Virtual desktops separate the user terminal from the operating platform, and a MITM-based (man-in-the-middle) virtual desktop information flow control mechanism is introduced to ensure that the information flowing between the user terminal and the operating platform remains controllable.

In summary, this thesis discusses the separation issue in cloud computing environments under high assurance conditions, covering tenant separation, application separation and information flow separation. It contributes to building computing environments based on cloud technology that satisfy high assurance security requirements, and to the further development of high assurance systems by combining cloud computing technology with the MILS concept.
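The non-interference argument of contribution (2), with the one-way data sharing of contribution (4) as the only permitted cross-tenant flow, as an added worked example in Python. It is not code or a model from the dissertation: the two tenants A and B, their three operations, the toy hypervisor state and the interference policy are all constructed assumptions standing in for the separation rules the abstract only names. The check is the standard purge-based definition of non-interference (Goguen and Meseguer): a domain's view after a trace must equal its view after every action of a domain not allowed to interfere with it has been deleted from the trace. A hypervisor that gives all tenants one shared buffer fails the check, while the same system with per-tenant buffers and a policy-gated one-way copy passes it.

```python
"""Purge-based transitive non-interference check over a toy two-tenant cloud model.

Added example; the tenants, operations and interference policy below are constructed
assumptions, not the dissertation's own separation rules or prototype.
"""
from itertools import product

DOMAINS = ("A", "B")          # two tenants, each treated as one security domain (assumption)
OPS = ("write", "publish", "read")
ACTIONS = [(d, op) for d in DOMAINS for op in OPS]

# Interference policy "u may flow to v": reflexive, plus a single permitted one-way flow
# A -> B standing in for the unidirectional data sharing of contribution (4).  B -> A is
# forbidden.  The relation is transitive, so the plain purge-based definition applies.
POLICY = {("A", "A"), ("B", "B"), ("A", "B")}


def may_interfere(u, v):
    return (u, v) in POLICY


def initial_state():
    # reg: each tenant's private register.  shared: hypervisor-held buffers; the leaky
    # system uses the single "bus", the separated system uses one box per tenant.
    return {"reg": {d: 0 for d in DOMAINS},
            "shared": {"bus": 0, **{d: 0 for d in DOMAINS}}}


def _copy(state):
    return {k: dict(v) for k, v in state.items()}


def leaky_step(state, action):
    """Hypervisor with ONE shared buffer: whatever any tenant publishes, every tenant can read."""
    d, op = action
    s = _copy(state)
    if op == "write":
        s["reg"][d] += 1
    elif op == "publish":
        s["shared"]["bus"] = s["reg"][d]
    elif op == "read":
        s["reg"][d] = s["shared"]["bus"]
    return s


def separated_step(state, action):
    """Per-tenant buffers; a publish is forwarded only along flows the policy permits."""
    d, op = action
    s = _copy(state)
    if op == "write":
        s["reg"][d] += 1
    elif op == "publish":
        for v in DOMAINS:
            if may_interfere(d, v):      # d's own box, plus A -> B through the one-way channel
                s["shared"][v] = s["reg"][d]
    elif op == "read":
        s["reg"][d] = s["shared"][d]
    return s


def run(step, trace):
    s = initial_state()
    for a in trace:
        s = step(s, a)
    return s


def output(state, u):
    """What domain u can observe: only its own register."""
    return state["reg"][u]


def purge(trace, u):
    """Drop every action of a domain that is not allowed to interfere with u."""
    return [a for a in trace if may_interfere(a[0], u)]


def noninterference_violations(step, max_len=3):
    """Goguen-Meseguer non-interference: for every trace t and domain u,
    output(run(t), u) == output(run(purge(t, u)), u).  Returns the (trace, u) pairs
    that fail, checking exhaustively over all traces of up to max_len actions."""
    violations = []
    for n in range(max_len + 1):
        for trace in product(ACTIONS, repeat=n):
            for u in DOMAINS:
                if output(run(step, trace), u) != output(run(step, purge(trace, u)), u):
                    violations.append((trace, u))
    return violations


if __name__ == "__main__":
    leaky = noninterference_violations(leaky_step)
    print(f"leaky hypervisor: {len(leaky)} violations, e.g. {leaky[0]}")
    print(f"separated hypervisor: {len(noninterference_violations(separated_step))} violations")
```

Two caveats a practitioner should keep in mind. Exhaustive trace enumeration is exponential and only works for a toy model; a proof of the kind the abstract refers to would instead discharge Rushby's unwinding conditions (output consistency, step consistency and local respect) on the transition relation. And the purge-based definition is only sound for transitive policies; once a policy contains a trusted intermediary such as a downgrader or guard (A may flow to G and G to B, but not A to B directly), purge has to be replaced by the intransitive ipurge.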
Keywords/Search Tags: cloud computing system, security model, high assurance, separation, non-interference theory, trust, information flow model, multi-level management model