
Formal Protection Architecture for Cloud Computing System

2014-03-22

ZTE Communications, 2014, No. 2


Yasha Chen1, Jianpeng Zhao1, Junmao Zhu1, and Fei Yan2

(1. The Institute of North Electronic Equipment, Beijing 10020, China;

2. Department of Computer Science, Wuhan University, Wuhan 430000, China)

Cloud computing systems play a vital role in national security. This paper describes a conceptual framework, called dual-system architecture, for protecting computing environments. While attempting to be logical and rigorous, the paper avoids a fully formalized method and instead uses the process algebra Communicating Sequential Processes (CSP).

formal method; trusted computing; privacy; cloud computing

1 Introduction

Cloud computing relies on shared resources to achieve coherence and economy of scale. It is similar to a utility, such as an electricity grid, delivered over a network. The foundation of cloud computing is converged infrastructure and shared services.

Transitive trust is key to the controlling ability of the Trusted Computing Platform (TCP). The Trusted Computing Group (TCG) states that if an information system starts from an initial root of trust, and at every transfer of control the trust is passed to the next component by integrity measurement, then the platform computing environment is always credible. The trusted platform module (TPM) is a kind of SoC chip and is the root of trust for the TCP. For the TPM, the operating system and applications are all objects that must undergo integrity measurement before they run. So when a new module is loaded into internal storage, the OS kernel first takes charge of determining whether the module is credible. If the loaded module is credible (such as a driver), the OS kernel allows it to be loaded; conversely, if it is not credible, the OS kernel refuses to load it. The transitive trust chains presented by the TCG usually run BIOS → OS Loader → OS Kernel, and finally trust is passed on to the kernel load area of the OS. Using a Linux platform, Sailer [1], [2] achieved credible transmission of executable code from the OS to applications. Maruyama [3] explored a credible transmission mechanism from Grub to the OS. Huang Tao [4] showed how to achieve credible boot on a server platform. Research on transitive trust is now being conducted by the European OpenTC project, Microsoft's NGSCB, and Intel's LT technology [5]-[7].
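The BIOS → OS Loader → OS Kernel chain described above, as an added example that is not part of the original paper: each stage measures the next one and extends a PCR-style register before handing over control, and a verifier replays the event log against a known-good value. The sample images, the zero-initialised register and the SHA-256 extend rule H(old ‖ measurement) are assumptions made for this illustration (the extend rule follows the TPM's pattern, but no real TPM is involved).

```python
import hashlib

# A PCR-style register starts at all zeros after reset (as a TPM PCR does). Assumed here.
ZERO_PCR = bytes(32)

# Constructed sample images standing in for the three stages of the chain.
BOOT_ORDER = ["BIOS", "OS Loader", "OS Kernel"]
GOOD_IMAGES = {
    "BIOS": b"sample bios image v1",
    "OS Loader": b"sample os loader v1",
    "OS Kernel": b"sample kernel image v1",
}

def measure(image: bytes) -> bytes:
    """Integrity measurement of a component: SHA-256 of its bytes."""
    return hashlib.sha256(image).digest()

def extend(pcr: bytes, measurement: bytes) -> bytes:
    """PCR extend: new = H(old || measurement). The register can only be
    extended, never set, so a later stage cannot hide what came before it."""
    return hashlib.sha256(pcr + measurement).digest()

def boot_chain(images: dict, order=BOOT_ORDER):
    """Simulate transitive trust: each stage measures the next stage into the
    register *before* passing control to it. Returns (event log, final PCR)."""
    pcr, log = ZERO_PCR, []
    for name in order:
        m = measure(images[name])
        pcr = extend(pcr, m)
        log.append((name, m.hex()))
    return log, pcr

def replay_log(log) -> bytes:
    """A verifier recomputes the register value from the event log alone."""
    pcr = ZERO_PCR
    for _, m_hex in log:
        pcr = extend(pcr, bytes.fromhex(m_hex))
    return pcr

def attest(log, reported_pcr: bytes, golden: bytes) -> bool:
    """The platform is credible only if the log is consistent with the reported
    register value AND that value equals the known-good (golden) value."""
    return replay_log(log) == reported_pcr and reported_pcr == golden

def golden_pcr() -> bytes:
    """Known-good value, recorded once from a trusted build of the sample images."""
    return boot_chain(GOOD_IMAGES)[1]

def tampered_boot():
    """The same chain with a modified kernel image: the final register value changes."""
    images = {**GOOD_IMAGES, "OS Kernel": b"sample kernel image v1 + injected code"}
    return boot_chain(images)

if __name__ == "__main__":
    log, pcr = boot_chain(GOOD_IMAGES)
    print("good boot attested:", attest(log, pcr, golden_pcr()))
    bad_log, bad_pcr = tampered_boot()
    print("tampered boot attested:", attest(bad_log, bad_pcr, golden_pcr()))
```

Two properties of the chain are worth noticing: a tampered stage changes every later register value, and a log that has been edited to look clean no longer replays to the reported value, so the verifier catches both the modification and the attempt to hide it.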

2 Application Description

The traditional von Neumann cloud computing architecture lacks a security mechanism. The TCG has attempted to resolve this problem and has made several breakthroughs by adding trusted hardware [8]-[11]. However, there are still four issues in terms of essential information system security assurance:

1) Lack of a reasonable security architecture. The current single-architecture trusted computing does not separate the trusted computing base from the OS. Hence, the architecture can be violated and does not provide adequate protection. There are several dual-system architectures that are based on attribute values and have a passive protection mechanism: the trusted computing function is called passively by the application. Once a security loophole is attacked, there are no restrictions on such illegal usage.

2) Lack of a trusted-resource sharing methodology. With multiple applications sharing the same trusted resources, dynamic calling of the trusted services may lead to potential conflicts, deadlocks and dispatching problems.

3) Lack of an information flow security mechanism among applications in the current OS. An application can easily be called by others, enabling free flow of unnecessary information. This may cause unexpected circulation of information.

4) Lack of a verification mechanism between security attributes and practical engineering. The abstract model and the real system differ in observation perspective. Security attributes in formalized models are highly conceptual abstractions, and the real system lacks a transition and explanatory methodology. Consequently, there is a disconnect between practice and theory.

This paper proposes a credible security system architecture that achieves the core trusted computing functions at the OS level to support active (initiative) credible monitoring. This architecture builds a credible software base. The base is logically relatively independent, and it manages credible resources and computing processes by virtual methods. It also supports a credible mechanism for monitoring the resource-processing behavior of applications through active interception at the system level.

Figure 1. Trusted assurance of dual-system architecture.

The features of trusted assurance in a dual system are entirely different from those in a single system. We design its functions with an initiative (active) control mechanism, a credible computing service mechanism and other related auxiliary mechanisms. We also take the initiative measure-control function of the Trusted Platform Control Module (TPCM) and the dual-system idea of the Trusted Base's Operating System (TBOS) into the basic framework for dual-system initiative credible security. The model is shown in Fig. 1. Compared with the Trusted Software Stack (TSS) specification of the TCG, this system adds credible access control: the TSB deploys a host stuck point (HSP) in the system call service, which intercepts information about applications and sends it to the TSB to be measured and assessed. The HSP gets the context of the application object from the host, gathers the credibility-related and access-control-related information of the application, and hands over to the TSB through the system switch interface. The TSB then performs credible measurement and credible control according to this information. The TSB executes the credible-measure operation according to the credible-measure policy: 1) it determines the credible attribute of the related objects according to the measurement and the credible-judgment policy, and then writes it to the credible context of the object stored in the TSB; 2) it determines the mode of control according to the attribute of the system action, the credible attribute of the related object and the credible control policy. Then the TSB executes the credible control operation, and the computing result is returned to the host system by the HSP. The access control strategies executed in the TSB are the common discretionary access control and mandatory access control strategies. This security policy runs in an environment totally independent of the host system, and privileged core processes in the host system cannot interfere with operation in the TSB. In this way, the security issues discussed above are solved.

The TSB also offers credible computing functions. After judgment, an application that needs a credible service sends the information the service needs to the TSB via the HSP. The TSB configures an exclusive virtual credible service environment for it by building credible pipelines, and sends the computing results back to the application. The TSB also covers a credible computing framework, credible database, credible resource management, and more. It also includes what is presented in the TSS, such as synchronous access to the TPCM, the capability of hiding the structuring of command streams from applications, and the management of the credible hardware resources of the TPCM.

The trusted software base (TSB) and the host system are logically separated, and they are combined by the system switch interface. For the applications of the host system, the resources visible to applications are virtual resources accessed by system calls; they really access the physical resources that are mapped from the application level to the resource level. Therefore, we put the stuck point in the process of accessing virtual resources, which logically switches the information to the TSB for judgment and then fulfils the virtual resource access. However, for the applications, the flows that happen in the TSB are unnoticed; we call these flows transparent to applications.

The TSB has an initiative measure-control function. Because applications use virtual application resources (VAR) by system call, by HSP.
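The HSP → TSB → host round-trip described in this section, as an added simulation that is not the paper's own code: a host system call on a virtual resource is intercepted at a stuck point, the TSB measures the object against a whitelist and writes the result into its own credible context, applies discretionary control and a two-level mandatory lattice, and the host touches the mapped resource only after the verdict comes back. The Subject and VirtualResource classes, the "public"/"secret" lattice, the six-character permission string and the sample files are all assumptions made for the example.

```python
import hashlib
from dataclasses import dataclass

# Assumed two-level MAC lattice for the example (not from the paper).
LEVELS = {"public": 0, "secret": 1}

@dataclass(frozen=True)
class Subject:
    uid: str
    level: str

@dataclass
class VirtualResource:
    path: str
    owner: str
    level: str
    mode: str      # six chars: owner "rwx" triple then others "rwx" triple, '-' = absent
    data: bytes

class TrustedSoftwareBase:
    """TSB side. Measurement policy, control policy and the credible context
    live here; the host reaches them only through evaluate()."""
    def __init__(self, known_good):
        self.known_good = set(known_good)   # measurement policy: hashes of credible code
        self.credible_ctx = {}              # path -> (sha256, credible): the object's credible context
        self.audit = []

    def evaluate(self, subj, action, res):
        # 1) credible-measure operation: derive the object's credible attribute
        digest = hashlib.sha256(res.data).hexdigest()
        credible = digest in self.known_good
        self.credible_ctx[res.path] = (digest, credible)
        # 2) control mode from the action attribute, the credible attribute and the control policy
        allowed = self._dac(subj, action, res) and self._mac(subj, action, res)
        if action == "exec" and not credible:
            allowed = False                 # code that failed measurement never runs
        self.audit.append((subj.uid, action, res.path, allowed))
        return allowed

    @staticmethod
    def _dac(subj, action, res):
        perms = res.mode[:3] if subj.uid == res.owner else res.mode[3:]
        return {"read": "r", "write": "w", "exec": "x"}[action] in perms

    @staticmethod
    def _mac(subj, action, res):
        s, o = LEVELS[subj.level], LEVELS[res.level]
        return s >= o if action in ("read", "exec") else s <= o  # no read up / no write down

class Host:
    """Host side. Every access to a virtual resource passes the host stuck point (HSP)."""
    def __init__(self, tsb, resources):
        self.tsb = tsb
        self.resources = {r.path: r for r in resources}

    def syscall(self, subj, action, path):
        res = self.resources[path]
        # HSP: gather the subject/object context and switch to the TSB for judgment.
        if not self.tsb.evaluate(subj, action, res):
            return ("DENY", None)
        # Only after the TSB's verdict does the real (mapped) resource access happen.
        payload = res.data if action == "read" else f"{action} {path}".encode()
        return ("ALLOW", payload)

def demo():
    """Constructed scenario exercising each policy layer; returns the verdicts."""
    good_bin, bad_bin = b"\x7fELF sample known tool", b"\x7fELF sample unknown binary"
    tsb = TrustedSoftwareBase({hashlib.sha256(good_bin).hexdigest()})
    host = Host(tsb, [
        VirtualResource("/bin/tool", "root", "public", "rwxr-x", good_bin),
        VirtualResource("/bin/unknown", "root", "public", "rwxr-x", bad_bin),
        VirtualResource("/var/secret.txt", "root", "secret", "rw-r--", b"classified"),
        VirtualResource("/tmp/notes", "alice", "public", "rw-rw-", b"notes"),
    ])
    alice = Subject("alice", "public")
    bob = Subject("bob", "secret")
    return {
        "alice_exec_tool": host.syscall(alice, "exec", "/bin/tool")[0],           # ALLOW
        "alice_exec_unknown": host.syscall(alice, "exec", "/bin/unknown")[0],     # DENY: not credible
        "alice_read_secret": host.syscall(alice, "read", "/var/secret.txt")[0],   # DENY: MAC, no read up
        "bob_read_secret": host.syscall(bob, "read", "/var/secret.txt")[0],       # ALLOW
        "bob_write_notes": host.syscall(bob, "write", "/tmp/notes")[0],           # DENY: MAC, no write down
        "alice_write_notes": host.syscall(alice, "write", "/tmp/notes")[0],       # ALLOW
        "bob_write_secret": host.syscall(bob, "write", "/var/secret.txt")[0],     # DENY: DAC, others lack w
    }
```

The point of the split is visible in the code: the host never sees credible_ctx or the policies, it only receives a verdict, so a compromised host process cannot edit the measurement result or the rules the TSB applies.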

3 Architecture Design

3.1 Security Approximation Conditions Based on Non-Interference Attributes

We give the security approximation conditions in a non-ideal state, that is, the approximation attributes of the system.

Definition 1. Let B (B ⊆ αS) be all the operations of the system visible to a certain user. The user can only see the trace shown through his window B (B ⊆ αS), which we call the part of t (t ∈ τS) confined to window B, written t†B. And,

Definition 2. All the traces user B can see are called the projection of S on B, written S⊙B:

And

Definition 3. The deduction extent of S after user B's observation l is defined as:

All the t in τS that satisfy t†B = l reflect the extent to which B can deduce the behaviour of system S. And,

If the user's window is αS, then the observing window is the whole system alphabet, so the observing window and the system behaviour correspond, and the user can deduce the behaviour of the system. Conversely, if the user cannot observe the system, the observing window is empty {} and the user cannot deduce anything.

So user a in system S cannot deduce whether or when event b occurs from window {a}.

So users in system Q cannot deduce how many times an event occurs through window {b}; they only know that event a will occur after b occurs once.

3.2 CSP Description of Non-Interference

Because the process algebra CSP (Communicating Sequential Processes) has a completely formalized way of describing what a process may do and what a process has already done, it is very easy to combine with the non-deducibility model, to express security policies such as "the system will never divulge information," and to model and confirm the security attributes of a system with this formalized description. CSP focuses on the behaviour model of a guest in the system, namely a CSP process. Each process is related to a component. The alphabet in CSP is all the events a process can complete. The trace records, one by one, each event the process has already done.

Let X be a set of events that an environment with the same alphabet offers to process P in its initial state. Now put P in that environment. If P can be deadlocked at the beginning of execution, X is a refusal set of P. The refusal sets of P are given by refusals(P). For a nondeterministic process, at some point the process may refuse an event because of an internal choice. If a process can never refuse an event it is able to execute, we call it a certain (deterministic) process.

The refusal sets of a process after each trace are given by the stable failures SF〚P〛, which are defined as

where P/s is P after the events in the execution trace s.

P executes all the event sequences recorded by trace s, and then refuses to do anything more. We define this as an impasse (s, X) (a failure, in CSP terms), and use CSP to describe the stable failures model.

Theorem 1: If ∀ a, a′ ∈ traces(S) makes a ≈L a′

s†A is the trace s restricted to the event set A, that is, the trace with all events not belonging to A removed.

Theorem 1 shows that if the traces containing (1) and (2) are equivalent, S can still accept or refuse the same events, and then S satisfies the non-interference attribute with respect to L.

Proof: To prove they are equivalent, we prove that the two impasse sets contain each other.

From the projection of the impasse, we know that there exists f′ = (c′, X′) which makes

we can know that c ≈L c′. The projections of their sequences on L are still equal, that is, (b⌢c′) ≈L (b′⌢c). Our hypothesis is refusals(S/(b′⌢c)) = refusals(S/(b⌢c′)).

Then, we investigate trace f′. We want to prove c ∈ traces(S/b′)†L′. The trace c′ is given by c′ = . From the definition, we know that ei ∈ initials(S/(b⌢)). If ei ∈ L, then ei ∈ initials(S/(b⌢)).

By transforming the system into a representation that can be simulated in CSP, we can check that it satisfies Theorem 1; it can then be proved that the system is non-interfering, and that the security approximation of the system is achieved.

4 Conclusion

In this paper, we focus on the characteristics of, and problems with, the cloud computing environment. We propose a theoretical model of an innovative initiative security protection base for a dual system. We also describe the base by a formalized method and give a verification method for its security attributes.

[1] T. Schelling, “Models of segregation,” American Economic Review, vol. 59, no. 2, pp. 488-493, May 1969.

[2] T. Schelling, “Dynamic models of segregation,” Journal of Mathematical Sociology, vol. 1, no. 2, pp. 143-186, 1971.

[3] M. Matuszewski, N. Beijar, J. Lehtinen, and T. Hyyrylainen, “Understanding attitudes towards mobile peer-to-peer content sharing services,” in PORTABLE’07, Orlando, FL, USA, pp. 1-5. doi: 10.1109/PORTABLE.2007.11.

[4] Mobile Ad Hoc Networking (MANET): Routing Protocol Performance Issues and Evaluation Considerations, IETF Network Working Group RFC 2501, 1999.

[5] J. Li, C. Blake, D. De Couto, H. Lee, and R. Morris, “Capacity of ad hoc wireless networks,” in ACM MobiHoc 2001, Long Beach, CA, USA, pp. 61-69. doi: 10.1145/381677.381684.

[6] X. Li, “Multicast capacity of wireless ad hoc networks,” IEEE/ACM Trans. Netw., vol. 17, no. 3, pp. 950-961, Jun. 2008. doi: 10.1109/TNET.2008.927256.

[7] P. Gupta and P. Kumar, “The capacity of wireless networks,” IEEE Trans. Inf. Theory, vol. 46, no. 2, pp. 388-404, Mar. 2000. doi: 10.1109/18.825799.

[8] C. Perkins and E. Royer, “Ad-hoc on-demand distance vector routing,” in WMCSA 1999, New Orleans, LA, USA, pp. 90-100. doi: 10.1109/MCSA.1999.749281.

[9] D. Johnson and D. Maltz, “Dynamic source routing in ad hoc wireless networks,” in Mobile Computing, T. Imielinski and H. Korth, Eds., New York: Kluwer Academic Publishing, 1996, pp. 153-181.

[10] R. Draves, J. Padhye, and B. Zill, “Comparison of routing metrics for static multihop wireless networks,” in ACM SIGCOMM 2004, Portland, OR, USA, pp. 133-144. doi: 10.1145/1015467.1015483.

[11] D. De Couto, D. Aguayo, J. Bicket, and R. Morris, “A high throughput path metric for multihop wireless routing,” in ACM MobiCom 2003, San Diego, CA, USA, pp. 134-46. doi: 10.1145/938985.939000.

Manuscript received: 2014-03-03

Biographies

Yasha Chen (yashachen@gmail.com) has a PhD degree in computer software from Beijing University of Technology. She is currently working at the Institute of North Electronic Equipment. Her research interests include information security and network security.

Jianpeng Zhao (JianpengZhao@gmail.com) has a PhD degree in computer software from Beijing University of Posts and Telecommunications. He is currently working at the Institute of North Electronic Equipment. His research interests include information security and network security.

Junmao Zhu (JunmaoZhu@gmail.com) has a PhD degree in computer software from Beijing University of Posts and Telecommunications. He is currently working at the Institute of North Electronic Equipment. His research interests include information security and network security.

Fei Yan (FeiYan@gmail.com) has a PhD degree in computer software from Wuhan University. He is currently working at Wuhan University. His research interests include information security and network security.

New Member of ZTE Communications Editorial Board

Xiaodong Wang (S’98-M’98-SM’04-F’08) received the PhD degree in Electrical Engineering from Princeton University. He is a professor of Electrical Engineering at Columbia University in New York. Dr. Wang’s research interests fall in the general areas of computing, signal processing and communications, and he has published extensively in these areas. Among his publications is a book entitled “Wireless Communication Systems: Advanced Techniques for Signal Reception”, published by Prentice Hall in 2003. His current research interests include wireless communications, statistical signal processing, and genomic signal processing. Dr. Wang received the 1999 NSF CAREER Award, the 2001 IEEE Communications Society and Information Theory Society Joint Paper Award, and the 2011 IEEE Communication Society Award for Outstanding Paper on New Communication Topics. He has served as an Associate Editor for the IEEE Transactions on Communications, the IEEE Transactions on Wireless Communications, the IEEE Transactions on Signal Processing, and the IEEE Transactions on Information Theory. He is a Fellow of the IEEE and listed as an ISI Highly-Cited Author.