【作者】 马俊；

【导师】 王志英；

【作者基本信息】 国防科学技术大学 ， 计算机科学与技术， 2011， 博士

【摘要】 随着信息网络的快速发展,数据信息的应用环境越来越复杂,数据在从创建、存储、使用、共享、归档到销毁的生命周期各个阶段都面临各种泄漏风险,特别是由内部威胁导致的数据泄漏问题日益突出。传统的数据泄漏防护技术可以有效抵御来自外部的攻击,但对于内部威胁还缺乏有效的防护。而且这些技术多是针对数据生命周期某个阶段的防护需求建立相应的防护机制,没有形成统一的有机整体,一旦某个环节出现问题,将导致整个泄漏防护失败。分布式和云计算技术的广泛应用给数据泄漏防护提出了许多新的挑战。如何有效应对内部威胁导致的数据泄漏,建立支持数据全生命周期的统一防护机制,确保数据在存储、使用和共享传输过程中的安全,是当前信息安全领域亟待解决的关键问题。本文分析了数据生命周期各个阶段的泄漏防护需求,并针对内部威胁的特点,从增强数据自身防护能力的角度出发,提出了一种面向内部威胁的数据泄漏主动防护模型。基于该模型,本文分别从信息流约束、可信主体的隔离约束以及主动防护体系结构等方面深入研究了数据泄漏防护的理论和技术。通过对关键技术的集成,设计实现了一款具有主动防护能力的安全移动存储器,验证了模型的正确性和防护技术的有效性。本文取得的主要研究成果如下:1.提出了一种面向内部威胁的数据泄漏主动防护模型。该模型通过对数据本身或数据存储环境进行属性和安全机制扩展,为数据增加具有自主安全防护能力的安全数据容器(Secure Data Container, SDC),由安全容器在数据生命周期的各个阶段主动对使用环境进行可信检测,并对数据使用过程进行安全控制,从而实现对数据的“贴身保护”。同时,针对内部威胁的特点,给出了数据泄漏主动防护模型的实现框架,为本文关键技术的研究提供总体的思想和结构指导。2.提出了一种基于单向信息流约束的主动中国墙模型。该模型针对数据泄漏防护中信息流约束的特点和需求,对传统中国墙模型的冲突关系和联盟关系进行了扩展,提出了主动冲突关系和主动联盟关系的概念。在此基础上,给出了模型的形式化描述和安全特性分析,并与传统中国墙模型以及BLP模型等进行了比较和分析,最后给出了模型在访问控制、终端电子文档泄漏防护和虚拟机环境泄漏防护等不同应用场景下的实现结构。3.提出了一种面向可信主体约束的动态隔离机制。该机制根据数据泄漏防护的需求划分隔离域,并针对可信主体的不同访问操作,通过读隔离、写隔离和通信隔离等三种隔离过程动态扩展隔离域范围,在保证可信主体应用完整性的同时,防止其通过“合法操作”导致的数据泄漏。给出了隔离过程中文件和进程迁移的实施策略,并使用形式化方法对动态隔离机制的安全性进行了描述和证明。在此基础上,通过扩展不同隔离域之间的引用关联,实现了一种动态隔离增强的轻量级虚拟机DI-FVM。DI-FVM在操作系统层进行虚拟化,通过引用关联来实现细粒度的行为约束。4.提出了一种基于使用预期的主动安全存储结构。从数据角度出发,根据数据在不同状态下对属性、访问操作以及使用环境的安全预期,建立统一的安全需求描述机制,提出了基于预期的使用控制模型。在此基础上,重点研究了数据从存储设备到使用环境的连续保护问题,提出了一种基于使用预期的主动安全存储体系结构(Usage-Expectation-based Active Secure Storage, UE-ASS)。UE-ASS将主动防护机制绑定到存储设备中,通过在终端系统中动态构建虚拟隔离使用环境,并基于可信计算建立从存储设备到隔离环境的信任链,实现数据使用预期的可信传递和使用过程的连续控制。5.以主动泄漏防护模型为指导,综合上述关键技术成果,设计实现了一款具有主动防护能力的安全移动存储器UTrustDisk。该存储器将嵌入式安全芯片集成到存储器硬件中,并通过安全芯片上运行的片上操作系统(Chip Operating System,COS)实现存储器的主动防护。COS会在终端系统中动态构建数据使用的虚拟隔离环境DI-FVM,并基于安全芯片提供的安全机制实现信任链的建立和数据使用预期的管理,从而确保数据从存储设备到使用环境过程中的主动泄漏防护。以上研究成果综合考虑了内部威胁的特点和数据整个生命周期内的泄漏防护需求,以信息流分析方法为基础,结合虚拟隔离和可信计算的思想,通过增强数据自身的主动防护能力,实现数据全生命周期的连续泄漏防护。对信息流约束和动态隔离机制的形式化验证表明,本文的方法可以有效保证泄漏防护的安全性,具有一定的理论意义。原型系统的实现和测试也表明,以上泄漏防护技术可以较好的解决内部威胁导致的数据泄漏问题,为实际应用中的泄漏防护提供了重要的技术支撑,具有很好的实用价值。更多还原

【Abstract】 With the rapid development of information networks, the application environment ofdata has become increasingly complex. The data owner would encounter various risk ofleakage in the whole life-cycle of data. The leakage caused by insider threats is increasingprominently. Traditional Data Leakage Prevention(DLP) technologies can effectivelydefend outsider attacks, but lack of protection against insider threats. Moreover, most ofthese technologies provide appropriate protection mechanisms against special situationsof data life-cycle with lack of unifying principles. So a failure at one point would breakdown all the protection mechanisms. What’s more important, the extensive application ofdistributed computing and cloud computing have brought many new challenges to DLP.How to effectively prevent data leakage caused by insider threats and especially assure thesecurity of data in storage, usage and sharing by building unified protection mechanismsfor the whole life-cycle of data has become a burning problem for information security.This paper analyzes protection requirements in all stages of data life-cycle and proposesan active data leakage prevention model against insider threats. And then we presentthe theoretical basis and implementation techniques of this model though researching informationflow constraint mechanism, trusted subjects behavior isolation and active protectionimplementation architecture.Finally, we design and implement a secure removablestorage device which has active defense capabilities against data leakage.The main contributions of this paper are as follows:1. We propose an active data leakage prevention model against insider threats. Byextending the attributes and security mechanisms of data objects and data storage environment,this model contributes to adding the Secure Data Container(SDC) to data. TheSDC will provide trust detection and usage control with the data. Then we also give theimplementation framework for providing key ideas for the following research.2. We propose an Active Chinese Wall Model(ACWM) based on one-way informationflow constraints. This model extends the conflict and alliance relation in traditionalChinese Wall Model(CWM) and presents the conception of active conflict and alliance relation.Based on this , we present the formal description of ACWM and proof its securityfeatures. Then we compare ACWM with traditional CWMs and BLP model. The resultshows the flexibility and adaptability of ACWM. Implementation frameworks based on ACWM are also presented for DLP on three different scenarios in the end.3. We propose a dynamic isolation mechanism for the confinement of trusted subjects.This mechanism set the isolation domain according to the protection requirementof achieved data and dynamically extends the domain through isolation on read, write andcommunication operations of the trusted subject. We present implementation strategiesfor migration of files and processes. Then we give formal descriptions of the mechanismand proof the security for data leakage prevention. Based on this, we implement theDynamic-Isolation-enhanced Featherweight Virtual Machine(DI-FVM) by creating virtualizationlayer in the operating system level which can provide fine-grained behavioralconstraints for trusted subjects.4. We propose an Usage-Expectation-based Active Secure Storage(UE-ASS) architecture.In order to build an unified security requirement description mechanism for dataleakage, we present the conception of expectation according to the security constraintson attributes, access operations and usage contexts of the data object. Based on this, weextend the usage control model from the data perspective to providing continuous controlfrom storage device to usage environment. Then we give UE-ASS architecture, whichcombines the active protection mechanism with the storage device and constructs virtualisolated usage environment in terminal system before usage.5. Based on the above models and technologies, we design and implement a secureremovable storage device called UTrsutDisk. The hardware is integrated with an embeddedsecurity chip and achieves active defense by the Chip Operating System(COS). COSwill build a dynamic virtual isolation environment, named DI-FVM, in terminal systemand manage the usage expectations of data. So, UTrustDisk provides continuous protectionwhen the data is transmitting from the storage device to usage environment.All the above research results provide effective theories and technologies for dataleakage prevention especially against insider threats. The formal verification of informationflow confinement and dynamic isolation mechanism shows the theoretical contributions.Meanwhile, the implementation and evaluation result shows the effectiveness fordata leakage in practice.更多还原