【作者】 李琳；

【导师】 李庆忠；

【作者基本信息】 山东大学 ， 计算机软件与理论， 2014， 博士

【摘要】 软件即服务(Software as a Service, SaaS)是云计算中一种非常重要的服务交付方式,服务商负责应用软件的维护、管理、升级等工作,租户通过网络租赁应用并按使用付费,不需要关心底层复杂的实现细节。SaaS模式下,成熟的服务运营商一般采用单实例多租赁(Single Instance Multi-Tenancy)的方式,使用同一个应用实例为不同租户提供服务,即多租户应用。对于许多中小型企业来说,SaaS是采用先进技术的最好途径。在多租户应用中,租户数据的存储和处理都发生在非完全可信的服务运营商端,租户对自己数据的控制能力被大大削弱。非完全可信的服务运营商有可能会在租户未授权的情况下,恶意篡改、伪造或者删除租户数据,破坏租户数据的完整性。如何防止不可信的云服务提供商监守自盗,破坏租户数据完整性,是现阶段Saas应用进一步推广需要解决的重要问题。由于多租户应用的按需定制、共享存储、多数据节点等云的特征,面向多租户应用的数据完整性保护面临着一系列的新的需求：(1)租户感知的数据完整性验证结构的构建需求。在SaaS多租户模式下,成千上万的租户共享底层物理数据表存储。在这种情况下,基于已有的完整性保护方法(如MHT等)直接对共享数据表构造完整性验证结构的方式,缺乏对租户的识别,难以对租户数据进行区分。在对一个租户数据进行验证时,会需要表中其他租户数据来辅助构造验证对象,使得租户间完整性验证过程中数据互相交叉,增加了验证对象的构建复杂度,降低验证效率。(2)租户数据完整性问题及时发现需求。由于租户的数据和应用都托管在了远程服务提供商端,租户对自己数据的控制能力大为降低,租户对于及时发现数据完整性问题的需求更为强烈,租户不仅需要能够确认自己正在使用的数据是正确的完备的,对于一些使用频率较低的数据,租户也希望能够及时发现这些数据是否被破坏。(3)租户数据可靠存储需求。在SaaS模式下,租户可以定制副本数量并付费使用,因此租户需要能够确认系统是否可靠地存储了他们的数据副本。但是,采用明文存储的数据副本很容易受到服务提供商内部恶意员工的合谋攻击,通过多个存储服务器共享一个数据副本来节省存储空间,严重破坏租户经济利益,降低租户数据访问效率与可靠性。因此,本论文以多租户应用模式中租户数据完整性保护为目标,结合多租户数据共享存储、租户隔离、租户按需租赁定制其应用等特点,对云计算环境下面向多租户应用的数据完整性保护的关键问题进行研究,主要工作和贡献包括：(1)提出面向租户的完整性验证方法MTAS (Multi-tenant Authentication Structure),在共享存储模式下,通过以租户为单位分别对共享表内租户数据构造验证结构方法,在租户应用使用数据的时候,进行实时完整性检查,确保多租户间数据完整性验证过程互不干扰,提高验证效率。本文针对租户应用处理数据的实时完整性保护问题,充分考虑租户共享存储、租户隔离与个性化需求等综合因素,基于Pivot-Universal存储模式,提出基于复合MHT的多租户数据完整性保护模型MTAS。MTAS在租户应用数据时对数据进行实时完整性验证,防止错误数据进入租户应用,并且可以针对租户数据以及完整性需求的动态变化,调整完整性保护策略,满足租户动态完整性保护需求。实验结果表明,与传统验证结构相比,MTAS在验证对象重构过程中,大约节省了30%的哈希计算次数,验证对象大小约为传统方法的2/3,是一种行之有效的多租户数据完整性保护模型。(2)提出基于抽样的租户数据完整性保护方法TDIC (Tenant-oriented Duplication Integrity Checking Scheme),通过对租户数据进行周期性抽样检查方法,解决了对所有租户数据进行实时完整性检查造成的性能浪费问题。针对实时的数据完整性检查容易忽略掉租户长期不用的数据的完整性保护问题,提出面向租户副本数据的抽样检查机制TDIC,通过对租户副本内数据进行周期性随机抽样的方式,来降低服务提供商端验证对象的生成代价,消除对租户副本数据全部进行实时验证的资源浪费。同时,TDIC结合租户元组的同态标签与辅助验证树结构,使得租户可以在不泄露租户数据内容的前提下,委托可信第三方对租户副本进行抽样检查。分析与实验结果表明,如果租户逻辑视图中包含10000个数据元组时,在元组破坏率为1%的情况下发现数据被破坏的随机抽样数目最大约为元组总数的5%,相对全部验证的方法极大地降低了系统资源浪费。(3)提出防合谋删除的多副本数据混淆存储TD2O (Tenant Duplicate Data Obfuscation)模型,通过基于元组属性值的数据混淆对租户副本进行区别存储,抵御服务提供商内部恶意人员的合谋删除问题。针对租户副本数据明文存储情况下容易被服务提供商合谋删除问题,提出基于线性隐藏的的数据混淆模型TD2O,通过混淆使得存储相同数据的租户副本具有不同的数据表现内容,防止服务提供商为节省存储空间,整个删除租户不常用副本,保证租户数据完整性,并基于Monte Carlo随机单调函数对TD2O模型进行拓展,制定关键字保序策略,实现租户副本数据关键字的保序,提高混淆副本的查询效率。实验结果表明扩展的TD2O模型在保序关键字上具有较好的查询性能。更多还原

【Abstract】 Software as a Service, i.e. SaaS, is one important service delivery model in cloud computing. In SaaS, service providers take charge of software maintenance, management and upgrade, while tenants subscribe the software service through web and don’t care the implementation detail. Single instance multi-tenancy is the common way adopted by the service providers, by which one instance could serve multiple tenants. For many small and medium enterprises, SaaS is the best way to adopt advanced technologies.In multi-tenancy applications, tenants’ data are stored and processed at the platform of un-trustworthy service providers. The tenant’s ability of controlling their own data has been greatly weakened. An-trustworthy service providers may malicious tampering, forgery or delete tenant data without tenants’ authorization. How to prevent untrusted cloud service provider from violating tenant data integrity is an important issue that needs to be solved in SaaS.For the multi-tenant application characteristics with on-demand customization, shared storage and multiple data node in the cloud, there are a series of new requirements of multi-tenant application oriented data integrity protection.(1)Tenant-oriented data integrity verification structure requirement. In SaaS mode, thousands of tenants share the physical data table. For this case, traditional integrity protection methods such as MHT lack the ability of recognition tenants, it is hard for them to distinguish tenant data in their structures. During the verification phase, they can’t meet the requirements of tenant data isolation.(2) Timely detection of tenant data integrity. As tenants’ data and application are hosted on the remote service provider side and the tenant’s control force of their own data is greatly reduced, tenants are more and more nervous for their data integrity problems. So the tenants need to be able to confirm that not only the data used on-the-fly bualso the low frequency used data is right perfect.(3)Reliable tenant storage needs. In SaaS mode, tenants can customize multiple duplicates and pay for use. So the tenants need to be able to confirm whether service providers reliably store their duplicates. However, plain-text data duplicates is vulnerable to conspired attacks of the service provider malicious employees, in which multiple data nodes share a single copy of tenant data. Conspired attack makes serious damage to tenants’ data and reduces data access efficiency and reliability. Therefore, we need to adopt the confusion strategy to make storage duplicates showing different with each other.This paper aims at tenant data integrity protection in multi-tenant application mode combines with multi-tenant shared storage, multiple data nodesand tenant customization to reaearch the key problems of data integrity protection in multi-tenant application. The main contributions include:(1) Puts forward the Multi-tenant Authentication Structure (MTAS). MTAS provides data integrity assurance for multi-tenant data. By separating indexes with authentication structures, MTAS preserves tenants’isolation and customization characteristics. And we propose a new authentication structure PUA tree (Pivot and Universal table Authentication tree) which composite separate authentication trees built for pivot table and universal table into a single tree based on the characteristic of pivot-universal storage model. So we can get the VO corresponding to queries data in pivot table and universal table in one PUA tree travel. PUA tree saves about30%hash computing at VO verification. Also, PUA tree can handle dynamic structure adjustments for tenant data update operations, such as data insertion, deletion and modification.(2) Presents a sample based tenant integrity protection mechanisms TDIC (Tenant-oriented Duplication Integrity Checking Scheme) for the balance tetween tenant duplicate integrity protection with the system performance. Through periodically random sampling, TDIC reduces the complexity of service provider side verification object construction and eliminate the resource waste. TDIC makes use of homomorphism labels with auxiliary authentication structure to allow trusted third party verification without disclosing tenant data. Analysis and the experimental results show that if the tenant contained in the logical view10000data tuples and the damage rate is1%, the random sampling data number is about5%of the total number of tuples.(3) Promotes the tenant duplicates data obfuscation model (TD2O) based on linear hidden to resist service provider malicious insders’ conspired attack. TD2O makes storage duplicates showing different with each other to ensure tenant duplicates integrity of untrusted service provider deleting the whole copy of tenant data. Based on Monte Carlo random monotone function, promotes an extended TD2O model with query keyword ordering strategy to improve the query efficiency of obfuscation duplicates. Experiment results show that the extended TD2O model has better query performance on the order preserving keyword.更多还原