1 Introduction

With the rapid growth in demand for large-scale data storage and computation, cloud computing has become the predominant paradigm for data processing. Building on high-performance computation and dynamic resource management, clouds provide a distributed and flexible way to deliver various IT services for different users' purposes. In recent years, more complex applications can be delivered by composing multiple basic services located in different clouds [1]; e.g., an emergency assistance application in a smart city can be composed of health care services in an e-health cloud and intelligent route planning services in an e-transportation cloud. However, outsourcing data and operations poses a great challenge to data privacy, since users' data is disclosed to the cloud service providers [2, 3].

Fortunately, homomorphic encryption approaches [4] have been proposed to address these privacy concerns: they allow operations directly on encrypted data without access to the source data. Homomorphic encryption, including FHE (Fully Homomorphic Encryption) and PHE (Partial Homomorphic Encryption), is widely used in secure cloud computation [5] and verifiable computation [6].

Although secret data can be protected by cryptographic algorithms, end-to-end data security cannot be guaranteed during the transmission of data from one cloud service to another. Especially for composite services, secret data may be leaked through the operations of subsequent services even if its source service is protected by access control mechanisms [7,8,9]. Therefore, information flow security is a major concern for service composition in multiple clouds. Fortunately, several kinds of information flow control mechanisms have been proposed to address these concerns, including type systems [10], program analysis [11, 12], model checking [13, 14] and so on. Considering that services are located in different clouds, Xi et al. [15] propose a distributed information flow verification framework for secure service composition across multiple clouds, in which security constraints for each service are specified.

However, most of the above work operates on clear data and guarantees standard noninterference, which strictly forbids all flows of information from 'high' to 'low'. When cloud data is encrypted, improved security constraints supporting downgrading mechanisms are needed to avoid violating standard noninterference [16]. In order to support verification on encrypted data, Peeter et al. [17] present a simple program analysis approach for verifying programs containing cryptographic primitives. Boniface et al. [18] design a new security-typed language that introduces the notion of trusted functions to support verification of declassification operations. Aslan et al. [19] also propose a type system that guarantees noninterference for a language with primitive cryptographic operations, which can prevent dangerous program behavior (e.g., giving away a secret key or confusing keys and non-keys). For cloud computing, Mitchell et al. [20] present an expressive core language for guaranteeing secure execution of all expressible programs in clouds. But these approaches verify a single program or service and work in a centralized way. How to verify the information flow between different services when they are composed together, especially services located in different clouds, remains a great concern. We [21] propose an improved distributed information flow verification framework and approach to support verification on encrypted data for service composition in clouds, but that approach only supports the simplest composite service, i.e., the service chain [12].

In order to ensure end-to-end security for service composition in multiple clouds, we make the following contributions. Firstly, we define the inner and inter encryption flows among different services based on the basic dependence relationship and the compositional structure. Secondly, based on an improved definition of noninterference, we propose a new compositional information flow verification theorem, which modifies the security constraints on each service to support verification on encrypted data. Finally, based on the improved theorem, we design a distributed information flow control framework and approach that supports verification on both clear and encrypted data in clouds.

The rest of the paper is structured as follows. Section 2 gives the preliminaries, including the formal definition of composite services with complex composition structures in service clouds. Section 3 presents the improved secure information flow model for encrypted data in service clouds. In Sect. 4, we propose the distributed information flow control framework and algorithm on encrypted data. Section 5 evaluates the proposed approach. Section 6 concludes the paper.

2 Preliminaries

Before analyzing the information flow among different services, we first give the formal definition of a composite service with complex structure in clouds. Following the cloud model in [15], there are various services \(s_i\), resources \(R_c\) and a security authority \(SA_c\). Services in the same or different clouds can be composed into a composite service \(S_C\) for complex applications.

Based on the definition in [22], we use \(S_C=\langle SC, \vec {G_S}, In_C, Out_C \rangle \) to represent the composite service. Here \(\vec {G_S}=\{S, \vec {E}, \Gamma , I_E, C_{\Gamma }\}\) is a directed graph representing the composition structure. S is the vertex set containing all the service components, \(s_i \in S\), \(i \in N\). \(\vec {E}=\{a_i \in \vec {E}, i \in N\}\) is the set of arcs representing the execution order of \(S_C\). \(\Gamma \) is the condition set containing the transfer conditions of every arc \(a_i \in \vec {E}\), \(\gamma \in \Gamma \). \(I_E\) is the incidence map that associates each arc of \(\vec {G_S}\) with an ordered pair of vertices, \(I_E: \vec {E} \rightarrow S \times S\). \(C_{\Gamma }\) is the map that associates each service vertex with all of its execution conditions, \(C_{\Gamma }: s_i \rightarrow \{ \Gamma ^{'} \}\), \(s_i \in S\), \(\Gamma ^{'} \subseteq \Gamma \).

In addition, the predecessor and successor sets of each service \(s_i\) are denoted \(S_i^{pre}\) and \(S_i^{suc}\) respectively, and we use \(\bullet s_i\) for \(s_i\)'s direct predecessor set and \(s_i \bullet \) for \(s_i\)'s direct successor set.

3 Secure information flow in composite service across multiple clouds

3.1 Secure information flow in composite service with standard noninterference

Based on the composite service model, we use a multi-level security model \((SL, \le )\) [15] to represent data with different sensitivities. For example, in the emergency assistance application the routing data RD is public while the medical data MD is private. We can define a simple model with two security levels, i.e., \(SL=\{L,H\}\), \(L \le H\); then the security level of the routing data is L while that of the medical data is H. For a clear description, we define the function Sec mapping input or output objects to their security levels, i.e., \(Sec: In_i \bigcup Out_i \rightarrow SL\). Thus \(Sec(RD)=L\) and \(Sec(MD)=H\).

In order to analyze the explicit and implicit flows [23] in a composite service, we first analyze the inner-service flow based on the program dependence graph (PDG) [24] and the program backward slice [25]. Here \(in_{i,x}\rightarrow out_{i,y}\) denotes a flow (explicit or implicit) from an input \(in_{i,x}\) to an output \(out_{i,y}\). We can then define the inter-service flow based on the inner-service flow and the complex composition structures as follows [22].

Definition 1

For \(\forall u \in In_i \bigcup Out_i\), \(\forall v \in In_j \bigcup Out_j\), \(s_j \in S_i^{suc}\), there is a flow from u to v iff they satisfy one of the following three conditions.

  (1) For \(u\in Out_i\), \(v\in In_j\), if \(s_i \in \bullet s_j\) and \(v:=u\), there is \(u \rightarrow v\).

  (2) For \(u\in Out_i\), \(v\in Out_j\), if \(u \rightarrow \gamma \) and \(\gamma \in C_{\Gamma }(s_j)\), there is \(u\rightarrow v\).

  (3) For \(u\in In_i \bigcup Out_i\), \(v\in In_j \bigcup Out_j\), if \(\exists w\in In_k \bigcup Out_k\) satisfies \(u\rightarrow w\) and \(w \rightarrow v\), where \(s_k \in S_i^{suc}\) and \(s_k \in S_j^{pre}\), there is \(u \rightarrow v\).

We also obtain the secure composition theorem based on standard noninterference as follows [22].

Theorem 1

For a composite service \(S_C\) , the information flow is secure if each service component \(s_i\) satisfies the following three conditions:

  (1) In each service component \(s_i\), \(\forall u\in In_i\), \(\forall v \in Out_i\), if \(u \rightarrow v\), there is \(Sec(u) \le Sec(v)\);

  (2) In adjacent services \(s_i\) and \(s_{i \bullet }\), \(\forall w_1 \in Out_i^M\), \(w_2\in In_{s_{i\bullet }}\), if \(w_2:=w_1\), there is \(Sec(w_1) \le Sec(w_2)\);

  (3) For each \(\gamma \in C_{\Gamma }(s_i)\), \(\forall w \in Out_k\), \(\forall v \in In_i \bigcup Out_i\), where \(s_k \in S_i^{pre}\), if \(w \rightarrow \gamma \), there is \(Sec(w)\le Sec(v)\).

3.2 Secure information flow model of composite service with encrypted data

Using homomorphic encryption, cloud servers may perform regularly structured computation on encrypted data without access to the decryption keys. However, such operations may violate the requirements of standard noninterference. According to Theorem 1, the data in one object cannot be transmitted to an object with a lower security level during the execution of a service. Yet although an attacker may observe the encrypted data through such a low-level object, he cannot obtain the sensitive data as long as he cannot break the encryption algorithm, so the flow is still considered secure.

In order to analyze encrypted flows in services, the security level of encrypted data is defined as follows, according to the properties of encryption.

Definition 2

For \(\forall u \in In_i \bigcup Out_i\), if u is encrypted, the security level of u is defined as \( Sec(u) = Sec(\langle E, key \rangle )\), where E is the encryption algorithm and key is the encryption key. We obtain the following properties.

  (1) If u is encrypted with a more complex algorithm and key \(\langle E', key' \rangle \), there is \(Sec(\langle E', key'\rangle ) < Sec(\langle E, key\rangle )\).

  (2) When u is decrypted, the data of u is no longer protected by encryption, and the security level of u returns to its original value.

  (3) If u is encrypted multiple times during the execution of the composite service, its security level depends on the strongest algorithm and key.

Based on Definition 2, we extend the definition of the basic dependence relationship to support encryption flows. The inner-service encryption dependence is defined first.

Definition 3

For \(\forall u \in In_i\), \(\forall v \in Out_i\), \(u \rightarrow _{Enc,Dec} v\) represents an encryption flow from u to v within a service, where Enc is the pair of encryption algorithm and key that v adopts and Dec is the pair of decryption algorithm and key that u adopts. There are four cases to consider [21]:

  (1) Neither u nor v is encrypted: there is \(u \rightarrow _{\phi ,\phi } v\), i.e., \(Enc=\phi \), \(Dec=\phi \).

  (2) u is not encrypted but v is encrypted by \(\langle E_v,key_v \rangle \): there is \(u \rightarrow _{\langle E_v,key_v \rangle , \phi } v\), i.e., \(Enc=\langle E_v, key_v \rangle \), \(Dec=\phi \).

  (3) u is initially encrypted but is decrypted with \(\langle E_u, key_u \rangle \) during the execution of the service: there is \(u \rightarrow _{\phi ,\langle E_u, key_u \rangle } v\), i.e., \(Enc=\phi \), \(Dec=\langle E_u, key_u \rangle \).

  (4) Both u and v are encrypted; there are three different sub-cases.

    (4.1) If u is decrypted with \(\langle E_u, key_u \rangle \) during the execution of the service, u is operated on as plaintext and then encrypted by another encryption algorithm and key. Then there is \(u \rightarrow _{\langle E_v, key_v \rangle , \langle E_u, key_u \rangle } v\), i.e., \(Enc=\langle E_v, key_v \rangle \), \(Dec=\langle E_u, key_u \rangle \).

    (4.2) If v is not decrypted but u is re-encrypted by \(\langle E_u, key_u\rangle \), there is \(u \rightarrow _{\langle E_u, key_u \rangle ,\phi } v\), i.e., \(Enc=\langle E_u, key_u \rangle \), \(Dec=\phi \).

    (4.3) If v is not decrypted and u is not re-encrypted, there is \(u \rightarrow _{\phi ,\phi } v\), i.e., \(Enc=\phi \), \(Dec=\phi \).

Considering the explicit and implicit flows among composed services, the inter-service encryption dependence can be defined recursively based on the inner-service dependence.

Definition 4

For \(\forall u\in In_i \bigcup Out_i\), \(\forall v \in In_j \bigcup Out_j\), \(s_j \in S_i^{suc}\), \(u\rightarrow _{EnS,DeS} v\) represents an encryption flow from u to v across service components. EnS is the set of pairs of encryption algorithm and key used along the execution path, and DeS is the set of all decryption operations. The cases to consider are as follows:

  (1) For \(u\in Out_i, v\in In_j\), if \(s_i \in \bullet s_j\) and \(v:=u\), there is \(u \rightarrow _{EnS_u,DeS_u} v\), where \(EnS_u=\phi \) and \(DeS_u=\phi \).

  (2) For \(u\in Out_i, v\in Out_j\), if \(u \rightarrow \gamma \) and \(\gamma \in C_{\Gamma }(s_j)\), there is \(u\rightarrow _{EnS_u,DeS_u} v\), where \(EnS_u=\phi \) and \(DeS_u=\phi \).

  (3) For \(u\in In_i\), \(v\in In_j\), if \(s_i \in \bullet s_j\) and \(\exists w \in Out_i\), \(u \rightarrow _{Enc_u,Dec_u} w\), \(w \rightarrow _{EnS_w, DeS_w} v\), there is \(u \rightarrow _{EnS, DeS} v\), where \(EnS=Enc_u \cup EnS_w\) and \(DeS=Dec_u \cup DeS_w\).

  (4) For \(u \in Out_i\), \(v \in Out_j\), if \(s_i \in \bullet s_j\) and \(\exists w \in In_j\), \(u \rightarrow _{EnS_u,DeS_u} w\), \(w \rightarrow _{ Enc_w,Dec_w} v\), there is \(u \rightarrow _{EnS, DeS} v\), where \(EnS=EnS_u \cup Enc_w\) and \(DeS=DeS_u \cup Dec_w\).

  (5) For \(u\in In_i\), \(v\in Out_j\), if \(s_i \in \bullet s_j\) and \(\exists w1 \in Out_i\), \(w2 \in In_j\), \(u\rightarrow _{Enc_u,Dec_u} w1\), \(w1 \rightarrow _{\phi ,\phi } w2\), \(w2 \rightarrow _{Enc_{w2},Dec_{w2}} v\), there is \(u \rightarrow _{EnS,DeS} v\), where \(EnS=Enc_u \cup Enc_{w2}\) and \(DeS=Dec_u \cup Dec_{w2}\).

  (6) For \(u \in In_i\bigcup Out_i\), \(v \in In_j \bigcup Out_j\), if \(\exists w \in In_k \bigcup Out_k\) satisfies \(u \rightarrow _{EnS_u,DeS_u} w\) and \( w \rightarrow _{EnS_w,DeS_w} v\), where \(s_k \in S_i^{suc}\) and \(s_k \in S_j^{pre}\), there is \(u \rightarrow _{EnS,DeS} v\), where \(EnS=EnS_u \cup EnS_w\) and \(DeS=DeS_u \cup DeS_w\).

  (7) For \(u \in In_i\bigcup Out_i\), \(v \in In_j \bigcup Out_j\), if \(\exists w \in Out_k\) satisfies \(u \rightarrow _{EnS_u,DeS_u} w\) and \( w \rightarrow \gamma \), \(\gamma \in C_{\Gamma }(s_j)\), where \(s_k \in S_i^{suc}\) and \(s_k \in S_j^{pre}\), there is \(u \rightarrow _{EnS,DeS} v\), where \(EnS=EnS_u\) and \(DeS=DeS_u\).

Based on the extended definitions of the inner and inter flows, the improved security definition of information flow supporting encrypted data is as follows:

Definition 5

For a composite service \(S_C\), the information flow is secure if every \(v \in In_i \bigcup Out_i\) in each service component \(s_i\) satisfies the following two conditions:

  (1) For \(\forall u \in In_i\), \(u \rightarrow _{Enc,Dec} v\):

    • If \(Enc-Dec=\phi \), there is \(Sec(v) \ge Sec(u)\).

    • If \(Enc-Dec \ne \phi \), there is \(Sec(v) \ge Sec(\langle E, key \rangle )\), where \(\langle E, key \rangle = Enc-Dec\).

  (2) For \(u \in In_j \bigcup Out_j\), \(s_i \in S_j^{suc}\), \(u \rightarrow _{EnS,DeS} v\):

    • If \(EnS-DeS=\phi \), there is \(Sec(v) \ge Sec(u)\).

    • If \(EnS-DeS\ne \phi \), there is \(Sec(v) \ge \sqcap _{min}^{1\le x \le N_e} Sec(\langle E_x, key_x \rangle )\), where \(\langle E_x,key_x \rangle \in EnS-DeS\).

According to Definition 5, two types of flow are considered separately, i.e., regular and encryption flows. A regular flow must satisfy the traditional noninterference constraint, i.e., the security level of each input or output must be no less than the security level of the object it depends on. For an encryption flow, data security depends on the encryption operation, so the flow is considered secure when the security level of the input or output is greater than or equal to the security level of the strongest encryption operation.

Based on the improved information flow security definition, we can deduce the security constraints on each service as the following theorem:

Theorem 2

The information flow in a composite service \(S_C\) with N steps is secure if each \(s_i\) in \(S_C\) satisfies the following conditions:

  (1) For \(\forall u\in In_i\), \(v\in Out_i\), \(u \rightarrow _{Enc,Dec} v\):

    (a) If v is not encrypted, there is \(Sec(v) \ge Sec(u)\).

    (b) If v is encrypted by \(\langle E_u, key_u \rangle \), there is \(Sec(v) \ge Sec(\langle E_u,key_u \rangle )\).

  (2) For \(\forall u \in In_j \cup Out_j\), \(v\in In_i \cup Out_i\), \(s_j \in \bullet s_i\), \(u \rightarrow _{EnS,DeS} v\):

    (a) If v is not encrypted, there is \(Sec(v) \ge Sec(u)\).

    (b) If v is encrypted by \(\langle E_w, key_w \rangle \), there is \(Sec(v) \ge Sec(\langle E_w,key_w \rangle )\).

  (3) For \(\forall u \in Out_j\), \(v \in Out_i\), \(s_j \in S_i^{pre}\), \(u \rightarrow \gamma \), \(\gamma \in C_{\Gamma }(s_i)\), \(u \rightarrow _{EnS,DeS} v\), there is \(Sec(v) \ge Sec(u)\).

Proof

First, let \(N=1\); then there are two service components in the composite service, i.e., \(s_0\) and \(s_1\).

Case 1. Inner information flow in each service component is considered first, i.e., \(\forall v\in Out_0, u\in In_0, u \rightarrow _{Enc,Dec} v\).

  • Condition (1).a provides that for each \(u \rightarrow _{Enc,Dec} v\) where \(Enc-Dec=\phi \), there is \(Sec(v) \ge Sec(u)\).

  • Condition (1).b provides that for each \(u \rightarrow _{Enc,Dec} v\) where \(Enc-Dec \ne \phi \), there is \(Sec(v) \ge Sec(\langle E_u, key_u \rangle )\).

In the same way, the information flow in \(s_1\) is also secure.

Case 2. Information flow between \(s_0\) and \(s_1\) is considered, i.e., \(\forall v\in In_1 \cup Out_1, u\in In_0 \cup Out_0, u \rightarrow _{EnS,DeS} v\).

  (1) For \(\forall u \in Out_0, v \in In_1, u \rightarrow _{EnS, DeS} v\), according to Definition 4(1), there is \(u \rightarrow _{EnS,DeS} v\) where \(EnS =\phi \) and \(DeS=\phi \), and condition (2).a provides \(Sec(v) \ge Sec(u)\).

  (2) For \(u\in Out_0, v\in Out_1, u \rightarrow \gamma , \gamma \in C_{\Gamma }(s_1)\), according to Definition 4(2), there is \(u \rightarrow _{EnS,DeS} v\) where \(EnS =\phi \) and \(DeS=\phi \), and condition (3) provides \(Sec(v) \ge Sec(u)\).

  (3) For \(\forall u \in In_0, v \in In_1, u \rightarrow _{EnS, DeS} v\), according to Definition 4(3), there is \(\exists w \in Out_0, u \rightarrow _{Enc_u,Dec_u} w, w \rightarrow _{\phi ,\phi } v\).

    • If \(\forall u \rightarrow _{EnS,DeS} w\) satisfies \(EnS-DeS=\phi \), w is not encrypted. Condition (1).a provides \(Sec(w) \ge Sec(u)\), and condition (2).a provides \(Sec(v) \ge Sec(w)\). Therefore, \(Sec(v) \ge Sec(u)\).

    • If \(\forall u \rightarrow _{EnS,DeS} w\) satisfies \(EnS-DeS \ne \phi \), w is encrypted by \(\langle E_u,key_u \rangle \). There is \(EnS-DeS = \{ \langle E_u, key_u \rangle \}\). Condition (1).b provides \(Sec(w) \ge Sec(\langle E_u, key_u\rangle )\). Condition (2).a provides \( Sec(v) \ge Sec(w)\). Therefore, \(Sec(v) \ge Sec(\langle E_u, key_u\rangle )\).

  (4) For \(\forall u \in Out_0, v \in Out_1, u \rightarrow _{EnS, DeS} v\), according to Definition 4(4), there is \(\exists w \in In_1, u\rightarrow _{\phi ,\phi } w, w\rightarrow _{Enc_w,Dec_w} v\).

    • If \(\forall u \rightarrow _{EnS, DeS} v\) satisfies \(EnS-DeS=\phi \), v is not encrypted. Condition (2).a provides \(Sec(w) \ge Sec(u)\), and condition (1).a provides \(Sec(v) \ge Sec(w)\). Therefore, \(Sec(v) \ge Sec(u)\).

    • If \(\forall u \rightarrow _{EnS, DeS} v\) satisfies \(EnS-DeS \ne \phi \), v is encrypted by \(\langle E_w,key_w \rangle \). There is \(EnS-DeS = \{\langle E_w, key_w \rangle \}\). Condition (1).b provides \(Sec(v) \ge Sec(\langle E_w, key_w\rangle )\).

  (5) For \(\forall u \in In_0, v \in Out_1\), according to Definition 4(5), there is \(\exists w1 \in Out_0\), \(w2 \in In_1\), \(u \rightarrow _{Enc_u,Dec_u} w1\), \(w1 \rightarrow _{\phi ,\phi } w2\), \(w2\rightarrow _{Enc_{w2},Dec_{w2}} v\), and \( u \rightarrow _{EnS,DeS} v\) where \(EnS=Enc_u \cup Enc_{w2}\) and \(DeS=Dec_u \cup Dec_{w2}\).

    • If \(\forall u \rightarrow _{EnS,DeS} v\) satisfies \(EnS-DeS=\phi \), there are two different cases:

      (a) For \(Enc_u \cup Enc_{w2} = \phi \), \(Dec_u \cup Dec_{w2}=\phi \), condition (1).a provides \(Sec(v) \ge Sec(w2)\) and \(Sec(w1) \ge Sec(u)\). Condition (2).a provides \(Sec(w2) \ge Sec(w1)\). Therefore, \(Sec(v) \ge Sec(u)\).

      (b) For \(Enc_u = \{ \langle E_u, key_u \rangle \}\), \(Dec_u=\phi \), \(Enc_{w2}=\phi \), \(Dec_{w2}=\{\langle E_u,key_u \rangle \}\), condition (2).a provides \(Sec(v) \ge Sec(u)\).

    • If \(\forall u \rightarrow _{EnS, DeS} v\) satisfies \(EnS-DeS \ne \phi \), there are four different cases:

      (a) For \(Enc_u = \{ \langle E_u, key_u \rangle \}\), \(Dec_u=\phi \), \(Enc_{w2}=\phi \), \(Dec_{w2}=\phi \), where \(EnS-DeS=\{\langle E_u, key_u \rangle \}\), condition (2).b provides \(Sec(v) \ge Sec(\langle E_u,key_u \rangle )\).

      (b) For \(Enc_u = \phi \), \(Dec_u=\phi \), \(Enc_{w2}=\{\langle E_{w2}, key_{w2} \rangle \}\), \(Dec_{w2}=\phi \), where \(EnS-DeS=\{\langle E_{w2},key_{w2} \rangle \}\), condition (2).b provides \(Sec(v) \ge Sec(\langle E_{w2},key_{w2} \rangle )\).

      (c) For \(Enc_u = \{ \langle E_u, key_u \rangle \}\), \(Dec_u=\phi \), \(Enc_{w2}=\{\langle E_{w2}, key_{w2} \rangle \}\), \(Dec_{w2}=\{\langle E_u, key_u \rangle \}\), where \(EnS-DeS=\{\langle E_{w2}, key_{w2} \rangle \}\), condition (2).b provides \(Sec(v) \ge Sec(\langle E_{w2},key_{w2} \rangle )\).

      (d) For \(Enc_u = \{ \langle E_u, key_u \rangle \}\), \(Dec_u=\phi \), \(Enc_{w2}=\{\langle E_{w2}, key_{w2} \rangle \}\), \(Dec_{w2}=\phi \), where \(EnS-DeS=\{\langle E_u, key_u\rangle , \langle E_{w2}, key_{w2} \rangle \}\), condition (2).b provides \(Sec(v) \ge Sec(\langle E_{w2}, key_{w2} \rangle ) \ge min\{Sec(\langle E_u,key_u \rangle ), Sec(\langle E_{w2},key_{w2} \rangle )\}\).

Based on the above analysis and Definition 5, the information flow between \(s_0\) and \(s_1\) is secure.

Therefore, Theorem 2 is true when N=1.

We then assume that Theorem 2 is true when \(N=n\); the proof for \(N=n+1\) is as follows.

Case 1. Inner information flow in the service component \(s_{n+1}\) is considered, i.e., \(\forall u\in In_{n+1}\), \(v\in Out_{n+1}\), \(u \rightarrow _{Enc,Dec} v\).

  • Condition (1).a provides that for each \(u \rightarrow _{Enc,Dec} v\) where \(Enc-Dec=\phi \), there is \(Sec(v)\ge Sec(u)\).

  • Condition (1).b provides that for each \(u \rightarrow _{Enc,Dec} v\) where \(Enc-Dec \ne \phi \), there is \(Sec(v) \ge Sec(\langle E_u, key_u \rangle )\).

And the above assumption provides that the information flow in \(s_0,s_1,\ldots ,s_n\) is secure.

Case 2. The assumption provides that the information flow among the first n service components is secure. Then the inter-service information flows between \(s_{n+1}\) and the former services are considered, i.e., \(\forall v \in In_{n+1} \cup Out_{n+1}\), \(u\in In_j \cup Out_j\), \(u \rightarrow _{EnS,DeS} v\), \(s_j \in S_{n+1}^{pre}\). The data flow and the control flow are considered respectively.

For the data flow, according to Definition 4(6), there is \(\exists w1 \in Out_k\), \(w2 \in In_{n+1}\), \(s_k \in \bullet s_{n+1}\), \(u \rightarrow _{EnS,DeS} w1\), \(w1 \rightarrow _{\phi ,\phi } w2\), \(w2 \rightarrow _{Enc,Dec} v\).

(1) For \(v \in In_{n+1}\), there is \(v=w2\).

  • If \(\forall u \rightarrow _{EnS, DeS} v\) satisfies \(EnS-DeS=\phi \), then for \(u \rightarrow _{EnS, DeS} w1\), \(w1 \rightarrow _{\phi ,\phi } v\) there is \(EnS-DeS=\phi \). Condition (2).a provides \(Sec(v) \ge Sec(w1)\) and the assumption provides \(Sec(w1) \ge Sec(u)\). So there is \(Sec(v) \ge Sec(u)\).

  • If \(\forall u \rightarrow _{EnS, DeS} v\) satisfies \(EnS-DeS \ne \phi \), then for \(u \rightarrow _{EnS, DeS} w1\), \(w1 \rightarrow _{\phi ,\phi } v\) there is \(EnS-DeS=\{\langle E_{ui}, key_{ui} \rangle , 1 \le i \le |S_{n+1}^{pre}|\}\). Condition (2).b provides \(Sec(v) \ge Sec(\langle E_n, key_n \rangle )\), so there is \(Sec(v) \ge \mathop \sqcap _{min}^{1 \le i \le n} Sec(\langle E_{ui},key_{ui} \rangle )\).

(2) For \(v \in Out_{n+1}\), the following cases are considered.

  • If \(\forall u \rightarrow _{EnS, DeS} v\) satisfies \(EnS-DeS=\phi \), there are two cases:

    (a) For \(u \rightarrow _{EnS, DeS} w1\), \(w1 \rightarrow _{\phi ,\phi } w2\), \(w2 \rightarrow _{Enc,Dec} v\) where \(EnS-DeS=\phi \) and \(Enc_{w2}-Dec_{w2}=\phi \), condition (1).a provides \(Sec(v) \ge Sec(w2)\). Condition (2).a provides \(Sec(w2) \ge Sec (w1)\). The assumption provides \(Sec(w1) \ge Sec(u)\). So there is \(Sec(v) \ge Sec(u)\).

    (b) For \(u \rightarrow _{EnS, DeS} w1 \), \(w1 \rightarrow _{\phi ,\phi } w2\), \(w2 \rightarrow _{Enc,Dec} v\) where \(EnS_u-DeS_u=\{\langle E_{ui}, key_{ui} \rangle , 1 \le i \le |S_{n+1}^{pre}| \}\) and \(Dec_{w2}=\{\langle E_{ui}, key_{ui} \rangle , 1 \le i \le |S_{n+1}^{pre}|\}\), condition (2).b provides \(Sec(v) \ge Sec(w1)\). The assumption provides \(Sec(w1) \ge Sec(u)\). So there is \(Sec(v) \ge Sec(u)\).

  • If \(\forall u \rightarrow _{EnS, DeS} v\) satisfies \(EnS-DeS \ne \phi \), there are five cases:

    (a) For \(u \rightarrow _{EnS, DeS} w1\), \(w1 \rightarrow _{\phi ,\phi }w2\), \(w2 \rightarrow _{Enc,Dec} v\) where \(EnS_u-DeS_u=\{\langle E_{ui}, key_{ui} \rangle , 1 \le i \le |S_{n+1}^{pre}|\}\) and \(Enc_{w2}-Dec_{w2}=\phi \), condition (1).b provides \(Sec(v) \ge Sec(\langle E_n, key_n \rangle )\). So there is \(Sec(v) \ge \mathop \sqcap _{min}^{1 \le i \le n} Sec(\langle E_{ui},key_{ui} \rangle )\).

    (b) For \(u \rightarrow _{EnS, DeS} w1\), \(w1 \rightarrow _{\phi ,\phi }w2\), \(w2 \rightarrow _{Enc,Dec} v\) where \(EnS_u-DeS_u=\{\langle E_{ui}, key_{ui} \rangle , 1 \le i \le |S_{n+1}^{pre}|\}\) and \(Enc_{w2}-Dec_{w2}= \{\langle E_{w2}, key_{w2} \rangle \}\), there is \(EnS-DeS=\{\langle E_{ui}, key_{ui} \rangle , 1 \le i \le |S_{n+1}^{pre}|\} \cup \{\langle E_{w2}, key_{w2} \rangle \}\). Condition (1).b provides \(Sec(v) \ge Sec(\langle E_{w2}, key_{w2} \rangle )\). So there is \(Sec(v) \ge \mathop \sqcap _{min}^{1 \le i \le |S_{n+1}^{pre}|} Sec(\langle E_{ui},key_{ui} \rangle )\).

    (c) For \(u \rightarrow _{EnS, DeS} w1\), \(w1 \rightarrow _{\phi ,\phi }w2\), \(w2 \rightarrow _{Enc,Dec} v\) where \(EnS_u-DeS_u=\{\langle E_{ui}, key_{ui} \rangle , 1 \le i \le |S_{n}^{pre}|\}\), \(Enc_{w2}-Dec_{w2}=\phi \) but \(Dec_{w2}=\{\langle E_{un}, key_{un} \rangle \}\), there is \(EnS-DeS=\{\langle E_{ui}, key_{ui} \rangle , 1 \le i \le |S_{n}^{pre}|-1\}\). Condition (2).b provides \(Sec(v) \ge Sec(\langle E_{n-1}, key_{n-1} \rangle )\). So there is \(Sec(v) \ge \mathop \sqcap _{min}^{1 \le i \le |S_{n}^{pre}|-1} Sec(\langle E_{ui},key_{ui} \rangle )\).

    (d) For \(u \rightarrow _{EnS, DeS} w1\), \(w1 \rightarrow _{\phi ,\phi }w2\), \(w2 \rightarrow _{Enc,Dec} v\) where \(EnS_u-DeS_u=\{\langle E_{ui}, key_{ui} \rangle , 1 \le i \le |S_{n}^{pre}|\}\), \(Enc_{w2}-Dec_{w2}=\{\langle E_{w2}, key_{w2} \rangle \}\) but \(Dec_{w2}=\{\langle E_{un}, key_{un} \rangle \}\), there is \(EnS-DeS=\{\langle E_{ui}, key_{ui} \rangle , 1 \le i \le |S_{n}^{pre}|-1\} \cup \{\langle E_{w2}, key_{w2} \rangle \}\). Condition (1).b provides \(Sec(v) \ge Sec(\langle E_{w2}, key_{w2} \rangle )\). So there is \(Sec(v) \ge \mathop \sqcap _{min}^{1 \le i \le |S_{n}^{pre}|} Sec(\langle E_{ui},key_{ui} \rangle )\).

    (e) For \(u \rightarrow _{EnS, DeS} w1\), \(w1 \rightarrow _{\phi ,\phi }w2\), \(w2 \rightarrow _{Enc,Dec} v\) where \(EnS_u-DeS_u=\phi \), \(Enc_{w2}-Dec_{w2}=\{\langle E_{w2}, key_{w2} \rangle \}\), there is \(EnS-DeS=\{\langle E_{w2}, key_{w2} \rangle \}\). Condition (1).b provides \(Sec(v) \ge Sec(\langle E_{w2}, key_{w2} \rangle )\).

For the control flow, according to Definition 4(7), there is \(\exists w1 \in Out_k\), \(w1 \rightarrow \gamma \), \(\gamma \in C_{\Gamma }(s_{n+1})\), \(s_k \in \bullet s_{n+1}\), \(u \rightarrow _{EnS,DeS} w1\), \(w1 \rightarrow _{\phi ,\phi } v\). Condition (3) provides \(Sec(v) \ge Sec(w1)\). The assumption provides \(Sec(w1) \ge Sec(u)\). So there is \(Sec(v) \ge Sec(u)\).

Based on the above analysis and Definition 5, the information flows between \(s_{n+1}\) and the former services \(s_i\), \(i<n+1\), are secure.

Therefore, Theorem 2 is also true when N=n+1.

In conclusion, Theorem 2 is true. \(\square \)

According to Theorem 2, the information flow can be verified by adjacent nodes, which provides an effective way to realize distributed verification on encrypted data across multiple clouds.

4 Distributed information flow control on encrypted data across multiple clouds

4.1 Distributed information flow control framework on encrypted data across multiple clouds

Based on the security constraints on each service component given by Theorem 2, we propose a distributed information flow control framework on encrypted data across multiple clouds, as shown in Fig. 1.

Fig. 1 Distributed information flow control framework on encrypted data across multiple clouds

The distributed information flow verification framework is similar to that in [15]. It is composed of multiple cloud domains including candidate services (CS), security authorities (SA) and cloud platforms (CP). The verification procedure also includes two vital phases, i.e., inner-service and inter-service verification. Compared to [15], both the regular and the encryption flows are verified according to Theorem 2 during the procedure.

4.2 Inner-service information flow verification on service component

In the inner-service verification phase, each service component \(s_i\) is verified by the local SA of its cloud. During this phase, the component can be verified by program analysis [22] or model checking [15] according to the security constraints of Theorem 2.

If \(s_i\) is secure, a service certificate \(SCe_i\) signed by the local SA is generated for the inter-service verification. \(SCe_i\) can be described using the attribute certificates defined in [26], which specify the properties of service \(s_i\) as a set of statements, i.e., the service id, the input \(In_i\), the output \(Out_i\), the corresponding security levels, the inner-service dependences (both regular and encryption dependences) and other security information. For example, \(s_i\)'s service certificate is presented in XML format as follows.

Figure a: service certificate \(SCe_i\) of \(s_i\) in XML format.

To improve efficiency, inner-service verification can be performed off-line before the service's executable code is deployed onto the cloud platform.

4.3 Inter-service information flow verification on service composition

After the inner-service verification, each candidate service \(s_{i,j}\) is verified by the cooperation of the local SA and the SAs of its direct predecessors \(\bullet s_i\). At the beginning of the verification, the composite service is first analyzed by the service composer to generate the dependence graph \(\vec {G_{dep}}\). From the graph we obtain the inter-service dependences, both regular and encryption dependences. The verification is then executed in two main steps according to Theorem 2, i.e., regular flow verification and encryption flow verification. The detailed inter-service verification algorithm is shown as Algorithm 1.

Figure b: Algorithm 1, inter-service information flow verification

4.4 Distributed information flow control algorithm on encrypted data for secure service composition in multiple clouds

Based on the inner-service and inter-service verification, we propose a distributed information flow control algorithm on encrypted data for secure service composition across multiple clouds. The procedure is similar to that in [15]: during the verification, start, success and failure messages are used to control and synchronize the whole procedure. In this algorithm, however, encryption flows and implicit flows are also considered. Encryption flows are verified separately from regular flows, as shown in Algorithm 1. For implicit flows, each candidate service is verified by the SAs of its direct predecessors, including the predecessors that appear in its execution conditions. The distributed information flow control algorithm is presented as Algorithm 2.

Figure c: Algorithm 2, distributed information flow control algorithm on encrypted data
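As an added illustration of the certificate contents of Sect. 4.2 and the two-step check of Sects. 4.3 and 4.4 (not the paper's own algorithm or code), the following Python model checks each candidate against its direct predecessors' certificates, regular flows before encryption flows, driven by start/success/failure messages. Theorem 2's constraints are not reproduced here; the lattice-order rule for regular flows and the rule that an encryption chain is judged at the service that decrypts it are assumptions standing in for it, and the service names, certificates and dependence graph are constructed.

```python
# Added illustration, not the paper's code; both rules below are assumptions standing in for Theorem 2.
LEVELS = {"U": 0, "C": 1, "S": 2, "T": 3}   # security lattice from the simulation setup

def flows_to(src, dst):
    """Assumed regular-flow rule: data may only flow to an equal or higher level."""
    return LEVELS[src] <= LEVELS[dst]

def chain_end(svc, g_dep, forward):
    """Walk encryption dependences forward (to the decrypting service) or backward (to the encryptor)."""
    nxt = [d if forward else s for s, d, k in g_dep
           if k == "enc" and (s if forward else d) == svc]
    return svc if not nxt else chain_end(nxt[0], g_dep, forward)

def verify_candidate(cand, certs, g_dep):
    """Inter-service check of one candidate against its direct predecessors' certificates."""
    preds = [(s, k) for s, d, k in g_dep if d == cand]
    # Implicit flows: a predecessor named in the execution condition counts as well.
    preds += [(s, "reg") for s in certs[cand]["cond"] if (s, "reg") not in preds]
    for src, kind in preds:                               # step 1: regular flows
        if kind == "reg" and not flows_to(certs[src]["out"], certs[cand]["in"]):
            return False, f"{src}->{cand}: {certs[src]['out']} data into a {certs[cand]['in']} input"
    for src, kind in preds:                               # step 2: encryption flows
        if kind == "enc":
            # Assumed rule: ciphertext keeps its plaintext's label, which is only exposed
            # where the chain is decrypted, so the origin is checked against that sink.
            origin, sink = chain_end(src, g_dep, False), chain_end(cand, g_dep, True)
            if not flows_to(certs[origin]["out"], certs[sink]["in"]):
                return False, f"{src}->{cand}: {certs[origin]['out']} plaintext decrypted at {sink}"
    return True, f"{cand} verified against {[s for s, _ in preds]}"

def distributed_verify(order, certs, g_dep):
    """The composer sends start; each cloud's SA verifies its candidate and answers
    success or failure, and the first failure aborts the composition."""
    log = [("start", list(order))]
    for cand in order:
        ok, why = verify_candidate(cand, certs, g_dep)
        log.append(("success" if ok else "failure", why))
        if not ok:
            return False, log
    return True, log

# Constructed certificates (fields a local SA would sign) and dependence graph: s2 (unclassified)
# computes homomorphically on s1's secret ciphertext, s4 (secret) decrypts it, and s3 (unclassified)
# takes s1's output directly and runs only when s1's result says so.
CERTS = {"s1": {"in": "C", "out": "S", "cond": []},
         "s2": {"in": "U", "out": "U", "cond": []},
         "s3": {"in": "U", "out": "U", "cond": ["s1"]},
         "s4": {"in": "S", "out": "S", "cond": []}}
G_DEP = [("s1", "s2", "enc"), ("s2", "s4", "enc"), ("s1", "s3", "reg")]
```

`distributed_verify(["s1", "s2", "s4"], CERTS, G_DEP)` is accepted, while adding s3 to the order is rejected at s3, because the secret output reaches an unclassified input directly, whereas the same data passing through s2 as ciphertext was allowed.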

5 Experiments and evaluations

Security is guaranteed by Theorem 2. In this section, we mainly analyze the functionality and performance of our approach compared with [10, 11, 13, 19, 20] and [21]. A basic comparison of functionality is made first, as shown in Table 1.

Table 1 Basic comparison

From the comparison in Table 1, it can be seen that [13, 19, 20, 21] and our approach support the verification of encrypted flows. However, [13, 19] and [20] verify the flows in a centralized way, namely all the dependence relationships or possible states must be verified by a single security authority in one specific cloud, which is not appropriate for multiple clouds. Although [21] and our approach both work in a distributed way, [21] can only verify the information flow in a service chain, which can be considered a simplified version of our approach.

Besides, we investigate the performance of our distributed algorithm for a further comparison with [13, 19] and [20]. We evaluate the time cost and resource cost of these approaches in multiple scenarios using NS-3 [27, 28]. The basic simulation configuration is shown in Table 2.

Table 2 Simulation configuration

Our simulation involves three cloud domains, three cloud platforms and about 80 service components. We use high-speed Ethernet to connect the different clouds and users. For the security configuration, we define four different security levels, i.e., unclassified (U), confidential (C), secret (S) and top secret (T) [23].

Fig. 2: Time cost on information flow verification

Fig. 3: Time cost on information flow verification

Figures 2 and 3 show the time cost of verification as the number of candidate services and the number of service steps vary. Compared with the centralized verification of [13, 19] and [20], our approach works in a distributed way. Therefore, as the number of candidate services increases, the time cost in [13, 19] and [20] increases sharply while that of our approach increases steadily. Besides, when the number of service steps is larger, the time cost in [13, 19] and [20] increases even more sharply because of the exponential increase in the number of verified states.

Fig. 4: Average resource cost of verification cloud(s)

Fig. 5: Average resource cost of verification cloud(s)

Figures 4 and 5 show the average resource cost of verification with different numbers of candidate services and service steps. Compared to [13, 19] and [20], our approach works in a distributed way in which each cloud participating in the composite service is involved in the verification. Therefore, the average resource cost per verification cloud is evidently lower than in the other three approaches.

6 Conclusion

In order to guarantee end-to-end security of service composition across multiple clouds, especially for computing operations using homomorphic encryption, which may violate standard noninterference, we first define a new kind of dependence relationship, i.e., encryption dependence. We then deduce the improved information flow security theorem for the verification of regular and encryption flows. Based on the theorem, we propose a distributed information flow control framework and algorithm for service composition across multiple clouds. The experiments and evaluations show that our approach can verify composite services across clouds effectively. The prototype verification tools are under development and will be released in the future.