Abstract
Homomorphic encryption allows operations to be performed directly on encrypted data, which offers a promising way to protect outsourced data in clouds. However, it cannot guarantee end-to-end data security when different cloud services are composed together. In particular, operations on encrypted data may violate standard noninterference, a problem that traditional information flow control approaches cannot solve. To analyze information flow involving encrypted data, we define a new type of flow, called the encryption flow, that describes the dependence relationships among different encrypted data objects across multiple services. Based on this new definition, we propose a secure information flow verification theorem and specify improved security constraints on each service component. We then design a distributed information flow control framework and algorithm for verifying regular and encrypted flows across multiple clouds. Our experiments show that our approach is more appropriate for verification across multiple clouds and is more effective than centralized verification approaches.
Acknowledgements
This work was supported in part by National Natural Science Foundation of China (61502368, 61602357 and U1405255), the National High Technology Research and Development Program (863 Program) of China (Nos. 2015AA017203, 2015AA016007), Natural Science Basis Research Plan in Shaanxi Province of China (Grant Nos. 2017JM6047 and 2016JM6034), the Fundamental Research Funds for the Central Universities (XJS17077, JBX171507, JB170303), China Postdoctoral Science Foundation Funded Project (2016M592762).
Cite this article
Xi, N., Ma, J., Sun, C. et al. Information flow control on encrypted data for service composition among multiple clouds. Distrib Parallel Databases 36, 511–527 (2018). https://doi.org/10.1007/s10619-018-7228-2
DOI: https://doi.org/10.1007/s10619-018-7228-2