The regional and dynamic characteristics of mobile clouds pose a great challenge to information flow security during service composition. Although secure verification approaches based on standard noninterference provide solid assurance of the information flow security of a composite service, their overly strict constraints on service components may cause the composition procedure to fail. To ensure the availability of the composite service, we specify declassification policies based on cryptographic operations that allow data to be legally declassified. We also propose an improved distributed secure service composition framework and approach, in which cloud platforms in multiple domains cooperate with each other to complete the declassification and the secure composition procedure. Experiments and evaluation indicate that our approach provides a more reliable and efficient way to compose services securely in mobile clouds.
Mobile devices (e.g., smartphones and tablet PCs) are becoming increasingly popular in daily life because of their portability, pervasive connectivity, and the variety of applications available for them (e.g., iPhone and Android apps). In particular, in recent years more basic functions (e.g., computation, storage, and networking) are offered by cloud computing as software services, for elastic management and rapid, low-cost service delivery, such as SDS (Software Defined Storage) [
However, because of the regional and heterogeneous characteristics of mobile networks, multiple clouds are deployed in different network domains. Due to this multidomain nature of mobile clouds, data located in different mobile terminals and domains may have different security levels, which poses a great challenge to the security of service composition across multiple mobile clouds. For instance, the personal medical records in an e-health data center have a high security level, while the position of the ambulance has a lower one. When these services are composed together for a patient's emergency, data with different security levels are transmitted among these services. If the services are composed in an insecure way, an operation in one service may transmit confidential data to a public object and cause information leakage. Access control has been widely used to protect the sensitive information of an individual service from being released to unauthorized attackers [
To enforce data security during service composition, various security mechanisms have been proposed to validate the information flow in a composite service, based on type systems, Petri nets, model checking, static program analysis, and real-time monitoring. By using a type system [
Based on the above approaches, many schemes for secure service composition among clouds have been proposed to address information leakage in cloud services. Bacon et al. [
Although the above approaches provide solid assurance of the information flow security of a composite service, implementing these IFC policies in real applications is still a challenge. These policies aim at standard noninterference, which requires the complete absence of any information flow or causal flow from high-level entities to low-level ones. However, this requirement is so strict that few services can satisfy it in real applications. If all the candidate services fail verification, there is no available execution path, and the whole composite service fails. Meanwhile, in mobile clouds, services are bound together dynamically during service composition, which means the security sensitivities of the input and output data may change when a mobile terminal moves into a new domain. With dozens of candidate services offering similar functions, selecting appropriate components to compose the application a user requires becomes complex work for a type system, global model checking, or centralized static analysis. For a type system, whenever the user's initial inputs change, the service code has to be rebuilt, which adds cost to the secure service composition. For global model checking and centralized static analysis, it is impractical to employ a centralized entity across multiple clouds to verify information flow security. Moreover, the cost of verification can increase rapidly when the application involves more components and the number of candidate services grows. First, the same service component has to be reverified in each different composite service. Second, the state explosion problem arises if each service component is complicated.
Therefore, a distributed and efficient information flow control mechanism supporting declassifying or downgrading information is needed for the secure and reliable service composition in mobile clouds. Compared to the paper [
The rest of the paper is structured as follows. Section
As shown in Figure
Service composition in mobile clouds.
Referring to the definition in [
Service chain SC is a simplified composite service with sequence structure, which can be represented as
Due to the complex operations in service chain and dynamic network environment, the inner-service dependency
In order to represent different sensitivities of data resources in mobile clouds, multilevel security model is defined as
For each input or output object
For data with different security requirements, the computation rules (CRs) on required security level are defined in [
Based on the standard noninterference, we propose a strong security definition on information flow for composite service in [
The information flow in service chain
Under this definition, a composite service is considered secure only when there is no flow from a high-level object to a lower-level one across all service components. The strong security constraints require that every information flow comply with the security level ordering and tolerate no exceptions. In real applications, as the composite service executes, the required security levels of inputs and outputs keep rising according to the above CRs, so fewer and fewer candidate service components can satisfy them. This leads to a high failure rate in service composition. Therefore, a more general flow policy that allows data declassification is needed to improve the availability of the composite service.
Because of the strong security condition, declassification operations are needed for secure service composition. Cryptographic operations, for example encryption and digital signatures, are promising ways of maintaining data confidentiality and integrity. Through such operations, processed secret data can be placed in a public object, which realizes the declassification of the data. Therefore, extra cryptographic operations
For
When the data in
In the traditional definition of standard noninterference, data with a high security level are not allowed to flow to an object with a lower level, so an encryption operation may violate its requirements. But an attacker who cannot break the ciphertext still cannot obtain the sensitive data, so the transfer is still considered secure even though the sensitive data is moved to an object with lower clearance. To specify this special downgrading flow in a composite service, an extended definition of inner dependence is proposed as follows.
For If If If
Based on the extended inner dependence, interdependence can be defined recursively as follows.
Based on the extended inner dependence and interdependence, the improved security definition of information flow for a composite service can be presented as follows.
The information flow in service chain if if if if
According to Definition
Based on the improved information flow security definition, we can deduce the security constraints on each service as the following theorem.
The information flow in service chain if if if if
First, let
Condition (1)(a) provides that for each Condition (1)(b) provides that for each
In the same way, we can get the information flow is also secure in
If If If If If For For If For For For For
Based on the above analysis and Definition
Therefore, Theorem
Then we assume Theorem
Condition (1)(a) provides that for each Condition (1)(b) provides that for each
And above assumption provides that information flow in
According to Definition For If If For If For For If For For For For For
Based on the above analysis and Definition
Therefore, Theorem
In conclusion, Theorem
Based on the above Theorem
According to the declassification policies, when the provided security level of
In a mobile cloud system with multiple domains, there are several candidate services with the same functions but different providers, which can be denoted by
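As an added example that is not part of the paper, the following Go program models the step-by-step verification of a service chain described above (Definitions of inner dependence and the improved security condition) together with candidate selection per step. The level ordering U < C < S < T is taken from the paper's simulation settings; the join rule, the `Encrypted` flag standing for the cryptographic declassification policy, and the e-health service names, levels and dependencies are assumptions constructed for this example, not the paper's formulas or data. With `declassify=false` it behaves as strict noninterference and finds no execution path; with `declassify=true` the encrypted flow is accepted and the composition succeeds.

```go
package main

import "fmt"

// Level is a security level of the multilevel model; the four values are the ones the
// paper's simulation uses (U < C < S < T). A total order is assumed for this example.
type Level int

const (
	U Level = iota // unclassified
	C              // confidential
	S              // secret
	T              // top secret
)

func (l Level) String() string { return [...]string{"U", "C", "S", "T"}[l] }

// join is the least upper bound used as the computation rule: an object that depends on
// several inputs needs at least the highest of their levels.
func join(a, b Level) Level {
	if a > b {
		return a
	}
	return b
}

// Dep is one inner-service dependency: output Out is computed from input In.
// Encrypted marks a flow that passes through an encryption operation, which is the
// declassification policy modelled here.
type Dep struct {
	In, Out   string
	Encrypted bool
}

// Service is a candidate component with the provided security level of each input/output
// object (what its security certificate would carry) and its dependencies.
type Service struct {
	Name     string
	Provided map[string]Level
	Deps     []Dep
}

// verifyStep checks one component given the required levels of the data arriving on its
// inputs and returns the required levels it imposes on its outputs. With declassify=false
// every flow must respect the level ordering (strict noninterference); with
// declassify=true an encrypted flow may end in a public (U) object.
func verifyStep(required map[string]Level, svc Service, declassify bool) (map[string]Level, error) {
	next := map[string]Level{}
	for _, d := range svc.Deps {
		in, ok := required[d.In]
		if !ok {
			in = svc.Provided[d.In] // data the component supplies itself: as declared
		}
		if svc.Provided[d.In] < in {
			return nil, fmt.Errorf("%s: input %s is cleared for %v but receives %v data", svc.Name, d.In, svc.Provided[d.In], in)
		}
		out := in
		if d.Encrypted && declassify {
			out = U // ciphertext carries nothing for an observer without the key
		}
		if svc.Provided[d.Out] < out {
			return nil, fmt.Errorf("%s: flow %s(%v) -> %s(%v) breaks the level ordering", svc.Name, d.In, in, d.Out, svc.Provided[d.Out])
		}
		next[d.Out] = join(next[d.Out], out)
	}
	return next, nil
}

// composeChain picks, for every step, the first candidate that passes verification. Only
// the map of required levels travels from one step to the next, which is what lets the
// platform of another domain verify the following step on its own.
func composeChain(initial map[string]Level, steps [][]Service, declassify bool) ([]string, error) {
	required := initial
	var chosen []string
	for i, candidates := range steps {
		var next map[string]Level
		picked := ""
		for _, c := range candidates {
			n, err := verifyStep(required, c, declassify)
			if err != nil {
				continue
			}
			next, picked = n, c.Name
			break
		}
		if picked == "" {
			return nil, fmt.Errorf("step %d: no candidate passes verification", i+1)
		}
		chosen = append(chosen, picked)
		required = next
	}
	return chosen, nil
}

// emergencyScenario is constructed sample input after the introduction's e-health case:
// a secret medical record and a public ambulance position feed a dispatch step, followed
// by a notification step. Names and levels are assumptions of this example.
func emergencyScenario() (map[string]Level, [][]Service) {
	initial := map[string]Level{"record": S, "position": U}
	dispatchPlain := Service{"dispatch-plain", map[string]Level{"record": S, "position": U, "route": U},
		[]Dep{{"record", "route", false}, {"position", "route", false}}}
	dispatchEnc := Service{"dispatch-enc", map[string]Level{"record": S, "position": U, "route": U},
		[]Dep{{"record", "route", true}, {"position", "route", false}}}
	notify := Service{"notify", map[string]Level{"route": U, "alert": U}, []Dep{{"route", "alert", false}}}
	return initial, [][]Service{{dispatchPlain, dispatchEnc}, {notify}}
}

func main() {
	initial, steps := emergencyScenario()
	for _, declassify := range []bool{false, true} {
		chain, err := composeChain(initial, steps, declassify)
		fmt.Printf("declassify=%v: chain=%v err=%v\n", declassify, chain, err)
	}
}
```

The point to notice is how little state crosses a step boundary: a candidate in the next domain is verified against the required-level map alone, so no single platform needs the whole chain, and a failed candidate is simply skipped rather than aborting the composition.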
Distributed secure service composition with declassification framework.
This framework is a distributed secure service composition framework involving three main kinds of entities, that is, Cloud Platforms (CP), Candidate Services (CS), and Domain Security Authorities (DSA). Considering the limited energy and computation resources of mobile terminals, the verification procedure is executed by the CPs. The DSAs are responsible for managing the security certificate SCe of each service node. SCe includes the provided security levels of the inputs and outputs, the dependencies between inputs and outputs, and the node's public key. If the service node is a fixed one, that is, the service is provided by the cloud platform, the certificate is generated when the service is first deployed on the cloud platform. If the service node is a mobile one, that is, the service is provided by a mobile terminal, the certificate is generated when the terminal first moves into the domain.
During verification, all candidate services send their dynamic input data and certificates to the cloud platform, which completes the verification procedure. There are two different scenarios, that is, inner-domain and interdomain verification. In inner-domain verification, the candidate services, the CP, and the DSA of the same domain are involved. In interdomain verification, the participating entities include not only the candidate services but also the two CPs and DSAs of the corresponding domains.
Comparing to the traditional verification procedure in [
Based on the Theorem
Cryptographic operation agent in each service node.
The cryptographic operation agent is composed of three function modules, that is, the key negotiator, the encryptor, and the decryptor. The key negotiator is responsible for key management, including key generation, negotiation with other services, key storage, and key update. The encryptor and decryptor are responsible for data encryption and decryption during the service. The agent completes the declassification procedure in two phases, that is, key negotiation, and data encryption and decryption.
Key negotiation phase is the preparation phase for the data declassification, which is also the most critical step. In this phase, for each insecure input or output
Key negotiation in the domain.
Key negotiation across the domain.
When key negotiation begins between two adjacent service nodes, both certificates, containing their respective public keys, are delivered to the counterpart. Then each side's random number, protected by the other side's public key, is transferred at the fourth and seventh steps. And finally the session key
( input and outputs in ( ( ( ( == ( can’t generate appropriate ( ( ( ( ( ( ( == ( ( ( ( (
The data declassification phase is activated after the secure service composition procedure. During service execution, the COA encrypts the insecure inputs and outputs with the session key to realize the declassification of high-level data. It also decrypts the cipher data so that the service function can process it normally.
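The exchange described in the two phases above, as an added example in Go that is not the paper's code: two adjacent service nodes exchange certificates carrying their public keys, each sends a fresh random number encrypted under the peer's public key, both derive the same session key from the two numbers, and the session key is then used to encrypt a high-level output before it is written to a lower-level object and to recover it at the next node. The certificate structure (public key only), the RSA-OAEP transport, the SHA-256 key derivation and AES-256-GCM for the data phase are choices made for this example; the paper does not fix these primitives.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// Certificate stands in for the security certificate SCe; only the fields the key
// negotiation needs are modelled here (provided levels and dependencies are left out).
type Certificate struct {
	Name string
	Pub  *rsa.PublicKey
}

// Agent is one service node's cryptographic operation agent: a long-term RSA key pair
// plus the session key negotiated with its neighbour on the current link.
type Agent struct {
	Name    string
	priv    *rsa.PrivateKey
	session []byte // 32-byte AES-256 key once Negotiate has run
}

func NewAgent(name string) (*Agent, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Agent{Name: name, priv: k}, nil
}

func (a *Agent) Certificate() Certificate { return Certificate{Name: a.Name, Pub: &a.priv.PublicKey} }

// SessionKey exposes the negotiated key for checks only; a real agent keeps it private.
func (a *Agent) SessionKey() []byte { return a.session }

func randomNumber() ([]byte, error) {
	r := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, r)
	return r, err
}

// deriveKey binds the session key to both identities and both random numbers.
func deriveKey(nameX string, rX []byte, nameY string, rY []byte) []byte {
	h := sha256.New()
	h.Write([]byte(nameX))
	h.Write(rX)
	h.Write([]byte(nameY))
	h.Write(rY)
	return h.Sum(nil)
}

// Negotiate runs the key negotiation between adjacent nodes x and y: certificates are
// exchanged, each random number travels encrypted under the peer's public key (RSA-OAEP),
// and each side derives the session key from the number it sent and the one it received.
func Negotiate(x, y *Agent) error {
	certX, certY := x.Certificate(), y.Certificate()
	rX, err := randomNumber()
	if err != nil {
		return err
	}
	rY, err := randomNumber()
	if err != nil {
		return err
	}
	toY, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, certY.Pub, rX, nil) // x -> y
	if err != nil {
		return err
	}
	toX, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, certX.Pub, rY, nil) // y -> x
	if err != nil {
		return err
	}
	rXatY, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, y.priv, toY, nil)
	if err != nil {
		return err
	}
	rYatX, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, x.priv, toX, nil)
	if err != nil {
		return err
	}
	x.session = deriveKey(certX.Name, rX, certY.Name, rYatX)
	y.session = deriveKey(certX.Name, rXatY, certY.Name, rY)
	return nil
}

func (a *Agent) aead() (cipher.AEAD, error) {
	if a.session == nil {
		return nil, fmt.Errorf("%s: no session key negotiated", a.Name)
	}
	block, err := aes.NewCipher(a.session)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Declassify encrypts a high-level output so its ciphertext can be placed in a
// lower-level object; the random nonce is prefixed to the ciphertext.
func (a *Agent) Declassify(plaintext []byte) ([]byte, error) {
	gcm, err := a.aead()
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Recover decrypts a declassified object received from the neighbour for normal processing.
func (a *Agent) Recover(ciphertext []byte) ([]byte, error) {
	gcm, err := a.aead()
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(ciphertext) < ns {
		return nil, fmt.Errorf("%s: ciphertext too short", a.Name)
	}
	return gcm.Open(nil, ciphertext[:ns], ciphertext[ns:], nil)
}

func main() {
	ehealth, _ := NewAgent("ehealth")
	dispatch, _ := NewAgent("dispatch")
	if err := Negotiate(ehealth, dispatch); err != nil {
		panic(err)
	}
	ct, _ := ehealth.Declassify([]byte("patient record (constructed sample)"))
	pt, _ := dispatch.Recover(ct)
	fmt.Printf("%d-byte ciphertext placed in a public object, recovered as %q\n", len(ct), pt)
}
```

Two properties are worth checking in practice: the two sides end with identical keys, and a node that did not take part in the negotiation (or has not negotiated at all) cannot open the declassified object, which is exactly what makes placing the ciphertext in a lower-level object acceptable under the extended definition.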
During the secure service composition, cloud platform
( (2) ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( (
Based on the verification and declassification procedures, we propose a distributed secure service composition with declassification algorithm for mobile clouds. The composition procedure is executed in a distributed way, that is, the cloud platforms of multiple domains need to cooperate with each other to finish the whole procedure. Three types of messages control the execution of the procedure, that is, start_message, failure_message, and success_message. First, each cloud platform
( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( (
The information flow security can be ensured by Theorem
Basic comparison.
Approach | Framework | Information | |
---|---|---|---|
Hutter and Volkamer [ | Type system | Centralized | × |
Nakajima [ | Model checking | Centralized | ✓ |
She et al. [ | Program analysis | Centralized | × |
Chou [ | Program analysis | Distributed | × |
Solanki et al. [ | Program analysis | Distributed | × |
Xi et al. [ | Model checking | Distributed | × |
Xi et al. [ | Program analysis | Distributed | × |
This paper | Program analysis | Distributed | ✓ |
According to Table
In addition, we evaluate the performance of typical approaches, that is, our approach, global model checking [
Simulation Configuration.
Network settings | 
---|---
Simulator | NS-3
Field | 1000 × 1000
Cloud domain | 3
Cloud platform | 3
Mobile nodes | 100
Radio type | 802.11g
Mobility model | RandomWalk
Backbone network | 1 Gbps

Security settings | 
---|---
Security level | U, C, S, T
Our simulated mobile network covers about 1000 × 1000 m², with three cloud domains, three cloud platforms, and about 100 mobile nodes. Each domain in the mobile network has one cloud platform and a random number of mobile nodes. The communication adopts advanced 802
Based on the designed mobile network, we simulate the service composition process across multiple mobile clouds. During the simulation, we investigate the success rate and the time cost of composition for different numbers of service steps and candidate services. The parameters varied in the simulation are listed in Table
Experiment scenario.
Success rate | 
---|---
Candidate Number | 0–20
Service step | 1–15
Approaches | Our approach, Solanki et al. [

Composition Time | 
---|---
Candidate Number | 1–15
Service step | 1–8
Approaches | Our approach, Xi et al. [
Figures
Success rate of composition with candidate service number.
Success rate of composition with service step.
Figures
Composition time with candidate service number.
Composition time with service step.
In this paper, we propose a declassification mechanism for secure service composition based on cryptographic operations and information flow security requirements. Considering the multidomain characteristics of mobile clouds, a distributed secure service composition with declassification framework and approach is proposed to overcome the high failure rate of composition caused by the overly strict security constraints of traditional composition methods. The evaluation on NS-3 shows that our approach can improve the success rate of service composition effectively while the additional cost remains affordable. More dynamic declassification policies for service composition with complex structures will be considered in future work.
The authors declare that they have no competing interests.
This work was supported in part by National Natural Science Foundation of China (61502368, 61303033, and U1405255), the National High Technology Research and Development Program (863 Program) of China (no. 2015AA017203 and no. 2015AA016007), the Fundamental Research Funds for the Central Universities (XJS14072 and JB150308), Natural Science Basis Research Plan in Shaanxi Province of China (Grant no. 2016JM6034), Xi’an Technology Research Project (CXY1402), and the Aviation Science Foundation of China (no. 20141931001).