云环境下多租户数据完整性保护机制研究

发布时间：2018-05-19 10:56

本文选题：云计算 + 多租户应用　；参考：《山东大学》2014年博士论文

【摘要】：软件即服务(Software as a Service, SaaS)是云计算中一种非常重要的服务交付方式,服务商负责应用软件的维护、管理、升级等工作,租户通过网络租赁应用并按使用付费,不需要关心底层复杂的实现细节。SaaS模式下,成熟的服务运营商一般采用单实例多租赁(Single Instance Multi-Tenancy)的方式,使用同一个应用实例为不同租户提供服务,即多租户应用。对于许多中小型企业来说,SaaS是采用先进技术的最好途径。在多租户应用中,租户数据的存储和处理都发生在非完全可信的服务运营商端,租户对自己数据的控制能力被大大削弱。非完全可信的服务运营商有可能会在租户未授权的情况下,恶意篡改、伪造或者删除租户数据,破坏租户数据的完整性。如何防止不可信的云服务提供商监守自盗,破坏租户数据完整性,是现阶段Saas应用进一步推广需要解决的重要问题。由于多租户应用的按需定制、共享存储、多数据节点等云的特征,面向多租户应用的数据完整性保护面临着一系列的新的需求：(1)租户感知的数据完整性验证结构的构建需求。在SaaS多租户模式下,成千上万的租户共享底层物理数据表存储。在这种情况下,基于已有的完整性保护方法(如MHT等)直接对共享数据表构造完整性验证结构的方式,缺乏对租户的识别,难以对租户数据进行区分。在对一个租户数据进行验证时,会需要表中其他租户数据来辅助构造验证对象,使得租户间完整性验证过程中数据互相交叉,增加了验证对象的构建复杂度,降低验证效率。(2)租户数据完整性问题及时发现需求。由于租户的数据和应用都托管在了远程服务提供商端,租户对自己数据的控制能力大为降低,租户对于及时发现数据完整性问题的需求更为强烈,租户不仅需要能够确认自己正在使用的数据是正确的完备的,对于一些使用频率较低的数据,租户也希望能够及时发现这些数据是否被破坏。(3)租户数据可靠存储需求。在SaaS模式下,租户可以定制副本数量并付费使用,因此租户需要能够确认系统是否可靠地存储了他们的数据副本。但是,采用明文存储的数据副本很容易受到服务提供商内部恶意员工的合谋攻击,通过多个存储服务器共享一个数据副本来节省存储空间,严重破坏租户经济利益,降低租户数据访问效率与可靠性。因此,本论文以多租户应用模式中租户数据完整性保护为目标,结合多租户数据共享存储、租户隔离、租户按需租赁定制其应用等特点,对云计算环境下面向多租户应用的数据完整性保护的关键问题进行研究,主要工作和贡献包括： (1)提出面向租户的完整性验证方法MTAS (Multi-tenant Authentication Structure),在共享存储模式下,通过以租户为单位分别对共享表内租户数据构造验证结构方法,在租户应用使用数据的时候,进行实时完整性检查,确保多租户间数据完整性验证过程互不干扰,提高验证效率。本文针对租户应用处理数据的实时完整性保护问题,充分考虑租户共享存储、租户隔离与个性化需求等综合因素,基于Pivot-Universal存储模式,提出基于复合MHT的多租户数据完整性保护模型MTAS。MTAS在租户应用数据时对数据进行实时完整性验证,防止错误数据进入租户应用,并且可以针对租户数据以及完整性需求的动态变化,调整完整性保护策略,满足租户动态完整性保护需求。实验结果表明,与传统验证结构相比,MTAS在验证对象重构过程中,大约节省了30%的哈希计算次数,验证对象大小约为传统方法的2/3,是一种行之有效的多租户数据完整性保护模型。 (2)提出基于抽样的租户数据完整性保护方法TDIC (Tenant-oriented Duplication Integrity Checking Scheme),通过对租户数据进行周期性抽样检查方法,解决了对所有租户数据进行实时完整性检查造成的性能浪费问题。针对实时的数据完整性检查容易忽略掉租户长期不用的数据的完整性保护问题,提出面向租户副本数据的抽样检查机制TDIC,通过对租户副本内数据进行周期性随机抽样的方式,来降低服务提供商端验证对象的生成代价,消除对租户副本数据全部进行实时验证的资源浪费。同时,TDIC结合租户元组的同态标签与辅助验证树结构,使得租户可以在不泄露租户数据内容的前提下,委托可信第三方对租户副本进行抽样检查。分析与实验结果表明,如果租户逻辑视图中包含10000个数据元组时,在元组破坏率为1%的情况下发现数据被破坏的随机抽样数目最大约为元组总数的5%,相对全部验证的方法极大地降低了系统资源浪费。 (3)提出防合谋删除的多副本数据混淆存储TD2O (Tenant Duplicate Data Obfuscation)模型,通过基于元组属性值的数据混淆对租户副本进行区别存储,抵御服务提供商内部恶意人员的合谋删除问题。针对租户副本数据明文存储情况下容易被服务提供商合谋删除问题,提出基于线性隐藏的的数据混淆模型TD2O,通过混淆使得存储相同数据的租户副本具有不同的数据表现内容,防止服务提供商为节省存储空间,整个删除租户不常用副本,保证租户数据完整性,并基于Monte Carlo随机单调函数对TD2O模型进行拓展,制定关键字保序策略,实现租户副本数据关键字的保序,提高混淆副本的查询效率。实验结果表明扩展的TD2O模型在保序关键字上具有较好的查询性能。
[Abstract]:Software as a Service ( SaaS ) is a very important service delivery way in cloud computing . The service provider is responsible for the maintenance , management and upgrade of the application software . The tenant uses the network rental application and pays for the use . It does not need to care about the underlying complex implementation details . In the SaaS mode , the mature service operator uses Single Instance Multi - tenancy . The same application instance provides services to different tenants , i.e . multi - tenant applications . For many small and medium enterprises , SaaS is the best way to adopt advanced technology .

In multi - tenant applications , the storage and handling of tenant data occurs at the end of a non - completely trusted service operator . The ability of tenants to control their own data is greatly impaired . Non - fully trusted service operators may tamper with , forge or delete tenant data without authorization of the tenant , destroying the integrity of tenant data . How to prevent non - trusted cloud service providers from guarding against theft and destroying tenant data integrity is an important issue at this stage of the application of Saas application further .

Data integrity protection for multi - tenant applications is faced with a series of new requirements due to demand customization , shared storage , multi - data nodes , etc .

Therefore , this paper studies the key problems of data integrity protection for multi - tenant applications under cloud computing environment by using tenant data integrity protection in multi - tenant application mode as the target , combining multi - tenant data sharing storage , tenant isolation , tenant - on - demand lease and customizing the application , and the main tasks and contributions include :

( 1 ) An integrity verification method MTAS ( Multi - tenancy Authentication Structure ) for a tenant is proposed . In the shared storage mode , a real - time integrity check is carried out on the tenant data structure in a shared table in a shared storage mode , so as to ensure that the data integrity verification process between the multi - tenancy is not interfered with each other , and the verification efficiency is improved .

In this paper , based on Pivot - Universal storage model , MTAS . MTAS , which is based on multi - tenant data integrity protection model MTAS - MTAS based on composite MHT , is proposed for real - time integrity protection of tenant application processing data , which is based on the Pivot - Universal storage model . The results show that MTAS saves about 30 % of hash calculation times in the process of verifying object reconstruction , and verifies that object size is about 2 / 3 of traditional method . It is an effective multi - tenant data integrity protection model .

( 2 ) A sampling - based method TDIC ( Tenant - oriented Integrity Checking Scheme ) is proposed to solve the problem of performance waste caused by the real - time integrity check of all tenant data by periodically sampling the tenant data .

According to the real - time data integrity check , it is easy to ignore the integrity protection problem of the long - term unused data of the tenant , propose a sampling inspection mechanism TDIC for the tenant copy data , reduce the generation cost of the service provider end verification object by periodically random sampling the data in the tenant replica , and eliminate the resource waste of all real - time verification of the tenant copy data .

( 3 ) Put forward the multi - copy data confusion storage TD2O ( Tenant Duplicate Data Obfuscation ) model deleted by anti - collusion , and make the difference storage to the tenant copy by data confusion based on the tuple attribute value , and resist the collusion deletion problem of the malicious personnel inside the service provider .

The paper proposes a data confusion model TD2O based on linear hiding under the condition of plaintext storage of tenant replica data , and proposes a data confusion model TD2O based on linear hiding , which prevents the service provider from saving the storage space . The whole deletion tenant does not use a common copy to ensure the data integrity of the tenant , and develops the keyword preserving strategy based on the Monte Carlo random monotone function to improve the query efficiency of the duplicated copy . The experimental results show that the expanded TD2O model has better query performance on the order - preserving keyword .
【学位授予单位】：山东大学
【学位级别】：博士
【学位授予年份】：2014
【分类号】：TP393.09;TP309

【参考文献】