An active detection method for security isolation in a multi-tenant cloud platform
Technical field
The invention belongs to the field of cloud security technology, and in particular to a method for detecting security isolation in a multi-tenant cloud platform.
Background technique
Cloud computing has become the development trend of IT infrastructure; as one of the fastest-growing technologies of recent years, it is ever more widely used. By pooling resources (computing, network, storage and so on), it allows the infrastructure to be shared by multiple tenants, providing a convenient, on-demand service model.
However, multi-tenant technology breaks down the barrier between physical devices in the cloud platform; while it improves resource utilisation, it inevitably brings serious security problems. On the one hand, the cloud service provider must give each tenant a corresponding isolation mechanism so that specific resources are not accessed without authorisation; on the other hand, if isolation fails in the shared environment, a malicious tenant in the cloud can break the isolation mechanism and initiate unauthorised access, exposing the data assets of other tenants to great security risk.
Security isolation is therefore particularly important in a multi-tenant cloud platform, and how to improve the security capability of the cloud platform is a technical problem that practitioners in the field urgently need to solve. Existing solutions to the security isolation problem fall into three categories: prior defence, after-the-fact tracing, and run-time checking.
Prior-defence schemes mainly rely on means such as strengthening access control and enhancing security modules to limit access capability in advance. A search of existing patents finds that Chinese patent CN104580505A, published 2015.04.29, discloses a tenant partitioning method and a virtual switch, comprising: the virtual switch assigns each virtual machine on each physical host a corresponding virtual local area network tag that identifies the tenant's messages; the virtual switch assigns each tenant a corresponding virtual tenant network (VTN) identifier and generates the virtual network corresponding to each tenant.
After-the-fact tracing schemes mine and correlate data collected over a period of time in post-hoc analysis, trace back attack paths that already exist in the cloud, and then apply remedial measures. A search of existing patents finds that Chinese patent CN107566369A, published 2018.01.09, discloses a method for evaluating the effectiveness of security isolation and defence for industrial-control infrastructure; the method can equally be applied to cloud-based IT infrastructure. It comprises: establishing an isolation and defence technology model; collecting information on the basis of that model; performing algorithmic analysis on the collected data; and analysing the ability of the business system to resist various attacks when under attack, thereby assessing the effectiveness of the security isolation measures.
Although both classes of solution are an essential part of a cloud security protection system, their shortcomings are that the former cannot cope with unexpected events that occur while the cloud platform is running, such as vulnerabilities and misconfigurations, while the latter can only analyse and remedy security threats that have already occurred inside the cloud and cannot play a preventive role.
The third class of schemes, by checking at run time, can actively discover potential security isolation threats even while the cloud platform is in operation, making up for the deficiencies of the first two. Existing tenant-level real-time security isolation detection methods include: (1) tagging network packets to achieve real-time tracing and analysis of flows; this method cannot, however, check for potential isolation failures; (2) verifying the cloud network by solving Boolean satisfiability; this method has low storage overhead but poor real-time performance; (3) collecting information from the cloud platform, establishing a graph model, and performing real-time updates and model analysis. Work in this direction concentrates mainly on detecting the configuration compliance of cloud infrastructure through provider APIs. This method has strong real-time performance, but an extensible detection scheme for the security isolation problem of multi-tenant cloud platforms has yet to be proposed.
The prior art thus suffers from weak extensibility and poor timeliness. The present invention proposes a security isolation detection method that can detect, in time, potential isolation failure threats that may exist in a dynamically changing cloud environment, making up for the deficiencies of existing methods and improving the security capability of the multi-tenant cloud platform.
Summary of the invention
The aim of the present invention is to address the deficiencies of existing multi-tenant cloud platform security isolation technology. It therefore proposes a method for actively checking the security of configurations in the cloud, which discovers isolation failure threats that may exist in a multi-tenant cloud platform. The method is characterised by strong scalability and high timeliness.
To achieve the above object, the present invention takes the following method, comprising:
(1) Define the graph model: define a directed graph model G = (V, E, C) containing every node in the multi-tenant cloud platform. V denotes the set of nodes in the cloud platform that provide services; any node in the set satisfies v_i ∈ V. E denotes the edges between nodes; any edge e_{i,j} in the set indicates that node v_i may access another node v_j, e_{i,j} ∈ E. C denotes the connectivity relation between nodes; c_{i,j} denotes the connectivity between v_i and v_j, c_{i,j} ∈ C. i and j denote the identifiers of the two nodes.
When constructing the directed graph model, if c_{i,j} = 1, then edge e_{i,j} is considered to exist between v_i and v_j in graph G; if c_{i,j} = 0, then no edge e_{i,j} exists between v_i and v_j. The directed graph model G is stored in the form of a two-dimensional adjacency matrix A, with A[i][j] = c_{i,j}.
(2) Define the detection benchmarks: in a multi-tenant cloud platform there are multiple tenants managed by the administrator, and nodes belonging to different tenants must not be able to initiate unauthorised access to one another; inside each tenant there are multiple user groups, managed by the administrator or the tenant administrator, and nodes belonging to different user groups must not be able to initiate unauthorised access. Security isolation therefore covers two kinds of scenario: first, security isolation between different tenants, for which it must be verified whether a potential threat of unauthorised access exists between tenants; second, security isolation between different user groups within the same tenant, for which it must be verified whether a potential threat of unauthorised access exists between the user groups of one tenant. For these two scenarios, a detection benchmark based on tenant security isolation and a detection benchmark based on user group security isolation are defined respectively.
(21) Detection benchmark based on tenant security isolation: when an attacker obtains administrator privileges, or a malicious administrator exists inside the multi-tenant cloud platform, the configuration of the platform can be maliciously tampered with so that nodes originally belonging to different tenants can initiate unauthorised access to each other, destroying tenant security isolation. Therefore the correct mapping f between tenants and nodes is established as the detection benchmark for tenant security isolation. If n denotes the identifier of a node and tenant_n denotes the identifier of the tenant of the node identified by n, the mapping is denoted:
f(n) = tenant_n.
(22) Detection benchmark based on user group security isolation: for user groups belonging to the same tenant in the multi-tenant cloud platform, define L as the user group level, whose value may be uppr, normal or lower. A user group with L = uppr may access all non-uppr user groups and cannot be accessed by other user groups; a user group with L = normal may exchange visits with all user groups whose L is normal and whose mark value is the same x, x being an integer greater than zero; a user group with L = lower may be accessed by all user groups but cannot initiate access. For a node in a user group, if n denotes the identifier of the node and level_n denotes the mark value of the node identified by n, then the mark value level_n of node n is defined as:
When an attacker obtains administrator or tenant-administrator privileges, or a malicious administrator or malicious tenant administrator exists inside the multi-tenant cloud platform, the level configuration of the user groups can be maliciously tampered with so that nodes of user groups of different levels can initiate unauthorised access to each other, destroying user group security isolation. Therefore the correct mapping y between each user group and its nodes within the same tenant is established as the detection benchmark for user group security isolation; the mapping is denoted:
y(n) = level_n.
(3) Initial state generation: collect the configuration data of all nodes in the multi-tenant cloud platform in the initial state. According to the directed graph model G = (V, E, C) defined in step (1), traverse the configuration data and record the connectivity c_{i,j} ∈ C between the currently traversed node v_i and every other node v_j. If v_i is connected to v_j then c_{i,j} = 1, otherwise c_{i,j} = 0. The graph model G_init based on the initial state is then built according to the definition of step (1).
(4) Initial isolation detection: according to the detection benchmarks of step (2), detect whether the directed graph G_init of step (3) satisfies security isolation. The detection process consists of two stages, initial node marking and initial node detection:
(41) The initial node marking process is: traverse all nodes of the directed graph G_init of step (3) in turn. During the traversal, mark the currently visited node as a node to be detected and insert it at the tail of the queue Detect.
(42) The initial node detection process is: read nodes from the head of the queue Detect in turn until the queue is empty, denoting the node currently read as v_det. Detect whether v_det satisfies the security isolation requirements and, once detection is complete, remove v_det from the head of the queue Detect. The specific detection content comprises: tenant security isolation detection performed according to detection benchmark (21), and user group security isolation detection performed according to detection benchmark (22).
(5) Run-time isolation detection: denote the current running moment as time. If at moment time the administrator or tenant administrator performs a configuration operation on the cloud platform that causes the state of the directed graph to be updated, denote the current directed graph as G_time and, according to the detection benchmarks of step (2), detect whether G_time satisfies the security isolation requirements upon update. The detection process consists of two stages, node marking on update and node detection on update:
(51) The node marking process on update is: the configuration operations of step (5) include creating an instance, deleting an instance, creating a security policy and deleting a security policy. When an administrator or tenant administrator of the cloud platform performs any of these operations, the graph model G_time is updated incrementally, the updated nodes are marked as nodes to be detected, and they are inserted at the tail of the queue Detect.
(52) The node detection process on update is: read nodes from the head of the queue Detect in turn until the queue is empty, denoting the node currently read as v_det. Detect whether v_det satisfies the security isolation requirements and, once detection is complete, remove v_det from the head of the queue Detect. The specific detection content comprises: tenant security isolation detection performed according to detection benchmark (21), and user group security isolation detection performed according to detection benchmark (22).
Further, in the above active detection method for multi-tenant cloud platform security isolation, the incremental update of step (51), when implemented, may specifically comprise the following four cases:
Edge insertion: when creating or deleting a security policy makes node v_i in the graph model G_time of step (5) able to access v_j, set the connectivity c_{i,j} = 1 of step (1) so that the adjacency matrix entry A[i][j] = 1, thereby performing edge insertion.
Edge deletion: when creating or deleting a security policy makes node v_i in the graph model G_time of step (5) unable to access v_j, set the connectivity c_{i,j} = 0 of step (1) so that the adjacency matrix entry A[i][j] = 0, thereby performing edge deletion.
Node insertion: when creating a new instance, insert a new node, denoted v_new, into the graph model G_time of step (5), new denoting the node identifier. If the other nodes in G_time are identified by k, initialise the adjacency matrix entries A[new][k] = 0 and A[k][new] = 0 of step (1). When node v_new may access v_k, set the connectivity c_{new,k} = 1 of step (1) so that A[new][k] = 1; when node v_k may access v_new, set c_{k,new} = 1 so that A[k][new] = 1. Node insertion is thereby performed.
Node deletion: when deleting an instance, locate the node corresponding to the instance in the graph model G_time of step (5), denoted v_del, del denoting the node identifier. Mark node v_del as failed by setting del = -1 so that it no longer takes part in detection; node deletion is thereby performed.
Further, in the above active detection method for multi-tenant cloud platform security isolation, the tenant security isolation detection of steps (42) and (52) is: according to the detection benchmark based on tenant security isolation of step (2), detect whether the node v_det read from the head of the queue Detect in steps (42) and (52) satisfies tenant security isolation.
The specific detection process for node v_det is: traverse all nodes of the graph G_init of step (3) or the graph G_time of step (5), denoting the currently traversed node as v_k, k denoting the node identifier. If the adjacency matrix entry A[k][det] = 1 of step (1), then node v_det can be judged to satisfy tenant security isolation only when f(det) = f(k) of step (2).
Further, in the above active detection method for multi-tenant cloud platform security isolation, the user group security isolation detection of steps (42) and (52) is: according to the detection benchmark based on user group security isolation of step (2), detect whether the node v_det read from the head of the queue Detect in steps (42) and (52) satisfies user group security isolation.
The specific detection process for node v_det is: traverse all nodes of the graph G_init of step (3) or the graph G_time of step (5), denoting the currently traversed node as v_k, k denoting the node identifier. If the adjacency matrix entry A[k][det] = 1 of step (1), then node v_det can be judged to satisfy user group security isolation only when y(k) = y(det) > 0, or y(k) = 1 and y(det) ≠ 1, or y(k) ≠ 0 and y(det) = 0, as defined in step (2).
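The following Python program is an added worked example, not code from the patent: it implements steps (1) to (5) as described above, the adjacency matrix A with A[k][det] = 1 meaning node k may reach node det, the tenant benchmark f and the user group benchmark y, the queue Detect drained from its head, the four incremental update cases of step (51), and the two check rules of steps (42)/(52). The level encoding is an assumption (the page does not reproduce the definition of level_n): uppr is encoded as 1 and lower as 0, matching the rule y(k) = 1 / y(det) = 0 in the text, and a normal group carries its integer mark x > 1. The pods, tenants and levels in the demo are constructed sample data.

```python
from collections import deque

# Assumed encoding of the user-group level y(n) (the page's definition of
# level_n is not reproduced): uppr = 1, lower = 0, and a normal group carries
# its integer mark x > 1 so that it does not collide with uppr.
UPPR, LOWER = 1, 0


class IsolationGraph:
    """Directed graph G=(V,E,C) stored as adjacency matrix A,
    where A[i][j] = c_ij = 1 means node i may access node j."""

    def __init__(self):
        self.ids = []            # node identifiers, in matrix row/column order
        self.tenant = {}         # f(n): node -> tenant identifier
        self.level = {}          # y(n): node -> user-group level
        self.A = []              # adjacency matrix
        self.failed = set()      # nodes marked del = -1 (deleted instances)
        self.detect = deque()    # queue Detect of nodes still to be checked

    def mark(self, n):
        """Mark n as 'to be detected' and append it to the tail of Detect."""
        if n not in self.detect:
            self.detect.append(n)

    def add_node(self, n, tenant, level):
        """Node insertion: the new row and column start at 0."""
        self.ids.append(n)
        self.tenant[n], self.level[n] = tenant, level
        for row in self.A:
            row.append(0)
        self.A.append([0] * len(self.ids))

    def set_edge(self, i, j, c):
        """Edge insertion (c=1) or deletion (c=0): c_ij -> A[i][j].
        Who can reach j has changed, so j is re-queued for detection."""
        self.A[self.ids.index(i)][self.ids.index(j)] = c
        self.mark(j)

    def delete_node(self, n):
        """Node deletion: flag the node as failed instead of resizing A."""
        self.failed.add(n)

    def mark_all(self):
        """Initial marking (41): every live node is queued."""
        for n in self.ids:
            if n not in self.failed:
                self.mark(n)

    def _sources(self, det):
        """Live nodes k != det with A[k][det] == 1."""
        col = self.ids.index(det)
        return [k for row, k in enumerate(self.ids)
                if k != det and k not in self.failed and self.A[row][col] == 1]

    def tenant_isolated(self, det):
        """Benchmark (21): every node that can reach det belongs to det's tenant."""
        return all(self.tenant[k] == self.tenant[det] for k in self._sources(det))

    def group_isolated(self, det):
        """Benchmark (22): the three admissible level combinations of the text."""
        y = self.level
        return all(y[k] == y[det] > 0
                   or (y[k] == UPPR and y[det] != UPPR)
                   or (y[k] != LOWER and y[det] == LOWER)
                   for k in self._sources(det))

    def run(self):
        """Detection (42)/(52): drain Detect from the head and report the
        nodes that violate either benchmark."""
        violations = {}
        while self.detect:
            det = self.detect.popleft()
            if det in self.failed:
                continue
            t, g = self.tenant_isolated(det), self.group_isolated(det)
            if not (t and g):
                violations[det] = {"tenant": t, "group": g}
        return violations


def demo():
    """Constructed scenario: tenant A owns pod1 (uppr) and pod2 (normal, x=2);
    tenant B owns pod3 (normal, x=2)."""
    g = IsolationGraph()
    g.add_node("pod1", "tenantA", UPPR)
    g.add_node("pod2", "tenantA", 2)
    g.add_node("pod3", "tenantB", 2)
    g.A[0][1] = 1                  # initial state: pod1 may access pod2
    g.mark_all()
    initial = g.run()              # expected: no violations
    g.set_edge("pod3", "pod2", 1)  # runtime: a new policy lets pod3 reach pod2
    runtime = g.run()              # expected: pod2 fails the tenant benchmark
    g.delete_node("pod3")          # the offending instance is deleted
    g.mark("pod2")
    after_delete = g.run()         # expected: clean again
    return initial, runtime, after_delete
```

Only the node whose inbound column changed is re-queued, which is what keeps the run-time check incremental; the full traversal of mark_all is needed only for the initial state.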
The present invention adopts the above technical scheme and has the following features:
(1) The method models the configuration state of the multi-tenant cloud platform as a graph, establishes a detection benchmark based on tenant security isolation and a detection benchmark based on user group security isolation, and then performs security isolation detection so as to discover in time the harm that potential isolation failure threats may cause to tenants in the cloud.
(2) The active detection method for security isolation proposed by the present invention can detect potential isolation failure threats that may exist in a dynamically changing cloud environment, making up for the deficiencies of existing methods and improving the security capability of the multi-tenant cloud platform.
Description of the drawings
Fig. 1 is a flow diagram of the active detection method for multi-tenant cloud platform security isolation provided by the invention;
Fig. 2 is a system platform architecture diagram provided in an embodiment of the invention;
Fig. 3 is an implementation framework diagram of the active detection method for multi-tenant cloud platform security isolation provided in an embodiment of the invention.
Specific embodiments
In order to make the objectives, technical solutions and advantages of the invention clearer, the invention is described in further detail below with reference to the drawings of the embodiments. It should be understood that the specific embodiments described here are only intended to explain the invention and not to limit it. All other embodiments obtained by those skilled in the art on the basis of the embodiments of the invention without creative effort fall within the protection scope of the invention.
Currently, with the rapid development and change of IT infrastructure technologies, the container engine Docker, which is based on lightweight virtualisation, is used by more and more companies across industries. A container is a new virtualisation technology that uses mechanisms supported by the Linux kernel itself, such as namespaces and cgroups, to isolate environments and resources; it is highly flexible and convenient to deploy. By integrating a distributed container cluster management solution, of which Kubernetes is representative, a PaaS cloud whose goal is to provide services can be built on container technology.
The present embodiment builds a cloud platform on the container engine Docker, manages the container cluster with Kubernetes, manages the cluster network with the Calico layer-3 networking project, and realises the tenant network isolation requirement of the cloud platform by combining the namespace labels and the Network Policy mechanism provided by the Kubernetes platform; the consistent store etcd is deployed to coordinate the nodes of the platform.
Based on this implementation environment, the embodiment applies the proposed isolation detection method to a container cloud platform and performs security isolation detection on tenant networks. In this embodiment, all users in the cloud are assigned, at the management granularity, to a number of groups; each group is called a tenant, and a tenant may in turn contain user groups. Users in the cloud can therefore be divided into three classes: cloud platform administrators, tenant administrators and ordinary users.
Fig. 2 is a schematic diagram of the platform architecture of the embodiment. The embodiment comprises five steps.
(1) Define the graph model. In the PaaS cloud environment built on a Kubernetes cluster, the virtual node is called a Pod, so the Pod is used as the basic node unit of cloud platform management, and the directed graph model G of the state of each user node in the cloud platform is built:
G=(V, E, C)
V denotes the set of nodes in the cloud platform that provide services; any node in the set satisfies v_i ∈ V. E denotes the edges between nodes; any edge e_{i,j} in the set indicates that node v_i may access another node v_j, e_{i,j} ∈ E. C denotes the connectivity relation between nodes; c_{i,j} denotes the connectivity between v_i and v_j, c_{i,j} ∈ C. i and j denote the identifiers of the two nodes.
When constructing the directed graph model, if c_{i,j} = 1, then edge e_{i,j} is considered to exist between v_i and v_j in graph G; if c_{i,j} = 0, then no edge e_{i,j} exists between v_i and v_j. The directed graph model G is stored in the form of a two-dimensional adjacency matrix A, with A[i][j] = c_{i,j}.
(2) Define the detection benchmarks: in a multi-tenant cloud platform there are multiple tenants managed by the administrator, and nodes belonging to different tenants must not be able to initiate unauthorised access to one another; inside each tenant there are multiple user groups, managed by the administrator or the tenant administrator, and nodes belonging to different user groups must not be able to initiate unauthorised access. Security isolation therefore covers two kinds of scenario: first, security isolation between different tenants, for which it must be verified whether a potential threat of unauthorised access exists between tenants; second, security isolation between different user groups within the same tenant, for which it must be verified whether a potential threat of unauthorised access exists between the user groups of one tenant. For these two scenarios, a detection benchmark based on tenant security isolation and a detection benchmark based on user group security isolation are defined respectively.
(21) Detection benchmark based on tenant security isolation: when an attacker obtains administrator privileges, or a malicious administrator exists inside the multi-tenant cloud platform, the configuration of the platform can be maliciously tampered with so that nodes originally belonging to different tenants can initiate unauthorised access to each other, destroying tenant security isolation. Therefore the correct mapping f between tenants and nodes is established as the detection benchmark for tenant security isolation. If n denotes the identifier of a node and tenant_n denotes the identifier of the tenant of the node identified by n, the mapping is denoted:
f(n) = tenant_n.
(22) Detection benchmark based on user group security isolation: for user groups belonging to the same tenant in the multi-tenant cloud platform, define L as the user group level, whose value may be uppr, normal or lower. A user group with L = uppr may access all non-uppr user groups and cannot be accessed by other user groups; a user group with L = normal may exchange visits with all user groups whose L is normal and whose mark value is the same x, x being an integer greater than zero; a user group with L = lower may be accessed by all user groups but cannot initiate access. For a node in a user group, if n denotes the identifier of the node and level_n denotes the mark value of the node identified by n, then the mark value level_n of node n is defined as:
When an attacker obtains administrator or tenant-administrator privileges, or a malicious administrator or malicious tenant administrator exists inside the multi-tenant cloud platform, the level configuration of the user groups can be maliciously tampered with so that nodes of user groups of different levels can initiate unauthorised access to each other, destroying user group security isolation. Therefore the correct mapping y between each user group and its nodes within the same tenant is established as the detection benchmark for user group security isolation; the mapping is denoted:
y(n) = level_n.
(3) Initial state generation: collect the configuration data of all nodes in the multi-tenant cloud platform in the initial state. According to the directed graph model G = (V, E, C) defined in step (1), traverse the configuration data and record the connectivity c_{i,j} ∈ C between the currently traversed node v_i and every other node v_j. If v_i is connected to v_j then c_{i,j} = 1, otherwise c_{i,j} = 0. The graph model G_init based on the initial state is then built according to the definition of step (1).
In this embodiment, the data source is each node of the container cloud cluster, and the specific data collected comprise: the node's Namespace label; the node's Role label; the isolation policy corresponding to the node's Role label; and the timestamp of the current network state.
The resulting data set is shown in Table 1, which gives a sample of multi-tenant cloud platform node configuration data.
Table 1: sample multi-tenant cloud platform node configuration data
In Table 1, the Namespace attribute is configured through the interface provided by the Namespace isolation mechanism of the Kubernetes platform, and the Role attribute is set through the interface provided by the Network Policy mechanism of the Kubernetes platform.
The directed state graph G_init can then be constructed and its adjacency matrix obtained:
(4) Initial isolation detection: according to the detection benchmarks of step (2), detect whether the directed graph G_init of step (3) satisfies security isolation. The detection process consists of two stages, initial node marking and initial node detection:
(41) The initial node marking process is: traverse all nodes of the directed graph G_init of step (3) in turn. During the traversal, mark the currently visited node as a node to be detected and insert it at the tail of the queue Detect.
Detect={ pod1, pod2, pod3 }
(42) The initial node detection process is: read nodes from the head of the queue Detect in turn until the queue is empty, denoting the node currently read as v_det. Detect whether v_det satisfies the security isolation requirements and, once detection is complete, remove v_det from the head of the queue Detect. The specific detection content comprises: tenant security isolation detection performed according to detection benchmark (21), and user group security isolation detection performed according to detection benchmark (22).
Tenant security isolation detection is performed first: traverse all nodes of the graph G_init of step (3), denoting the currently traversed node as v_k, k denoting the node identifier. If the adjacency matrix entry A[k][det] = 1 of step (1), then node v_det can be judged to satisfy tenant security isolation if and only if f(det) = f(k) of step (2);
Then the user group security isolation detection (the state detection based on the regional security domain) is performed: traverse all nodes of the graph G_init of step (3), denoting the currently traversed node as v_k, k denoting the node identifier. If the adjacency matrix entry A[k][det] = 1 of step (1), then node v_det can be judged to satisfy user group security isolation only when y(k) = y(det) > 0, or y(k) = 1 and y(det) ≠ 1, or y(k) ≠ 0 and y(det) = 0, as defined in step (2).
(5) Run-time isolation detection: denote the current running moment as time. If at moment time the administrator or tenant administrator performs a configuration operation on the cloud platform that causes the state of the directed graph to be updated, denote the current directed graph as G_time and, according to the detection benchmarks of step (2), detect whether G_time satisfies the security isolation requirements upon update. The detection process consists of two stages, node marking on update and node detection on update:
(51) The node marking process on update is: the configuration operations of step (5) include creating an instance, deleting an instance, creating a security policy and deleting a security policy. When an administrator or tenant administrator of the cloud platform performs any of these operations, the graph model G_time is updated incrementally. The incremental update, when implemented, may specifically comprise the following four cases:
Edge insertion: when creating or deleting a security policy makes node v_i in the graph model G_time of step (5) able to access v_j, set the connectivity c_{i,j} = 1 of step (1) so that the adjacency matrix entry A[i][j] = 1, thereby performing edge insertion.
Edge deletion: when creating or deleting a security policy makes node v_i in the graph model G_time of step (5) unable to access v_j, set the connectivity c_{i,j} = 0 of step (1) so that the adjacency matrix entry A[i][j] = 0, thereby performing edge deletion.
Node insertion: when creating a new instance, insert a new node, denoted v_new, into the graph model G_time of step (5), new denoting the node identifier. If the other nodes in G_time are identified by k, initialise the adjacency matrix entries A[new][k] = 0 and A[k][new] = 0 of step (1). When node v_new may access v_k, set the connectivity c_{new,k} = 1 of step (1) so that A[new][k] = 1; when node v_k may access v_new, set c_{k,new} = 1 so that A[k][new] = 1. Node insertion is thereby performed.
Node deletion: when deleting an instance, locate the node corresponding to the instance in the graph model G_time of step (5), denoted v_del, del denoting the node identifier. Mark node v_del as failed by setting del = -1 so that it no longer takes part in detection; node deletion is thereby performed.
For example, if the tenant administrator modifies the Ingress attribute of pod3 in Table 1 to "{ }", the adjacency matrix corresponding to G_time is then expressed as:
Then the updated node is inserted at the tail of the queue Detect. Here, since pod3 has been updated, it is marked as a node to be detected and added to the Detect queue.
Detect={ pod3 }
(52) The node detection process on update is: read nodes from the head of the queue Detect in turn until the queue is empty, denoting the node currently read as v_det. Detect whether v_det satisfies the security isolation requirements and, once detection is complete, remove v_det from the head of the queue Detect. The specific detection content comprises: tenant security isolation detection performed according to detection benchmark (21), and user group security isolation detection performed according to detection benchmark (22).
Tenant security isolation detection is performed first: traverse all nodes of the graph G_time of step (5), denoting the currently traversed node as v_k, k denoting the node identifier. If the adjacency matrix entry A[k][det] = 1 of step (1), then node v_det can be judged to satisfy tenant security isolation if and only if f(det) = f(k) of step (2);
Then the user group security isolation detection (the state detection based on the regional security domain) is performed: traverse all nodes of the graph G_time of step (5), denoting the currently traversed node as v_k, k denoting the node identifier. If the adjacency matrix entry A[k][det] = 1 of step (1), then node v_det can be judged to satisfy user group security isolation only when y(k) = y(det) > 0, or y(k) = 1 and y(det) ≠ 1, or y(k) ≠ 0 and y(det) = 0, as defined in step (2).
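The following Python program is an added worked example for the Kubernetes embodiment above, not code from the patent: it derives the adjacency matrix of step (3) from the per-pod data the embodiment collects (Namespace label, Role label and the ingress policy attached to the Role), then replays the text's run-time example in which pod3's Ingress is changed to "{ }" and shows which node the incremental update of step (51) puts into the Detect queue. Table 1 is not reproduced on the page, so the three pod rows are constructed sample data, and the rule semantics are a simplified reading of Kubernetes NetworkPolicy (an empty ingress rule admits every source; a rule with labels admits only sources matching all of them).

```python
import copy

# Constructed configuration sample standing in for Table 1 (the table's rows
# are not reproduced on the page). Each pod carries its Namespace label (the
# tenant), its Role label, and the ingress rules attached to that Role.
# Rule semantics are a simplified reading of Kubernetes NetworkPolicy:
#   []    no ingress rule:  all inbound traffic denied
#   [{}]  one empty rule:   all inbound traffic allowed
#   [{"namespace": ns, "role": r}]  only from pods matching every listed label
PODS = {
    "pod1": {"namespace": "tenant-a", "role": "web",
             "ingress": [{"namespace": "tenant-a"}]},
    "pod2": {"namespace": "tenant-a", "role": "db",
             "ingress": [{"namespace": "tenant-a", "role": "web"}]},
    "pod3": {"namespace": "tenant-b", "role": "db",
             "ingress": [{"namespace": "tenant-b", "role": "web"}]},
}


def rule_allows(rule, src):
    """An empty rule matches every source; otherwise every key must match."""
    return all(src.get(key) == value for key, value in rule.items())


def build_adjacency(pods):
    """Step (3): A[i][j] = 1 iff some ingress rule of pod j admits pod i."""
    names = list(pods)
    A = [[0] * len(names) for _ in names]
    for i, src in enumerate(names):
        for j, dst in enumerate(names):
            if i != j and any(rule_allows(r, pods[src]) for r in pods[dst]["ingress"]):
                A[i][j] = 1
    return names, A


def updated_nodes(names, old, new):
    """Step (51): nodes whose inbound column changed; these go into Detect."""
    n = len(names)
    return [names[j] for j in range(n) if any(old[i][j] != new[i][j] for i in range(n))]


def cross_tenant_edges(pods, names, A):
    """Edges that cross a Namespace boundary: the pairs benchmark (21) flags."""
    n = len(names)
    return [(names[i], names[j]) for i in range(n) for j in range(n)
            if A[i][j] == 1 and pods[names[i]]["namespace"] != pods[names[j]]["namespace"]]


def demo():
    """Initial matrix, then the text's example: pod3's Ingress becomes '{}'."""
    names, A_init = build_adjacency(PODS)
    changed = copy.deepcopy(PODS)
    changed["pod3"]["ingress"] = [{}]          # tenant admin opens pod3 to all
    _, A_time = build_adjacency(changed)
    detect = updated_nodes(names, A_init, A_time)   # expected: ["pod3"]
    return A_init, A_time, detect, cross_tenant_edges(changed, names, A_time)
```

Because an ingress change alters only the column of the pod that owns the policy, comparing columns of the old and new matrices is enough to recover the Detect = {pod3} marking the text describes; the cross-tenant edges that appear in that column are exactly what the tenant benchmark then rejects.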
The above embodiments are provided only to describe the purpose of the invention and are not intended to limit its scope. The scope of the invention is defined by the following claims. Various equivalent replacements and modifications made without departing from the spirit and principles of the invention shall all fall within the scope of the invention.