CN-122027303-A - Credible cloud security level formalized concept verification system and level assessment method
Abstract
The invention relates to the field of cloud computing, in particular to a system and a method for formalized concept verification (FPoC) of a trusted cloud security level, which aim to solve the problems that existing security assessment lacks a quantization standard, cannot identify bottlenecks and is difficult to measure synergistic effects. The system comprises a layered security mechanism model, a technical and standard reference library, an intrinsic security level computing engine and a Web UI interaction module, and is characterized in that the dual-mode computing engine adopts a security barrel effect algorithm, taking the minimum value to identify the short board (the weakest link), when the mechanisms are independent, and adopts an enhancement mode algorithm that computes added values based on four enhancement vectors (coverage, independence, redundancy and auditability) when the mechanisms work cooperatively. The invention converts security assessment from a qualitative art into computable and reproducible engineering science, and is suitable for security architecture design and compliance audit of cloud computing environments.
Inventors
- LI YAN
- ZHANG HUANGUO
- YAN FEI
Assignees
- 武汉可信云科技有限公司
Dates
- Publication Date
- 20260512
- Application Date
- 20260227
Claims (10)
- 1. The credible cloud security level formalized concept verification system is characterized by comprising a layered security mechanism model, wherein the hierarchical security mechanism model includes: a grade policy definition module, used for defining and storing the technical specifications of five progressive security grades, from basic to advanced up to protection by a hardware trust root and a TEE; a security mechanism cooperative scheduling module, used for dynamically loading and coordinating the TCDSSL, TCDAC and TCDCA core mechanisms of the selected security level, constructing a hierarchical processing pipeline and sequentially executing source address verification, certificate authentication and policy decision on the traffic; a hardware enhancement and trusted execution module, used, at the highest security level, for migrating key processes including key management and policy decision to run in a trusted execution environment on a DPU/intelligent network card, protecting the private key with a hardware trust root, and generating a hardware-signed source authenticity certification for key traffic; and a dynamic monitoring and proving service module, used for continuously monitoring the running state and security events of each mechanism, triggering level re-evaluation or degradation when the state is abnormal, responding to external requests by aggregating the system state and hardware evidence to generate a digitally signed security level compliance report or source authenticity evidence, and providing verifiable trust evidence.
- 2. The system for formalized concept verification of a trusted cloud security level of claim 1, wherein the hierarchical security mechanism model further comprises the following modules: a degradation operation candidate analysis module, used for carrying out cluster analysis of historical degradation events from historical degradation operation time data and predicting candidate time periods for degradation operation with the probability of direct degradation success as the constraint condition; a session interrupt repair prediction module, which determines the predicted duration of session interrupt repair caused by an inconsistent security state of the SAVI-CGA binding table between the security mechanism cooperative scheduling module and the hardware enhancement and trusted execution module, according to the historical session interrupt repair duration records corresponding to historical degradation events of indirect degradation success; a safety state initial analysis module, used for constructing a start time node library for analyzing the safety state consistency of the SAVI-CGA binding table by combining the predicted degradation operation candidate periods and the predicted session interrupt repair duration; and a safety state judging and intervening module, used for carrying out consistency analysis of the safety state of the SAVI-CGA binding table in the safety mechanism cooperative scheduling module and the hardware enhancement and trusted execution module according to the start time node library, judging whether safety state intervention is needed, and if so, carrying out safety state consistency adjustment.
- 3. The system is characterized in that the key processes migrated by the hardware enhancement and trusted execution module comprise the policy decision engine core logic, the key management service and the SAVI-CGA binding table manager; migrated data are transmitted to the TEE in encrypted form, policy decisions are executed independently in the isolated environment, the private key is kept in the hardware trust root throughout, signing and decryption operations are executed only through standard API calls, the source authenticity certification of the hardware signature is sent along with the key traffic or over an independent channel, and the receiver can verify the validity of the hardware signature through the public certificate.
- 4. The system for formalized concept verification of a trusted cloud security level according to claim 1, wherein the monitoring content of the dynamic monitoring and proving service module comprises core component operation indices, security event logs and the hardware trusted state; the integrity of the TEE environment is verified through remote attestation; the security level is re-assessed upon triggering by a high-priority abnormal event, and degradation or a warning is executed according to the assessment result; and when an external request is received, the system configuration, operation state and hardware attestation are aggregated, and a structured report is generated, signed with the system identity private key and returned.
- 5. The system of claim 2, wherein the degradation operation candidate analysis module divides a day into a plurality of continuous long time windows, clusters the historical degradation events and assigns them to the corresponding windows according to their start times, marks an event that did not produce a session interrupt as a direct degradation success event and an event that did produce a session interrupt as an indirect degradation success event, counts the proportion of direct degradation success events in each window to obtain its direct degradation success rate, and marks a window whose proportion is higher than a preset threshold as a candidate window, the corresponding time period being a degradation operation candidate period; the session interrupt repair prediction module collects the historical repair durations of indirect degradation success events into a sequence, calculates the coefficient of variation of the sequence, takes the average value as the predicted duration when the coefficient of variation is smaller than a threshold value, and takes the maximum historical duration as the predicted duration when the coefficient of variation is greater than or equal to the threshold value; the safety state initial analysis module extracts the start time of each degradation operation candidate period, takes the predicted session interrupt repair duration as the time advance, subtracts the time advance from each start time to obtain the corresponding state consistency analysis start time node, and gathers all start time nodes into a complete start time node library; and the safety state judging and intervening module triggers verification of the binding table state of the two modules at each start time node, judges consistency by calculating and comparing the hash values of the Merkle tree roots, takes no intervention when the hash values are consistent, and otherwise takes intervention measures of log repair synchronization or DSL1 reconstruction authentication according to the degree of deviation until the states are consistent.
- 6. The trusted cloud security level formalized concept verification system of claim 1, further comprising: a technical reference library, which stores a plurality of atomic-level security mechanisms and their mapping relations to corresponding preset inherent security levels; and a bimodal intrinsic safety level computing engine, comprising one or more processors configured to perform two computing modes: a first mode, SBEC, which, when a plurality of safety mechanisms are identified as independent of each other, takes the minimum of the inherent safety levels of all the mechanisms as the overall safety level; and a second mode, the enhancement mode, which, when a cooperative working relation among a plurality of safety mechanisms is identified, calculates and superimposes enhancement added values according to the contribution values of the enhancement vectors on the base grade obtained from that minimum.
- 7. The system of claim 6, wherein the rule for determining the contribution of the independence enhancement vector is that the independence vector contributes a positive enhancement value if and only if the security mechanism is anchored to a physical hardware root of trust.
- 8. The system of claim 7, further comprising a decision tree module and a Web UI application module, wherein the decision tree module stores a set of preset rules for automatically analyzing an input safety mechanism list and automatically selecting and calling the first mode or the second mode for calculation according to the dependency relationships among the mechanisms; and the Web UI application module provides an engineer view, used for receiving the mechanism list input and displaying bottleneck recognition results and repair suggestions, and an auditor view, used for receiving an external security statement and its evidence chain file and displaying the difference comparison between the independent calculation result and the stated result.
- 9. A trusted cloud security level assessment method implemented on the trusted cloud security level formalized concept verification system of any one of claims 1, 6, 7 and 8, characterized by comprising the steps of: a receiving step, receiving a list including a plurality of security mechanisms through a user interface; a deconstructing step, analyzing the mechanisms in the list into corresponding atomic-level technical points based on the hierarchical security mechanism model; a querying step, querying from the technical reference library the preset inherent security level corresponding to each atomic-level technical point; a calculation step, automatically selecting and executing the safety barrel effect calculation or the enhancement mode calculation according to whether a cooperative enhancement relation exists between the mechanisms, so as to obtain the overall safety level; and an outputting step, visually displaying the overall security level and the calculation path.
- 10. The method for evaluating the security level of a trusted cloud as claimed in claim 9, wherein the specific steps of calculating in the second mode comprise: step A, calculating the minimum of the intrinsic safety levels of all mechanisms in the cooperative group and taking that minimum as the base level; step B, identifying the types of enhancement vectors of the cooperative group and calculating an enhancement added value according to preset weights; and step C, adding the base grade and the enhancement added value, and taking the smaller of that sum and the preset highest grade upper limit of the system as the final grade.
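The bimodal computing engine of claims 6 to 10 (SBEC minimum, enhancement mode with the claim 7 independence rule, the claim 10 cap at the highest grade, and the claim 8 decision-tree selection) as an added worked example; this is illustrative code, not the patent's implementation, and the per-vector weights, the five-grade cap and the mechanism names are assumptions.

```python
from dataclasses import dataclass

MAX_LEVEL = 5  # five progressive security grades (claim 1); assumed as the cap of claim 10

# Assumed per-vector weights: the patent names the four enhancement vectors
# but does not publish the preset weights, so these values are placeholders.
VECTOR_WEIGHTS = {"coverage": 1, "independence": 1, "redundancy": 1, "auditability": 1}

@dataclass
class Mechanism:
    name: str
    level: int                 # preset inherent level looked up in the reference library
    hw_rooted: bool = False    # anchored to a physical hardware root of trust (claim 7)
    cooperates_with: frozenset = frozenset()  # names of mechanisms it works with

def sbec(mechanisms):
    """First mode (SBEC): the weakest mechanism bounds the overall level."""
    return min(m.level for m in mechanisms)

def enhancement_added_value(mechanisms, vectors):
    """Step B: sum the preset weights of the vectors the cooperative group exhibits.
    Independence counts only when some mechanism is hardware-rooted (claim 7)."""
    added = 0
    for v in vectors:
        if v == "independence" and not any(m.hw_rooted for m in mechanisms):
            continue
        added += VECTOR_WEIGHTS[v]
    return added

def enhancement_mode(mechanisms, vectors):
    """Second mode: base level (step A) plus added value (step B), capped (step C)."""
    base = sbec(mechanisms)
    return min(base + enhancement_added_value(mechanisms, vectors), MAX_LEVEL)

def assess(mechanisms, vectors=()):
    """Decision-tree rule (claim 8): any declared cooperation selects the second mode."""
    known = {m.name for m in mechanisms}
    cooperative = any(m.cooperates_with & known for m in mechanisms)
    if cooperative:
        return "enhancement", enhancement_mode(mechanisms, vectors)
    return "sbec", sbec(mechanisms)

def bottleneck(mechanisms):
    """Engineer view (claim 8): the mechanism whose level sets the SBEC minimum."""
    return min(mechanisms, key=lambda m: m.level).name
```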
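The degradation-window analysis of claims 2 and 5 (window clustering by direct-success rate, coefficient-of-variation choice between mean and maximum repair time, and start nodes obtained by subtracting the time advance) as an added worked example; this is illustrative code rather than the patent's own, and the window length, thresholds and the event history are constructed assumptions.

```python
import statistics

# Assumed parameters; the patent leaves the window length and thresholds preset but unpublished.
WINDOW_HOURS = 6          # four continuous windows per day
SUCCESS_THRESHOLD = 0.8   # a window is a candidate only if its direct-success rate exceeds this
CV_THRESHOLD = 0.3        # coefficient-of-variation cutoff for mean-vs-maximum prediction

# Constructed history: (degradation start hour of day, session interrupted?, repair minutes).
# No session interrupt = direct degradation success; an interrupt = indirect success
# and carries the repair duration that followed.
HISTORY = [
    (1.0, False, None), (2.5, False, None), (4.0, True, 30),                              # window 0: 2/3
    (7.0, True, 45), (9.0, True, 90),                                                     # window 1: 0/2
    (13.0, False, None), (15.0, False, None), (16.5, False, None), (17.0, False, None),    # window 2: 4/4
    (19.0, False, None), (20.0, False, None), (21.0, False, None), (22.0, False, None),
    (23.0, True, 75),                                                                     # window 3: 4/5
]

def window_of(hour):
    return int(hour // WINDOW_HOURS)

def candidate_windows(history):
    """Cluster events into windows; keep those whose direct-success share exceeds the threshold."""
    totals, direct = {}, {}
    for hour, interrupted, _ in history:
        w = window_of(hour)
        totals[w] = totals.get(w, 0) + 1
        direct[w] = direct.get(w, 0) + (0 if interrupted else 1)
    return sorted(w for w in totals if direct[w] / totals[w] > SUCCESS_THRESHOLD)

def predicted_repair_minutes(history):
    """Mean repair time when durations are stable (low CV), otherwise the historical maximum."""
    durations = [d for _, interrupted, d in history if interrupted]
    if not durations:
        return 0
    mean = statistics.mean(durations)
    cv = statistics.pstdev(durations) / mean
    return mean if cv < CV_THRESHOLD else max(durations)

def start_node_library(history):
    """Consistency-check start nodes: each candidate window start minus the predicted repair time."""
    advance_hours = predicted_repair_minutes(history) / 60
    return [w * WINDOW_HOURS - advance_hours for w in candidate_windows(history)]
```

Window 3 sits exactly at the threshold and is excluded, matching the claim's "higher than" wording, and the spread of the four repair durations pushes the coefficient of variation above the cutoff, so the maximum is used as the time advance.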
Description
Credible cloud security level formalized concept verification system and level assessment method
Technical Field
The invention belongs to the fields of cloud computing security, formal verification and system security engineering, and particularly relates to a system and a method for unified, quantifiable and hierarchical intrinsic security level assessment, calculation and continuous verification of the trusted security mechanisms of an information system, in particular a cloud environment.
Background
Traditional security assessment is often reduced to a binary answer of "safe/unsafe", or relies on static, checklist-style compliance checks. Traditional Source Address Validation (SAV) technology, such as BCP38 ingress filtering in an IPv4 environment, suffers from a 'tragedy of the commons' of fragmented deployment and insufficient incentive, and is difficult to build into a systematic defense; in an IPv6 environment in particular, the huge address space and the stateless Neighbor Discovery Protocol (NDP) render the traditional IP-prefix-based filtering mechanism almost ineffective, so the risk of IP spoofing attacks rises sharply. The current evolution of SAV technology is scattered: on one hand, the SAVA working group of the IETF recognizes that SAV is a systematic engineering effort covering the intra-domain, inter-domain and link layers (SAVI) and has proposed technologies such as CGA, SEND and ASPA, but there is no unified framework to integrate these technologies organically and govern them hierarchically. A more prominent problem arises in a gateway where a high-level security mechanism (such as a TEE and a hardware trust root based on a hardware trusted execution environment) is deployed: when dynamic degradation from a high level (such as a hardware-anchored mode) to a low level (such as a software certificate mode) is required because of hardware faults or maintenance, the critical security state (such as the SAVI-CGA binding table) held in the hardware module and in the software collaboration module is very likely to be inconsistent. If this inconsistency is exposed during the degradation process, identity authentication fails and sessions are interrupted, so the reliability advantage of the high-level security architecture becomes a bottleneck for service continuity at the critical moment. The prior art lacks an effective mechanism for predicting, analyzing and actively intervening on state consistency before degradation, so degradation operations are often accompanied by an unpredictable risk of service interruption.
Disclosure of Invention
The invention aims to solve the technical problems of binarization, lack of quantification, inability to identify bottlenecks and inability to measure synergistic effects in existing security assessment methods. The invention provides a system and a method for evaluating a credible cloud security level formalized concept, characterized in that a set of hierarchical security mechanism models (TCDxSM), two core level calculation theories (SBEC and Enhancement) and a complete technology-to-level reference system are defined, and an operable Web UI application is further provided to engineer the method.
In order to solve the above problems, the invention discloses a credible cloud security level formalized concept verification system which comprises a layered security mechanism model and a technical reference library, the technical reference library storing a plurality of atomic security mechanisms and their mapping relations to the corresponding preset intrinsic security levels, together with a plurality of security mechanism libraries, namely an atomic technical level (TCDTSM), a component level (TCDGSM), a core level (TCDCSM) and a unit production level (TCDUSM), and the computed mapping relations to the preset intrinsic security levels corresponding to those mechanisms. A bimodal intrinsic safety level computing engine is composed of one or more processors and is configured to operate in at least two modes: a first mode (SBEC) takes the minimum of the intrinsic safety levels of all mechanisms as the overall intrinsic safety level when a plurality of safety mechanisms are identified as independent of each other; a second mode (enhancement mode) computes and adds an enhancement added value according to the contribution of one or more enhancement vectors on top of the base level obtained from that minimum when a plurality of safety mechanisms are identified as having a cooperative working relation. In the second mode (enhancement mode) the enhancement vector comprises a combination of one or more of the following dimensions, namely Coverage, which represents the coverage of the