物联网应用系统控制安全技术研究

How to make IoT (Internet of Things) applications run properly as we expected is a key issues in applying IoT techniques into practice. Compared with Internet applications, IoT applications face much huger security risks: IoT applications store plenty of sensitive information, and lots of applications can autonomously control or even change the behavior of the objects independently depending on the context, circumstances or environments. The security control failures will directly result in serious social and economic consequences, including sensitive information leakage, object behavior being out of control, or even the whole application being destroyed. The main reason that IoT faces risks is the lack of effective data protection techniques. The existing methods are basically based on encryption, with the result of large but ineffiecient investment, since single RFID tag can not support calculating complex cipher, and encrypted privacy information can not be used by different applications. The aim of this project is to develop both effective and practical security techniques to protect the privacy and integrity of IoT data. Main research points of this project include: ① Research on program level information flow control techniques, resulting with fine-grained information spread control among distributed, multiple and different programs; ② Research on generalized stain spread based information flow control model, with the features of no covert channels and least privilege support; ③ Research on formal verification of information flow control model to theoretically guarantee the effectiveness of policy control for IoT applications.

保障物联网应用系统的控制安全是物联网得以大范围推广应用的关键问题之一。物联网中存储着大量的隐私信息，很多应用通过预设命令直接对物品进行智能控制。控制安全一旦失效，将会导致隐私信息泄密、应用行为失控、甚至整个应用被破坏。物联网控制安全风险的根源在于缺乏有效的以数据安全为中心的保护技术。已有的方法基本上都是以加密为主要手段开展研究，投入量大但效率低。主要原因是单个RFID标签能力无法支持复杂的密码学计算，而且加密的隐私信息难以适用于多种应用。本项目的总体研究目标是：研发有效且实用的物联网数据的隐私性和完整性保护技术，实现物联网应用系统的控制安全。拟重点研究如下内容：①研究以数据安全为中心的程序级信息流控制技术，实现分布式多种不同程序间的信息的细粒度传播控制；②研究支持最小权限的广义污点传播控制模型和技术，消除隐蔽通道；③研究系统级信息流控制模型的形式化验证方法，从理论上保障控制安全的有效性。

该项目针对物联网应用系统缺乏有效的控制安全技术，导致可能的隐私信息泄密、应用行为失控、甚至整个应用被破坏等控制安全风险，主要研究以数据安全为中心的程序级信息流控制技术、支持最小权限的广义污点传播控制模型和技术，以及信息流控制模型的形式化验证方法。该项目实现了物联网应用系统中多种不同程序间的信息流动的细粒度传播控制、有效地消除了数据泄露的隐蔽通道，并验证了所提出的信息流控制模型的安全性质。该项目解决了两个关键问题，即信息流控制模型该如何建模才能实现细粒度读写控制，以及信息流控制模型的安全完备性证明难题。本项目完成了其全部研究内容并实现了项目目标。