<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//NLM//DTD JATS (Z39.96) Journal Publishing DTD v1.3 20210610//EN" "JATS-journalpublishing1-3.dtd">
<article article-type="research-article" dtd-version="1.3" xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xml:lang="ru"><front><journal-meta><journal-id journal-id-type="publisher-id">mais</journal-id><journal-title-group><journal-title xml:lang="ru">Моделирование и анализ информационных систем</journal-title><trans-title-group xml:lang="en"><trans-title>Modeling and Analysis of Information Systems</trans-title></trans-title-group></journal-title-group><issn pub-type="ppub">1818-1015</issn><issn pub-type="epub">2313-5417</issn><publisher><publisher-name>Yaroslavl State University</publisher-name></publisher></journal-meta><article-meta><article-id pub-id-type="doi">10.18255/1818-1015-2015-6-735-749</article-id><article-id custom-type="elpub" pub-id-type="custom">mais-291</article-id><article-categories><subj-group subj-group-type="heading"><subject>Research Article</subject></subj-group><subj-group subj-group-type="section-heading" xml:lang="ru"><subject>Оригинальные статьи</subject></subj-group><subj-group subj-group-type="section-heading" xml:lang="en"><subject>Articles</subject></subj-group></article-categories><title-group><article-title>Модель безопасности информационных потоков для программно-конфигурируемых сетей</article-title><trans-title-group xml:lang="en"><trans-title>End-to-end Information Flow Security Model for Software-Defined Networks</trans-title></trans-title-group></title-group><contrib-group><contrib contrib-type="author" corresp="yes"><name-alternatives><name name-style="eastern" xml:lang="ru"><surname>Чалый</surname><given-names>Д. Ю.</given-names></name><name name-style="western" xml:lang="en"><surname>Chaly</surname><given-names>D. Ju.</given-names></name></name-alternatives><bio xml:lang="ru"><p>канд. физ.-мат. наук., доцент,</p><p>ул. Советская, 14, г. Ярославль, 150000</p></bio><bio xml:lang="en"><p>PhD, Sovetskaya str., 14, Yaroslavl, 150000</p></bio><email xlink:type="simple">dmitry.chaly@gmail.com</email><xref ref-type="aff" rid="aff-1"/></contrib><contrib contrib-type="author" corresp="yes"><name-alternatives><name name-style="eastern" xml:lang="ru"><surname>Никитин</surname><given-names>Е. С.</given-names></name><name name-style="western" xml:lang="en"><surname>Nikitin</surname><given-names>E. S.</given-names></name></name-alternatives><bio xml:lang="ru"><p>студент,</p><p>ул. Советская, 14, г. Ярославль, 150000</p></bio><bio xml:lang="en"><p>student, Sovetskaya str., 14, Yaroslavl, 150000,</p></bio><email xlink:type="simple">nik.zhenya@gmail.com</email><xref ref-type="aff" rid="aff-1"/></contrib><contrib contrib-type="author" corresp="yes"><name-alternatives><name name-style="eastern" xml:lang="ru"><surname>Антошина</surname><given-names>Е. Ю.</given-names></name><name name-style="western" xml:lang="en"><surname>Antoshina</surname><given-names>E. Ju.</given-names></name></name-alternatives><bio xml:lang="ru"><p>аспирант,</p><p>ул. Советская, 14, г. Ярославль, 150000</p></bio><bio xml:lang="en"><p>graduate student, Sovetskaya str., 14, Yaroslavl, 150000</p></bio><email xlink:type="simple">kantoshina@gmai.com</email><xref ref-type="aff" rid="aff-1"/></contrib><contrib contrib-type="author" corresp="yes"><name-alternatives><name name-style="eastern" xml:lang="ru"><surname>Соколов</surname><given-names>В. А.</given-names></name><name name-style="western" xml:lang="en"><surname>Sokolov</surname><given-names>V. A.</given-names></name></name-alternatives><bio xml:lang="ru"><p>доктор физ.-мат. наук, профессор,</p><p>ул. Советская, 14, г. Ярославль, 150000</p></bio><bio xml:lang="en"><p>doctor of science, Sovetskaya str., 14, Yaroslavl, 150000,</p></bio><email xlink:type="simple">valery-sokolov@yandex.ru</email><xref ref-type="aff" rid="aff-1"/></contrib></contrib-group><aff-alternatives id="aff-1"><aff xml:lang="ru"><institution>Ярославский государственный университет им. П.Г. Демидова</institution><country>Россия</country></aff><aff xml:lang="en"><institution>P.G. Demidov Yaroslavl State University</institution><country>Russian Federation</country></aff></aff-alternatives><pub-date pub-type="collection"><year>2015</year></pub-date><pub-date pub-type="epub"><day>20</day><month>12</month><year>2015</year></pub-date><volume>22</volume><issue>6</issue><fpage>735</fpage><lpage>749</lpage><permissions><copyright-statement>Copyright &amp;#x00A9; Чалый Д.Ю., Никитин Е.С., Антошина Е.Ю., Соколов В.А., 2015</copyright-statement><copyright-year>2015</copyright-year><copyright-holder xml:lang="ru">Чалый Д.Ю., Никитин Е.С., Антошина Е.Ю., Соколов В.А.</copyright-holder><copyright-holder xml:lang="en">Chaly D.J., Nikitin E.S., Antoshina E.J., Sokolov V.A.</copyright-holder><license xml:lang="ru" license-type="creative-commons-attribution" xlink:href="https://creativecommons.org/licenses/by/4.0/" xlink:type="simple"><license-p>Данная работа распространяется под лицензией Creative Commons Attribution 4.0.</license-p></license><license xml:lang="en" license-type="creative-commons-attribution" xlink:href="https://creativecommons.org/licenses/by/4.0/" xlink:type="simple"><license-p>This work is licensed under a Creative Commons Attribution 4.0 License.</license-p></license></permissions><self-uri xlink:href="https://www.mais-journal.ru/jour/article/view/291">https://www.mais-journal.ru/jour/article/view/291</self-uri><abstract><p>Программно-конфигурируемые сети (ПКС, SDN, Software-defined Networks) являются новой парадигмой организации сетей, которая используется во многих современных приложениях, таких как виртуализация сети, управление доступом на основе политик безопасности и многих других. Программное обеспечение ПКС обеспечивает гибкость и быстрый темп инноваций в сети, однако оно имеет сложную природу, в связи с чем возникает необходимость в средствах обеспечения его корректности и безопасности. Абстрактные модели для ПКС могут решить эти задачи. Данная работа направлена на разработку моделей безопасного взаимодействия в ПКС, акцентируя внимание на таких свойствах безопасности, как конфиденциальность и, частично, целостность. Это критические свойства безопасности многопользовательских сетей, поскольку программное обеспечение, управляющее сетью, должно гарантировать, что конфиденциальные данные одного пользователя не будут переданы другим (нежелательным) пользователям. Мы определили понятие сквозной безопасности в контексте ПКС и предложили семантическую модель, позволяющую сделать обоснованный вывод о соблюдении конфиденциальности, и мы можем проверить, что конфиденциальные информационные потоки не смешиваются с не конфиденциальными. Мы показываем, что модель может быть расширена до обоснования соблюдения конфиденциальности в сетях с безопасными и небезопасными каналами связи, которые могут возникнуть, например, в беспроводных средах.</p><p>Статья представляет собой расширенную версию доклада на VI Международном семинаре “Program Semantics, Specification and Verification: Theory and Applications”, Казань, 2015.</p><p>Статья публикуется в авторской редакции.</p></abstract><trans-abstract xml:lang="en"><p>Software-defined networks (SDN) are a novel paradigm of networking which became an enabler technology for many modern applications such as network virtualization, policy-based access control and many others. Software can provide flexibility and fast-paced innovations in the networking; however, it has a complex nature. In this connection there is an increasing necessity of means for assuring its correctness and security. Abstract models for SDN can tackle these challenges. This paper addresses to confidentiality and some integrity properties of SDNs. These are critical properties for multi-tenant SDN environments, since the network management software must ensure that no confidential data of one tenant are leaked to other tenants in spite of using the same physical infrastructure. We define a notion of end-to-end security in context of software-defined networks and propose a semantic model where the reasoning is possible about confidentiality, and we can check that confidential information flows do not interfere with non-confidential ones. We show that the model can be extended in order to reason about networks with secure and insecure links which can arise, for example, in wireless environments.</p><p>The article is published in the authors’ wording.</p></trans-abstract><kwd-group xml:lang="ru"><kwd>ПКС</kwd><kwd>безопасность</kwd><kwd>формальные модели</kwd></kwd-group><kwd-group xml:lang="en"><kwd>SDN</kwd><kwd>security</kwd><kwd>formal models</kwd></kwd-group><funding-group><funding-statement xml:lang="ru">РФФИ, Минобрнауки</funding-statement></funding-group></article-meta></front><back><ref-list><title>References</title><ref id="cit1"><label>1</label><citation-alternatives><mixed-citation xml:lang="ru">E. Al-Shaer, S. Al-Haj, “FlowChecker: configuration analysis and verification of federated OpenFlow infrastructures”, SafeConfig 2010 : 2nd ACM Workshop on Assurable and Usable Security Configuration (October 4, 2010, Chicago, IL, USA), 37–44.</mixed-citation><mixed-citation xml:lang="en">E. Al-Shaer, S. Al-Haj, “FlowChecker: configuration analysis and verification of federated OpenFlow infrastructures”, SafeConfig 2010 : 2nd ACM Workshop on Assurable and Usable Security Configuration (October 4, 2010, Chicago, IL, USA), 37–44.</mixed-citation></citation-alternatives></ref><ref id="cit2"><label>2</label><citation-alternatives><mixed-citation xml:lang="ru">C. J. Anderson et al., “NetKAT: semantic foundations for networks”, POPL 2014: 41st ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (January 22–24, 2014, San Diego, USA), 113–126.</mixed-citation><mixed-citation xml:lang="en">C. J. Anderson et al., “NetKAT: semantic foundations for networks”, POPL 2014: 41st ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (January 22–24, 2014, San Diego, USA), 113–126.</mixed-citation></citation-alternatives></ref><ref id="cit3"><label>3</label><citation-alternatives><mixed-citation xml:lang="ru">E. Ju. Antoshina et al., “A translator with a security static analysis feature of an information flow for a simple programming language.”, Autom. Control and Comp. Sciences, 48:7 (2014), 589–593.</mixed-citation><mixed-citation xml:lang="en">E. Ju. Antoshina et al., “A translator with a security static analysis feature of an information flow for a simple programming language.”, Autom. Control and Comp. Sciences, 48:7 (2014), 589–593.</mixed-citation></citation-alternatives></ref><ref id="cit4"><label>4</label><citation-alternatives><mixed-citation xml:lang="ru">M. Casado, N. Foster, A. Guha, “Abstractions for software-defined networks”, Communications of the ACM, 57:10 (2014), 86–95.</mixed-citation><mixed-citation xml:lang="en">M. Casado, N. Foster, A. Guha, “Abstractions for software-defined networks”, Communications of the ACM, 57:10 (2014), 86–95.</mixed-citation></citation-alternatives></ref><ref id="cit5"><label>5</label><citation-alternatives><mixed-citation xml:lang="ru">M. Casado et al., “Ethane: taking control of the enterprise”, ACM SIGCOMM 2007: Data Communications Festival (Augest 27–31, 2007, Kyoto, Japan).</mixed-citation><mixed-citation xml:lang="en">M. Casado et al., “Ethane: taking control of the enterprise”, ACM SIGCOMM 2007: Data Communications Festival (Augest 27–31, 2007, Kyoto, Japan).</mixed-citation></citation-alternatives></ref><ref id="cit6"><label>6</label><citation-alternatives><mixed-citation xml:lang="ru">N. Foster et al., “Frenetic: a network programming language”, The 16th ACM SIGPLAN International Conference on Functional Programming (September 19–21, 2011, Tokyo, Japan), 279–291.</mixed-citation><mixed-citation xml:lang="en">N. Foster et al., “Frenetic: a network programming language”, The 16th ACM SIGPLAN International Conference on Functional Programming (September 19–21, 2011, Tokyo, Japan), 279–291.</mixed-citation></citation-alternatives></ref><ref id="cit7"><label>7</label><citation-alternatives><mixed-citation xml:lang="ru">S. Gutz et al., “Splendid isolation: a slice abstraction for software-defined networks”, ACM SIGCOMM Workshop on Hot Topics in Software Defined Networking (HotSDN) (August 13, 2012, Helsinki, Finland), 2012, 79–84.</mixed-citation><mixed-citation xml:lang="en">S. Gutz et al., “Splendid isolation: a slice abstraction for software-defined networks”, ACM SIGCOMM Workshop on Hot Topics in Software Defined Networking (HotSDN) (August 13, 2012, Helsinki, Finland), 2012, 79–84.</mixed-citation></citation-alternatives></ref><ref id="cit8"><label>8</label><citation-alternatives><mixed-citation xml:lang="ru">C.-Y. Hong et al., “Achieving high utilization with software-driven WAN”, ACM SIGCOMM 2013 (August 12 – 16, 2013, Hong Kong, China).</mixed-citation><mixed-citation xml:lang="en">C.-Y. Hong et al., “Achieving high utilization with software-driven WAN”, ACM SIGCOMM 2013 (August 12 – 16, 2013, Hong Kong, China).</mixed-citation></citation-alternatives></ref><ref id="cit9"><label>9</label><citation-alternatives><mixed-citation xml:lang="ru">N. McKeown et al., “OpenFlow: enabling innovation in campus networks”, ACM Comp. Comm. Review, 38:2 (2008), 69 – 74.</mixed-citation><mixed-citation xml:lang="en">N. McKeown et al., “OpenFlow: enabling innovation in campus networks”, ACM Comp. Comm. Review, 38:2 (2008), 69 – 74.</mixed-citation></citation-alternatives></ref><ref id="cit10"><label>10</label><citation-alternatives><mixed-citation xml:lang="ru">Open Networking Foundation, “OpenFlow switch specification v. 1.4.0”, URL: https://www.opennetworking.org/images/stories/downloads/sdn-resources/onfspecifications/openflow/openflow-spec-v1.4.0.pdf, Last accessed: 10.05.2015.</mixed-citation><mixed-citation xml:lang="en">Open Networking Foundation, “OpenFlow switch specification v. 1.4.0”, URL: https://www.opennetworking.org/images/stories/downloads/sdn-resources/onfspecifications/openflow/openflow-spec-v1.4.0.pdf, Last accessed: 10.05.2015.</mixed-citation></citation-alternatives></ref><ref id="cit11"><label>11</label><citation-alternatives><mixed-citation xml:lang="ru">A. Sabelfeld, A.C. Myers, “Language-based information-flow security”, IEEE Journal on Selected Areas in Communications, 21 (2003), 5–19.</mixed-citation><mixed-citation xml:lang="en">A. Sabelfeld, A.C. Myers, “Language-based information-flow security”, IEEE Journal on Selected Areas in Communications, 21 (2003), 5–19.</mixed-citation></citation-alternatives></ref><ref id="cit12"><label>12</label><citation-alternatives><mixed-citation xml:lang="ru">R. Smeliansky, “SDN for network security”, Modern Networking Technologies: SDN &amp; NFV – The Next Generation of Computational Infrastructure (October 28–29, 2014, Moscow, Russia), 155–159.</mixed-citation><mixed-citation xml:lang="en">R. Smeliansky, “SDN for network security”, Modern Networking Technologies: SDN &amp; NFV – The Next Generation of Computational Infrastructure (October 28–29, 2014, Moscow, Russia), 155–159.</mixed-citation></citation-alternatives></ref><ref id="cit13"><label>13</label><citation-alternatives><mixed-citation xml:lang="ru">D. Zhang et al., “Jif: Java+ information flow”, URL: http://www.cs.cornell.edu/jif/, Last accessed: 10.05.2015.</mixed-citation><mixed-citation xml:lang="en">D. Zhang et al., “Jif: Java+ information flow”, URL: http://www.cs.cornell.edu/jif/, Last accessed: 10.05.2015.</mixed-citation></citation-alternatives></ref><ref id="cit14"><label>14</label><citation-alternatives><mixed-citation xml:lang="ru">D. Zhang et al., “A Hardware Design Language for Timing-Sensitive Information-Flow Security”, ASPLOS 2015 : Architectural Support for Programming Languages and Operating Systems (Mar 14 – 18, 2015, Istanbul, Turkey).</mixed-citation><mixed-citation xml:lang="en">D. Zhang et al., “A Hardware Design Language for Timing-Sensitive Information-Flow Security”, ASPLOS 2015 : Architectural Support for Programming Languages and Operating Systems (Mar 14 – 18, 2015, Istanbul, Turkey).</mixed-citation></citation-alternatives></ref><ref id="cit15"><label>15</label><citation-alternatives><mixed-citation xml:lang="ru">D. Hedin et al., “JSFlow: Tracking Information Flow in JavaScript and its APIs”, The 29th Symposium On Applied Computing (March 24 – 28, 2014, Gyeongju, Korea), 1663–1671.</mixed-citation><mixed-citation xml:lang="en">D. Hedin et al., “JSFlow: Tracking Information Flow in JavaScript and its APIs”, The 29th Symposium On Applied Computing (March 24 – 28, 2014, Gyeongju, Korea), 1663–1671.</mixed-citation></citation-alternatives></ref><ref id="cit16"><label>16</label><citation-alternatives><mixed-citation xml:lang="ru">O. Arden et al., “Sharing Mobile Code Securely With Information Flow Control”, IEEE Symp. on Security and Privacy (SP), 2012, 191–205.</mixed-citation><mixed-citation xml:lang="en">O. Arden et al., “Sharing Mobile Code Securely With Information Flow Control”, IEEE Symp. on Security and Privacy (SP), 2012, 191–205.</mixed-citation></citation-alternatives></ref><ref id="cit17"><label>17</label><citation-alternatives><mixed-citation xml:lang="ru">A. Cheung et al., “Using Program Analysis to Improve Database Applications”, IEEE Data Eng. Bull., 37:1 (2014), 48–59.</mixed-citation><mixed-citation xml:lang="en">A. Cheung et al., “Using Program Analysis to Improve Database Applications”, IEEE Data Eng. Bull., 37:1 (2014), 48–59.</mixed-citation></citation-alternatives></ref></ref-list><fn-group><fn fn-type="conflict"><p>The authors declare that there are no conflicts of interest present.</p></fn></fn-group></back></article>
