{Work Safety Management} Chapter 13: Mobile Code Security

Uploaded by: 冯** | Document ID: 139920074 | Upload date: 2020-07-25 | Format: PPTX | Pages: 30 | Size: 196.76 KB

Chapter 13: Mobile Code Security
Xidian University, Institute of Electronic Countermeasures
Information Countermeasures

Mobile Code / Mobile Agent
- C/S model: C: ; S: R/C
- Code on demand: C: R; S: C
- Remote computing: C: C; S: R
- Mobile agent: C: C; S: R

Malicious Code
1. Mobile code attacks the environment where it is executed.
- Attacks by an agent on the agent platform:
  - unauthorized access to information residing on the agent platform;
  - authorized access exercised in an expected and destructive way.
- Bears some similarity with Trojan horses.

Malicious Host
2. Malicious host
- A receiving agent platform can easily isolate and capture an agent and attack it by extracting information, corrupting or modifying its code or state, denying requested services, or simply reinitializing or terminating it.

Threats from Other Agents
3. Threats from agents to other agents
- An agent can attack another agent using a few common methods. These include falsifying transactions, eavesdropping on conversations, or interfering with an agent's activity.

Threats from Other Entities
4. Threats from other entities to the agent system
- Even assuming that the currently running agents and agent platforms are all well behaved, other entities both outside and inside the agent framework may attempt to disrupt, harm, or subvert the activity of the agent system.

Protection of a Host from a Mobile Code
Two directions:
- A mobile code infrastructure that is gradually enhanced with authentication, data integrity and access control mechanisms.
- Verification of mobile code semantics.

Safe Interpreters
- Running straight binaries presents some serious security problems.
- A common approach is to forgo compiled executables and to interpret the mobile code instead.
- The interpreter has fine-grained control over the applet.
- It can examine each instruction or statement.
- The safety of the system is reduced to the correctness of the security policy implemented by the interpreter.

Fault Isolation
- Interpreters suffer a serious performance overhead.
- The untrusted code is loaded into its own part of the address space, known as a fault domain.
- The code is instrumented to be sure that each load, store, or jump instruction is to an address in the fault domain.

Fault Isolation: two ways
- 1: insert a conditional check of the address and raise an exception if it is invalid, or
- 2: simply overwrite the upper bits of the address to correspond to those of the fault domain.
- At much lower cost than interpreters.
- Sandbox: a restricted environment.

Code Verification
- Although software fault isolation certainly provides mobile code safety with higher performance than interpretation, we are still subject to the overheads of the code instrumentation, as well as the overheads of the indirected calls which access resources.
- Proof-carrying code can be used to address some of these issues.

Code Verification: program checking
- Checking a mobile code means performing a verification on the code structure, or on the code behavior as it is run, and modifying the status of the code in consequence.
- Sandboxes: rudimentary program check, either statically, for instance to ensure that operands of an instruction are of the correct type, or dynamically, for example to locate any access to a protected resource.

Proof-Carrying Code
- A predefined security policy is defined in terms of a logic.
- The host first asks to be sent a proof that the code respects the policy before it actually agrees to run it.
- The code producer sends the program and an accompanying proof.
- After receiving the code, the host can check the program with the guidance of the proof.

Proof-Carrying Code (continued)
- One key question which affects the usefulness of this approach is: what program properties are expressible and provable in the LF logic used to publish the security policy and encode the proof?
- PCC sacrifices platform-independence for performance.

Protection of a Mobile Code from a Malicious Host
- The problem of protection from a malicious host has been studied only recently, and is intrinsically more difficult because the environment gets total control over the mobile code (otherwise, host protection would not be possible!).
- Classified along 2 criteria: 1) data versus code protection, and 2) integrity or confidentiality-based.

Malicious Host
Solutions to the malicious host problem should focus on two themes:
- 1. Being able to prove that tampering occurred.
- 2. Preventing leakage of secret information.

Detecting Tampering
- Execution Tracing
- Authenticating Partial Results

Execution Tracing
The agent's code is divided into 2 types of instructions:
- those that depend only on the agent's internal state;
- those that depend upon interaction with the evaluation environment.
- Former: the new values are recorded in the trace.
- Latter: the new values are recorded and digitally signed.

Execution Tracing (continued)
The trace can be examined to determine if the host either:
- incorrectly executed an internal-only instruction, or
- lied to the agent during one of its interactions with the environment.

Authenticating Partial Results
Partial Result Authentication Code
- An agent is sent out with a set of secret keys k1, k2, ..., kn.
- At server i, the agent uses key ki to sign the result of its execution there, thereby producing a PRAC, and then erases ki from its state before moving to the next server.
- Guarantees perfect forward integrity.

Preserving Secrecy
- The motivation of an agent to preserve some secrecy from the malicious host is that there are some situations in which simple detection after the fact is insufficient or unsatisfactory:
  - the cost of legal action;
  - a private key compromised.

Preserving Secrecy (continued)
To solve the following problem: Our agent's program computes some fun
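The two fault-isolation techniques from the "Fault Isolation: two ways" slide, modelled side by side. This is an added example, not part of the original slides; the 16-bit address space, the segment layout and all function names are assumptions made for illustration.

```python
# Model of the two software-fault-isolation variants (added example).
# Assumed layout: 16-bit addresses, upper 4 bits = segment, lower 12 = offset.

SEG_BITS = 12
OFFSET_MASK = (1 << SEG_BITS) - 1   # 0x0FFF
FAULT_SEG = 0x3                     # untrusted code owns 0x3000-0x3FFF
MEM_SIZE = 1 << 16


class FaultDomainViolation(Exception):
    """Raised by the checking variant when an address leaves the fault domain."""


def in_domain(addr):
    return (addr >> SEG_BITS) == FAULT_SEG


def checked_store(mem, addr, value):
    """Way 1: conditional check before the store; invalid address raises."""
    if not in_domain(addr):
        raise FaultDomainViolation(hex(addr))
    mem[addr] = value
    return addr


def masked_store(mem, addr, value):
    """Way 2: overwrite the upper bits with the fault domain's segment id.
    No violation is reported; the store is silently redirected into the domain."""
    forced = (FAULT_SEG << SEG_BITS) | (addr & OFFSET_MASK)
    mem[forced] = value
    return forced


def sfi_demo():
    mem = bytearray(MEM_SIZE)
    mem[0x1234] = 0xAA              # constructed "trusted" byte outside the domain
    target = 0x1234                 # untrusted code aims a store at it
    try:
        checked_store(mem, target, 0x41)
        caught = False
    except FaultDomainViolation:
        caught = True
    landed = masked_store(mem, target, 0x41)
    # (violation detected?, where the masked store landed, trusted byte, domain byte)
    return caught, landed, mem[0x1234], mem[landed]
```

Both variants keep the trusted byte intact; only the checking variant tells the host that the code misbehaved, while masking trades that signal for a cheaper instruction sequence.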
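The Partial Result Authentication Code scheme from the "Authenticating Partial Results" slide, showing why a later host cannot rewrite an earlier result. This is an added example, not code from the slides; HMAC-SHA-256 stands in for the slide's "sign" step, and the class, function and server names are assumptions.

```python
import hashlib
import hmac
import secrets


def prac(key, server_id, result):
    # HMAC-SHA-256 stands in for the slide's "sign" step (assumption).
    # The server id is bound into the tag so results cannot be swapped between hops.
    return hmac.new(key, server_id.encode() + b"\x00" + result,
                    hashlib.sha256).digest()


class Agent:
    def __init__(self, keys):
        self.keys = list(keys)   # k1..kn, known only to the agent and its originator
        self.results = []        # (server_id, result, PRAC) carried between hosts

    def visit(self, server_id, result):
        key = self.keys.pop(0)   # ki leaves the agent's state here, before migration
        self.results.append((server_id, result, prac(key, server_id, result)))


def verify(original_keys, results):
    """Originator side: return the indices of entries whose PRAC does not verify."""
    bad = []
    for i, (server_id, result, tag) in enumerate(results):
        expected = prac(original_keys[i], server_id, result)
        if not hmac.compare_digest(tag, expected):
            bad.append(i)
    return bad


def prac_demo():
    keys = [secrets.token_bytes(32) for _ in range(3)]  # constructed keys
    agent = Agent(keys)
    agent.visit("shop-a", b"price=120")                 # constructed results
    agent.visit("shop-b", b"price=95")
    # A tampering third host sees only k3: it can alter the stored result from
    # shop-a but cannot recompute the PRAC that was made with the erased k1.
    sid, _, old_tag = agent.results[0]
    agent.results[0] = (sid, b"price=999", old_tag)
    agent.visit("shop-c", b"price=110")
    return verify(keys, agent.results), len(agent.keys)
```

The originator's check flags entry 0 only, and the agent returns holding no keys.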
