安全与可信securityandtrusted脆弱性安全vs结构性安全

上传人:s9****2 文档编号:580523291 上传时间:2024-08-29 格式:PPT 页数:65 大小:2.35MB
返回 下载 相关 举报
安全与可信securityandtrusted脆弱性安全vs结构性安全_第1页
第1页 / 共65页
安全与可信securityandtrusted脆弱性安全vs结构性安全_第2页
第2页 / 共65页
安全与可信securityandtrusted脆弱性安全vs结构性安全_第3页
第3页 / 共65页
安全与可信securityandtrusted脆弱性安全vs结构性安全_第4页
第4页 / 共65页
安全与可信securityandtrusted脆弱性安全vs结构性安全_第5页
第5页 / 共65页
点击查看更多>>
资源描述

《安全与可信securityandtrusted脆弱性安全vs结构性安全》由会员分享,可在线阅读,更多相关《安全与可信securityandtrusted脆弱性安全vs结构性安全(65页珍藏版)》请在金锄头文库上搜索。

1、1安全与可信security and trusted脆弱性安全脆弱性安全 vs. 结构性安全结构性安全Vulnerability vs. Structure攻防两端如何在结构性安全环境中寻求空间Space in the structural environmenthttp:/ security结构性安全Structural security结构性安全中的脆弱性Vulnerabilities in structures结构性威胁Structural threats3脆弱性安全Vulnerability-oriented security4脆弱性Vulnerabilities弱口令 simple

2、password病毒 virus操作系统漏洞 OS flaw协议漏洞 protocol flaw造成拒绝服务攻击的性能限制performance limitation防火墙配置不当 bad configuration of firewalls 5面向脆弱性的安全Vulnerability-oriented security防病毒系统 anti-virus system漏洞扫描系统 vulnerability scanner补丁管理系统 patch management system入侵检测系统 IDS防拒绝服务攻击系统 anti-DoS防火墙 Firewall多功能安全网关 UTM 6PSPC

3、需求驱动筐架Requirement Driven BaCaMeth需求筐架Req.BCM.来自内部From Internal来自外部From External主动引导Active体系化体系化Systematic政策性政策性Policy被动要求Passive问题型问题型Problem合规性合规性Compliance7面向脆弱性的风险管理Vulnerability-oriented risk management8国家标准中的风险管理关系图Risk management elements in Chinese standard9最精简的风险管理要素模型3-element risk manageme

4、nt model102006 SC AwardsBest anti-malware solution Best Anti-spyware Best Anti-trojan Best Anti-virus Best Anti-worm Best Content Security Solution Best Anti-spam Best Email Content Filtering Best Email Security Best IM security Best Intellectual Property Protection Best Network Security Solution Be

5、st Wireless Security Best Enterprise Firewall Best Intrusion Detection Best Intrusion Prevention Best Desktop Firewall Best Remote Access Best VPN - SSL Best VPN - Ipsec Best Endpoint Security Solution Best Web Filtering Best Encryption Best Identity Management Solution Best Password Management Best

6、 Authentication Best Single Sign-on Best Two-Factor Solution Best Unified Threat Solution Best Integrated Security Software Best Integrated Security Appliance Best Managed Security Service Best Email Managed Service Best Network Security Management Best Event Management Best Computer Forensics Best

7、Policy Management Best Security Audit Best Security Management Tool Best Vulnerability Assessment and Remediation Best Patch Management Best Vulnerability Assessment Source from: http:/ security industrial environment威胁方Threat agents厂商Provider用户User12木桶原理的迷失Misleading of Cask Rule误导将整体结构仅仅简化为防御结构不考虑

8、防御纵深问题只考虑静态的结果状态没有成本观念 MisleadingOnly consider prevention structureNot consider deep preventionOnly consider static stateNot consider cost-effective 13结构性安全Structural security基本结构basic structure紧密结构 tight structure松散结构loose structure14访问控制的RM机制Reference monitor of access control访问控制的RM机制是非常基本的安全结构Re

9、ference monitor of access control is a very basic security structure15RM机制有效的结构性条件Structural conditions of valid RM mechanism三个条件不能被绕过不可篡改足够小,可以被证明3 conditions of VRMCan not be bypassCan not be tamperedBe small enough, can be proved16Randomly GeneratedSymmetric Key (seed + PRNG)AlicePublickeyPrivate

10、keyPrivate keyPublic keyBob密钥交换过程密钥交换过程Key Exchange ProcessmessageX15/ow83h7ERH39DJ3HmessageX15/ow83h7ERH39DJ3H17紧密安全结构的代表可信计算Tight security structure Trusted Computinghttp:/www.trustedcomputinggroup.org可信的定义 Definition of trust可信就是,一个设备的行为是按照其预期目标和指定方式执行的Trust is the expectation that a device will

11、behave in a particular manner for a specific purpose. 一个可信平台应当至少提供三个基本特性:保护能力、完整性测量和完整性报告A trusted platform should provide at least three basic features: protected capabilities, integrity measurement and integrity reporting. (From section 4.1, TCG Architecture Overview 1.0)18TCG的基石性原理Fundamental rul

12、e of TCG信任根就像“公理”一样,是信任的基础。在PC系统中,常常用硬件芯片实现。Roots of trustIn TCG systems roots of trust are components that must be trusted because misbehavior might not be detected. 信任链则是信任传递的机制。常常采用密码技术。Chains of trustTransitive trust also known as “Inductive Trust”, is a process where the Root of Trust gives a t

13、rustworthy description of a second group of functions. 19一个包含TPM的PCReference PC platform containing a TCG TPM20TCG 可信平台模块TCG Trusted Platform Module (TPM)一个可信平台常常拥有三个可信根There are commonly three Roots of Trust in a trusted platform测量可信根 root of trust for measurement (RTM)存储可信根 root of trust for stora

14、ge (RTS) 报告可信根 root of trust for reporting (RTR)21证明协议和消息交换Attestation protocol and message exchange22TPM 存储可信根的体系结构TPM Root of Trust for Storage (RTS)23TPM 部件体系结构TPM component architecture24TCG 软件分层TCG software layering25可信平台的生命周期The trusted platform lifecycle26可信平台上的用户认证User authentication using t

15、rusted platforms 27可信平台上的用户认证User authentication using trusted platforms28经典的四角模型The classical four corners model29四角模型的可信平台实现Detailed TP deployment architecture30TCG对于可信计算平台的划分8 categories of Trusted platform体系结构体系结构体系结构体系结构ArchitectureArchitectureArchitectureArchitectureTPMTPMTPMTPM移动设备移动设备移动设备移动设

16、备MobileMobileMobileMobile客户端客户端客户端客户端PC ClientPC ClientPC ClientPC Client服务器服务器服务器服务器ServerServerServerServer软件包软件包软件包软件包Software StackSoftware StackSoftware StackSoftware Stack存储存储存储存储StorageStorageStorageStorage可信网络连接可信网络连接可信网络连接可信网络连接Trusted Network ConnectTrusted Network ConnectTrusted Network C

17、onnectTrusted Network Connect31TCG的IWG和TNC的对应关系the IWG and TNC architecture32TNC体系结构TNC architecture33TNC体系结构下的消息流Message flow between components34拥有TPM的TNC体系结构The TNC architecture with the TPM35思科的自防御网络体系Ciscos self-defending network36思科的自防御网络体系Ciscos self-defending network37松散安全结构的代表框架和方案Loose sec

18、urity structure Framework松散结构中的各个部件关联关系,常常靠人的集成来实现The connection among the components of loose structure is always integrated by human.松散结构常常表现为框架Framework技术框架Technology framework管理体系Management systemISO27001, ISO20000, etc.3839技术功能是PDR的衍生PDR can express technology framework40检测能力是松散技术结构的关联要素Detecti

19、on make the loose structure tight攻击者不得不面对越来越多的Attackers have to face more入侵检测 IDS漏洞扫描 scanner应用审计系统 Application auditing system日志系统 log system蜜罐 honey pot取证系统 forensic system监控平台 monitoring platform等等 etc.41一个信息安全管理体系的结构Structure of a ISMS (modified ISO27001)42结构性安全中的脆弱性Vulnerabilities in structures

20、43你对刚才阐述的结构性安全有什么感觉?Whats your feeling about structural security?复杂 complex怀疑其完备性 concern about the completion成本 cost蠢人永远有 stupid guys are there 44不要被“结构性安全”给忽悠了!Do not be misled by structural security不要被“结构性安全”给忽悠了!脆弱性安全和结构性安全并不是对立的,也不是两个发展阶段;脆弱性安全也有结构,结构性安全也有脆弱性。Do not be misled by structural secu

21、rityVulnerability-oriented security also has structureStructural security also has vulnerabilities45借助非技术环节来侵害技术结构Find vulnerabilities from non-technology partsRandomly GeneratedSymmetric Key (seed + PRNG)AlicePublickeyPrivatekeyPrivate keyPublic keyBob46借助非技术环节来侵害技术结构Find vulnerabilities from non-t

22、echnology partsRandomly GeneratedSymmetric Key (seed + PRNG)AlicePublickeyPrivatekeyPrivate keyPublic keyBobPrivate keyPublic keyCarl线路的透明插入,可以完成对于加密通信的嗅探攻击47借助非技术环节来侵害技术结构Find vulnerabilities from non-technology partsRandomly GeneratedSymmetric Key (seed + PRNG)AlicePublickeyPrivatekeyPrivate keyPu

23、blic keyBobPrivate keyPublic keyCarl48结构性安全的局限性Limitation of structural security结构是在环境中的、有边界的environment and boundary49在生命周期中寻找弱点 Find vulnerabilities along the lifecycle厂家的生产环节常常会埋有后门back doors embedded during manufacturing没有一个系统是完美的No perfect system 50在结构的时序中寻找突破Find vulnerabilities through time s

24、equence以文档保密系统为例Sample: Document protection system文档的生成环节最可能存在漏洞Vulnerabilities during creating documentation51结构性安全的局限性Limitation of structural security结构是在环境中的、有边界的environment and boundary在不同阶段、不同人手中保持安全很困难different phases and organizations52在人性中寻找弱点Find vulnerabilities from human behavior社交工程攻击So

25、cial Engineering隐私保护Privacy protection自由倾向Anti-DRM懒惰Lazy 53结构性安全的局限性Limitation of structural security结构是在环境中的、有边界的environment and boundary在不同阶段、不同人手中保持安全很困难different phases and organizations人把科学变成了艺术Human transform science to art54结构本身可能就有问题Find vulnerabilities from structure itself55对于AR/PEP/PDP的伪装

26、,可能打破整个结构every role may be spoofed所有看似漂亮的结构,其性能和可用性问题可能会非常严重,会轻易被拒绝服务攻击击垮Most beautiful structures have performance and availability problems and may be easy to be kick down by DoS.那么多传统攻击方式,可能有的还有效Some traditional attacks are still effective结构本身可能就有问题Find vulnerabilities from structure itself56结构性安

27、全还要继续博弈We are still in the game怎么博弈?How to Play the game?你了解对方的结构吗?Do you know the structure of all players?你了解对方了解多少自己的结构吗?Do you know “how much have the other player known about your structure” ?57结构性威胁Structural threats知识、资源和原则Knowledge, Resources and Principles58知识Knowledge寻求对于系统更深层次技术结构的研究Who k

28、now lower?寻求对于系统宏观结构的了解Who know the macro-structure better?寻求对于具体对象的全面了解How many details do you know? 59资源Resources从分布式拒绝服务攻击到僵尸网络,掌握具有结构和组织的攻击体Botnet is a sample of structural software organization for attacking在时序上组成结构,非常有利于攻击Time sequence spreading is a good thinking of structural attack 60结构的一些关

29、键字Key words of structureBusinessDistributionHierarchyTime sequenceLife-cycleManagementOrganizationRegularProcess ControlValue业务分布式层次时序生命周期管理组织制度过程控制价值61流程化的结构思路Process-oriented structureprocessprocessprocessprocessinputinputinputinputoutputoutputoutputoutputProcess ownerProcess ownerProcess ownerPro

30、cess owneroperatoroperatoroperatoroperatorInfra-Infra-Infra-Infra-structurestructurestructurestructureKnowledgeKnowledgeKnowledgeKnowledgebasebasebasebaseLOGLOGLOGLOGArchiveArchiveArchiveArchiveProcessProcessProcessProcessimprovingimprovingimprovingimprovingMonitorMonitorMonitorMonitor62原则Principles

31、安全没有百分之百 No 100% Security安全相对性的三个原则 3 security relativity rule生存原则 survival rule风险原则 Risk rule保镖原则 bodyguard rule自身完备性要求Perfective requirement63总结 Conclusion脆弱性安全Vulnerability-oriented security结构性安全Structural security结构性安全中的脆弱性Vulnerabilities in structures结构性威胁Structural threats64总结:一个可以持续研究下去的课题Conclusion: A good problem to keep approaching脆弱性防御脆弱性防御V.O. defend结构性防御结构性防御Structuraldefend脆弱性攻击脆弱性攻击V.O. attack结构性攻击结构性攻击Structuralattack脆弱性和结构性 Vulnerability-oriented vs. structural攻击和防守 defend vs. attack65谢谢Thanks

展开阅读全文
相关资源
正为您匹配相似的精品文档
相关搜索

最新文档


当前位置:首页 > 高等教育 > 研究生课件

电脑版 |金锄头文库版权所有
经营许可证:蜀ICP备13022795号 | 川公网安备 51140202000112号