[精选]第13章移动代码安全7762.pptx

第13章：移动代码安全 西安电子科技大学西安电子科技大学电子对抗研究所电子对抗研究所信息对抗信息对抗Mobile Code/Mobile Agent l C/S MODELC:;S:R/Cl CODE ON DEMANDC:R;S:Cl REMOTE COMPUTINGC:C;S:Rl MOBILE AGENTC:C;S:R MALICIOUS CODE1、MOBILE CODE ATTACKS THE ENVIRONMENT WHERE IT IS EXECUTED.代理对代理平台的攻击代理对代理平台的攻击 对驻留在代理平台上的信息的非法访问；对驻留在代理平台上的信息的非法访问；以预期和破坏性的方式授权访问以预期和破坏性的方式授权访问。BEAR SOME SIMILARITY WITH TROJAN HORSESMALICIOUS HOST2、MALICIOUS HOST 一一个个接接收收代代理理平平台台能能很很容容易易的的分分离离、捕捕获获一一个个代代理理，并并通通过过如如下下方方式式攻攻击击它它：提提取取信信息息、毁毁坏坏或或修修改改它它的的代代码码或或状状态态、拒拒绝绝请请求求服服务务、或或简简单单的的重新初始化或终止它。重新初始化或终止它。THREATS FROM OTHER AGENTS3、代理对其它代理的威胁代理对其它代理的威胁 一一个个代代理理通通过过使使用用几几个个普普通通方方法法就就可可以以攻攻击击另另一一代代理理。这这包包括括伪伪造造事事务务，窃窃听听谈谈话话，或者干涉一个代理活动。或者干涉一个代理活动。THREATS FROM OTHER ENTITIES4、其它实体对代理系统的威胁其它实体对代理系统的威胁 即即使使假假设设当当前前运运行行的的代代理理和和代代理理平平台台都都是是行行为为良良好好的的，代代理理框框架架外外部部的的和和内内部部的的其其它它实实体体也也可可能能有有扰扰乱乱，损损坏坏，或或破破坏坏代代理理系统活动的企图系统活动的企图 PROTECTIONO OF A HOST FROM A MOBILE CODElTWO DIRECTIONS:lA mobile code infrastructure that is gradually enhanced with authenticatin,data integrity and access control mechanism.lVerification of mobile code semantics.Safe Interpretersl running straight binaries presents some serious security problems.lA common approach is to forgo compiled executables and instead to interpret the mobile code instead.lInterpreter has fine-grained control over the appletlCan examine each instruction or statementlThe safety of the system is reduced to the correctness of the security policy implemented by the interpreterFault IsolationlInterpreters suffer a serious performance overhead.lThe untrusted code is loaded into its own part of the address space known as a fault domain.lThe code is instrumented to be sure that each load,store,or jump instructions is to an address in the fault domain.Fault Isolationtwo waysl1:insert a conditional check of the address and raise an exception if it is invalid,orl2:simply overwrite the upper bits of the address to correspond to those of the fault domain.lAt much lower cost than interpretersSandbox a restricted environmentCode VerificationlAlthough software fault isolation certainly provides mobile code safety with higher performance than interpretation,we are still subject to the overheads of the code instrumentation,as well as the overheads of the indirected calls which access resources.lProof-carrying Code can be used to address some of these issuses.Code Verification program checkinglChecking a mobile code means to perform a verification on the code structure or on the code behavior as it is run and modifying in consequence the status of the code.lSandboxes:rudimentary program check,either statically,for instance to ensure that operands of an instuction are of the correct type,or dynamically,for example to locate any access to a protected resource.Proof-Carrying CodelA predefined security policy is defined in terms of a logic.lHost first asks to be sent a proof that the code respects the policy before he actually agrees to run it.lThe code producer sends the program and an accompanying prooflAfter receiving the code,host can check the program with the guidance of the proof.Proof-Carrying CodeProof-Carrying CodelOn key question which affects the usefulness of this approach is that of:lWhat program properties are expressible and provable in the LF logic used to publish the security policy and encode the proof.lPCC sacrifices platform-independence for performance.Protection of a mobile code from a malicious host lThe problem of protection from a malicious host has been studied only recently,and is intrinsically more difficult because the environment gets a total control over the mobile code(otherwise,host protection would not be possible!)lClassified along 2 criteria,1)data versus code protection,and 2)integrity or confidentiality-based.Malicious HostSolutions Solutions to to the the malicious malicious host host problem problem should should focus on two themes:focus on two themes:1.Being able to prove that tampering occurred 1.Being able to prove that tampering occurred 2.Preventing leakage of secret information.2.Preventing leakage of secret information.Detecting TamperinglExecution TracinglAuthenticating Partial ResultsExecution TracinglThe agents code is divided into 2 types of instructions:Depend only on the agents internal stateDepend upon interaction with the evaluation environment.lFormer:new values record in tracelLatter:recording the new values and digitally sign them.Execution TracinglThe trace can be examined to determine if the host either:Incorrectly executed an internal-only instruction,or Lied to the agent during one of its interactions with the environment.Authenticating Partial ResultslPartial Result Authentication CodelAn agent is sent out with a set of secret keys k1,k2,kn.lAt server i,the agent uses key ki to sign the result of its execution there.Thereby producing a PRAC,and then erases ki from its state before moving to the next server.lGuarantee perfect forward integrityPreserving SecrecylThe motivation of an agent to preserve some secrecy from the malicious host is that there are some situations in which simple detection after-the-fact is insufficient or unsatisfactory.lThe cost of legal actionlA private key compromisedPreserving SecrecylTo solve the following problem:lOur agents program computes some function f,land the host is willing to compute f(x)for the agent,lbut the agent wants the host to learn nothing substantive about f.Preserving SecrecyPreserving Secrecy-protocollThe owner of the agent encrypts f.lThe owner creates a program P(E(f)which implements E(f)and puts it in the agent.lThe agent goes to the remote host,where it compute P(E(f)(x)and return home.lThe owner decrypts P(E(f)(x)and obtains f(x).五、保护代理（续）4、执行追踪执行追踪 执执行行追追踪踪技技术术，通通过过使使用用代代理理在在每每一一代代理理平平台台上上执执行行过过程程中中对对其其行行为为的的可可靠靠记记录录，来来探探测测代代理理是是否否被被非非法法修修改改。该该技技术术要要求求涉涉及及到到的的每每一一个个平平台台，对对代代理理在在该该平平台台停停留留期期间间所所执执行行的的操操作作，创创建建并并保保持持一一个个客客观观的的日日志志或或跟跟踪踪文文件件，并并作作为为一一次次跟跟踪踪的的总结或指纹，提交对追踪的加密复述作为结论。总结或指纹，提交对追踪的加密复述作为结论。五、保护代理（续）5、环境钥的产生环境钥的产生 环环境境钥钥产产生生25描描述述了了一一种种设设计计，它它允允许许代代理理在在一一些些环环境境条条件件为为真真的的时时候候，执执行行预预先先定定义义的的行行为为。这这种种方方法法集集中中于于采采用用如如下下方方法法构构建建代代理理，即即遇遇到到一一种种状状态态环环境境时时（如如通通过过匹匹配配一一个个搜搜索索串串），产产生生一一个环境钥，用它来解锁一些加密的可执行代码。个环境钥，用它来解锁一些加密的可执行代码。五、保护代理（续）6、具有加密功能的计算具有加密功能的计算 具具有有加加密密功功能能计计算算的的目目的的，是是确确定定一一种种方方法法，使使得得移移动动代代码码能能安安全全地地计计算算密密码码操操作作原原语语，例例如如一一个个数数字字的的签签名名，即即使使代代码码是是在在不不可可信信赖赖的的计计算算环环境境中中执执行行并并且且是是自自主主操操作作，而而没没有有与与起起始始平平台台相相互互作作用用。该该方方法法使使得得平平台台执执行行一一段段程程序序，该该程程序序包包含含有有译译成成了了密密文文的的函函数数，而而不不能能识识别别出出初初始始函函数数；这这种种方法需要区别函数和执行函数的程序。方法需要区别函数和执行函数的程序。五、保护代理（续）7模糊代码模糊代码 Hohl针针对对黑黑盒盒的的安安全全性性，提提出出了了由由于于代代理理遭遭遇遇恶恶意意主主机机而而被被威威胁胁的的一一个个详详细细概概述述。针针对对这这种种一一般般技技术术的的一一个个严严重重的的问问题题是是，没没有有已已知知的的算算法法或或方方法法可可以以提提供供对对黑黑盒盒的的保保护护。然然而而，本本文文引引用用了了一一种种具具有有加加密密函函数数功功能能的的计计算算，作作为为一一种种可可以以划划分分到到黑黑盒盒范范畴畴的的方方法法举举例例，它它具具有有某某些些预预定定的的关关于于应应用用的的输输入入规范限制范围。规范限制范围。