【文档说明】第13章移动代码安全.pptx，共(30)页，196.756 KB，由精品优选上传

转载请保留链接：https://www.ichengzhen.cn/view-287580.html

以下为本文档部分文字说明：

第13章：移动代码安全西安电子科技大学电子对抗研究所信息对抗MobileCode/MobileAgent⚫C/SMODEL→C:;S:R/C⚫CODEONDEMAND→C:R;S:C⚫REMOTECOMPUTING

→C:C;S:R⚫MOBILEAGENT→C:C;S:RMALICIOUSCODE1、MOBILECODEATTACKSTHEENVIRONMENTWHEREITISEXECUTED.代理对代理平台的攻击对驻留在代理平台上的信息的非法访问；以预

期和破坏性的方式授权访问。BEARSOMESIMILARITYWITHTROJANHORSESMALICIOUSHOST2、MALICIOUSHOST一个接收代理平台能很容易的分离、捕获一个代理，并通过如下方式攻击它：提取信息、毁坏或修改它的代码

或状态、拒绝请求服务、或简单的重新初始化或终止它。THREATSFROMOTHERAGENTS3、代理对其它代理的威胁一个代理通过使用几个普通方法就可以攻击另一代理。这包括伪造事务，窃听谈话，或者干涉一个代理活动。THREATSFROMOTHERENTITIES4、

其它实体对代理系统的威胁即使假设当前运行的代理和代理平台都是行为良好的，代理框架外部的和内部的其它实体也可能有扰乱，损坏，或破坏代理系统活动的企图PROTECTIONOOFAHOSTFROMAMOBILECODE⚫TWODIRECTIONS:⚫Amobilecodeinfrastructuret

hatisgraduallyenhancedwithauthenticatin,dataintegrityandaccesscontrolmechanism.⚫Verificationofmobilecodesemantics.SafeInterpreters⚫runningstraig

htbinariespresentssomeserioussecurityproblems.⚫Acommonapproachistoforgocompiledexecutablesandinsteadto

interpretthemobilecodeinstead.⚫Interpreterhasfine-grainedcontrolovertheapplet⚫Canexamineeachinstructionorstatement⚫Thesafetyofthesystemisreducedtoth

ecorrectnessofthesecuritypolicyimplementedbytheinterpreterFaultIsolation⚫Interpreterssufferaseriousperformanceoverhead.⚫Theuntrustedc

odeisloadedintoitsownpartoftheaddressspaceknownasafaultdomain.⚫Thecodeisinstrumentedtobesurethateachload,store,orjumpinstructionsistoanaddr

essinthefaultdomain.FaultIsolation→twoways⚫1:insertaconditionalcheckoftheaddressandraiseanexceptionifitisinvalid,or⚫2:simplyoverwritetheupper

bitsoftheaddresstocorrespondtothoseofthefaultdomain.⚫AtmuchlowercostthaninterpretersSandbox→arestrictedenviron

mentCodeVerification⚫Althoughsoftwarefaultisolationcertainlyprovidesmobilecodesafetywithhigherperformancethaninterpretation,wearestillsub

jecttotheoverheadsofthecodeinstrumentation,aswellastheoverheadsoftheindirectedcallswhichaccessresources.⚫Proof-carryingCodecanbeusedtoaddr

esssomeoftheseissuses.CodeVerification–programchecking⚫Checkingamobilecodemeanstoperformaverificationonthec

odestructureoronthecodebehaviorasitisrunandmodifyinginconsequencethestatusofthecode.⚫Sandboxes:rudimentaryprogramcheck,

eitherstatically,forinstancetoensurethatoperandsofaninstuctionareofthecorrecttype,ordynamically,forexampletolocateanyaccesstoaprotecte

dresource.Proof-CarryingCode⚫Apredefinedsecuritypolicyisdefinedintermsofalogic.⚫Hostfirstaskstobesentaproofthatthecode

respectsthepolicybeforeheactuallyagreestorunit.⚫Thecodeproducersendstheprogramandanaccompanyingproof⚫Afterreceivingthecode,hostc

anchecktheprogramwiththeguidanceoftheproof.Proof-CarryingCodeProof-CarryingCode⚫Onkeyquestionwhichaffectstheusefulnesso

fthisapproachisthatof:⚫WhatprogrampropertiesareexpressibleandprovableintheLFlogicusedtopublishthesecuritypolicyandencodetheproof.⚫PCCsacrificesplat

form-independenceforperformance.Protectionofamobilecodefromamalicioushost⚫Theproblemofprotectionfromamalicioushosthasb

eenstudiedonlyrecently,andisintrinsicallymoredifficultbecausetheenvironmentgetsatotalcontroloverthemobilecode(other

wise,hostprotectionwouldnotbepossible!)⚫Classifiedalong2criteria,1)dataversuscodeprotection,and2)integrity–orconfidentiality-based.Maliciou

sHostSolutionstothemalicioushostproblemshouldfocusontwothemes:1.Beingabletoprovethattamperingoccurred2.Preventingle

akageofsecretinformation.DetectingTampering⚫ExecutionTracing⚫AuthenticatingPartialResultsExecutionTracing⚫Theagent’scodeisdividedinto2

typesofinstructions:–Dependonlyontheagent’sinternalstate–Dependuponinteractionwiththeevaluationenvironment.⚫Former:new

valuesrecordintrace⚫Latter:recordingthenewvaluesanddigitallysignthem.ExecutionTracing⚫Thetracecanbeexaminedtodetermineiftheh

osteither:–Incorrectlyexecutedaninternal-onlyinstruction,or–Liedtotheagentduringoneofitsinteractionswiththeen

vironment.AuthenticatingPartialResults⚫PartialResultAuthenticationCode⚫Anagentissentoutwithasetofsecretkeysk1,k2,…,kn.⚫Atserv

eri,theagentuseskeykitosigntheresultofitsexecutionthere.TherebyproducingaPRAC,andtheneraseskifromitsstatebeforemovingtot

henextserver.⚫GuaranteeperfectforwardintegrityPreservingSecrecy⚫Themotivationofanagenttopreservesomes

ecrecyfromthemalicioushostisthattherearesomesituationsinwhichsimpledetectionafter-the-factisinsufficientorunsatisfactory.⚫T

hecostoflegalaction⚫AprivatekeycompromisedPreservingSecrecy⚫Tosolvethefollowingproblem:⚫Ouragent’sprogramcomputessomefunc

tionf,⚫andthehostiswillingtocomputef(x)fortheagent,⚫buttheagentwantsthehosttolearnnothingsubstantiveaboutf.Preservi

ngSecrecyPreservingSecrecy--protocol⚫Theowneroftheagentencryptsf.⚫TheownercreatesaprogramP(E(f))which

implementsE(f)andputsitintheagent.⚫Theagentgoestotheremotehost,whereitcomputeP(E(f))(x)andreturnhome.⚫Theo

wnerdecryptsP(E(f))(x)andobtainsf(x).五、保护代理（续）4、执行追踪执行追踪技术，通过使用代理在每一代理平台上执行过程中对其行为的可靠记录，来探测代理是否被非法修改。该技术要求涉及到的每

一个平台，对代理在该平台停留期间所执行的操作，创建并保持一个客观的日志或跟踪文件，并作为一次跟踪的总结或指纹，提交对追踪的加密复述作为结论。五、保护代理（续）5、环境钥的产生环境钥产生[25]描述了一

种设计，它允许代理在一些环境条件为真的时候，执行预先定义的行为。这种方法集中于采用如下方法构建代理，即遇到一种状态环境时（如通过匹配一个搜索串），产生一个环境钥，用它来解锁一些加密的可执行代码。五、保护代理（续）6、具有加密功能的计算具有加密功能计算的目的，是确定一种方法，使

得移动代码能安全地计算密码操作原语，例如一个数字的签名，即使代码是在不可信赖的计算环境中执行并且是自主操作，而没有与起始平台相互作用。该方法使得平台执行一段程序，该程序包含有译成了密文的函数，而不能识别出初始函数；这种方法需要区别函数和执行函数的程序。五、保护代理（续）7

模糊代码Hohl针对黑盒的安全性，提出了由于代理遭遇恶意主机而被威胁的一个详细概述。针对这种一般技术的一个严重的问题是，没有已知的算法或方法可以提供对黑盒的保护。然而，本文引用了一种具有加密函数功能的计算，作为一种可以划分到黑盒范畴的方法举例，它具有某些预定的关于应用

的输入规范限制范围。