第13章移动代码安全

第13章：移动代码安全西安电子科技大学电子对抗研究所信息对抗MobileCode/MobileAgentC/SMODELC:;S:R/CCODEONDEMANDC:R;S:CREMOTECOMPUTINGC:C;S:RMOBILEAGENTC:C;S:RMALICIOUSCODE1、MOBILECODEATTACKSTHEENVIRONMENTWHEREITISEXECUTED.代理对代理平台的攻击对驻留在代理平台上的信息的非法访问；以预期和破坏性的方式授权访问。BEARSOMESIMILARITYWITHTROJANHORSESMALICIOUSHOST2、MALICIOUSHOST一个接收代理平台能很容易的分离、捕获一个代理，并通过如下方式攻击它：提取信息、毁坏或修改它的代码或状态、拒绝请求服务、或简单的重新初始化或终止它。THREATSFROMOTHERAGENTS3、代理对其它代理的威胁一个代理通过使用几个普通方法就可以攻击另一代理。这包括伪造事务，窃听谈话，或者干涉一个代理活动。THREATSFROMOTHERENTITIES4、其它实体对代理系统的威胁即使假设当前运行的代理和代理平台都是行为良好的，代理框架外部的和内部的其它实体也可能有扰乱，损坏，或破坏代理系统活动的企图PROTECTIONOOFAHOSTFROMAMOBILECODETWODIRECTIONS:Amobilecodeinfrastructurethatisgraduallyenhancedwithauthenticatin,dataintegrityandaccesscontrolmechanism.Verificationofmobilecodesemantics.SafeInterpretersrunningstraightbinariespresentssomeserioussecurityproblems.Acommonapproachistoforgocompiledexecutablesandinsteadtointerpretthemobilecodeinstead.Interpreterhasfine-grainedcontrolovertheappletCanexamineeachinstructionorstatementThesafetyofthesystemisreducedtothecorrectnessofthesecuritypolicyimplementedbytheinterpreterFaultIsolationInterpreterssufferaseriousperformanceoverhead.Theuntrustedcodeisloadedintoitsownpartoftheaddressspaceknownasafaultdomain.Thecodeisinstrumentedtobesurethateachload,store,orjumpinstructionsistoanaddressinthefaultdomain.FaultIsolationtwoways1:insertaconditionalcheckoftheaddressandraiseanexceptionifitisinvalid,or2:simplyoverwritetheupperbitsoftheaddresstocorrespondtothoseofthefaultdomain.AtmuchlowercostthaninterpretersSandboxarestrictedenvironmentCodeVerificationAlthoughsoftwarefaultisolationcertainlyprovidesmobilecodesafetywithhigherperformancethaninterpretation,wearestillsubjecttotheoverheadsofthecodeinstrumentation,aswellastheoverheadsoftheindirectedcallswhichaccessresources.Proof-carryingCodecanbeusedtoaddresssomeoftheseissuses.CodeVerification–programcheckingCheckingamobilecodemeanstoperformaverificationonthecodestructureoronthecodebehaviorasitisrunandmodifyinginconsequencethestatusofthecode.Sandboxes:rudimentaryprogramcheck,eitherstatically,forinstancetoensurethatoperandsofaninstuctionareofthecorrecttype,ordynamically,forexampletolocateanyaccesstoaprotectedresource.Proof-CarryingCodeApredefinedsecuritypolicyisdefinedintermsofalogic.Hostfirstaskstobesentaproofthatthecoderespectsthepolicybeforeheactuallyagreestorunit.ThecodeproducersendstheprogramandanaccompanyingproofAfterreceivingthecode,hostcanchecktheprogramwiththeguidanceoftheproof.Proof-CarryingCodeProof-CarryingCodeOnkeyquestionwhichaffectstheusefulnessofthisapproachisthatof:WhatprogrampropertiesareexpressibleandprovableintheLFlogicusedtopublishthesecuritypolicyandencodetheproof.PCCsacrificesplatform-independenceforperformance.ProtectionofamobilecodefromamalicioushostTheproblemofprotectionfromamalicioushosthasbeenstudiedonlyrecently,andisintrinsicallymoredifficultbecausetheenvironmentgetsatotalcontroloverthemobilecode(otherwise,hostprotectionwouldnotbepossible!)Classifiedalong2criteria,1)dataversuscodeprotection,and2)integrity–orconfidentiality-based.MaliciousHostSolutionstothemalicioushostproblemshouldfocusontwothemes:1.Beingabletoprovethattamperingoccurred2.Preventingleakageofsecretinformation.DetectingTamperingExecutionTracingAuthenticatingPartialResultsExecutionTracingTheagent’scodeisdividedinto2typesofinstructions:–Dependonlyontheagent’sinternalstate–Dependuponinteractionwiththeevaluationenvironment.Former:newvaluesrecordintraceLatter:recordingthenewvaluesanddigitallysignthem.ExecutionTracingThetracecanbeexaminedtodetermineifthehosteither:–Incorrectlyexecutedaninternal-onlyinstruction,or–Liedtotheagentduringoneofitsinteractionswiththeenvironment.AuthenticatingPartialResultsPartialResultAuthenticationCodeAnagentissentoutwithasetofsecretkeysk1,k2,…,kn.Atserveri,theagentuseskeykitosigntheresultofitsexecutionthere.TherebyproducingaPRAC,andtheneraseskifromitsstatebeforemovingtothenextserver.GuaranteeperfectforwardintegrityPreservingSecrecyThemotivationofanagenttopreservesomesecrecyfromthemalicioushostisthattherearesomesituationsinwhichsimpledetectionafter-the-factisinsufficientorunsatisfactory.ThecostoflegalactionAprivatekeycompromisedPreservingSecrecyTosolvethefollowingproblem:Ouragent’sprogramcomputessomefunctionf,andthehostiswillingtocomputef(x)fortheagent,buttheagentwantsthehosttolearnnothingsubstantiveaboutf.PreservingSecrecyPreservingSecrecy--protocolTheowneroftheagentencryptsf.TheownercreatesaprogramP(E(f))whichimplementsE(f)andputsitintheagent.Theagentgoestotheremotehost,whereitcomputeP(E(f))(x)andreturnhome.TheownerdecryptsP(E(f))(x)andobtainsf(x).五、保护代理（续）4、执行追踪执行追踪技术，通过使用代理在每一代理平台上执行过程中对其行为的可靠记录，来探测代理是否被非法修改。该技术要求涉及到的每一个平台，对代理在该平台停留期间所执行的操作，创建并保持一个客观的日志或跟踪文件，并作为一次跟踪的总结或指纹，提交对追踪的加密复述作为结论。五、保护代理（续）5、环境钥的产生环境钥产生[25]描述了一种设计，它允许代理在一些环境条件为真的时候，执行预先定义的行为。这种方法集中于采用如下方法构建代理，即遇到一种状态环境时（如通过匹配一个搜索串），产生一个环境钥，用它来解锁一些加密的可执行代码。五、保护代理（续）6、具有加密功能的计算具有加密功能计算的目的，是确定一种方法，使得移动代码能安全地计算密码操作原语，例如一个数字的签名，即使代码是在不可信赖的计算环境中执行并且是自主操作，而没有与起始平台相互作用。该方