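Graduation Project: Translation of Foreign-Language Material

School:    Major and class:    Student name:    Student ID:    Supervisor:
Source of the foreign text: Data Tethers: Preventing Information Leakage by Enforcing Environmental Data Access Policies
Attachments: 1. Translation of the foreign-language material; 2. Original foreign-language text

Supervisor's comments: The student translated technical terms and vocabulary with a high degree of accuracy, reflecting a certain level of professional English ability. The translation work was fairly careful and meticulous; the translated material is basically consistent with the original and basically conveys its meaning correctly, with details handled properly and accurately. The number of translated characters and words meets the requirement. The sentences of the translation are fairly fluent and fit Chinese idiom. The translation work was carried out as required and achieves the purpose of assessing and improving the student's applied English.
Signature:    Date (year / month / day):

Translation of the Foreign-Language Material

Data Tethers: Preventing Information Leakage by Enforcing Data Access Policies

Introduction

Data loss is one of the issues of greatest concern to individuals, companies, institutions and governments. Although some data loss is caused by hacker intrusions, many large-scale data losses are caused by the loss of a computer's data storage device or by misconfigured software. When a laptop's flash drive loses its data, or internal data is shared through misconfigured software, millions of sensitive records can be lost as a result.

Many organizations believe that data leakage can only be addressed by applying full-disk encryption to portable devices or by installing data leakage prevention software. These methods help to some extent, but they do not fully solve the problem, because full-disk encryption cannot completely prevent the data on a laptop from being stolen. When data has been encrypted and theft still cannot be avoided, how can a computer ensure that sensitive records are not lost?

Data Tethers can deal with this problem because it starts from the observation that the lost data was simply not stored in a safe environment. Data Tethers allows an organization to store data in a clearly and precisely defined environment and to attach an access control policy to the data. The system then provides a practical access control mechanism to enforce this policy and ensures that all copies of the data, including data on disk and data sent over the network, remain bound by it. Enforcing the access control policy attached to the data protects data that is easily stolen or lost, because the data cannot be accessed outside the safe environment, that is, the device on which it is stored cannot be accessed. Even when the data leaves the user's device, for example when it is sent over the Internet or by e-mail, it remains secure.

1.1 The Mobile Data Loss Problem

The Ponemon Institute estimated that in 2010 at least ten corporate laptops would be lost or stolen, with each lost device causing 49,000 US dollars in losses. Despite the severity of the problem, there is no sign that it will go away. In fact, since 2009 the loss of portable devices has caused the loss of US health care data to increase by 525. This lost data has been posted to websites or shared through peer-to-peer software. Data loss not only causes large financial losses but also leads to civil lawsuits.

Mobile networking has seen unprecedented growth in recent years. First laptops, then netbooks, and now tablets and smartphones are gradually replacing traditional desktops for increasingly complex tasks. From 2012 onward more mobile devices will be in use, and by the end of 2016 each person will use 1.4 mobile devices on average. Compared with the same period of the previous year, the data stored using these devices increased 2.3 times, marking the fourth consecutive year in which the amount of data stored on mobile devices more than doubled. Clearly, both the number of mobile devices and the amount of data they store are increasing rapidly. Beyond the growing amount of stored data, the power of mobile devices has also increased substantially. Figure 1.1 shows that, compared with the first-generation iPhone, modern smartphones have gained a great deal in both power and usability. This ensures that mobile devices can carry out more complex tasks on the go.

Figure 1.1: Comparison of the iPhone with modern phones

As mobile devices become more capable, large amounts of data need to be handled on them, so data security on mobile devices has become a major issue in urgent need of a solution. Because mobile devices are constrained by their operating environment, people mistakenly attribute data security problems to the desktops or servers on which the data runs, yet in some cases the device is still running normally even though the data on it has been lost or stolen. In fact, theft of data from desktops or servers is very rare. Under most security policies, attackers cannot access the data on a mobile device unless they have permission to access the machine's physical address, so it is usually because the attacker has gained access to the device that data on mobile devices is lost and leaked. Given the large increase in mobile devices, mobile data loss is a problem that must be solved immediately.

1.2 The Data Tethers Approach

Data Tethers attaches access control policies to sensitive data. Under such a policy the data can be accessed only by designated users and is kept in encrypted files. The keys are stored on a remote server; a key is valid only when it is used on the designated user's system, and once the key is destroyed it no longer works.

When an application creates a new file, the access control policy may be lost, which gives rise to the "labeled data" problem. The traditional solution to this problem is data tracking: a label is attached to the data, every application that touches the data is tracked, and the labels are used to enforce the access control policy. Unfortunately, unless the application is specially written, all of the files it contains become tainted whether or not the application uses labeled data. This usually causes many unrelated files to be tainted and makes the system unusable. Data Tethers uses dynamic code rewriting so that labels can be tracked within applications, and writing to a file is only allowed when labeled data is present in the system.

As shown in Figure 1.2, Data Tethers consists of three major parts: the policy server, the policy monitor and the dynamic compiler. The policy server runs in a secure environment, where it stores the access control policies, the keys and the data that applications need. The policy monitor runs on the local computer; it monitors the system's operating environment and handles communication with the policy server. The dynamic compiler also runs on the local system; it is the Data Tethers tool applied to applications, supporting efficient tracking of data and the handling of policy violations.

Figure 1.2: Data Tethers system architecture

Sensitive data means data that has been labeled. When an application reads such data from disk or from the network, the operating system detects that the data is being accessed. The policy monitor then retrieves the policy from the policy server and verifies whether the policy's conditions are met. If they are, the policy monitor retrieves the policy's encryption key from the policy server through the operating system, adds the policy to the list of currently monitored policies, and accesses the dynamically recompiled data in the application that the operating system has started. The dynamic recompiler adds code to the application to track the labeled data. The application, now holding the correct encryption key and policy identifier, writes the data to files. The policy monitor periodically evaluates, at the specified intervals, whether the policy still holds. If the policy is violated, it notifies the operating system, which suspends all processes related to the affected data, destroys the local encryption keys and re-encrypts the data.

Data Tethers is not a replacement for the OpenSolaris access control mechanisms; the major difference between the two is that under Data Tethers only users with the appropriate permissions on the local computer can access system files. Data Tethers builds on the functionality of OpenSolaris, with corresponding modifications, to meet users' individual needs for operating on data. We describe the dynamic recompilation process and carry out cost benchmark tests of the normal operation of the individual applications in the system, such as the cost of running rewritten applications. We give users real cost figures, showing how Data Tethers works with minimal overhead for the user. Finally, although the system was originally intended to protect data on mobile devices, the technology also has many other interesting uses.

1.3 Use Cases

To illustrate what the system does, we give several examples of its use. First, consider a company that collects user data, some of which is sensitive and should not be leaked, such as Social Security numbers. The company labels the tables concerned with an access control policy in its "Data Tethers" database. When employee X queries the database and retrieves customer data, the data is sent over the network. Employee X's laptop, which runs Data Tethers, recognizes the data, checks whether the machine is in a valid state for the policy, and identifies the labeled data before sending the data to the user's application. That is, when the system starts processing the client application, the labeled data is treated as the data the application operates on. When employee X saves the data or exports it to his own hard drive or flash drive, or inadvertently sends it over the network, the data is automatically encrypted and remains subject to the corresponding access control policy.

As another example, user X wants to send a document to a friend to proofread, but does not want it forwarded to other people or leaked onto the Internet. Although X trusts his friend to some degree, the state of the friend's computer cannot be monitored when the friend is away from it. The computer remains vulnerable to Trojans or viruses, which could cause the document to be shared. With Data Tethers, the owner of the document can specify that it may be read only by his friend, that it may be read only during a particular period, or that his friend may access it only while running an up-to-date virus scanner. This also ensures that even if the friend accidentally leaks the data, nobody else can download or read it.

The third example is access control for personal information. Users often have to give websites personal information such as credit card numbers, Social Security numbers or home addresses. Users generally do not know who these details will be sent to, how long they will be kept or how they will be used, and this data may change at any time. Data Tethers can help users with this problem. For example, a user can attach an access control policy to his credit card number so that it is kept for only one week from the current date, while allowing his contact details to be kept permanently. Of course, the user must trust that the company will not deliberately try to bypass Data Tethers to access his data. This is a reasonable assumption, however, because it is in the company's own interest to keep its promise and not access users' information maliciously.

2. Original Foreign-Language Text

Data Tethers: Preventing Information Leakage By Enforcing Environmental Data Access Policies
by Charles Fleming

CHAPTER 1 Introduction

Data loss is a serious concern for individuals, companies, institutions, and government agencies. While some data loss is caused by hacker intrusions, many large-scale data losses are caused by the physical loss of a portable computer or data storage device, or by accidental leakage by misconfigured software. Hundreds of thousands of sensitive records can be lost instantly when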
a laptop disappears from a coffee shop or a flash drive falls out of a bag, or when a sensitive directory is shared via peer-to-peer software.

Many organizations respond to this problem by mandating full-disk encryption for portable devices or data leakage prevention services, which typically scan outgoing data for sensitive information. These technologies help, but are not complete solutions. Full-disk encryption does not help when a running laptop is stolen, or when the password that unlocks the encryption is guessable. Data leakage prevention cannot work when the data is already encrypted or in some forms of compression. Carelessness and shallow understanding of how computers really work make it hard to ensure that data is not lost.

The Data Tethers approach to this problem is based on the key observation that what these organizations really want is that data is simply not accessible outside a safe environment. The Data Tethers system allows organizations to specify clearly and precisely what conditions they consider to be safe, and attach this policy to the data. It then provides a practical mechanism to enforce this policy, and to make sure that all future copies of the data, including both copies on disk and copies sent over the network, are also restricted by this policy. The net result is that data that is stolen or lost is protected because it cannot be accessed outside of the safe environment, which the would-be thief does not have access to. Because we also protect copies, data that leaves the user's machine, for example via portable media or sent via e-mail, is also secure.

1.1 The Mobile Data Loss Problem

The Ponemon Institute estimated in 2010 that one out of ten corporate laptops will be lost or stolen in their lifetime, with an estimated cost of
$49,000 per lost device [41]. Despite the severity of the problem, there are no signs that it is going away. In fact, loss of health care data in the US increased 525% since 2009, mainly due to lost devices and portable media [14]. Secure data has also been mistakenly posted to websites [55], accidentally shared via peer-to-peer software [12], and lost on disposed backup tapes [14]. In addition to the cost of the lost data, these incidents are both highly embarrassing for the entities involved, and frequently result in lawsuits.

Mobile computing has exploded in recent years. First laptops, then netbooks, and now tablets and smart phones are replacing traditional desktops for many tasks. By the end of 2012, it's predicted that there will be more mobile devices in use than people on the planet, and by 2016 there will be 1.4 devices in use per person. The amount of data used by these devices increased by a factor of 2.3, year over year, which marks a fourth straight year of more than 2x increase of data usage [18]. Clearly both the number of these devices and the amount of use they see are growing rapidly. In addition to raw numbers, the power of mobile devices is increasing as well. In figure 1.1 we can see
the first popular modern smart phone, the original iPhone, compared with a modern phone, set to be released mid-2012 [68][69]. As you can see, the hardware for these devices is growing quickly in both power and usability. The main drive for this growth is the desire to more frequently do more complex tasks on the go.

Figure 1.1: Comparison of original iPhone with newer phones

With this newfound mobility and more work being done on mobile devices, mobile data security looms as a major issue that needs to be solved. While data security has been around almost since the beginning of computing, mobile computing faces one particular issue that desktop or server environments do not: the devices themselves can be lost or stolen, often while still running. Desktops or servers may be stolen, but this is much rarer, and most security schemes for these types of machines assume that the attacker does not have physical access to the machine. This is exactly the opposite case for mobile devices, where the attacker almost always has access to the device. Given the scope of the current problems with mobile data loss, and the explosion of mobile devices, this is a problem that must be solved.

1.2 The Data Tethers Approach

The Data Tethers approach is to attach environmental policies to sensitive data. These policies specify under what conditions the data may be accessed, and the data is kept encrypted when those conditions are not met. Keys are stored remotely and are only available on the
user's system when the environment is secure, and destroyed when it is not secure.

One problem with labeling data is that policies may be lost when applications create new files. Taint tracking, a traditional solution for this problem, attaches a label to data and tracks all applications that touch the data, using the labels to enforce a policy. Unfortunately, unless specially written programs are used, the taint must be applied at the process level to all files written by that program, whether they contain labeled data or not. This generally results in large numbers of unrelated files being tainted, making the system unusable. The Data Tethers system uses dynamic code rewriting techniques to allow label tracking in applications so that files are only tainted when they have labeled data written to them.

The Data Tethers system is composed of three major components which can be seen in Figure 1.2: the policy server, the policy monitor, the dynamic recompiler, plus modifications to the operating system. The policy server is an application that runs in a secure location and stores policies and keys for the data. The policy monitor runs on the local machine, monitoring environmental conditions, and handling communication with the policy server. The dynamic recompiler also runs locally and instruments applications that use tethered data. OS modifications support efficient tracking of data and handle policy violations.

Figure 1.2: Data Tethers high-level architecture.

Sensitive data is labeled with tags at the word level. When a user application reads this data from the disk, network, etc., the operating system detects that tethered data is being accessed. If the relevant policy is not currently being monitored, the policy monitor retrieves the policy from the policy server
and verifies that the policy conditions are met. If so, the policy monitor retrieves the encryption key for the policy from the remote policy server, passes this key to the operating system, and adds the policy to the list of currently monitored policies. The operating system starts the dynamic recompiler for the application accessing the data. The dynamic recompiler adds code to the application to track the data labels. Labeled data written to a file by the application is encrypted with the proper encryption key and tagged with the policy ID. The policy monitor periodically reevaluates the policy at policy-specified intervals. When a violation occurs, it notifies the operating system, which suspends all processes using affected data, encrypts that data, and destroys the local encryption keys. Data Tethers is not intended to be a replacement for the standard OpenSolaris access control mechanisms, and access to files is always contingent on the appropriate user permissions on the local machine.

An OpenSolaris based implementation of the system is presented with a description of modifications to the operating system required to support Data Tethers. We describe the dynamic code rewriting process and give benchmarks of micro applications that illustrate the performance of individual pieces of the system, such as the cost of running rewritten applications. We also provide benchmarks of real user applications, showing that Data Tethers can work in realistic cases with minimal
user-visible overhead. Finally, while the original motivation for this work was to protect data on mobile devices, the technology also suggests many other interesting uses.

1.3 Use Cases

To demonstrate the system's goals, we present examples of system use. First, consider a company that collects customer data, including sensitive information such as Social Security numbers, which should not be leaked. The company labels these fields in the relevant tables with a policy in their “Data Tethers compliant” database. When employee x queries the database and retrieves customer data, it is sent in the Data Tethers network format. Employee x's Data Tethers laptop recognizes this, checks whether the machine is in a valid state for the policy, and labels the data before passing it to the user's application. The instrumentation process is started on the client application, and the data labels are tracked as the application manipulates the data. When employee x saves this data or any derived data to his hard drive or flash drive, or sends the data, accidentally or intentionally, over the network, the data is automatically encrypted and the appropriate policy is attached.

As another example, user x has written a document that he wants to give to a friend to proofread, but does not want forwarded to other people or leaked onto the Internet. Currently, even though the user may trust his friend to some degree, he has no control over his documen
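
The access flow from section 1.2 (policy check on first read, word-level label tracking, key destruction on violation), as a small Python model added here for illustration; it is not code from the thesis or from the Data Tethers implementation. The class names, the policy ID `P7`, the `network` condition and the key bytes are constructed for the example, and encryption and process suspension are left out.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Word:
    value: int
    labels: frozenset = frozenset()   # policy IDs tethered to this word
    def __add__(self, other):         # derived data inherits operand labels
        return Word(self.value + other.value, self.labels | other.labels)

class PolicyMonitor:
    def __init__(self, server):
        self.server, self.keys = server, {}   # server: id -> (condition, key)
    def admit(self, policy_id, env):
        condition, key = self.server[policy_id]
        if not condition(env):
            raise PermissionError(f"policy {policy_id}: environment not safe")
        self.keys[policy_id] = key    # key released to the local machine
    def reevaluate(self, env):
        violated = [p for p in self.keys if not self.server[p][0](env)]
        for p in violated:
            del self.keys[p]          # destroy the local key on violation
        return violated

class Process:
    def __init__(self, monitor):
        self.monitor, self.touched, self.files = monitor, set(), {}
    def read(self, word, env):
        for p in word.labels - set(self.monitor.keys):
            self.monitor.admit(p, env)   # first access: check policy, fetch key
        self.touched |= word.labels
        return word
    def write(self, name, words):        # file carries only labels written to it
        self.files[name] = frozenset().union(*(w.labels for w in words))
    def process_level_taint(self):       # coarse: every file once process is tainted
        return set(self.files) if self.touched else set()
    def word_level_taint(self):
        return {name for name, labels in self.files.items() if labels}

def demo():
    # Constructed policy: data may be used only on the corporate VPN.
    server = {"P7": (lambda env: env["network"] == "corp-vpn", b"constructed-key")}
    proc = Process(PolicyMonitor(server))
    safe, unsafe = {"network": "corp-vpn"}, {"network": "cafe-wifi"}
    ssn = proc.read(Word(123456789, frozenset({"P7"})), safe)
    counter = proc.read(Word(1), safe)
    proc.write("report.txt", [ssn + counter])   # derived from labeled data
    proc.write("prefs.cfg", [counter])          # unrelated, unlabeled
    return (proc.process_level_taint(), proc.word_level_taint(),
            proc.monitor.reevaluate(unsafe), proc.monitor.keys)
```

`demo()` returns the files tainted under process-level tracking, the files tainted under word-level tracking, the policies violated after the machine leaves the safe network, and the keys still held locally.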