移动代码安全第十三章

移动代码安全第十三章MobileCode/MobileAgent

C/SMODELC:;S:R/CCODEONDEMANDC:R;S:CREMOTECOMPUTINGC:C;S:RMOBILEAGENTC:C;S:R

MALICIOUSCODE1、MOBILECODEATTACKSTHEENVIRONMENTWHEREITISEXECUTED.代理对代理平台的攻击对驻留在代理平台上的信息的非法访问；以预期和破坏性的方式授权访问。BEARSOMESIMILARITYWITHTROJANHORSESMALICIOUSHOST2、MALICIOUSHOST一个接收代理平台能很容易的分离、捕获一个代理，并通过如下方式攻击它：提取信息、毁坏或修改它的代码或状态、拒绝请求服务、或简单的重新初始化或终止它。THREATSFROMOTHERAGENTS3、代理对其它代理的威胁一个代理通过使用几个普通方法就可以攻击另一代理。这包括伪造事务，窃听谈话，或者干涉一个代理活动。THREATSFROMOTHERENTITIES4、其它实体对代理系统的威胁即使假设当前运行的代理和代理平台都是行为良好的，代理框架外部的和内部的其它实体也可能有扰乱，损坏，或破坏代理系统活动的企图PROTECTIONOOFAHOSTFROMAMOBILECODETWODIRECTIONS:Amobilecodeinfrastructurethatisgraduallyenhancedwithauthenticatin,dataintegrityandaccesscontrolmechanism.Verificationofmobilecodesemantics.SafeInterpreters

runningstraightbinariespresentssomeserioussecurityproblems.Acommonapproachistoforgocompiledexecutablesandinsteadtointerpretthemobilecodeinstead.Interpreterhasfine-grainedcontrolovertheappletCanexamineeachinstructionorstatementThesafetyofthesystemisreducedtothecorrectnessofthesecuritypolicyimplementedbytheinterpreterFaultIsolationInterpreterssufferaseriousperformanceoverhead.Theuntrustedcodeisloadedintoitsownpartoftheaddressspaceknownasafaultdomain.Thecodeisinstrumentedtobesurethateachload,store,orjumpinstructionsistoanaddressinthefaultdomain.FaultIsolationtwoways1:insertaconditionalcheckoftheaddressandraiseanexceptionifitisinvalid,or2:simplyoverwritetheupperbitsoftheaddresstocorrespondtothoseofthefaultdomain.AtmuchlowercostthaninterpretersSandboxarestrictedenvironmentCodeVerificationAlthoughsoftwarefaultisolationcertainlyprovidesmobilecodesafetywithhigherperformancethaninterpretation,wearestillsubjecttotheoverheadsofthecodeinstrumentation,aswellastheoverheadsoftheindirectedcallswhichaccessresources.Proof-carryingCodecanbeusedtoaddresssomeoftheseissuses.CodeVerification–programcheckingCheckingamobilecodemeanstoperformaverificationonthecodestructureoronthecodebehaviorasitisrunandmodifyinginconsequencethestatusofthecode.Sandboxes:rudimentaryprogramcheck,eitherstatically,forinstancetoensurethatoperandsofaninstuctionareofthecorrecttype,ordynamically,forexletolocateanyaccesstoaprotectedresource.Proof-CarryingCodeApredefinedsecuritypolicyisdefinedintermsofalogic.Hostfirstaskstobesentaproofthatthecoderespectsthepolicybeforeheactuallyagreestorunit.ThecodeproducersendstheprogramandanaccompanyingproofAfterreceivingthecode,hostcanchecktheprogramwiththeguidanceoftheproof.Proof-CarryingCodeProof-CarryingCodeOnkeyquestionwhichaffectstheusefulnessofthisapproachisthatof:WhatprogrampropertiesareexpressibleandprovableintheLFlogicusedtopublishthesecuritypolicyandencodetheproof.PCCsacrificesplatform-independenceforperformance.ProtectionofamobilecodefromamalicioushostTheproblemofprotectionfromamalicioushosthasbeenstudiedonlyrecently,andisintrinsicallymoredifficultbecausetheenvironmentgetsatotalcontroloverthemobilecode(otherwise,hostprotectionwouldnotbepossible!)Classifiedalong2criteria,1)dataversuscodeprotection,and2)integrity–orconfidentiality-based.MaliciousHostSolutionstothemalicioushostproblemshouldfocusontwothemes:1.Beingabletoprovethatteringoccurred2.Preventingleakageofsecretinformation.DetectingTeringExecutionTracingAuthenticatingPartialResultsExecutionTracingTheagent’scodeisdividedinto2typesofinstructions:Dependonlyontheagent’sinternalstateDependuponinteractionwiththeevaluationenvironment.Former:newvaluesrecordintraceLatter:recordingthenewvaluesanddigitallysignthem.ExecutionTracingThetracecanbeexaminedtodetermineifthehosteither:Incorrectlyexecutedaninternal-onlyinstruction,orLiedtotheagentduringoneofitsinteractionswiththeenvironment.AuthenticatingPartialResultsPartialResultAuthenticationCodeAnagentissentoutwithasetofsecretkeysk1,k2,…,kn.Atserveri,theagentuseskeykitosigntheresultofitsexecutionthere.TherebyproducingaPRAC,andtheneraseskifromitsstatebeforemovingtothenextserver.GuaranteeperfectforwardintegrityPreservingSecrecyThemotivationofanagenttopreservesomesecrecyfromthemalicioushostisthattherearesomesituationsinwhichsimpledetectionafter-the-factisinsufficientorunsatisfactory.ThecostoflegalactionAprivatekeycompromisedPreservingSecrecyTosolvethefollowingproblem:Ouragent’sprogramcomputessomefunctionf,andthehostiswillingtocomputef(x)fortheagent,buttheagentwantsthehosttolearnnothingsubstantiveaboutf.PreservingSecrecyPreservingSecrecy--protocolTheowneroftheagentencryptsf.TheownercreatesaprogramP(E(f))whichimplementsE(f)andputsitintheagent.Theagentgoestotheremotehost,whereitcomputeP(E(f))(x)andreturnhome.TheownerdecryptsP(E(f))(x)andobtainsf(x).五、保护代理（续）4、执行追踪执行追踪技术，通过使用代理在每一代理平台上执行过程中对其行为的可靠记录，来探测代理是否被非法修改。该技术要求涉及到的每一个平台，对代理在该平台停留期间所执行的操作，创建并保持一个客观的日志或跟踪文件，并作为一次跟踪的总结或指纹，提交对追踪的加密复述作为结论。五、保护代理（续）5、环境钥的产生