Towards Remote Policy Enforcement for - Prof ：对远程强制政策教授.pptVIP

Towards Remote Policy Enforcement for Runtime Protection of Mobile CodeUsing Trusted Computing Xinwen Zhang Francesco Parisi-Presicce Ravi Sandhu George Mason University IWSEC 2006 Mobile Codes and Agents programs that migrate and execute at remote hosts, so that the execution environments are different for different instances Downloaded executables, Java applet, ActiveX components, Servlet/EJB components, etc. Two types of security problems: Type I: Protect a local host (where a mobile code is executing) resources to prevent malicious access from mobile code Protect host’s files/dirs, sockets, memory space, etc. Type II: Protect mobile applications from malicious hosts Sensitive information/functions with mobile codes Security in Type I Runtime policy enforcement on local host Common Language Runtime (CLR) and Java Runtime Environment (JRE) Policies are based on attributes of codes and users JDK1.0/1.1: code-identity based model Simple sandbox model Sandboxing based on code sources, URL (where the code is downloaded, signature, etc. JDK1.2: user code attribute based model User attributes—Java Authentication and Authorization services Identity-based, role-based, group-based, general certificate-based, etc. Augmented with local operating system’s access control policies Java Security Sample policies: granting permissions based on: Code URL Code signature Solaris authenticated principal name Kerberos authenticated Principal name Mechanism Initial steps for security check in JVM: Type safety checks for language by Verifier Classloader loads bytecode and check signatures and code source Construct security policy in terms of protection domain Class is “defined” and public available to run in JRE Every time the class tries to access a system resources, its permissions are checked by security manager (or access controller). Stack inspection mechanism is used in access controller to enforce security policy Rights of a piece of code is a function of the st