移动代码安全.pptVIP

第13章：移动代码安全 西安电子科技大学 电子对抗研究所 Mobile Code / Mobile Agent C/S MODEL?C: ? ; S: R/C CODE ON DEMAND?C:R ; S:C REMOTE COMPUTING?C:C; S:R MOBILE AGENT?C:C ; S:R MALICIOUS CODE 1 、MOBILE CODE ATTACKS THE ENVIRONMENT WHERE IT IS EXECUTED. 代理对代理平台的攻击 对驻留在代理平台上的信息的非法访问； 以预期和破坏性的方式授权访问 。 BEAR SOME SIMILARITY WITH TROJAN HORSES MALICIOUS HOST 2、MALICIOUS HOST 一个接收代理平台能很容易的分离、捕获一个代理，并通过如下方式攻击它：提取信息、毁坏或修改它的代码或状态、拒绝请求服务、或简单的重新初始化或终止它。 THREATS FROM OTHER AGENTS 3 、代理对其它代理的威胁 一个代理通过使用几个普通方法就可以攻击另一代理。这包括伪造事务，窃听谈话，或者干涉一个代理活动。 THREATS FROM OTHER ENTITIES 4 、其它实体对代理系统的威胁 即使假设当前运行的代理和代理平台都是行为良好的，代理框架外部的和内部的其它实体也可能有扰乱，损坏，或破坏代理系统活动的企图 PROTECTIONO OF A HOST FROM A MOBILE CODE TWO DIRECTIONS: A mobile code infrastructure that is gradually enhanced with authenticatin,data integrity and access control mechanism. Verification of mobile code semantics. Safe Interpreters running straight binaries presents some serious security problems. A common approach is to forgo compiled executables and instead to interpret the mobile code instead. Interpreter has fine-grained control over the applet Can examine each instruction or statement The safety of the system is reduced to the correctness of the security policy implemented by the interpreter Fault Isolation Interpreters suffer a serious performance overhead. The untrusted code is loaded into its own part of the address space known as a fault domain . The code is instrumented to be sure that each load,store,or jump instructions is to an address in the fault domain. Fault Isolation?two ways 1 : insert a conditional check of the address and raise an exception if it is invalid , or 2: simply overwrite the upper bits of the address to correspond to those of the fault domain. At much lower cost than interpreters Sandbox ?a restricted environment Code Verification Although software fault isolation certainly provides mobile code safety with higher performance than interpretation, we are stil