Xem mẫu
Mobile Code and Security Issues
Language Support for Safety
The features of the language needed to ensure that various code units do not interfere with each other, and with the system are given next.
negotiation, perhaps based on various pro-¿OHVEXWXOWLPDWHO\WKLVLVOLNHO\WREHWKH best approach.
OS Level Security
• Heavy address space protection mecha-nisms
• Type-safe feature to ensure that arrays stay in bounds, pointers are always valid, and code cannot violate variable typing (such as placing code in a string and then executing it)
• Designing a modular system, separating in-terfaces from implementations in programs, and with appropriate layering of libraries and module groups, with particular care being taken at the interfaces between security boundaries.
• Replace general library routines that could FRPSURPLVHVHFXULW\ZLWKPRUHVSHFL¿F VDIHURQHV)RUH[DPSOHDJHQHUDO¿OHDFFHVV routine can be replaced with one that can ZULWH¿OHVRQO\LQDWHPSRUDU\GLUHFWRU• Granting access to resources: Determin-ing exactly which resources a particular code unit is to be granted access to. That is, there is a need for a security policy that GHWHUPLQHVZKDWW\SHDFFHVVDQ\³PRELOH code” unit has. This policy may be:
1. Fixed for all “mobile code” units: Very restrictive but easy, and the approach cur-rently is used to handle applet security in Web browsers such as Netscape.
2. 8VHUYHUL¿HVHDFKVHFXULW\UHODWHGDFFHVV requests: Relatively easy, but rapidly gets annoying, and eventually is self-defeating when users stop taking notice of the details of the requests. Whilst there is a place for querying the user, it should be used exceed-ingly sparingly.
3. Negotiate for each “mobile code” unit: Much harder, as some basis is needed for
The types of events to be monitored in association with the agent execution are very similar to those audited for the system’s users. Moreover, the agents can be easily grouped and differentiated within the system. In addition to extensive authentication and authorization mechanisms, accounting and auditing mechanisms should be implemented.
,QDV\VWHPOLNH³GLVWULEXWHGDJHQWVRQWKHJR´ (DAGO) (Felmetsger & Vigna, 2005), a mobile agent is viewed as an ordinary system’s user who logs in to the host and uses some of the system’s resources for its own needs. Every incoming mobile agent is given an individual account and DXQLTXHXVHULGHQWL¿HU8,`IRUWKHGXUDWLRQRI its execution on a host. This approach allows the hosting OS to apply to mobile agents the same set of rules and policies that are applied by the OS to all of its users.
In Unix, a number of logging, auditing, and accounting mechanisms are available to monitor the action of its users and the status of its resources. These tools can work at the system call level and can EHFRQ¿JXUHGEDVHGRQGLIIHUHQWW\SHVRIHYHQWVVXFK DVRSHQLQJDQGFORVLQJRI¿OHVUHDGVDQGZULWHVSUR-grams executed, and so on. They also can allow one to specify groups of system objects to be monitored for certain activities, and can track system usage by recording the statistics about CPU and memory us-age, I/O operations, running time, and other forms of system resource usage, along with the user IDs of the processes involved. These tools can be easily leveraged and extended to a multiagent environment.
A variety of customizable tools, such as SNARE — system intrusion analysis and report-ing environment (SNARE, 2005), BSM — basic security module provide a greater degree of secu-rity assurance. SNARE is a dynamically loadable
2194
Mobile Code and Security Issues
kernel nodule that can be used as a stand-alone auditing system or as a distributed tool. The tool FDQEHFRQ¿JXUHGWRPRQLWRUHYHQWVDVVRFLDWHG ZLWKFHUWDLQJURXSVRIXVHUV¿OWHUWKHPRQLWRUHG HYHQWVZLWKVSHFL¿F³VHDUFKH[SUHVVLRQV´DQGVXE-mit reports in different formats and time frames. 7KHW\SHRIHYHQWVPRQLWRUHGFDQEHHLWKHUGH¿QHG by a category (for example, system calls) or by an LGHQWL¿HUVXFKDV³GHQLHGDFFHVV´
Safety Policies for Mobile Code Programs
A safety policy is a set of restrictions placed upon locally run untrusted code to ensure that the program does not behave in a manner that is detrimental to the system or to the system security. At the very least, a safety policy should guaran-tee the following fundamental safety properties (Muller, 2000):
Trust
Security is based on the notion of trust. Basically, software can be divided into two categories, namely, software that is trusted and software that is not, separated by an imaginary trust boundary. All software on our side of the trust boundary is trusted and is known as the trusted code base.
All security implementations rely on some trusted code. As a result, a trust model of a particu-lar implementation can be made. The trust model EDVLFDOO\VSHFL¿HVZKLFKFRGHLVWREHLQFOXGHGLQ the trusted-code base and which code lies outside of the trust boundary.
At the very least, the trusted-code base should include the local operating system kernel, but can also include other items of trusted software, like trusted compilers or trusted program run-time environments (e.g., the Java interpreter). It is desirable, however, to keep the trusted-code
• &RQWUROÀRZVDIHW\The program should never jump to and start executing code that lies outside of the program’s own code seg-ment. All function calls should be to valid function entry points, and function returns should return to the location from where the function was called.
• Memory safety:The program should never be allowed to access random locations in memory. The program should only access memory in its own static data segment, live system heap memory that has been explicitly allocated to it, and valid stack frames.
• Stack safety: The program should only be allowed to access the top of the stack. Ac-cess to other areas of the stack should be completely restricted.
base as small as possible to reduce the security vulnerabilities.
Performance and Security
Unfortunately, as it is in most applications, per-IRUPDQFHLVVDFUL¿FHGIRULQFUHDVHGVHFXULW\,W ZRXOGKRZHYHUEHSUR¿WDEOHWRKDYHDSSOLFDWLRQV that are both secure and perform well at the same time. For this reason, there is much research con-FHUQHGZLWKUHVROYLQJWKHFRQÀLFWEHWZHHQWKHVH concepts in some way.
CONCLUSION
The purpose of this chapter is to raise readers’ awareness of mobile code and various approaches
These three properties, combined, offer the minimum nontrivial level of security for mobile code. More complicated security policies are pos-sible, depending on the application.
to addressing security of mobile code and agents. All of the techniques discussed in this chapter of-fer different approaches to combating malicious mobile code. However, the best approach is prob-ably a combination of security mechanisms. The
2195
Mobile Code and Security Issues
sandbox and code signing approaches are already K\EULGL]HG &RPELQLQJ WKHVH ZLWK ¿UHZDOOLQJ techniques, such as the playground, gives an extra layer of security. PCC is still very much in the research and development phase at present.
In order to make the mobile code approach practical, it is essential to develop advanced and innovative solutions to restrict the operations that mobile code can perform, but without unduly restricting its functionality. It is also necessary to develop formal, extremely easy–to-use safety languages to specify safety policy.
Organizations relying on the Internet face VLJQL¿FDQWFKDOOHQJHVWRHQVXUHWKDWWKHLUQHWZRUNV operate safely, and that their systems continue to provide critical services, even in the face of attack. Even the strictest of security policies will not be able to prevent security breaches. Educating us-ers in social-engineering attacks based around mobile code is also necessary.
REFERENCES
Alfalayleh, M., & Brankovic, L. (2004). An over-view of security issues and techniques in mobile agents. Retrieved from http://sec.isi.salford.ac.uk/ FPV3URJUDP&06¿QDOSDSGI
Brown, L. (1996).Mobile code security [Electronic version]. Retrieved from http://www.unsw.adfa. edu.au/~lpb/papers/mcode96.html
Chan, H. W., & Anthony. (1999). Secure mobile agents: Techniques, modeling and application. Retrieved from http://www.cse.cuhk.edu.hk/~lyu/ student/mphil/anthony/term3.ppt
Felmetsger, V., & Vigna, G. (2005). Exploiting OS-level mechanisms to implement mobile code security. Retrieved from http://www.cs.ucsb.edu/ ~vigna/pub/2005_felmetsger_vigna_ICECCS05. pdf
Ghezzi, C., & Vigna, G. (1997). Mobile code paradigms and technologies: A case study. In K.
Rothermet & R. Popescu-Zeletin (Eds.), Mobile agents, First International Workshop, MA’97, Proceedings (LNCS 1219, pp. 39-49) Berlin, Germany: Springer.
Hefeeda, M., & Bharat, B. (n.d.) On mobile code security. Center of Education and Research in Information Assurance and Security, and Depart-ment of Computer Science, Purdue University, West Lafayette, IN. Retrieved from http://www. cs.sfu.ca/~mhefeeda/Papers/OnMobileCodeSe-curity.pdf
Hohl, F. (1997). An approach to solve the problem of malicious hosts. Universität Stuttgart, Fakultät In-formatik, Fakultätsbericht Nr. 1997/03. Retrieved from http://www.informatik.uni-stuttgart.de/cgi-bin/ncstrl_rep_view.pl?/inf/ftp/pub/library/ncstrl. XVWXWWJDUWB¿7575ELE
Hohl, F. (1998). Time limited blackbox security: Protecting mobile agents from malicious hosts. Retrieved from http://citeseer.ist.psu.edu/hohl-98time.html
Hohl, F. (1998). Mobile agent security and reli-ability. Proceedings of the Ninth International Symposium on Software Reliability Engineering (ISSRE ’98).
Hohl, F. (1998). Time limited blackbox security: Protecting mobile agents from malicious hosts. Mobile Agents and Security, 1419 of LNCS. Springer-Verlag.
IBM Aglets. (2002). Retrieved from http://www. trl.ibm.com/aglets/
Jansen, W., & Karygiannis, T. (n.d.). Mobile agent security (NIST Special Publication 800-19) Retrieved from http://csrc.nist.gov/publications/ nistpubs/800-19/sp800-19.pdf
Java Agent Development Framework. (2005). Retrieved from http://jade.tilab.com/
Karjoth, G., Lange, D. B., & Oshima, M. (1997). A security model for aglets. IEEE Internet
2196
Mobile Code and Security Issues
Computing, 1(4), 68-77. [Electronic version]. Oppliger, R. (2000). Security technologies for
Retrieved from http://www.ibm.com/java/educa-tion/aglets/
Loureiro, S., Molva, R., & Roudier, Y. (2000,
the World Wide Web. Computer Security Series. Artech House Publishers.
Proof-Carrying Code. (2002). Retrieved from
February). Mobile code security. Proceedings http://raw.cs.berkeley.edu/pcc.html
of ISYPAR 2000 (4ème Ecole d’Informatique des Systems Parallèles et Répartis), Code Mo-bile, France. Retrieved from www.eurecom. fr/~nsteam/Papers/mcs5.pdf
Lucco, S., Sharp, O., & Wahbe, R. (1995). Om-niware: A universal substrate for mobile code. In Fourth International World Wide Web Confer-ence, MIT. [Electronic version] Retrieved from http://www.w3.org/pub/Conferences/WWW4/ Papers/165/
McGraw, G., & Morrisett, G. (2000). Attacking malicious code. Retrieved from http://www. cs.cornell.edu/Info/People/jgm/lang-based-se-curity/maliciouscode.pdf
Mobile Code and Mobile Code Security. (2005). Retrieved from http://www.cs.nyu.edu/~yingxu/ privacy/0407/main.html
Mobile Code Security. (1996). [Electronic ver-sion] Retrieved from http://www.unsw.adfa.edu. au/~lpb/papers/mcode96.html
Mobile Code Security and Computing with En-crypted Functions [Electronic version] Retrieved from http://www.zurich.ibm.com/security/mo-bile
Motlekar, S. (2005). Code obfuscation. Retrieved from http://palisade.paladion.net/issues/2005Aug/ code-obfuscation/
Muller, A. (2000). Mobile code security: Taking the Trojans out of the Trojan horse. Retrieved from www.cs.uct.ac.za/courses/CS400W/NIS/ papers00/amuller/essay1.htm
Necula, G. C., & Lee, P. (1998). Safe, untrusted agents using proof-carrying code. Lecture Notes in Computer Science, (1419). Springer-Verlag.
Robust Obfuscation. (2005). Retrieved from http://www.cs.arizona.edu/~collberg/Research/ Obfuscation/
Roger, A. G. (2001). Malicious mobile code: Vi-rus protection for Windows [Electronic version]. O’Reilly & Associates.
Rubin, A. D., & Geer, D. E. (1998). Mobile code security. IEEE Internet Computing.
Sander, T., & Tschudin, C. (1998a). Towards mobile cryptography. Proceedings of the IEEE Symposium on Security and Privacy.
Sander, T., & Tschudin, C. (1998b). Protecting mobile agents against malicious hosts. [Electronic version] In G. Vigna (Ed.). Mobile agents and se-curity, Lecture Notes in Computer Science, 1419 (pp. 44-60). Retrieved from http://citeseer.ist.psu. edu/article/sander97protecting.html
SNARE — System iNtrusion Analysis and Re-porting Environment (2005). [Electronic version] Retrieved from http://www.intersectalliance. com/projects/Snare
Telescript Language Reference. (1995). Retrieved from http://citeseer.ist.psu.edu/inc95telescript. html
Tennenhouse, D. L., & Wetherall, D. J. (1996) Towards an active network architecture. Computer Communication Review. Retrieved from http:// www.tns.lcs.mit.edu/publications/ccr96.html
Vigna, G. (1997, June). Protecting mobile agents through tracing. Proceedings of the 3rd ECOOP Workshop on Mobile Object Systems, Jyvälskylä, Finland. Retrieved from http://www.cs.ucsb. edu/~vigna/listpub.html
This work was previously published in Web Services Security and E-Business, edited by G. Radhamani and G. Rao, pp. 75-92, copyright 2007 by IGI Publishing (an imprint of IGI Global).
2197
2198
Chapter 7.15 Secure Authentication
Process for High Sensitive Data E-Services: A Roadmap
Claudio Agostino Ardagna University of Milan, Italy
Ernesto Damiani University of Milan, Italy
Fulvio Frati University of Milan, Italy
Salvatore Reale
Siemens Mobile Communication S.p.A., Italy
EXECUTIVE SUMMARY
The widespread diffusion of online services pro-YLGHGE\SXEOLFDQGSULYDWHRUJDQL]DWLRQV¿UVWO\ driven by e-commerce and more recently by e-government applications, has stressed the need of secure ways to authenticate users who need to access online resources. The huge number of resources accessible on the Web leads to differ-ent authentication mechanisms implementations that often require multiple log-on actions also in intradomain multiservices scenario. In case of
high sensitive services, users’ authentication plays a role of paramount importance. In this article is presented a case study that gives a roadmap of authentication mechanisms implemented at different levels of services’ software structure. The discussion starts by illustrating different authentication solutions implemented at operating system, application server or components level to conclude with Single Sign-On approach. For each solution, pros and cons are discussed. The SSO system, called CAS++, developed as an extension to Yale University’s CAS, is then presented.
Copyright © 2009, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.
...
- tailieumienphi.vn
nguon tai.lieu . vn