Information System Security AABFS-Jordan Summer 2006 Mobile Code Security Prepared by: Mossab Al Hunaity Supervised by: Dr. Loai Tawalbeh.

Slides:



Advertisements
Similar presentations
Presented by Nikita Shah 5th IT ( )
Advertisements

Computer Technology Timpview High School. A collection of local, regional, national, and international computer networks that are linked together to exchange.
Access Control 1. Given Credit Where It Is Due Most of the lecture notes are based on slides by Dr. Daniel M. Zimmerman at CALTECH Some slides are from.
Mobile Agents Mouse House Creative Technologies Mike OBrien.
Mobile Code Security Yurii Kuzmin. What is Mobile Code? Term used to describe general-purpose executables that run in remote locations. Web browsers come.
Cryptography and Network Security 2 nd Edition by William Stallings Note: Lecture slides by Lawrie Brown and Henric Johnson, Modified by Andrew Yang.
The Mobile Code Paradigm and Its Security Issues Anthony Chan and Michael Lyu September 27, 1999.
Mobile Code Security Aviel D. Rubin, Daniel E. Geer, Jr. MOBILE CODE SECURITY, IEEE Internet Computing, 1998 Minkyu Lee
The Design and Implementation of a Certifying Compiler [Necula, Lee] A Certifying Compiler for Java [Necula, Lee et al] David W. Hill CSCI
19.1 Silberschatz, Galvin and Gagne ©2003 Operating System Concepts with Java Chapter 19: Security The Security Problem Authentication Program Threats.
1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.
Client/Server Computing Model of computing in which very powerful personal computers (clients) are connected in a network with one or more server computers.
Java Security Model Lab#1 I. Omaima Al-Matrafi. Safety features built into the JVM Type-safe reference casting Structured memory access (no pointer arithmetic)
Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.
Mobile Code and Worms By Mitun Sinha Pandurang Kamat 04/16/2003.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
Tanenbaum & Van Steen, Distributed Systems: Principles and Paradigms, 2e, (c) 2007 Prentice-Hall, Inc. All rights reserved DISTRIBUTED SYSTEMS.
Alexander Potapov.  Authentication definition  Protocol architectures  Cryptographic properties  Freshness  Types of attack on protocols  Two-way.
Presented by INTRUSION DETECTION SYSYTEM. CONTENT Basically this presentation contains, What is TripWire? How does TripWire work? Where is TripWire used?
Secure Systems Research Group - FAU Patterns for Digital Signature using hashing Presented by Keiko Hashizume.
What is in Presentation What is IPsec Why is IPsec Important IPsec Protocols IPsec Architecture How to Implement IPsec in linux.
D ATABASE S ECURITY Proposed by Abdulrahman Aldekhelallah University of Scranton – CS521 Spring2015.
1 Introduction to Security and Cryptology Enterprise Systems DT211 Denis Manley.
Computer Security Tran, Van Hoai Department of Systems & Networking Faculty of Computer Science & Engineering HCMC University of Technology.
Networks and Security. Types of Attacks/Security Issues  Malware  Viruses  Worms  Trojan Horse  Rootkit  Phishing  Spyware  Denial of Service.
Dr. Lo’ai Tawalbeh 2007 INCS 741: Cryptography Chapter 1:Introduction Dr. Lo’ai Tawalbeh New York Institute of Technology (NYIT) Jordan’s Campus
Cryptography and Network Security
14 Publishing a Web Site Section 14.1 Identify the technical needs of a Web server Evaluate Web hosts Compare and contrast internal and external Web hosting.
Csci5233 Computer Security1 Bishop: Chapter 27 System Security.
Web Browser Security Prepared By Mohammed EL-Batta Mohammed Soubih Supervised By Eng. Eman alajrami Explain Date 10. may University of Palestine.
Integrating Security Design Into The Software Development Process For E-Commerce Systems By: M.T. Chan, L.F. Kwok (City University of Hong Kong)
3-Protecting Systems Dr. John P. Abraham Professor UTPA.
Network Security Lecture 26 Presented by: Dr. Munam Ali Shah.
Cryptography, Authentication and Digital Signatures
E-Commerce Security Professor: Morteza Anvari Student: Xiaoli Li Student ID: March 10, 2001.
Security Protocols and E-commerce University of Palestine Eng. Wisam Zaqoot April 2010 ITSS 4201 Internet Insurance and Information Hiding.
Proof Carrying Code Zhiwei Lin. Outline Proof-Carrying Code The Design and Implementation of a Certifying Compiler A Proof – Carrying Code Architecture.
© Oxford University Press 2011 DISTRIBUTED COMPUTING Sunita Mahajan Sunita Mahajan, Principal, Institute of Computer Science, MET League of Colleges, Mumbai.
Chapter 16 Security Introduction to CS 1 st Semester, 2012 Sanghyun Park.
Security, Social and Legal Issues Regarding Software and Internet.
. 1. Computer Security Concepts 2. The OSI Security Architecture 3. Security Attacks 4. Security Services 5. Security Mechanisms 6. A Model for Network.
Copyright © cs-tutorial.com. Overview Introduction Architecture Implementation Evaluation.
14.1/21 Part 5: protection and security Protection mechanisms control access to a system by limiting the types of file access permitted to users. In addition,
Topic 1 – Introduction Huiqun Yu Information Security Principles & Applications.
1 Network and E-commerce Security Nungky Awang Chandra Fasilkom Mercu Buana University.
Information Security in Distributed Systems Distributed Systems1.
INTRUSION DETECTION SYSYTEM. CONTENT Basically this presentation contains, What is TripWire? How does TripWire work? Where is TripWire used? Tripwire.
Security Patterns for Web Services 02/03/05 Nelly A. Delessy.
P ROTOCOL FOR COLLABORATING MOBILE AGENTS IN THE NETWORK INTRUSION DETECTION SYSTEMS. By Olumide Simeon Ogunnusi Shukor Abd Razak.
Java Security Session 19. Java Security / 2 of 23 Objectives Discuss Java cryptography Explain the Java Security Model Discuss each of the components.
Computer Security By Duncan Hall.
Network Security Celia Li Computer Science and Engineering York University.
9.2 SECURE CHANNELS JEJI RAMCHAND VEDULLAPALLI. Content Introduction Authentication Message Integrity and Confidentiality Secure Group Communications.
Page 1 Viruses. Page 2 What Is a Virus A virus is basically a computer program that has been written to perform a specific set of tasks. Unfortunately,
INCS 741: Cryptography Overview and Basic Concepts.
SECURITY. Security Threats, Policies, and Mechanisms There are four types of security threats to consider 1. Interception 2 Interruption 3. Modification.
Content Introduction History What is Digital Signature Why Digital Signature Basic Requirements How the Technology Works Approaches.
1 Network Security Maaz bin ahmad.. 2 Outline Attacks, services and mechanisms Security attacks Security services Security Mechanisms A model for Internetwork.
Tanenbaum & Van Steen, Distributed Systems: Principles and Paradigms, 2e, (c) 2007 Prentice-Hall, Inc. All rights reserved DISTRIBUTED SYSTEMS.
Cryptographic Hash Function. A hash function H accepts a variable-length block of data as input and produces a fixed-size hash value h = H(M). The principal.
Lecture 1 Introduction Dr. nermin hamza 1. Aim of Course Overview Cryptography Symmetric and Asymmetric Key management Researches topics 2.
TOPIC: Applications of Web Technologies in Distributed Systems
Secure Sockets Layer (SSL)
Cryptographic Hash Function
Topic: Java Security Models
State your reasons or how to keep proofs while optimizing code
Operating System Concepts
Instructor Materials Chapter 5: Ensuring Integrity
Presentation transcript:

Information System Security AABFS-Jordan Summer 2006 Mobile Code Security Prepared by: Mossab Al Hunaity Supervised by: Dr. Loai Tawalbeh

Outline Introduction (5 minutes) Advantages of Mobile codes (Agents) Mobile Code (Agent) Applications Mobile Code Security (20 minutes) Protecting the Host Protecting the Agent Mobile Code Security in Practice (10 minutes) Conclusions (5 minutes) Questions

Introduction Software agents are programs that act on behalf of their creators. Mobile code (agents ) are software codes (agents ) that have the ability to travel from one place to another to do the work assigned to them autonomously. Code data Agent (Mobile Code)

Advantages of Mobile codes (Agents) Better network performance and Utilization Automation of a sequence of tasks on different locations Distribution and Update of software packages.

Mobile Code (Agent) Applications Data collection from many place implement a network backup tool Searching and filtering visit many sites, search through the information available at each site to match a search criterion Monitoring E.g. in a stock market host, wait for a certain stock to hit a certain price, notify its user or even buy some of the stocks on behalf of them. Targeted information dissemination Distribute interactive news or advertisements

Mobile Agent Applications / cont. Parallel processing distribute processes easily over many computers in the network E-Commerce A mobile agent could do your shopping, including making orders and even paying Entertainment Games, players Negotiating negotiate to establish a meeting time, get a reasonable price for a deal

Mobile Code Security In the past, mobile code was machine dependent and could only run on very specific machine architectures, today this is not the case we are becoming increasingly vulnerable to malicious attacks and defective software roaming the internet security of mobile code is emerging as one of the most important challenges facing computer research today

Basic Concepts Trust Security is based on the notion of trust. Basically, software can be divided into two categories, trusted software (All software from our side) and un trusted software (All software not from our side) Safety Policy A code is safe if it follows Control Flow, Memory, and Stack Safety

Mobile Code Security Dimensions Protecting the host from a malicious Mobile Code. Sandboxing Code Signing Firewalling Proof-carrying code Protecting Mobile Code from the Execution Environment Active and Passive attacks

Protecting the Host There are various ways by which a malicious agent can harm the host. An agent may steal or manage to get illegal access to some private data, e.g. the financial data of a company from a database residing on the host. An agent may damage or consume the host resources like deleting some files, consume a lot of processing power or network bandwidth or cause denial of services as well

How to Protect The Host Sandboxing Code Signing Firewalling Proof-carrying code

Sandboxing The basic idea behind sandboxing is to make the foreign mobile code to be executed within a sandbox in the host operating system. Then the mobile code can be controlled efficiently by allowing monitored access to local host resources like CPU time, memory, etc. so that denial of service attacks by the mobile code like over consuming resources do not occur. One of the most known examples of sandboxing technology is the Security Manager of Java and Code Access Security in dot net.

Sandbox variation in Java

Code Signing Idea is to authenticate the mobile code before it is actually executed. The producer of the code is required to sign it. And the code consumer verifies the signature of the producer before using it Digital signatures are created using RSA

Code Signing Details RSA takes longer time for signing long documents. So the usual practice is to sign the hash of code and distribute it along with the code. This method saves time and insure integrity Changing original code at one bit will result in complete change of hash of message. At the receiver end the client computes the hash of mobile code it received and compares it with that sent by the user to ensure data integrity.

Firewalling Selectively choose whether or not to run a program at the very point where it enters the client domain. For example, if an organization is running a firewall or web proxy, it identify Java applets, examine them, and decide whether or not to serve them to the client. Research Usually it hard to implement.

Proof-Carrying Code Enables a host to determine that a program code provided by another system is safe to install and execute. The basic idea of PCC is that the code producer is required to provide an encoding of a proof that his/her code adheres to the security policy specified by the code consumer. The proof is encoded in a form that can be transmitted digitally. Therefore, the code consumer can quickly validate the code using a simple, automatic, and reliable proof- checking process

PCC process Step 1: the producer prepare the un trusted code he adds annotations to the code, which helps the code consumer to understand the safety- relevant properties of the code. then he sends the annotated code to the code consumer to execute it. Step 2: The code consumer performs a fast but detailed inspection of the annotated code. This I accomplished using a program, called VCGen and produce safety predicate

PCC process / cont. Step 3: Upon receiving the safety predicate, the producer attempts to prove it, and sends a formal proof back to the code consumer. Step 4: The code consumer performs a proof validation Step 5: after the executable code has passed both the VCGen checks and the proof check, it is trusted not to violate the safety policy and It can be safely installed for execution, without any further need for run-time checking

Protecting the Agent Protecting the Agent during the Transfer Protecting the Agent during the Execution

Protecting the Agent during the Transfer As a mobile agent moves around the network, its code as well as its data is vulnerable to various security threats. There are two known types of attacks passive attacks and active attacks

Passive Attacks An adversary attempts to extract some information from messages exchanged between two Agents without modifying the contents of the messages (eavesdropping). Usually cryptographic mechanisms, such as RSA and ElGamal cryptosystems are used to protect against this kind of attacks

Active Attacks Attacker in this case is able to modify the data or the code of a mobile agent to benefit from them or impersonate a legitimate principal in the system and intercept messages intended for that principal Data integrity mechanisms can be used to protect against tampering (message digest technique ) Collision-Free Hash Functions MD5 Authentication mechanisms can be used to protect against impersonation.

Protecting The Agent during the Execution In general, it is very difficult to protect an Agent from the environment that is responsible for its execution. Therefore, protecting an agent is more difficult and challenging than protecting the host resources from a malicious agent

Dangers to Agents A host may simply destroy the agent and hence impede the function of its parent application. A host may steal sensitive information carried by the agent such as a private key of the agents owner. A host may modify the data carried by the agent for its favor. For instance, it might change the price quoted by another competitor. Or modify the agents code to perform some dangerous actions when it returns to its home site.

How to Protect the Agent during the Execution Limited blackbox security Computing with encrypted functions. Cryptographic traces

Limited blackbox security The key idea of blackbox security is to generate an executable code from a given agent specification. This generated code is executed as a blackbox by the host, i.e. the host can not modify or read it but it only can execute it as is.

Computing with encrypted functions. The Key idea is that there is no intrinsic reason why a program must be executed in a plaintext form Therefore, one can have a computer executes a cipher program without understanding it.

Cryptographic traces The mechanism is based on post-mortem analysis of data (called traces) that are collected during the execution of an agent. The traces are then used as a basis for code execution verification, i.e. has the code executed its designated tasks properly or not?

Conclusion Mobile code security is a very important research topic. There are many models for achieving Mobile code security but we still need more secure and fast approches.

Mobile Code Security in Practice We are going to see how to implement some of those principles using the Dot Net technology.

Questions

References Papers : M. Abadi and B. Bhargava, On Mobile Code Security, CERIAS Tech Report,2001. S. Ramdous and G. Kannan, SECURITY OF MOBILE CODE, Journal of Cryptology, 2(1),2002, pp Alfonso Fuggetta et al, Understanding Code mobility, IEEE Transactions on Software Engineering Wayne A. Jansen, Countermeasures for Mobile Agent Security, National Institute of Standards and technology. ty/CryptoSpec.html.

Thank You ! Mossab Al Hunaity Dr. Loai Tawalbeh

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.