Mobile Code and Security Issues
Kazım Bayram
Yıldırım Beyazıt University, Management Information Systems, 2014

What is Mobile Code?
Mobile code:
- Is software transferred between systems and executed on a local system without explicit installation by the recipient.
- Can be executed on one or several hosts.
- Can transfer from one host to another and execute easily.
- Includes scripts such as JavaScript and VBScript, Java applets, Office macros, DLLs, ActiveX controls, etc.

Advantages of Mobile Code
- Eliminates installation and configuration problems and reduces distribution cost.
- Can run on many platforms.
- Increases the scalability of client/server applications.
- Achieves performance advantages.
- Achieves interoperability of distributed applications.

Categories of Mobile Code
Categorize by mobility: one method of categorising mobile code is based on code mobility.
- Code on Demand
- Remote Evaluation: a client sends code to a remote machine for execution.
- Mobile Agents: objects or code with the ability to migrate between machines autonomously.

Categories of Mobile Code

| Type of Mobility | Category | Mobility of Code | Resources | Processor |
|---|---|---|---|---|
| Weak | Code on demand | Remote to Local | Local side | Local |
| Weak | Remote evaluation | Local to Remote | Remote side | Local |
| Strong | Mobile agent | Migration | Remote side | Agent’s originator |

Categories of Mobile Code
Categorize by type of code:
- Source code
- Intermediate code
- Binary code
- Just-in-time compilation

Interpreter vs Compiler
- Interpreters read and parse source or intermediate code and execute it, e.g. Java, Python, PHP and the .NET platforms. (Write Once, Run Anywhere)
- Compilers convert source code to binary code, and the same binary code is executed every time, e.g. C++, C, Assembly. (Write Once, Compile Anywhere)
- Compilers are faster than interpreters.
- Platform dependency is lower with an interpreter.

Source Code?

Intermediate Code

Binary (Machine) Code

Just-in-Time Compilation
Speed of Binary Code + Portability of Intermediate or Source Code

Properties of Mobile Code
- Comes in a variety of forms
- Often runs unannounced and unbeknownst to the user
- Runs with the privilege of the user
- Distributed in executable form
- Runs in multiple threads
- Can launch other programs

Security Issues of Mobile Code
- Host Security Against Malicious Code
- Mobile Code Security against Malicious Host

Host Security
- Sandboxing
- Code Signing
- Combined form of Code Signing and Sandboxing

Sandboxing
- Mobile code is executed inside a restricted area, called a sandbox, with limited access to system functionality.
- Virtual machines, Linux OS security mechanisms, application testing platforms, etc.

Sandboxing
[Figure: Network, Mobile Code, Host, Local Code, Sandbox = Restricted Environment, Resources]

Code Signing
- Digitally signing software identifies the producer who created and signed it, using a one-way hashing method.
- It enables the platform to verify that the code has not been modified since it was signed by its creator.

Code Signing
[Figure: Network, Mobile Code (A6D30781), Control Area (A6D30781), Host, Local Code, Resources]

Sandboxing and Code Signing
[Figure: Network, Mobile Code (A6D30781), Control Area (A6D30781), Host, Local Code, Sandbox = Restricted Environment, Resources]
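
One way a host can combine code signing with sandboxing, as an added example that is not from the original slides. The admission policy, the publisher names and the permission sets are assumptions made for illustration; Ed25519 from Node.js's built-in crypto module stands in for whatever signature scheme a platform uses.

```javascript
// Added example: host-side policy combining code signing and sandboxing.
// Publisher names, permission sets and the sample script are constructed.
const crypto = require('crypto');

// Permission sets the host can grant (hypothetical names).
const FULL = ['read-files', 'write-files', 'network', 'launch-programs'];
const SANDBOX = ['network-to-origin'];

// Publisher side: sign the code. Ed25519 applies SHA-512 to the message
// internally, which plays the role of the one-way hash.
function signCode(code, privateKey) {
  return crypto.sign(null, Buffer.from(code), privateKey);
}

// Host side: decide how (or whether) to run a received package.
// pkg = { code, publisher, signature }; trustedKeys maps publisher -> public key.
function admit(pkg, trustedKeys) {
  if (!pkg.signature) {
    return { action: 'sandbox', permissions: SANDBOX, reason: 'unsigned' };
  }
  const key = trustedKeys.get(pkg.publisher);
  if (!key) {
    return { action: 'sandbox', permissions: SANDBOX, reason: 'unknown publisher' };
  }
  const intact = crypto.verify(null, Buffer.from(pkg.code), key, pkg.signature);
  if (!intact) {
    // Claims a trusted publisher but fails verification: modified or forged.
    return { action: 'reject', permissions: [], reason: 'signature mismatch' };
  }
  return { action: 'run', permissions: FULL, reason: 'verified ' + pkg.publisher };
}

// Constructed demo data: one trusted publisher, one the host has never seen.
const trusted = crypto.generateKeyPairSync('ed25519');
const stranger = crypto.generateKeyPairSync('ed25519');
const trustedKeys = new Map([['example-publisher', trusted.publicKey]]);

const code = 'console.log("report generated");';
const signed = { code, publisher: 'example-publisher', signature: signCode(code, trusted.privateKey) };
const tampered = { ...signed, code: code + ' /* extra statement */' };
const unknown = { code, publisher: 'other-publisher', signature: signCode(code, stranger.privateKey) };
const unsigned = { code, publisher: 'example-publisher', signature: null };

for (const [name, pkg] of Object.entries({ signed, tampered, unknown, unsigned })) {
  const d = admit(pkg, trustedKeys);
  console.log(name.padEnd(9), d.action.padEnd(8), d.reason);
}
```

The tampered package is rejected rather than sandboxed because a bad signature under a trusted publisher's name means the code changed after signing.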

Mobile Code Security
Tampering Prevention Techniques
- Mobile Cryptography
- Obfuscated Code
- Cooperating Agents

Mobile Cryptography
- Encrypting data that is sent and received.
- The data can be decrypted via the encryption key or scheme.
- Data is received by a “black box”; if the request is valid it responds, otherwise it blocks the requested profile.
- Various means of code obfuscation and authentication techniques are proposed to achieve this time-limited “black box”.

Mobile Cryptography

Obfuscated Code
- Obfuscation is a technique of enforcing the security policy by applying a behavior-preserving transformation to the code before it is dispatched to different hosts.
- Can run on many platforms.
- It aims to protect the code from being analyzed and understood by the host, thereby making the extraction and corruption of sensitive data or .

Obfuscated Code

Cooperating Agents
- Distributing critical tasks of a single mobile agent between two or more cooperating agents.
- Each of the two cooperating agents executes the tasks in one of two disjoint sets of platforms.
- The cooperating agents share the same data and exchange information in a secret way. This technique reduces the possibility of the shared data being pilfered by a single host.
- On any error, their way of communicating can be changed.

Developing Security Mechanism
- Developing sound, reliable security mechanisms is a nontrivial task.
- It could be too complex and difficult.
- Effort is reduced by security services that rely on well-known, well-understood, and well-tested security mechanisms. Also, by describing the security of the mobile-code system in terms of the language and OS security mechanisms, system administrators can better evaluate the security implications of deploying the system.

Language Support for Safety
The features of the language needed to ensure that various code units do not interfere with each other:
- Heavy address space protection mechanisms
- Type-safe features (CTS, CLS)
- Designing a modular system (OOD, OOP)
- Replacing general library routines that could compromise security with more specific ones (relevant to the sandbox)
- Granting access to resources (relevant to the sandbox)

OS Level Security
- Authentication: username/password, user card/key, user attribute (fingerprint, eye retina pattern, signature), UID
- Program Threats: Trojan Horse, Trap Door, Logic Bomb, Virus
- System Threats: worms, port scanning, Denial of Service (DoS)
- Viruses
- Stack and Buffer Overflow

Safety Policies for Mobile Code
- Control flow safety
- Memory safety
- Stack safety

Trust
- Security is based on the notion of trust.
- Two categories of software: trusted or not.
- All software on our side of the trust boundary is trusted and is known
as the trusted code base.
- All security implementations rely on some trusted code.
- The trusted-code base should include the local operating system
kernel, but can also include other items of trusted software, like trusted
compilers or trusted program runtime environments (e.g., the Java
interpreter).

Performance and Security
[Figure: Security, Performance]

Java vs C (Test based on OpenJDK and GCC)

Performance and Security

All in All
- No system is completely safe.
- No signature or encryption system is perfect. It can be broken.
- Any software has some bugs and some security holes.
- Hybrid systems should be used on projects for greater safety.
- Performance and security should be balanced.

ISO/IEC 27000 series
- ISO/IEC 27000 is part of a growing family of ISO/IEC Information
Security Management Systems (ISMS) standards, the 'ISO/IEC 27000
series'.
- ISO/IEC 27000 is an international standard entitled:
- Information technology
- Security techniques
- Information security management systems
- The series provides best practice recommendations on information
security management, risks and controls within the context of an
overall information security management system (ISMS).

ISO/IEC 27001
- The series provides best practice recommendations on information
security management, risks and controls within the context of an
overall information security management system (ISMS).

ISO/IEC 27002
Information security techniques
- Based on ISO/IEC 27001
- IT Risk assessment
- Security policy – management direction
- Organization of information security – governance of information security
- Asset management – inventory and classification of information assets
- Human resources security – security aspects for employees joining, moving and leaving an organization
- Access control – restriction of access rights to networks, systems, applications, functions and data
- Information systems acquisition, development and maintenance – building security into applications
- Information security incident management – anticipating and responding appropriately to information security
breaches
- Business continuity management – protecting, maintaining and recovering business-critical processes and
systems
- Compliance – ensuring conformance with information security policies, standards, laws and regulations