潘柱廷 ( 大潘 ) jordan pan blog.jordanpan mailto:jordan@venustech
DESCRIPTION
安全与可信 security and trusted 脆弱性安全 vs. 结构性安全 Vulnerability vs. Structure 攻防两端如何在结构性安全环境中寻求空间 Space in the structural environment. 潘柱廷 ( 大潘 ) Jordan Pan http://blog.jordanpan.cn mailto:[email protected]. 摘要 Summary. 脆弱性安全 Vulnerability-oriented security 结构性安全 Structural security - PowerPoint PPT PresentationTRANSCRIPT
1
安全与可信security and trusted
脆弱性安全 vs. 结构性安全Vulnerability vs. Structure攻防两端如何在结构性安全环境中寻求空间Space in the structural environment
潘柱廷 ( 大潘 ) Jordan Panhttp://blog.jordanpan.cn
mailto:[email protected]
2
摘要 Summary
• 脆弱性安全 Vulnerability-oriented security• 结构性安全 Structural security• 结构性安全中的脆弱性
Vulnerabilities in structures• 结构性威胁 Structural threats
3
脆弱性安全Vulnerability-oriented security
4
脆弱性 Vulnerabilities
• 弱口令 simple password• 病毒 virus• 操作系统漏洞 OS flaw• 协议漏洞 protocol flaw• 造成拒绝服务攻击的性能限制
performance limitation• 防火墙配置不当 bad configuration of firewalls• … …
5
面向脆弱性的安全Vulnerability-oriented security
• 防病毒系统 anti-virus system• 漏洞扫描系统 vulnerability scanner• 补丁管理系统 patch management system• 入侵检测系统 IDS• 防拒绝服务攻击系统 anti-DoS• 防火墙 Firewall• 多功能安全网关 UTM• … …
6
PSPC 需求驱动筐架 Requirement Driven BaCaMeth
需求筐架Req.BCM.
来自内部From Internal
来自外部From External
主动引导Active
体系化Systematic
政策性Policy
被动要求Passive
问题型Problem
合规性Compliance
7
面向脆弱性的风险管理Vulnerability-oriented risk management
8
国家标准中的风险管理关系图Risk management elements in Chinese standard
使命Mission
脆弱性Vulnerability
安全需求Requirement
安全措施Safeguard
资产价值Asset value
资产Asset
威胁Threat
风险Risk
残余风险Residual R.
事件Event
依赖On
拥有Have
被满足
Sat
isfi
ed b
y
抗击 Resist
利用
暴露Explore
降低Reduce
增加incre
ase增加
Increase
增加Increase
导出Lead
演变成
Occur
未被满足 not satisfied by
未控制Uncontrolled
可能诱发Invoke
残留
Leave
成本
Cos
t
9
最精简的风险管理3要素模型3-element risk management model
三要素风险管理模型3-element risk management model
资产和业务Asset
保障措施Safeguard
威胁Threat
10
2006 SC Awards• Best anti-malware solution
– Best Anti-spyware – Best Anti-trojan – Best Anti-virus – Best Anti-worm
• Best Content Security Solution – Best Anti-spam – Best Email Content Filtering – Best Email Security – Best IM security – Best Intellectual Property Protection
• Best Network Security Solution – Best Wireless Security – Best Enterprise Firewall – Best Intrusion Detection – Best Intrusion Prevention – Best Desktop Firewall
• Best Remote Access – Best VPN - SSL – Best VPN - Ipsec – Best Endpoint Security Solution – Best Web Filtering – Best Encryption
• Best Identity Management Solution – Best Password Management – Best Authentication – Best Single Sign-on – Best Two-Factor Solution
• Best Unified Threat Solution – Best Integrated Security Software – Best Integrated Security Appliance – Best Managed Security Service – Best Email Managed Service
• Best Network Security Management – Best Event Management – Best Computer Forensics – Best Policy Management – Best Security Audit – Best Security Management Tool
• Best Vulnerability Assessment and Remediation
– Best Patch Management – Best Vulnerability Assessment
Source from: http://www.scmagazine.com/uk/awards/previous/26104/year/2006/
11
脆弱性安全的产业环境Vulnerability-oriented security industrial environment
威胁方Threat agents
厂商Provider
用户User
12
木桶原理的迷失Misleading of Cask Rule
• 误导– 将整体结构仅仅简化为防御结构– 不考虑防御纵深问题– 只考虑静态的结果状态– 没有成本观念– … …
• Misleading– Only consider prevention structure– Not consider deep prevention– Only consider static state– Not consider cost-effective– … …
13
结构性安全Structural security
基本结构 basic structure
紧密结构 tight structure
松散结构 loose structure
14
访问控制的 RM 机制Reference monitor of access control
• 访问控制的 RM 机制是非常基本的安全结构
• Reference monitor of access control is a very basic security structure
15
RM 机制有效的结构性条件Structural conditions of valid RM mechanism
• 三个条件– 不能被绕过– 不可篡改– 足够小,可以被证明
• 3 conditions of VRM– Can not be bypass– Can not be tampered– Be small enough, can
be proved
16
Randomly GeneratedSymmetric Key (seed + PRNG)
Alice
Publickey
Privatekey
Private key
Public key
Bob
密钥交换过程Key Exchange Process
messagemessage
X15/^ow83h7ERH39DJ3H
messagemessage
X15/^ow83h7ERH39DJ3H
17
紧密安全结构的代表——可信计算Tight security structure — Trusted Computing
http://www.trustedcomputinggroup.org
• 可信的定义 Definition of trust– 可信就是,一个设备的行为是按照其预期目标和指定方式执行的
Trust is the expectation that a device will behave in a particular manner for a specific purpose.
– 一个可信平台应当至少提供三个基本特性:保护能力、完整性测量和完整性报告A trusted platform should provide at least three basic features: protected capabilities, integrity measurement and integrity reporting.
(From section 4.1, TCG Architecture Overview 1.0)
18
TCG 的基石性原理Fundamental rule of TCG
• 信任根就像“公理”一样,是信任的基础。在PC 系统中,常常用硬件芯片实现。
• Roots of trust– In TCG systems roots of trust are components that
must be trusted because misbehavior might not be detected.
• 信任链则是信任传递的机制。常常采用密码技术。
• Chains of trust– Transitive trust also known as “Inductive Trust”, i
s a process where the Root of Trust gives a trustworthy description of a second group of functions.
19
一个包含 TPM 的 PCReference PC platform containing a TCG TPM
20
TCG – 可信平台模块TCG – Trusted Platform Module (TPM)
• 一个可信平台常常拥有三个可信根There are commonly three Roots of Trust in a trusted platform– 测量可信根 root of trust for measurement (RTM)– 存储可信根 root of trust for storage (RTS) – 报告可信根 root of trust for reporting (RTR)
21
证明协议和消息交换Attestation protocol and message exchange
22
TPM – 存储可信根的体系结构TPM – Root of Trust for Storage (RTS)
23
TPM 部件体系结构TPM component architecture
24
TCG 软件分层TCG software layering
25
可信平台的生命周期The trusted platform lifecycle
26
可信平台上的用户认证User authentication using trusted platforms
27
可信平台上的用户认证User authentication using trusted platforms
28
经典的四角模型The classical four corners model
29
四角模型的可信平台实现Detailed TP deployment architecture
30
TCG对于可信计算平台的划分8 categories of Trusted platform
体系结构体系结构 ArchitectureArchitecture
TPMTPM
移动设备移动设备 MobileMobile 客户端客户端 PC ClientPC Client
服务器服务器 ServerServer
软件包软件包Software StackSoftware Stack
存储存储 StorageStorage可信网络连接可信网络连接
Trusted Network ConnectTrusted Network Connect
31
TCG 的 IWG 和 TNC 的对应关系the IWG and TNC architecture
32
TNC 体系结构TNC architecture
33
TNC 体系结构下的消息流Message flow between components
34
拥有 TPM 的 TNC 体系结构The TNC architecture with the TPM
35
思科的自防御网络体系Cisco’s self-defending network
36
思科的自防御网络体系Cisco’s self-defending network
37
松散安全结构的代表——框架和方案Loose security structure — Framework
• 松散结构中的各个部件关联关系,常常靠人的集成来实现The connection among the components of loose structure is always integrated by human.
• 松散结构常常表现为框架 Framework– 技术框架 Technology framework– 管理体系 Management system
• ISO27001, ISO20000, etc.
38
39
技术功能是 PDR 的衍生PDR can express technology framework
40
检测能力是松散技术结构的关联要素Detection make the loose structure tight
• 攻击者不得不面对越来越多的Attackers have to face more– 入侵检测 IDS– 漏洞扫描 scanner– 应用审计系统 Application auditing system– 日志系统 log system– 蜜罐 honey pot– 取证系统 forensic system– 监控平台 monitoring platform– 等等 etc.
41
一个信息安全管理体系的结构Structure of a ISMS (modified ISO27001)
PHY 环境与设备
POL 方针和策略
NET 网络与通信
SYS 主机与系统
APP 应用与业务
DAT 数据/文档/介质
RSK 风险管理
BCM 业务连续性管理
ENG项目工程
OPR 运行与维护
ORG人员和组织
CPL合规性
42
结构性安全中的脆弱性Vulnerabilities in structures
43
你对刚才阐述的结构性安全有什么感觉?What’s your feeling about structural security?
• 复杂 complex• 怀疑其完备性 concern about the completion• 成本 cost• 蠢人永远有 stupid guys are there• … …
44
不要被“结构性安全”给忽悠了!Do not be misled by structural security
• 不要被“结构性安全”给忽悠了!脆弱性安全和结构性安全并不是对立的,也不是两个发展阶段;脆弱性安全也有结构,结构性安全也有脆弱性。
• Do not be misled by structural security– Vulnerability-oriented security also has structure– Structural security also has vulnerabilities
45
借助非技术环节来侵害技术结构Find vulnerabilities from non-technology parts
Randomly GeneratedSymmetric Key (seed + PRNG)
Alice
Publickey
Privatekey
Private key
Public key
Bob
46
借助非技术环节来侵害技术结构Find vulnerabilities from non-technology parts
Randomly GeneratedSymmetric Key (seed + PRNG)
Alice
Publickey
Privatekey
Private key
Public key
Bob Private key
Public key
Carl
线路的透明插入,可以完成对于加密通信的嗅探攻击
47
借助非技术环节来侵害技术结构Find vulnerabilities from non-technology parts
Randomly GeneratedSymmetric Key (seed + PRNG)
Alice
Publickey
Privatekey
Private key
Public key
Bob Private key
Public key
Carl
48
结构性安全的局限性Limitation of structural security
• 结构是在环境中的、有边界的environment and boundary
49
在生命周期中寻找弱点 Find vulnerabilities along the lifecycle
• 厂家的生产环节常常会埋有后门back doors embedded during manufacturing
• 没有一个系统是完美的No perfect system
• … …
50
在结构的时序中寻找突破Find vulnerabilities through time sequence
• 以文档保密系统为例Sample: Document protection system
• 文档的生成环节最可能存在漏洞Vulnerabilities during creating documentation
51
结构性安全的局限性Limitation of structural security
• 结构是在环境中的、有边界的environment and boundary
• 在不同阶段、不同人手中保持安全很困难different phases and organizations
52
在人性中寻找弱点Find vulnerabilities from human behavior
• 社交工程攻击 Social Engineering• 隐私保护 Privacy protection• 自由倾向 Anti-DRM• 懒惰 Lazy• … …
53
结构性安全的局限性Limitation of structural security
• 结构是在环境中的、有边界的environment and boundary
• 在不同阶段、不同人手中保持安全很困难different phases and organizations
• 人把科学变成了艺术Human transform science to art
54
结构本身可能就有问题Find vulnerabilities from structure itself
55
• 对于 AR/PEP/PDP 的伪装,可能打破整个结构every role may be spoofed
• 所有看似漂亮的结构,其性能和可用性问题可能会非常严重,会轻易被拒绝服务攻击击垮Most beautiful structures have performance and availability problems and may be easy to be kick down by DoS.
• 那么多传统攻击方式,可能有的还有效Some traditional attacks are still effective
结构本身可能就有问题Find vulnerabilities from structure itself
56
结构性安全还要继续博弈We are still in the game
• 怎么博弈?How to Play the game?– 你了解对方的结构吗?
Do you know the structure of all players?– 你了解对方了解多少自己的结构吗?
Do you know “how much have the other player known about your structure” ?
57
结构性威胁Structural threats
知识、资源和原则Knowledge, Resources and Principles
58
知识Knowledge
• 寻求对于系统更深层次技术结构的研究Who know lower?
• 寻求对于系统宏观结构的了解Who know the macro-structure better?
• 寻求对于具体对象的全面了解How many details do you know?
• … …
59
资源Resources
• 从分布式拒绝服务攻击到僵尸网络,掌握具有结构和组织的攻击体Botnet is a sample of structural software organization for attacking
• 在时序上组成结构,非常有利于攻击Time sequence spreading is a good thinking of structural attack
• … …
60
结构的一些关键字Key words of structure
• Business• Distribution• Hierarchy• Time sequence• Life-cycle• Management
– Organization– Regular– Process Control
• Value
• 业务• 分布式• 层次• 时序• 生命周期• 管理
– 组织– 制度– 过程控制
• 价值
61
流程化的结构思路Process-oriented structure
processprocess
inputinput outputoutput
Process ownerProcess owner
operatoroperator
Infra-Infra-structurestructure
KnowledgeKnowledgebasebase
LOGLOGArchiveArchive
ProcessProcessimprovingimproving
MonitorMonitor
62
原则Principles
• 安全没有百分之百 No 100% Security• 安全相对性的三个原则 3 security relativity rule
–生存原则 survival rule
–风险原则 Risk rule
–保镖原则 bodyguard rule自身完备性要求
Perfective requirement
63
总结 Conclusion
• 脆弱性安全 Vulnerability-oriented security• 结构性安全 Structural security• 结构性安全中的脆弱性
Vulnerabilities in structures• 结构性威胁 Structural threats
64
总结:一个可以持续研究下去的课题Conclusion: A good problem to keep approaching
脆弱性防御V.O. defend
结构性防御Structural
defend
脆弱性攻击V.O. attack
结构性攻击Structural
attack
脆弱性和结构性 Vulnerability-oriented vs. structural
攻击
和防守
def
end
vs.
atta
ck
65
谢谢…Thanks…
大潘 Jordan Pan