1、单位代码10学 号分 类 号TP393密 级文献翻译计算机安全概述院(系)名 称 专 业 名 称 学 生 姓 名 指 导 教 师 2012年2月28日英文译文计算机安全概述摘 要计算机安全主要包括用于检测和组织的防御方法组织任何可能的入侵者。计算机安全的原则因此在各种有威胁的入侵者的压力下产生。首先给出现有的已知存在于系统中的安全威胁的例子。第二部分介绍了安全威胁的分类，最后一节提出来一些保护机制和技术来确保一个计算机系统的安全。本文没有涉及硬件安全，通信安全的问题，也没有涉及到一些敏感的信息。也许最公开的威胁是一个入侵者猜测用户的密码。随着个人电脑，拨号调制解调器和代理服务器的出现，这成了一2、个大问题。穿甲弹通常有一个常用的密码列表，然后他们可以尝试在个人电脑的帮助下使用他们解密。另外，如果密码太短他们很容易找到一份详细的搜索。还有标准的账户，默认的密码总是系统分配的，而且可能没有更改。另一种威胁是所谓的欺骗。这是通过通过与用户交谈进行欺骗，导致信息的外泄。例如，欺骗程序可以让一个毫无戒心的用户访问该网站，通过漏斗欺骗程序的机器，让欺骗程序，检查受害者的所有活动，包括任何密码或受害人的存款数目。欺骗程序也可能导致虚假或误导数据以受害人的名义进入网站服务器，反之以网站服务器的名义对受害人。总之，攻击者观察和控制所有工作在网站服务器上的受害者。另外一个例子也可以用来举例，欺骗程序可能会3、显示在终端的登陆界面，这使得终端的现实为空闲。然后，当一毫无戒心的用户开始通信终端，欺骗程序录入登录名并要求用户的密码。在获得信息之后，欺骗程序显示一个再试一次的消息或者其他东西，并返回他先前获得的所有权。另一个威胁是用户对敏感信息的浏览，这发生在一个合法的可用的所有文件和手机的点点滴滴的有用的信息。例如，一个浏览器可能会在不经意间找到一个公共可读的文件留下的密码。一个更复杂的威胁，通常被认为是已知的特洛伊木马，是一个比打算做的更多或者是一个以为用来做好事的程序，而实际上它是在后台做一些讨厌的。例如，一个背景程序或者一些软件可能会被公开。然后，当没有检测到这个程序时，特洛伊木马，以用户的访问权4、利和自己的执行文件暗中读取用户的文件，甚至还邮寄给游戏的创造者，如果用户用户自己登录到了网络。最近，我们看到了被誉为互联网网站荣誉的分布式拒绝服务攻击。黑客利用这些木马策划攻击。另一个威胁是一个狡猾疲惫的共享资源用户，这样的结果使得合法的用户无法完成工作。例如，一个网络前端的用户可以利用现有的信息所有的缓冲区使合法用户不可能完成任何有用的工作。故意造成崩溃的所有工作提高到一个停止系统是这种类型的威胁一个更深的例子。另一类威胁是一个能够从由数据库返回的非敏感信息和敏感数据推断统计数据库用户的结果。例如，如果RAM是只有在一个特定班级心理学一个主要可以推断出平均成绩的等级课程和在班级中的所有非心理5、学专业学生的平均成绩。读者可能会问，“如果有这么多的计算机犯罪，为什么我没有听说过呢？”统计显示，所有的计算机犯罪中大约1%被发现，7%被检测出来的犯罪被报道过。33个报道的罪犯中有一个被定罪，22000个人中有一个蹲监狱。犯罪不被报道的原因之一是因为一次成功的攻击经常显示出一些如电可以被其他潜在的黑客攻击。此外，他们的犯罪也经常被视作恶作剧，当人们发现了之后也不会引起足够重视来报警。本节尝试进行给中威胁的分类，这种分类等级曾经被邓宁使用过。浏览介绍了主要和次要存储器通过搜索方法搜索残余信息。浏览器通常是不找什么特别的，但警惕可能有用的信息。浏览器可能会发现包含敏感信息的文件或包含有助于访问其6、他敏感信息的信息。最有用的威慑是组织浏览时控制、限制用户只能使用中获取信息但也阻碍了浏览使用。泄露是信息一个未经授权的用户在用户传输的过程中访问。大众步步高游戏就是这种类型的威胁。根据推论威胁存在可能一个用户从非敏感数据中推断出敏感信息。这种通常是关于个人群体相关信息，来获取有关个人信息。推论控制在下一节介绍时用来对付这种类型的威胁。篡改是指未经过允许对那些存储在计算机中有价值的信息作出改变的过程。一个例子是一个学生在篡改他的分数在年级文件中。篡改可以避免如果只允许用户修改它们自己的文件。加密检查总结，可用于检测篡改。这种方法使用密码块链接，如加密技术，以生成每个文件的检验和。这种方法使用检测7、技术，比如加密技术，以生成每个文件的检验和。这种技术只能检测出来改变，但不能阻止它们。数据的意外破坏虽然是无辜的，但是代价却很昂贵。意外破坏可能是软件和硬件缺陷。例如，有缺陷的软件可以允许程序写入超出其数据空间，并覆盖其他用户的数据。访问控制技术可以用来限制覆盖到用户的空间，自己的数据。加密检查总结，也可以用来检测销毁意外的数据。浏览，泄露和推理是数据安全的主要威胁，并且篡改和意外销毁是影响数据完整性的威胁。这两种威胁的分类既不符合保密或完整性类别的伪装和拒绝服务。伪装是过程，其中一个入侵者能够访问在另一个用户的账户添加到系统的应用。欺骗和猜测密码是伪装的威胁。首先入侵者冒充系统，然后入侵者冒8、充为合法用户。拒绝服务的威胁限制合法用户做有用的工作。这就是狡猾的用户耗尽所有可用的资源威胁的例子。本节介绍保护机制用来提高计算机安全保护。该机制介绍分为认证机制，访问控制，推力控制。另外，这种渗透分析的方法，形式化验证技术，并将其转换渠道分析方法进行了介绍。认证机制-认证机制主要解决的是伪装的威胁。第一个机制讨论的是安全注意的关键。关键之处在于，当通过在终端的用户的打击，杀死任何真实系统监听器之外运行的终端，从而保证了可信路径到系统。这将欺骗毫无戒心的用户的尝试。然后，重要的是使用户集中安全注意键，养成开始与系统之间对话的习惯。确保这种系统的一个方式是，只显示登陆提示后键才被按下。防止密码猜9、测可以使用简单的指引。每个人都应该选择长密码（至少8个字符），它并不明显，而不应使用容易喜欢配偶的姓名或名称猜测的密码。此外，密码不应该写在明显的位置。另外，用户应该培养成输入密码时应有合适的时间间隔。大部分的指引可以采取强制执行的制度。例如，密码的程序可以需要很长的密码，可以核对密码，选择了一个明显的密码或报告错误消息像字典的东西如果是相同的登录（PC用户常用的做法）。登录程序还可以告知用户是时候改密码了。密码文件存储在系统可能像其他文件一样受损。因此，它并不是好的做法存储密码在硬盘中。相反，一个单向函数（一个函数在计算机上是不可行的逆确定）用于确定密码，并且存储密码在文件中。当用户的密码在10、登录时经过函数运算与存储的结果比较，通过使用单向函数登录文件可以公开密码。允许访问该对象。一个主题的能力定义或环境或主题可以直接访问。读者应注意，访问列表中的列对应的访问和功能对应一行。两种方法的一个重要方面是，无论是能力和访问的元素必须是不可伪造的，否则，整个保护机制就会终端。一个保证这些元素的不可伪造的方法是通过一个立即通过限制访问这些值得信赖的一段代码。下面介绍的参考监视器就是这样一个机制。访问控制访问控制机制执行政策汪汪包含访问层次。也就是说，主题可能从最高到最低权限，其中自动获得更多的特权用户的权限的用户的权利，至少在不同的行列。例如在UNIX系统的超级用户一个主题权限可以访问系统中11、的任何对象。附:英文原文An Overview of Computer SecurityAbstracComputer security consists largely of defensive methods used to detect and thwartwould-be intruders. The principles of computer security thus arise from the kinds of threats intruders can impose. This paper begins by giving examples of known securit12、y threats in existing systems. The second section presents a classification of security threats, and the last section presents some protection mechanisms and techniques for ensuring security of a computer system.This paper doesnt address the topics of physical security, communication security, and b13、reaches of trust by personnel with the access to sensitive information.Probably the most publicized threat is the result of an intruder guessing a userspassword. With the advent of personal computers, dial-up modems and proxy servers this has become much more of a problem. Penetrators have a list of14、 the commonly used passwords and they can then try them all with the aid of their personal computer. In addition, if passwords are short they are easily found by an exhaustive search 1. There are also standard accounts with default passwords that are distributed with systems, and may not have been c15、hanged.Another common threat is called spoofing. This is accomplished by fooling a user intobelieving that he/she is talking to the system, resulting in information being revealed. For instance, a spoofer can make an unsuspecting user accesses the web funneled through the spoofers machine, allowing 16、the spoofer to monitor all of the victims activities including any passwords or account numbers the victim enters. The spoofer can also cause false or misleading data to be sent to web servers in the victims name, or to the victim in the name of any web server. the attacker observes and controls eve17、rything the victim does on the web.Another example that can be cited for instance, the spoofer may display what looks like the system login prompt on a terminal to make the terminal appear to be idle. Then when an unsuspecting user begins to communicate with the terminal, the spoofer retrieves the l18、ogin name and asks for the users password. After obtaining the information, the spoofer displays a try again message or something and returns ownership that was previously obtained by himAnother threat is user browsing for sensitive information. This occurs when a legitimateuser peruses any files th19、at are available and gleans useful information. For instance, a browser may locate a password inadvertently left in a publicly readable file.A more sophisticated threat, commonly known as the Trojan horse, is the result of aprogram doing more that it is supposed to or its a program that appears to d20、o something good,while its actually doing something nasty in the background. For instance, a backgammon program or some software may be made public. However, when the unsuspecting plays against the program, the Trojan horse, executing with the users own access rights to his files surreptitiously rea21、ds the users files and might even also mail them to the creator of the game, if the user has himself logged onto the net. Recently, we saw reputed internet sites susceptible to what are called distributed denial of service attacks. Hackers using Trojans mastermind these attacks.Another threat is the22、 result of a devious user exhausting a shared resource so thatlegitimate users cannot complete the work. For instance, the devious user of a network front-end might use all of the available message buffers making it impossible for the legitimate users to accomplish any useful work. The intentional c23、rashing of the system causing all work to a halt is a further example of this type of threat.Another class of threats is the result of a user of a statistical database being able to infer sensitive data from non-sensitive information returned by the database. For instance, if Ram is the only psychol24、ogy major in a particular class one can deduce Rams grade from the average grade of the course and the average grade of all non-psychology majors in the class.The reader may be asking , “If there is so much computer crime why havent I hearedabout it?” Statistics show that approximately 1% of all com25、puter crime is detected , 7% of the detected crrimes are reproted , 1 out of 33 criminals reported are convicted, and 1 out of 22,000 ends up in jail 3. One reason crimes are not reported is that a successful attack often reveals vulnerabilities that can be exploited by other potential attackers. Fu26、rthermore, may of the crimes are viewed as pranks, and the people who detect them do not think they are serious enough to report to the police 4.This section attempts to categorise the various threats. The classifications used were first used by Denning 2.Browsing describes the method of searching t27、hrough main and secondary memory forresidue information. The browser is usually not looking for anything in particular, but is alert to possibly useful information. The breowser may find files containing sensitive information or containing information that helps to access other sensisitive informati28、on. The most useful deterrent to browsing is the use of controls that restrict users to only accessing information in their own data space.Enciphering data also deters browsing.Leakage is the transmission of information to an unauthorised user from a process that is allowed to access the data. The p29、ublic backgammon game is this type of threat.An inference threat exists if a user can deduce sensitive information from non-sensitivedata. This is usually the result of correlating information about groups of individuals to obtain information about an individual. The inference controls presented in 30、the next section are used to counter this type of threat.Tampering refers to the processof making unauthorised changestothevalue ofinformation stored in the computer. An example of tampering is a student changing his/her grade in the grade file. Tampering is avoided by allowing users to modify only 31、their files. Cryptography check summing can be used for detecting tampering. This method uses cryptographic techniques, such as cipher block chaining, to generate a check sum for each file. The technique only detects changes; it doesnt prevent them.Accidental data destruction although often innocent32、, can be costly. Accidentaldestruction may be caused by both hardware and software failures. For instance, faulty software could allow a program to write beyond its data space and overwrite another users data. Access control techniques can be used to limit overwriting to the users own data space. Cr33、yptographic check summing can also be used for detecting accidental data destruction.Browsing, leakage and inference are threats to the secrecy of data, tampering andaccidental destructions are threats to the integrity of data. Two threat classifications that fit into neither the secrecy or integrit34、y category are masquerading and denial of service. Masquerading refers to the process where an intruder gains access to the stystem under another users account. Spoofing and pasword guessing are masquerading threats. In the first the intruder is posing as the system, in the second the intruder is po35、sing as a legitimate user.Denial of service threats prevent legitimate users from getting useful work done. Thedevious user exhausting all available resources is an example of this threat.This section intoduces protection mechnasims used to enhance computer security. Themechnasims presented are grou36、ped into authentication mechnasims, access control, and inference control. In additon, the methods of penetration analysis, formal verification techniques, and convert channel analysis are introduced.Authentication Mechanisms Authetication mechanisms primarily address themasquerading threat. The fir37、st mechanism discussed is the secure attention key. This key, when hit by a user at a terminal, kills any process running at the terminal except the true system listener and thus guarantees a trusted path to the system. This will foil attempts at spoofing the unsuspecting user. However, it is import38、ant that users make a habit of always hitting the secure attention key to begin a dialogue with the system. One way of ensuring this for the system to only display the login prompt after the key is depressed.Simple guidelines can be used to deter password guessing. One should choose a longpassword (39、at least 8 characters) that is not obvious, and should not use easily guessable passwords like a spouses name or a login name. In addition, a password should not be written in the obvious place. Furthermore, users should be trained to change their passwords at appropriate intervals. Most of the guid40、elines can be enforced by the system. For instance, password program can require long passwords and can check the password chosen against a dictionary of obvious passwords or something like reporting an error message if the password is the same as the login(a common practise by an average pc user). 41、The login program can also inform the user that it is time to change passwords.Password files stored in the system may be compromised like any other file. Therefore, it is not good practise to store passwords in the clear. Instead, a one way function (i.e., a function whose inverse is computationall42、y infeasible to determine) is used to enchiper passwords and the result is stored in the password file. When a users password is presented at the login time it is enchipered and compared to the stored value. By using one way functions to enchiper passwords the login file can be made public.Access Co43、ntrol Assuming that by using authentication mechanisms and good password practice the system can guarantee that users are who they claim to be, the next step is to provide a means of limiting a users access to only those files that policy determines should be accessed. These controls are referred to44、 as access control.When describing access control policies and mechanisms it is necessary to consider the subjects and objects of the system. Subjects are the users of the system along with any active entities that act on behalf of the user or the system (eg. user processes). Objects are the resourc45、es or entities of the system (eg. files, programs, devices). The access control mechanism determines for each subject what access modes such as read (R), write (W), or execute (X), it has for each object.A convenient way of describing a protection system is with an access matrix . In theaccess matri46、x rows correspond to subjects and columns correspond to objects. Each enrty in the matrix is a set of access rights that indicate the access that the subject associated with the row has for the object associated with the column. The following is an example access matrix. From the matrix one can dete47、rmine that subject S3 has read and write access to the object O2 and execute access to the object O3.An example of access matrix There are two common ways of representing an access matrix in a computer system: access control lists (sometimes called authorization lists) and capability lists (often ca48、lled c-lists). With the access list approach each object has an access list associated with it. This list contains the name of each subject that has access to the object along with the modes of access allowed. In contrast the capability list approach associates a list with each subject. The elements49、 of the list are capabilities which can be thought of as tickets that contain an objects name and the modes ofaccess allowed to the object. A subjects capability defines the environment or domain that the subject may directly access.The reader should note that an access list corresponds to a column 50、in the access and acapability corresponds to a row. An important aspect of either approach is that both thecapabilities and the elements of access must be unforgeable or else the entire protection mechanism breaks down. One way of guaranteeing the unforgeability of these elements is by restricting a51、ccess to them through an intermediatry trusted piece of code. The reference monitor introduced below is one such mechanism. Access control policies enforced by the access control mechanisms often incorporate access hierarchies. That is, subjects may have different ranks ranging from the most to the least privileged, where the more privileged user automatically gets the rights of the least privileged user. For instance, in a UNIX system a subject with the superuserprivilege can access any object in the system.