Mobile Code and Security IssuesKazım Bayram

Yıldırım Beyazıt University Management Information Systems 2014

1

What is the Mobile Code?

Mobile Code- Is software transferred between systems and executed on a local

system without explicit installation by the recipient.

- Can be executed on one or several hosts.

- Can transfer from host to another host and execute easily.

- Includes Scripts like JavaScript, VBScript, Java applets , Office Macros,

DLLs, Activex Controls etc.

2

3Advantages of Mobile Code

- Eliminate installation and configuration problem and reduce

distribution cost.

- Can run many platforms

- Increase the scalability of client/server applications

- Achieves performance advantages

- Achieves interoperability of distributed applications

4Categories of Mobile Code

Categorize by mobility: - Code on Demand- One method of categorising the mobile code is based on code mobility.

- Remote Evaluation

- A client sends code to a remote machine for execution.

- Mobile Agents- Objects or code with the ability to migrate between machines autonomously.

5Categories of Mobile Code

Type of Mobility Category Mobility of Code Resources Processor

Weak

Code on demand Remote to Local Local side Local

Remote evaluation Local to Remote Remote side Local

StrongMobile agent Migration Remote side Agent’s originator

6Categories of Mobile Code

Categorize by type of code:- Source code

- Intermediate code

- Binary code

- Just-in-time compilation

7Interpreter vs Compiler

- Interpreters read and parse source or intermediate code and execute

it. ex: java, Phyton, php, Java, .Net platforms. (Write Once Run

Anywhere)

- Compilers convert source code to binary code and execute every time

same code. (ex: C++, C ,Assembly) (Write Once Compile Anywhere)

- Compiler faster than Interpreter

- Platform dependency is lower on interpreter

8Source Code?

9Intermediate Code

10Binary (Machine) Code

11Just-in-Time Compilation

Speed of Binary Code

+

Portability of

Intermediate or Source Code

12Properties of Mobile Code

- Comes in a variety of forms

- Often runs unannounced and unbeknownst to the user

- Runs with the privilege of the user

- Distributed in executable form

- Run in multiple threads

- Can launch other programs

13Security Issues Of Mobile Code

- Host Security Against Malicious Code

- Mobile Code Security against Malicious Host

14Host Security

- Sandboxing

- Code Signing

- Combined form of Code Signing and Sandboxing

15Sandboxing

- Mobile code is executed inside a restricted area called a sandbox

system functionality.

- Virtual Machines , Linux OS security mechanism, Application testing

platforms, etc.

16Sandboxing

Mobile Code

Local Code

Host

NetworkMobileCode

Sandbox = Restricted Environment

Resources

17Code Signing

- The code digitally signing a software identifies the produces who

created and signed it with one way hashing method and

- It enables the platform to verify that the code has not been modified

since it was signed by creator.

18Code Signing

Local Code

Host

Network MobileCode

Mobile Code

A6D30781

Control Area

A6D30781

Resources

19Sandboxing and Code Signing

Mobile Code

ResourcesLocal Code

Host

Sandbox = Restricted Environment

Network MobileCode

A6D30781

Control Area

A6D30781

20Mobile Code Security

Tampering Prevention Techniques

- Mobile Cryptography

- Obfuscated Code

- Cooperating Agents

21Mobile Cryptography

- Encrypting sending and receiving data

- The data can be decrypt via encryption key || scheme

- Data received by an “black box” and if the request is valid it responses,

else they block the requested profile.

- Various means of code obfuscation and authentication techniques are

proposed to achieve this time-limited “black box”.

22Mobile Cryptography

23Obfuscated Code

- Obfuscation is a technique of enforcing the security policy by applying

a behavior-preserving transformation to the code before it is being

dispatched to different hosts. Can run many platforms

- It aims to protect the code from being analyzed and understood by

the host; thereby, making the extraction and corruption of sensitive

data or .

24Obfuscated Code

25Cooperating Agents

- Distributing critical tasks of a single mobile agent between two or

more cooperating agents.

- Each of the two cooperating agents executes the tasks in one of two

disjoint sets of platforms.

- The cooperating agents share the same data and exchange

information in a secret way. This technique reduces the possibility of

the shared data being pilfered by a single host

- On any error, they communication way could be changed.

26Developing Security Mechanism

- Developing sound, reliable security mechanisms is a nontrivial task.

- It could be too complex and difficult

- Reducing effort, security services that rely on well-known, well-

understood, and well-tested security mechanisms. Also, by describing

the security of the mobile-code system in terms of the language and

OS security mechanisms, system administrators can better evaluate the

security implications of deploying the system.

27Language Support for Safety

The features of the language needed to ensure that various code units do

not interfere with each other

- Heavy address space protection mechanisms

- Type-safe feature (CTS, CLS)

- Designing a modular system (OOD , OOP)

- Replace general library routines that could compromise security more

specific ( relevant with sandbox)

- Granting access to resources (relevant with sandbox)

28OS Level Security

- Authentication- Username / Password, User card/key, User attribute - fingerprint/ eye retina pattern/ signature, UID

- Program Threats- Trojan, HorseTrap, DoorLogic, BombVirus

- System Threats- Worms, PortScanning, Denial of Service(DoS)

- Viruses

- Stack and Buffer Overflow

29Safety Policies for Mobile Code

- Control flow safety

- Memory safety

- Stack safety

30

31Trust

- Security is based on the notion of trust.

- Two software category : Trusted or not

- All software on our side of the trust boundary is trusted and is known

as the trusted code base.

- All security implementations rely on some trusted code.

- The trusted-code base should include the local operating system

kernel, but can also include other items of trusted software, like trusted

compilers or trusted program runtime environments (e.g., the Java

interpreter).

32Performance and Security

Secu

rity

Perfo

rman

ce

33Java vs C (Test based on OpenJDK and GCC)

34Performance and Security

35All in All

- Any system is completely safety

- Any signature, encryption system are perfect. It can be solved.

- Any software has some bugs and some security holes.

- Hybrid Systems should use on projects for much more safety

- Performance and Security should be balanced.

36ISO/IEC 27000 series

- ISO/IEC 27000 is part of a growing family of ISO/IEC Information

Security Management Systems (ISMS) standards, the 'ISO/IEC 27000

series'.

- ISO/IEC 27000 is an international standard entitled:

- Information technology

- Security techniques

- Information security management systems

- The series provides best practice recommendations on information

security management, risks and controls within the context of an

overall information security management system (ISMS).

37ISO/IEC 27001

- The series provides best practice recommendations on information

security management, risks and controls within the context of an

overall information security management system (ISMS).

38ISO/IEC 27002Information security techniques

- Based on ISO/IEC 27001

- IT Risk assessment

- Security policy – management direction

- Organization of information security – governance of information security

- Asset management – inventory and classification of information assets

- Human resources security – security aspects for employees joining, moving and leaving an organization

- Access control – restriction of access rights to networks, systems, applications, functions and data

- Information systems acquisition, development and maintenance – building security into applications

- Information security incident management – anticipating and responding appropriately to information security

breaches

- Business continuity management – protecting, maintaining and recovering business-critical processes and

systems

- Compliance – ensuring conformance with information security policies, standards, laws and regulations

39References

- Programmıng language abstractıons for mobıle code (http://infoscience.epfl.ch/record/140630/files/EPFL_TH4515.pdf)

- Mobile Code Security Sergio Loureiro, Refik Molva, Yves Roudier) (http://www.eurecom.fr/~nsteam/Papers/mcs5.pdf)

- Morton, Bruce. "Code Signing". CASC. Retrieved 21 February 2014. (https://casecurity.org/wp-

content/uploads/2013/10/CASC-Code-Signing.pdf)

- Electronic Business: Concepts, Methodologies, Tools, and Applications (In Lee, Western Illinois University, USA)

- Dr. Lawrie Brown. "Mobile Code Security". Australian Defence Force Academy. Retrieved April 23, 2012.

(http://seit.unsw.adfa.edu.au/staff/sites/lpb/papers/mcode96.html)

- Abraham Silberschatz, Greg Gagne, and Peter Baer Galvin, "Operating System Concepts, Seventh Edition ", Chapter 15

(http://www.cs.uic.edu/~jbell/CourseNotes/OperatingSystems/15_Security.html)

- http://www.iso.org/