计算机安全-翻译(井凯).doc

南 京 工 程 学 院毕业设计文献资料翻译 （原文及译文）原文名称： Computer security 课题名称：基于Windows平台的个人防火墙研究与设计学生姓名： 井 凯 学 号： 208050517指导老师： 郭 丽 红 所在系部： 通信工程学院 专业名称： 通信工程(计算机通信) 2009 年 3 月 南 京目录英文原文：3Computer security3Hardware mechanisms that protect computers and data3Secure operating systems4Security architecture5Security by design5Early history of security by design6Secure coding6中文翻译：8计算机安全8保护计算机和数据的硬件机制8安全的操作系统8安全架构9安全设计9早期历史的安全设计10安全代码10英文原文：原文地址：/wiki/Computer_securityComputer securityFrom Wikipedia, the free encyclopediaThis article is about computer security through design and engineering.Computer security is a branch of technology known as information security as applied to computers. The objective of computer security varies and can include protection of information from theft or corruption, or the preservation of availability, as defined in the security policy.Computer security imposes requirements on computers that are different from most system requirements because they often take the form of constraints on what computers are not supposed to do. This makes computer security particularly challenging because it is hard enough just to make computer programs do everything they are designed to do correctly. Furthermore, negative requirements are deceptively complicated to satisfy and require exhaustive testing to verify, which is impractical for most computer programs. Computer security provides a technical strategy to convert negative requirements to positive enforceable rules. For this reason, computer security is often more technical and mathematical than some computer science fields.Typical approaches to improving computer security (in approximate order of strength) can include the following: Physically limit access to computers to only those who will not compromise security. Hardware mechanisms that impose rules on computer programs, thus avoiding depending on computer programs for computer security. Operating system mechanisms that impose rules on programs to avoid trusting computer programs. Programming strategies to make computer programs dependable and resist subversion. Hardware mechanisms that protect computers and dataHardware based or assisted computer security offers an alternative to software-only computer security. Devices such as dongles may be considered more secure to the physical access required in order to be compromised.While many software based security solutions encrypt the data to prevent data from being stolen, a malicious program may corrupt the data in order to make it unrecoverable or unusable. Hardware-based security solutions can prevent read and write access to data and hence offers very strong protection against tampering.Secure operating systemsOne use of the term computer security refers to technology to implement a secure operating system. Much of this technology is based on science developed in the 1980s and used to produce what may be some of the most impenetrable operating systems ever. Though still valid, the technology is in limited use today, primarily because it imposes some changes to system management and also because it is not widely understood. Such ultra-strong secure operating systems are based on operating system kernel technology that can guarantee that certain security policies are absolutely enforced in an operating environment. An example of such a Computer security policy is the Bell-LaPadula model. The strategy is based on a coupling of special microprocessor hardware features, often involving the memory management unit, to a special correctly implemented operating system kernel. This forms the foundation for a secure operating system which, if certain critical parts are designed and implemented correctly, can ensure the absolute impossibility of penetration by hostile elements. This capability is enabled because the configuration not only imposes a security policy, but in theory completely protects itself from corruption. Ordinary operating systems, on the other hand, lack the features that assure this maximal level of security. The design methodology to produce such secure systems is precise, deterministic and logical.Systems designed with such methodology represent the state of the art of computer security although products using such security are not widely known. In sharp contrast to most kinds of software, they meet specifications with verifiable certainty comparable to specifications for size, weight and power. Secure operating systems designed this way are used primarily to protect national security information, military secrets, and the data of international financial institutions. These are very powerful security tools and very few secure operating systems have been certified at the highest level (Orange Book A-1) to operate over the range of Top Secret to unclassified (including Honeywell SCOMP, USAF SACDIN, NSA Blacker and Boeing MLS LAN.) The assurance of security depends not only on the soundness of the design strategy, but also on the assurance of correctness of the implementation, and therefore there are degrees of security strength defined for COMPUSEC. The Common Criteria quantifies security strength of products in terms of two components, security functionality and assurance level (such as EAL levels), and these are specified in a Protection Profile for requirements and a Security Target for product descriptions. None of these ultra-high assurance secure general purpose operating systems have been produced for decades or certified under the Common Criteria.In USA parlance, the term High Assurance usually suggests the system has the right security functions that are implemented robustly enough to protect DoD and DoE classified information. Medium assurance suggests it can protect less valuable information, such as income tax information. Secure operating systems designed to meet medium robustness levels of security functionality and assurance have seen wider use within both government and commercial markets. Medium robust systems may provide the same security functions as high assurance secure operating systems but do so at a lower assurance level (such as Common Criteria levels EAL4 or EAL5). Lower levels mean we can be less certain that the security functions are implemented flawlessly, and therefore less dependable. These systems are found in use on web servers, guards, database servers, and management hosts and are used not only to protect the data stored on these systems but also to provide a high level of protection for network connections and routing services.Security architecture Security Architecture can be defined as the design artifacts that describe how the security controls (security countermeasures) are positioned, and how they relate to the overall information technology architecture. These controls serve the purpose to maintain the systems quality attributes, among them confidentiality, integrity, availability, accountability and assurance.In simpler words, a security architecture is the plan that shows where security measures need to be placed. If the plan describes a specific solution then, prior to building such a plan, one would make a risk analysis. If the plan describes a generic high level design (reference architecture) then the plan should be based on a threat analysis.Security by designThe technologies of computer security are based on logic. There is no universal standard notion of what secure behavior is. Security is a concept that is unique to each situation.Security is extraneous to the function of a computer application, rather than ancillary to it, thus security necessarily imposes restrictions on the applications behavior.There are several approaches to security in computing, sometimes a combination of approaches is valid:1. Trust all the software to abide by a security policy but the software is not trustworthy (this is computer insecurity). 2. Trust all the software to abide by a security policy and the software is validated as trustworthy (by tedious branch and path analysis for example). 3. Trust no software but enforce a security policy with mechanisms that are not trustworthy (again this is computer insecurity). 4. Trust no software but enforce a security policy with trustworthy mechanisms. Many systems have unintentionally resulted in the first possibility. Since approach two is expensive and non-deterministic, its use is very limited. Approaches one and three lead to failure. Because approach number four is often based on hardware mechanisms and avoids abstractions and a multiplicity of degrees of freedom, it is more practical. Combinations of approaches two and four are often used in a layered architecture with thin layers of two and thick layers of four.There are myriad strategies and techniques used to design security systems. There are few, if any, effective strategies to enhance security after design.One technique enforces the principle of least privilege to great extent, where an entity has only the privileges that are needed for its function. That way even if an attacker gains access to one part of the system, fine-grained security ensures that it is just as difficult for them to access the rest.Furthermore, by breaking the system up into smaller components, the complexity of individual components is reduced, opening up the possibility of using techniques such as automated theorem proving to prove the correctness of crucial software subsystems. This enables a closed form solution to security that works well when only a single well-characterized property can be isolated as critical, and that property is also assessable to math. Not surprisingly, it is impractical for generalized correctness, which probably cannot even be defined, much less proven. Where formal correctness proofs are not possible, rigorous use of code review and unit testing represent a best-effort approach to make modules secure.The design should use defense in depth, where more than one subsystem needs to be violated to compromise the integrity of the system and the information it holds. Defense in depth works when the breaching of one security measure does not provide a platform to facilitate subverting another. Also, the cascading principle acknowledges that several low hurdles does not make a high hurdle. So cascading several weak mechanisms does not provide the safety of a single stronger mechanism.Subsystems should default to secure settings, and wherever possible should be designed to fail secure rather than fail insecure (see fail safe for the equivalent in safety engineering). Ideally, a secure system should require a deliberate, conscious, knowledgeable and free decision on the part of legitimate authorities in order to make it insecure.In addition, security should not be an all or nothing issue. The designers and operators of systems should assume that security breaches are inevitable. Full audit trails should be kept of system activity, so that when a security breach occurs, the mechanism and extent of the breach can be determined. Storing audit trails remotely, where they can only be appended to, can keep intruders from covering their tracks. Finally, full disclosure helps to ensure that when bugs are found the window of vulnerability is kept as short as possible.Early history of security by designThe early Multics operating system was notable for its early emphasis on computer security by design, and Multics was possibly the very first operating system to be designed as a secure system from the ground up. In spite of this, Multics security was broken, not once, but repeatedly. The strategy was known as penetrate and test and has become widely known as a non-terminating process that fails to produce computer security. This led to further work on computer security that prefigured modern security engineering techniques producing closed form processes that terminate.Secure codingIf the operating environment is not based on a secure operating system capable of maintaining a domain for its own execution, and capable of protecting application code from malicious subversion, and capable of protecting the system from subverted code, then high degrees of security are understandably not possible. While such secure operating systems are possible and have been implemented, most commercial systems fall in a low security category because they rely on features not supported by secure operating systems (like portability, et al.). In low security operating environments, applications must be relied on to participate in their own protection. There are best effort secure coding practices that can be followed to make an application more resistant to malicious subversion.In commercial environments, the majority of software subversion vulnerabilities result from a few known kinds of coding defects. Common software defects include buffer overflows, format string vulnerabilities, integer overflow, and code/command injection.Some common languages such as C and C+ are vulnerable to all of these defects (see Seacord, Secure Coding in C and C+). Other languages, such as Java, are more resistant to some of these defects, but are still prone to code/command injection and other software defects which facilitate subversion.Recently another bad coding practice has come under scrutiny:dangling pointers. The first known exploit for this particular problem was presented in July 2007. Before this publication the problem was known but considered to be academic and not practically exploitable.In summary, secure coding can provide significant payback in low security operating environments, and therefore worth the effort. Still there is no known way to provide a reliable degree of subversion resistance with any degree or combination of secure coding.中文翻译：计算机安全本文来自维基百科-自由的百科全书本文是通过设计和工程实践来阐述计算机安全。计算机安全是信息安全技术的一个分支，主要适用于计算机领域。安全政策所定义的作为计算机安全的体现，可以包括保护信息不被窃取或讹误，或有效存储。计算机安全的规定要求基于计算机上面而不同于大多数其他系统的要求，因为他们采取的形式往往是限制计算机不去支持这样做。这使得计算机安全的维持特别具有挑战性的，因为使计算机程序执行的所有的行为都属于在预先设计中的正确行为是很困难的。 此外，反面需要复杂的伪装，需要详尽的测试来满足认证，这对大多数计算机程序来讲是不切实际的。计算机安全提供了一种技术方案，把反面需求转化为积极的可执行的规则。因此，计算机安全相较于一些计算机科学领域往往是更多的偏向于技术和数学领域.典型增强计算机安全（在近似命令的强度）的方法包括以下内容：物理限制那些不会遵守安全条例的电脑访问。 通过硬件机制对计算机程序实施规则，从而避免根据计算机程序出现计算机安全问题。 通过操作系统的实现机制，对程序施加规则，以避免信任的计算机程序出现问题。 程序设计中的策略，使计算机程序是可靠的而且能够抵御破坏的。保护计算机和数据的硬件机制基于以及协助维持计算机安全的硬件为纯软件的计算机安全提供了一种替代。类似加密狗的设备被认为对物理访问的安全条例来讲是相当安全的。当许多软件的安全解决方案是通过对数据进行加密以防止数据被窃取时，一个恶意程序却可以通过损坏数据，以使这些数据无法被恢复或者无法被使用。基于硬件的安全解决方案可以保护读写的数据通道，因此具有能够抵抗干扰和破坏的强大的防御能力。安全的操作系统一个常用的保证计算机安全的参考实施方式是去运行一个安全的操作系统。用大多数的技术是基于20世纪80年代的科技发展成果来生产一些可能是当时最坚不可摧操作系统。 虽然现在仍然在使用，但是这些技术在今天所能实现的功能已经非常有限，主要是因为它对系统管理施加了太多变化，也因为它不再得到广泛理解。这种超强的安全作业系统是基于操作系统内核技术，可以保证一定的安全策略得到绝对的执行的作业环境。Bell-LaPadula模型就是这种计算机安全策略的一个例子。该策略是基于一个耦合的特殊微处理器的硬件特性，往往包含内存管理单元，以一个特别的修正器件来接入执行操作系统内核。这种形式的架构，对一个关键部件的设计和执行是正确的操作系统来说是安全的，可以保证绝对不会有的恶意入侵发生。此功能被启用，不只是因为这个配置方案是一项安全的策略，而且在理论上完全保护系统自身免受侵犯。普通的操作系统，在另一方面不具备足够的性能来保证最大程度的安全。这种生产安全系统的设计方法充分体现了精确，确定和逻辑。使用这种方法进行设计的系统代表了目前计算机安全技术的先进水平，虽然这种产品使用的这种安全策略并不是广为人知的。 在详细的对比了大多数种类的软件后，他们找到了大小、重量和能耗等规格符合规范的产品。操作系统设计成这样的安全主要为了保护国家信息安全，军事机密，以及国际金融机构的数据。这些非常强有力的安全工具和非常少量的安全操作系统已经被认证为最高级别（橙皮书A 1级 ），作为经营范围为“绝密”到“机密” 的组织（包括霍尼韦的SCOMP ，美国空军的SACDIN ，国安局的blacker和波音公司的MLS LAN）使用。安全的保证不仅取决于稳健的设计策略，而且取决于对正确执行的保证，因此，把安全程度的强度定义为COMPUSEC 。这个通用标准的安全强度量化包括两个组成部分，安全功能和保证水平（例如EAL水平），而且这些都要求在保护外形和产品说明中说明的。这些超高安全保证的通用操作系统没有一个在数十年轻的通用标准下得到认证。按照美国的说法，高级保障这个词通常意味着系统拥有着确实的安全功能，用来实施强有力的，足以保护美国国防部和能源部机密资料的功能。中级保障意味着它能够保护宝贵的资料较少，如个人所得税的信息。安全的操作系统被设计成能够满足中等程度的鲁棒性的安全功能和保证能够广泛地使用在政府和商业部门。中等偏上的系统可提供和高级安全操作系统相同程度的安全功能，但这样做只能保证在较低的水平（如通用标准水平EAL4或EAL5）。较低的层次意味着我们要少一些需求才能保证安全职能执行得完美无缺，因此并不是很可靠。这些系统被使用在Web服务器，防火墙，数据库服务器，以及管理主机，不仅要保护存储在这些系统中的数据，而且还要对网络连接和路由服务提供高水准的保护。安全架构安全体系架构可以被定义为人工的设计，用来描述安全控制(安全对抗措施)是怎样被安置的，以及他们是如何与整个信息技术架构相关联。这些控制符合需要维护的目标系统的功能特性,包括它们的可信任性，完整性，有效性以及责任和保障。简单的说，一个安全体系架构是一个显示哪里需要设置安全措施的计划。如果在计划描述和实施一个具体的解决办法之前，做一个风险分析报告。如果计划描述了一个高等级的设计(参考结构体系)那么计划应该基于这份威胁分析进行设计。安全设计计算机安全技术是基于逻辑的。没有通用的标准来概括什么是安全的行为。“安全”这个概念对每一个个体都是独特的。安全对于计算机的应用来讲是一个额外的功能，而不是附属于计算机的，因而安全需要强加制约于应用程序的行为上。以下是几种应用于运算的安全方案，有时采用几种相结合的方法是有效的：1.相信所有软件的存在都遵守安全策略，但软件不是可信(这是因为计算机是不可靠的)；2.相信所有软件遵守安全策略和软件被确认为可信(通过繁琐的分支和路径分析)