Found 20 similar articles (search time: 187 ms)
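Large-scale attacks on industrial control systems (ICS) pose a major threat to critical infrastructure that bears on the national economy and people's livelihood, such as power generation, transmission and distribution, petrochemicals, and water treatment and transport. The ransomware worms proposed so far for ICS are constrained by the isolation of industrial control networks and are difficult to spread at scale. Based on observed real-world ICS development scenarios, and addressing the high degree of isolation of ICS, a ransomware worm threat model based on a new attack path is proposed. The threat model first takes the engineering workstation as the initial infection target, then uses the engineering workstation as a pivot to attack the industrial control devices on the internal network, and finally achieves worm-style infection and ransom. Based on this threat model, ICSGhost, a ransomware worm prototype, is implemented. In a closed experimental environment, ICSGhost can infect an ICS in a worm-like manner along the preset attack path; defenses against this ransomware worm threat are also discussed. The experimental results show that this threat is real and that, because its propagation path is based on real-world ICS development scenarios, it is hard to detect and prevent.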

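The security of trusted execution environments (TEEs) has long attracted the attention of researchers at home and abroad. Memory tagging techniques can be used to implement finer-grained memory isolation and access control mechanisms in a TEE, but existing schemes often rely on testing or empirical analysis to show their effectiveness and lack rigorous guarantees of correctness and security. A general formal model framework is proposed for access control implemented with memory tags, together with a model-checking-based method for analyzing access control security. First, formal methods are used to build a general model framework for memory-tag-based TEE access control, giving formal definitions of the access control entities; the rules defined include access control rules and tag update rules. Then the abstract machine model of the framework is designed and implemented incrementally in the formal language B, with the model's basic properties described formally through invariant constraints. Next, taking TIMBER-V, a concrete TEE implementation, as an application example, the TIMBER-V access control model is built by instantiating the abstract machine model, security property specifications are added, and model checking is used to verify the functional correctness and security of the model. Finally, concrete attack scenarios are simulated and attack detection is implemented; the evaluation results show that the proposed security analysis method is effective.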

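Elliptic curve cryptography (ECC) is widely used in portable cryptographic devices. Although ECC offers a high security level, its implementations on cryptographic devices are highly susceptible to differential side-channel attacks (DSCA). Existing work defends against DSCA by adding redundant operations to ECC, which reduces its efficiency and thus hampers its use in cryptographic devices with constrained computing resources. Based on isomorphic mapping theory, an elliptic curve equivalent transformation model is established and a secure method of protecting ECC against DSCA is designed that adds almost no computational overhead to ECC. The security evaluation shows that the method can defend against DSCA.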

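By introducing identity authentication methods based on secret information and those based on physical security, and by studying authorization techniques based on the RBAC (role-based access control) model, this paper explores how to build a more secure network.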

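The rapid development of quantum computing poses a great challenge to the security of traditional cryptography. The polynomial-time algorithms for integer factorization and discrete logarithm computation in the quantum computing model, proposed by Peter Shor, threaten cryptosystems based on traditional number-theoretic hard problems. The U.S. National Institute of Standards and Technology (NIST) began soliciting post-quantum public-key cryptographic algorithm standards in 2016; most of the submissions are based on four kinds of cryptosystems: lattice-based, hash-based, code-based and multivariate-based. Lattice-based cryptosystems strike a better balance among public key size, computational efficiency and security, and account for the largest share. However, implementations of lattice-based cryptography are vulnerable to power analysis attacks in real environments. Power analysis attacks exploit information such as power consumption and electromagnetic emanations produced while a cryptographic device runs: the attacker establishes a relationship between this side-channel information and intermediate values of the cryptographic algorithm in order to recover sensitive information such as keys. Since their emergence, such attacks have seriously threatened the security of cryptosystems. With the development of quantum computing, the security of post-quantum cryptography has increasingly become a hot topic in cryptographic research; in particular, NIST recently announced the latest round of post-quantum cryptographic algorithms, and the side-channel security of lattice-based cryptography, which accounts for the largest share, has also received wide attention from academia. This paper studies power analysis attack techniques against lattice-based cryptography in terms of attack models, attack targets and attack conditions, and analyzes the attack principles for lattice-based cryptography, the side-channel security of each operator of lattice-based cryptography, ...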

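In network security, only by better understanding attacks can one master defensive techniques. This paper focuses on the programmable logic controller (PLC), the industrial control device closest to the industrial production equipment in an industrial control system. No longer confined to the traditional "host computer-PLC-cascaded device" attack pattern, it combines a PLC worm with a PLC proxy to realize a more adaptable "PLC-PLC-cascaded device" attack pattern, achieving a complete attack chain that originates from a PLC exposed in a directly accessible environment and can subject all PLCs in the internal network to attack; different attack forms are added to this chain and an attack model is finally built. Simulation experiments in a purpose-built environment show that the attack model can change the operating state of the industrial control system and threatens its safe operation. Finally, targeted protection recommendations are given for this attack pattern.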

王超  陈性元  熊厚仁  曾光 《计算机工程与设计》2012,33(8):2911-2914,2925
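To address the quantitative analysis of access control models, a security quantification method based on security entropy is proposed. Drawing on information theory, the concept of security entropy is introduced and model security is defined in terms of it. The method is applied to quantitatively analyze classic security models such as BLP, verifying its practicality and pointing out the shortcomings of the access control model and the BLP model in protecting against unauthorized indirect access. The experimental results show that the method is suitable for measuring the security of access control models and for evaluating a system's access control capability.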

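ARM TrustZone technology has been widely adopted on Android phone platforms. It divides the hardware resources of an Android phone into two worlds, the Non-Secure World and the Secure World. The Android operating system used by the user runs in the Non-Secure World, while systems that use TrustZone to monitor the Non-Secure World (for example, KNOX and Hypervision) run in the Secure World. These monitoring systems have high privileges: they can dynamically check the integrity of the Android kernel and can also manage Non-Secure World memory in place of the Android kernel. However, because TrustZone and the monitored Android system reside in different worlds, the world gap prevents a monitoring system in the Secure World from fully monitoring Non-Secure World resources (for example, the cache). TrustZone's weak interception capability and memory access control capability also weaken its ability to monitor the Non-Secure World. This work proposes, for the first time, an extensible framework system, HTrustZone, which combines a hypervisor to help TrustZone resist attacks that exploit the world gap and to strengthen its interception and memory access control capabilities, thereby providing stronger security guarantees for the operating system in the Non-Secure World. A prototype of HTrustZone is implemented on a Raspberry Pi2 development board; the experimental results show that HTrustZone increases the performance overhead by only about 3%.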

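A new efficient host monitoring and audit system   Total citations: 1, self-citations: 1, citations by others: 0
A host monitoring system is a security system aimed at preventing insider attacks. It combines technical measures such as cryptography, access control and audit trails to protect the storage, transmission and processing of data, and can improve the internal security of a system.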

《Computer Communications》2007,30(1):117-121
Remote user authentication based on passwords over untrusted networks is the conventional method of authentication in the Internet and mobile communication environments. Typical secure remote user access solutions rely on pre-established secure cryptographic keys, public-key infrastructure, or secure hardware. Recently, Peyravian and Jeffries proposed password-based protocols for remote user authentication, password change, and session key establishment over insecure networks without requiring any additional private- or public-key infrastructure. In this paper we point out security flaws of Peyravian–Jeffries’s protocols against off-line password guessing attacks and Denial-of-Service attacks.

This paper deals with the access control problem. We assume that valuable resources need to be protected against unauthorized users and that, to this aim, a password-based access control scheme is employed. Such an abstract scenario captures many applicative settings. The issue we focus our attention on is the following: password-based schemes provide a certain level of security as long as users choose good passwords, i.e., passwords that are hard to guess in a reasonable amount of time. In order to force the users to make good choices, a proactive password checker can be implemented as a submodule of the access control scheme. Such a checker, any time the user chooses/changes his own password, decides on the fly whether to accept or refuse the new password, depending on its guessability. Hence, the question is: how can we get an effective and efficient proactive password checker? By means of neural networks and statistical techniques, we answer the above question, developing suitable proactive password checkers. Through a series of experiments, we show that these checkers have very good performance: error rates are comparable to those of the best existing checkers, implemented on different principles and by using other methodologies, and the memory requirements are better in several cases. It is the first time that neural network technology has been fully and successfully applied to designing proactive password checkers.

Programmable logic controllers (PLCs) play a critical role in many industrial control systems, yet face increasingly serious cyber threats. In this paper, we propose a novel PLC-compatible software-based defense mechanism, called Heterogeneous Redundant Proactive Defense Framework (HRPDF). We propose a heterogeneous PLC architecture in HRPDF, including multiple heterogeneous, equivalent, and synchronous runtimes, which can thwart multiple types of attacks against PLC without the need of external devices. To ensure the availability of PLC, we also design an inter-process communication algorithm that minimizes the overhead of HRPDF. We implement a prototype system of HRPDF and test it in a real-world PLC and an OpenPLC-based device, respectively. The results show that HRPDF can defend against multiple types of attacks with 10.22% additional CPU and 5.56% additional memory overhead, and about 0.6 ms additional time overhead.

张倩颖  赵世军 《软件学报》2020,31(10):3120-3146
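Computing devices process and store an ever-growing amount of sensitive information, such as passwords and fingerprints, which places higher demands on security. Advances in physical attack techniques have given rise to a method of obtaining operating system secrets by attacking board-level hardware components: board-level physical attacks. Such attacks require simple tools, are low in cost and are easy to turn into a routine procedure, so they are readily exploited by attackers to form an underground industry, and they are a new security threat and challenge for operating systems. Extending the processor with a memory encryption engine can resist such attacks, but most computing devices today are not equipped with this hardware security mechanism. Academia and industry have proposed operating system defense techniques that resist board-level physical attacks in software, and these techniques have become a research hotspot in recent years. This paper analyzes the research progress of these techniques in depth, summarizes their strengths and weaknesses, and discusses their development trends. First, the definition, threat model and real-world examples of board-level physical attacks are introduced. Next, the basic techniques on which the software-based operating system defenses against board-level physical attacks rely are introduced. Then, the research progress of these defenses is classified and summarized according to their scope of protection. Finally, the strengths and weaknesses of these defenses are analyzed, suggestions for engineering implementation are given, and future research trends are discussed.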

Physical access control is an indispensable component of a critical infrastructure. Traditional password-based methods for access control used in the critical infrastructure security systems have limitations. With the advance of new biometric recognition technologies, security control for critical infrastructures can be improved by the use of biometrics. In this paper, we propose an enhanced cancelable biometric system, which contains two layers, a core layer and an expendable layer, to provide reliable access control for critical infrastructures. The core layer applies random projection-based non-invertible transformation to the fingerprint feature set, so as to provide template protection and revocability. The expendable layer is used to protect the transformation key, which is the main weakness contributing to attacks via record multiplicity. This improvement enhances the overall system security, and undoubtedly, this extra security is an advantage over the existing cancelable biometric systems.

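In the single-server environment of the mobile Internet, traditional identity authentication schemes suffer from security problems such as users having to remember a different password for each server and password leakage in traditional authentication. To solve these problems, this article proposes an SM9-based identity authentication scheme for the single-server mobile Internet environment. For different application systems, a user only needs to remember a single identifier and password to pass identity authentication in each of them, thereby obtaining application services and access to ...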

Most password-based user authentication systems place total trust on the authentication server where cleartext passwords or easily derived password verification data are stored in a central database. Such systems are, thus, by no means resilient against offline dictionary attacks initiated at the server side. Compromise of the authentication server by either outsiders or insiders subjects all user passwords to exposure and may have serious legal and financial repercussions to an organization. Recently, several multiserver password systems were proposed to circumvent the single point of vulnerability inherent in the single-server architecture. However, these multiserver systems are difficult to deploy and operate in practice since either a user has to communicate simultaneously with multiple servers or the protocols are quite expensive. In this paper, we present a practical password-based user authentication and key exchange system employing a novel two-server architecture. Our system has a number of appealing features. In our system, only a front-end service server engages directly with users while a control server stays behind the scene; therefore, it can be directly applied to strengthen existing single-server password systems. In addition, the system is secure against offline dictionary attacks mounted by either of the two servers.

马钧  佘军 《计算机与现代化》2014,(2):205-208,234
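When the industrial control system of a petrochemical enterprise is networked with other information systems connected to the Internet, it may be attacked from external networks. To achieve secure data exchange between a petrochemical enterprise's industrial control system and other networks, this paper proposes a design that uses a non-network structure for one-way transmission; it describes the principle of one-way data transmission and the security policies adopted, and tests the security of the non-network connection. The test results show that the non-network connection scheme can effectively prevent attacks on the industrial control system by hackers, trojans, viruses and the like from external networks, and protects the safe operation of the petrochemical enterprise's industrial control system.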

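This paper analyzes the security requirements of industrial control systems and the typical threats and forms of attack, and explains the differences between industrial control system information security and traditional IT information security. It analyzes existing approaches to control system information security and, with reference to the SP800-82 guide to industrial control system (ICS) security, introduces the main measures for protecting control system networks. It summarizes current research trends, including the design of secure communication protocols and secure controllers.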

Industrial control systems (ICSs) are widely used in critical infrastructures, making them popular targets for attacks to cause catastrophic physical damage. As one of the most critical components in ICSs, the programmable logic controller (PLC) controls the actuators directly. A PLC executing a malicious program can cause significant property loss or even casualties. The number of attacks targeted at PLCs has increased noticeably over the last few years, exposing the vulnerability of the PLC and the importance of PLC protection. Unfortunately, PLCs cannot be protected by traditional intrusion detection systems or antivirus software. Thus, an effective method for PLC protection is yet to be designed. Motivated by these concerns, we propose a non-invasive power-based anomaly detection scheme for PLCs. The basic idea is to detect malicious software execution in a PLC through analyzing its power consumption, which is measured by inserting a shunt resistor in series with the CPU in a PLC while it is executing instructions. To analyze the power measurements, we extract a discriminative feature set from the power trace, and then train a long short-term memory (LSTM) neural network with the features of normal samples to predict the next time step of a normal sample. Finally, an abnormal sample is identified through comparing the predicted sample and the actual sample. The advantages of our method are that it requires no software modification on the original system and is able to detect unknown attacks effectively. The method is evaluated on a lab testbed, and for a trojan attack whose difference from the normal program is around 0.63%, the detection accuracy reaches 99.83%.
