NIST SP800-28v2：Web浏览器安全与移动代码指南

需积分: 5 130 浏览量更新于2024-07-16 收藏 1003KB PDF 举报

"NIST SP800-28v2.pdf" 是一份由美国国家标准与技术研究所（NIST）发布的指南，旨在提供对当前活跃内容和移动代码技术的概述，帮助用户在应用和处理这些技术时做出明智的IT安全决策。这份文档重点关注桌面和笔记本电脑等终端用户系统的威胁、技术风险以及防护措施。尽管电子邮件客户端等各类终端用户应用也可能涉及活跃内容，但主要讨论焦点仍集中在Web浏览器上，因为它们是活跃内容的主要传递渠道。对于Web浏览器的准则同样适用于其他终端用户应用。本指南适用于那些希望增强现有和未来活跃内容安全性的组织，以减少相关的安全事件。它提出了适用于所有系统的通用原则，旨在减少活跃内容和移动代码带来的安全风险。尽管该文档全面涵盖了活跃内容和移动代码的安全问题，但它不包括以下几个方面： 1. **特定技术的详细配置**：本指南不会深入到特定软件或平台的详细配置步骤，而是提供一般性的最佳实践和策略。 2. **内部网络管理**：对于如何管理和保护内部网络免受活跃内容和移动代码攻击的具体方法，该指南可能没有涵盖。 3. **应用程序开发和测试**：虽然讨论了用户端应用的风险，但如何在开发过程中确保代码安全、进行安全测试等内容不在本指南的范围内。 4. **法律和合规性要求**：文件可能不涉及与活跃内容和移动代码相关的法规遵从性问题，如数据隐私法或行业特定标准。 5. **持续监控和响应**：如何实施持续的监控机制来检测和应对活跃内容威胁，以及建立应急响应流程，可能不在本指南的讨论之列。 6. **用户教育和意识**：尽管用户教育是防止安全事件的关键，但本指南可能不包含关于提高员工对活跃内容风险认识的详细策略。 7. **第三方服务和供应商风险管理**：如何评估和管理依赖于第三方服务或供应商的活跃内容风险可能未在指南中详细说明。 8. **新兴技术和趋势**：由于技术的快速发展，本指南可能不涵盖所有新兴的活跃内容和移动代码技术及其相关风险。 NIST SP800-28v2提供了对活跃内容和移动代码的基本理解，以及如何在组织层面实施基本的安全措施。它是一个重要的参考资源，可以帮助IT专业人员和管理者构建更安全的网络环境，但不应将其视为全面的安全解决方案，而应与其他专门针对上述未涵盖领域的资源结合使用。

GUIDELINES ON ACTIVE CONTENT AND MOBILE CODE

2. Background

The private and public sectors depend heavily upon IT systems to carry out essential, mission-critical

functions. As existing technology evolves and new technologies are introduced to provide new

capabilities and features, new vulnerabilities are often introduced as well. Organizations implementing

and using advanced technologies must be increasingly on guard.

One category of technologies that has emerged in recent years is active content. Although the term has

different connotations among individuals, it is used here in its broadest sense to refer to electronic

documents that contain embedded software components, which can carry out or trigger actions

automatically without an individual directly or knowingly invoking the actions. Examples of active

content documents are PDF

documents; Web pages conveying or linking to mobile code such as

JavaScript, VBScript, Java applets, and ActiveX controls; desktop application files containing macros;

and Hypertext Markup Language (HTML) encoded email bearing executable content or attachments.

Taken to its extreme, active content becomes, in effect, a delivery mechanism for mobile code. The

purpose of this document is to provide an overview of active content, its technological underpinnings, and

suitable security measures, so that organizations understand the associated security risks and can make

informed IT security decisions on their applications.

Being able to download files and electronic documents off the Internet is a useful function and a common

practice for many people today. Web pages serve as an electronic counterpart to paper documents such as

forms, brochures, magazines, and newspapers. Although paper documents come in different shapes and

sizes, they are composed entirely of text and graphics. Web pages can entail active content capable of

delivering digitally encoded multimedia information or even an interactive experience enabled by

embedded computer instructions.

Active content involves a host of technologies such as built-in macro processing, scripting languages, and

virtual machines, which blur the distinctions between code and data. Electronic documents have evolved

to the point that they are themselves programs or contain programs that can be self-triggered. Loading a

document into a word processor can produce the same effect as executing a program and requires that

appropriate caution is taken.

The popularity of the Internet has particularly spurred the trend toward active content. A dynamic

weather map, a stock ticker, and live camera views or programmed broadcasts appearing on a Web page

are common examples of use of this technology. Web sites are also increasingly adopting technologies,

such as Asynchronous JavaScript and XML (AJAX) and Adobe Flash, through which partial page update

transactions with remote Web servers or Web services can occur dynamically in the background—

providing a richer, more responsive interface for users than a complete page reload [

Mcl05]. Capabilities

for Web access have also spread from desktop and laptop computers to portable handheld devices, such as

cell phones and personal digital assistants (PDA), and Internet appliances. Like any technology, active

content can provide a useful capability for legitimate purposes, but can also become a source of

vulnerabilities for an attacker to exploit. A significant share of today’s malware involves active content.

Many Web sites offer electronic documents that act in much the same way as paper documents—allowing

users to access and view content, follow references to other documents, and furnish information by filling

in forms. That is, Web pages delivered from Web servers to individuals via Web browsers impart an

inherent document metaphor [

Ven99]. The value of this metaphor is that people are familiar with

While this document discusses certain manufacturers’ products and standards, it is not intended to imply recommendation or

endorsement by NIST, nor is it intended to imply that the products and standards identified are necessarily the best

available.

2-1

GUIDELINES ON ACTIVE CONTENT AND MOBILE CODE

handling paper documents and can quickly adapt to using electronic facsimiles appearing within Web

pages, since they understand the basic operations. One drawback is that the document metaphor is

generally considered non-threatening and can lull the user into a false sense of security. Moreover,

strictly observing the document metaphor somewhat limits the way in which Web-based applications

function. In particular, non-textual content does not lend itself to paper document style handling. For

example, streaming or continuous delivery media, such as a live radio transmission or voice

communication, can transpire only as it occurs in real time.

Increasingly, Web sites are offering interfaces that move beyond the document metaphor towards general-

purpose vehicles to provision electronic services. In particular, many Web sites are relying on user-

generated content, including social networking, photo and video sharing, bookmarking, and knowledge-

sharing. These sites are becoming increasingly popular, with many organizations deploying one or more

knowledge-sharing Web site sites for internal or external users. In August 2007, a video sharing site was

the fourth most visited page on the Web, while social networking sites were the sixth, seventh, eighth, and

ninth most visited.

These Web sites are more interactive than previous Web pages, allowing users—both

legitimate and malicious—to modify or add to existing content. This situation imparts more challenges to

organizations that must secure their computer systems against potential threats associated with user-

generated content (see Section 3 for more information about threats). Where historically the flow of

information on the Web was from Web sites to the user, the advent of user-generated content allows

information to flow freely in both directions—making it more difficult for organizations to control what

information leaves or enters networked systems.

A wide variety of active content implementations are available for Web sites to deploy, including PDF,

JavaScript, Java, ActiveX, and other technologies which are discussed in Section 4. Each active content

implementation may require a different interpreter on a user’s computer (i.e., installed as a browser

component), further complicating the security configuration for organizations. Because each interpreter

may be supplied by a different manufacturer, users have the responsibility to track the installed browser

components and update them whenever a vulnerability is discovered. The lack of a centralized

configuration management system may lead to vulnerable unpatched systems. Similarly, new versions of

active content implementations may alter how the interpreter presents active content. It is not uncommon

for patches to active content components to be incompatible with the active content generated by an

organization’s Web sites, requiring organizations to choose from one of two potentially costly

alternatives: continue using incompatible and possibly vulnerable browser components, or update the

Web site.

While active content introduces a number of security risks into organizations’ computer systems, it is

often impractical for security policies to prohibit the use of active content. Many commercial off-the-

shelf (COTS) Web applications rely on active content—and many legitimate external Web sites, from

news aggregators to online banking and research databases, also use it. As such, many organizations

choose to examine and mitigate the risks associated with active content rather than simply disallowing

active content.

The Top Sites in English from Alexa is available at http://www.alexa.com/site/ds/top_sites?ts_mode=lang&lang=en.

2-2

GUIDELINES ON ACTIVE CONTENT AND MOBILE CODE

Language Interpretation—Code versus Data: At one time, the security risks associated

with the use of computers were relatively straightforward. Instructions were distinct from the

data on which they operated, and some hardware could even distinguish internally between

instructions and data (e.g., using separate memory banks). Over the years, the situation

changed; tools emerged to facilitate application development in higher-level languages in lieu

of machine languages, generic applications appeared, hardware processing speeds increased

dramatically, and, in many situations, the divide between code and data completely vanished.

One example of the merging of code and data is a script. Scripts are data files or portions of

data files that will be processed by an interpreter or a just-in-time (JIT) compiler. An interpreter

processes commands from a script and executes those commands directly. Without a script,

such commands would be supplied by a source file and converted into object code (i.e., native

machine instructions) by a compiler—preserving the separation of code and data. Many

scripting languages are intended to be embedded in data, using reserved characters or

keywords (e.g., "<” and “if” in JavaScript) to distinguish instructions from data. Interpretive

languages range from lists of simple macro-type commands to complete programming

languages. Rather than execute commands directly, a JIT compiler will compile the

commands into machine code. By caching the commands and their associated machine

code, a JIT compiler can greatly improve the performance of an interpreted language.

With the arrival of the Web came the desire to make static pages more dynamic by using

interpreters throughout the system architecture. Today, most data files contain instructions

that aid in the presentation or use of the data. Interpreters are ubiquitous: spreadsheet

formulas, database query languages, word processing macros, and script interpreters are not

only embedded in Web browsers and servers, but also are used as standalone development

tools to forge applications from existing program components.

While these technology improvements facilitate computer use, they also can involve serious

risks, which are often not readily apparent. Many of these risks are associated with passing

disguised commands (e.g., using special characters) or unexpected commands to an

interpreter. A program that uses an interpreter to process unfiltered user-supplied information

may be fed a string containing special characters that appears to be legitimate data, but will

instead be treated as a parameter for or extension of an intended command, or as a new

unintended command sequence. Injecting commands into a vulnerable application for

execution is known as a command injection attack. For instance, many web pages take user

input directly to compose a SQL database query; through specially crafted input, exploit code

can be inserted, resulting in a SQL injection attack. Some applications use multiple

interpreters in tandem, passing the output of one directly into another, which further

compounds the problem, since a harmful operation may be brought about and executed

unobtrusively along the way.

2.1 Browser Anatomy

Browser is the generic term used to refer to software that lets individuals view pages from various

sources, including Web servers on the Internet, which make up the World Wide Web. Firefox and

Internet Explorer are two popular Web browsers that aid in navigating text, graphics, hyperlinks, audio,

video, and other multimedia information and services on the Web. Although Web browsers support a

number of protocols, such as the File Transfer Protocol [

FTP], they rely mainly on a simple, request-

response communications protocol, HTTP [

HTTP], for Web access. The browser requests information

from a specific Web site by sending a method request to the Web server conveying the Universal

Resource Identifier (URI) of the desired resource (e.g., the Uniform Resource Locator (URL) of a Web

page), client information, and content handling capabilities. Appendix A contains a brief summary of the

2-3

剩余61页未读，继续阅读

艾米的爸爸

粉丝: 791
资源: 314

NIST SP800-28v2：Web浏览器安全与移动代码指南

NIST SP800-153.pdf

NIST SP800-177r1.pdf

NIST SP800-175B.pdf

NIST SP800-45v2.pdf

NIST SP800-44v2.pdf

NIST SP800-28.pdf

NIST SP800-171.pdf

NIST SP800-107.pdf

NIST SP800-147.pdf

NIST SP800-14.pdf

最新资源