Design and Implementation of a Distributed Vulnerability Assessment System
Abstract
Advances in computing technology have profoundly affected people's lives, and a wide variety of computing systems has been introduced into production systems. On the one hand, progress in computing technology has raised social productivity; on the other hand, the fragility of computing technology itself exposes production systems to threats. Vulnerabilities in computing systems are frequently exploited by attackers, with consequences for the production systems that contain them. Introducing a vulnerability assessment system into a production system mitigates these consequences to a degree and consolidates the production system's security.
     Vulnerability disclosures grow faster than patches are released, and technical capability is unevenly distributed among security tool vendors; both facts mean that vendors need broader cooperation and mutual understanding. Yet inconsistent technical standards among vendors prevent them from understanding and consuming one another's security data, which makes vulnerability assessment increasingly complex and hinders rapid remediation. In addition, computing networks that differ in scale, configuration and performance place different demands on vulnerability assessment, while a single-structure assessment technique either requires high computing cost or consumes additional network resources, affects the computing network, and cannot adapt to many kinds of network.
     In light of these facts, and in order to reduce computing cost, save network overhead and shorten the window between vulnerability discovery and patch application, this thesis, after studying the theory and techniques of vulnerability assessment, designs and initially implements a layered, multi-server, mixed-structure distributed vulnerability assessment system.
     The system 1) uses a multi-server structure to divide client workload among servers; 2) uses a layered structure to manage those servers centrally; 3) supports several vulnerability assessment techniques, so that a suitable one can be chosen according to the operating state of the computing network; 4) uses a plugin architecture to improve extensibility, so that new vulnerabilities can be assessed by adding plugins; 5) uses mature techniques such as NASL scripts for network-based vulnerability assessment; 6) adopts international standards such as CPE, CVE and OVAL to improve interoperability between security tools; 7) provides a friendly web-based human-machine interface through which operators can browse/discover hosts and add/remove assessment tasks.
     The implementation shows that the design has strong scalability and high practical value, helps to even out differences in technical capability among security tool vendors, shortens the window between vulnerability discovery and patch application, and strengthens the security of production systems.
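As an added illustration (not code from the thesis or the system it describes), the following Python models the layered, multi-server, plugin-based design that points 1) to 6) describe: a coordinator tier splits hosts across scan servers, each server runs plugins that declare the CPE names they apply to and the CVE they check, and the assessment method (network-based or host-based) is chosen from the network's load. Every host address, CPE name, CVE identifier (the CVE-0000-000x values), plugin name and the 0.7 load threshold is a constructed placeholder; only the CPE 2.2 URI layout (cpe:/part:vendor:product:version) is real.

```python
"""Toy model of a layered, multi-server, plugin-based vulnerability assessment
system (added example; every host, CPE, CVE id and plugin below is constructed)."""
from dataclasses import dataclass
from typing import Callable


# --- CPE handling: CPE 2.2 URI form cpe:/<part>:<vendor>:<product>:<version> ---
@dataclass(frozen=True)
class Cpe:
    part: str
    vendor: str
    product: str
    version: str


def parse_cpe(uri: str) -> Cpe:
    """Parse a CPE 2.2 URI; omitted trailing components are treated as '*' (any)."""
    if not uri.startswith("cpe:/"):
        raise ValueError(f"not a CPE 2.2 URI: {uri!r}")
    fields = uri[len("cpe:/"):].split(":")
    fields += ["*"] * (4 - len(fields))
    return Cpe(*fields[:4])


def cpe_matches(pattern: Cpe, target: Cpe) -> bool:
    """'*' in the pattern matches any value; every other component must be equal."""
    pairs = zip((pattern.part, pattern.vendor, pattern.product, pattern.version),
                (target.part, target.vendor, target.product, target.version))
    return all(p == "*" or p == t for p, t in pairs)


# --- Plugins declare the CPE they apply to, the CVE they check and the methods
#     they can run under; adding a plugin adds a new check without touching the core ---
@dataclass
class Plugin:
    name: str
    cve: str                           # placeholder id, e.g. CVE-0000-0001
    applies_to: Cpe                    # CPE pattern, may contain '*'
    methods: list                      # "network-based" and/or "host-based"
    check: Callable[[dict], bool]      # runs against facts gathered from the host


@dataclass
class Host:
    address: str
    inventory: list    # discovered products, named with CPE
    facts: dict        # data the chosen assessment method collected


@dataclass
class Finding:
    host: str
    cve: str
    plugin: str
    method: str


def select_method(net_load: float, agent_available: bool) -> str:
    """Host-based checks run on the target and cost no scan traffic, so they are
    preferred once the network is busy (0.7 is a constructed threshold); network-based
    scanning is the default because it needs nothing installed on the target."""
    if agent_available and net_load > 0.7:
        return "host-based"
    return "network-based"


class ScanServer:
    """Second tier: runs every applicable plugin against one host."""
    def __init__(self, name: str, plugins: list):
        self.name, self.plugins = name, plugins

    def assess(self, host: Host, method: str) -> list:
        findings = []
        for plugin in self.plugins:
            if method not in plugin.methods:
                continue   # plugin cannot run under the method chosen for this host
            if any(cpe_matches(plugin.applies_to, c) for c in host.inventory) \
                    and plugin.check(host.facts):
                findings.append(Finding(host.address, plugin.cve, plugin.name, method))
        return findings


class Coordinator:
    """Top tier: splits the hosts across scan servers and aggregates their results."""
    def __init__(self, servers: list):
        self.servers = servers

    def run(self, hosts: list, net_load: float, agent_hosts: set) -> list:
        results = []
        for i, host in enumerate(hosts):
            server = self.servers[i % len(self.servers)]   # round-robin workload split
            method = select_method(net_load, host.address in agent_hosts)
            results.extend(server.assess(host, method))
        return results


def demo() -> list:
    """Constructed scenario: two scan servers, three hosts, two plugins."""
    plugins = [
        Plugin("httpd_old_version", "CVE-0000-0001", parse_cpe("cpe:/a:example:httpd"),
               ["network-based", "host-based"],
               lambda f: f.get("httpd_version") in {"2.4.0", "2.4.1"}),
        Plugin("nos_setuid_perms", "CVE-0000-0002", parse_cpe("cpe:/o:example:nos:1.0"),
               ["host-based"],                      # needs local file-system access
               lambda f: bool(f.get("setuid_bin_writable"))),
    ]
    servers = [ScanServer("scan-a", plugins), ScanServer("scan-b", plugins)]
    hosts = [
        Host("10.0.0.1", [parse_cpe("cpe:/a:example:httpd:2.4.1")], {"httpd_version": "2.4.1"}),
        Host("10.0.0.2", [parse_cpe("cpe:/o:example:nos:1.0"), parse_cpe("cpe:/a:example:httpd:2.4.5")],
             {"httpd_version": "2.4.5", "setuid_bin_writable": True}),
        Host("10.0.0.3", [parse_cpe("cpe:/a:other:db:5.0")], {}),
    ]
    # Busy network, and only 10.0.0.2 has an agent installed.
    return Coordinator(servers).run(hosts, net_load=0.9, agent_hosts={"10.0.0.2"})


if __name__ == "__main__":
    for f in demo():
        print(f"{f.host}: {f.cve} via {f.plugin} ({f.method})")
```

In the scenario, the busy network sends the agent-equipped host down the host-based path, which is the only way the file-permission plugin can run, while the agentless host is still covered by the network-based check; tagging each finding with a CVE id and matching plugins by CPE pattern is what lets results be exchanged with other tools that speak the same standards.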