2019-03-17 10:53:20 +00:00
<!DOCTYPE html>
< html class = "theme-next muse use-motion" lang = "zh-Hans" >
< head > < meta name = "generator" content = "Hexo 3.8.0" >
< meta charset = "UTF-8" >
< meta http-equiv = "X-UA-Compatible" content = "IE=edge" >
< meta name = "viewport" content = "width=device-width, initial-scale=1, maximum-scale=1" >
< meta name = "theme-color" content = "#222" >
< meta http-equiv = "Cache-Control" content = "no-transform" >
< meta http-equiv = "Cache-Control" content = "no-siteapp" >
< link href = "/lib/fancybox/source/jquery.fancybox.css?v=2.1.5" rel = "stylesheet" type = "text/css" >
< link href = "/lib/font-awesome/css/font-awesome.min.css?v=4.6.2" rel = "stylesheet" type = "text/css" >
< link href = "/css/main.css?v=5.1.4" rel = "stylesheet" type = "text/css" >
< link rel = "apple-touch-icon" sizes = "180x180" href = "/images/apple-touch-icon-next.png?v=5.1.4" >
< link rel = "icon" type = "image/png" sizes = "32x32" href = "/images/favicon-32x32-next.png?v=5.1.4" >
< link rel = "icon" type = "image/png" sizes = "16x16" href = "/images/favicon-16x16-next.png?v=5.1.4" >
< link rel = "mask-icon" href = "/images/logo.svg?v=5.1.4" color = "#222" >
< meta name = "keywords" content = "Hexo, NexT" >
< meta property = "og:type" content = "website" >
< meta property = "og:title" content = "混元霹雳手" >
< meta property = "og:url" content = "https://cool-y.github.io/index.html" >
< meta property = "og:site_name" content = "混元霹雳手" >
< meta property = "og:locale" content = "zh-Hans" >
< meta name = "twitter:card" content = "summary" >
< meta name = "twitter:title" content = "混元霹雳手" >
< script type = "text/javascript" id = "hexo.configurations" >
var NexT = window.NexT || {};
var CONFIG = {
root: '/',
scheme: 'Muse',
version: '5.1.4',
sidebar: {"position":"left","display":"post","offset":12,"b2t":false,"scrollpercent":false,"onmobile":false},
fancybox: true,
tabs: true,
motion: {"enable":true,"async":false,"transition":{"post_block":"fadeIn","post_header":"slideDownIn","post_body":"slideDownIn","coll_header":"slideLeftIn","sidebar":"slideUpIn"}},
duoshuo: {
userId: '0',
author: '博主'
},
algolia: {
applicationID: '',
apiKey: '',
indexName: '',
hits: {"per_page":10},
labels: {"input_placeholder":"Search for Posts","hits_empty":"We didn't find any results for the search: ${query}","hits_stats":"${hits} results found in ${time} ms"}
}
};
< / script >
< link rel = "canonical" href = "https://cool-y.github.io/" >
< title > 混元霹雳手< / title >
< / head >
< body itemscope itemtype = "http://schema.org/WebPage" lang = "zh-Hans" >
< div class = "container sidebar-position-left
page-home">
< div class = "headband" > < / div >
< header id = "header" class = "header" itemscope itemtype = "http://schema.org/WPHeader" >
< div class = "header-inner" > < div class = "site-brand-wrapper" >
< div class = "site-meta " >
< div class = "custom-logo-site-title" >
< a href = "/" class = "brand" rel = "start" >
< span class = "logo-line-before" > < i > < / i > < / span >
< span class = "site-title" > 混元霹雳手< / span >
< span class = "logo-line-after" > < i > < / i > < / span >
< / a >
< / div >
< p class = "site-subtitle" > < / p >
< / div >
< div class = "site-nav-toggle" >
< button >
< span class = "btn-bar" > < / span >
< span class = "btn-bar" > < / span >
< span class = "btn-bar" > < / span >
< / button >
< / div >
< / div >
< nav class = "site-nav" >
< ul id = "menu" class = "menu" >
< li class = "menu-item menu-item-home" >
< a href = "/" rel = "section" >
< i class = "menu-item-icon fa fa-fw fa-home" > < / i > < br >
首页
< / a >
< / li >
2019-03-17 10:58:24 +00:00
< li class = "menu-item menu-item-about" >
2019-03-17 12:57:39 +00:00
< a href = "/about/" rel = "section" >
2019-03-17 10:58:24 +00:00
2019-03-22 09:26:45 +00:00
< i class = "menu-item-icon fa fa-fw fa-user" > < / i > < br >
2019-03-17 10:58:24 +00:00
关于
< / a >
< / li >
2019-03-17 10:53:20 +00:00
< li class = "menu-item menu-item-tags" >
2019-03-17 12:57:39 +00:00
< a href = "/tags/" rel = "section" >
2019-03-17 10:53:20 +00:00
2019-03-17 12:56:42 +00:00
< i class = "menu-item-icon fa fa-fw fa-tags" > < / i > < br >
2019-03-17 10:53:20 +00:00
标签
< / a >
< / li >
< li class = "menu-item menu-item-categories" >
2019-03-17 12:57:39 +00:00
< a href = "/categories/" rel = "section" >
2019-03-17 10:53:20 +00:00
2019-03-22 09:26:45 +00:00
< i class = "menu-item-icon fa fa-fw fa-th" > < / i > < br >
2019-03-17 10:53:20 +00:00
分类
< / a >
< / li >
< li class = "menu-item menu-item-archives" >
< a href = "/archives/" rel = "section" >
< i class = "menu-item-icon fa fa-fw fa-archive" > < / i > < br >
归档
< / a >
< / li >
2019-03-22 09:26:45 +00:00
< li class = "menu-item menu-item-schedule" >
< a href = "/schedule/" rel = "section" >
< i class = "menu-item-icon fa fa-fw fa-calendar" > < / i > < br >
日程表
< / a >
< / li >
< li class = "menu-item menu-item-sitemap" >
< a href = "/sitemap.xml" rel = "section" >
< i class = "menu-item-icon fa fa-fw fa-sitemap" > < / i > < br >
站点地图
< / a >
< / li >
2019-03-17 10:53:20 +00:00
< / ul >
< / nav >
< / div >
< / header >
< main id = "main" class = "main" >
< div class = "main-inner" >
< div class = "content-wrap" >
< div id = "content" class = "content" >
< section id = "posts" class = "posts-expand" >
< article class = "post post-type-normal" itemscope itemtype = "http://schema.org/Article" >
< div class = "post-block" >
< link itemprop = "mainEntityOfPage" href = "https://cool-y.github.io/2019/03/16/qq数据库的加密解密/" >
< span hidden itemprop = "author" itemscope itemtype = "http://schema.org/Person" >
< meta itemprop = "name" content = "Cool-Y" >
< meta itemprop = "description" content >
< meta itemprop = "image" content = "/images/avatar.gif" >
< / span >
< span hidden itemprop = "publisher" itemscope itemtype = "http://schema.org/Organization" >
< meta itemprop = "name" content = "混元霹雳手" >
< / span >
< header class = "post-header" >
< h1 class = "post-title" itemprop = "name headline" >
< a class = "post-title-link" href = "/2019/03/16/qq数据库的加密解密/" itemprop = "url" > qq数据库的加密与解密< / a > < / h1 >
< div class = "post-meta" >
< span class = "post-time" >
< span class = "post-meta-item-icon" >
< i class = "fa fa-calendar-o" > < / i >
< / span >
< span class = "post-meta-item-text" > 发表于< / span >
< time title = "创建于" itemprop = "dateCreated datePublished" datetime = "2019-03-16T18:35:27+08:00" >
2019-03-16
< / time >
< / span >
< / div >
< / header >
< div class = "post-body" itemprop = "articleBody" >
< h1 id = "qq数据库采用简单加密——异或加密" > < a href = "#qq数据库采用简单加密——异或加密" class = "headerlink" title = "qq数据库采用简单加密——异或加密" > < / a > qq数据库采用简单加密——异或加密< / h1 > < h2 id = "数据获取:" > < a href = "#数据获取:" class = "headerlink" title = "数据获取:" > < / a > 数据获取:< / h2 > < p > DENGTA_META.xml—IMEI:867179032952446< br > databases/2685371834.db——数据库文件< / p >
< h2 id = "解密方式:" > < a href = "#解密方式:" class = "headerlink" title = "解密方式:" > < / a > 解密方式:< / h2 > < p > 明文msg_t 密文msg_Data key: < br > msg_t = msg_Data[i]^IMEI[i%15]< / p >
< p > 实验:< br > < figure class = "highlight plain" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < span class = "line" > 3< / span > < br > < span class = "line" > 4< / span > < br > < span class = "line" > 5< / span > < br > < span class = "line" > 6< / span > < br > < span class = "line" > 7< / span > < br > < span class = "line" > 8< / span > < br > < span class = "line" > 9< / span > < br > < span class = "line" > 10< / span > < br > < span class = "line" > 11< / span > < br > < span class = "line" > 12< / span > < br > < span class = "line" > 13< / span > < br > < span class = "line" > 14< / span > < br > < span class = "line" > 15< / span > < br > < span class = "line" > 16< / span > < br > < span class = "line" > 17< / span > < br > < span class = "line" > 18< / span > < br > < span class = "line" > 19< / span > < br > < span class = "line" > 20< / span > < br > < span class = "line" > 21< / span > < br > < span class = "line" > 22< / span > < br > < span class = "line" > 23< / span > < br > < span class = "line" > 24< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > import sqlite3< / span > < br > < span class = "line" > < / span > < br > < span class = "line" > IMEI = ' 867179032952446' < / span > < br > < span class = "line" > conn = sqlite3.connect(' 2685371834.db' )< / span > < br > < span class = "line" > c = conn.cursor()< / span > < br > < span class = "line" > < / span > < br > < span class = "line" > def _decrypt(foo):< / span > < br > < span class = "line" > substr = ' ' < / span > < br > < span class = "line" > #print(len(foo))< / span > < br > < span class = "line" > for i in range(0,len(foo)):< / span > < br > < span class = "line" > substr += chr(ord(foo[i]) ^ ord(IMEI[i%15]))< / span > < br > < span class = "line" > return substr< / span > < br > < span class = "line" > < / span > < br > < span class = "line" > #rem = c.execute(" SELECT uin, remark, name FROM Friends" )< / span > < br > < span class = "line" > Msg = c.execute(" SELECT msgData, senderuin, time FROM mr_friend_0FC9764CD248C8100C82A089152FB98B_New" )< / span > < br > < span class = "line" > < / span > < br > < span class = "line" > for msg in Msg:< / span > < br > < span class = "line" > uid = _decrypt(msg[1])< / span > < br > < span class = "line" > print(" \n" +uid+" :" )< / span > < br > < span class = "line" > try:< / span > < br > < span class = "line" > msgData = _decrypt(msg[0]).decode(' utf-8' )< / span > < br > < span class = "line" > print(msgData)< / span > < br > < span class = "line" > except:< / span > < br > < span class = "line" > pass< / span > < br > < / pre > < / td > < / tr > < / table > < / figure > < / p >
< h2 id = "结果" > < a href = "#结果" class = "headerlink" title = "结果" > < / a > 结果< / h2 > < p > < img src = "https://res.cloudinary.com/dozyfkbg3/image/upload/v1552728077/qq.png" alt > < / p >
< / div >
< footer class = "post-footer" >
< div class = "post-eof" > < / div >
< / footer >
< / div >
< / article >
< article class = "post post-type-normal" itemscope itemtype = "http://schema.org/Article" >
< div class = "post-block" >
< link itemprop = "mainEntityOfPage" href = "https://cool-y.github.io/2019/03/16/BIBA访问控制模型实现(python)/" >
< span hidden itemprop = "author" itemscope itemtype = "http://schema.org/Person" >
< meta itemprop = "name" content = "Cool-Y" >
< meta itemprop = "description" content >
< meta itemprop = "image" content = "/images/avatar.gif" >
< / span >
< span hidden itemprop = "publisher" itemscope itemtype = "http://schema.org/Organization" >
< meta itemprop = "name" content = "混元霹雳手" >
< / span >
< header class = "post-header" >
< h1 class = "post-title" itemprop = "name headline" >
< a class = "post-title-link" href = "/2019/03/16/BIBA访问控制模型实现(python)/" itemprop = "url" > 利用python实现BIBA模型< / a > < / h1 >
< div class = "post-meta" >
< span class = "post-time" >
< span class = "post-meta-item-icon" >
< i class = "fa fa-calendar-o" > < / i >
< / span >
< span class = "post-meta-item-text" > 发表于< / span >
< time title = "创建于" itemprop = "dateCreated datePublished" datetime = "2019-03-16T15:35:27+08:00" >
2019-03-16
< / time >
< / span >
< / div >
< / header >
< div class = "post-body" itemprop = "articleBody" >
< h1 id = "基于python语言的BIBA模型图形界面实现" > < a href = "#基于python语言的BIBA模型图形界面实现" class = "headerlink" title = "基于python语言的BIBA模型图形界面实现" > < / a > 基于python语言的BIBA模型图形界面实现< / h1 > < h2 id = "一、实验目的:" > < a href = "#一、实验目的:" class = "headerlink" title = "一、实验目的:" > < / a > 一、实验目的:< / h2 > < ol >
< li > < strong > 查阅资料, < / strong > < / li >
< li > < strong > 通过编程实现基于biba模型的完整性访问控制, < / strong > < / li >
< li > < strong > 使用python语言实现, < / strong > < / li >
< / ol >
< hr >
< h2 id = "二、实验环境:" > < a href = "#二、实验环境:" class = "headerlink" title = "二、实验环境:" > < / a > 二、实验环境:< / h2 > < ul >
< li > 操作系统: < / li >
< li > 工具版本: , < / li >
< / ul >
< hr >
< h2 id = "三、实验原理:" > < a href = "#三、实验原理:" class = "headerlink" title = "三、实验原理:" > < / a > 三、实验原理:< / h2 > < h4 id = "1-什么是安全模型" > < a href = "#1-什么是安全模型" class = "headerlink" title = "1. 什么是安全模型" > < / a > 1. 什么是安全模型< / h4 > < ul >
< li > 系统的元素 < blockquote >
< p > 具有行为能力的主体< br > 不具有行为能力的客体< / p >
< / blockquote >
< / li >
< li > 系统的操作行为< blockquote >
< p > 可以执行的命令:读、写、执行< / p >
< / blockquote >
< / li >
< li > 对系统行为的约束方式< blockquote >
< p > 对行为的控制策略< / p >
< / blockquote >
< / li >
< li > 模型从抽象层次规定了系统行为和约束行为的方式< / li >
< li > 模型往往用状态来表示< blockquote >
< p > 系统行为所依赖的环境< br > 行为对系统产生的效果< / p >
< / blockquote >
< h4 id = "2-biba完整性模型: > < a href = "#2-biba完整性模型: class = "headerlink" title = "2. biba完整性模型: > < / a > 2. biba完整性模型: < / h4 > < ul >
< li > 完整性威胁问题< blockquote >
< p > 完整性的威胁就是一个子系统在初始时刻认为不正常的修改行为;< br > 来源:内部& 外部;< br > 类型:直接& 间接< / p >
< / blockquote >
< / li >
< / ul >
< / li >
< / ul >
< table >
< thead >
< tr >
< th > 外部的直接< / th >
< th > 外部的间接< / th >
< th > 内部的直接< / th >
< th > 内部的间接< / th >
< / tr >
< / thead >
< tbody >
< tr >
< td > 外部系统恶意地篡改另一个系统的数据或程序< / td >
< td > 一个外部系统插入恶意的子程序< / td >
< td > 修改自己的代码< / td >
< td > 修改自己的指针< / td >
< / tr >
< / tbody >
< / table >
< ul >
< li > biba模型的完整性定义< blockquote >
< p > 完整性级别高的实体对完整性低的实体具有完全的支配性,反之如果一个实体对另一个实体具有完全的控制权,说明前者完整性级别更高,这里的实体既可以是主体也可以是客体。< br > 完整性级别和可信度有密切的关系,完整级别越高,意味着可信度越高。< / p >
< / blockquote >
< / li >
< li > biba模型的规则 < / li >
< / ul >
< ul >
< li style = "list-style: none" > < input type = "checkbox" > 对于写和执行操作,有如下规则:< blockquote >
< p > < strong > 写规则控制< / strong > < br > 当且仅当主体S的完整性级别大于或等于客体O的完整性级别时, < strong > 上写< / strong > 。< br > < strong > 执行操作控制< / strong > < br > 当且仅当主体S2的完整性级别高于或等于S1,主体S1可以执行主体S2。 < / p >
< / blockquote >
< / li >
< li style = "list-style: none" > < input type = "checkbox" > 关于读操作,有不同的控制策略:< blockquote >
< p > < strong > 低水标模型< / strong > < br > 任意主体可以读任意完整性级别的客体,但是如果主体读完整性级别比自己低的客体时,主体的完整性级别将为客体完整性级别,否则,主体的完整性级别保持不变。< br > < strong > 环模型< / strong > < br > 不管完整性级别如何,任何主体都可以读任何客体< br > < strong > 严格完整性模型< / strong > < br > 这个模型对读操作是根据主客体的完整性级别严格控制的,即只有完整性级别低或相等的主体才可以读完整性级别高的客体,称为< strong > 下读< / strong > < / p >
< / blockquote >
< / li >
< / ul >
< p > < strong > 一般都是指毕巴严格完整性模型,总结来说是上写、下读< / strong > < / p >
< hr >
< h2 id = "四、实验内容:" > < a href = "#四、实验内容:" class = "headerlink" title = "四、实验内容:" > < / a > 四、实验内容:< / h2 > < h3 id = "1-用户登录实现" > < a href = "#1-用户登录实现" class = "headerlink" title = "1. 用户登录实现" > < / a > 1. 用户登录实现< / h3 > < p > < strong > 核对用户输入的账户密码与存储的是否匹配< / strong > < / p >
< p > < img src = "https://github.com/Cool-Y/BIBA-model/blob/master/img/login.PNG" alt = "login" > < / p >
< ul >
< li > 从用户输入框获取账户和密码< / li >
< li > 检查输入信息是否合法(为空)< / li >
< li > 从password.txt中获取, < / li >
< li > 检查输入的账户是否存在< / li >
< li > 若存在,检查对应的密码是否正确< / li >
< li > < p > 若正确,判断是管理员还是普通用户,并跳转相应的界面< / p >
< figure class = "highlight python" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < span class = "line" > 3< / span > < br > < span class = "line" > 4< / span > < br > < span class = "line" > 5< / span > < br > < span class = "line" > 6< / span > < br > < span class = "line" > 7< / span > < br > < span class = "line" > 8< / span > < br > < span class = "line" > 9< / span > < br > < span class = "line" > 10< / span > < br > < span class = "line" > 11< / span > < br > < span class = "line" > 12< / span > < br > < span class = "line" > 13< / span > < br > < span class = "line" > 14< / span > < br > < span class = "line" > 15< / span > < br > < span class = "line" > 16< / span > < br > < span class = "line" > 17< / span > < br > < span class = "line" > 18< / span > < br > < span class = "line" > 19< / span > < br > < span class = "line" > 20< / span > < br > < span class = "line" > 21< / span > < br > < span class = "line" > 22< / span > < br > < span class = "line" > 23< / span > < br > < span class = "line" > 24< / span > < br > < span class = "line" > 25< / span > < br > < span class = "line" > 26< / span > < br > < span class = "line" > 27< / span > < br > < span class = "line" > 28< / span > < br > < span class = "line" > 29< / span > < br > < span class = "line" > 30< / span > < br > < span class = "line" > 31< / span > < br > < span class = "line" > 32< / span > < br > < span class = "line" > 33< / span > < br > < span class = "line" > 34< / span > < br > < span class = "line" > 35< / span > < br > < span class = "line" > 36< / span > < br > < span class = "line" > 37< / span > < br > < span class = "line" > 38< / span > < br > < span class = "line" > 39< / span > < br > < span class = "line" > 40< / span > < br > < span class = "line" > 41< / span > < br > < span class = "line" > 42< / span > < br > < span class = "line" > 43< / span > < br > < span class = "line" > 44< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > < span class = "function" > < span class = "keyword" > def< / span > < span class = "title" > checkPass< / span > < span class = "params" > (self)< / span > :< / span > < / span > < br > < span class = "line" > nameIn = self.lineEdit.text()< / span > < br > < span class = "line" > passwdIn = self.lineEdit_2.text()< / span > < br > < span class = "line" > md5 = hashlib.md5()< / span > < br > < span class = "line" > md5.update(passwdIn.encode(< span class = "string" > "utf-8"< / span > ))< / span > < br > < span class = "line" > passwdIn = md5.hexdigest()< / span > < br > < span class = "line" > < span class = "keyword" > if< / span > (nameIn == < span class = "string" > ''< / span > ) < span class = "keyword" > or< / span > (passwdIn == < span class = "string" > ''< / span > ):< / span > < br > < span class = "line" > QMessageBox.warning(self,< / span > < br > < span class = "line" > < span class = "string" > "警告"< / span > ,< / span > < br > < span class = "line" > < span class = "string" > "账号和密码不能为空"< / span > ,< / span > < br > < span class = "line" > QMessageBox.Yes)< / span > < br > < span class = "line" > self.lineEdit.setFocus()< / span > < br > < span class = "line" > print(nameIn, passwdIn)< / span > < br > < span class = "line" > fr = open(< span class = "string" > './etc/passwd.txt'< / span > )< / span > < br > < span class = "line" > arrayofLines = fr.readlines()< / span > < br > < span class = "line" > numberofLines = len(arrayofLines)< / span > < br > < span class = "line" > < span class = "keyword" > for< / span > line < span class = "keyword" > in< / span > arrayofLines:< / span > < br > < span class = "line" > line = line.strip()< / span > < br > < span class = "line" > listFromLine = line.split(< span class = "string" > ':'< / span > )< / span > < br > < span class = "line" > name = listFromLine[< span class = "number" > 0< / span > ]< / span > < br > < span class = "line" > < span class = "keyword" > if< / span > name == nameIn:< / span > < br > < span class = "line" > numberofLines = < span class = "number" > -1< / span > < / span > < br > < span class = "line" > passwd = listFromLine[< span class = "number" > 1< / span > ]< / span > < br > < span class = "line" > < span class = "keyword" > if< / span > passwd == passwdIn:< / span > < br > < span class = "line" > group = listFromLine[< span class = "number" > 2< / span > ]< / span > < br > < span class = "line" > print(< span class = "string" > "\n登录成功!\n"< / span > )< / span > < br > < span class = "line" > < span class = "keyword" > if< / span > name == < span class = "string" > 'root'< / span > :< / span > < br > < span class = "line" > print(< span class = "string" > 'root登录'< / span > )< / span > < br > < span class = "line" > rootUI.show()< / span > < br > < span class = "line" >
< / li >
< / ul >
< hr >
< h3 id = "2-管理员功能实现" > < a href = "#2-管理员功能实现" class = "headerlink" title = "2. 管理员功能实现" > < / a > 2. 管理员功能实现< / h3 > < p > < strong > 管理员可以对用户进行增、删、查的操作< / strong > < / p >
< p > < img src = "https://github.com/Cool-Y/BIBA-model/blob/master/img/rootUI.PNG" alt = "login" > < / p >
< h4 id = "增加用户的实现" > < a href = "#增加用户的实现" class = "headerlink" title = "增加用户的实现" > < / a > 增加用户的实现< / h4 > < blockquote >
< ul >
< li > 获取管理员输入的用户名、密码和用户等级< / li >
< li > 将明文密码转换为md5值< / li >
< li > 判断输入的账户是否已经存在以及是否为空< / li >
< li > 如果没有问题, < / li >
< / ul >
< / blockquote >
< figure class = "highlight python" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < span class = "line" > 3< / span > < br > < span class = "line" > 4< / span > < br > < span class = "line" > 5< / span > < br > < span class = "line" > 6< / span > < br > < span class = "line" > 7< / span > < br > < span class = "line" > 8< / span > < br > < span class = "line" > 9< / span > < br > < span class = "line" > 10< / span > < br > < span class = "line" > 11< / span > < br > < span class = "line" > 12< / span > < br > < span class = "line" > 13< / span > < br > < span class = "line" > 14< / span > < br > < span class = "line" > 15< / span > < br > < span class = "line" > 16< / span > < br > < span class = "line" > 17< / span > < br > < span class = "line" > 18< / span > < br > < span class = "line" > 19< / span > < br > < span class = "line" > 20< / span > < br > < span class = "line" > 21< / span > < br > < span class = "line" > 22< / span > < br > < span class = "line" > 23< / span > < br > < span class = "line" > 24< / span > < br > < span class = "line" > 25< / span > < br > < span class = "line" > 26< / span > < br > < span class = "line" > 27< / span > < br > < span class = "line" > 28< / span > < br > < span class = "line" > 29< / span > < br > < span class = "line" > 30< / span > < br > < span class = "line" > 31< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > < span class = "function" > < span class = "keyword" > def< / span > < span class = "title" > adduser< / span > < span class = "params" > (self)< / span > :< / span > < / span > < br > < span class = "line" > print(< span class = "string" > '开始添加'< / span > )< / span > < br > < span class = "line" > name = self.lineEdit_4.text()< / span > < br > < span class = "line" > passwd = self.lineEdit_6.text()< / span > < br > < span class = "line" > md5 = hashlib.md5()< / span > < br > < span class = "line" > md5.update(passwd.encode(< span class = "string" > "utf-8"< / span > ))< / span > < br > < span class = "line" > passwd = md5.hexdigest()< / span > < br > < span class = "line" > group = self.comboBox.currentText()< / span > < br > < span class = "line" > self.name = name< / span > < br > < span class = "line" > < span class = "keyword" > if< / span > self.euxit():< / span > < br > < span class = "line" > < span class = "keyword" > if< / span > name == < span class = "string" > ''< / span > < span class = "keyword" > or< / span > passwd == < span class = "string" > ''< / span > :< / span > < br > < span class = "line" > QMessageBox.warning(self,< / span > < br > < span class = "line" > < span class = "string" > "警告"< / span > ,< / span > < br > < span class = "line" > < span class = "string" > "账号和密码不能为空"< / span > ,< / span > < br > < span class = "line" > QMessageBox.Yes)< / span > < br > < span class = "line" > self.lineEdit.setFocus()< / span > < br > < span class = "line" > < span class = "keyword" > else< / span > :< / span > < br > < span class = "line" > cur_path = os.getcwd()< / span > < br > < span class = "line" > filename = cur_path + < span class = "string" > '/etc/passwd.txt'< / span > < / span > < br > < span class = "line" > fi = open(filename, < span class = "string" > 'r+'< / span > )< / span > < br > < span class = "line" > str = name + < span class = "string" > ':'< / span > + passwd + < span class = "string" > ':'< / span > + group + < span class = "string" > '\n'< / span > < / span > < br > < span class = "line" > print(< span class = "string" > '成功增加用户'< / span > + str + < span class = "string" > '\n'< / span > )< / span > < br > < span class = "line" > fi.seek(< span class = "number" > 0< / span > , < span class = "number" > 2< / span > )< / span > < br > < span class = "line" > fi.write(str)< / span > < br > < span class = "line" > fi.close()< / span > < br > < span class = "line" > < span class = "keyword" > else< / span > :< / span > < br > < span class = "line" > QMessageBox.warning(self,< / span > < br > < span class = "line" > < span class = "string" > "警告"< / span > ,< / span > < br > < span class = "line" > < span class = "string" > "用户已存在"< / span > ,< / span > < br > < span class = "line" > QMessageBox.Yes)< / span > < br > < span class = "line" > self.lineEdit.setFocus()< / span > < br > < / pre > < / td > < / tr > < / table > < / figure >
< h4 id = "查询已有用户的实现" > < a href = "#查询已有用户的实现" class = "headerlink" title = "查询已有用户的实现" > < / a > 查询已有用户的实现< / h4 > < blockquote >
< p > 从passwd.txt中逐行读出< / p >
< / blockquote >
< p > < img src = "https://github.com/Cool-Y/BIBA-model/blob/master/img/existUser.PNG" alt = "login" > < / p >
< figure class = "highlight python" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < span class = "line" > 3< / span > < br > < span class = "line" > 4< / span > < br > < span class = "line" > 5< / span > < br > < span class = "line" > 6< / span > < br > < span class = "line" > 7< / span > < br > < span class = "line" > 8< / span > < br > < span class = "line" > 9< / span > < br > < span class = "line" > 10< / span > < br > < span class = "line" > 11< / span > < br > < span class = "line" > 12< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > < span class = "function" > < span class = "keyword" > def< / span > < span class = "title" > readuser< / span > < span class = "params" > (self)< / span > :< / span > < / span > < br > < span class = "line" > print(< span class = "string" > 'readuser'< / span > )< / span > < br > < span class = "line" > cur_path = os.getcwd()< / span > < br > < span class = "line" > filename = cur_path + < span class = "string" > '/etc/passwd.txt'< / span > < / span > < br > < span class = "line" > fo = open(filename)< / span > < br > < span class = "line" > arrayofLines = fo.readlines()< / span > < br > < span class = "line" > names = < span class = "string" > ''< / span > < / span > < br > < span class = "line" > < span class = "keyword" > for< / span > line < span class = "keyword" > in< / span > arrayofLines:< / span > < br > < span class = "line" > line = line.strip()< / span > < br > < span class = "line" > listFromLine = line.split(< span class = "string" > ':'< / span > )< / span > < br > < span class = "line" > names = names + listFromLine[< span class = "number" > 0< / span > ] + < span class = "string" > '\n'< / span > < / span > < br > < span class = "line" > self.textEdit.setPlaceholderText(names)< / span > < br > < / pre > < / td > < / tr > < / table > < / figure >
< h4 id = "删除用户的实现" > < a href = "#删除用户的实现" class = "headerlink" title = "删除用户的实现" > < / a > 删除用户的实现< / h4 > < blockquote >
< p > 从passwd.txt中逐行读出用户名, , , < / p >
< / blockquote >
< figure class = "highlight python" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < span class = "line" > 3< / span > < br > < span class = "line" > 4< / span > < br > < span class = "line" > 5< / span > < br > < span class = "line" > 6< / span > < br > < span class = "line" > 7< / span > < br > < span class = "line" > 8< / span > < br > < span class = "line" > 9< / span > < br > < span class = "line" > 10< / span > < br > < span class = "line" > 11< / span > < br > < span class = "line" > 12< / span > < br > < span class = "line" > 13< / span > < br > < span class = "line" > 14< / span > < br > < span class = "line" > 15< / span > < br > < span class = "line" > 16< / span > < br > < span class = "line" > 17< / span > < br > < span class = "line" > 18< / span > < br > < span class = "line" > 19< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > < span class = "function" > < span class = "keyword" > def< / span > < span class = "title" > rmuser< / span > < span class = "params" > (self)< / span > :< / span > < / span > < br > < span class = "line" > print(< span class = "number" > 1< / span > )< / span > < br > < span class = "line" > cur_path = os.getcwd()< / span > < br > < span class = "line" > filename = cur_path + < span class = "string" > '/etc/passwd.txt'< / span > < / span > < br > < span class = "line" > rmName = self.lineEdit.text()< / span > < br > < span class = "line" > < span class = "keyword" > with< / span > open(filename, < span class = "string" > 'r'< / span > ,encoding=< span class = "string" > "utf-8"< / span > ) < span class = "keyword" > as< / span > r:< / span > < br > < span class = "line" > lines = r.readlines()< / span > < br > < span class = "line" > lenl = len(lines)< / span > < br > < span class = "line" > < span class = "keyword" > with< / span > open(filename, < span class = "string" > 'w'< / span > ,encoding=< span class = "string" > "utf-8"< / span > ) < span class = "keyword" > as< / span > w:< / span > < br > < span class = "line" > < span class = "keyword" > for< / span > line < span class = "keyword" > in< / span > lines:< / span > < br > < span class = "line" > l = line.strip()< / span > < br > < span class = "line" > listFromLine = l.split(< span class = "string" > ':'< / span > )< / span > < br > < span class = "line" > < span class = "keyword" > if< / span > rmName == listFromLine[< span class = "number" > 0< / span > ]:< / span > < br > < span class = "line" > print(< span class = "string" > '删除用户'< / span > + rmName)< / span > < br > < span class = "line" > < span class = "keyword" > continue< / span > < / span > < br > < span class = "line" > < span class = "keyword" > if< / span > line == < span class = "string" > '\n'< / span > :< / span > < br > < span class = "line" > print(< span class = "string" > 'find换行'< / span > )< / span > < br > < span class = "line" > line = < span class = "string" > ''< / span > < / span > < br > < span class = "line" > w.write(line)< / span > < br > < / pre > < / td > < / tr > < / table > < / figure >
< hr >
< h3 id = "3-普通用户功能实现" > < a href = "#3-普通用户功能实现" class = "headerlink" title = "3. 普通用户功能实现" > < / a > 3. 普通用户功能实现< / h3 > < p > < strong > 普通用户可以完成对合法权限文件的读取、增加内容(上写下读)以及创建文件的操作< / strong > < / p >
< p > < img src = "https://github.com/Cool-Y/BIBA-model/blob/master/img/normal.PNG" alt = "login" > < / p >
< h4 id = "读取文件内容" > < a href = "#读取文件内容" class = "headerlink" title = "读取文件内容" > < / a > 读取文件内容< / h4 > < blockquote >
< p > 双击文件名< br > 获取选中文件和当前用户的完整性级别< br > 如果用户的级别低于文件,则读取文件内容< / p >
< / blockquote >
< figure class = "highlight python" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < span class = "line" > 3< / span > < br > < span class = "line" > 4< / span > < br > < span class = "line" > 5< / span > < br > < span class = "line" > 6< / span > < br > < span class = "line" > 7< / span > < br > < span class = "line" > 8< / span > < br > < span class = "line" > 9< / span > < br > < span class = "line" > 10< / span > < br > < span class = "line" > 11< / span > < br > < span class = "line" > 12< / span > < br > < span class = "line" > 13< / span > < br > < span class = "line" > 14< / span > < br > < span class = "line" > 15< / span > < br > < span class = "line" > 16< / span > < br > < span class = "line" > 17< / span > < br > < span class = "line" > 18< / span > < br > < span class = "line" > 19< / span > < br > < span class = "line" > 20< / span > < br > < span class = "line" > 21< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > < span class = "function" > < span class = "keyword" > def< / span > < span class = "title" > readfile< / span > < span class = "params" > (self)< / span > :< / span > < / span > < br > < span class = "line" > dict = self.getGrade()< / span > < br > < span class = "line" > fgrade = str(dict[self.file_path])< / span > < br > < span class = "line" > ugrade = self.lineEdit_2.text()< / span > < br > < span class = "line" > < span class = "keyword" > if< / span > ugrade > = fgrade:< / span > < br > < span class = "line" > print(ugrade+ < span class = "string" > ' 正在读取 '< / span > +fgrade)< / span > < br > < span class = "line" > filename = self.file_path< / span > < br > < span class = "line" > print(filename)< / span > < br > < span class = "line" > fr = open(filename)< / span > < br > < span class = "line" > lines = < span class = "string" > ''< / span > < / span > < br > < span class = "line" > arrayofLines = fr.readlines()< / span > < br > < span class = "line" > < span class = "keyword" > for< / span > line < span class = "keyword" > in< / span > arrayofLines:< / span > < br > < span class = "line" > lines += line< / span > < br > < span class = "line" > self.textEdit.setText(lines)< / span > < br > < span class = "line" > print(< span class = "string" > '读取成功\n'< / span > )< / span > < br > < span class = "line" > < span class = "keyword" > else< / span > :< / span > < br > < span class = "line" > QMessageBox.warning(self,< / span > < br > < span class = "line" > < span class = "string" > "警告"< / span > ,< / span > < br > < span class = "line" > < span class = "string" > "您的用户等级太高"< / span > ,< / span > < br > < span class = "line" > QMessageBox.Yes)< / span > < br > < span class = "line" > self.lineEdit.setFocus()< / span > < br > < / pre > < / td > < / tr > < / table > < / figure >
< h4 id = "增加文件内容" > < a href = "#增加文件内容" class = "headerlink" title = "增加文件内容" > < / a > 增加文件内容< / h4 > < blockquote >
< p > 双击文件名< br > 获取选中文件和当前用户的完整性级别< br > 如果用户的级别高于文件,则写入文件内容< / p >
< / blockquote >
< figure class = "highlight python" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < span class = "line" > 3< / span > < br > < span class = "line" > 4< / span > < br > < span class = "line" > 5< / span > < br > < span class = "line" > 6< / span > < br > < span class = "line" > 7< / span > < br > < span class = "line" > 8< / span > < br > < span class = "line" > 9< / span > < br > < span class = "line" > 10< / span > < br > < span class = "line" > 11< / span > < br > < span class = "line" > 12< / span > < br > < span class = "line" > 13< / span > < br > < span class = "line" > 14< / span > < br > < span class = "line" > 15< / span > < br > < span class = "line" > 16< / span > < br > < span class = "line" > 17< / span > < br > < span class = "line" > 18< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > < span class = "function" > < span class = "keyword" > def< / span > < span class = "title" > writefile< / span > < span class = "params" > (self)< / span > :< / span > < / span > < br > < span class = "line" > dict = self.getGrade()< / span > < br > < span class = "line" > fgrade = dict[self.file_path]< / span > < br > < span class = "line" > ugrade = self.lineEdit_2.text()< / span > < br > < span class = "line" > print(ugrade + < span class = "string" > ' 正在写入 '< / span > + fgrade)< / span > < br > < span class = "line" > < span class = "keyword" > if< / span > ugrade < = fgrade:< / span > < br > < span class = "line" > filename = self.file_path< / span > < br > < span class = "line" > str = self.textEdit.toPlainText()< / span > < br > < span class = "line" > print(str)< / span > < br > < span class = "line" > fo = open(filename, < span class = "string" > 'r+'< / span > )< / span > < br > < span class = "line" > fo.seek(< span class = "number" > 0< / span > , < span class = "number" > 2< / span > )< / span > < br > < span class = "line" > fo.write(str)< / span > < br > < span class = "line" > < span class = "keyword" > else< / span > :< / span > < br > < span class = "line" > QMessageBox.warning(self,< / span > < br > < span class = "line" > < span class = "string" > "警告"< / span > ,< / span > < br > < span class = "line" > < span class = "string" > "您的用户等级太低"< / span > ,< / span > < br > < span class = "line" > QMessageBox.Yes)< / span > < br > < span class = "line" > self.lineEdit.setFocus()< / span > < br > < / pre > < / td > < / tr > < / table > < / figure >
< h4 id = "创建文件" > < a href = "#创建文件" class = "headerlink" title = "创建文件" > < / a > 创建文件< / h4 > < blockquote >
< p > 获取当前用户名和输入的文件名< br > 在当前路径下创建名为用户名的文件< br > 并对新创建的文件与用户等级建立字典, , < br > 这个字典方便读写时判断等级高低< / p >
< / blockquote >
< figure class = "highlight python" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < span class = "line" > 3< / span > < br > < span class = "line" > 4< / span > < br > < span class = "line" > 5< / span > < br > < span class = "line" > 6< / span > < br > < span class = "line" > 7< / span > < br > < span class = "line" > 8< / span > < br > < span class = "line" > 9< / span > < br > < span class = "line" > 10< / span > < br > < span class = "line" > 11< / span > < br > < span class = "line" > 12< / span > < br > < span class = "line" > 13< / span > < br > < span class = "line" > 14< / span > < br > < span class = "line" > 15< / span > < br > < span class = "line" > 16< / span > < br > < span class = "line" > 17< / span > < br > < span class = "line" > 18< / span > < br > < span class = "line" > 19< / span > < br > < span class = "line" > 20< / span > < br > < span class = "line" > 21< / span > < br > < span class = "line" > 22< / span > < br > < span class = "line" > 23< / span > < br > < span class = "line" > 24< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > < span class = "function" > < span class = "keyword" > def< / span > < span class = "title" > touchfile< / span > < span class = "params" > (self)< / span > :< / span > < / span > < br > < span class = "line" > urName = self.lineEdit.text()< / span > < br > < span class = "line" > filename = self.lineEdit_4.text()< / span > < br > < span class = "line" > cur_path = os.getcwd()< / span > < br > < span class = "line" > new_path = os.path.join(cur_path + < span class = "string" > '/file'< / span > , urName)< / span > < br > < span class = "line" > print(urName)< / span > < br > < span class = "line" > < span class = "keyword" > if< / span > os.path.exists(new_path) == < span class = "literal" > False< / span > :< / span > < br > < span class = "line" > os.mkdir(new_path)< / span > < br > < span class = "line" > os.chdir(new_path)< / span > < br > < span class = "line" > fr = open(filename, < span class = "string" > 'w'< / span > )< / span > < br > < span class = "line" > key = (new_path + < span class = "string" > '/'< / span > + filename).replace(< span class = "string" > '\\'< / span > , < span class = "string" > '/'< / span > )< / span > < br > < span class = "line" > fr.close()< / span > < br > < span class = "line" > os.chdir(cur_path)< / span > < br > < span class = "line" > fa = open(< span class = "string" > './etc/ac.txt'< / span > , < span class = "string" > 'r'< / span > )< / span > < br > < span class = "line" > a = fa.read()< / span > < br > < span class = "line" > < span class = "keyword" > if< / span > a == < span class = "string" > ''< / span > :< / span > < br > < span class = "line" > dict = { } < / span > < br > < span class = "line" > < span class = "keyword" > else< / span > :< / span > < br > < span class = "line" > dict = eval(a)< / span > < br > < span class = "line" > dict[key] = self.lineEdit_2.text()< / span > < br > < span class = "line" > fr = open(< span class = "string" > './etc/ac.txt'< / span > , < span class = "string" > 'w'< / span > )< / span > < br > < span class = "line" > fr.write(str(dict))< / span > < br > < span class = "line" > fr.close()< / span > < br > < span class = "line" > fa.close()< / span > < br > < / pre > < / td > < / tr > < / table > < / figure >
< hr >
< h2 id = "五、心得体会:" > < a href = "#五、心得体会:" class = "headerlink" title = "五、心得体会:" > < / a > 五、心得体会:< / h2 > < h2 id = "六、改进部分:" > < a href = "#六、改进部分:" class = "headerlink" title = "六、改进部分:" > < / a > 六、改进部分:< / h2 >
< / div >
< footer class = "post-footer" >
< div class = "post-eof" > < / div >
< / footer >
< / div >
< / article >
< article class = "post post-type-normal" itemscope itemtype = "http://schema.org/Article" >
< div class = "post-block" >
< link itemprop = "mainEntityOfPage" href = "https://cool-y.github.io/2019/03/16/wwifi半双工侧信道攻击学习笔记/" >
< span hidden itemprop = "author" itemscope itemtype = "http://schema.org/Person" >
< meta itemprop = "name" content = "Cool-Y" >
< meta itemprop = "description" content >
< meta itemprop = "image" content = "/images/avatar.gif" >
< / span >
< span hidden itemprop = "publisher" itemscope itemtype = "http://schema.org/Organization" >
< meta itemprop = "name" content = "混元霹雳手" >
< / span >
< header class = "post-header" >
< h1 class = "post-title" itemprop = "name headline" >
< a class = "post-title-link" href = "/2019/03/16/wwifi半双工侧信道攻击学习笔记/" itemprop = "url" > wifi半双工侧信道攻击学习笔记< / a > < / h1 >
< div class = "post-meta" >
< span class = "post-time" >
< span class = "post-meta-item-icon" >
< i class = "fa fa-calendar-o" > < / i >
< / span >
< span class = "post-meta-item-text" > 发表于< / span >
< time title = "创建于" itemprop = "dateCreated datePublished" datetime = "2019-03-16T15:35:27+08:00" >
2019-03-16
< / time >
< / span >
< / div >
< / header >
< div class = "post-body" itemprop = "articleBody" >
< h1 id = "TCP侧信道分析及利用的学习报告" > < a href = "#TCP侧信道分析及利用的学习报告" class = "headerlink" title = "TCP侧信道分析及利用的学习报告" > < / a > TCP侧信道分析及利用的学习报告< / h1 > < h2 id = "背景知识" > < a href = "#背景知识" class = "headerlink" title = "背景知识" > < / a > 背景知识< / h2 > < h3 id = "测信道" > < a href = "#测信道" class = "headerlink" title = "测信道" > < / a > 测信道< / h3 > < p > < strong > 香农信息论< / strong > < / p >
< p > < img src = "./1.png" alt = "信息熵" > < / p >
< p > < strong > 什么是信息?< / strong > 用来减少随机不确定的东西< / p >
< p > < strong > 什么是加密?< / strong > 类似于加噪声,增加随机不确定性< / p >
< blockquote >
< p > “从密码分析者来看,一个保密系统几乎就是一个通信系统。待传的消息是统计事件,加密所用的密钥按概率选出,加密结果为密报,这是分析者可以利用的,类似于受扰信号。”< / p >
< / blockquote >
< p > < strong > 侧信道随之出现< / strong > 越过加密算法增加的随机不定性,从其他的渠道获取数据标签,确定信息内容。< / p >
< ol >
< li > 早期:采集加密电子设备在运行过程中的时间消耗、功率消耗或者电磁辐射消耗等边缘信息的差异性< / li >
< li > 而随着研究的深入, < / li >
< li > 并在Web应用交互信息传递越来越频繁时, < / li >
< / ol >
< p > < strong > 侧信道攻击的流程< / strong > 第一个就是侧信道泄露的截取,第二个是信息的恢复。< / p >
< hr >
< h3 id = "网络攻击" > < a href = "#网络攻击" class = "headerlink" title = "网络攻击" > < / a > 网络攻击< / h3 > < ol >
< li > 中间人攻击< blockquote >
< p > “指攻击者与通讯的两端分别创建独立的联系,并交换其所收到的数据,使通讯的两端认为他们正在通过一个私密的连接与对方直接对话,但事实上整个会话都被攻击者完全控制。”< / p >
< / blockquote >
< / li >
< / ol >
< p > < img src = "./2-Man_in_the_middle_attack.svg.png" alt > < / p >
< ul >
< li > 公共wifi、路由器劫持< / li >
< li > 一般使用加密来防御< / li >
< li > 加密的代价:维护密钥证书、影响功能(运营商无法做缓存)< / li >
< / ul >
< ol start = "2" >
< li > 非中间人攻击/偏离路径攻击/off-path attack< blockquote >
< p > 通信线路之外,攻击者看不到双方的消息,没办法截获和发送通信包。智能伪造成一方给另一方发消息。< / p >
< / blockquote >
< / li >
< / ol >
< ul >
< li > 攻击成功需要:消息合法+最先到达< / li >
< li > 防御措施: < br > 双方在通信前交换一个随机数,这个随机数在每次的通信中都要被附带,而中间人看不见这个随机数,因此伪造的消息被认为不合法。< / li >
< li > 攻击者如何得到这个随机数:侧信道< / li >
< / ul >
< hr >
< h3 id = "TCP三次握手" > < a href = "#TCP三次握手" class = "headerlink" title = "TCP三次握手" > < / a > TCP三次握手< / h3 > < p > < img src = "./3-Connection_TCP.png" alt > < / p >
< blockquote >
< ol >
< li > 客户端通过向服务器端发送一个SYN来创建一个主动打开, < em > 随机数A< / em > 。< / li >
< li > 服务器端应当为一个合法的SYN回送一个SYN/ACK。ACK的确认码应为A+1, < em > 随机产生的序号B< / em > 。< / li >
< li > 最后, , , , < / li >
< / ol >
< / blockquote >
< p > 通过三次握手,确定对方不是非中间人< / p >
< p > < strong > < em > TCP序列号的问题< / em > < / strong > < / p >
< table >
< thead >
< tr >
< th style = "text-align:center" > 1985< / th >
< th style = "text-align:center" > 1995< / th >
< th style = "text-align:center" > 2001< / th >
< th style = "text-align:center" > 2004< / th >
< th style = "text-align:center" > 2007< / th >
< th style = "text-align:center" > 2012< / th >
< th style = "text-align:center" > 2012< / th >
< th style = "text-align:center" > 2016< / th >
< / tr >
< / thead >
< tbody >
< tr >
< td style = "text-align:center" > Morris< / td >
< td style = "text-align:center" > Mitnik< / td >
< td style = "text-align:center" > Zalewsky< / td >
< td style = "text-align:center" > Waston< / td >
< td style = "text-align:center" > kLM< / td >
< td style = "text-align:center" > Herzberg< / td >
< td style = "text-align:center" > 作者< / td >
< td style = "text-align:center" > 作者< / td >
< / tr >
< tr >
< td style = "text-align:center" > 初始序列可预测< / td >
< td style = "text-align:center" > 真实利用< / td >
< td style = "text-align:center" > 漏洞仍在< / td >
< td style = "text-align:center" > BGP DoS< / td >
< td style = "text-align:center" > Windows攻击< / td >
< td style = "text-align:center" > Puppet-assisted< / td >
< td style = "text-align:center" > Malware-assisted< / td >
< td style = "text-align:center" > off-path attack< / td >
< / tr >
< / tbody >
< / table >
< ol >
< li > 90年代时发现并不随机: < / li >
< li > 2007年在windows场景下用IDID侧信道猜出序列号: , < / li >
< / ol >
< hr >
< h2 id = "Malware-assisted" > < a href = "#Malware-assisted" class = "headerlink" title = "Malware-assisted" > < / a > Malware-assisted< / h2 > < p > < strong > 攻击模型:< / strong > < br > 给受害者安装一个无特权的应用程序( ) , , < br > < img src = "./5-攻击模型.PNG" alt > < / p >
< p > < strong > 如何劫持TCP< / strong > < / p >
< ol >
< li > < p > 需要的信息: , , < br > 使用netstat命令获取: < br > < img src = "./4-netstat获取信息.jpg" alt > < / p >
< / li >
< li > < p > 任务: , < / p >
< / li >
< li > 如何验证序列号正确:通过某种侧信道,这个恶意软件在后台可以提供反馈。< / li >
< / ol >
< h3 id = "变种一:防火墙" > < a href = "#变种一:防火墙" class = "headerlink" title = "变种一:防火墙" > < / a > 变种一:防火墙< / h3 > < p > < strong > 攻击过程:< / strong > TCP三次握手之后产生A和B, , , , , < / p >
< p > < strong > 具体侧信道方案:< / strong > CPU资源使用率( ) > TCP计数器( ) > 低噪音计数器:包被丢掉时,一个相应的错误计数器。< / p >
< p > < strong > 解决方法:< / strong > 关闭防火墙检查序列号的功能< / p >
< h3 id = "变种二:无防火墙" > < a href = "#变种二:无防火墙" class = "headerlink" title = "变种二:无防火墙" > < / a > 变种二:无防火墙< / h3 > < p > 具体侧信道方案: , < br > 影响范围: < / p >
< hr >
< h2 id = "Pure-off-path-无恶意软件协助" > < a href = "#Pure-off-path-无恶意软件协助" class = "headerlink" title = "Pure off-path:无恶意软件协助" > < / a > Pure off-path:无恶意软件协助< / h2 > < blockquote >
< p > 不植入恶意软件, : , < / p >
< / blockquote >
< h3 id = "Global-Rate-Limit" > < a href = "#Global-Rate-Limit" class = "headerlink" title = "Global Rate Limit" > < / a > Global Rate Limit< / h3 > < blockquote >
< p > USENIX 2016 : Off-Path TCP Exploits: Global Rate Limit Considered Dangerous< / p >
< / blockquote >
< p > < strong > 侧信道:< / strong > 所有的侧信道, , < strong > < em > 服务器上< / em > < / strong > 的共享资源,< strong > < em > 限速器< / em > < / strong > ( ) ( ) < / p >
< p > < strong > 如何利用共享限速器:< / strong > < br > 先判断是否建立了连接。然后伪造TCP包, , , , , ( ) ; , < / p >
< p > < img src = "./6-GRL-R.png" alt > < / p >
< p > < img src = "./7-GRL-L.png" alt > < / p >
< p > < strong > 评估:< / strong > 是否建立了连接:< 10s ; Seq: ; < 10s< / p >
< p > < strong > 解决方案:< / strong > 1. 加噪音, ; < / p >
< hr >
< h3 id = "Unfixable-WiFi-timing" > < a href = "#Unfixable-WiFi-timing" class = "headerlink" title = "Unfixable WiFi timing" > < / a > Unfixable WiFi timing< / h3 > < blockquote >
< p > USENIX 2018 : Off-Path TCP Exploit: How Wireless Routers< br > Can Jeopardize Your Secrets< br > 之前的漏洞无论是计数器还是限速器都属于软件,很好更正,但这篇文章的漏洞利用无法修复。< / p >
< / blockquote >
< p > < strong > TCP收包的原理: < / strong > 通常TCP收包要看这个包是否匹配了当前的某一个连接。如果连接匹配上了, ; , , ; , , , < br > < img src = "./8-收包原理.jpg" alt > < / p >
< p > < strong > 侧信道:< / strong > 攻击者伪装成服务器给客户端发包,正确的序列号会有< strong > < em > 回复< / em > < / strong > ,错误则没有。但回复时发送给服务器的,有没有回复攻击者并不知道。那么如何去判断有没有回复,利用无线网络的 < strong > < em > 半双工< / em > < / strong > 传输。< br > 让有回包和没有回包的时间差异放大。< / p >
< p > < strong > 判断流程:< / strong > 客户端和路由器之间wifi通信。攻击者依次发送三个数据包, , , , , < br > < img src = "./8-noTrigger.PNG" alt > < / p >
< p > < img src = "./8-trigger.PNG" alt > < / p >
< p > < strong > 评估:< / strong > 在本地环境下, , < / p >
< p > < strong > 攻击应用:< / strong > < br > < strong > 1. 攻击模型:< / strong > 受害者访问了我们的钓鱼网站, ( ) , ( ) , < / p >
< blockquote >
< p > 与理想情况的不同: ; < / p >
< / blockquote >
< pre > < code > Attacker -------wire----------|
Router ---------wireless-------Victim (client)
Server -------wire----------|
< / code > < / pre > < p > < strong > 2. 攻击目标:< / strong > 推断出客户端和服务器是否建立了连接; ; ( ) , , , < / p >
< p > < strong > 3. 攻击过程:< / strong > 假设傀儡已经建立了连接, ( ) , , , , , , , < / p >
< p > < strong > 4. 细节:< / strong > < / p >
< ul >
< li > < strong > 连接(四元组)推断:< / strong > 每一轮使用30个重复包测试一个端口, , < strong > < em > web缓存投毒< / em > < / strong > ,还需要傀儡初始化连接来协助,根据系统不同,有不同的端口选择算法可以优化:< strong > < em > windows& macOS< / em > < / strong > 使用全局和顺序端口分配策略为其TCP连接选择短暂的端口号, , < strong > < em > NAT< / em > < / strong > 端口保留,不需要关心外部端口被转换成不可预知的内部端口。< strong > < em > 来自同一域名的多个IP地址< / em > < / strong > ,这意味着攻击者需要付出更大的代价来推断端口号。< / li >
< li > < strong > 序列号推断:< / strong > 通过利用时序侧信道来判断是否存在相应的响应,从而将窗口序列号与窗外序列号区分开来。一旦我们得到一个 < strong > < em > 窗口内序列号< / em > < / strong > ,通过进行二分搜索进一步将序列号空间缩小到单个值 < strong > < em > RCV.NXT< / em > < / strong > 。如果还要使用傀儡建立的连接发起web缓存投毒, : < strong > < em > 增大接收窗口的大小< / em > < / strong > , , , < br > < img src = "./9-序列号推断.PNG" alt > < / li >
< li > < p > < strong > TCP劫持: < / strong > 通过劫持傀儡初始化的连接, , < strong > < em > windows< / em > < / strong > : , < br > 因此, , < strong > < em > ( ) < / em > < / strong > , , , , , , < / p >
< figure class = "highlight plain" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > websocket.send(|wnd|*i)< / span > < br > < / pre > < / td > < / tr > < / table > < / figure >
< p > 因此, , , , < br > < img src = "./9-http注入.PNG" alt > < br > < strong > < em > ( ) < / em > < / strong > , , , ( ) , < br > 此外, , , ( ) , , , , < / p >
< / li >
< / ul >
< hr >
< h2 id = "Discussion" > < a href = "#Discussion" class = "headerlink" title = "Discussion" > < / a > Discussion< / h2 > < p > 时序侧信道来自无线网络的半双工性质。由于无线协议中固有的冲突和回退, , , < br > 虽然作者只讨论威胁模型, , ( , ) , ( ) < br > 此外, , , , , , , < / p >
< / div >
< footer class = "post-footer" >
< div class = "post-eof" > < / div >
< / footer >
< / div >
< / article >
< article class = "post post-type-normal" itemscope itemtype = "http://schema.org/Article" >
< div class = "post-block" >
< link itemprop = "mainEntityOfPage" href = "https://cool-y.github.io/2019/03/16/小米固件工具mkxqimage/" >
< span hidden itemprop = "author" itemscope itemtype = "http://schema.org/Person" >
< meta itemprop = "name" content = "Cool-Y" >
< meta itemprop = "description" content >
< meta itemprop = "image" content = "/images/avatar.gif" >
< / span >
< span hidden itemprop = "publisher" itemscope itemtype = "http://schema.org/Organization" >
< meta itemprop = "name" content = "混元霹雳手" >
< / span >
< header class = "post-header" >
< h1 class = "post-title" itemprop = "name headline" >
< a class = "post-title-link" href = "/2019/03/16/小米固件工具mkxqimage/" itemprop = "url" > 小米固件工具mkxqimage< / a > < / h1 >
< div class = "post-meta" >
< span class = "post-time" >
< span class = "post-meta-item-icon" >
< i class = "fa fa-calendar-o" > < / i >
< / span >
< span class = "post-meta-item-text" > 发表于< / span >
< time title = "创建于" itemprop = "dateCreated datePublished" datetime = "2019-03-16T14:57:56+08:00" >
2019-03-16
< / time >
< / span >
< / div >
< / header >
< div class = "post-body" itemprop = "articleBody" >
< h1 id = "小米固件工具mkxqimage" > < a href = "#小米固件工具mkxqimage" class = "headerlink" title = "小米固件工具mkxqimage" > < / a > 小米固件工具mkxqimage< / h1 > < p > 小米自己改了个打包解包固件的工具,基于 trx 改的(本质上还是 trx 格式),加了 RSA 验证和解包功能,路由系统里自带:< br > < figure class = "highlight plain" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < span class = "line" > 3< / span > < br > < span class = "line" > 4< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > Usage:< / span > < br > < span class = "line" > mkxqimg [-o outfile] [-p private_key] [-f file] [-f file [-f file [-f file ]]]< / span > < br > < span class = "line" > [-x file]< / span > < br > < span class = "line" > [-I]< / span > < br > < / pre > < / td > < / tr > < / table > < / figure > < / p >
< h2 id = "固件解包" > < a href = "#固件解包" class = "headerlink" title = "固件解包" > < / a > 固件解包< / h2 > < p > 固件工具mkxqimage完成对固件的解包, , , , < / p >
< h2 id = "固件打包" > < a href = "#固件打包" class = "headerlink" title = "固件打包" > < / a > 固件打包< / h2 > < p > 小米官方在打包固件时用RSA私钥计算出固件的RSA签名, , < / p >
< h2 id = "固件格式" > < a href = "#固件格式" class = "headerlink" title = "固件格式" > < / a > < a href = "http://www.iptvfans.cn/wiki/index.php/%E5%B0%8F%E7%B1%B3%E8%B7%AF%E7%94%B1%E5%99%A8%E5%9B%BA%E4%BB%B6%E5%88%86%E6%9E%90" target = "_blank" rel = "noopener" > 固件格式< / a > < / h2 > < p > 路由固件的格式,基本是基于 openwrt 的 trx 这个简单的二进制文件格式< br > < figure class = "highlight plain" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < span class = "line" > 3< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > 48 44 52 30 63 D4 11 03 FE 3D 1A FD 05 00 02 00< / span > < br > < span class = "line" > 20 00 00 00 20 00 FE 00 00 00 00 00 00 00 00 00< / span > < br > < span class = "line" > FF 04 00 EA 14 F0 9F E5 14 F0 9F E5 14 F0 9F E5< / span > < br > < / pre > < / td > < / tr > < / table > < / figure > < / p >
< p > 第1~ : , ; < br > 第5~ : , : ; < br > 第9~12字节: ; < br > 第13~ : , ; < br > 第15~ : , ; < br > 第17~ : , , , ; < br > 第21~ : , , , ; < br > 第33字节开始是固件的正式内容开始。< / p >
< h2 id = "小米开启ssh工具包" > < a href = "#小米开启ssh工具包" class = "headerlink" title = "小米开启ssh工具包" > < / a > 小米开启ssh工具包< / h2 > < p > 使用mkxqimage解包< br > (现在会提示秘钥不存在)< br > < figure class = "highlight plain" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > error fopen public key< / span > < br > < span class = "line" > Image verify failed, not formal image< / span > < br > < / pre > < / td > < / tr > < / table > < / figure > < / p >
< p > 如果能解包应该可以得到脚本文件upsetting.sh< / p >
< figure class = "highlight plain" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < span class = "line" > 3< / span > < br > < span class = "line" > 4< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > #!/bin/sh< / span > < br > < span class = "line" > nvram set ssh_en=1< / span > < br > < span class = "line" > nvram set flag_init_root_pwd=1< / span > < br > < span class = "line" > nvram commit< / span > < br > < / pre > < / td > < / tr > < / table > < / figure >
< p > 执行脚本文件upsetting.sh后, , , , , : < br > < figure class = "highlight plain" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < span class = "line" > 3< / span > < br > < span class = "line" > 4< / span > < br > < span class = "line" > 5< / span > < br > < span class = "line" > 6< / span > < br > < span class = "line" > 7< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > flg_init_pwd=`nvram get flag_init_root_pwd`< / span > < br > < span class = "line" > if [ " $flg_init_pwd" = " 1" ]; then< / span > < br > < span class = "line" > init_pwd=`mkxqimage -I`< / span > < br > < span class = "line" > (echo $init_pwd; sleep 1; echo $init_pwd) | passwd root< / span > < br > < span class = "line" > nvram unset flag_init_root_pwd< / span > < br > < span class = "line" > nvram commit< / span > < br > < span class = "line" > fi< / span > < br > < / pre > < / td > < / tr > < / table > < / figure > < / p >
< p > 初始密码是mkxqimage -I的结果, , , : < / p >
< p > 初始密码计算算法为:< / p >
< p > < code > substr(md5(SN+" A2E371B0-B34B-48A5-8C40-A7133F3B5D88" ), 0, 8)< / code > < / p >
< p > < strong > < em > A2E371B0-B34B-48A5-8C40-A7133F3B5D88< / em > < / strong > 为分析mkxqimage得到的salt< / p >
< / div >
< footer class = "post-footer" >
< div class = "post-eof" > < / div >
< / footer >
< / div >
< / article >
< article class = "post post-type-normal" itemscope itemtype = "http://schema.org/Article" >
< div class = "post-block" >
< link itemprop = "mainEntityOfPage" href = "https://cool-y.github.io/2019/03/16/hello-world/" >
< span hidden itemprop = "author" itemscope itemtype = "http://schema.org/Person" >
< meta itemprop = "name" content = "Cool-Y" >
< meta itemprop = "description" content >
< meta itemprop = "image" content = "/images/avatar.gif" >
< / span >
< span hidden itemprop = "publisher" itemscope itemtype = "http://schema.org/Organization" >
< meta itemprop = "name" content = "混元霹雳手" >
< / span >
< header class = "post-header" >
< h1 class = "post-title" itemprop = "name headline" >
< a class = "post-title-link" href = "/2019/03/16/hello-world/" itemprop = "url" > Hello World< / a > < / h1 >
< div class = "post-meta" >
< span class = "post-time" >
< span class = "post-meta-item-icon" >
< i class = "fa fa-calendar-o" > < / i >
< / span >
< span class = "post-meta-item-text" > 发表于< / span >
< time title = "创建于" itemprop = "dateCreated datePublished" datetime = "2019-03-16T14:53:10+08:00" >
2019-03-16
< / time >
< / span >
< / div >
< / header >
< div class = "post-body" itemprop = "articleBody" >
< p > 你好!我是混元霹雳手< / p >
< / div >
< footer class = "post-footer" >
< div class = "post-eof" > < / div >
< / footer >
< / div >
< / article >
< / section >
< / div >
< / div >
< div class = "sidebar-toggle" >
< div class = "sidebar-toggle-line-wrap" >
< span class = "sidebar-toggle-line sidebar-toggle-line-first" > < / span >
< span class = "sidebar-toggle-line sidebar-toggle-line-middle" > < / span >
< span class = "sidebar-toggle-line sidebar-toggle-line-last" > < / span >
< / div >
< / div >
< aside id = "sidebar" class = "sidebar" >
< div class = "sidebar-inner" >
< section class = "site-overview-wrap sidebar-panel sidebar-panel-active" >
< div class = "site-overview" >
< div class = "site-author motion-element" itemprop = "author" itemscope itemtype = "http://schema.org/Person" >
< p class = "site-author-name" itemprop = "name" > Cool-Y< / p >
< p class = "site-description motion-element" itemprop = "description" > < / p >
< / div >
< nav class = "site-state motion-element" >
< div class = "site-state-item site-state-posts" >
< a href = "/archives/" >
< span class = "site-state-item-count" > 5< / span >
< span class = "site-state-item-name" > 日志< / span >
< / a >
< / div >
< div class = "site-state-item site-state-tags" >
< a href = "/tags/index.html" >
< span class = "site-state-item-count" > 4< / span >
< span class = "site-state-item-name" > 标签< / span >
< / a >
< / div >
< / nav >
< / div >
< / section >
< / div >
< / aside >
< / div >
< / main >
< footer id = "footer" class = "footer" >
< div class = "footer-inner" >
< div class = "copyright" > © < span itemprop = "copyrightYear" > 2019< / span >
< span class = "with-love" >
< i class = "fa fa-user" > < / i >
< / span >
< span class = "author" itemprop = "copyrightHolder" > Cool-Y< / span >
< / div >
< div class = "powered-by" > 由 < a class = "theme-link" target = "_blank" href = "https://hexo.io" > Hexo< / a > 强力驱动< / div >
< span class = "post-meta-divider" > |< / span >
< div class = "theme-info" > 主题 — < a class = "theme-link" target = "_blank" href = "https://github.com/iissnan/hexo-theme-next" > NexT.Muse< / a > v5.1.4< / div >
< / div >
< / footer >
< div class = "back-to-top" >
< i class = "fa fa-arrow-up" > < / i >
< / div >
< / div >
< script type = "text/javascript" >
if (Object.prototype.toString.call(window.Promise) !== '[object Function]') {
window.Promise = null;
}
< / script >
< script type = "text/javascript" src = "/lib/jquery/index.js?v=2.1.3" > < / script >
< script type = "text/javascript" src = "/lib/fastclick/lib/fastclick.min.js?v=1.0.6" > < / script >
< script type = "text/javascript" src = "/lib/jquery_lazyload/jquery.lazyload.js?v=1.9.7" > < / script >
< script type = "text/javascript" src = "/lib/velocity/velocity.min.js?v=1.2.1" > < / script >
< script type = "text/javascript" src = "/lib/velocity/velocity.ui.min.js?v=1.2.1" > < / script >
< script type = "text/javascript" src = "/lib/fancybox/source/jquery.fancybox.pack.js?v=2.1.5" > < / script >
< script type = "text/javascript" src = "/js/src/utils.js?v=5.1.4" > < / script >
< script type = "text/javascript" src = "/js/src/motion.js?v=5.1.4" > < / script >
< script type = "text/javascript" src = "/js/src/bootstrap.js?v=5.1.4" > < / script >
<!-- LOCAL: You can save these files to your site and update links -->
< link rel = "stylesheet" href = "https://aimingoo.github.io/gitmint/style/default.css" >
< script src = "https://aimingoo.github.io/gitmint/dist/gitmint.browser.js" > < / script >
<!-- END LOCAL -->
< / body >
< / html >
