
ACM Workshop on Programming Languages and Analysis for Security: latest publications

Specifying distributed trust management in LolliMon
Pub Date : 2006-06-10 DOI: 10.1145/1134744.1134753
Jeff Polakow, C. Skalka
We propose the monadic linear logic programming language LolliMon as a new foundation for the specification of distributed trust management systems, particularly the RT framework. LolliMon possesses features that make it well-suited to this application, including rigorous logical foundations, an expressive formula language, strong typing, and saturation as a proof resolution strategy. We specify certificate chain discovery in full RT for authorization in a distributed environment where certificates may be stored non-locally and selective retrieval is necessary. The uniform LolliMon specification of authorization and certificate chain discovery eases formal reasoning about the system, and scales to a rich collection of trust management features. The executable LolliMon specification also serves as a prototype implementation.
Citations: 9
Empirical relation between coupling and attackability in software systems: a case study on DOS
Pub Date : 2006-06-10 DOI: 10.1145/1134744.1134756
M. Y. Liu, I. Traoré
Over the last decades, software quality attributes such as maintainability, reliability, and understandability have been widely studied. In contrast, less attention has been paid to the field of software security. Attackability is a concept proposed recently in the research literature to measure the extent that a software system or service could be the target of successful attacks. Like most external attributes, attackability is to some extent disconnected from the internals of software products. To improve the quality of software products we need to be able to affect its internal features. So, for attackability measures to be useful for software products enhancement, we need to identify related internal software attributes. We study in this paper the empirical relationship between attackability as an external software quality attribute with coupling as an internal software attribute. Specifically, we use a case study based on denial of service (DOS) attacks conducted against an online medical record keeping system. Through regression analysis, we establish that there is a strong correlation between attackability and coupling.
Citations: 29
Combining type-based analysis and model checking for finding counterexamples against non-interference
Pub Date : 2006-06-10 DOI: 10.1145/1134744.1134750
Hiroshi Unno, N. Kobayashi, A. Yonezawa
Type systems for secure information flow are useful for efficiently checking that programs have secure information flow. They are, however, conservative, so that they often reject safe programs as ill-typed. Accordingly, users have to check whether the rejected programs indeed have insecure flows. To remedy this problem, we propose a method for automatically finding a counterexample of secure information flow (input states that actually lead to leakage of secret information). Our method is a novel combination of type-based analysis and model checking; suspicious execution paths (that may cause insecure information flow) are first found by using the result of a type-based information flow analysis, and then a model checker is used to check whether the paths are indeed unsafe. We have formalized and implemented the method. The result of preliminary experiments shows that our method can often find counterexamples faster than a method using a model checker alone.
Citations: 23
Efficient type inference for secure information flow
Pub Date : 2006-06-10 DOI: 10.1145/1134744.1134759
Katia Hristova, Tom Rothamel, Yanhong A. Liu, S. Stoller
This paper describes the design, analysis, and implementation of an efficient algorithm for information flow analysis expressed using a type system. Given a program and an environment of security classes for information accessed by the program, the algorithm checks whether the program is well typed, i.e., there is no information of higher security classes flowing into places of lower security classes according to a lattice of security classes, by inferring the highest or lowest security class as appropriate for each program node. We express the analysis as a set of Datalog-like rules based on the typing and subtyping rules, and we use a systematic method to generate specialized algorithms and data structures directly from the Datalog-like rules. The generated implementation traverses the program multiple times and uses a combination of linked and indexed data structures to represent program nodes, environments, and types. The time complexity of the algorithm is linear in the size of the input program, times the height of the lattice of security classes, plus a small overhead for preprocessing the security classes. This complexity is confirmed through our prototype implementation and experimental evaluation on code generated from high-level specifications for real systems.
Citations: 24
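The two preceding entries describe the same pipeline from two ends: a lattice-based flow type system that rejects any program where a high-labelled value, or a branch on one, reaches a low-labelled variable (Hristova et al.), and a second stage that takes the statements the type system rejected and looks for concrete inputs that actually leak (Unno et al.). The block below is an added illustration written for this page, not code from either paper. It uses a four-point lattice of compartment sets, a tiny imperative language encoded as tuples, a Volpano/Smith-style checker that tracks the program-counter label for implicit flows, and, standing in for the model checker, a bounded brute-force search over small integer inputs for two observer-equivalent initial states that end in observer-distinguishable final states. The lattice, the environment `ENV` and the three sample programs are constructed for the example.

```python
from itertools import product

# Security lattice: a level is the set of compartments the data may contain,
# join is union, ordering is subset.  {} is public (bottom), {'a','b'} is top.
LOW = frozenset()
A = frozenset({'a'})
B = frozenset({'b'})
HIGH = frozenset({'a', 'b'})

def join(*levels):
    out = frozenset()
    for level in levels:
        out = out | level
    return out

def leq(x, y):
    return x <= y

OPS = {
    '+': lambda a, b: a + b,
    '-': lambda a, b: a - b,
    '==': lambda a, b: int(a == b),
    '<': lambda a, b: int(a < b),
}

# Expressions: ('const', n) | ('var', name) | ('op', symbol, lhs, rhs)
# Statements:  ('assign', name, expr) | ('if', cond, then_stmts, else_stmts)

def expr_level(e, env):
    if e[0] == 'const':
        return LOW
    if e[0] == 'var':
        return env[e[1]]
    return join(expr_level(e[2], env), expr_level(e[3], env))

def typecheck(stmts, env, pc=LOW, path=()):
    """Volpano/Smith-style flow check.  An assignment x := e executed under
    program-counter label pc is well typed only if join(level(e), pc) <= env[x];
    the pc label is what catches implicit flows through branches.  Returns the
    paths of all ill-typed statements (empty list means well typed)."""
    bad = []
    for i, s in enumerate(stmts):
        here = path + (i,)
        if s[0] == 'assign':
            if not leq(join(expr_level(s[2], env), pc), env[s[1]]):
                bad.append(here)
        else:
            pc2 = join(pc, expr_level(s[1], env))
            bad += typecheck(s[2], env, pc2, here + ('then',))
            bad += typecheck(s[3], env, pc2, here + ('else',))
    return bad

def eval_expr(e, state):
    if e[0] == 'const':
        return e[1]
    if e[0] == 'var':
        return state[e[1]]
    return OPS[e[1]](eval_expr(e[2], state), eval_expr(e[3], state))

def run(stmts, state):
    state = dict(state)
    for s in stmts:
        if s[0] == 'assign':
            state[s[1]] = eval_expr(s[2], state)
        else:
            state = run(s[2] if eval_expr(s[1], state) else s[3], state)
    return state

def find_counterexample(stmts, env, observer=LOW, values=range(3)):
    """Bounded concrete search standing in for the model checker: two initial
    states that agree on everything the observer can read but end in states
    the observer can tell apart.  None means no leak within the bound, i.e.
    the type system's rejection was conservative for these inputs."""
    names = sorted(env)
    visible = [x for x in names if leq(env[x], observer)]
    states = [dict(zip(names, vals)) for vals in product(values, repeat=len(names))]
    for s1 in states:
        for s2 in states:
            if any(s1[x] != s2[x] for x in visible):
                continue
            o1, o2 = run(stmts, s1), run(stmts, s2)
            if any(o1[x] != o2[x] for x in visible):
                return s1, s2
    return None

# Constructed environment and sample programs.
ENV = {'h': HIGH, 'k': A, 'l': LOW}
EXPLICIT_LEAK = [('assign', 'l', ('var', 'h'))]                  # l := h
SAFE_BUT_REJECTED = [('if', ('op', '==', ('var', 'h'), ('const', 0)),
                     [('assign', 'l', ('const', 1))],             # both arms
                     [('assign', 'l', ('const', 1))])]            # write the same
WELL_TYPED = [('assign', 'k', ('op', '+', ('var', 'l'), ('const', 1)))]
```

`SAFE_BUT_REJECTED` is the classic case the first entry is about: the checker flags both arms because they assign a low variable under a high pc, yet no input pair distinguishes the outputs, so the search returns `None` and the rejection is known to be conservative. The search is exponential in the number of variables and is only a stand-in for a real model checker over the flagged path.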
Refactoring programs to secure information flows
Pub Date : 2006-06-10 DOI: 10.1145/1134744.1134758
Scott F. Smith, M. Thober
Adding a sound information flow security policy to an existing program is a difficult task that requires major analysis of and changes to the program. In this paper we show how refactoring programs into distinct components of high and low security is a useful methodology to aid in the production of programs with sound information flow policies. Our methodology proceeds as follows. Given a program with no information flow controls, a program slicer is used to identify code that depends on high security inputs. High security code so identified is then refactored into a separate component, which may be accessed by the low security component via public method calls. A security policy that labels input data and checks the output points can then enforce the desired end-to-end security property. Controlled information releases can occur at explicit declassification points if deemed safe. The result is a well-engineered program with explicit interfaces between components of different security levels.
Citations: 36
A microkernel virtual machine: building security with clear interfaces
Pub Date : 2006-06-10 DOI: 10.1145/1134744.1134754
Xiaoqi Lu, Scott F. Smith
In this paper we propose a novel microkernel-based virtual machine (µKVM), a new code-based security framework with a simple and declarative security architecture. The main design goals of the µKVM are to put a clear, inviolable programming interface between different codebases or security components, and to limit the size of the trusted codebase in the spirit of a microkernel. Security policies are enforced solely on the interface because all data must explicitly pass through the inviolable interface. The architecture of the µKVM effectively removes the need for expensive runtime stack inspection, and applies the principle of least privilege to both library and application code elegantly and efficiently. We have implemented a prototype of the proposed µKVM. A series of benchmarks show that the prototype preserves the original functionality of Java and compares favorably with the J2SDK performance-wise.
Citations: 7
Precise alias analysis for static detection of web application vulnerabilities
Pub Date : 2006-06-10 DOI: 10.1145/1134744.1134751
N. Jovanović, Christopher Krügel, E. Kirda
The number and the importance of web applications have increased rapidly over the last years. At the same time, the quantity and impact of security vulnerabilities in such applications have grown as well. Since manual code reviews are time-consuming, error-prone and costly, the need for automated solutions has become evident. In this paper, we address the problem of vulnerable web applications by means of static source code analysis. To this end, we present a novel, precise alias analysis targeted at the unique reference semantics commonly found in scripting languages. Moreover, we enhance the quality and quantity of the generated vulnerability reports by employing a novel, iterative two-phase algorithm for fast and precise resolution of file inclusions. We integrated the presented concepts into Pixy [Jovanovic et al. 2006], a high-precision static analysis tool aimed at detecting cross-site scripting vulnerabilities in PHP scripts. To demonstrate the effectiveness of our techniques, we analyzed three web applications and discovered 106 vulnerabilities. Both the high analysis speed as well as the low number of generated false positives show that our techniques can be used for conducting effective security audits.
Citations: 182
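The "unique reference semantics" the abstract refers to is PHP's `$a = &$b`: after it, the two names denote one cell, so a tainted write through `$a` reaches an `echo $b` sink that never mentions `$a`. The block below is an added example for this page, not Pixy's code: a deliberately small forward taint analysis over a constructed PHP-like statement form, run once treating references as shared cells (must-alias) and once treating them as plain copies, to show the false negative and the false positive that alias-unaware analysis produces. Pixy itself is flow-sensitive, interprocedural and tracks may-aliases as well; the statement encoding, the `htmlspecialchars`-style `sanitize` node and the three programs are constructed for the example.

```python
# Statements of a PHP-like form (constructed for this example):
#   ('ref', a, b)        $a = &$b;      reference assignment
#   ('assign', a, expr)  $a = expr;
#   ('echo', expr)       echo expr;     the XSS sink
# Expressions:
#   ('tainted', src)     $_GET[...], $_POST[...]
#   ('clean', literal)   string literal
#   ('var', name)
#   ('sanitize', expr)   htmlspecialchars(expr)
#   ('concat', e1, e2, ...)

class TaintAnalysis:
    """Forward taint analysis over straight-line code.  With alias_aware=True a
    reference assignment makes both names share one cell, so a write through
    either name updates the taint of both; with alias_aware=False the reference
    is treated as a value copy, which is what an analysis built for languages
    without PHP-style references would do."""

    def __init__(self, alias_aware=True):
        self.alias_aware = alias_aware
        self.cell = {}        # variable name -> cell id
        self.taint = {}       # cell id -> True if attacker-controlled
        self.next_id = 0
        self.findings = []    # 1-based line numbers of tainted echo sinks

    def _cell(self, name):
        if name not in self.cell:
            self.cell[name] = self.next_id
            self.taint[self.next_id] = False
            self.next_id += 1
        return self.cell[name]

    def expr_taint(self, e):
        kind = e[0]
        if kind == 'tainted':
            return True
        if kind in ('clean', 'sanitize'):
            return False
        if kind == 'var':
            return self.taint[self._cell(e[1])]
        if kind == 'concat':
            return any(self.expr_taint(part) for part in e[1:])
        raise ValueError(f'unknown expression {e!r}')

    def run(self, program):
        for lineno, stmt in enumerate(program, start=1):
            op = stmt[0]
            if op == 'ref':
                _, a, b = stmt
                if self.alias_aware:
                    self.cell[a] = self._cell(b)       # a and b now name one cell
                else:
                    self.taint[self._cell(a)] = self.taint[self._cell(b)]
            elif op == 'assign':
                _, a, e = stmt
                self.taint[self._cell(a)] = self.expr_taint(e)
            elif op == 'echo':
                if self.expr_taint(stmt[1]):
                    self.findings.append(lineno)
        return self.findings

def analyze(program, alias_aware=True):
    return TaintAnalysis(alias_aware).run(program)

# Constructed programs.  Line 3 of the first is a real XSS: $_GET data reaches
# echo through the reference, never through the name 'out' itself.
REF_LEAK = [
    ('ref', 'out', 'buf'),                              # $out = &$buf;
    ('assign', 'out', ('tainted', '$_GET["name"]')),    # $out = $_GET['name'];
    ('echo', ('var', 'buf')),                           # echo $buf;
]
# The taint is overwritten through the alias before the sink, so this one is
# safe; a copy-semantics analysis still reports line 4.
REF_OVERWRITE = [
    ('assign', 'buf', ('tainted', '$_GET["name"]')),    # $buf = $_GET['name'];
    ('ref', 'out', 'buf'),                              # $out = &$buf;
    ('assign', 'out', ('clean', '"hello"')),            # $out = "hello";
    ('echo', ('var', 'buf')),                           # echo $buf;
]
SANITIZED = [
    ('assign', 'name', ('tainted', '$_GET["name"]')),
    ('assign', 'safe', ('sanitize', ('var', 'name'))),  # htmlspecialchars($name)
    ('echo', ('concat', ('clean', '"<b>"'), ('var', 'safe'), ('clean', '"</b>"'))),
]
```

The alias-aware run reports line 3 of `REF_LEAK` and nothing for `REF_OVERWRITE`; the copy-semantics run gets both wrong in opposite directions. In a real audit the second kind of error is what drives the false-positive count the abstract measures, and the first kind is the one that matters for security.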
Trusted declassification: high-level policy for a security-typed language
Pub Date : 2006-06-10 DOI: 10.1145/1134744.1134757
Boniface Hicks, Dave King, P. Mcdaniel, M. Hicks
Security-typed languages promise to be a powerful tool with which provably secure software applications may be developed. Programs written in these languages enforce a strong, global policy of noninterference which ensures that high-security data will not be observable on low-security channels. Because noninterference is typically too strong a property, most programs use some form of declassification to selectively leak high security information, e.g. when performing a password check or data encryption. Unfortunately, such a declassification is often expressed as an operation within a given program, rather than as part of a global policy, making reasoning about the security implications of a policy more difficult. In this paper, we propose a simple idea we call trusted declassification in which special declassifier functions are specified as part of the global policy. In particular, individual principals declaratively specify which declassifiers they trust so that all information flows implied by the policy can be reasoned about in absence of a particular program. We formalize our approach for a Java-like language and prove a modified form of noninterference which we call noninterference modulo trusted methods. We have implemented our approach as an extension to Jif and provide some of our experience using it to build a secure e-mail client.
Citations: 51
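The abstract's point is structural: the set of declassifier functions and which principals trust each one live in a global policy, and application code can only route data through them, never invent its own release. The block below is an added example written for this page, not the authors' Jif extension: it models the idea dynamically in Python with labels that are sets of owning principals, a `declassify` that succeeds only if every owner of the data trusts the named declassifier, and a low output channel that refuses anything not public. The principals `alice` and `bob`, the `TRUSTS` table, the two declassifiers and the login routine are constructed for the example; the password-check declassifier is the abstract's own motivating case and releases exactly one bit.

```python
import hashlib
import hmac

class PolicyError(Exception):
    """Raised when a flow is not allowed by the global policy."""

PUBLIC = frozenset()     # bottom label: readable on the low channel

class Labeled:
    """A value tagged with the set of principals whose secrets it depends on."""
    __slots__ = ('value', 'label')
    def __init__(self, value, owners):
        self.value = value
        self.label = frozenset(owners)

def lift(fn, *args):
    """Ordinary computation: the result carries the join of its inputs' labels."""
    owners = frozenset().union(*(a.label for a in args))
    return Labeled(fn(*(a.value for a in args)), owners)

# --- Global policy (constructed for this example) ------------------------
# Declassifiers are declared here, not at the call site, and each principal
# says which of them it trusts.  A declassifier's output is public.
def _check_password(stored_hash, guess):
    digest = hashlib.sha256(guess.encode()).hexdigest()
    return hmac.compare_digest(stored_hash, digest)   # exactly one bit leaves

def _dump(value):
    return value                                      # releases everything

DECLASSIFIERS = {'check_password': _check_password, 'dump': _dump}
TRUSTS = {
    'alice': {'check_password'},
    'bob': {'check_password', 'dump'},
}
# --------------------------------------------------------------------------

def declassify(labeled, via):
    """The only way down the lattice.  Allowed only if every owner of the data
    trusts the named declassifier; the program cannot widen the policy.  Tuple
    values are spread over the declassifier's parameters."""
    fn = DECLASSIFIERS[via]
    untrusting = [p for p in labeled.label if via not in TRUSTS.get(p, set())]
    if untrusting:
        raise PolicyError(f'{via!r} is not trusted by {sorted(untrusting)}')
    args = labeled.value if isinstance(labeled.value, tuple) else (labeled.value,)
    return Labeled(fn(*args), PUBLIC)

def send_low(labeled):
    """Low-security output channel: refuses anything that is not public."""
    if labeled.label != PUBLIC:
        raise PolicyError(f'cannot release data owned by {sorted(labeled.label)}')
    return labeled.value

def rejected(thunk):
    """True if running thunk() is stopped by the policy."""
    try:
        thunk()
        return False
    except PolicyError:
        return True

# --- Application code (constructed): a login check -----------------------
ALICE_HASH = Labeled(hashlib.sha256(b'correct horse').hexdigest(), {'alice'})

def login(guess):
    # Pairing the secret with the guess keeps the pair owned by alice.
    pair = lift(lambda h, g: (h, g), ALICE_HASH, Labeled(guess, PUBLIC))
    # Release only the comparison result, through the trusted declassifier.
    return send_low(declassify(pair, 'check_password'))
```

Because trust is per principal, data that depends on both `alice` and `bob` can only go through a declassifier both of them trust: `dump` works for Bob's own token and is refused as soon as Alice's hash is joined in, without anyone reading the program that tried it.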
Certified In-lined Reference Monitoring on .NET
Pub Date : 2006-06-10 DOI: 10.1145/1134744.1134748
Kevin W. Hamlen, J. G. Morrisett, F. Schneider
MOBILE is an extension of the .NET Common Intermediate Language that supports certified In-Lined Reference Monitoring. Mobile programs have the useful property that if they are well-typed with respect to a declared security policy, then they are guaranteed not to violate that security policy when executed. Thus, when an In-Lined Reference Monitor (IRM) is expressed in Mobile, it can be certified by a simple type-checker to eliminate the need to trust the producer of the IRM. Security policies in Mobile are declarative, can involve unbounded collections of objects allocated at runtime, and can regard infinite-length histories of security events exhibited by those objects. The prototype Mobile implementation enforces properties expressed by finite-state security automata - one automaton for each security-relevant object - and can type-check Mobile programs in the presence of exceptions, finalizers, concurrency, and non-termination. Executing Mobile programs requires no change to existing .NET virtual machine implementations, since Mobile programs consist of normal managed CIL code with extra typing annotations stored in .NET attributes.
Citations: 96
Object capabilities for security
Pub Date : 2006-06-10 DOI: 10.1145/1134744.1134745
D. Wagner
Existing systems often do a poor job of meeting the principle of least privilege. I will discuss how object capability systems and language-based methods can help address this shortcoming. In language-based object capability systems, an object reference is treated as a capability; unforgeability of references ensures unforgeability of capabilities; and all privileges are expressed as capabilities in this way. This makes it possible to decompose the system into distrusting "privilege-separated" components, providing each component with the least privilege it needs to do its job; to reason about the privileges and powers available to various program elements, often in a local (modular) way; and to avoid common pitfalls, such as confused deputy and TOCTTOU vulnerabilities. I will attempt to introduce the audience to some work in this area that is perhaps not so widely known, and I will describe some work in progress to construct a subset of Java, called Joe-E, that is intended to enable capability-style programming using a programming syntax that is familiar to Java programmers.
{"title":"Object capabilities for security","authors":"D. Wagner","doi":"10.1145/1134744.1134745","DOIUrl":"https://doi.org/10.1145/1134744.1134745","url":null,"abstract":"Existing systems often do a poor job of meeting the principle of least privilege. I will discuss how object capability systems and language-based methods can help address this shortcoming. In language-based object capability systems, an object reference is treated as a capability; unforgeability of references ensures unforgeability of capabilities; and all privileges are expressed as capabilities in this way. This makes it possible to decompose the system into distrusting \"privilege-separated\" components, providing each component with the least privilege it needs to do its job; to reason about the privileges and powers available to various program elements, often in a local (modular) way; and to avoid common pitfalls, such as confused deputy and TOCTTOU vulnerabilities. I will attempt to introduce the audience to some work in this area that is perhaps not so widely known, and I will describe some work in progress to construct a subset of Java, called Joe-E, that is intended to enable capability-style programming using a programming syntax that is familiar to Java programmers.","PeriodicalId":119000,"journal":{"name":"ACM Workshop on Programming Languages and Analysis for Security","volume":"05 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2006-06-10","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"127267729","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Citations: 8
Journal
ACM Workshop on Programming Languages and Analysis for Security