Application Security Models for Mobile Agent Systems
J. Todd McDonald and Alec Yasinsac
Department of Computer Science, Florida State University
The 1st International Workshop on Security and Trust Management (STM'05)
Sept 15, 2005, Milan, Italy
Overview
- Motivation
- Defining mobile agent trust
- Defining trust-enhanced security
- Defining application security models: military model, trade model, neutral-services model
- Questions
Motivation
Defining security: requirements are confidentiality, integrity, authentication, and so on; mechanisms enforce those requirements.
Defining trust: a subjective, non-Boolean expectation of behavior; non-reflexive, changing and context-driven; acquired or delegated.
Using trust with mobile agent security:
- consider all mobile agent principals
- link requirements to mechanisms
- reason about trust for generic mechanisms
- initialize the trust model based on context
The Big Picture (figure)
Defining Mobile Agent Trust
Principals: agent, host, code developer, application owner, host manager.
Trust relationships (figure), enumerated by principal pair:
- Dispatching/execution hosts: DH → EH[i], EH[i] → DH, EH[i] → EH[j]
- Trusted hosts: DH → TH[i], TH[i] → DH, EH[i] → TH[j], TH[j] → EH[i], TH[i] → TH[j]
- Hosts and agents: ax → EH[i], EH[i] → ax, ax → TH[i], TH[i] → ax, DH → ax, ax → DH, ax → ay
- People to hosts/agents: AO → CD, AO → DH, AO → EH[i], CD → AO, CD → DH, CD → EH[i], DH → CD, DH → AO, EH[i] → CD, EH[i] → AO
(Application Owner = AO; Code Developer = CD; Dispatching Host = DH; Executing Host = EH; Trusted Host = TH)
Defining Mobile Agent Trust: Simplifying Assumptions
- A ≈ CD: agents are UNIQUE INSTANCES of agent code; code developers write agent code
- DH ≈ AO: application owners use agent code; the host that dispatches an agent is identified with the user that owns the application
- HM ≈ host owner, systems manager, user: all aspects of the physical execution environment
Security Requirements + Mechanisms
Prevention mechanisms: trust remains constant; stronger/most reliable; harder to deploy/implement.
Detection mechanisms: detection of violations alters trust; weaker/less reliable; easier to deploy/implement.
Idea:
- use stronger mechanisms for less trusted/unknown principals
- use weaker mechanisms for more trusted/known principals
Corollary:
- the application environment determines trust levels
- trust levels dictate the initial security requirements
Security Requirements + Mechanisms (figure, continued)
Example of a detection mechanism: execution tracing (Vigna; Tan and Moreau), placed against the requirements agent execution integrity, agent non-repudiation, host non-repudiation, agent state integrity and agent code integrity.
Security Requirements + Mechanisms (figure, continued)
Execution tracing (Tan and Moreau), placed against agent availability and host availability.
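The slides name execution tracing only as the example of a detection mechanism. The following is an added example, my own code rather than the authors' or the Vigna / Tan and Moreau protocol, that shows the detection property in its simplest form: the executing host logs the inputs it supplies to the agent, commits to that log together with the final agent state, and the application owner replays the agent's deterministic code over the log. An HMAC under a shared key stands in for the host's digital signature; the agent code, the key and the price inputs are constructed for the demo.

```python
"""Execution tracing as a detection mechanism (simplified, added example)."""
import hashlib
import hmac
import json

# Assumed shared key; stands in for the host's signing key in a real deployment.
HOST_KEY = b"demo-host-key"


def agent_step(state, host_input):
    """Deterministic agent code (constructed for the demo): track the lowest price offered so far."""
    new_state = dict(state)
    new_state["visited"] = state.get("visited", 0) + 1
    best = state.get("best")
    if best is None or host_input < best:
        new_state["best"] = host_input
    return new_state


def commit(trace, final_state, key=HOST_KEY):
    """Host commitment binding the trace of host-supplied inputs to the final state."""
    payload = json.dumps({"trace": trace, "state": final_state}, sort_keys=True).encode()
    return hmac.new(key, hashlib.sha256(payload).digest(), hashlib.sha256).hexdigest()


def run_on_host(state, host_inputs, key=HOST_KEY):
    """Host side: execute the agent, log every input it consumed, commit to trace + result."""
    trace = []
    for x in host_inputs:
        trace.append(x)
        state = agent_step(state, x)
    return state, trace, commit(trace, state, key)


def verify_on_owner(initial_state, claimed_state, trace, commitment, key=HOST_KEY):
    """Owner side: check the commitment, then replay the agent over the committed trace."""
    if not hmac.compare_digest(commit(trace, claimed_state, key), commitment):
        return False  # trace or result altered after the host committed to them
    state = initial_state
    for x in trace:
        state = agent_step(state, x)
    return state == claimed_state  # mismatch means the host deviated from the agent's code


def demo():
    """Honest run verifies; a forged result over the same trace is detected."""
    initial = {}
    state, trace, tag = run_on_host(initial, [42, 17, 23])
    honest_ok = verify_on_owner(initial, state, trace, tag)
    forged = dict(state, best=5)        # host claims a better price the agent never saw
    forged_tag = commit(trace, forged)  # and re-commits over the unchanged trace
    forged_ok = verify_on_owner(initial, forged, trace, forged_tag)
    return honest_ok, forged_ok
```

What this does and does not catch matches the slide's placement of tracing under detection rather than prevention: a host that tampers with the agent's state or result is caught at replay, after the fact; a host that lies about the inputs it supplied passes replay, but the commitment binds it to those inputs, which is the host non-repudiation listed beside tracing. Nothing here stops the host from misbehaving in the first place, and the owner must still decide what to do with the host's trust once a mismatch is found.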
Formalizing Trust Relationships (figure)
Principals shown: DH, EH, EH, CD, AO, DHO and EHO (dispatching and executing host owners), A, with trust relationships drawn among them.
What does knowing the true identity of DH do for you?
Defining Trust-Enhanced Security (figure)
Principals shown: DH, EH, EH, A, A, TH. Actions decrease trust; trust affects the allowed security mechanisms, the itinerary, the policy and code distribution.
Requirements Among Principals
- AO (DH) → EH: code privacy, code integrity, state integrity, state privacy, agent availability, agent anonymity, host authenticity, host non-repudiation
- EH → EH: state integrity, state privacy, host authenticity, host non-repudiation, host anonymity
- EH → AO (DH): host data privacy, host anonymity, agent state authenticity, agent non-repudiation
- EH → A (CD): agent code safety, host availability, host integrity, agent code authenticity, agent code integrity
Defining Trust-Enhanced Security: Trust in the Agent Life Cycle
- Creation/development: binding trust to the code developer
- Ownership: binding trust to the application owner
- Dispatching: binding trust to the dispatching host
- Execution: binding trust to prior hosts + dispatcher
- Migration: binding trust to the next host
- Termination: binding trust of the application result to the entire set of execution hosts + network
Defining Trust-Enhanced Security (figure)
Application owners acquire trust regarding executing hosts, and executing hosts acquire trust regarding application owners. For each application (Application 1, Application 2), trust acquisition runs along the itinerary [DH] {PAST EH} [CURRENT EH] {FUTURE EH} [DH], from initial trust to final trust.
Defining Trust-Enhanced Security
Trust decisions for the agent: Which security mechanism do I require? Which hosts can I migrate to? Which code parts can I distribute?
Trust decisions for the host: Which security mechanism do I use? Do I allow the agent access to resource X? Do I authorize the agent to do Y? Do I share my policy information?
Defining Trust-Enhanced Security (figure)
Principals shown: CD, AO, EH, A. Before migration, the decision is whether or not to MIGRATE to the host (tuple F = K, L = ND, T = S). At the host, the decision is whether or not to EXECUTE on the host (tuple F = UK, L = ND, T = E).
Defining Trust-Enhanced Security: Trusted Third Parties (Trusted Hosts)
Increase or decrease trust among one or more principals, based on their services: allow hosts to trust agents more or less; allow agents to trust hosts more or less; allow hosts to trust other hosts more or less.
May provide the implementation, or PART of the implementation, of a particular security mechanism.
Defining Application Security Models Essence of Military ModelMilitary Model
“Maginot” line Dispatching Hosts Executing Hosts Trusted Hosts ≠ Only “known” principles allowed Static (ordered/unordered) itineraries “Centralized” management domain
Overarching management of code Members of C (codebase) known a priori Safety of C (codebase) evaluated a priori
Single and multiple agent applications
Defining Application Security Models: Military Model
Initial trust of the row principal in the column principal (all principals known).
        DH/AO    EH       TH       A/CD
DH/AO   k / HT   k / T    k / HT   k / T
EH      k / T    k / T    k / HT   k / T
TH      k / HT   k / HT   k / HT   k / HT
A/CD    k / T    k / T    k / HT   k / T
Legend: HT = highly trusted, T = trusted, ND = non-determined, U = untrusted, HU = highly untrusted; k = known, uk = unknown.
Defining Application Security Models: Variant, the Strong Military Model
ALL execution hosts are equipped with tamper-proof hardware and have trust levels equivalent to that of a trusted host (highly trusted).
Defining Application Security Models: Essence of the Trade Model
- E-commerce: buyers/sellers
- Dispatching Hosts ∩ Executing Hosts = Trusted Hosts = Unknown principals
- Dynamic and static itineraries
- Single agent applications
- No infrastructure for code management: members and safety of C (codebase) not known a priori
Defining Application Security Models: Trade Model
Initial trust of the row principal in the column principal, for a known (k) and an unknown (uk) principal.
        DH/AO             EH                TH                A/CD
DH/AO   k / HT            k / U, uk / HU    k / T, uk / ND    k / ND, uk / U
EH      k / U, uk / HU    k / U, uk / HU    k / T, uk / ND    k / U, uk / HU
TH      k / ND, uk / U    k / U, uk / HU    k / T, uk / ND    k / ND, uk / U
A/CD    k / T, uk / ND    k / U, uk / HU    k / T, uk / ND    k / ND, uk / HU
Legend: HT = highly trusted, T = trusted, ND = non-determined, U = untrusted, HU = highly untrusted; k = known, uk = unknown.
Questions
Defining Application Security Models: Essence of the Neutral Services Model
- Databases: one-of-many service providers
- Dispatching Hosts ∩ Executing Hosts = Trusted Hosts ≠ OR Trusted Hosts =
- Communities of "unknown" principals with common trust levels
- Static or dynamic itineraries
- Single and multiple agent applications
Defining Application Security Models: Neutral Services Model
Initial trust of the row principal in the column principal, for a known (k) and an unknown (uk) principal.
        DH/AO             EH                TH               A/CD
DH/AO   k / HT            k / ND, uk / U    k / T, uk / T    k / T, uk / ND
EH      k / ND, uk / U    k / ND, uk / ND   k / T, uk / T    k / T, uk / ND
TH      k / ND, uk / ND   k / ND, uk / ND   k / T, uk / T    k / ND, uk / ND
A/CD    k / ND, uk / ND   k / U, uk / HU    k / T, uk / T    k / T, uk / ND
Legend: HT = highly trusted, T = trusted, ND = non-determined, U = untrusted, HU = highly untrusted; k = known, uk = unknown.
Related Works
Trust (distributed, decentralized, ad hoc): Gambetta (1990); Yahalom, Klein and Beth (1993); Rasmusson and Jansson (1996); Blaze, Feigenbaum and Lacy (1996); Grandison and Sloman (2000), survey; Kagal et al. (2001); Cahill et al. (2003); Capra (2004); Burmester and Yasinsac (2004)
General mobile agent security: McDonald, Yasinsac and Thompson (2005); Claessens, Preneel and Vandewalle (2003); Bierman and Cloete (2002); Jansen and Karygiannis (2000); Chess (1998)
Mobile agent security and trust: Tripathi, Ahmed and Karnik (2001); Tan and Moreau (2001); Robles and Borrell (2002); Patrick (2002); Lin et al. (2004)
Formalizing Trust Relationships
Trust notions:
- peer / collaborative / trusted / honest
- competitive / malicious / adversarial
- neutral: not trusted but not dishonest
Hosts (figure): execution, dispatching and trusted hosts linked by trust/belief relations.
Formalizing Trust Levels
Trust notions:
- Unidirectional: trust one way is not necessarily the corresponding trust the other way
- Limited: specific only to a given security objective (you could be trustworthy in one respect but not another)
- Specific: trust can encompass entire sets of agents/hosts or deal with specific hosts, specific agents and specific people
Goal: given initial trust relationships, derive new ones according to rules.
Formalizing Trust Relationships: Initial Assumptions for Principals
- 1..* Agents (A) ≈ Code Developer (CD)
- 1 Dispatching Host (DH) ≈ Application Owner (AO)
- Servers ≈ Server Owner/Manager
- Agents are uniquely identifiable
The Trust Algorithm (animated figure)
The agent A carries TRUST TUPLES as it moves among DH, TH and EH. At each hop there are two decision points: before migration, whether or not to migrate TO the host; at the host, whether or not to execute ON the host. The tuple shown for the first executing host is F = K, L = ND, T = S.
Formalizing Trust Relationships
P = { p1, p2 }: p1, p2 { DH | EH | TH | A } F = { K | UK }
K = known, UK = unknown Associate? Acquaintance? Third-hand?
TL = { HT | T | UK | U | HU } HT = Highly trusted T = Trusted UK = Unknown U = Untrusted HU = highly untrusted
O: Security Objective Set of 1 or more?
[Principle] [Trust Level] → [Principle] [Trust Level] → [Foreknowledge] [Principle] [Timeliness] with (O)[Foreknowledge] [Principle] [Timeliness] with (O)
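The model tables (military, trade, neutral-services) give initial trust levels, and the relation above gives the shape of a trust tuple, but the slides leave the agent's decision rule abstract. The following is an added example, my own Python rather than code from the authors or the paper: it transcribes the three tables, represents [Principal][Trust Level] → [Foreknowledge][Principal][Timeliness] with (O) as a tuple, and works through the two decisions of the trust-algorithm slides, whether to migrate to a host and which class of mechanism (prevention versus detection) to require there. The migration threshold, the mechanism labels and the one-level trust decrement after a detected violation are assumptions made for this demo; the slides do not fix them.

```python
"""Trust tuples and the migrate/execute decision (added example)."""
from dataclasses import dataclass, replace
from enum import IntEnum


class Level(IntEnum):
    """Trust levels from the slides, ordered so '>=' reads 'at least as trusted'."""
    HU = 0  # highly untrusted
    U = 1   # untrusted
    ND = 2  # non-determined
    T = 3   # trusted
    HT = 4  # highly trusted


ROLES = ("DH", "EH", "TH", "A")  # dispatching host (= AO), executing host, trusted host, agent (= CD)
L = Level


def _row(*cells):
    """One table row: for each trustee role, (level if known, level if unknown)."""
    return dict(zip(ROLES, cells))


# Initial trust tables transcribed from the slides; None = the model admits no unknown principal there.
MODELS = {
    "military": {
        "DH": _row((L.HT, None), (L.T, None), (L.HT, None), (L.T, None)),
        "EH": _row((L.T, None), (L.T, None), (L.HT, None), (L.T, None)),
        "TH": _row((L.HT, None), (L.HT, None), (L.HT, None), (L.HT, None)),
        "A": _row((L.T, None), (L.T, None), (L.HT, None), (L.T, None)),
    },
    "trade": {
        "DH": _row((L.HT, None), (L.U, L.HU), (L.T, L.ND), (L.ND, L.U)),
        "EH": _row((L.U, L.HU), (L.U, L.HU), (L.T, L.ND), (L.U, L.HU)),
        "TH": _row((L.ND, L.U), (L.U, L.HU), (L.T, L.ND), (L.ND, L.U)),
        "A": _row((L.T, L.ND), (L.U, L.HU), (L.T, L.ND), (L.ND, L.HU)),
    },
    "neutral": {
        "DH": _row((L.HT, None), (L.ND, L.U), (L.T, L.T), (L.T, L.ND)),
        "EH": _row((L.ND, L.U), (L.ND, L.ND), (L.T, L.T), (L.T, L.ND)),
        "TH": _row((L.ND, L.ND), (L.ND, L.ND), (L.T, L.T), (L.ND, L.ND)),
        "A": _row((L.ND, L.ND), (L.U, L.HU), (L.T, L.T), (L.T, L.ND)),
    },
}


@dataclass(frozen=True)
class TrustTuple:
    """[Principal][Trust Level] -> [Foreknowledge][Principal][Timeliness] with (O)."""
    truster: str     # principal holding the belief
    trustee: str     # principal the belief is about
    known: bool      # foreknowledge F: True = K, False = UK
    level: Level     # trust level TL
    timeliness: str  # "S" before migration, "E" at execution (labels from the slides)
    objective: str   # security objective O


def admits(model, truster, trustee, known):
    """True if the model defines an initial trust level for this pairing and foreknowledge."""
    known_level, unknown_level = MODELS[model][truster][trustee]
    return (known_level if known else unknown_level) is not None


def initial_trust(model, truster, trustee, known, timeliness="S", objective="state integrity"):
    """Initialize a trust tuple from the application model (the environment determines trust)."""
    if not admits(model, truster, trustee, known):
        raise ValueError(f"{model} model admits no {'known' if known else 'unknown'} {trustee}")
    known_level, unknown_level = MODELS[model][truster][trustee]
    return TrustTuple(truster, trustee, known, known_level if known else unknown_level, timeliness, objective)


def choose_mechanism(t):
    """Stronger (prevention) mechanisms for less trusted principals, weaker (detection) for the rest."""
    return "prevention" if t.level <= Level.U else "detection"


def after_violation(t):
    """Detection of a violation alters trust: drop one level, floor at HU (assumed policy)."""
    return replace(t, level=Level(max(Level.HU, t.level - 1)), timeliness="E")


def plan_itinerary(model, hosts, threshold=Level.U):
    """Agent-side decision per prospective host: migrate when trust >= threshold (assumed default U)."""
    plan = []
    for role, known in hosts:
        t = initial_trust(model, "A", role, known)
        if t.level >= threshold:
            plan.append((role, t.level.name, "migrate", choose_mechanism(t)))
        else:
            plan.append((role, t.level.name, "skip", None))
    return plan
```

With the default threshold, an agent in the trade model still visits a known e-commerce host (level U) but demands prevention mechanisms there, refuses an unknown one (HU), and relaxes to detection at a trusted host; in the military model an unknown host is not admitted at all, which is the "only known principals" rule of that model rather than a trust judgement. The threshold is the knob an application owner turns per model and per security objective; the tuple carries the objective so that different thresholds can apply to, say, state integrity and code privacy.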
Defining Mobile Agent Trust
Trustworthiness of the agent code might be expressed in terms of three requirements:
- Authentication of the code's designer and the code's identity
- Integrity verification that the code received is the same as the code transmitted by the application owner
- Probabilistic proofs that the code meets some predefined security policy or safety requirements
Defining Trust-Enhanced Security (figure): Executing Hosts Acquire Trust Regarding Application Owners
For a given host (Host 1), trust acquisition runs over [ALL PRIOR APPS] [CURRENT APP], from initial trust to final trust.