Application Security Models for Mobile Agent Systems
J. Todd McDonald, Alec Yasinsac
Department of Computer Science, Florida State University
The 1st International Workshop on Security and Trust Management (STM’05), Sept 15, 2005, Milan, Italy
(51 slides)


Page 1: Application Security Models for Mobile Agent Systems

1

Application Security Models for Mobile Agent Systems

Department of Computer Science, Florida State University

J. Todd McDonald, Alec Yasinsac

The 1st International Workshop on Security and Trust Management (STM’05)

Sept 15, 2005, Milan, Italy

Page 2: Application Security Models for Mobile Agent Systems

2

Overview
- Motivation
- Defining mobile agent trust
- Defining trust-enhanced security
- Defining application security models: Military model, Trade model, Neutral-services model
- Questions

Page 3: Application Security Models for Mobile Agent Systems

3

Motivation

Defining Security
- Requirements = confidentiality, integrity, authentication, ...
- Mechanisms = enforce security requirements

Defining Trust
- Subjective, non-Boolean expectation of behavior
- Non-reflexive, changing, context-driven
- Acquired or delegated

Using Trust with Mobile Agent Security
- Consider all mobile agent principals
- Link requirements to mechanisms
- Reason about trust for generic mechanisms
- Initialize the trust model based on context

Page 4: Application Security Models for Mobile Agent Systems

4

Overview
- Motivation
- Defining mobile agent trust
- Defining trust-enhanced security
- Defining application security models: Military model, Trade model, Neutral-services model
- Questions

Page 5: Application Security Models for Mobile Agent Systems

5

The Big Picture

Page 6: Application Security Models for Mobile Agent Systems

6

Defining Mobile Agent Trust

PRINCIPALS: Agent, Host, Code developer, Application owner, Host manager

[Figure: TRUST RELATIONSHIPS among the principals]

Page 7: Application Security Models for Mobile Agent Systems

7

Defining Mobile Agent Trust

Page 8: Application Security Models for Mobile Agent Systems

8

Defining Mobile Agent Trust

Dispatching/Execution Hosts: DH → EH[i], EH[i] → DH, EH[i] → EH[j]

Trusted Hosts: DH → TH[i], TH[i] → DH, EH[i] → TH[j], TH[j] → EH[i], TH[i] → TH[j]

Hosts and Agents: ax → EH[i], EH[i] → ax, ax → TH[i], TH[i] → ax, DH → ax, ax → DH, ax → ay

People to Hosts/Agents: AO → CD, AO → DH, AO → EH[i], CD → AO, CD → DH, CD → EH[i], DH → CD, DH → AO, EH[i] → CD, EH[i] → AO

Page 9: Application Security Models for Mobile Agent Systems

9

Defining Mobile Agent Trust

Simplifying Assumptions
- A ≈ CD: agents are UNIQUE INSTANCES of agent code; code developers write agent code
- DH ≈ AO: application owners use agent code; the host that dispatches an agent ≈ the user that owns the application
- HM ≈ host owner, systems manager, user: all aspects of the physical execution environment

Page 10: Application Security Models for Mobile Agent Systems

10

Overview
- Motivation
- Defining mobile agent trust
- Defining trust-enhanced security
- Defining application security models: Military model, Trade model, Neutral-services model
- Questions

Page 11: Application Security Models for Mobile Agent Systems

11

Security Requirements + Mechanisms

PREVENTION: trust remains constant; stronger/most reliable; harder to deploy/implement
DETECTION: detection of violations alters trust; weaker/less reliable; easier to deploy/implement

Idea:
- use stronger mechanisms for less trusted/unknown principals
- use weaker mechanisms for more trusted/known principals

Corollary:
- the application environment determines trust levels
- trust levels dictate the initial security requirements

Page 12: Application Security Models for Mobile Agent Systems

12

Security Requirements + Mechanisms

PREVENTION: stronger/most reliable; harder to deploy/implement
DETECTION: detection of violations alters trust; weaker/less reliable; easier to deploy/implement

Example mechanism: Execution Tracing (Vigna; Tan-Moreau), a detection mechanism, covers these requirements: agent execution integrity, agent non-repudiation, host non-repudiation, agent state integrity, agent code integrity

Page 13: Application Security Models for Mobile Agent Systems

13

Security Requirements + Mechanisms

PREVENTION: stronger/most reliable; harder to deploy/implement
DETECTION: detection of violations alters trust; weaker/less reliable; easier to deploy/implement

Example mechanism: Execution Tracing (Tan-Moreau) covers agent availability and host availability

Page 14: Application Security Models for Mobile Agent Systems

14

Formalizing Trust Relationships

[Figure: principals DH, EH, EH, CD, AO, DHO, EHO, EHO and A with the trust relationships among them]

What does knowing the true identity of DH do for you?

Page 15: Application Security Models for Mobile Agent Systems

15

Defining Trust-Enhanced Security

[Figure: DH, EH, EH, TH and agents A]

Actions decrease trust. Trust affects: allowed security mechanisms, itinerary, policy, code distribution.

Page 16: Application Security Models for Mobile Agent Systems

16

Requirements Among Principals

AO (DH) → EH: code privacy, code integrity, state integrity, state privacy, agent availability, agent anonymity, host authenticity, host non-repudiation

EH → EH: state integrity, state privacy, host authenticity, host non-repudiation, host anonymity

EH → AO (DH): host data privacy, host anonymity, agent state authenticity, agent non-repudiation

EH → A (CD): agent code safety, host availability, host integrity, agent code authenticity, agent code integrity

Page 17: Application Security Models for Mobile Agent Systems

17

Defining Trust-Enhanced Security: Trust in the Agent Life Cycle
- Creation/Development: binding trust to the code developer
- Ownership: binding trust to the application owner
- Dispatching: binding trust to the dispatching host
- Execution: binding trust to prior hosts + dispatcher
- Migration: binding trust to the next host
- Termination: binding trust of the application result to the entire set of execution hosts + network

Page 18: Application Security Models for Mobile Agent Systems

18

Defining Trust-Enhanced Security

Application owners acquire trust regarding executing hosts; executing hosts acquire trust regarding application owners.

Per application (the figure shows Application 1 and Application 2):
[DH] { PAST EH } [ CURRENT EH ] { FUTURE EH } [DH]
TRUST ACQUISITION: INITIAL TRUST → FINAL TRUST

Page 19: Application Security Models for Mobile Agent Systems

19

Defining Trust-Enhanced Security

Trust decisions for the agent: Which security mechanism do I require? Which hosts can I migrate to? Which code parts can I distribute?

Trust decisions for the host: Which security mechanism do I use? Do I allow the agent access to resource X? Do I authorize the agent to do Y? Do I share my policy information?

Page 20: Application Security Models for Mobile Agent Systems

20

Defining Trust-Enhanced Security

[Figure: CD, AO, A and EH]

Before migration: the decision is whether or not to MIGRATE to the host. F = K, L = ND, T = S

At host: the decision is whether or not to EXECUTE on the host. F = UK, L = ND, T = E

Page 21: Application Security Models for Mobile Agent Systems

21

Defining Trust-Enhanced Security: Trusted Third Parties (Trusted Hosts)
- Increase/decrease trust among one or more principals
- Based on their services: allow hosts to trust agents more/less; allow agents to trust hosts more/less; allow hosts to trust other hosts more/less
- May provide the implementation of, or PART of, a particular security mechanism

Page 22: Application Security Models for Mobile Agent Systems

22

Overview
- Motivation
- Defining mobile agent trust
- Defining trust-enhanced security
- Defining application security models: Military model, Trade model, Neutral-services model
- Questions

Page 23: Application Security Models for Mobile Agent Systems

23

Defining Application Security Models: Essence of the Military Model
- “Maginot” line
- Dispatching Hosts, Executing Hosts, Trusted Hosts ≠
- Only “known” principals allowed
- Static (ordered/unordered) itineraries
- “Centralized” management domain
- Overarching management of code: members of C (codebase) known a priori; safety of C (codebase) evaluated a priori
- Single and multiple agent applications

Page 24: Application Security Models for Mobile Agent Systems

24

Defining Application Security Models: Military Model

Initial trust matrix (cell = foreknowledge / trust level):

         DH/AO    EH       TH       A/CD
DH/AO    k/HT     k/T      k/HT     k/T
EH       k/T      k/T      k/HT     k/T
TH       k/HT     k/HT     k/HT     k/HT
A/CD     k/T      k/T      k/HT     k/T

Legend: HT = highly trusted, T = trusted, ND = non-determined, U = untrusted, HU = highly untrusted; k = known, uk = unknown

Page 25: Application Security Models for Mobile Agent Systems

25

Defining Application Security Models: Variance of the Strong Military Model
- ALL execution hosts are equipped with tamper-proof hardware
- They have trust levels equivalent to that of a trusted host (highly trusted)

Page 26: Application Security Models for Mobile Agent Systems

26

Defining Application Security Models: Essence of the Trade Model
- E-commerce: buyers/sellers
- Dispatching Hosts ∩ Executing Hosts =
- Trusted Hosts =
- Unknown principals
- Dynamic and static itineraries
- Single agent applications
- No infrastructure for code management: members and safety of C (codebase) not known a priori

Page 27: Application Security Models for Mobile Agent Systems

27

Defining Application Security Models: Trade Model

Initial trust matrix (cell = foreknowledge / trust level, for known and unknown principals):

         DH/AO        EH           TH           A/CD
DH/AO    k/HT         k/U  uk/HU   k/T  uk/ND   k/ND uk/U
EH       k/U  uk/HU   k/U  uk/HU   k/T  uk/ND   k/U  uk/HU
TH       k/ND uk/U    k/U  uk/HU   k/T  uk/ND   k/ND uk/U
A/CD     k/T  uk/ND   k/U  uk/HU   k/T  uk/ND   k/ND uk/HU

Legend: HT = highly trusted, T = trusted, ND = non-determined, U = untrusted, HU = highly untrusted; k = known, uk = unknown

Page 28: Application Security Models for Mobile Agent Systems

28

Questions

Page 29: Application Security Models for Mobile Agent Systems

29

Defining Application Security Models: Essence of the Neutral Services Model
- Databases: one-of-many service providers
- Dispatching Hosts ∩ Executing Hosts =
- Trusted Hosts ≠ OR Trusted Hosts =
- Communities of “unknown” principals with common trust levels
- Static or dynamic itineraries
- Single and multiple agent applications

Page 30: Application Security Models for Mobile Agent Systems

30

Defining Application Security Models: Neutral Services Model

Initial trust matrix (cell = foreknowledge / trust level, for known and unknown principals):

         DH/AO        EH           TH           A/CD
DH/AO    k/HT         k/ND uk/U    k/T  uk/T    k/T  uk/ND
EH       k/ND uk/U    k/ND uk/ND   k/T  uk/T    k/T  uk/ND
TH       k/ND uk/ND   k/ND uk/ND   k/T  uk/T    k/ND uk/ND
A/CD     k/ND uk/ND   k/U  uk/HU   k/T  uk/T    k/T  uk/ND

Legend: HT = highly trusted, T = trusted, ND = non-determined, U = untrusted, HU = highly untrusted; k = known, uk = unknown
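The three trust matrices above, transcribed into a lookup so that the corollary on the "Security Requirements + Mechanisms" slide (the application environment determines the initial trust levels) can be queried for any principal pair. This is an added example, not the authors' code: the tables are copied from the Military, Trade and Neutral Services slides; reading a row as the trusting principal and a column as the trusted one, the ordering of the trust levels, the `initial_trust`/`trust_across_models` functions and the sample queries are assumptions of this example.

```python
"""Initial trust levels per application security model.

Added example, not the authors' code.  The three tables transcribe the
Military, Trade and Neutral Services trust matrices from the slides; reading a
row as the trusting principal and a column as the trusted one, the lookup
functions, the ordering of trust levels and the sample queries are assumptions
of this example.
"""
from typing import Dict, Optional, Tuple

# Legend from the slides, ordered here from least to most trusted.  Placing
# ND (non-determined) between U and T is an assumption of this example.
TRUST_ORDER = ["HU", "U", "ND", "T", "HT"]

# Principal classes: DH (dispatching host / application owner), EH (executing
# host), TH (trusted host), A (agent / code developer).
PRINCIPALS = ("DH", "EH", "TH", "A")

# cell = (level if the trustee is known "k", level if unknown "uk");
# None means the model has no unknown-principal entry for that cell.
Cell = Tuple[str, Optional[str]]
Matrix = Dict[str, Dict[str, Cell]]

# Military model: all principals are known a priori, so every cell is "k".
MILITARY: Matrix = {
    "DH": {"DH": ("HT", None), "EH": ("T", None),  "TH": ("HT", None), "A": ("T", None)},
    "EH": {"DH": ("T", None),  "EH": ("T", None),  "TH": ("HT", None), "A": ("T", None)},
    "TH": {"DH": ("HT", None), "EH": ("HT", None), "TH": ("HT", None), "A": ("HT", None)},
    "A":  {"DH": ("T", None),  "EH": ("T", None),  "TH": ("HT", None), "A": ("T", None)},
}

# Trade model: unknown principals are the norm and are mostly (highly) untrusted.
TRADE: Matrix = {
    "DH": {"DH": ("HT", None), "EH": ("U", "HU"), "TH": ("T", "ND"), "A": ("ND", "U")},
    "EH": {"DH": ("U", "HU"),  "EH": ("U", "HU"), "TH": ("T", "ND"), "A": ("U", "HU")},
    "TH": {"DH": ("ND", "U"),  "EH": ("U", "HU"), "TH": ("T", "ND"), "A": ("ND", "U")},
    "A":  {"DH": ("T", "ND"),  "EH": ("U", "HU"), "TH": ("T", "ND"), "A": ("ND", "HU")},
}

# Neutral services model: communities of unknown principals sharing a common
# (mostly non-determined) trust level; trusted hosts are trusted even when unknown.
NEUTRAL_SERVICES: Matrix = {
    "DH": {"DH": ("HT", None), "EH": ("ND", "U"),  "TH": ("T", "T"), "A": ("T", "ND")},
    "EH": {"DH": ("ND", "U"),  "EH": ("ND", "ND"), "TH": ("T", "T"), "A": ("T", "ND")},
    "TH": {"DH": ("ND", "ND"), "EH": ("ND", "ND"), "TH": ("T", "T"), "A": ("ND", "ND")},
    "A":  {"DH": ("ND", "ND"), "EH": ("U", "HU"),  "TH": ("T", "T"), "A": ("T", "ND")},
}

MODELS: Dict[str, Matrix] = {
    "military": MILITARY,
    "trade": TRADE,
    "neutral": NEUTRAL_SERVICES,
}


def initial_trust(model: str, trustor: str, trustee: str, known: bool = True) -> str:
    """Trust level `trustor` starts with toward `trustee` under `model`.

    Raises ValueError when the model has no entry for an unknown trustee (the
    Military model: hosts and members of the codebase are known a priori)."""
    if trustor not in PRINCIPALS or trustee not in PRINCIPALS:
        raise ValueError(f"unknown principal class: {trustor!r} / {trustee!r}")
    known_level, unknown_level = MODELS[model][trustor][trustee]
    if known:
        return known_level
    if unknown_level is None:
        raise ValueError(f"{model} model admits no unknown {trustee} for {trustor}")
    return unknown_level


def more_trusted(a: str, b: str) -> bool:
    """True if level `a` ranks strictly above level `b`."""
    return TRUST_ORDER.index(a) > TRUST_ORDER.index(b)


def trust_across_models(trustor: str, trustee: str, known: bool = True) -> Dict[str, Optional[str]]:
    """Same principal pair under each model; None where the model has no entry.
    This is the corollary on the slides: the environment fixes the initial
    trust levels, and with them the initial security requirements."""
    out: Dict[str, Optional[str]] = {}
    for name in MODELS:
        try:
            out[name] = initial_trust(name, trustor, trustee, known)
        except ValueError:
            out[name] = None
    return out


if __name__ == "__main__":
    # Constructed sample queries.
    print("agent -> unknown executing host:", trust_across_models("A", "EH", known=False))
    print("executing host -> known trusted host:", trust_across_models("EH", "TH"))
```

Querying the same pair across models makes the slides' point concrete: an agent meeting an unknown executing host starts at HU in both the Trade and Neutral Services models, while the Military model has no such entry at all, because unknown principals are not admitted there.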

Page 31: Application Security Models for Mobile Agent Systems

31

Related Works

Trust: Distributed, Decentralized, Ad-hoc
- Gambetta (1990)
- Yahalom, Klein, Beth (1993)
- Rasmusson and Jansson (1996)
- Blaze, Feigenbaum, Lacy (1996)
- Grandison and Sloman (2000), survey
- Kagal et al. (2001)
- Cahill et al. (2003)
- Capra (2004)
- Burmester and Yasinsac (2004)

Page 32: Application Security Models for Mobile Agent Systems

32

Related Works

General mobile agent security
- McDonald, Yasinsac, Thompson (2005)
- Claessens, Preneel, Vandewalle (2003)
- Bierman and Cloete (2002)
- Jansen and Karygiannis (2000)
- Chess (1998)

Mobile agent security and trust
- Tripathi, Ahmed, Karnik (2001)
- Tan and Moreau (2001)
- Robles and Borrell (2002)
- Patrick (2002)
- Lin et al. (2004)

Page 33: Application Security Models for Mobile Agent Systems

33

Formalizing Trust Relationships

Trust notions:
- peer / collaborative / trusted / honest
- competitive / malicious / adversarial
- neutral: not trusted but not dishonest

[Figure: execution, dispatching and trusted hosts joined by trust/belief relations]

Page 34: Application Security Models for Mobile Agent Systems

34

Formalizing Trust Levels

Trust notions:
- Unidirectional: the trust one way is not necessarily the corresponding trust the other way
- Limited: specific only to a given security objective (you could be trustworthy in one respect but not another)
- Specific: trust can encompass entire sets of agents/hosts or deal with specific hosts, specific agents and specific people

Goal: given initial trust relationships, derive new ones according to rules

Page 35: Application Security Models for Mobile Agent Systems

35

Formalizing Trust Relationships: Initial Assumptions for Principals
- 1..* Agents (A) ≈ Code Developer (CD)
- 1 Dispatching Host (DH) ≈ Application Owner (AO)
- Servers ≈ Server Owner/Manager
- Agents are uniquely identifiable

Page 36: Application Security Models for Mobile Agent Systems

36

The Trust Algorithm

[Figure: agent A, application owner AO and executing hosts EH]

Before migration: the decision is whether or not to migrate TO the host.
At host: the decision is whether or not to execute ON the host.

F = K, L = ND, T = S

Page 37: Application Security Models for Mobile Agent Systems

37

The Trust Algorithm: TRUST TUPLES

[Figure: DH, A and EH; before migration the decision is whether or not to migrate TO the host, at the host whether or not to execute ON it]

F = K, L = ND, T = S

Page 38: Application Security Models for Mobile Agent Systems

38

The Trust Algorithm: TRUST TUPLES

[Figure: TH, A and DH; before migration the decision is whether or not to migrate TO the host, at the host whether or not to execute ON it]

Page 39: Application Security Models for Mobile Agent Systems

39

The Trust Algorithm: TRUST TUPLES

[Figure: TH, A and TH; before migration the decision is whether or not to migrate TO the host, at the host whether or not to execute ON it]

Page 40: Application Security Models for Mobile Agent Systems

40

The Trust Algorithm: TRUST TUPLES

[Figure: EH, A and TH; before migration the decision is whether or not to migrate TO the host, at the host whether or not to execute ON it]

Page 41: Application Security Models for Mobile Agent Systems

41

The Trust Algorithm: TRUST TUPLES

[Figure: TH, A and EH; before migration the decision is whether or not to migrate TO the host, at the host whether or not to execute ON it]

Page 42: Application Security Models for Mobile Agent Systems

42

The Trust Algorithm: TRUST TUPLES

[Figure: DH, A and EH; before migration the decision is whether or not to migrate TO the host, at the host whether or not to execute ON it]

Page 43: Application Security Models for Mobile Agent Systems

43

Formalizing Trust Relationships

P = { p1, p2 }, p1, p2 ∈ { DH | EH | TH | A }

F = { K | UK }: K = known, UK = unknown (associate? acquaintance? third-hand?)

TL = { HT | T | UK | U | HU }: HT = highly trusted, T = trusted, UK = unknown, U = untrusted, HU = highly untrusted

O: security objective (a set of one or more?)

Trust relationship: [Principal] [Trust Level] → [Foreknowledge] [Principal] [Timeliness] with (O)
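The tuple notation above, together with the migrate/execute decisions (F = K, L = ND, T = S before migration; F = UK, L = ND, T = E at the host), the "stronger mechanisms for less trusted principals" idea, the trusted-host services and the goal of deriving new trust relationships from initial ones by rules, can be exercised end to end in a few dozen lines. The following is an added example and not the authors' algorithm or code: O is taken as a single security objective per tuple, and the ordering of trust levels, the mapping from a trust level to a mechanism class, the one-level changes on a detected violation or on a trusted host's vouch, and the constructed scenario are all assumptions of this example.

```python
"""Trust tuples and the migrate/execute decision.

Added example, not the authors' code.  It follows the notation on the
'Formalizing Trust Relationships' slide,

    [Principal] [Trust Level] -> [Foreknowledge] [Principal] [Timeliness] with (O)

with O taken as a single security objective per tuple.  Assumed here (not on
the slides): the ordering of trust levels, the mapping from trust level to a
mechanism class, the one-step changes on a detected violation or a trusted
host's vouch, and the constructed scenario at the bottom.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

TRUST_ORDER = ["HU", "U", "ND", "T", "HT"]   # legend on the slides, least -> most trusted
TIMELINESS = ("S", "E")                       # S: before migration, E: at host (decision slides)


def rank(level: str) -> int:
    return TRUST_ORDER.index(level)


@dataclass(frozen=True)
class TrustTuple:
    trustor: str        # e.g. "A:ax" (an agent instance)
    level: str          # HT | T | ND | U | HU
    foreknowledge: str  # K (known) | UK (unknown)
    trustee: str        # e.g. "EH:1" (an executing host)
    objective: str      # the security objective O this trust is limited to


class TrustStore:
    """Trust tuples one principal has derived so far, keyed per objective."""

    def __init__(self) -> None:
        self._tuples: Dict[Tuple[str, str, str], TrustTuple] = {}

    def put(self, t: TrustTuple) -> None:
        self._tuples[(t.trustor, t.trustee, t.objective)] = t

    def level(self, trustor: str, trustee: str, objective: str) -> Tuple[str, str]:
        """Effective (trust level, foreknowledge) for one objective.

        A principal never met is F = UK, L = ND, as on the decision slides.
        Trust is limited: a principal known for other objectives but not this
        one is F = K, L = ND."""
        t = self._tuples.get((trustor, trustee, objective))
        if t is not None:
            return t.level, t.foreknowledge
        known = any(k[0] == trustor and k[1] == trustee for k in self._tuples)
        return "ND", ("K" if known else "UK")


def required_mechanism(level: str, foreknowledge: str) -> str:
    """Stronger (prevention) mechanisms for less trusted or unknown principals,
    weaker (detection) mechanisms for more trusted, known ones.  The exact
    thresholds are this example's assumption."""
    if level == "HU":
        return "refuse"
    if foreknowledge == "UK" or rank(level) <= rank("ND"):
        return "prevention"
    return "detection"


def decide(store: TrustStore, trustor: str, trustee: str,
           timeliness: str, objective: str) -> Tuple[bool, str]:
    """T = S: whether to MIGRATE to the host; T = E: whether to EXECUTE on it.
    Returns (allowed, mechanism class the trustor must require)."""
    if timeliness not in TIMELINESS:
        raise ValueError(f"bad timeliness {timeliness!r}")
    level, fk = store.level(trustor, trustee, objective)
    mech = required_mechanism(level, fk)
    return mech != "refuse", mech


def _shift(store: TrustStore, trustor: str, trustee: str, objective: str, steps: int) -> str:
    """Move trust by `steps` levels (clamped); after any interaction the trustee is known."""
    cur, _ = store.level(trustor, trustee, objective)
    new = TRUST_ORDER[min(max(rank(cur) + steps, 0), len(TRUST_ORDER) - 1)]
    store.put(TrustTuple(trustor, new, "K", trustee, objective))
    return new


def record_violation(store: TrustStore, trustor: str, trustee: str, objective: str) -> str:
    """A detected violation alters (lowers) trust: one level here."""
    return _shift(store, trustor, trustee, objective, -1)


def vouch(store: TrustStore, trusted_host: str, trustor: str, trustee: str, objective: str) -> str:
    """A trusted host lets a principal trust another more.  Counts only if the
    trustor itself trusts that host (T or HT) for the objective, and the
    derived trust is capped at T."""
    th_level, _ = store.level(trustor, trusted_host, objective)
    cur, _ = store.level(trustor, trustee, objective)
    if rank(th_level) < rank("T") or rank(cur) >= rank("T"):
        return cur
    return _shift(store, trustor, trustee, objective, +1)


def scenario() -> List[Tuple[bool, str]]:
    """Constructed walk-through: agent ax meets executing host EH:1."""
    store = TrustStore()
    obj = "state integrity"
    store.put(TrustTuple("A:ax", "T", "K", "TH:1", obj))   # ax trusts TH:1 (constructed)
    steps = [decide(store, "A:ax", "EH:1", "S", obj)]     # unknown host: migrate, but require prevention
    vouch(store, "TH:1", "A:ax", "EH:1", obj)             # ND -> T on TH:1's word
    steps.append(decide(store, "A:ax", "EH:1", "E", obj)) # known, trusted: execute with detection only
    record_violation(store, "A:ax", "EH:1", obj)          # T -> ND
    steps.append(decide(store, "A:ax", "EH:1", "S", obj)) # back to prevention
    record_violation(store, "A:ax", "EH:1", obj)          # ND -> U
    record_violation(store, "A:ax", "EH:1", obj)          # U -> HU
    steps.append(decide(store, "A:ax", "EH:1", "S", obj)) # refuse to migrate
    return steps


if __name__ == "__main__":
    for allowed, mech in scenario():
        print(allowed, mech)
```

The store is keyed by (trustor, trustee, objective) so that the "limited" notion from the trust-levels slide falls out naturally: a host trusted for state integrity is still non-determined for code privacy until a rule says otherwise. The scenario shows the rules deriving new tuples from the initial ones, with the chosen mechanism class moving from prevention to detection and back as trust is gained through a trusted host and lost through detected violations.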

Page 44: Application Security Models for Mobile Agent Systems

44

Defining Mobile Agent Trust

Trustworthiness of the agent code might be expressed in terms of three requirements:
- Authentication of the code’s designer and the code’s identity
- Integrity verification that the code received is the same as the code transmitted by an application owner
- Probabilistic proofs that the code meets some predefined security policy or safety requirements

Page 45: Application Security Models for Mobile Agent Systems

45

Defining Mobile Agent Trust

[Figure: principals DH, EH, EH, CD, AO, DHO, EHO, EHO and A]

Page 46: Application Security Models for Mobile Agent Systems

46

Requirements Among Principals

EH → AO (DH): host data privacy, host anonymity, agent state authenticity, agent non-repudiation

Page 47: Application Security Models for Mobile Agent Systems

47

Requirements Among Principals

EH → A (CD): agent code safety, host availability, host integrity, agent code authenticity, agent code integrity

Page 48: Application Security Models for Mobile Agent Systems

48

Requirements Among Principals

EH → EH: state integrity, state privacy, host authenticity, host non-repudiation, host anonymity

Page 49: Application Security Models for Mobile Agent Systems

49

Defining Mobile Agent Trust

Hosts and Agents: ax → EH[i], EH[i] → ax, ax → TH[i], TH[i] → ax, DH → ax, ax → DH, ax → ay

Page 50: Application Security Models for Mobile Agent Systems

50

Defining Mobile Agent Trust

People to Hosts/Agents: AO → CD, AO → DH, AO → EH[i], CD → AO, CD → DH, CD → EH[i], DH → CD, DH → AO, EH[i] → CD, EH[i] → AO

Application Owner = AO; Code Developer = CD

Page 51: Application Security Models for Mobile Agent Systems

51

Defining Trust-Enhanced Security: Executing Hosts Acquire Trust Regarding Application Owners

Per host (the figure shows Host 1):
[ALL PRIOR APPS] [ CURRENT APP ]
TRUST ACQUISITION: INITIAL TRUST → FINAL TRUST