Mobile Agents and Security

Presented by: Chan Hing Wing, Anthony

March 29, 1999

Room 1027, SHB, CUHK


Introduction

• Problem of the Client/Server Paradigm

• Mobile Code Paradigms and Technologies

• Security Issues in Distributed Systems

• Security Concerns for Mobile Code Paradigms

• Security Services of Mobile Code Technologies

The Client/Server Paradigm

• Client/Server Paradigm

  – conventional design paradigm (i.e., example or pattern, Webster) of distributed applications

  – two processes (client and server) running on two different hosts; communicate by message exchange

  – Example: a simple network file server

    • handle only one file per client request (i.e., no mput / mget)

    • file listing service also provided

  – How to delete all files starting with “f”?

Problems, Client/Server

  – The only way:

    • list all files on server

    • figure out files starting with “f”

    • delete files one by one

  – Problems:

    • large number of exchanged messages (2n+2 messages for deleting n files)

    • requirement of user-computer interactivity

  – Solution:

    • upgrade the server and client (to provide mdelete)

      – inflexible: how about next time I want mput/mget?

  – any other solution?

The Mobile Code Paradigm

• It would be great if I could send a self-executing code fragment (instead of a single instruction) to the server side, that decides which file to delete for me dynamically!

• Advantages

  – reduced network traffic (only code sending, and perhaps an acknowledgement)

  – no need for user-computer interactivity
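
The file-deletion scenario from the slides above, as an added example that is not part of the original presentation: a constructed in-process simulation that counts messages for the client/server approach and for shipping a code fragment. `FileServer`, `evaluate` and the sample file names are hypothetical.

```python
# Added example: in-process simulation, no real network traffic.
# Each server method models one request/reply pair (2 messages).

class FileServer:
    def __init__(self, names):
        self.files = set(names)
        self.messages = 0              # messages that crossed the "network"

    def _exchange(self):
        self.messages += 2             # one request + one reply

    def list_files(self):              # client/server: file listing service
        self._exchange()
        return sorted(self.files)

    def delete(self, name):            # client/server: one file per request
        self._exchange()
        self.files.discard(name)

    def evaluate(self, code):          # mobile code: fragment in, acknowledgement out
        self._exchange()
        return code(self.files)


def delete_client_server(server, prefix):
    """List, filter on the client, then delete one by one: 2n+2 messages."""
    targets = [n for n in server.list_files() if n.startswith(prefix)]
    for name in targets:
        server.delete(name)
    return len(targets)


def delete_mobile_code(server, prefix):
    """Ship the decision logic to the server: 2 messages regardless of n."""
    def fragment(files):               # executes next to the server's resources
        doomed = {n for n in files if n.startswith(prefix)}
        files -= doomed                # in-place update of the server's file set
        return len(doomed)
    return server.evaluate(fragment)


def compare(names, prefix="f"):
    cs, mc = FileServer(names), FileServer(names)
    n = delete_client_server(cs, prefix)
    assert delete_mobile_code(mc, prefix) == n and cs.files == mc.files
    return n, cs.messages, mc.messages
```

The server in `evaluate` runs logic supplied by the sender, which is the trust problem the later security slides address.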

Mobile Code Paradigm (MCP)

• Common examples of mobile code:

  – rsh in Unix (remote evaluation)

  – SQL queries (remote evaluation)

  – downloading Java applets (code on demand)

• Other possible applications (mobile agent):

  – mobile computing

  – electronic commerce, etc.

MCP Classification

• know-how: the code to be executed

• resources: input/output of code

• processor: abstract machine that carries out the computation and holds its state

[Table: Paradigm / Local side / Remote side / Computation takes place at. The Local side and Remote side columns place Know-how, Processor and Resources for each paradigm.]

Paradigm                          Computation takes place at

Client/server                     Remote side

Mobile code: Remote evaluation    Remote side

Mobile code: Code on demand       Local side

Mobile code: Mobile agent         Remote side

Mobile Agents

• Mobile Agents:

  – The most interesting form of mobile code; one form of “Intelligent Agents”, which is a hot topic in the AI field

  – Mobility: programs can move across different machines and platforms, and run on different host machines

  – Agency: programs act autonomously for their users / owners

  – Agents can move with different execution states; therefore, they can co-operate to perform complex tasks

Supporting Technologies

• Client/Server: Sockets / RPC / CORBA

• Remote evaluation: rsh, SQL, etc.

• Code on demand: Java applets

• Mobile Agents?

  – Many Mobile Agent Systems (MAS) being developed, e.g., Aglets from IBM, Odyssey from General Magic, and Objectspace’s Voyager (ORB)

  – OMG is drafting the Mobile Agent System Interoperability Facility (MASIF) to allow for cross-MAS agents under CORBA

Security Issues in Distributed Systems

• General system security requirements:

  – integrity

  – authenticity

  – confidentiality

  – availability, for both code and data

• Widely adopted security model:

  – each particular “computing base” forms a “security fortress”; everything (code, data, users, computers) in the same fortress is trusted

Client/Server Security

• Client/Server security:

  – usually adopt the security fortress model

  – major challenges:

    • client/server authentication (establishing trust with another side)

    • data/request confidentiality across insecure channel (by encryption)

  – already well developed

Mobile Code Security Concerns

• Remote evaluation:

  – fortress model also applicable

  – challenges:

    • code sender/receiver authentication

    • code encryption across the channel

• Code on demand:

  – can also apply the fortress model

  – challenges:

    • client: building trust on downloaded code (sandboxing, applet signing)

    • server: verifying the correct client (authentication)

Mobile Agent Security

• More complex/challenging because of:

  – roaming agents

  – co-operating agents

  – security fortress model does not apply well

• Two aspects:

  – host security:

    • protecting the host against malicious agents

  – agent security:

    • protecting the agents against malicious host

Host security

• Agent Integrity

  – sandboxing, run-time verification, proof-carrying code

• Agent Authentication

  – digital signatures (analogy: signed applets)

• Authorization

  – access control lists

• Allocation (against denial-of-service attack)

  – market-based mechanism

Agent Security

• Example:

  – An agent roams around the Internet to look for the lowest price of an air ticket; it remembers the lowest price it has found so far

  – Data tampering: change of execution state of agents by malicious hosts (“brain-flush” the agent of the lowest price it remembers)

  – Execution tampering: change of code or execution sequence by malicious hosts (deliberately set the local price as the lowest price, and push the agent to return immediately)

Agent Protection

• Some proposed approaches:

  – Agent tampering detection

    • range verification, timing information

    • addition of dummy items and functions

    • state appraisal functions, cryptographic watermarks

  – Agent tampering prevention

    • shared secrets, interlocking of agents

      – a fault-tolerance approach

    • execution of encrypted functions

• Not very well developed
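
An added example, not from the original slides, of the detection approaches listed above applied to the air-ticket agent: a state appraisal function that combines range verification, timing information and consistency checks on the agent's state. The class names, price bounds, time limit and sample trips are assumptions made for illustration.

```python
# Added example: state appraisal for the air-ticket agent. All names, price
# bounds and the sample trips are constructed assumptions.
from dataclasses import dataclass, field

@dataclass
class Hop:
    host: str
    quote: float        # price quoted by this host
    seconds: float      # execution time on this host (timing information)

@dataclass
class AgentState:
    itinerary: list                       # hosts the owner asked the agent to visit
    hops: list = field(default_factory=list)
    lowest: float = None
    lowest_host: str = None

    def record(self, host, quote, seconds):
        self.hops.append(Hop(host, quote, seconds))
        if self.lowest is None or quote < self.lowest:
            self.lowest, self.lowest_host = quote, host

def appraise(state, price_range=(50.0, 5000.0), max_seconds=30.0):
    """Return violated invariants. A host that rewrites the whole state
    consistently still passes: this detects tampering, it does not prevent it."""
    findings = []
    if [h.host for h in state.hops] != state.itinerary:
        findings.append("itinerary")          # e.g. agent pushed home early
    lo, hi = price_range
    if state.lowest is None or not lo <= state.lowest <= hi:
        findings.append("range")              # range verification
    quotes = {h.host: h.quote for h in state.hops}
    if quotes and (state.lowest != min(quotes.values())
                   or quotes.get(state.lowest_host) != state.lowest):
        findings.append("lowest-mismatch")    # remembered minimum was altered
    if any(h.seconds > max_seconds for h in state.hops):
        findings.append("timing")
    return findings

def sample_trip(tampered):
    s = AgentState(["air-a", "air-b", "air-c"])
    s.record("air-a", 420.0, 2.1)
    s.record("air-b", 610.0, 41.0 if tampered else 1.8)
    if tampered:   # air-b erases the 420.0 it found and sends the agent home
        s.lowest, s.lowest_host = 610.0, "air-b"
    else:
        s.record("air-c", 455.0, 2.4)
    return s
```

The owner would run `appraise` when the agent returns; an empty list means no invariant was violated.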

Security Services, RPC

• Sockets: no security services at all!

• Sun RPC:

  – secure RPC services for authentication (man secure_rpc) with four options

  – Kerberos v5: authentication, per-session key generation

  – ssleay: free library functions implementing SSLv3, for authentication and encryption

  – Proposed standard: Generic Security Services Application Program Interface version 2 (GSS-API v.2) (RFC2078)

Security Services, CORBA

• CORBA Security Services specification

  – required implementation of objects Credentials, Principal Authenticator, Security Context, Access Control, etc.

  – support authentication, authorization, security auditing, etc.

  – however, existing implementation of the specification is unknown

  – some vendors add their own security add-on for their ORB product (e.g., SSL pack for Visibroker)

Security Services of MAS

• Aglets and Odyssey:

  – Host protection based on Java security model (sandboxing and signed applets)

  – No information about agent protection

• Voyager:

  – SSL for communication security

  – No details available about host and agent security

Conclusion

• Mobile agents as an emerging paradigm to substitute/complement client/server

• Mobile agent systems being developed worldwide

• Security concerns as a blocking factor

• Two different views: mobile agents as security challenge / chance

Questions and Answers

The End