Mobile Code Security Evaluation Presented by: Chan Hing Wing, Anthony April 26, 1999 Room 1027, SHB, CUHK


Page 1: Mobile Code Security Evaluation

Mobile Code Security Evaluation

Presented by: Chan Hing Wing, Anthony

April 26, 1999

Room 1027, SHB, CUHK

Page 2: Mobile Code Security Evaluation

Introduction

– Problems of the client/server paradigm
– The mobile code paradigm (MCP) and supporting implementation technologies
– Security evaluation of mobile code paradigms and technologies
– A security model for mobile agents
– Conclusion and future work

Page 3: Mobile Code Security Evaluation

The Client/Server Paradigm

– The conventional design paradigm (i.e., example or pattern, Webster) of distributed applications
– Two processes (client and server) running on two different hosts; communicate by message exchange
– Example: a simple network file server
  • handles only one file per client request (i.e., no mput / mget)
  • file listing service also provided
– How to delete all files starting with “f”?

Page 4: Mobile Code Security Evaluation

Problems, Client/Server

– The only way:
  • list all files on server
  • figure out files starting with “f”
  • delete files one by one
– Problems:
  • large number of exchanged messages
  • requirement of user-computer interactivity
– Solution:
  • upgrade the server and client (to provide mdelete)
    – inflexible: how about next time I want mput/mget?
    – any other solution?

Page 5: Mobile Code Security Evaluation

The Mobile Code Paradigm

It would be great if I could send a self-executing code fragment (instead of a single instruction) to the server side, that decides which file to delete for me dynamically!

Advantages
– reduced network traffic (only code sending, and perhaps an acknowledgement)
– no need for user-computer interactivity

Page 6: Mobile Code Security Evaluation

Mobile Code Paradigm (MCP)

Three forms of MCP (Ghezzi & Vigna):
– remote evaluation (REV), code on demand (COD), mobile agent (MA)

Common examples of mobile code:
– rsh in Unix (REV)
– SQL queries (REV)
– downloading Java applets (COD)

Other possible applications (MA):
– mobile computing
– electronic commerce, etc.

Page 7: Mobile Code Security Evaluation

Mobile Agents

– The most interesting form of mobile code; one form of “Intelligent Agents”, which is a hot topic in the AI field
– Mobility: programs can move across different machines and platforms, and run on different host machines
– Agency: programs act autonomously for their users / owners
– Agents can move with different execution states; therefore, they can roam around the network to perform complex tasks

Page 8: Mobile Code Security Evaluation

Why Mobile Agents?

“Seven Good Reasons for Mobile Agents” (in CACM, March, 1999):
– They reduce the network load
– They overcome network latency
– They encapsulate protocols
– They execute asynchronously and autonomously
– They adapt dynamically
– They are naturally heterogeneous
– They are robust and fault-tolerant

Page 9: Mobile Code Security Evaluation

Supporting Technologies

Client/Server: Sockets / RPC / CORBA
Remote evaluation: rsh, SQL, etc.
Code on demand: Java applets
Mobile Agents?
– Many Mobile Agent Systems (MAS) being developed, e.g., Aglets from IBM, Odyssey from General Magic, and Objectspace’s Voyager (ORB)
– OMG is drafting the Mobile Agent System Interoperability Facility (MASIF) to allow for cross-MAS agents under CORBA

Page 10: Mobile Code Security Evaluation

Security Evaluation of MCP

Before we adopt MCP, we should evaluate the security “cost” and “benefit” of MCP, compared with the client/server paradigm

Two criteria for accepting MCP in application development:
– no extra security attacks without corresponding security mechanisms
– easy-to-use, reliable security services provided by supporting technologies

Page 11: Mobile Code Security Evaluation

Client/Server Security

Client/Server security:
– usually adopts the “security fortress” model
  • each particular “computing base” forms a “security fortress”; everything (code, data, users, computers) in the same fortress is trusted
– major challenges:
  • client/server authentication (establishing trust with the other side)
  • data/request confidentiality across an insecure channel (by encryption)
– already well developed

Page 12: Mobile Code Security Evaluation

Mobile Code Security Concerns

Remote evaluation:
– fortress model also applicable
– challenges:
  • code sender/receiver authentication
  • code encryption across the channel

Code on demand:
– can also apply the fortress model
– challenges:
  • client: building trust on downloaded code (sandboxing, applet signing)
  • server: verifying the correct client (authentication)

Page 13: Mobile Code Security Evaluation

Mobile Agent Security

More complex/challenging because of:
– roaming agents
– co-operating agents

Two aspects:
– host security:
  • protecting the host against malicious agents
  • fortress model applies
– agent security:
  • protecting the agents against malicious hosts
  • fortress model does not apply!

Page 14: Mobile Code Security Evaluation

Host security

Agent Integrity
– sandboxing, run-time verification, proof-carrying code

Agent Authentication
– digital signatures (analogy: signed applets)

Authorization
– access control lists

Allocation (against denial-of-service attack)
– market-based mechanism

Page 15: Mobile Code Security Evaluation

Agent Security Example:

– An agent roams around the Internet to look for the lowest price of an air ticket; it remembers the lowest price it finds most recently

– Data tampering: change of execution state of agents by malicious hosts (“brain-flush” the agent of the lowest price it remembers)

– Execution tampering: change of code or execution sequence by malicious hosts (deliberately set the local price as the lowest price, and push the agent to return immediately)

Page 16: Mobile Code Security Evaluation

Agent Protection

Some proposed approaches:
– Agent tampering detection
  • range verification, timing information
  • addition of dummy items and functions
  • state appraisal functions, cryptographic watermarks
– Agent tampering prevention
  • time-limited black-box [Hohl]
  • shared secrets, interlocking of agents
  • a fault-tolerance approach
  • execution of encrypted functions [Sander & Tschudin]

Not very well developed
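As an added illustration (not part of the original slides) of the “range verification” and “state appraisal” detection ideas listed above, applied to the air-ticket agent of the previous slide: the agent carries its collected quotes and the lowest price it remembers, and the owner appraises the returned state. The host names, fares and fare range are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed plausible fare range for the route (bound used by range verification)
FARE_MIN, FARE_MAX = 100.0, 5000.0


@dataclass
class AgentState:
    """Simplified execution state of the ticket-shopping agent: the quotes it
    collected (host, price) in visiting order and the lowest price it remembers."""
    quotes: list = field(default_factory=list)
    lowest: float = float("inf")


def visit(state, host, price):
    """Honest host behaviour: record the quote and update the remembered minimum."""
    state.quotes.append((host, price))
    state.lowest = min(state.lowest, price)
    return state


def appraise(state):
    """State appraisal run by the owner when the agent returns.
    Returns the list of findings; an empty list means the state is consistent."""
    findings = []
    for host, price in state.quotes:           # range verification
        if not FARE_MIN <= price <= FARE_MAX:
            findings.append(f"range: implausible fare {price} from {host}")
    if state.quotes:                           # appraisal: remembered vs. recorded
        expected = min(p for _, p in state.quotes)
        if state.lowest != expected:
            findings.append(f"appraisal: lowest {state.lowest} != min quote {expected}")
    return findings


def brain_flush(state):
    # Malicious host 2 appends an honest-looking quote but overwrites the remembered minimum
    state.quotes.append(("host2", 990.0))
    state.lowest = 990.0


def underbid(state):
    # Malicious host 2 sets an impossible local price to guarantee it wins
    visit(state, "host2", 1.0)


def demo(tamper=None):
    """Run the agent over three constructed hosts; `tamper`, if given, is what a
    malicious host 2 does to the state instead of quoting honestly."""
    s = AgentState()
    visit(s, "host1", 820.0)
    visit(s, "host2", 790.0) if tamper is None else tamper(s)
    visit(s, "host3", 910.0)
    return appraise(s)
```

A host that rewrites the recorded quotes as well as the remembered minimum is not caught by appraisal alone, which is why the slide lists detection and prevention approaches side by side.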

Page 17: Mobile Code Security Evaluation

Security Services, RPC

Sockets: no security services at all!

Sun RPC:
– secure RPC services for authentication (man secure_rpc) with four options
– Kerberos v5: authentication, per-session key generation
– SSLeay: free library functions implementing SSLv3, for authentication and encryption
– Proposed standard: Generic Security Services Application Program Interface version 2 (GSS-API v.2) (RFC2078)

Page 18: Mobile Code Security Evaluation

Security Services, CORBA

CORBA Security Services specification:
– required implementation of objects Credentials, Principal Authenticator, Security Context, Access Control, etc.
– supports authentication, authorization, security auditing, etc.
– however, existing implementation of the specification is unknown
– some vendors add their own security add-on for their ORB product (e.g., SSL pack for Visibroker)

Page 19: Mobile Code Security Evaluation

Security Services of MAS

Aglets and Odyssey:
– Host protection based on Java security model (sandboxing and signed applets)
– No information about agent protection

Voyager:
– SSL for communication security
– No details available about host and agent security

Page 20: Mobile Code Security Evaluation

Summary of Evaluation

Intuitively speaking,

Paradigms: Client/server -> REV/COD -> Mobile agents
  more possible attacks, mechanisms less developed

Technologies: RPC -> CORBA -> MAS
  higher level of abstraction, services less developed

Page 21: Mobile Code Security Evaluation

Security Model for Mobile Agents

[Figure: an agent migrating through Host 1, Host 2, …, Host n]

The agent stays at host i for a time period t_i.

Assume independent, exponentially distributed time-to-breach (Jonsson’s experiment) at each host i, i.e.,

P(breach at host i) = 1 - exp(-λ_i t_i), for i = 1 to n

where λ_i = v k_i is a constant;

v: index of vulnerability; k_i: index of malice

Page 22: Mobile Code Security Evaluation

Proposed Security Model (cont’d)

Security of system = P(no breach at all hosts)

= exp(-λ_1 t_1) exp(-λ_2 t_2) ... exp(-λ_n t_n)

A Possible Application of the model:

Assume we can estimate λ_i for each i from 1 to n; then we can determine the upper limits of time to stay on each host i (a set of values of t_i) for the agent to remain free of breach with a certain probability (ref: time-limited black-box).
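The model on these two slides, worked through as an added example (not from the original presentation): it computes the per-host and overall breach probabilities from λ_i = v k_i and t_i, and inverts the overall probability to obtain the time limits the slide proposes. The values of v, k_i and t_i are constructed, and splitting the exposure budget equally among hosts is an assumption of the example, since the slides do not say how the limits are to be distributed.

```python
import math

# Constructed parameters for a three-host itinerary
V = 0.01                  # index of vulnerability of the agent (constructed)
K = [1.0, 5.0, 2.0]       # index of malice k_i of hosts 1..n (constructed)
T = [10.0, 2.0, 6.0]      # time t_i the agent stays at each host (constructed)


def breach_rates(v, k):
    """lambda_i = v * k_i for every host i (slide 21)."""
    return [v * k_i for k_i in k]


def p_breach_at_host(lam_i, t_i):
    """P(breach at host i) = 1 - exp(-lambda_i t_i): exponential time-to-breach."""
    return 1.0 - math.exp(-lam_i * t_i)


def p_no_breach(lams, ts):
    """Security of system = prod_i exp(-lambda_i t_i) = exp(-sum_i lambda_i t_i),
    valid because the hosts' times-to-breach are assumed independent (slide 22)."""
    return math.exp(-sum(l * t for l, t in zip(lams, ts)))


def max_stay_times(lams, p_target, weights=None):
    """Upper limits t_i such that P(no breach at all hosts) >= p_target.
    The total exposure budget -ln(p_target) = sum_i lambda_i t_i is divided among
    the hosts in proportion to `weights` (equal shares by default; assumption of
    this example), giving t_i = w_i * (-ln p_target) / (lambda_i * sum_j w_j)."""
    if not 0.0 < p_target < 1.0:
        raise ValueError("p_target must lie strictly between 0 and 1")
    budget = -math.log(p_target)
    weights = weights or [1.0] * len(lams)
    total_w = sum(weights)
    return [w * budget / (l * total_w) for w, l in zip(weights, lams)]


if __name__ == "__main__":
    lams = breach_rates(V, K)
    for i, (l, t) in enumerate(zip(lams, T), start=1):
        print(f"host {i}: lambda={l:.3f} t={t:.1f} P(breach)={p_breach_at_host(l, t):.4f}")
    print(f"P(no breach at all hosts) = {p_no_breach(lams, T):.4f}")
    limits = max_stay_times(lams, 0.9)
    print("stay limits for 90% security:", [round(x, 3) for x in limits])
```

Hosts with a higher malice index k_i get proportionally shorter limits, which is the quantitative form of the time-limited black-box idea the slide refers to.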

Page 23: Mobile Code Security Evaluation

Conclusion

– Mobile agents as an emerging paradigm to substitute/complement client/server
– Mobile agent systems being developed worldwide
– Security concerns as a major factor
– Mobile agent security needs particular attention
– A model is proposed for evaluating security of mobile agent systems

Page 24: Mobile Code Security Evaluation

Future Work

– Derive new security mechanisms to protect mobile agents
– Implement security services for mobile agents
– Conduct experiments to verify the proposed model
– Evaluate different security mechanisms and services based on the proposed model

Page 25: Mobile Code Security Evaluation

Questions and Answers

Page 26: Mobile Code Security Evaluation

The End