Embed Size (px)
Citation preview
The Mobile Code Paradigm and Its Security Issues
Anthony Chan
September 13, 1999
Presentation Outline
• Drawbacks of client/server paradigm
• Classification of mobile code paradigm
• Mobile code applications and technologies
• Security concerns of mobile code paradigm
• Attack model of malicious hosts against mobile agents
• Conclusion
Client/Server Paradigm
• The most common paradigm being used for distributed application design
• Two problems:– high network bandwidth requirement (large
number of message transfer)– requirement for user-computer interactivity
• Mobile code emerges as a more efficient alternative
Classification of Mobile Code
Paradigm Local side Remote side Computationtakes place at
Know-howProcessor
Client/server -
Resources
Remote side
Know-howProcessor
Remoteevaluation
Resources
Remote side
Know-howProcessor
Code ondemand
Resources
Local side
Know-howProcessor
Mobilecode
Mobileagent
Resources
Remote side
Ghezzi and Vigna’s classification of mobile code paradigms
Mobile Code Applications
• Examples of mobile code systems:– remote evaluation: rsh utility, SQL queries– code on demand: Java applets– mobile agents:
• not common yet, but a lot of platforms for mobile agents being developed worldwide (e.g., Aglets from IBM, Concordia from Mitsubishi)
• Hurdle: SECURITY
Security Concerns of Mobile Code
• A basic requirement:– an application developed using the mobile code
paradigm can be as secure as the same application developed using the client/server paradigm
– otherwise mobile code could not be used for security-critical applications, which are very common
Security Attacks
• Actions that compromises security requirements of an application
• Attacks to Client/server: masquerading, forging, etc.
• Additional attacks to remote evaluation/code-on-demand: Trojan horses
• Additional attacks to mobile agents: agent tampering (data/execution)
Security Mechanisms• Mechanisms designed to prevent, detect or recover
from security attacks
• Security mechanisms for client/server:– Kerberos, Secure Socket Layer (SSL), etc.– very well established
• Security mechanism for REV/COD:– sandboxing and code verification
• Security mechanism for mobile agents:– not established at all
Attack model of malicious hosts against mobile agents
(Other agents)
Environment
Malicious Host
Malicious Host
Agent
System callRead/manipulate properties; control execution
Read/manipulate
Model proposed by Fritz Hohl:Attacks scenarios that can be described:
•spy out and modify the whole data part of an agent
•spy out and modify the code part of an agent
•manipulate the code execution sequence of an agent
•manipulate the execution environment of an agent
A mobile agent application
Handheld PC (running Windows CE)
System analyzes the request and asks the server for data
Proxy Server
Get the request from client and send agents to database servers
Network
agent
agent
agent Databases (Oracle server)
Agents get appropriate data here and bring back to proxy server
CLIENT SERVER
A Traveling Information Agent system
agent
Network
Attacks to the sample agents• Possible attacks to the system described:
– a malicious host may spy out and modify data collected by the agent, thus false information is reported to user
– a malicious host may spy out the code of the agent, thereby get to learn what information the particular user is interested in
– a malicious host may manipulate the execution sequence of the agent, and make the agent request some information for it illegitimately
– a malicious host may manipulate the information obtained from the databases, and report false information to the agent
Conclusion• Mobile code as an alternative to client/server for
distributed applications• Security as a major hurdle to mobile code• Mobile code (especially mobile agents) faces more
attacks than client/server do, while the corresponding security mechanisms are not well established
• An application to illustrate attacks to agents• Efforts should be devoted to secure agents
