Upload
jaunie
View
27
Download
1
Embed Size (px)
DESCRIPTION
The Security Architecture of the M&M Mobile Agent Framework. P. Marques, N. Santos , L. Silva, J. Silva CISUC, University of Coimbra, Portugal [email protected]. Outlook. M&M Overview Java and Mobile Agents security M&M Security Requirements Challenges/Problems Architecture. M&M Overview. - PowerPoint PPT Presentation
Citation preview
122 August 2001
The Security Architecture of The Security Architecture of the M&M Mobile Agent the M&M Mobile Agent
Framework Framework
P. Marques, N. Santos, L. Silva, J. SilvaCISUC, University of Coimbra, Portugal
222 August 2001
Outlook
M&M Overview Java and Mobile Agents security M&M Security
Requirements Challenges/Problems Architecture
322 August 2001
M&M Overview
M&M Overview Java and Mobile Agents security M&M Security
Requirements Challenges/Problems Architecture
Conclusion
422 August 2001
M&M OverviewM&M Programming Model
HOST A HOST B
other app objects
Application B
other app objects
Application A
Middleware MobilityComponents
522 August 2001
M&M OverviewThe component approach
Component approach: mobile agent support built as a set of components
Applications become agent-enabled by using binary software components (JavaBeans and ActiveX)
Easy to program (Visual Builder Tools) Security is integrated into the application security
framework Agents can be application specific Only the required components are included in each
application
622 August 2001
Java and Mobile Agents security
M&M Overview
Java and Mobile Agents security M&M Security
Requirements Challenges/Problems Architecture
Conclusion
722 August 2001
Java and Mobile Agents securityThe good
Dynamic class loading Object serialization Fine-grained security framework Sandbox model Many powerfull APIs Simple to program
822 August 2001
Java and Mobile Agents securityThe bad
Notion of thread but no notion of process All classes are loaded to the same JVM A mis-behaving agent may deadlock the JVM No standard and correct way of killing a thread.
No resource control mechanism The standard security model has no notion of user
Authentication and authorization based on who signed the code and where it came from
Java was designed for single-user environments. No operating-system like features!
922 August 2001
M&M Security
M&M Overview Java and Mobile Agents security
M&M Security Requirements Challenges/Problems Architecture
Conclusion
1022 August 2001
M&M SecurityRequirements
General security models are hard to implement How to protect agents from
hosts? Limited model: agent-
accountable environments Infrastructure owned by
cooperating organizations Contract: do not attack any
agent executing on their hosts Useful in the real world
This model assumes: Hosts do not attack agents Agents may mis-behave and
attack hosts and other agents
Host
attacks
atta
cks
attacks
atta
cks
1122 August 2001
M&M SecurityRequirements
Protect the agent runtime from agents Unauthorized access or operation Excessive resource consumption Overflow by agents
Protect agents from agents Tampering or eavesdropping Killing
Limited protection of agents from hosts Cryptography to hide secrets from hosts
1222 August 2001
M&M SecurityChallenges
How to establish the notion of user Agent permissions should be granted based on its owner. The same agent code may be used by several different
entities
But, in the standard Java model: Each class can only have one ProtectionDomain The policy files do not support the notion of user.
How to have different ProtectionDomains for the same agent code?
1322 August 2001
M&M SecurityChallenges
Integration with applications M&M components should integrate seamlessly with
existing applications If the application has already instantiated a
SecurityManager the M&M must work with it.
But, before JDK 1.2 Security policy coded in the SecurityManager Each application had a specific SecurityManager.
After JDK 1.2 Security policy in external files The SecurityManager need not be changed
1422 August 2001
M&M SecurityArchitecture
1522 August 2001
M&M SecurityArchitecture
Works with Java 2 security model. Only requires that a standard SecurityManager be instantiated.
Uses standard Java 2 policy files. Principals: agent owner, agent programmer and hosts Each principal has a pair of private/public keys Strong isolation between agents and system resources
Proxies avoid direct communications between agents and other mobility components.
The Java 2 AccessController protects accesses to the Java API
1622 August 2001
M&M SecurityArchitecture
Authentication Each agent is given an AgentIdentity at creation: agent
name, owners, hash of the code, creation and expiration dates. Signed by the agent owners’ private keys.
Hosts use the agent owners’ public keys to validate migrations Virtual signers: the authenticated owners of the agent.
Authorization For each agent a new ClassLoader is created:
AgentClassLoader ProtectionDomain defined with the virtual signers In the policy files the virtual signers are specified in the
“signedBy” field.
1722 August 2001
M&M SecurityArchitecture
Standard Java Classloading M&M agents ClassLoading
Ag en tI n s tan c e A
Ag en t C las s
Ag en tI n s tan c e B
Ag en tC las s L o ad er A Ag en tC las s L o ad er B
P r o tec tio n D o m ain BP r o tec tio n D o m ain A
Ag en tI d en tity A Ag en tI d en tity BC las s
C las s L o ad er
I n s tan c eA I n s tan c eB
P r o tec tio n D o m ain
1822 August 2001
M&M SecurityArchitecture
Remote Management Interfaces (via RMI) Authentication of the client Server code runs with the permissions of the client
Remote Instalable services Run with the permissions of the principal who installed
it.
More features: Extensive logging facilities Cryptographic primitives for agents: confidentiality and
integrity Migrations protected by SSL sockets
1922 August 2001
M&M SecurityArchitecture
Limitations Resource control. Some solutions
modified JVM JVM Profiling Interfaces
Integration with existing applications If the SecurityManager is modified it may not work. In practise: most modified SecurityManagers still work
with the Mobility components. Logging of API calls
The agent calls the API directly. How to log them? Changing the SecurityManager is not an option.
2022 August 2001
Conclusions
Right now it is not possible to define a perfect security model for mobile agents. Most applications can deal with the risk of the current
models: Accept the risk, if cost is reasonable Use external security mechanisms
The Java language is good for programming mobile agents, but has some limitations: lack of processes, lack of resource control mechanisms, lack of multi-user support
2122 August 2001
Questions?