Mobile Agents and Security

Presented by: Chan Hing Wing, Anthony

March 29, 1999
Room 1027, SHB, CUHK
 Introduction
• Problem of the Client/Server Paradigm
• Mobile Code Paradigms and Technologies
• Security Issues in Distributed Systems
• Security Concerns for Mobile Code
Paradigms
• Security Services of Mobile Code
Technologies
 The Client/Server Paradigm
• Client/Server Paradigm
– conventional design paradigm (i.e., example or pattern,
Webster) of distributed applications
– two processes (client and server) running on two
different hosts; communicate by message exchange
– Example: a simple network file server
• handle only one file per client request (I.e., no mput / mget)
• file listing service also provided
– How to delete all files starting with “f”?
 Problems, Client/Server
– The only way:
• list all files on server
• figure out files starting with “f”
• delete files one by one
– Problems:
• large number of exchanged messages (2n+2 messages for deleting n
files)
• requirement of user-computer interactivity
– Solution:
• upgrade the server and client (to provide mdelete)
– inflexible: how about next time I want mput/mget?
– any other solution?
 The Mobile Code Paradigm
• It would be great if I could send a self-
executing code fragment (instead of a single
instruction) to the server side, that decides
which file to delete for me dynamically!
• Advantages
– reduced network traffic (only code sending, and
perhaps an acknowledgement)
– no need for user-computer interactivity
 Mobile Code Paradigm (MCP)
• Common examples of mobile code:
– rsh in Unix (remote evaluation)
– SQL queries (remote evaluation)
– downloading Java applets (code on demand)

• Other possible applications (mobile agent):

– mobile computing
– electronic commerce, etc.
 MCP Classification
Paradigm Local side Remote side Computation
takes place at
Client/server - Know-how Remote side
Processor
Resources
Remote Know-how Remote side
Mobile evaluation Processor
code Resources
Code on Know-how Local side
demand Processor
Resources
Mobile Know-how Remote side
agent Processor
Resources
• know-how: the code to be executed
• resources: input/output of code
• processor: abstract machine that carries out holds the state of computation
 Mobile Agents
• Mobile Agents:
– The most interesting form of mobile code; one form of
“Intelligent Agents”, which is a hot topic in the AI field
– Mobility: programs can move across different machines
and platforms, and run on different host machines
– Agency: programs act autonomously for the their
users / owners
– Agents can move with different execution states,
therefore, they can co-operate to perform complex tasks
 Supporting Technologies
• Client/Server: Sockets / RPC / CORBA
• Remote evaluation: rsh, SQL, etc.
• Code on demand: Java applets
• Mobile Agents?
– Many Mobile Agent Systems (MAS) being developed, e.g.,
Aglets from IBM, Odyssey from General Magic, and
Objectspace’s Voyager (ORB)
– OMG is drafting the Mobile Agent System Interoperability
Facility (MASIF) to allow for cross-MAS agents under
CORBA
 Security Issues in Distributed
Systems
• General system security requirements:
– integrity
– authenticity
– confidentiality
– availability, for both code and data
• Widely adopted security model:
– each particular “computing base” forms a “security
fortress”, everything (code, data, users, computers) in
the same fortress are trusted
 Client/Server Security
• Client/Server security:
– usually adopt the security fortress model
– major challenges:
• client/server authentication (establishing trust with
another side)
• data/request confidentiality across insecure channel
(by encryption)
– already well developed
 Mobile Code Security Concerns
• Remote evaluation:
– fortress model also applicable
– challenges:
• code sender/receiver authentication
• code encryption across the channel
• Code on demand:
– can also apply the fortress model
– challenges:
• client: building trust on downloaded code (sandboxing, applet signing)
• server: verifying the correct client (authentication)
 Mobile Agent Security
• More complex/challenging because of:
– roaming agents
– co-operating agents
– security fortress model does not apply well
• Two aspects:
– host security:
• protecting the host against malicious agents
– agent security
• protecting the agents against malicious host
 Host security
• Agent Integrity
– sandboxing, run-time verification, proof-carrying code
• Agent Authentication
– digital signatures (analogy: signed applets)
• Authorization
– access control lists
• Allocation (against denial-of-service attack)
– market-based mechanism
 Agent Security
• Example:
– An agent roams around the Internet to look for the lowest
price of a air ticket; it remembers the lowest price it finds
most recently
– Data tampering: change of execution state of agents by
malicious hosts (“brain-flush” the agent of the lowest price
it remembers)
– Execution tampering: change of code or execution sequence
by malicious hosts (deliberately set the local price as the
lowest price, and push the agent to return immediately)
 Agent Protection
• Some proposed approaches:
– Agent tampering detection
• range verification, timing information
• addition of dummy items and functions
• state appraisal functions, cryptographic watermarks
– Agent tampering prevention
• shared secrets, interlocking of agents
– a fault-tolerance approach
• execution of encrypted functions
• Not very well developed
 Security Services, RPC
• Sockets: no security services at all!
• Sun RPC:
– secure RPC services for authentication (man
secure_rpc) with four options
– Kerberos v5: authentication, per-session key generation
– ssleay: free library functions implementing SSLv3, for
authentication and encryption
– Proposed standard: Generic Security Services Application
Program Interface version 2 (GSS-API v.2) (RFC2078)
 Security Services, CORBA
• CORBA Security Services specification
– required implementation of objects Credentials,
Principal Authenticator, Security Context, Access
Control, etc.
– support authentication, authorization, security auditing,
etc.
– however, existing implementation of the specification is
unknown
– some vendors add their own security add-on for their
ORB product (e.g., SSL pack for Visibroker)
 Security Services of MAS
• Aglets and Odyssey:
– Host protection based on Java security model
(sandboxing and signed applets)
– No information about agent protection
• Voyager:
– SSL for communication security
– No details available about host and agent
security
 Conclusion
• Mobile agents as a emerging paradigm to
substitute/complement client/server
• Mobile agent systems being developed
worldwide
• Security concerns as a blocking factor
• Two different views: mobile agents as
security challenge / chance
Questions and Answers
The End