Title: Secure Mobile Agents: Techniques, Modeling and Application
1 Secure Mobile Agents: Techniques, Modeling and Application
- Presented by Chan Hing Wing, Anthony
- Dec 15, 1999
- Room 1027, SHB, CUHK
2 Introduction
- Evolution of mobile agents
- Security concerns of mobile agents
- Techniques to protect mobile agents
- Security modeling of mobile agents
- SIAS: a mobile agent application and its security issues
- Conclusion and future work
3 What are Mobile Agents?
- A form of mobile code
- Mobility: programs can move across different machines and platforms, and run on different host machines
- Agency: programs act autonomously for their users / owners
- Agents can move with different execution states; therefore, they can roam around the network to perform complex tasks
4 Mobile Code Classification
- Know-how: the code to execute
- Resources: input/output for code execution
- Processor: abstract machine that holds the state of computation
Ghezzi and Vigna's classification of mobile code paradigms
5 Why Mobile Agents?
- Seven Good Reasons for Mobile Agents (in CACM, March, 1999)
  - They reduce the network load
  - They overcome network latency
  - They encapsulate protocols
  - They execute asynchronously and autonomously
  - They adapt dynamically
  - They are naturally heterogeneous
  - They are robust and fault-tolerant
6 Mobile Agent Security Concerns
- Two aspects
  - host security
    - protecting a host against malicious agents
    - protecting a host against other hosts can be done in traditional manner
  - agent security
    - protecting agents against malicious hosts
    - protecting agents from other agents would be easy if agents can be protected from malicious hosts
7 Host Security
- Agent Integrity
  - sandboxing, run-time verification, proof-carrying code
- Agent Authentication
  - digital signatures (analogy: signed applets)
- Authorization
  - access control lists
- Allocation (against denial-of-service attack)
  - market-based mechanism
8 Agent Security
Model proposed by Fritz Hohl
- Attack scenarios that can be described
  - spying out and modification of the data part of an agent
  - spying out and modification of the code part of an agent
  - manipulation of the code execution sequence of an agent
  - manipulation of the execution environment of an agent
[Figure: an agent inside the environment of a malicious host, alongside other agents. Labels: read/manipulate (environment), read/manipulate properties, control execution, system call]
9 Techniques to Protect Agents
- Three branches of solutions
  - Establishing a closed network
    - sends agent to trusted hosts only
    - effective but sacrifices system openness
  - Agent tampering detection
    - detect and recover from any tampering with agents
    - not suitable for very critical actions, for which detection may be too late
  - Agent tampering prevention
    - prevent agent from being tampered with
    - not very well developed
10 Agent Tampering Prevention - Examples
- Protected Agent States (Neeran Karnik)
- Simple ideas to protect agent data
  - read-only states: states of the agent are digitally signed by the sender
  - append-only logs: information provided to agent is digitally signed by the info provider
  - targeted states: states of the agent are encrypted with the public key of a targeted host, therefore other hosts cannot understand them
11 Another Example
- Mobile Cryptography (Tomas Sander)
  - protect the code part of an agent
  - proved to be applicable to polynomial functions only, for the time being
Alice asks Bob (sends agent to Bob) to calculate f(x) for her
[Figure: exchange between Alice and Bob. Labels in order: Alice's function f, (1) P(E(f)), (2) P(E(f)), key, Bob's input x, E(f(x)), P(E^-1), (3) f(x), (4)]
12 Security Model for Mobile Agents
[Figure: an agent travelling through Host 1, Host 2, ..., Host n]
The agent stays at host $i$ for a time period $t_i$.
Assume an independent, exponential distribution of time-to-breach (Jonsson's experiment) at each host $i$, i.e.,
$P(\text{breach at host } i) = 1 - \exp(-\lambda_i t_i)$, for $i = 1$ to $n$,
where $\lambda_i = v k_i$ is a constant, $v$ = index of vulnerability, $k_i$ = index of malice.
13 Proposed Security Model (cont'd)
Security of system = $P(\text{no breach at all hosts}) = \exp(-\lambda_1 t_1)\,\exp(-\lambda_2 t_2) \cdots \exp(-\lambda_n t_n)$
A Possible Application of the model: Assume we can estimate $\lambda_i$ for each $i$ from 1 to $n$, then we can determine the upper limits of time to stay on each host $i$ (a set of values of $t_i$) for the agent to become free of breach at a certain probability (ref: time-limited black-box)
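A worked instance of this application, added here and not part of the original slides. It assumes the allowed breach risk is split equally across the hosts; the target probability $p_0$ and the numeric rates are constructed for illustration.

Requiring $P(\text{no breach at all hosts}) \ge p_0$:

$$\prod_{i=1}^{n} \exp(-\lambda_i t_i) = \exp\Big(-\sum_{i=1}^{n} \lambda_i t_i\Big) \ge p_0 \iff \sum_{i=1}^{n} \lambda_i t_i \le -\ln p_0$$

Giving every host an equal share of the budget $-\ln p_0$ yields the per-host limit

$$t_i \le \frac{-\ln p_0}{n\,\lambda_i}$$

For $n = 3$, $p_0 = 0.95$ and $(\lambda_1, \lambda_2, \lambda_3) = (0.01, 0.02, 0.05)$ per second: $-\ln 0.95 \approx 0.0513$, each host's share is about $0.0171$, and the limits are approximately $t_1 \le 1.71$ s, $t_2 \le 0.85$ s, $t_3 \le 0.34$ s. The host with the highest breach rate gets the shortest stay.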
14 Problems of the model
- The validity of the assumption of exponential distribution of attacker behavior should be questioned
- Even if the assumption is valid, it seems difficult to give estimates to the indices of malice ($k_i$) and vulnerabilities ($v$)
15 SIAS: Shopping Information Agent System
- An experiment with mobile agent applications
- Collaboration with two undergraduate students
- Users send agents to query prices in an electronic marketplace
- System is built using Java, and the Concordia mobile agent toolkit from Mitsubishi
16 SIAS System Control Flow
17 SIAS Agent Properties
- An agent in SIAS carries three properties
  - list of product Ids (Id-list)
    - products of which prices are to be queried
  - list of product quantities (Q-list)
    - quantities of products at which prices are to be queried
  - list of product entries (E-list)
    - information returned to agents from hosts in the marketplace
18 SIAS Security Problems
- Modification of the Id-list and Q-list
  - Malicious host may modify the products and quantities to be queried in its favor
- Spying out and modification of the E-list
  - Malicious host may spy out and modify the price information collected by an agent from a competing host
- Modification of the itinerary of an agent
  - Malicious host may simply send agent to other hosts, or directly back to sender, skipping competing hosts
19 SIAS Security Enhancements
- Product ID list changed to: Product ID list, $\mathrm{sig}_A(\text{Product ID list})$
- Product Quantity list changed to: Product Quantity list, $\mathrm{sig}_A(\text{Product Quantity list})$
- Query result changed to: $D_A(\text{Query result}, \mathrm{sig}_H(\text{Query result}))$
- New attribute (chain of encrypted itineraries): $E_{H(N)}(E_{H(N-1)}(\ldots E_{H(2)}(E_{H(1)}(\text{Itinerary at Host 1}), \text{Itinerary at Host 2}) \ldots, \text{Itinerary at Host } N-1), \text{Itinerary at Host } N)$
Key:
- $A$: agent
- $H$: host
- $H(k)$: $k$-th host visited by the agent
- $\mathrm{sig}_X(Y)$: digital signature of $Y$ using the private key of $X$
- $E_X(Y)$: the ciphertext of $Y$ encrypted by the private key of $X$
- $D_X(Y)$: ciphertext of $Y$ encrypted by the public key of $X$
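An added example, not taken from the slides or from the SIAS code, of the signature-based protections on slides 10 and 19: a read-only Id-list carried with the owner's signature, and an itinerary log whose links are chained so that the owner can check it on return. It uses the JDK's `java.security` API; nested RSA signatures stand in for the slide's private-key encryption of the itinerary chain, and the class name, list contents and itinerary strings are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;

public class SiasIntegrityDemo {
    static byte[] utf8(String s) { return s.getBytes(StandardCharsets.UTF_8); }

    static byte[] sign(PrivateKey key, byte[]... parts) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(key);
        for (byte[] p : parts) s.update(p);
        return s.sign();
    }

    static boolean verify(PublicKey key, byte[] sig, byte[]... parts) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(key);
        for (byte[] p : parts) s.update(p);
        return s.verify(sig);
    }

    // Owner-side check: link k must be host k's signature over (link k-1 || entry k).
    static boolean chainOk(KeyPair[] hosts, String[] entries, byte[][] links) throws GeneralSecurityException {
        byte[] prev = new byte[0];
        for (int k = 0; k < links.length; k++) {
            if (!verify(hosts[k].getPublic(), links[k], prev, utf8(entries[k]))) return false;
            prev = links[k];
        }
        return true;
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair owner = gen.generateKeyPair();   // A, the agent's owner
        KeyPair[] hosts = { gen.generateKeyPair(), gen.generateKeyPair(), gen.generateKeyPair() };

        // Read-only state: the Id-list travels together with sig_A(Id-list).
        byte[] sigA = sign(owner.getPrivate(), utf8("P100,P200"));          // constructed list
        System.out.println("intact Id-list verifies:   " + verify(owner.getPublic(), sigA, utf8("P100,P200")));
        System.out.println("modified Id-list verifies: " + verify(owner.getPublic(), sigA, utf8("P100,P999")));

        // Itinerary log: each host signs the previous link plus its own entry.
        String[] entries = { "H1 -> H2", "H2 -> H3", "H3 -> A" };            // constructed entries
        byte[][] links = new byte[hosts.length][];
        byte[] prev = new byte[0];
        for (int k = 0; k < hosts.length; k++) {
            links[k] = sign(hosts[k].getPrivate(), prev, utf8(entries[k]));
            prev = links[k];
        }
        System.out.println("untouched log verifies:    " + chainOk(hosts, entries, links));

        entries[0] = "H1 -> H3";   // an earlier entry altered after it was signed
        System.out.println("rewritten log verifies:    " + chainOk(hosts, entries, links));
    }
}
```

The chain only proves that recorded entries were not altered; the owner still has to compare the verified path with the planned itinerary to notice a host that was never visited.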
20 SIAS Control Flow with Security
21 SIAS Evaluation of Security Enhancements
- Assume the key server, key generation, and the communication channel are secure
- Since the enhancements are based on cryptographic techniques, protection of the agent properties is provable
22 SIAS Performance Evaluation
SIAS without security measures
23 SIAS with security measures implemented
24 SIAS with a malicious host trying to modify product list of agent
25 SIAS with a malicious host trying to modify the itinerary of agent
26 Conclusion
- Mobile agents as an emerging paradigm to substitute/complement client/server
- Mobile agent security needs particular attention
- Some agent protection techniques have been introduced
- A model is proposed for evaluating security of mobile agent systems, with application and problems discussed
- An experiment (SIAS) carried out with security and performance evaluation
27 Future Work
- Conduct experiment to test and evaluate different protection methods of mobile agents, e.g., mobile cryptography
- Explore both cryptographic and non-cryptographic security mechanisms to protect mobile agents
- Scale up SIAS, with further security enhancements
28 Questions and Answers
29 The End