Mobile Agents and Security
Presented by: Chan Hing Wing, Anthony
March 29, 1999
Room 1027, SHB, CUHK
Introduction
• Problem of the Client/Server Paradigm
• Mobile Code Paradigms and Technologies
• Security Issues in Distributed Systems
• Security Concerns for Mobile Code Paradigms
• Security Services of Mobile Code Technologies
The Client/Server Paradigm
• Client/Server Paradigm
  – conventional design paradigm (i.e., example or pattern, Webster) of distributed applications
  – two processes (client and server) running on two different hosts; communicate by message exchange
  – Example: a simple network file server
    • handles only one file per client request (i.e., no mput / mget)
    • file listing service also provided
  – How to delete all files starting with “f”?
Problems, Client/Server
  – The only way:
    • list all files on server
    • figure out files starting with “f”
    • delete files one by one
  – Problems:
    • large number of exchanged messages (2n+2 messages for deleting n files)
    • requirement of user-computer interactivity
  – Solution:
    • upgrade the server and client (to provide mdelete)
      – inflexible: how about next time I want mput/mget?
      – any other solution?
The Mobile Code Paradigm
• It would be great if I could send a self-executing code fragment (instead of a single instruction) to the server side, that decides which file to delete for me dynamically!
• Advantages
  – reduced network traffic (only code sending, and perhaps an acknowledgement)
  – no need for user-computer interactivity
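
The two ways of deleting all files starting with “f”, simulated in Python so the message counts can be compared. This is an added example, not part of the original slides; `FileServer`, its methods and the sample file names are hypothetical.

```python
class FileServer:
    """Toy file server; counts every message that crosses the network."""

    def __init__(self, names):
        self.files = set(names)
        self.messages = 0

    def _rpc(self, result):
        self.messages += 2            # one request plus one reply
        return result

    def list_files(self):             # client/server: file listing service
        return self._rpc(sorted(self.files))

    def delete(self, name):           # client/server: one file per request
        self.files.discard(name)
        return self._rpc("ok")

    def evaluate(self, code):         # mobile code: run the fragment next to the data
        return self._rpc(code(self.files))


def delete_client_server(server, prefix):
    """List, filter on the client, delete one by one: 2n+2 messages."""
    for name in server.list_files():
        if name.startswith(prefix):
            server.delete(name)
    return server.messages


def delete_mobile_code(server, prefix):
    """Ship the selection logic; only the code and an acknowledgement travel."""
    def fragment(files):
        doomed = {f for f in files if f.startswith(prefix)}
        files -= doomed               # mutates the server's set in place
        return len(doomed)
    server.evaluate(fragment)
    return server.messages
```

The fragment receives the server's whole file set, which is the host-security question the later slides raise: the host has to decide what a received code fragment may touch.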
Mobile Code Paradigm (MCP)
• Common examples of mobile code:
  – rsh in Unix (remote evaluation)
  – SQL queries (remote evaluation)
  – downloading Java applets (code on demand)
• Other possible applications (mobile agent):
  – mobile computing
  – electronic commerce, etc.
MCP Classification
• know-how: the code to be executed
• resources: input/output of code
• processor: abstract machine that carries out the computation and holds its state
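Paradigm          | Local side           | Remote side                    | Computation takes place at
------------------|----------------------|--------------------------------|---------------------------
Client/server     | -                    | Know-how, Processor, Resources | Remote side
Remote evaluation | Know-how             | Processor, Resources           | Remote side
Code on demand    | Processor, Resources | Know-how                       | Local side
Mobile agent      | Know-how, Processor  | Resources                      | Remote side
Mobile code: remote evaluation, code on demand, mobile agent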
Mobile Agents
• Mobile Agents:
  – The most interesting form of mobile code; one form of “Intelligent Agents”, which is a hot topic in the AI field
  – Mobility: programs can move across different machines and platforms, and run on different host machines
  – Agency: programs act autonomously for their users / owners
  – Agents can move with different execution states; therefore, they can co-operate to perform complex tasks
Supporting Technologies
• Client/Server: Sockets / RPC / CORBA
• Remote evaluation: rsh, SQL, etc.
• Code on demand: Java applets
• Mobile Agents?
  – Many Mobile Agent Systems (MAS) being developed, e.g., Aglets from IBM, Odyssey from General Magic, and ObjectSpace’s Voyager (ORB)
  – OMG is drafting the Mobile Agent System Interoperability Facility (MASIF) to allow for cross-MAS agents under CORBA
Security Issues in Distributed Systems
• General system security requirements:
  – integrity
  – authenticity
  – confidentiality
  – availability, for both code and data
• Widely adopted security model:
  – each particular “computing base” forms a “security fortress”; everything (code, data, users, computers) in the same fortress is trusted
Client/Server Security
• Client/Server security:
  – usually adopts the security fortress model
  – major challenges:
    • client/server authentication (establishing trust with the other side)
    • data/request confidentiality across an insecure channel (by encryption)
  – already well developed
Mobile Code Security Concerns
• Remote evaluation:
  – fortress model also applicable
  – challenges:
    • code sender/receiver authentication
    • code encryption across the channel
• Code on demand:
  – can also apply the fortress model
  – challenges:
    • client: building trust on downloaded code (sandboxing, applet signing)
    • server: verifying the correct client (authentication)
Mobile Agent Security
• More complex/challenging because of:
  – roaming agents
  – co-operating agents
  – security fortress model does not apply well
• Two aspects:
  – host security:
    • protecting the host against malicious agents
  – agent security:
    • protecting the agents against malicious hosts
Host security
• Agent Integrity
  – sandboxing, run-time verification, proof-carrying code
• Agent Authentication
  – digital signatures (analogy: signed applets)
• Authorization
  – access control lists
• Allocation (against denial-of-service attack)
  – market-based mechanism
Agent Security
• Example:
  – An agent roams around the Internet to look for the lowest price of an air ticket; it remembers the lowest price it has found so far
  – Data tampering: change of execution state of agents by malicious hosts (“brain-flush” the agent of the lowest price it remembers)
  – Execution tampering: change of code or execution sequence by malicious hosts (deliberately set the local price as the lowest price, and push the agent to return immediately)
Agent Protection
• Some proposed approaches:
  – Agent tampering detection
    • range verification, timing information
    • addition of dummy items and functions
    • state appraisal functions, cryptographic watermarks
  – Agent tampering prevention
    • shared secrets, interlocking of agents
      – a fault-tolerance approach
    • execution of encrypted functions
• Not very well developed
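
One way the detection ideas above (range verification and a state appraisal function) could be applied to the air-ticket agent when it returns to its owner. This is an added Python example, not from the original slides; the per-host shared keys, the fixed itinerary, the fare range and all names are assumptions.

```python
import hashlib
import hmac

# Constructed sample keys: the owner is assumed to share one key with each host.
HOST_KEYS = {"airA": b"key-A", "airB": b"key-B", "airC": b"key-C"}
PRICE_RANGE = (50, 5000)  # assumed plausible fares, used for range verification


def tag(host, price, prev_tag):
    """MAC a host attaches to its offer, chained to the previous entry's tag."""
    msg = f"{host}|{price}|".encode() + prev_tag
    return hmac.new(HOST_KEYS[host], msg, hashlib.sha256).digest()


def visit(state, host, price):
    """Honest host: append a tagged offer and update the remembered minimum."""
    prev = state["log"][-1][2] if state["log"] else b"start"
    state["log"].append((host, price, tag(host, price, prev)))
    if state["lowest"] is None or price < state["lowest"][1]:
        state["lowest"] = (host, price)


def honest_trip(offers):
    """Constructed sample run over a list of (host, price) offers."""
    state = {"log": [], "lowest": None}
    for host, price in offers:
        visit(state, host, price)
    return state


def appraise(state, itinerary):
    """Owner-side state appraisal on return; an empty list means no finding."""
    findings = []
    if [h for h, _, _ in state["log"]] != list(itinerary):
        findings.append("itinerary mismatch")
    prev = b"start"
    for host, price, t in state["log"]:
        known = host in HOST_KEYS
        if not known or not hmac.compare_digest(t, tag(host, price, prev)):
            findings.append(f"bad tag from {host}")
        if not PRICE_RANGE[0] <= price <= PRICE_RANGE[1]:
            findings.append(f"price out of range at {host}")
        prev = t
    best = min(state["log"], key=lambda e: e[1], default=None)
    if best is None or state["lowest"] != best[:2]:
        findings.append("lowest price inconsistent with log")
    return findings
```

A host that misreports only its own price still passes; the appraisal catches changes to state the host does not own, such as the remembered minimum or another host's entry.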
Security Services, RPC
• Sockets: no security services at all!
• Sun RPC:
  – secure RPC services for authentication (man secure_rpc) with four options
  – Kerberos v5: authentication, per-session key generation
  – SSLeay: free library functions implementing SSLv3, for authentication and encryption
  – Proposed standard: Generic Security Services Application Program Interface version 2 (GSS-API v.2) (RFC 2078)
Security Services, CORBA
• CORBA Security Services specification
  – requires implementation of the objects Credentials, Principal Authenticator, Security Context, Access Control, etc.
  – supports authentication, authorization, security auditing, etc.
  – however, existing implementation of the specification is unknown
  – some vendors add their own security add-on for their ORB product (e.g., SSL pack for VisiBroker)
Security Services of MAS
• Aglets and Odyssey:
  – Host protection based on Java security model (sandboxing and signed applets)
  – No information about agent protection
• Voyager:
  – SSL for communication security
  – No details available about host and agent security
Conclusion
• Mobile agents as an emerging paradigm to substitute/complement client/server
• Mobile agent systems being developed worldwide
• Security concerns as a blocking factor
• Two different views: mobile agents as security challenge / chance