Security Considerations in Adaptive Middleware

Security and Mobile Agents

Ajanta – Mobile Agent’s research project papers (http://www.cs.umn.edu/Ajanta/publications.html)

H.Spafford and Diego Zamboni, Purdue University - “Intrusion detection using autonomous agents”. (http://www.elsevier.nl/gej-ng/10/15/22/49/30/25/article.pdf)

Sau-Koon Ng “Protecting mobile Agents Against Malicious Hosts”, University of Hong Kong (http://www.informatik.uni-stuttgart.de/ipvr/vs/projekte/mole/security/ngthesis.pdf)

Sander and Tchudin, ICSI/Berkeley"Protecting mobile Agents Against Malicious Hosts" (http://citeseer.nj.nec.com/cache/papers2/cs/16015/http:zSzzSzwww.icsi.berkeley.eduzSz~tschudinzSzpszSzma-security.pdf/sander98protecting.pdf)

• Implementing Intrusion Detection System as a part of Adaptive middleware layer using autonomous Agent’s technology

• Security problems related with the Agent’s mobility

1. Agent’s operation in the hostile environment (securing agents against malicious host)

2. Malicious agents activity (securing host against malicious agents)

Major Directions of Study

Intrusion Detection System – Major Requirements

• Adaptability• Configurability• Minimal system overhead• Fault tolerance• Subversion resistance• Scalability• Dynamic reconfiguration• Compatibility• Graceful degradation of service

Why Autonomous

Agents?

Do we Need

Mobility?

Autonomous Agents - Advantages

• Possibility to add/remove agents to monitor most interesting effects during certain period of time

• An agent can be configured specifically for the host needs where it runs - this gives possibility to implement wide range of security policies

• By dynamically enabling/disabling agents we can use system resources only for the tasks needed and therefore minimize system overhead

• We can enable cross-verification between agents to keep their integrity

• With increasing amount of hosts in the system we can dynamically increase amount of agents therefore making IDS scalable

• If couple of agents are stopped (lets say for maintenance) other can continue working therefore allowing dynamic reconfiguration

• Agents can run on different platforms (like Windows NT family PCs or Sun servers) providing compatibility of IDS with different platforms

• If one agent accidentally stops for any reason only operation of couple of those related with it may be affected

Autonomous Agents - Advantages

Example of Existing IDS Architecture AAFID

Filter

Filter

Filter

AutonomousAgents

AutonomousAgents

AutonomousAgents

Transceiver

Transceiver

Transceiver

Monitors

Monitors

GUI

Can it be improved with the mobility? How?

AAFID Description

Filters – platform and OS specific entities. Their purpose – extract necessary data providing therefore hardware and OS abstraction layer

Autonomous Agents – in AAFID just dynamically enabled and disabled host specific threads with tight purpose (counting amount of opened connections)

Transceivers – host specific entities responsible for collecting data from agents operating on current host and transferring that data to higher entities

Monitors – entities which get information from different hosts, analyze it and can produce alarm in case of attack

GUI – user interface

Issues:• Confidentiality• Integrity

Mobile Agent Operation in the Hostile Environment

Three types of information to protect:

• Static information which is not relevant for Agent’s successful operation (No Read Access, No Write Access)• Static information to which Agent should have an Access (Read Only)• Dynamic information, including Agent’s code (Read and Write Access)

Protection MethodsStatic Data – No access on intermediate hostsAsymmetrical Encryption using public & private key technologyAgent carries public key of the source host (for encryption) and public keys of all nodes it visits (for integrity)

Static Data – Read only Access on intermediate hostsOnly Integrity can be provided with the method mentioned above

Dynamic Data When attacker has complete access to the memory where the code is executed, the protection becomes more difficult and even impossible “theoretically”

How can we made tampering process more difficult?

Dynamic Code Protection Methods

• Special type of Encryption mechanism which leaves code executable

• Adding noisy code in order to increase Agent’s “Entropy” and hide Agent’s real intention

Mathematical model

Problem:

• Alice has an algorithm to compute f

• Bob has an input x and should compute f(x)

• Bob should learn nothing about f

• Bob should not interact with Alice during the computation of f(x)

Solution:

f(x) E(f) (x)

P(E(f)) (x) x

Alice

Bob

1. Alice encrypts f

2. Alice creates a program P(E(f)) which implements E(f)

3. Alice sends P(E(f)) to Bob

4. Bob executes P(E(f)) at x

5. Bob sends P(E(f))(x) to Alice

6. Alice decrypt P(E(f))(x) and obtains f(x)

Some Definitions

Lets consider two rings – R, S and function E: R S

Let’s call encryption function E

- additively homomorphic if there is an efficient algorithm PLUS to compute E(x+y) from E(x) and E(y)

- multiplicatively homomorphic if there is an efficient algorithm MULT to compute E(xy) from E(x) and E(y)

- mixed multiplicatively homomorphic if there is an efficient algorithm MIXED-MULT to compute E(xy) from E(x) and y

Homomorphic Encryption Scheme

Let E: R R be an additively and mixed multiplicatively homomorphic encryption scheme.

s

s

is

iiiii XXXap ...21

21 21...Consider polynomial function

Alice’s operation while creating P(X) for Bob:

1. Replace each coefficient by

2. In all summands replace “multiplication” operation of coefficients by with MIXED-MULT

3. Replace “addition” operation with PLUS

4. Send P to Bob

siiia ...21

siiiaE ...21

siiia ...21

sis

i XX ...11

Homomorphic Encryption Scheme

Operations on Bob’s host:

1. Run P on his private input

and store a list

2. Produce list of summands by calling MIXED-MULT

Note: according to MIXED-MULT definition and properties of E

Bob gets for each summand

3. Elements of M are added by calling PLUS

As the result Bob gets exactly E(p(x))

4. Bob sends result back to Alice

Alice decrypts the result simply by applying E-1 and obtains p(x)

,..........,: 11

sis

i xxL

,.........,: 1

1 1...s

s

is

iii xxaEM

Protecting the Host against Mobile Code

General Steps:

• Verification• Authentication• Authorization• Execution