Mobile Code Security Evaluation
Presented by: Chan Hing Wing, Anthony
April 26, 1999
Room 1027, SHB, CUHK
Introduction
– Problems of the client/server paradigm
– The mobile code paradigm (MCP) and supporting implementation technologies
– Security evaluation of mobile code paradigms and technologies
– A security model for mobile agents
– Conclusion and future work
The Client/Server Paradigm
– The conventional design paradigm (i.e., example or pattern, Webster) of distributed applications
– Two processes (client and server) running on two different hosts; they communicate by message exchange
– Example: a simple network file server
• handles only one file per client request (i.e., no mput / mget)
• file listing service also provided
– How to delete all files starting with “f”?
Problems, Client/Server
– The only way:
• list all files on the server
• figure out which files start with “f”
• delete the files one by one
– Problems:
• large number of exchanged messages
• requires user-computer interactivity
– Solution:
• upgrade the server and client (to provide mdelete)
– inflexible: what about next time, when I want mput/mget?
– any other solution?
The Mobile Code Paradigm
It would be great if I could send a self-executing code fragment (instead of a single instruction) to the server side, which decides dynamically which files to delete for me!
Advantages
– reduced network traffic (only the code is sent, and perhaps an acknowledgement)
– no need for user-computer interactivity
Mobile Code Paradigm (MCP)
Three forms of MCP (Ghezzi & Vigna):
– remote evaluation (REV), code on demand (COD), mobile agent (MA)
Common examples of mobile code:
– rsh in Unix (REV)
– SQL queries (REV)
– downloading Java applets (COD)
Other possible applications (MA):
– mobile computing
– electronic commerce, etc.
Mobile Agents
– The most interesting form of mobile code; one form of “Intelligent Agents”, a hot topic in the AI field
– Mobility: programs can move across different machines and platforms, and run on different host machines
– Agency: programs act autonomously for their users / owners
– Agents can move with different execution states; therefore they can roam around the network to perform complex tasks
Why Mobile Agents?
“Seven Good Reasons for Mobile Agents” (in CACM, March 1999):
– They reduce the network load
– They overcome network latency
– They encapsulate protocols
– They execute asynchronously and autonomously
– They adapt dynamically
– They are naturally heterogeneous
– They are robust and fault-tolerant
Supporting Technologies
– Client/Server: Sockets / RPC / CORBA
– Remote evaluation: rsh, SQL, etc.
– Code on demand: Java applets
– Mobile Agents?
• Many Mobile Agent Systems (MAS) are being developed, e.g., Aglets from IBM, Odyssey from General Magic, and ObjectSpace’s Voyager (ORB)
• OMG is drafting the Mobile Agent System Interoperability Facility (MASIF) to allow for cross-MAS agents under CORBA
Security Evaluation of MCP
Before we adopt MCP, we should evaluate the security “cost” and “benefit” of MCP, compared with the client/server paradigm.
Two criteria for accepting MCP in application development:
– no extra security attacks without corresponding security mechanisms
– easy-to-use, reliable security services provided by the supporting technologies
Client/Server Security
Client/Server security:
– usually adopts the “security fortress” model
• each particular “computing base” forms a “security fortress”; everything (code, data, users, computers) in the same fortress is trusted
– major challenges:
• client/server authentication (establishing trust with the other side)
• data/request confidentiality across an insecure channel (by encryption)
– already well developed
Mobile Code Security Concerns
Remote evaluation:
– fortress model also applicable
– challenges:
• code sender/receiver authentication
• code encryption across the channel
Code on demand:
– can also apply the fortress model
– challenges:
• client: building trust in downloaded code (sandboxing, applet signing)
• server: verifying the correct client (authentication)
Mobile Agent Security
More complex/challenging because of:
– roaming agents
– co-operating agents
Two aspects:
– host security:
• protecting the host against malicious agents
• fortress model applies
– agent security:
• protecting the agents against malicious hosts
• fortress model does not apply!
Host Security
Agent Integrity
– sandboxing, run-time verification, proof-carrying code
Agent Authentication
– digital signatures (analogy: signed applets)
Authorization
– access control lists
Allocation (against denial-of-service attacks)
– market-based mechanisms
Agent Security
Example:
– An agent roams around the Internet looking for the lowest price of an air ticket; it remembers the lowest price it has found so far
– Data tampering: a malicious host changes the execution state of the agent (“brain-flushes” the agent of the lowest price it remembers)
– Execution tampering: a malicious host changes the code or execution sequence (deliberately sets the local price as the lowest price, and pushes the agent to return immediately)
Agent Protection
Some proposed approaches:
– Agent tampering detection
• range verification, timing information
• addition of dummy items and functions
• state appraisal functions, cryptographic watermarks
– Agent tampering prevention
• time-limited black-box [Hohl]
• shared secrets, interlocking of agents – a fault-tolerance approach
• execution of encrypted functions [Sander & Tschudin]
Not very well developed
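As an added illustration (not from the slides) of how the detection techniques above apply to the air-ticket agent of the previous slide, the following combines range verification, timing information and a state appraisal function that the home host runs when the agent returns. The itinerary format, the price band, the dwell limit and the two sample tours are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

@dataclass
class Visit:
    host: str
    quoted_price: float   # ticket price the host reported to the agent
    dwell: float          # seconds the agent stayed on that host

@dataclass
class AgentState:
    itinerary: List[str]                  # hosts the owner told the agent to visit, in order
    visits: List[Visit] = field(default_factory=list)
    lowest_price: Optional[float] = None  # the minimum the agent "remembers"
    lowest_host: Optional[str] = None

def appraise(state: AgentState, price_range: Tuple[float, float], max_dwell: float) -> List[str]:
    """State appraisal on return: list the findings; an empty list means the state is accepted."""
    findings, (lo, hi) = [], price_range
    for v in state.visits:
        # Range verification: a quote outside the plausible band is treated as tampered.
        if not lo <= v.quoted_price <= hi:
            findings.append(f"{v.host}: price {v.quoted_price} outside [{lo}, {hi}]")
        # Timing information: an unusually long stay suggests the host held the agent.
        if v.dwell > max_dwell:
            findings.append(f"{v.host}: dwell {v.dwell}s exceeds {max_dwell}s")
    # Execution tampering: the agent was pushed home early or sent off its route.
    visited = [v.host for v in state.visits]
    if visited != state.itinerary:
        findings.append(f"itinerary mismatch: visited {visited}, expected {state.itinerary}")
    # Data tampering: the remembered minimum must match the minimum actually seen.
    if state.visits:
        best = min(state.visits, key=lambda v: v.quoted_price)
        if (state.lowest_price, state.lowest_host) != (best.quoted_price, best.host):
            findings.append(f"remembered minimum {state.lowest_price} at {state.lowest_host} "
                            f"differs from observed {best.quoted_price} at {best.host}")
    return findings

# Constructed sample tours (not real data): an honest one and a tampered one.
def honest_state() -> AgentState:
    return AgentState(["air-a", "air-b", "air-c"],
                      [Visit("air-a", 500.0, 2.0), Visit("air-b", 450.0, 3.0), Visit("air-c", 470.0, 2.5)],
                      450.0, "air-b")

def tampered_state() -> AgentState:
    # air-b quotes an implausible price, holds the agent for 90 s, overwrites the
    # remembered minimum with air-a's value, and pushes the agent home before air-c.
    return AgentState(["air-a", "air-b", "air-c"],
                      [Visit("air-a", 500.0, 2.0), Visit("air-b", 10.0, 90.0)],
                      500.0, "air-a")

if __name__ == "__main__":
    print(appraise(honest_state(), (100.0, 2000.0), 60.0))      # []
    print(appraise(tampered_state(), (100.0, 2000.0), 60.0))    # four findings
```

Appraisal only detects tampering after the fact; it cannot stop a host from altering the agent, which is why the slide lists prevention approaches separately.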
Security Services, RPC
Sockets: no security services at all!
Sun RPC:
– secure RPC services for authentication (man secure_rpc) with four options
– Kerberos v5: authentication, per-session key generation
– ssleay: free library functions implementing SSLv3, for authentication and encryption
– Proposed standard: Generic Security Services Application Program Interface version 2 (GSS-API v.2) (RFC 2078)
Security Services, CORBA
CORBA Security Services specification
– requires implementation of the objects Credentials, Principal Authenticator, Security Context, Access Control, etc.
– supports authentication, authorization, security auditing, etc.
– however, no existing implementation of the specification is known
– some vendors add their own security add-on for their ORB product (e.g., SSL pack for Visibroker)
Security Services of MAS
Aglets and Odyssey:
– Host protection based on the Java security model (sandboxing and signed applets)
– No information about agent protection
Voyager:
– SSL for communication security
– No details available about host and agent security
Summary of Evaluation
Intuitively speaking:
– Paradigms, from Client/server through REV/COD to Mobile agents: more possible attacks, mechanisms less developed
– Technologies, from RPC through CORBA to MAS: higher level of abstraction, services less developed
Security Model for Mobile Agents
(figure: the agent moves from Host 1 to Host 2 … to Host n)
The agent stays at host $i$ for a time period $t_i$.
Assume an independent, exponential distribution of time-to-breach (Jonsson’s experiment) at each host $i$, i.e.,
$P(\text{breach at host } i) = 1 - \exp(-v k_i t_i)$, for $i = 1$ to $n$,
where the rate $v k_i$ is a constant; $v$: index of vulnerability; $k_i$: index of malice.
Proposed Security Model (cont’d)
Security of system $= P(\text{no breach at all hosts})$
$= \exp(-v k_1 t_1)\,\exp(-v k_2 t_2)\cdots\exp(-v k_n t_n)$
A Possible Application of the model:
Assume we can estimate the rate $v k_i$ for each host $i$ from 1 to $n$; then we can determine the upper limits of the time to stay on each host $i$ (a set of values of $t_i$) for the agent to remain free of breach with a given probability (ref: time-limited black-box).
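The following is an added numeric worked example of the model and its application (not from the slides): per-host breach probability, the product over all hosts, and one way to turn a target probability into dwell-time limits. The split of the total exponent between hosts is my assumption (the slides do not specify one); the vulnerability and malice indices used are constructed sample values.

```python
import math

def p_breach(v: float, k_i: float, t_i: float) -> float:
    """P(breach at host i) = 1 - exp(-v k_i t_i): exponential time-to-breach with rate v k_i."""
    return 1.0 - math.exp(-v * k_i * t_i)

def p_secure(v: float, ks: list, ts: list) -> float:
    """P(no breach at all hosts) = product over i of exp(-v k_i t_i)."""
    p = 1.0
    for k_i, t_i in zip(ks, ts):
        p *= math.exp(-v * k_i * t_i)
    return p

def dwell_limits(v: float, ks: list, target: float) -> list:
    """Upper limits t_i such that p_secure(v, ks, ts) >= target.

    Taking logs, the constraint is v * sum_i k_i t_i <= -ln(target), a fixed
    "risk budget".  Assumption of this example: the budget is split equally
    across the n hosts, so a more malicious host (larger k_i) gets less time.
    Any other split whose terms sum to the budget satisfies the bound as well."""
    if not 0.0 < target < 1.0:
        raise ValueError("target probability must be strictly between 0 and 1")
    budget = -math.log(target)
    n = len(ks)
    return [budget / (n * v * k_i) for k_i in ks]

if __name__ == "__main__":
    v, ks = 0.01, [1.0, 2.0, 4.0]                # constructed vulnerability and malice indices
    print(p_secure(v, ks, [10.0, 10.0, 10.0]))   # about 0.497: ten time units everywhere is too long
    limits = dwell_limits(v, ks, 0.9)
    print(limits, p_secure(v, ks, limits))       # limits halve as k_i doubles; product is 0.9
```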
Conclusion
– Mobile agents as an emerging paradigm to substitute/complement client/server
– Mobile agent systems being developed worldwide
– Security concerns as a major factor
– Mobile agent security needs particular attention
– A model is proposed for evaluating the security of mobile agent systems
Future Work
– Derive new security mechanisms to protect mobile agents
– Implement security services for mobile agents
– Conduct experiments to verify the proposed model
– Evaluate different security mechanisms and services based on the proposed model
Questions and Answers
The End