14. Chapter: Mobile Agents

Author: Shauna Kelley
Security in Communication Networks WS‘00/01

Contents
14.1 History
14.2 What is a Mobile Agent?
14.3 General security issues
14.4 Types of attack
14.5 Security mechanisms in the MA context
  14.5.1 Host protection
  14.5.2 MA protection

14.1 History

distributed processing:
– traditionally done according to the client/server paradigm
– based on remote procedure call (RPC)

[Figure: a) local procedure call: Client sends a request to the procedure and receives the reply. b) remote procedure call: Client → client-stub (marshalling) → network → server-stub (unmarshalling) → Server; the reply travels back through the server-stub (marshalling) and the client-stub (unmarshalling). In both cases the call is transparent to the client.]

advantages of RPC:
– details hidden from the client
– client can access remote procedures as if they were local
– basis for the construction of distributed systems

disadvantages of RPC:
– far slower than a local procedure call
– data must be carried over the network
  ⇒ RPC is susceptible to network delays and transmission errors
  ⇒ possibly large amounts of data carried over the network

in the mid 90s, a new approach to distributed processing emerged: mobile agents
– mobile agent: piece of software which can migrate in a network while carrying along both code and data
– idea: equip the mobile agent with a task and the related data and then send it out; the agent will return with the result


14.2 What is a Mobile Agent?

mobile agent characteristics:
– mobile agents act autonomously (but on behalf of a user)
– can communicate with other agents, with users, and with the hosts in the network
– required: mobile agent system (MAS) for agent execution and support
– mobile agents usually written in platform independent programming languages
– byte-code interpreted by the mobile agent system (e.g. Java)
– mobile agents can implement specific network protocols for communication

thus: mobile agent = software, data, and execution context

Applications

some examples of mobile agent applications:
– information retrieval in a network, e.g.
  · collecting and filtering information
  · only the results are returned to the user
– electronic commerce
  · meeting concept
  · negotiating the best deal when trading goods at various market places, e.g. finding the cheapest flight
– service customisation and user localisation in wireless networks
  · the mobile agent follows its user who is moving from cell to cell
– network management
  · benefit of locality: local access to network components
  · no frequent polling required, i.e. reduced network load
  · no influence of network delays and transmission errors
– distributed simulations


14.3 Security Issues

“real life” analogies:
– picture a travelling salesman who intends to stay at a hotel
– salesman = mobile agent; landlord = host
  · salesman can be killed by the landlord
  · salesman can kill the landlord
  · salesman can be hypnotised by the landlord (“sell me things for a ridiculous price”)
  · salesman can hypnotise the landlord (“give me your best room for a ridiculous price”)
  · salesman can get lost on the journey
  · salesman can be given incorrect information by the landlord and thus sell nothing
  · salesman can permanently ask the landlord silly questions (“harassment”)
  · landlord can promise to reserve a room but then have none

new problems, no analogy:
  · salesman can be cloned to sell products quicker and/or more reliably, but then more rooms are required or even the entire hotel is blocked
  · risk of viruses, worms etc.

therefore:
– mobile agents require (application dependent) security mechanisms
– three layers involved: hardware, operating system, application

direct measures:
– security domains
  · access restrictions depending on the security classes of the individual components, e.g.
    – restricted access of mobile agents to resources
    – mobile agents are only allowed to visit well known and secure hosts
– communication security
  · encrypted transfer of mobile agents
  · authentication of hosts and agents

generally:
– a mobile agent can harm a host
– a mobile agent can harm other agents
– a host can harm a mobile agent


14.4 Types of Attacks

(notation below: attacker → victim)

damage or modification:
– MA → host: MA modifies or damages files, configuration, hardware etc.
  · example 1: access restrictions of the host are modified in order to allow other mobile agents to access secure information
  · example 2: a malicious mobile agent might try to gain control over parts of the host system in order to influence other agents
  · combined attacks of multiple agents are possible (these are the worst)
– host → MA: MA modified by the host
  · both code and data of the MA can be manipulated
  · example: a malicious host may attempt to cleverly place its own offer for a product; this can be achieved either by manipulation of data (set the other offers to a higher price) or by manipulation of code (select the highest price instead of the lowest price)
– MA → MA: code or data of an MA modified by another MA
  · analogous to host → MA

denial of service:
– MA → host: attempt to overload the host
  · by incessant requests to be processed by the host
  · by continuous spawning of new mobile agents through cloning
– host → MA: the host can deny services which are vital for the agent, thus blocking the agent
  · example 1: host denies access rights to information required by the mobile agent
  · example 2: host denies communication, i.e. the network connection; in this case the agent is stranded, without being able to send out a notification
– MA → MA: analogous to MA → host
  · example: a mobile agent spams another one with incessant messages, thus causing buffer overflows or provoking deadlocks

breaking of privacy / information theft:
– MA → host:
  · a mobile agent can steal secret information, even if it is
    – neither allowed to store it
    – nor to send it over the network
  · needs the help of other agents, i.e. a combined attack; it is difficult or impossible to detect these combined attacks
  – example:
    · let MA1 have access to a restricted file, but no access rights to store information or send it over the network
    · nonetheless, MA1 can pass information to another agent, MA2, through a covert channel
    · a covert channel allows information to be hidden such that it cannot be noticed by an uninitiated observer, e.g. by specific behaviour (similar to steganography)

covert channel: an analogy
– two prisoners are allowed to enter the prison’s library
– they can see each other, but are not allowed to talk
– only one of them is allowed to read
– how can information be passed between them?
– example: 0,1-stream
  · 0 = reading quietly for n seconds
  · 1 = leafing wildly through the book for n seconds
  (MA analogue: the two behaviours correspond to busy waiting and sleeping)
– this can be observed and interpreted by another mobile agent
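A host-side check for the timing behaviour in this analogy, added here as an example (not part of the lecture): it assumes the MAS can record a per-second trace of an agent's scheduler state, with 'B' standing for busy waiting and 'S' for sleeping, and flags an agent whose runs are all quantised to whole multiples of n seconds; the traces are constructed.

```python
def run_lengths(trace):
    """Collapse a per-second state trace ('B' = busy waiting, 'S' = sleeping) into runs."""
    runs = []
    for state in trace:
        if runs and runs[-1][0] == state:
            runs[-1][1] += 1
        else:
            runs.append([state, 1])
    return [(state, length) for state, length in runs]

def timing_channel_score(trace, n):
    """Return (fraction of runs that are whole multiples of n seconds,
    number of n-second symbols those runs could have carried)."""
    runs = run_lengths(trace)
    if len(runs) < 2:            # a single run cannot transport a bit stream
        return 0.0, 0
    aligned = [length for _, length in runs if length % n == 0]
    return len(aligned) / len(runs), sum(length // n for length in aligned)

def suspicious(trace, n, min_fraction=0.9, min_symbols=8):
    """Heuristic flag: almost every busy/sleep run fits the n-second slot and
    enough symbols were exchanged to look like the 0,1-stream of the analogy."""
    fraction, symbols = timing_channel_score(trace, n)
    return fraction >= min_fraction and symbols >= min_symbols

# constructed traces with n = 3 s per symbol: 'B' encodes a 1 (leafing wildly), 'S' a 0
COVERT_TRACE = "".join(("B" if bit == "1" else "S") * 3 for bit in "1011001011")
# constructed trace of an agent whose busy and idle phases have irregular lengths
NORMAL_TRACE = "B" * 7 + "S" + "B" * 5 + "SS" + "B" * 11 + "S" + "B" * 9 + "S" * 5
```

Thresholds and the slot length n have to be tuned to the MAS; a legitimate agent with periodic work can also produce aligned runs, so the flag is a reason to audit, not proof.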

breaking of privacy / information theft (cont.):
– host → MA:
  · example 1: a host might extract sensitive data such as passwords from the agent
  · example 2: the host copies a part or the whole of the MA code
  · direct measures: software and data encryption
    but: since the host must execute the MA code, software encryption is difficult and limited
– MA → MA:
  · an MA might attempt to read another MA’s code or data
  · it is a question of good software engineering of the mobile agent system to prevent this

harassment:
– MA → host:
  · the MA can attempt to install unwanted software at the host, e.g. a program which causes a jerky screen
– host → MA:
  · the host processes the MA so slowly that the processed information becomes useless
  · the host analyses the MA to get information about the MA’s owner

social engineering:
– MA → host:
  · example: the MA pretends to be the system administrator and retrieves password information
– host → MA:
  · example: the host purposefully provides wrong information to the MA; thus the MA will make wrong decisions

combined attacks
– example: harassment + information theft + redirection + ...

the types of attacks presented above can be deployed in various strategies, for example:
– event-triggered attack / logic bombs:
  · the MA installs additional software which causes damage, but which remains inactive until triggered by a specific event
  · example: software activated on a special date (e.g. the Michelangelo virus)
  · example: software activated if a special user logs in


14.5.1 Host Protection

basic principle:
– “Information Fortress Model”: access to resources only via well defined interfaces

authentication credentials:
– the host requests one or more credentials of the MA which are signed by certain instances
  · example: a certificate authority signs credentials for a mobile agent; hosts which the MA has already visited add their credential

access control and monitoring:
– the MA has certain access rights to resources, which are monitored by the host
– “An MA cannot do anything harmful if it is not allowed to do so.”

code verification:
– the host analyses the MA code prior to execution
– the MA is executed only if the analysis shows that the MA code is harmless
– problems:
  · in general it is undecidable whether the MA code is harmless or not
    – compare the halting (termination) problem of Turing machines: it is undecidable, i.e. no algorithm exists which is able to decide for all Turing machines and all inputs whether the Turing machine will stop on a specific input or not
  · interpreting the code even to a certain extent (e.g. checking which secure resources an agent accesses) is time consuming
  · if a host is granted too much time etc. for analysing MA code, a malicious host can e.g. attempt information theft, for instance decrypt data contained in the MA

limitation techniques: limit the number of attempts, time intervals, etc.
– time limit: maximum MA lifetime
  · absolute limit
    – problem: MA execution might be delayed due to host crash, lost connection, etc.
  · cumulative limit
    – maximum overall execution time
– number of accesses
  · limit the number of accesses to resources; increase waiting times between successive trials
– range limit
  · limit the number of hops, i.e. the maximum number of visited hosts
  · limit the area in which the MA is allowed to roam
– duplication limit
  · limit the number of MA clones

audit logging
– logging of MA operations (e.g. for legal purposes) and attaching the logs to the MA

combined mechanisms:
– the host is able to take action at three instants:
  · on MA arrival
  · during MA execution time
  · on MA departure

[Figure: host operations per instant]
  MA arrival:    credentials o.k.? / choose security class / code verification / limit check (time, range, duplication ...)
  MA execution:  access monitoring / audit logging during execution
  MA departure:  add new credentials / modify limit checks
  additionally:  call the police
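The limitation techniques and the three instants of the combined-mechanisms figure, as a host-side sketch added here (not code from the lecture or from any MAS): field and class names are assumptions, the clock is a plain number of seconds, and the constructed itinerary lets an MA with a two-hop range limit visit three hosts.

```python
from dataclasses import dataclass, field

@dataclass
class Limits:             # set by the MA owner, checked by every host (names are assumptions)
    lifetime_end: float   # absolute limit: no execution after this point in time
    max_exec_time: float  # cumulative limit: execution seconds over all hosts
    max_hops: int         # range limit: maximum number of visited hosts
    max_clones: int       # duplication limit
    max_accesses: int     # per resource and visit (the slide's waiting times are left out)

@dataclass
class Agent:
    limits: Limits
    credentials: list     # names of signers; the host must trust at least one of them
    hops: int = 0
    exec_time: float = 0.0
    clones: int = 0
    log: list = field(default_factory=list)   # audit log carried along with the MA

class Host:
    def __init__(self, name, trusted_signers):
        self.name, self.trusted, self.access_count = name, set(trusted_signers), {}
    def on_arrival(self, agent, now):
        # credential and limit checks on arrival; an empty list means "admit"
        problems = []
        if not self.trusted.intersection(agent.credentials):
            problems.append("no credential from a trusted signer")
        if now > agent.limits.lifetime_end:
            problems.append("absolute lifetime expired")
        if agent.exec_time >= agent.limits.max_exec_time:
            problems.append("cumulative execution time exhausted")
        if agent.hops >= agent.limits.max_hops:
            problems.append("hop limit reached")
        if agent.clones > agent.limits.max_clones:
            problems.append("duplication limit exceeded")
        self.access_count = {}
        agent.log.append((self.name, "arrival", now, list(problems)))
        return problems
    def access(self, agent, resource):
        # access monitoring during execution: count and limit accesses per resource
        n = self.access_count[resource] = self.access_count.get(resource, 0) + 1
        allowed = n <= agent.limits.max_accesses
        agent.log.append((self.name, "access", resource, allowed))
        return allowed
    def on_departure(self, agent, now, started_at):
        agent.exec_time += now - started_at          # update the cumulative limit
        agent.hops += 1                              # update the range limit
        agent.credentials.append(self.name)          # visited hosts add their credential
        agent.log.append((self.name, "departure", now, None))

def demo():
    limits = Limits(lifetime_end=1000.0, max_exec_time=30.0, max_hops=2, max_clones=0, max_accesses=2)
    agent = Agent(limits=limits, credentials=["ca"])
    now, outcomes = 0.0, []
    for host in (Host("h1", ["ca"]), Host("h2", ["ca", "h1"]), Host("h3", ["h1"])):
        problems = host.on_arrival(agent, now)
        if problems:                     # rejected: the MA is not executed on this host
            outcomes.append((host.name, problems))
            continue
        accesses = [host.access(agent, "offers-db") for _ in range(3)]
        started, now = now, now + 10.0   # the visit consumed 10 s of execution time
        host.on_departure(agent, now, started)
        outcomes.append((host.name, accesses))
    return outcomes, agent
```

A real host would verify the signatures on the credentials rather than trust signer names, and the counters travelling with the MA would themselves need integrity protection, since a malicious host can reset them.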


14.5.2 Mobile Agent Protection

two categories of approaches to protect an MA against malicious hosts:
– improved reliability through redundancy
– encryption

replication:
– in order to ensure that its task is most definitely completed, an MA can replicate at will, i.e. create as many duplicates as possible
– in addition: intermediate (trusted) hosts can check whether an MA is still intact (e.g. using checksums); only intact MAs are passed on
– if more than one duplicate completes the task, the duplicates vote for the correct result (restricted to read-only operations of the MA)

persistence:
– upon arrival of the MA, the host stores the MA in persistent storage; after a host crash the MA can then be restarted
– problem: if the MA has a maximum lifetime (absolute limit), it might be restarted after its lifetime has expired

redirection:
– intelligence in the MA allows the selection of alternative routes if the default route is blocked

sliding encryption
– protection of collected data against theft or modification by using sliding encryption (e.g. by using its own private key)
– multiple encapsulated encryption: each host's data is added inside the previous layer
    Encrypt( Encrypt( DH1 ) , DH2 ) ...      where DHi = data collected at host i
– better than encrypting each host's data separately:
    Encrypt( DH1 ) , Encrypt( DH2 ) ...

code obfuscation
– the code of the MA is sent in encrypted form, together with an execution unit which makes the MA executable
– lifetime of the execution unit limited (one-way key)
– side effect (and drawback of the concept): execution of the MA is risky for the host (Trojan horse)

encrypted data manipulation
– data contained in the MA is encrypted
– code can be interpreted/stolen/modified, but data cannot
– newly collected data is encrypted too, so that other hosts cannot interpret the data
– but: code verification approaches are possible

trail obscuring:
– the MA continuously modifies its “look” (structure of code etc.) to prevent the tracing of its path (and thus the determination of its profile)
– aim: profile hiding

code obscuring combined with a limitation technique (time limit)
– other than in trail obscuring, the code is modified only on MA initiation
– idea:
  · make the code difficult to understand
  · use a timestamp to ensure the MA becomes invalid by the time a malicious host understands what the MA does (important: strength of the attack, compare the attacker model in chapter 7 “anonymity”; a non-omnipresent attacker is assumed)
– mechanisms for a structured “mess up” of MA code intentionally ignore the principles of good software engineering:
  · variable names never have a meaning
  · they do not use modules or any other kind of structuring elements
  · they complicate data on purpose

code obscuring (cont.)
– example of a mess-up mechanism: recomposition of variables
  · take all variables in use in a program, mix these variables and individually spread their bits over newly created variables
  · then adapt the variable accesses in the code accordingly (can be automated)
  · example:
    original code:       buy(bestagency, ticket, wallet);
    original variables:  bestagency, ticket, wallet
    new variables:       v23, v19 (each holding a mix of bit chunks of the original variables)
    conversion functions (rebuild a typed value from a bit string):
      Public Address c7(Bitstring b)
      Public Good    c4(Bitstring b)
      Public Money   c3(Bitstring b)
    new code:            buy(c7(v23[0]+v19[4]+v23[3]), c4(v19[0]+v19[3]+v23[1]), c3(v23[2]+v19[1]+v23[4]));
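The recomposition step as an automated transformation, added here as an example (not the lecture's or any tool's code): variables are '0'/'1' strings, the bit chunks of all variables are mixed and dealt out over new meaninglessly named variables, and the generated access expression and the original value are both checked; the 15-bit values are constructed.

```python
import random

def scatter(variables, chunk_bits, n_new, rng):
    """Cut every variable (a '0'/'1' string) into chunk_bits-wide pieces, mix the pieces of
    all variables and spread them over n_new freshly named variables.
    Returns (new_vars, recipe); recipe[name] lists (new_var, index) per chunk in order."""
    pieces = []
    for name, bits in variables.items():
        if len(bits) % chunk_bits:
            raise ValueError(f"{name}: bit length must be a multiple of {chunk_bits}")
        for k in range(0, len(bits), chunk_bits):
            pieces.append((name, k // chunk_bits, bits[k:k + chunk_bits]))
    rng.shuffle(pieces)                                    # mix pieces of all variables
    new_names = [f"v{i}" for i in rng.sample(range(10, 100), n_new)]   # meaningless names
    new_vars = {n: [] for n in new_names}
    recipe = {name: [None] * (len(bits) // chunk_bits) for name, bits in variables.items()}
    for j, (name, idx, chunk) in enumerate(pieces):
        target = new_names[j % n_new]                      # deal pieces out round-robin
        new_vars[target].append(chunk)
        recipe[name][idx] = (target, len(new_vars[target]) - 1)
    return new_vars, recipe

def access_expr(recipe, name):
    """Source text that rebuilds `name` from the new variables, e.g. v23[0]+v19[4]+v23[3]."""
    return "+".join(f"{v}[{i}]" for v, i in recipe[name])

def recompose(new_vars, recipe, name):
    """What the generated access expression evaluates to: the original bit string."""
    return "".join(new_vars[v][i] for v, i in recipe[name])

def demo():
    rng = random.Random(7)
    original = {   # constructed 15-bit values for the three variables of the buy() call
        "bestagency": "000000000000111",
        "ticket": "010101010101010",
        "wallet": "111100001111000",
    }
    new_vars, recipe = scatter(original, 5, 2, rng)       # 9 pieces over 2 new variables
    rebuilt = {name: recompose(new_vars, recipe, name) for name in original}
    call = "buy(c7(%s), c4(%s), c3(%s))" % tuple(
        access_expr(recipe, name) for name in ("bestagency", "ticket", "wallet"))
    return rebuilt == original, call, new_vars
```

The conversion functions c7, c4 and c3 of the slide are kept as names in the generated call only; the obscured program still computes the same values, which is exactly why this only buys time and must be paired with the time limit.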

encrypted code
– generally: code must be executed and thus cannot be encrypted
– but: interesting approach with the composition of functions for special tasks
– example:
  · let A be a linear mapping (i.e. a matrix) held by Alice
  · Bob holds data x1, ..., xn
  · Alice wants Bob to calculate yi := A xi for i = 1...n, without revealing A to Bob
  · idea:
    – Alice selects a random matrix S which is regular, i.e. S^-1 exists, and calculates B := SA
    – Alice sends B to Bob; Bob calculates zi := B xi for i = 1...n and returns z1, ..., zn
    – Alice calculates yi := S^-1 zi for i = 1...n

encrypted code (cont.)
– this example can be generalised
– let f be a rational function
– f can be encrypted by combining it with another function s
– let s be a rational function which can be efficiently inverted
– let E(f) := s ∘ f
– given such a combination, the security of E(f) rests on the decomposition problem:
  – decomposition problem: given a multivariate rational function h which can be decomposed as h := s ∘ f, no algorithm can determine all s and f in polynomial time (compare the RSA algorithm: many people believe that there is a polynomial algorithm for RSA; some speculations say of the order n^6)
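The matrix example of the previous slide carried through end to end, as an added example (not from the lecture or from Sander and Tschudin): exact rational arithmetic with Python's fractions stands in for the field, S is drawn at random and rejected until it is regular, and the recovered yi are compared with A xi; the matrix and the data vectors are constructed.

```python
from fractions import Fraction
import random

def mat_mul(P, Q):
    return [[sum(P[i][k] * Q[k][j] for k in range(len(Q))) for j in range(len(Q[0]))]
            for i in range(len(P))]

def mat_vec(M, x):
    return [sum(M[i][k] * x[k] for k in range(len(x))) for i in range(len(M))]

def mat_inv(M):
    """Gauss-Jordan over exact rationals; returns None if M is singular (not regular)."""
    n = len(M)
    A = [[Fraction(v) for v in row] + [Fraction(int(i == j)) for j in range(n)]
         for i, row in enumerate(M)]
    for col in range(n):
        piv = next((r for r in range(col, n) if A[r][col] != 0), None)
        if piv is None:
            return None
        A[col], A[piv] = A[piv], A[col]
        p = A[col][col]
        A[col] = [v / p for v in A[col]]
        for r in range(n):
            if r != col and A[r][col] != 0:
                f = A[r][col]
                A[r] = [a - f * b for a, b in zip(A[r], A[col])]
    return [row[n:] for row in A]

def random_regular_matrix(n, rng):
    """Alice's random S: retry until S^-1 exists."""
    while True:
        S = [[Fraction(rng.randint(-5, 5)) for _ in range(n)] for _ in range(n)]
        if mat_inv(S) is not None:
            return S

def alice_hide(A, rng):
    S = random_regular_matrix(len(A), rng)
    return S, mat_mul(S, A)              # B := S A is all that Bob ever sees

def bob_evaluate(B, xs):
    return [mat_vec(B, x) for x in xs]   # zi := B xi, computed without knowing A

def alice_recover(S, zs):
    S_inv = mat_inv(S)
    return [mat_vec(S_inv, z) for z in zs]   # yi := S^-1 zi

def demo():
    rng = random.Random(1)
    A = [[2, 1], [0, 3]]                 # constructed: Alice's secret linear mapping
    xs = [[1, 4], [-2, 5]]               # constructed: Bob's data x1, x2
    S, B = alice_hide(A, rng)
    ys = alice_recover(S, bob_evaluate(B, xs))
    return ys == [mat_vec(A, x) for x in xs], ys
```

Note what is not hidden: B = SA has the same row space and the same kernel as A, so Bob learns which inputs A maps to zero even though he cannot tell A from any other matrix S'A with regular S'.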

encrypted code (cont.)
– this approach does not work for all kinds of functions
– Sander and Tschudin e.g. have examined the fundamental restrictions imposed on functions for this kind of encryption
– for specific classes of functions such as polynomial and rational functions, this approach offers an encryption of code which was thought to be impossible
– the challenge is to specify these classes of functions
– as programs are usually built with modules and blocks of code, this approach offers a mechanism to secure crucial parts of mobile agent code

Limitation of Mobile Agent Protection

state appraisal (type of attack used here: damage/modification)
– attempt to protect against a temporary modification of parts of the MA, as this can lead to misleading results
– example: goal: find the cheapest flight (economy) X -> Y

[Figure: the MA travels Host 1 -> Host 2 -> Host 3 -> ... -> Host N-1 -> Host N; two evil hosts cooperate: the first changes the request economy -> business and sets the value to 1, the second changes it back, business -> economy, and sets the value to the real (high) value]

– in such a scenario, only security domains offer a solution

Summary and Evaluation

generally valid:
– protection of the host and protection of the MA are often contradictory, i.e. there is no globally optimal solution
– protection of the host through the “Information Fortress Model”

3 principles:
– policy: protect resources against unauthorized manipulation
– integrity (of code and data): guarantees enforcement of the policy
– secrecy: encryption techniques for sensitive data

additional problem:
– currently, mobile agent systems (MAS), i.e. those parts of the host which allow the MA to execute, are developed independently
– consequence: different MAS do not cooperate; each MAS must aim to protect its host and its agents; vendor specific solutions only

• mobile agent technology is a young and promising field of research
• future research aspects concerning the security of MAS:
  – tracing the MA along its migration path
  – monitoring of operations executed by the MA (both human and artificial guards)
  – improved monitoring enables the detection of attacks via suspicious patterns, and legal prosecution
  – hiding the current location of an MA
  – cooperation and communication of MAS
  – mutual authentication MA ⇔ host