Security in Communication Networks WS‘00/01
14. Chapter: Mobile Agents

Contents
14.1 History
14.2 What is a Mobile Agent?
14.3 General security issues
14.4 Types of attack
14.5 Security mechanisms in the MA context
  14.5.1 Host protection
  14.5.2 MA protection

14.1 History
distributed processing:
– traditionally done according to client/server paradigm
– based on remote procedure call (RPC)

[Figure: a) local procedure call: the client calls the procedure directly and receives the reply. b) remote procedure call: the client issues a request to the client-stub (marshalling), the request crosses the network to the server-stub (unmarshalling), the server executes the remote procedure, and the reply travels back via server-stub (marshalling) and client-stub (unmarshalling); the remote call is transparent to the client.]
advantages of RPC:
– details hidden from client
– client can access remote procedures as if they were local
– basis for construction of distributed systems

disadvantages of RPC:
– far slower than local procedure call
– data must be carried over the network
  ⇒ RPC susceptible to network delays and transmission errors
  ⇒ possibly large amounts of data carried over the network

in the mid 90s, a new approach to distributed processing emerged: mobile agents
– mobile agent: piece of software which can migrate in a network while carrying along both code and data
– idea: equip the mobile agent with a task and the related data and then send it out; the agent will return with the result
14.2 What is a Mobile Agent?

mobile agent characteristics:
– mobile agents act autonomously (but on behalf of a user)
– can communicate with other agents, with users, and with the hosts in the network
– required: mobile agent system (MAS) for agent execution and support
– mobile agents usually written in platform independent programming languages
  – byte-code interpreted by mobile agent system (e.g. Java)
– mobile agents can implement specific network protocols for communication

thus: mobile agent = software, data, and execution context
Applications

some examples of mobile agent applications:
– information retrieval in a network, e.g.
  · collecting and filtering information
  · merely results are returned to the user
– electronic commerce
  · meeting concept
  · negotiating best deal when trading goods at various market places, e.g. finding cheapest flight
– service customisation and user localisation in wireless networks
  · mobile agent follows its user who is moving from cell to cell
– network management
  · benefit of locality: local access to network components
  · no frequent polling required, i.e. reduced network load
  · no influence of network delays and transmission errors
– distributed simulations
14.3 Security Issues

“real life” analogies:
– picture a travelling salesman who intends to stay at a hotel
– salesman = mobile agent; landlord = host
  · salesman can be killed by landlord
  · salesman can kill the landlord
  · salesman can be hypnotised by landlord (“sell me things for ridiculous price”)
  · salesman can hypnotise landlord (“give me your best room for ridiculous price”)
  · salesman can get lost on journey
  · salesman can be given incorrect information by landlord and thus sell nothing
  · salesman can permanently ask landlord silly questions (“harassment”)
  · landlord can promise to reserve room but then have none

new problems, no analogy:
  · salesman can be cloned to sell products quicker and/or more reliably, but then more rooms are required or even the entire hotel is blocked
  · risk of viruses, worms etc.
therefore:
– mobile agents require (application dependent) security mechanisms
– three layers involved: hardware, operating system, application

direct measures:
– security domains
  · access restrictions depending on security classes of individual components, e.g.
    – restricted access of mobile agents to resources
    – mobile agents are only allowed to visit well known and secure hosts
– communication security
  · encrypted transfer of mobile agents
  · authentication of hosts and agent

generally:
– a mobile agent can harm a host
– a mobile agent can harm other agents
– a host can harm a mobile agent
14.4 Types of Attacks

damage or modification:
– MA → host: MA modifies or damages files, configuration, hardware etc.
  · example 1: access restrictions of host modified, in order to allow other mobile agents to access secure information
  · example 2: a malicious mobile agent might try to gain control over parts of the host system in order to influence other agents
  · combined attacks of multiple agents possible (these are the worst)
– host → MA: MA modified by host
  · both code and data of MA can be manipulated
  · example: a malicious host may attempt to cleverly place its own offer for a product; this can be achieved either by manipulation of data (set other offers to higher price) or by manipulation of code (select highest price instead of lowest price)
– MA → MA: code or data of MA modified by another MA
  · analogous to host → MA
denial of service:
– MA → host: attempt to overload the host
  · by incessant requests to be processed by the host
  · by continuous spawning of new mobile agents through cloning
– host → MA: host can deny services which are vital for the agent, thus blocking the agent
  · example 1: host denies access rights to information required by mobile agent
  · example 2: host denies communication, i.e. network connection; in this case, the agent is stranded, without being able to send out a notification
– MA → MA: analogous to MA → host
  · example: a mobile agent spams another one with incessant messages, thus causing buffer overflows or provoking deadlocks
breaking of privacy / information theft:
– MA → host:
  · a mobile agent can steal secret information, even if it is
    – neither allowed to store it
    – nor to send it over the network
  · needs help of other agents, i.e. combined attack; difficult or impossible to detect these combined attacks
  – example:
    · let MA1 have access to a restricted file, but no access rights to store information or send it over the network
    · nonetheless, MA1 can pass information to another agent, MA2, through a covert channel
    · a covert channel allows to hide information such that it cannot be noticed by an uninitiated observer, e.g. by specific behaviour (similar to “steganography”)

covert channel: an analogy
– two prisoners are allowed to enter the prison’s library
– they can see each other, but are not allowed to talk
– only one of them is allowed to read
– how can information be passed between them?
– example: 0,1-stream
  · 0 = reading quietly for n seconds
  · 1 = leafing wildly through the book for n seconds
  (MA analogue: one symbol = busy waiting, the other = sleeping)
  this can be observed and interpreted by another mobile agent
breaking of privacy / information theft (cont.):
– host → MA:
  · example 1: a host might extract sensitive data such as passwords from the agent
  · example 2: host copies a part or the whole of the MA code
  · direct measures: software and data encryption
    but: since host must execute the MA code, software encryption is difficult and limited
– MA → MA:
  · MA might attempt to read other MA’s code or data
  · it is a question of good software engineering of the mobile agent system to prevent this

harassment:
– MA → host:
  · MA can attempt to install unwanted software at the host, e.g. a program which causes a jerky screen
– host → MA:
  · host processes MA so slowly that the processed information becomes useless
  · host analyses MA to get information about the MA’s owner

social engineering:
– MA → host:
  · example: MA pretends to be the system administrator and retrieves password information
– host → MA:
  · example: host purposefully provides wrong information to the MA; thus the MA will make wrong decisions
combined attacks
– example: harassment + information theft + redirection + ...

the types of attacks presented above can be deployed in various strategies, for example:
– event-triggered attack / logical bombs:
  · MA installs additional software which causes damage, but which remains inactive until triggered by a specific event
  · example: software activated on a special date (e.g. Michelangelo Virus)
  · example: software activated if a special user logs in
14.5 Security mechanisms in the MA context
14.5.1 Host Protection

basic principle:
– “Information Fortress Model”: access to resources only via well defined interfaces

authentication credential:
– host requests one or more credentials of MA which are signed by certain instances
  · example: a certificate authority signs credentials for a mobile agent; hosts which the MA has already visited add their credential

access control and monitoring:
– MA has certain access control rights to resources which are monitored by the host.
– “A MA cannot do anything harmful if it is not allowed to do so.”
code verification:
– host analyses the MA code prior to execution
– execute the MA only if analysis shows that the MA code is harmless
– problems:
  · in general it is undecidable whether the MA code is harmless or not
    – compare to the termination (halting) problem of Turing Machines: the termination problem is undecidable for Turing Machines, i.e. no algorithm exists which is able to decide for all Turing Machines and for all types of input whether the Turing Machine will stop on a specific input or whether it will not
  · interpretation of code even to a certain extent (e.g. check which secure resources an agent accesses) is time consuming
  · if a host is granted too much time etc. for analysing MA code, a malicious host can e.g. attempt information theft, for instance decrypt data contained in the MA
limitation techniques: limit the number of attempts, of time intervals, etc.
– time limit: maximum MA lifetime
  · absolute limit
    – problem: MA execution might be delayed due to host crash, lost connection, etc.
  · cumulative limit
    – maximum overall execution time
– number of accesses
  · limit the number of accesses to resources; increase waiting times between successive trials
– range limit
  · limit the number of hops, i.e. the maximum number of visited hosts
  · limit the area in which the MA is allowed to roam
– duplication limit
  · limit the number of MA clones

audit logging
– logging of MA operations (e.g. for legal purposes) and attaching logs to MA
combined mechanisms:
– host is able to take action at three instants:
  · on MA arrival
  · during MA execution time
  · on MA departure

[Figure: host operations at the three instants]
  MA arrival:    credentials o.k.? – choose security class – code verification – limit check (time, range, duplication, ...)
  MA execution:  access monitoring – audit logging during execution
  MA departure:  add new credentials – modify limit checks
  additionally:  call the police
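As an added example (not code from the lecture), the following Python models these host operations for one hypothetical agent record: credential and limit checks plus security-class selection on arrival, access monitoring with an audit log attached to the MA during execution, and a host credential added on departure. All limits, CA names and keys are constructed values, and representing a visited host's credential as an HMAC over (agent id, hop) is an assumption of this example.

```python
from dataclasses import dataclass, field
import hashlib
import hmac

# Host policy: all values are constructed for this example
LIMITS = {"max_hops": 5, "max_clones": 2, "lifetime_s": 600.0, "cpu_s": 30.0}
TRUSTED_CAS = {"ca-example"}                    # CAs whose owner credential we accept
ACCESS = {                                      # security class -> permitted operations
    "trusted": {"read:catalogue", "write:order"},
    "restricted": {"read:catalogue"},
}
HOST_KEY = b"constructed-host-secret"           # key this host signs its credential with


@dataclass
class Agent:
    """Hypothetical record of a mobile agent as seen by the host."""
    agent_id: str
    owner_ca: str                                    # CA that signed the owner's credential
    credentials: list = field(default_factory=list)  # tags added by hosts already visited
    hops: int = 0                                    # hosts visited so far (range limit)
    clones: int = 0                                  # clones created so far (duplication limit)
    created: float = 0.0                             # creation time (absolute time limit)
    cpu_used: float = 0.0                            # execution time on all hosts (cumulative limit)
    audit_log: list = field(default_factory=list)    # audit log travelling with the MA

def host_credential(agent_id: str, hop: int, key: bytes = HOST_KEY) -> str:
    """Credential a visited host attaches: a MAC over (agent id, hop index)."""
    return hmac.new(key, f"{agent_id}:{hop}".encode(), hashlib.sha256).hexdigest()

def security_class(agent: Agent) -> str:
    """Security domain: only agents vouched for by a trusted CA get the wider class."""
    return "trusted" if agent.owner_ca in TRUSTED_CAS else "restricted"

def check_on_arrival(agent: Agent, now: float) -> list:
    """Credential and limit checks on arrival; an empty list means the MA may run."""
    problems = []
    if agent.owner_ca not in TRUSTED_CAS and not agent.credentials:
        problems.append("credentials not o.k.")
    if agent.hops >= LIMITS["max_hops"]:
        problems.append("range limit exceeded")
    if agent.clones > LIMITS["max_clones"]:
        problems.append("duplication limit exceeded")
    if now - agent.created > LIMITS["lifetime_s"]:
        problems.append("absolute time limit exceeded")
    if agent.cpu_used > LIMITS["cpu_s"]:
        problems.append("cumulative time limit exceeded")
    return problems

def monitor_access(agent: Agent, operation: str) -> bool:
    """Access monitoring during execution: every request is checked and logged."""
    allowed = operation in ACCESS[security_class(agent)]
    agent.audit_log.append((agent.hops, operation, "allowed" if allowed else "denied"))
    return allowed

def on_departure(agent: Agent) -> Agent:
    """On departure the host adds its credential and updates the limit counters."""
    agent.credentials.append(host_credential(agent.agent_id, agent.hops))
    agent.hops += 1
    return agent
```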
14.5.2 Mobile Agent Protection

two categories of approaches to protect MA against malicious hosts:
– improved reliability through redundancy
– encryption

replication:
– in order to ensure that its task is most definitely completed, a MA can replicate at will, i.e. create as many duplicates as possible
– in addition: intermediate (trusted) hosts can check whether a MA is still intact (e.g. using check sums); only intact MAs are passed on
– if more than one duplicate completes the task, the duplicates vote for the correct result (restricted to read-only operations of MA)

persistence:
– upon arrival of MA, the host stores the MA within a persistent storage; after a host crash the MA can then be restarted
– problem: if the MA has a maximum lifetime (absolute limit), it might be restarted after its lifetime has expired
redirection:
– intelligence in the MA allows selection of alternative routes, if the default route is blocked

sliding encryption
– protection of collected data against theft or modification by using sliding encryption (e.g. by using its own private key)
– multiple encapsulated encryption: the data collected at each host is encrypted together with the already encrypted data of the previous hosts:
    Encrypt( Encrypt(DH1), DH2 )   with DHi = data collected at host i
– better than encrypting each host’s data separately: Encrypt(DH1), Encrypt(DH2)
code obfuscation
– the code of the MA is sent in encrypted form, together with an execution unit which makes the MA executable
– lifetime of the execution unit limited (one-way key)
– side effect (and drawback of the concept): execution of MA risky for host (Trojan Horse)

encrypted data manipulation
– data contained in MA is encrypted
– code can be interpreted/stolen/modified, but data cannot
– newly collected data is encrypted too so that other hosts cannot interpret data
– but: code verification approaches are possible

trail obscuring:
– MA continuously modifies its “look” (structure of code etc.) to prevent the tracing of its path (and thus the determination of its profile)
– aim: profile hiding
code obscuring combined with limitation technique (time limit)
– other than in trail obscuring, the code is modified only on MA initiation
– idea:
  · make code difficult to understand
  · use timestamp to ensure MA becomes invalid by the time a malicious host understands what the MA does (important: strength of attack, compare attacker model in chapter 7 “anonymity”; non-omnipresent attacker assumed)
– mechanisms for structured “mess up” of MA code intentionally ignore principles for good software engineering:
  · variable names never have a meaning
  · they do not use modules or any other kind of structuring elements
  · they complicate data on purpose
code obscuring (cont.)
– example for mess-up mechanism: recomposition of variables
  · take all variables in use in a program, mix these variables and individually spread their bits over newly created variables
  · then adapt variable access in code accordingly (can be automated)
  · example:
    original code:        buy(bestagency, ticket, wallet);
    original variables:   bestagency, ticket, wallet
    new variables:        v23, v19 (the bits of the three original variables are spread over them)
    conversion functions: Public Address c7(Bitstring b)
                          Public Good c4(Bitstring b)
                          Public Money c3(Bitstring b)
    new code:             buy(c7(v23[0]+v19[4]+v23[3]), c4(v19[0]+v19[3]+v23[1]), c3(v23[2]+v19[1]+v23[4]));
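Added example (not the lecture's code) of the recomposition mechanism above in Python: the bits of all variables are mixed and spread round-robin over newly created, meaninglessly named variables, a conversion function gathers them back, and the call site is rewritten accordingly. Variable names, bit widths and the seed are constructed; the round-robin spreading and the `c_<name>` naming of the conversion functions are assumptions of this example.

```python
import random


def recompose(variables: dict, n_new: int, seed: int) -> tuple:
    """Spread the bits of all variables over n_new newly created variables.

    variables maps a name to (value, bit width). Returns (new_vars, plan):
    new_vars maps a new name such as "v23" to its list of bits, and plan maps
    each original name to the list of (new name, index) locations of its bits,
    most significant bit first. The plan is what the conversion functions need.
    """
    bits = []                       # (original name, bit position, bit value)
    for name, (value, width) in variables.items():
        for pos in range(width):
            bits.append((name, pos, (value >> (width - 1 - pos)) & 1))
    rng = random.Random(seed)
    rng.shuffle(bits)               # mix the variables before spreading them
    names = [f"v{i}" for i in rng.sample(range(10, 100), n_new)]   # meaningless names
    new_vars = {n: [] for n in names}
    plan = {name: [None] * width for name, (_, width) in variables.items()}
    for k, (name, pos, bit) in enumerate(bits):
        target = names[k % n_new]   # spread the bits round-robin over the new variables
        plan[name][pos] = (target, len(new_vars[target]))
        new_vars[target].append(bit)
    return new_vars, plan


def convert(new_vars: dict, locations: list) -> int:
    """Conversion function (the c3/c4/c7 of the slide): gather the bits back into a value."""
    value = 0
    for target, idx in locations:
        value = (value << 1) | new_vars[target][idx]
    return value


def rewrite_call(func: str, args: list, plan: dict) -> str:
    """Rewrite a call such as buy(bestagency, ticket, wallet) to use the new variables."""
    exprs = []
    for name in args:
        access = "+".join(f"{t}[{i}]" for t, i in plan[name])
        exprs.append(f"c_{name}({access})")
    return f"{func}({', '.join(exprs)});"
```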
encrypted code
– generally: code must be executed and thus cannot be encrypted
– but: interesting approach with composition of functions for special tasks
– example:
  · let A be a linear mapping (i.e. a matrix) held by Alice
  · Bob holds data x1, ..., xn
  · Alice wants Bob to calculate yi := A·xi for i = 1...n, without revealing A to Bob
  · idea:
    – Alice selects a random matrix S which is regular, i.e. S⁻¹ exists, and calculates B := S·A
    – Alice sends B to Bob; Bob calculates zi := B·xi for i = 1...n and returns z1, ..., zn
    – Alice calculates yi := S⁻¹·zi for i = 1...n
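Added worked example (not the lecture's code) of the matrix protocol above in Python: exact rational arithmetic is used so that S⁻¹ is computed without rounding, and Alice's S is drawn at random and redrawn if it turns out to be singular. The matrices and data vectors in the test are constructed.

```python
from fractions import Fraction
import random


def matmul(A, B):
    """Matrix product A·B (matrices as lists of rows)."""
    return [[sum(A[i][k] * B[k][j] for k in range(len(B))) for j in range(len(B[0]))]
            for i in range(len(A))]

def matvec(A, x):
    """Matrix-vector product A·x."""
    return [sum(A[i][k] * x[k] for k in range(len(x))) for i in range(len(A))]

def inverse(M):
    """Gauss-Jordan inverse over the rationals; raises ValueError if M is singular."""
    n = len(M)
    aug = [[Fraction(v) for v in row] + [Fraction(int(i == j)) for j in range(n)]
           for i, row in enumerate(M)]
    for col in range(n):
        pivot = next((r for r in range(col, n) if aug[r][col] != 0), None)
        if pivot is None:
            raise ValueError("matrix is singular")
        aug[col], aug[pivot] = aug[pivot], aug[col]
        p = aug[col][col]
        aug[col] = [v / p for v in aug[col]]
        for r in range(n):
            if r != col and aug[r][col] != 0:
                f = aug[r][col]
                aug[r] = [a - f * b for a, b in zip(aug[r], aug[col])]
    return [row[n:] for row in aug]

def random_regular(n, rng, bound=9):
    """Alice's random matrix S; redrawn until it is regular (S^-1 exists)."""
    while True:
        S = [[Fraction(rng.randint(-bound, bound)) for _ in range(n)] for _ in range(n)]
        try:
            inverse(S)
            return S
        except ValueError:
            continue

def alice_encrypt(A, seed=0):
    """Alice keeps S secret and hands out B := S·A, which hides A from Bob."""
    S = random_regular(len(A), random.Random(seed))
    return S, matmul(S, A)

def bob_compute(B, xs):
    """Bob evaluates the encrypted map on his data: z_i := B·x_i."""
    return [matvec(B, x) for x in xs]

def alice_decrypt(S, zs):
    """Alice recovers y_i := S^-1·z_i = A·x_i."""
    S_inv = inverse(S)
    return [matvec(S_inv, z) for z in zs]

def run_protocol(A, xs, seed=0):
    """The whole exchange; returns y_1, ..., y_n as computed by Alice."""
    S, B = alice_encrypt(A, seed)
    return alice_decrypt(S, bob_compute(B, xs))
```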
encrypted code (cont.)
– this example can be generalised
– let f be a rational function
– f can be encrypted by combining it with another function s
– let s be a rational function where s can be efficiently inverted
– let E(f) := s ∘ f
– given such a combination, security of E(f) is given due to the decomposition problem:
  – decomposition problem: given a multivariate rational function h which can be decomposed as h := s ∘ f, no algorithm can determine all s and f in polynomial time (compare RSA algorithm)
  – many people believe that there is a polynomial algorithm for RSA (some speculations say of the order n^6)
encrypted code (cont.)
– this approach does not work for all kinds of functions
– Sander and Tschudin e.g. have examined the fundamental restrictions imposed on functions for this kind of encryption
– for specific classes of functions such as polynomial and rational functions, this approach offers an encryption of code which was thought to be impossible
– the challenge is to specify these classes of functions
– as programs are usually built with modules and blocks of code, this approach offers a mechanism to secure crucial parts of mobile agent code
Limitation of Mobile Agent Protection

state appraisal (type of attack used here: damage/modification)
– attempt to protect against temporary modification of parts of the MA, as this can lead to misleading results
– example: goal: find cheapest flight (economy) X -> Y

[Figure: the MA visits Host 1, Host 2, Host 3, ..., Host N-1, Host N. Evil hosts: an early host changes the request value from economy to business; a later evil host changes it back from business to economy and sets the stored value to the real (high) value, so the MA returns a misleading result.]

– in such a scenario, only security domains offer a solution
Summary and Evaluation

generally valid:
– protection of host and protection of MA are often contradictory, i.e. there is no globally optimal solution
– protection of host through “Information Fortress Model”

3 principles:
– policy: protect resources against unauthorized manipulation
– integrity (of code and data): guarantees enforcement of policy
– secrecy: encryption techniques for sensitive data

additional problem:
– currently, mobile agent systems (MAS), i.e. those parts of the host which allow the MA to execute, are developed independently
– consequence: different MAS do not cooperate; each MAS must aim to protect its host and its agents; vendor specific solutions only

• mobile agent technology is a young and promising field of research
• future research aspects concerning security of MAS:
  – tracing the MA during its migration path
  – monitoring of operations executed by MA (both human and artificial guards)
  – improved monitoring enables detection of attacks via suspicious patterns and legal prosecution
  – hiding the current location of a MA
  – cooperation and communication of MAS
  – mutual authentication MA ⇔ host