The Mobile Code Paradigm and Its Security Issues

1. The Mobile Code Paradigm and Its Security Issues Anthony Chan September 13, 1999

2. Presentation Outline • Drawbacks of client/server paradigm • Classification of mobile code paradigm • Mobile code applications and technologies • Security concerns of mobile code paradigm • Attack model of malicious hosts against mobile agents • Conclusion

3. Client/Server Paradigm • The most common paradigm being used for distributed application design • Two problems: • high network bandwidth requirement (large number of message transfer) • requirement for user-computer interactivity • Mobile code emerges as a more efficient alternative

4. Classification of Mobile Code Ghezzi and Vigna’s classification of mobile code paradigms

5. Mobile Code Applications • Examples of mobile code systems: • remote evaluation: rsh utility, SQL queries • code on demand: Java applets • mobile agents: • not common yet, but a lot of platforms for mobile agents being developed worldwide (e.g., Aglets from IBM, Concordia from Mitsubishi) • Hurdle: SECURITY

6. Security Concerns of Mobile Code • A basic requirement: • an application developed using the mobile code paradigm can be as secure as the same application developed using the client/server paradigm • otherwise mobile code could not be used for security-critical applications, which are very common

7. Security Attacks • Actions that compromises security requirements of an application • Attacks to Client/server: masquerading, forging, etc. • Additional attacks to remote evaluation/code-on-demand: Trojan horses • Additional attacks to mobile agents: agent tampering (data/execution)

8. Security Mechanisms • Mechanisms designed to prevent, detect or recover from security attacks • Security mechanisms for client/server: • Kerberos, Secure Socket Layer (SSL), etc. • very well established • Security mechanism for REV/COD: • sandboxing and code verification • Security mechanism for mobile agents: • not established at all

9. Attack model of malicious hosts against mobile agents Model proposed by Fritz Hohl: • Attacks scenarios that can be described: • spy out and modify the whole data part of an agent • spy out and modify the code part of an agent • manipulate the code execution sequence of an agent • manipulate the execution environment of an agent Environment Read/manipulate Malicious Host (Other agents) Read/manipulate properties; control execution System call Agent

10. A mobile agent application Handheld PC (running Windows CE) System analyzes the request and asks the server for data agent Proxy Server Get the request from client and send agents to database servers agent Databases (Oracle server) Agents get appropriate data here and bring back to proxy server Network Network agent agent SERVER CLIENT A Traveling Information Agent system

11. Attacks to the sample agents • Possible attacks to the system described: • a malicious host may spy out and modify data collected by the agent, thus false information is reported to user • a malicious host may spy out the code of the agent, thereby get to learn what information the particular user is interested in • a malicious host may manipulate the execution sequence of the agent, and make the agent request some information for it illegitimately • a malicious host may manipulate the information obtained from the databases, and report false information to the agent

12. Conclusion • Mobile code as an alternative to client/server for distributed applications • Security as a major hurdle to mobile code • Mobile code (especially mobile agents) faces more attacks than client/server do, while the corresponding security mechanisms are not well established • An application to illustrate attacks to agents • Efforts should be devoted to secure agents