
Mobile Agent Security


Presentation Transcript


    1. Mobile Agent Security. Dan Gaudette, Graduate Seminar Class, November 25, 2003

    2. Overview: Review of what I did last time; What is an agent again?; Benefits; Drawbacks; Security Issues; Different types of attacks (server to server, server to agent, agent to server, agent to agent); How they do the attack (masquerading, etc.); Aglets; Malicious Hosts; Classification of threats; Security Goals; Malicious Host Detection; Countermeasures

    3. Mobile Agent [5] Agents typically possess several (or all) of the following characteristics: small in size, goal oriented, communicative, cooperative, flexible.

    4. Mobile Agent [5] Mobile Agents can travel across the heterogeneous network in order to perform an assigned task. Mobile Agents are one of the popular and simpler ways of retrieving information from the Internet. Aglets are fundamentally Java-based autonomous software mobile agents. An aglet carries its state as well as data along with it while traveling across the network. Basic idea: Create once, go anywhere.

    5. Mobile Agent They are often used in information searching, filtering and retrieving applications, low-level network maintenance, testing, fault-diagnosis and for dynamically upgrading existing services [13].

    6. Mobile Agent Benefits [5]: reduce human work; handle information overload; provide automated help; reduction of network traffic; adaptive; negotiation capabilities; learning capabilities. (Briefly go over the previously mentioned benefits.)

    7. Mobile Agent Drawbacks [5]: Security is a huge issue; main reason why agents aren't as popular as they could be. Lack of mobile agent standards; each implementation has its own specific benefits and drawbacks. No coordination, cooperation, or communication between agents, especially between different kinds of agents.

    8. Aglets

    9. Aglet – Implementation of an Agent. Why study Aglets? Clear and simple structure; good GUI (Tahiti server); very accessible use; good documentation; high user acceptance; open source / freeware; works on Java2.

    10. A Little More on Aglets [8] Implemented standards: MASIF (Mobile Agent System Interoperability Facility); works with CORBA. Communication: sockets; message-passing between agents; ATP (supports HTTP tunneling); problems with firewalls. Mobility: weak mobility; Java serialization (byte code).

    11. A Little More on Aglets [8] Security policy: built-in security mechanism through Tahiti server; three roles (aglet, manufacturer, owner); context and server security; network domain; agents are shielded using proxy object; standard Java security (JDK keytool). Practical uses: TabiCan – electronic marketplace for air tickets in Japan (thousand machines).

    12. Developing Aglets [8] The Aglets Software Development Kit (ASDK), developed by IBM, is a Java-based framework for implementing mobile agents called aglets. It provides a network agent class loader that enables mobility of agent code, data and state information. The Aglets package can be downloaded from Sourceforge.net or the IBM website.

    13. Aglets [8] Aglets are Java objects that can move from one host on the Internet to another. An aglet that executes on one host can suddenly halt execution, dispatch itself to a remote host, and resume execution there. When the aglet moves, it takes along its program code as well as its data.

    14. Aglet Architecture [7] Aglets architecture consists of two APIs and two implementation layers: Java Aglet API; Aglets Runtime Layer (the implementation of Aglet API); Agent Transport and Communication Interface (ATCI, with ATP as an application-level protocol); Transport Layer.

    15. Aglet API [7] Internet agent developers can develop platform-independent aglets written in the Java programming language and expect them to run on any host that supports the Aglet API. Aglet: provides methods that control the mobility and lifecycle of an aglet. Aglet Context: provides the execution environment at the remote site. Aglet Proxy: provides a handle that is used to access the aglet. Message: an object exchanged between aglets.

    16. Aglet Life Cycle [7] Different stages in an aglet execution are shown in the figure. Aglets can be: created, cloned, dispatched, retracted, deactivated, activated, disposed

    17. Aglets Security and Communication [7] Security in Aglets: Security is a prime concern for mobile agent technology, and aglets provide an extensible security model in the form of an AgletSecurityManager, as a subclass of the Java Security Manager. Aglets Communication: Messaging between aglets involves sending, receiving, and handling messages synchronously as well as asynchronously. Aglets communicate with each other by exchanging Message objects.

    18. Malicious Hosts

    19. Malicious Hosts [2] Goals: to analyze the different security threats that can possibly be imposed on agents by malicious hosts; to provide a classification of these threats; to describe the current solution approaches that are implemented to address the identified problems.

    20. Malicious Hosts A malicious hosting node can launch several types of security attacks on the mobile agent and divert its intended execution towards a malicious goal or alter its data or other information in order to benefit from the agent’s mission [10].

    21. Malicious Hosts Example For example: A Mobile Travel Agent is sent out by a user to visit several airlines, find the best offer and book and pay for the best flight [11]. A malicious host might spy out the price limits set by the user and the offers by competitors. [9] It might tamper with the agent to change the competitors’ prices.

    22. Malicious Hosts Example It could advance the agent’s program counter to the preferred branch of conditional code. [3] It might steal the mobile agent’s electronic money, credit card number or cryptographic keys. It might hoodwink the competition by modifying the agent to want to reserve 100 tickets from the competitor so the flight appears full. [3]

    23. Classification of Malicious Host Security Threats [2] Base the classification of threats on the five fundamental concerns of users gaining access to computer network services [12]: integrity, availability, confidentiality, authentication, non-repudiation. Using these fundamental security requirements, we identify the following security classes that mobile agents can possibly encounter from their executing hosts.

    24. Class 1: Integrity attacks [2] Tampering with the agent’s code, state or data implies that the integrity of the mobile agent has been violated. The motive may be malicious or accidental. There are two subclasses of integrity attacks: integrity interference and information modification.

    25. 1.1: Integrity interference [2] Occurs when the executing host interferes with the mobile agent’s execution mission, but does not alter any information related to the agent. Examples include the cases where the executing host: transmits the mobile agent incorrectly; does not execute the mobile agent completely; transmits the agent to a host that is not specified in the itinerary; executes the agent arbitrarily.

    26. 1.2: Information modification [2] Occurs when the executing host takes actions against a mobile agent in an unauthorized way. Examples include: altering, corrupting, manipulating, deleting, misinterpreting agents; incorrect execution of the agent’s code, data, control flow, status; interfering with the interaction between different agents and altering the communication between them for its own benefit.

    27. Class 2: Availability refusal [2] When a mobile agent arrives at a host it must be given privileges and access to resources that are necessary to carry out the task. Availability refusal occurs if an authorized mobile agent is prevented from accessing objects or resources to which it should have legitimate access. These are mostly deliberate actions performed by the executing nodes in order to obstruct the agent. There are three subclasses: denial-of-service, delay-of-service, transmission-refusal.

    28. 2.1: Denial of service [2] Occurs when the requested resources that the agent needs to accomplish its mission are denied. Examples include: a malicious host bombards the agent with so much irrelevant information that the agent finds it impossible to complete its goals; a malicious host refuses an agent a specific service.

    29. 2.2: Delay of service [2] Occurs when the host makes the mobile agent wait for the service and only provides the service, or access to the required resources, after a certain amount of time. Examples include: a host keeps an agent deactivated until after it is too late to buy air tickets from a competitor.

    30. 2.3: Transmission refusal [2] Occurs when a malicious host disregards the itinerary of the mobile agent and refuses to transmit the agent to the next host that is specified by the agent.

    31. Class 3: Confidentiality attacks [2] When the assets of the mobile agent are illegally accessed or disposed of by its host, the privacy of the mobile agent is not respected and comes under attack. There are three subclasses of confidentiality attacks: eavesdropping, theft, reverse engineering.

    32. 3.1: Eavesdropping [2] Occurs when the host spies on the agent and gathers information about the mobile agent’s information or about the intercommunication between agents. Although the host may not attempt to alter the agent, it can use this information for its own benefit.

    33. 3.2: Theft [2] Occurs when the malicious host not only spies on the agent, but also removes information from the agent. Theft and eavesdropping are closely related. The malicious host may also “steal” the agent itself, use it for its own purposes, or simply kill it.

    34. 3.3: Reverse Engineering [2] Occurs when the malicious host captures the mobile agent and analyzes its data and state in order to manipulate future or existing agents. Unlike a theft attack, a reverse engineering attack enables the host to construct its own similar agents, or update the profile of information to which the agent gets access.

    35. Class 4: Authentication risks [2] In the case of the malicious host problem, the agent must be able to correctly identify and authenticate its executing host. The host may hide its own identity or refuse to present its own credentials, which may jeopardize the intended goal of the agent. There are two subclasses of authentication attacks: masquerading and cloning.

    36. 4.1: Masquerading [2] Occurs when an executing host masks itself as one of the hosts on the agent’s itinerary when it is actually not on it.

    37. 4.2: Cloning [2] Occurs when a host creates an exact copy of the mobile agent. Each agent carries its own credentials in order to gain authorized access to the services of its executing hosts. Examples include: When a host creates a clone of the mobile agent this causes unique agent authentication problems.

    38. Malicious Host Detection

    39. Malicious Host Detection [9] Threat diagnostic, using AND/OR tree and risk analysis, is a mechanism to protect mobile agents against malicious host attacks. The method is based on analyzing the probable causes of mobile agent failure to perform its intended function. It uses the symptoms of different types of malicious host attacks and arranges them in a logical order depending on the expected outcomes.

    40. Malicious Host Detection [9] Mobile agents consist of three parts: code, a data state and an execution state that allows them to continue their program on the next platform [6]. Mobile agents transport sensitive information such as secret keys, electronic money, and other private data. We need to have a program that actively protects itself against an execution environment that possibly may divert the intended execution towards a malicious goal [11].

    41. Threat Diagnostic AND/OR Tree [9] One analytical threat derivation technique is the threat tree approach [1], whose goal is to prevent mobile agent failures due to malicious host attacks. Need to determine some symptoms for every attack class. Need to develop a threat tree using a relationship between the attacks and the symptoms of these attacks, based on the logical AND/OR relation in which an attack can occur only if one of the symptoms could occur. Then one can identify the attack type based on the symptoms it produces.

    42. Protecting mobile agents from malicious hosts [9] Attacks against mobile agents are classified as active and passive attacks [4]. In a passive attack, the attacker does not interfere with the mobile agent, but only attempts to extract useful information from it. In active attacks, the attacker can arbitrarily intercept and modify code and data of the mobile agent. In the next table, we see the known malicious host attacks and the attack symptoms.

    44. Malicious Host Detection [9] The objective is to allow an agent to execute security-sensitive computations even in an un-trusted execution environment. If this objective is not met due to the nature of an attack, then the agent will self-destruct. Figure 1: symptoms for every malicious hosts attack classes
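The threat diagnostic tree of slides 41 to 44, as an added example that is not part of the original presentation or of the method's authors' code: each attack class is an AND/OR subtree over observable symptoms, and the agent self-destructs when the root OR is satisfied. The symptom names are constructed here from the attack descriptions in slides 25 to 36; they are not the symptom table of [9].

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple, Union


@dataclass(frozen=True)
class Leaf:
    """A single observable symptom."""
    symptom: str

    def holds(self, observed: FrozenSet[str]) -> bool:
        return self.symptom in observed


@dataclass(frozen=True)
class Gate:
    """AND node: every child must hold. OR node: at least one child."""
    kind: str
    children: Tuple["Node", ...]

    def holds(self, observed: FrozenSet[str]) -> bool:
        if self.kind not in ("AND", "OR"):
            raise ValueError(f"unknown gate kind: {self.kind}")
        results = [child.holds(observed) for child in self.children]
        return all(results) if self.kind == "AND" else any(results)


Node = Union[Leaf, Gate]

# Constructed symptom names (assumption), one subtree per attack class.
THREAT_TREE = {
    "integrity interference": Gate("OR", (
        Leaf("sent_to_host_outside_itinerary"),
        Leaf("execution_incomplete"))),
    "information modification": Gate("OR", (
        Leaf("code_digest_changed"),
        Leaf("data_digest_changed"))),
    "delay of service": Gate("AND", (
        Leaf("agent_deactivated"),
        Leaf("deadline_passed"))),
    "transmission refusal": Gate("AND", (
        Leaf("dispatch_requested"),
        Leaf("still_on_same_host"))),
    "masquerading": Gate("AND", (
        Leaf("host_claims_itinerary_name"),
        Leaf("host_credentials_unverified"))),
}


def diagnose(observed) -> List[str]:
    """Return every attack class whose subtree is satisfied."""
    seen = frozenset(observed)
    return [name for name, node in THREAT_TREE.items() if node.holds(seen)]


def should_self_destruct(observed) -> bool:
    """Root of the tree: an OR over all attack-class subtrees."""
    return bool(diagnose(observed))


if __name__ == "__main__":
    print(diagnose({"agent_deactivated"}))                     # AND not met
    print(diagnose({"agent_deactivated", "deadline_passed"}))
    print(should_self_destruct({"code_digest_changed"}))
```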

    47. Ranking of Critical Malicious Host Attacks [9] Experiments were carried out with Java code to create a 1000 random malicious host generator (RMH). The RMH provided six malicious host attack classes with fourteen attack symptoms.

    48. Probability of Malicious Host Attack Cases

    49. Countermeasures

    50. Countermeasures To Mobile Agent Security Threats [2] Countermeasures reduce the vulnerability of the mobile agent against malicious hosts. Mobile agent computing allows for both prevention and detection mechanisms. Prevention mechanisms aim to protect the mobile agent to such an extent that it becomes difficult, or at least very expensive, to attack the agent; detection mechanisms perform checks to discover possible security breaches. We discuss four types of countermeasures, based on trust, recording and tracking, cryptography and time techniques.

    51. Type 1: Trust-based computing [2] Prevention: tamper resistant hardware; trusted execution environment. Detection: detection objects.

    52. Type 2: Countermeasures based on Recording and Tracking [2] Prevention: anonymous itinerary; phone home; using a mobile agent system. Detection: path histories; itinerary recording with replication and voting; mutual itinerary recording; server replication; reference states.

    53. Type 3: Countermeasures based on cryptographic techniques [2] Prevention: sliding encryption; computing with encrypted functions; environmental key generation; digital signatures. Detection: cryptographic tracing; partial result encapsulation; partial result authentication codes.
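Partial result authentication codes, listed above as a detection measure, applied to the travel-agent scenario of slide 21, as an added example that is not from the original presentation. It assumes the one-way key-chain variant of the technique; the host names, prices and key are constructed. A host can only be caught altering results sealed at hosts visited before it, since it sees the current key while executing the agent.

```python
import hashlib
import hmac
import json


def next_key(key: bytes) -> bytes:
    """One-way step: knowing key i+1 does not reveal key i."""
    return hashlib.sha256(b"prac-step" + key).digest()


def prac(key: bytes, host: str, offer: int) -> str:
    """MAC over one host's partial result."""
    msg = json.dumps([host, offer], separators=(",", ":")).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class Agent:
    def __init__(self, first_key: bytes):
        self._key = first_key
        self.results = []

    def record(self, host: str, offer: int) -> None:
        """Seal this host's offer, then replace the key before migrating.

        A real agent would have to erase the old key from memory; Python
        gives no such guarantee, so this only models the protocol.
        """
        self.results.append(
            {"host": host, "offer": offer, "prac": prac(self._key, host, offer)})
        self._key = next_key(self._key)


def verify(first_key: bytes, results) -> list:
    """Originator side: return the indices of entries whose PRAC fails."""
    bad, key = [], first_key
    for i, entry in enumerate(results):
        expected = prac(key, entry["host"], entry["offer"])
        if not hmac.compare_digest(expected, entry["prac"]):
            bad.append(i)
        key = next_key(key)
    return bad


if __name__ == "__main__":
    k0 = hashlib.sha256(b"constructed demo key").digest()  # constructed
    agent = Agent(k0)
    for host, offer in [("airline-a", 420), ("airline-b", 395), ("airline-c", 410)]:
        agent.record(host, offer)
    print(verify(k0, agent.results))     # untouched itinerary
    agent.results[1]["offer"] = 999      # a later host rewrites airline-b's price
    print(verify(k0, agent.results))
```

Deleting an earlier entry is also detected, because every later entry is then checked against the wrong key in the chain.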

    54. Type 4: Countermeasures based on time techniques [2] Prevention: time sensitive agents. Detection: time sensitive agents.

    55. Threat Classes and Corresponding Suitable Countermeasures Table

    60. Conclusions We have described classes of security threats being imposed on mobile agents by malicious hosts: integrity attacks, availability refusals, confidentiality attacks and authentication risks. It appears that most of the available countermeasures focus on integrity attacks, while very few exist to counter the others. The creation of a trusted execution environment is the one measure that covers all the threats. Whether it is feasible to construct a trusted execution environment under Internet conditions remains to be seen. The malicious host problem is intriguing and offers many opportunities for further research.

    61. Conclusions One alternative to a trusted execution environment is to have protective measures added to the mobile agent code itself. In this case, the agent will self-destruct when an attack has taken place. The overhead encountered with this alternative approach is the main problem of applying it in all types of mobile agents. [9]

    62. Future Work Multi-Layer Protection of Mobile Code Complete Obfuscation Encrypted Execution Code Watermarking Encrypting Java Archives and its Application to Mobile Agent Security

    63. References: [1]: Edward G. Amoroso. Fundamentals of Computer Security Technology. Prentice-Hall International, Inc. 1994. [2]: Elmarie Bierman and Elsabe Cloete. Classification of Malicious Host Threats in Mobile Agent Computing. Technikon Pretoria and University of South Africa. 2002. [3]: William M. Farmer, Joshua D. Guttman and Vipin Swarup. Security for Mobile Agents: Issues and Requirements. MITRE. 1997. [4]: Warwick Ford. Computer Communications Security – Principles, Standard Protocols and Techniques. Prentice Hall, 1994. [5]: Dan Gaudette. Mobile Agents: An Introduction. Lakehead University. October 28, 2003.

    64. References: [6]: Fritz Hohl. A framework to protect mobile agent by using reference states. University of Stuttgart, Germany. March 2000. [7]: Geetha N. Kapse. Airline Ticket Information Retrieval Using Mobile Agents. California State University, Sacramento. April 29, 2003. [8]: Giang Nguyen, Tung Dang. Agent Platform Evaluation And Comparison. June 2002. [9]: Magdy Saeb, Meer Hamza, and Ashraf Soliman. Protecting Mobile Agents against Malicious Host Attacks Using Threat Diagnostic AND/OR Tree. Arab Academy for Science, Technology & Maritime Transport, Computer Engineering Department, Alexandria, Egypt.

    65. References: [10]: T. Sander and C. Tschudin. Protecting Mobile Agents against Malicious Hosts. Mobile Agents and Security, Springer-Verlag, Lecture Notes in Computer Science. No. 1419, pp. 44-60. 1998. [11]: Tomas Sander and Christian F. Tschudin. Protecting Mobile Agent Against Malicious Hosts. International Computer Science Institute, pp. 92-97, 1998. [12]: B. Schneier. Secrets and Lies: Digital Security in a Networked World. John Wiley & Sons, Inc. 2000. [13]: A.R. Tripathi, N.M. Karnik, T. Ahmed, R.D. Singh, A. Prakash, V. Kakani, and M.K. Vora. Design of the Ajanta System for Mobile Agent Programming. The Journal of Systems and Software. 2001.
