Lecture 8: Mobile Agents. SIF8072 Distributed Artificial Intelligence and Intelligent Agents. http://www.idi.ntnu.no/~agent/ 6 March 2003. Lecturer: Sobah Abbas Petersen Email: sap@idi.ntnu.no. Lecture Outline. What are mobile agents? Remote Procedure Calls vs. mobile agents Security
Lecture 8: Mobile Agents SIF8072 Distributed Artificial Intelligence and Intelligent Agents http://www.idi.ntnu.no/~agent/ 6 March 2003 Lecturer: Sobah Abbas Petersen Email: sap@idi.ntnu.no
Lecture Outline • What are mobile agents? • Remote Procedure Calls vs. mobile agents • Security • Threats, security of host, security of agent • Typology of mobile agents • Implementation of mobile agents • Telescript • TCL/TK
References - Curriculum • Wooldridge: ”Introduction to MAS”, • Chapter 10, Section 10.4 • Not in curriculum: • White, J. E., Mobile Agents, in Bradshaw, J. (ed.), Software Agents, MIT Press, Cambridge, MA, 1997, p. 437-472. • D. M. Chess, C. G. Harrison, A. Kershenbaum. Mobile Agents: Are they a good idea? Research Report, IBM Research Division, T. J. Watson Research Center, 1995, 21 pages.
What are Mobile Agents • Agents that are capable of transmitting themselves – their programs and their state – across a computer network, and recommencing execution at a remote site. • The program chooses when and where to migrate. • It can suspend its execution at an arbitrary point, transport itself to another machine and resume execution. • Moving programs while they run!
Current Approach - Remote Procedure Calls • Enables one computer to call procedures in another. • The two computers agree in advance upon a protocol: • The effects of each remotely accessible procedure and the types of its arguments and results. • Each interaction entails two acts of communication - request & acknowledge • ongoing interaction requires ongoing communication! • e.g.: From a file server, delete all files that are at least two months old. RPC: n files => 2(n+1) messages [Diagram: client PC, network, server, service]
New Approach - Remote Programming • One computer not only calls procedures on another computer, but also provides the procedures. • Each message contains the procedure + its arguments. • The two computers agree in advance upon a language: • instructions and the types of data that are allowed. • A user computer and a server can interact without using the network once the agent is transported • ongoing interaction does not require ongoing communication! [Diagram: client PC, network, server; agent, service, local procedure call]
Advantages of RP over RPC • Tactical • Performance - due to less message passing over the network. • Less connection time - need network connection to transport the agent. • Computer delegates a task to the agent. • Strategic • Customisation - agents let manufacturers of user s/w extend the functionalities of the server s/w. • In a RPC application, the server component needs to be statically installed by the user. In RP, they are dynamically installed by the application itself - each is an agent. • New RPC-based applications - business decisions by the provider. New RP-based applications - buying decision by the user. • A public network becomes like a platform.
Why Mobile Agents • Mobile agent = procedure + its state. • Efficient use of network resources. • Low-bandwidth networks.
Basic Mobile Agent Environment • A mobile agent environment is a software system which is distributed over a network of heterogeneous computers. • Its primary task is to provide an environment in which mobile agents can execute. • It implements the majority of models which appear in the mobile agent definition.
What is security ”If I take a letter, lock it in a safe, hide the safe somewhere in New York, then tell you to read the letter, that’s not security. That’s obscurity. On the other hand, if I take the letter and lock it in a safe and then give you the safe along with the design specifications of the safe and a hundred identical safes with their combinations so that you and the world’s best safecrackers can study the locking mechanisms – and you still can’t open the safe and read the letter – that’s security.”
Security Model • General security requirements: • Secrecy • requires that the information in a computer system be accessible for reading by authorised parties only. • Integrity • requires that the computer system assets can be modified by authorised parties only. • Availability • requires that the computer system assets be available to authorised parties.
Types of Threats 1 • Interruption: an asset of the system is destroyed (threat to availability). • Interception: unauthorised party gains access to an asset (threat to secrecy) [Diagrams: information source and information destination]
Types of Threats 2 • Modification: unauthorised party tampers with an asset (threat to integrity) • Fabrication: unauthorised party inserts counterfeit object into the system (threat to integrity) [Diagrams: information source and information destination]
Design Principles for Security • Least privilege – (need-to-know) only the smallest set of privileges to complete the job; the access rights should be acquired by explicit permission only. • Economy of mechanism- security mechanisms should be as small as possible; an integral part of the design. • Acceptability - security mechanisms should not interfere unduly with the work of the users. • Complete mediation – every access must be checked against the access control information. • Open design – mechanisms can be reviewed by many experts, and users must have high confidence in them.
Main Intruders • Hackers • Viruses • Fraudulent users • Incompetent users • Technology by itself cannot solve the security problem. • Technology for security must be complemented by an awareness of security issues and disciplined application of techniques.
What does security do? 1 • Security systems attempt to get you reliable answers to the following types of questions: • Who is accessing our information system? (Identification) • Can I be sure who made the request? (Verification) • Can I be sure that this message has not been modified since it was sent? (Integrity) • Is this user entitled to make use of this resource? (Access control)
What does security do? 2 • Will this program cause damage or disruption? (Viruses) • Can I safely send this message on a public network? (Privacy) • Can I be sure that this user will actually pay for the service s/he is requesting? (Nonrepudiation) • Can I be sure that this server will do what I want? (reputation)
Security in Using Agents 1 • Some general issues in using agents: • Delegation: you are delegating to the agent some of your authority. This means that agents are doing things that you cannot always see. • Mobility: they may be doing it on the other side of the planet. Or, an agent from the other side of the planet may be doing it on your server.
Security in Using Agents 2 • Some general issues in using agents, contd.: • Viruses: agents share many characteristics with viruses. In creating an environment for agents, there is the additional risk that we expose weaknesses that may enable viruses to breed. • Trust: humans have classified their co-workers into those who are reliable and those who are not.
Mobile Agents and Viruses • It’s impossible, in principle, to verify with complete certainty that an arbitrary program is not a virus. • In practice, the problem of writing a program that can verify the correct behaviour of another program is unsolved. • It’s difficult to define the necessary and sufficient tests that an agent must pass in order to determine its intentions. • Some precautions: • Restriction of access to critical resources. • Restriction on altering other programs.
Delegation • The purpose of an agent is to perform some tasks that would otherwise be performed by its user. • The agent may need many, if not all, of the access rights of the user. • In a security environment, this can be readily achieved by passing the copy of the user’s certificate to the agent. • In this regard, the agent is indistinguishable from any other applications employed by the user. • However, the certificates are valid for a finite period, defined by the security administrators.
Security for Hosts 1 • Limiting delegation: • Give the agent and the user separate identities • Secure co-processors: have a physically separate processor on which the agent is run, execute the agent in a ”padded cell” • Allow the agent to interact with the system environment only in a language with limited expressiveness (e.g. ACL) • Limiting resource consumption: • Limit the amount of each resource that an agent is permitted to consume • Limit the amount of e.g. money and processor time an agent can access (e.g. Telescript)
Security for Hosts 2 • Unix-like access rights on hosts. • Safe libraries for access to filestore, process space, etc. • Some agent languages allow security properties of an agent to be verified on receipt. • Host must handle crashed programs cleanly – what do you tell an owner when their agent crashes?
Security for Agents 1 • We need to protect mobile agents from malicious hosts because: • Agents have a right to privacy! • We often do not want to send our programs, as to do so might enable the recipient to determine their purpose, and hence our intent. • The agent might be modified (sabotaged) in some way, without the owner’s knowledge or approval.
Security for Agents 2 • Some possibilities for protection: • Data integrity - an agent can be protected in transit by using conventional encryption techniques (e.g. PGP). • In order to ensure that an agent is not tampered with, it is possible to use digital watermarks. • Origin authentication – certification. • Access itinerary control – restriction on visiting some environments.
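An added example, not part of the original slides, of the integrity, origin and itinerary checks listed above as a host would apply them to an arriving agent. It assumes an HMAC under a key shared by the owner and the hosts as a stand-in for the PGP or certificate mechanism the slide names (with a shared key any host could re-seal an agent, which a public-key signature avoids); `seal`, `admit`, `OWNER_KEY` and the host names are hypothetical.

```python
import hashlib
import hmac
import json

OWNER_KEY = b"constructed-demo-key"  # assumption: shared by owner and hosts


def _tag(code, itinerary, key):
    # Canonical JSON so the same fields always serialise to the same bytes.
    body = json.dumps({"code": code, "itinerary": itinerary}, sort_keys=True)
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()


def seal(code, itinerary, state, key=OWNER_KEY):
    """Owner side: tag the immutable part (code + itinerary) before launch."""
    return {"code": code, "itinerary": itinerary, "state": state,
            "tag": _tag(code, itinerary, key)}


def admit(agent, host_name, key=OWNER_KEY):
    """Host side: decide whether an arriving agent may run here."""
    expected = _tag(agent["code"], agent["itinerary"], key)
    if not hmac.compare_digest(expected, agent.get("tag", "")):
        return "reject: code or itinerary modified"
    if host_name not in agent["itinerary"]:
        return "reject: host not on itinerary"
    return "accept"


# Constructed sample agent and three altered copies of it.
AGENT = seal("find cheapest roses", ["florist.example", "tickets.example"],
             {"best_offer": None})
TAMPERED = dict(AGENT, code="find most expensive roses")
REROUTED = dict(AGENT, itinerary=AGENT["itinerary"] + ["unknown.example"])
# The state changes at every hop, so the owner's tag cannot cover it:
# a host that rewrites it goes undetected by this check.
STATE_EDIT = dict(AGENT, state={"best_offer": 999})
```

The last case is the limit of the scheme: results an agent collects on the way need separate protection, because the owner cannot tag values that do not exist at launch.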
Proposed Advantages of Mobile Agents • Efficiency – mobile agents consume less network resources • Asynchronous autonomous interaction • Interaction with real-time entities • Support for heterogeneous environment • Support for electronic commerce • Convenient development paradigm
General Requirements to Mobile Agent Environments • Expressiveness as a programming language • Ability to execute remotely or to transport state • Support for agent communication language • Security support • Management support
Typology of Mobile Agents 1 • Mobile agents can be divided into at least 3 types: • Autonomous • On-demand • ”Active-mail” type
Typology 2 - Autonomous Mobile Agents • Autonomous mobility means that the agents are able to decide for themselves where to go, when and what to do when they get there (subject to certain resource constraints, e.g. how much e-money they can spend). • Such agents are generally programmed in a special language that provides a go instruction (e.g. Telescript).
Typology 3 - On-demand Mobility • The idea here is that a host is only required to execute an agent when it explicitly demands the agent. • The best known example of such functionality is that provided by the JAVA language, as embedded within HTML. • A user with a JAVA-compatible browser can request HTML pages that contain applets. • These applets are downloaded along with all other images, text, forms, etc. and once downloaded, are executed on the user’s machine.
Typology 4 - Active-mail Agents • The idea here is to ”piggy-back” agent programs onto mail. • The best known example of this work is the MIME extension to email.
Mobile Agent Implementation • Java • Contains no mobile agents. It’s simply an enabling technology for mobile agents. Most important are Remote Method Invocation and Object Serialisation. • e.g. Aglets • Telescript • Language-based environment for constructing MAS. • Tcl/TK and other scripting languages
Telescript 1 • Telescript was a language-based environment for constructing mobile agent systems. • 2 key concepts: agents and places. • Telescript Technology is focussed towards an electronic marketplace, where agents are the providers and consumers of goods in the electronic marketplace. • Agents are mobile – they are able to move from one place to another, in which case their program and state are encoded and transmitted across the network to another place, where execution recommences.
Telescript 2 - Concepts • Implements the concepts of places, agents, travel, go, meeting, connections, authorities and permits. • The network is a collection of places. The application consists of agents, each occupying a place. • Agents can travel from one place to another to have a meeting with another agent.
Telescript 3 - Concepts • Places: Shopping centre, with a Directory service, a ticket office and a florist. • Agents: Agents reside in Places and can move from one place to another. e.g. The shopping agent can go to the florist. • Travel: Lets an agent obtain a service offered remotely and return to its starting place. [Diagram: shopping agent on a PC, network, Shopping Centre with Directory, Tickets and Florist]
Telescript 4 - Concepts • Travel is achieved by executing go. • Go requires a ticket - specifies the agent’s destination and the terms of the trip. • Meetings let agents in the same computer call one another’s procedures. [Diagram: go and meeting, shown on the shopping agent and Shopping Centre figure]
Telescript 5 - Concepts • Connections let two agents on different computers communicate. • A connection requires a target - specifies the distant agent and the terms of the connection. • One agent or place can discern the authority of another. [Diagram: connection, shown on the shopping agent and Shopping Centre figure]
Telescript 6 - Concepts • Authority is associated with regions - verifies the authority when the agent travels from one region to another. • Permits grant capabilities. They let authorities limit what agents and places can do. 2 kinds: • Grant the right to execute a certain instruction. e.g. create another agent. • Grant the right to use a certain resource in a certain amount - allowance. [Diagram: authority, shown on the shopping agent and Shopping Centre figure]
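An added example, not Telescript code and not from the original slides, of the two kinds of permit described above as a host would enforce them: a set of granted instructions plus a per-resource allowance, checked on every step (the complete mediation and resource limits from the host security slides). The `Permit` and `Host` classes, the step format and the sample programs are hypothetical.

```python
from dataclasses import dataclass, field


class PermitViolation(Exception):
    """Raised when an agent asks for more than its permit grants."""


@dataclass(frozen=True)
class Permit:
    instructions: frozenset  # instructions the agent may execute
    allowance: dict          # resource name -> amount the agent may consume


@dataclass
class Host:
    log: list = field(default_factory=list)

    def check(self, permit, remaining, instruction, resource, amount):
        if instruction not in permit.instructions:
            raise PermitViolation(f"instruction {instruction!r} not granted")
        if amount < 0 or amount > remaining.get(resource, 0):
            raise PermitViolation(f"allowance for {resource!r} exceeded")

    def run(self, name, permit, program):
        """Mediate every (instruction, resource, amount) step of an agent.

        Returns (completed instructions, unspent allowance). The agent is
        stopped at the first violation and the reason is logged.
        """
        remaining = dict(permit.allowance)  # host keeps its own meter
        completed = []
        for instruction, resource, amount in program:
            try:
                self.check(permit, remaining, instruction, resource, amount)
            except PermitViolation as exc:
                self.log.append(f"{name}: stopped, {exc}")
                break
            remaining[resource] = remaining.get(resource, 0) - amount
            completed.append(instruction)
        return completed, remaining


# Constructed sample: a shopping agent with a small allowance.
SHOPPER = Permit(frozenset({"meet", "pay"}), {"cpu": 5, "money": 20})
CLONING = [("meet", "cpu", 1), ("pay", "money", 15), ("create_agent", "cpu", 1)]
OVERSPEND = [("pay", "money", 15), ("pay", "money", 15)]
```

The meter lives in the host, not in the agent, so an agent that lies about what it has already spent gains nothing.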
Tcl/TK and Scripting Languages 1 • TCL was primarily intended as a standard command language. But every time a new application is developed, a new command language must be as well. TCL provides the facilities to easily implement your own command language. • It provides facilities for making GUI features such as buttons, labels, text and graphic windows. • It provides powerful facilities for interprocess communication, via the exchange of Tcl scripts.
Tcl/TK 2 • TCL is an interpreted language. • It is extendable: it provides a core set of primitives implemented in C/C++ and allows the user to build on these, as required. • It can be embedded – the interpreter itself is available as C++ code, which can be embedded in an application, and can itself be extended.
Tcl/TK 2 • So, where does the idea of an agent come in? • It’s easy to build operations where Tcl scripts are exchanged across a network, and executed on remote machines. • A key issue is safety. You don’t want to provide someone else’s script with the full access rights to your computer that an ordinary scripting language provides. • Safe TCL: provides mechanisms for limiting the access provided to a script. • It was not intended as an agent programming environment.
Summary • Efficient use of bandwidth! • Main issue is that of security, both for the host and the mobile agent. • Mobile agents can be implemented in Java, in agent programming environments (e.g. Telescript) and in some scripting languages (e.g. Tcl/TK).
Next Lecture: Agent Architectures • Wooldridge: ”Introduction to MAS”, • Chapters 4 and 5