
Mobile Code Security Evaluation

Mobile Code Security Evaluation. Presented by: Chan Hing Wing, Anthony April 26, 1999 Room 1027, SHB, CUHK. Introduction. Problems of the client/server paradigm The mobile code paradigm (MCP) and supporting implementation technologies



  1. Mobile Code Security Evaluation Presented by: Chan Hing Wing, Anthony April 26, 1999 Room 1027, SHB, CUHK

  2. Introduction • Problems of the client/server paradigm • The mobile code paradigm (MCP) and supporting implementation technologies • Security evaluation of mobile code paradigms and technologies • A security model for mobile agents • Conclusion and future work

  3. The Client/Server Paradigm • The conventional design paradigm (i.e., example or pattern, Webster) of distributed applications • Two processes (client and server) running on two different hosts; communicate by message exchange • Example: a simple network file server • handles only one file per client request (i.e., no mput / mget) • file listing service also provided • How to delete all files starting with “f”?

  4. Problems, Client/Server • The only way: • list all files on server • figure out files starting with “f” • delete files one by one • Problems: • large number of exchanged messages • requirement of user-computer interactivity • Solution: • upgrade the server and client (to provide mdelete) • inflexible: how about next time I want mput/mget? • any other solution?

  5. The Mobile Code Paradigm • It would be great if I could send a self-executing code fragment (instead of a single instruction) to the server side, that decides which file to delete for me dynamically! • Advantages • reduced network traffic (only code sending, and perhaps an acknowledgement) • no need for user-computer interactivity

  6. Mobile Code Paradigm (MCP) • Three forms of MCP (Ghezzi & Vigna): • remote evaluation (REV), code on demand (COD), mobile agent (MA) • Common examples of mobile code: • rsh in Unix (REV) • SQL queries (REV) • downloading Java applets (COD) • Other possible applications (MA): • mobile computing • electronic commerce, etc.

  7. Mobile Agents • The most interesting form of mobile code; one form of “Intelligent Agents”, which is a hot topic in the AI field • Mobility: programs can move across different machines and platforms, and run on different host machines • Agency: programs act autonomously for their users / owners • Agents can move with different execution states, therefore, they can roam around the network to perform complex tasks

  8. Why Mobile Agents? • “Seven Good Reasons for Mobile Agents” (in CACM, March, 1999): • They reduce the network load • They overcome network latency • They encapsulate protocols • They execute asynchronously and autonomously • They adapt dynamically • They are naturally heterogeneous • They are robust and fault-tolerant

  9. Supporting Technologies • Client/Server: Sockets / RPC / CORBA • Remote evaluation: rsh, SQL, etc. • Code on demand: Java applets • Mobile Agents? • Many Mobile Agent Systems (MAS) being developed, e.g., Aglets from IBM, Odyssey from General Magic, and ObjectSpace’s Voyager (ORB) • OMG is drafting the Mobile Agent System Interoperability Facility (MASIF) to allow for cross-MAS agents under CORBA

  10. Security Evaluation of MCP • Before we adopt MCP, we should evaluate the security “cost” and “benefit” of MCP, compared with the client/server paradigm • Two criteria for accepting MCP in application development: • no extra security attacks without corresponding security mechanisms • easy-to-use, reliable security services provided by supporting technologies

  11. Client/Server Security • Client/Server security: • usually adopts the “security fortress” model • each particular “computing base” forms a “security fortress”; everything (code, data, users, computers) in the same fortress is trusted • major challenges: • client/server authentication (establishing trust with the other side) • data/request confidentiality across an insecure channel (by encryption) • already well developed

  12. Mobile Code Security Concerns • Remote evaluation: • fortress model also applicable • challenges: • code sender/receiver authentication • code encryption across the channel • Code on demand: • can also apply the fortress model • challenges: • client: building trust on downloaded code (sandboxing, applet signing) • server: verifying the correct client (authentication)

  13. Mobile Agent Security • More complex/challenging because of: • roaming agents • co-operating agents • Two aspects: • host security: • protecting the host against malicious agents • fortress model applies • agent security • protecting the agents against malicious host • fortress model does not apply!

  14. Host security • Agent Integrity • sandboxing, run-time verification, proof-carrying code • Agent Authentication • digital signatures (analogy: signed applets) • Authorization • access control lists • Allocation (against denial-of-service attack) • market-based mechanism

  15. Agent Security • Example: • An agent roams around the Internet to look for the lowest price of an air ticket; it remembers the lowest price it finds most recently • Data tampering: change of execution state of agents by malicious hosts (“brain-flush” the agent of the lowest price it remembers) • Execution tampering: change of code or execution sequence by malicious hosts (deliberately set the local price as the lowest price, and push the agent to return immediately)

  16. Agent Protection • Some proposed approaches: • Agent tampering detection • range verification, timing information • addition of dummy items and functions • state appraisal functions, cryptographic watermarks • Agent tampering prevention • time-limited black-box [Hohl] • shared secrets, interlocking of agents • a fault-tolerance approach • execution of encrypted functions [Sander & Tschudin] • Not very well developed
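The following is an added example, not code from the slides or from any of the agent systems they name. It replays the air-ticket scenario of slide 15 and shows what one of the detection items of slide 16, a state appraisal function with range verification, can and cannot catch when the agent returns home. The host names, prices, the layout of the agent's state and the plausible price range are all constructed for the demonstration.

```python
# Added example, not from the slides: an owner-side state appraisal function for
# the air-ticket agent of slide 15, illustrating the "state appraisal functions"
# and "range verification" items of slide 16. Host names, prices, the agent
# state layout and the plausible price range are all constructed assumptions.
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Offer:
    host: str
    price: float


@dataclass
class AgentState:
    itinerary: List[str]                                  # hosts the owner told the agent to visit, in order
    visited: List[Offer] = field(default_factory=list)    # one record per host actually visited
    lowest: Optional[Offer] = None                        # the minimum the agent "remembers"


def run_agent(state: AgentState, host: str, local_price: float) -> AgentState:
    """Honest host: record the local offer and update the running minimum."""
    offer = Offer(host, local_price)
    state.visited.append(offer)
    if state.lowest is None or offer.price < state.lowest.price:
        state.lowest = offer
    return state


def brain_flush(state: AgentState) -> AgentState:
    """Data tampering (slide 15): a malicious host erases the remembered minimum."""
    state.lowest = None
    return state


def force_local_lowest_and_return(state: AgentState, host: str, local_price: float) -> AgentState:
    """Execution tampering (slide 15): the host records its own price as the minimum
    regardless of what was seen before and sends the agent home at once, so the
    remaining hosts on the itinerary are never visited."""
    offer = Offer(host, local_price)
    state.visited.append(offer)
    state.lowest = offer
    return state


def appraise(state: AgentState, price_range=(50.0, 5000.0)) -> List[str]:
    """State appraisal run by the owner when the agent returns.
    Returns the list of violated invariants; an empty list means the state is accepted."""
    problems = []
    # Itinerary completeness: an agent pushed home early has fewer hops recorded.
    if [o.host for o in state.visited] != state.itinerary:
        problems.append("itinerary incomplete or reordered")
    # Range verification: every recorded price must be plausible for the item.
    lo, hi = price_range
    for o in state.visited:
        if not lo <= o.price <= hi:
            problems.append(f"price out of range at {o.host}: {o.price}")
    # Consistency: the remembered minimum must be the minimum of the per-host records.
    if state.visited:
        true_min = min(state.visited, key=lambda o: o.price)
        if state.lowest is None or (state.lowest.host, state.lowest.price) != (true_min.host, true_min.price):
            problems.append("remembered minimum inconsistent with visited records")
    return problems


def demo() -> dict:
    """Run the honest itinerary and the two tampering scenarios; return the appraisal of each."""
    itinerary = ["A", "B", "C"]
    honest = AgentState(itinerary=list(itinerary))
    for host, price in [("A", 300.0), ("B", 250.0), ("C", 400.0)]:
        run_agent(honest, host, price)

    flushed = AgentState(itinerary=list(itinerary))
    run_agent(flushed, "A", 300.0)
    run_agent(flushed, "B", 250.0)
    brain_flush(flushed)                      # B tampers after recording its offer
    run_agent(flushed, "C", 400.0)            # C is honest, but the minimum is now wrong

    hijacked = AgentState(itinerary=list(itinerary))
    run_agent(hijacked, "A", 300.0)
    force_local_lowest_and_return(hijacked, "B", 900.0)   # B never lets the agent reach C

    return {"honest": appraise(honest), "flushed": appraise(flushed), "hijacked": appraise(hijacked)}


if __name__ == "__main__":
    for name, problems in demo().items():
        print(f"{name}: {'accepted' if not problems else problems}")
```

The appraisal only checks the returned state against itself and against what the owner already knows (the itinerary, a plausible price band). A host that rewrites the per-host records and the remembered minimum together, consistently, passes it; that gap is why slide 16 also lists cryptographic watermarks and prevention approaches, and why the slide judges agent protection not very well developed.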

  17. Security Services, RPC • Sockets: no security services at all! • Sun RPC: • secure RPC services for authentication (man secure_rpc) with four options • Kerberos v5: authentication, per-session key generation • SSLeay: free library functions implementing SSLv3, for authentication and encryption • Proposed standard: Generic Security Services Application Program Interface version 2 (GSS-API v.2) (RFC 2078)

  18. Security Services, CORBA • CORBA Security Services specification • required implementation of objects Credentials, Principal Authenticator, Security Context, Access Control, etc. • support authentication, authorization, security auditing, etc. • however, existing implementation of the specification is unknown • some vendors add their own security add-on for their ORB product (e.g., SSL pack for Visibroker)

  19. Security Services of MAS • Aglets and Odyssey: • Host protection based on Java security model (sandboxing and signed applets) • No information about agent protection • Voyager: • SSL for communication security • No details available about host and agent security

  20. Summary of Evaluation • Intuitively speaking: • Paradigms: Client/server → REV/COD → Mobile agents: more possible attacks, mechanisms less developed • Technologies: RPC → CORBA → MAS: higher level of abstraction, services less developed

  21. Security Model for Mobile Agents [Figure: an agent visiting Host 1, Host 2, …, Host n in turn] • The agent stays at host i for a time period $t_i$ • Assume an independent, exponentially distributed time-to-breach at each host i (Jonsson’s experiment), i.e., $P(\text{breach at host } i) = 1 - \exp(-\lambda_i t_i)$ for $i = 1, \dots, n$, where $\lambda_i = v k_i$ is a constant; v: index of vulnerability; $k_i$: index of malice

  22. Proposed Security Model (cont’d) • Security of system = P(no breach at any host) $= \exp(-\lambda_1 t_1)\exp(-\lambda_2 t_2)\cdots\exp(-\lambda_n t_n) = \exp\!\left(-\sum_{i=1}^{n} \lambda_i t_i\right)$ • A possible application of the model: assume we can estimate $\lambda_i$ for each i from 1 to n; then we can determine the upper limits of time to stay on each host i (a set of values of $t_i$) for the agent to remain free of breach with a given probability (ref: time-limited black-box)
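The model of slides 21 and 22 carried through numerically, as an added example that is not part of the original presentation. It computes the per-host and whole-trip breach probabilities from $\lambda_i = v k_i$, then inverts the product formula to obtain stay limits $t_i$ for a target no-breach probability, as the application on slide 22 suggests. The values of v, the malice indices $k_i$, the stay times and the rule for splitting the exposure budget across hosts are constructed assumptions; the slides only state that such a set of $t_i$ can be derived.

```python
# Added example, not from the slides: the breach-probability model of slides 21
# and 22 carried through numerically. The vulnerability index v, the malice
# indices k_i, the stay times t_i and the way the total exposure budget is split
# across hosts are constructed assumptions for this demonstration.
import math
from typing import List, Optional


def host_rate(v: float, k_i: float) -> float:
    """lambda_i = v * k_i: per-host breach rate from the vulnerability and malice indices."""
    return v * k_i


def p_breach_at_host(lam: float, t: float) -> float:
    """P(breach at host i) = 1 - exp(-lambda_i t_i) for an exponential time-to-breach."""
    return 1.0 - math.exp(-lam * t)


def p_no_breach(lams: List[float], ts: List[float]) -> float:
    """Security of the system = P(no breach at any host): the product of the per-host
    survival probabilities exp(-lambda_i t_i), which equals exp(-sum lambda_i t_i)."""
    assert len(lams) == len(ts)
    p = 1.0
    for lam, t in zip(lams, ts):
        p *= math.exp(-lam * t)
    return p


def exposure_budget(p_target: float) -> float:
    """Largest total exposure sum(lambda_i t_i) for which P(no breach) >= p_target."""
    if not 0.0 < p_target <= 1.0:
        raise ValueError("target probability must lie in (0, 1]")
    return -math.log(p_target)


def max_stay_times(lams: List[float], p_target: float,
                   weights: Optional[List[float]] = None) -> List[float]:
    """Upper limits t_i for the stay at each host so that P(no breach) >= p_target.
    The budget is split across hosts in proportion to `weights` (equal by default);
    any split whose parts sum to the budget satisfies the bound, so the split is a
    design choice (assumed here), not something the model fixes."""
    if weights is None:
        weights = [1.0] * len(lams)
    total = sum(weights)
    budget = exposure_budget(p_target)
    return [budget * w / total / lam for w, lam in zip(weights, lams)]


def example() -> dict:
    v = 0.01                              # assumed vulnerability index of the agent
    ks = [1.0, 2.0, 5.0]                  # assumed malice indices of hosts 1..3
    lams = [host_rate(v, k) for k in ks]  # 0.01, 0.02, 0.05 breaches per time unit
    ts = [10.0, 10.0, 10.0]
    limits = max_stay_times(lams, 0.9)    # stay limits for a 90% no-breach target
    return {
        "rates": lams,
        "p_no_breach_10_each": p_no_breach(lams, ts),        # exp(-0.8)
        "limits_for_0.9": limits,
        "p_no_breach_at_limits": p_no_breach(lams, limits),  # 0.9 by construction
    }


if __name__ == "__main__":
    for key, value in example().items():
        print(key, value)
```

With equal shares of the budget the most malicious host (largest $k_i$, hence largest $\lambda_i$) gets the shortest permitted stay, which is the intuition behind the time-limited black-box reference on the slide: the agent's exposure on any one host is capped so that the overall no-breach probability stays above the target.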

  23. Conclusion • Mobile agents as an emerging paradigm to substitute/complement client/server • Mobile agent systems being developed worldwide • Security concerns as a major factor • Mobile agent security needs particular attention • A model is proposed for evaluating security of mobile agent systems

  24. Future Work • Derive new security mechanisms to protect mobile agents • Implement security services for mobile agents • Conduct experiment to verify the proposed model • Evaluate different security mechanisms and services based on the proposed model

  25. Questions and Answers

  26. The End
