Self-Protecting Mobile Agents
Funded by both OASIS and Active Networks Programs
NAI Labs
24 July 2001
Lee Badger, Doug Kilpatrick, Larry D’Anna, Brian Matt
Not for Public Release

Problem and Objective
• Problem: Mobile programs are vulnerable to tampering by hosts on which they run.
• Objective: Protect mobile agents from tampering while allowing:
    • High mobility.
    • Detached operation.
    • Extended deployment periods.
    • Realistic infrastructure requirements.
[Figure labels: Web Server, Code Red; Running Agent (Code, Data), Agent Execution Server, Host Operating System; Attack, Attack]

Technical Approach (in a nutshell)
• Distribution: replicate agents across multiple, unrelated hosts.
• Present a moving target
• Monitoring/Recovery: regenerate corrupted “agentlets.”
• Code/data Obfuscation: prevent host-based analysis
• Refresh obfuscation before analysis can be completed
[Figure labels: Traditional Agent (one agent on one Host); Self-Protecting Agent (agentlet 1, agentlet 2, agentlet 3, ..., agentlet N, each on its own Host)]

A Time-limited Black Box
Hohl, Fritz, “An Approach to Solve the Problem of Malicious Hosts”
• A host can deny execution, or lie, but it can’t disrupt the programs’ internal consistency for n seconds.
[Figure labels: Source Code, Policy, Obfuscation Transform, Obfuscated Source code, Run for n seconds, Stop.]

Bird’s Eye View
[Figure: timeline (axis: time) of agentlets a, b, c, d. Labels: Originator Host, First Host Set, Second Host Set; Protected period 1, Protected period 2; Agentlets dispatched, Useful work, Agentlets re-obfuscate each other, Migration.]

Strategy
• New features and policy for existing agents.
• No source code required.
• Goal: automatic; no manual per-agent work required.
[Figure labels: Original (binary) agent, policy, transform tool (Distribution Functions, Monitor/Recovery Functions, Obfuscating transform), new binary agent (self-protecting)]

Status as of Norfolk PI Meeting
• Demonstrated testbed of aglet daemons.
• Demonstrated binary editing.
• Demonstrated addition of empty clone agents via binary editing of a simple agent.

What We’ve Done Lately
• “Generic” agent distribution of Aglets via binary transform.
• Simple distributed data management.
• Distributed agent recovery from “simple” attacks.
• Improvement of JBET
    • jbi
    • jbmod
• SPMA Architecture Report.

An Agent’s Life (simplified)
[Figure labels: two Aglet Servers linked by dispatch(); on each, an Aglet with onCreation() or onArrival(), run(), handleMessage()]

“Generic” Binary Editing Strategy
[Figure labels: two Aglet Servers linked by dispatch(); Aglet Master and Aglet Slave, each with onArrival(), run(), handleMessage(), heartbeat(); “tick” messages; Sleep, move; starred additions: Distribute_field(), State _save/restore()]

Generic Distribution: Master/Slave
Messages: “tick”, “locking”, “get/set distributed fields”, “resurrection”
Global State: address_list, who_is_master
• Master performs agent’s work.
• Slaves hold copies of master’s state, travel randomly.
• Agent state easy to catch.
[Figure labels: master on an itinerary host; slaves on other hosts]

Generic Distribution: Distribute Field
• Transparent addition of replication to specific agent state variables.
• Increased integrity (m/n threshold scheme).
• Reduce opportunities to spy on agent.
[Figure labels: Master: original bytecodes, GETFIELD replaced by “RPC to random slave. Receive reply. Push reply on stack.”; Slave: handleMessage() receives the getfield msg]
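
An added sketch, not taken from the slides or from the SPMA code, of the distributed-field read on this slide; it goes beyond the single "RPC to random slave" by polling n slaves and accepting a value only when m replies match. Reading the "m/n threshold scheme" as m-of-n agreement is an assumption, as are the names `Slave`, `get_distributed`, `ThresholdError` and the sample field.

```python
import random
from collections import Counter

class ThresholdError(Exception):
    """Fewer than m polled slaves agreed on the field's value."""

class Slave:
    def __init__(self, name, fields, responsive=True):
        self.name, self.fields, self.responsive = name, dict(fields), responsive

    def handle_message(self, kind, field_name):
        # Models the slave's handleMessage() answering a "getfield" msg.
        if not self.responsive:          # a host can deny execution
            return None
        if kind != "getfield":
            raise ValueError(f"unsupported message: {kind}")
        return self.fields.get(field_name)

def get_distributed(slaves, field_name, m, n, rng=random):
    """Stand-in for the rewritten GETFIELD: poll n slaves, require m equal replies."""
    if not (n // 2 < m <= n <= len(slaves)):
        raise ValueError("need a strict majority: n/2 < m <= n <= number of slaves")
    replies = {s.name: s.handle_message("getfield", field_name)
               for s in rng.sample(slaves, n)}
    answered = [v for v in replies.values() if v is not None]
    value, votes = Counter(answered).most_common(1)[0] if answered else (None, 0)
    if votes < m:
        raise ThresholdError(f"{field_name}: best agreement {votes} of {n}, need {m}")
    # Slaves that lied or stayed silent are candidates for regeneration.
    suspects = sorted(name for name, v in replies.items() if v != value)
    return value, suspects

def demo():
    # Constructed sample: five replicas of one field; one host lies, one is silent.
    slaves = [Slave(f"slave{i}", {"budget": 100}) for i in range(5)]
    slaves[1].fields["budget"] = 999_999
    slaves[4].responsive = False
    return get_distributed(slaves, "budget", m=3, n=5)

if __name__ == "__main__":
    print(demo())
```

The returned suspect list is what a monitoring/recovery function would act on; when no value reaches m votes the read fails closed instead of returning a guess.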

Generic Distribution: Recovery
[Figure: five panels, (A) through (E), each showing the master and slaves placed across Itinerary Hosts and Other Hosts]
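
An added simulation, not the project's code, of the "tick" and "resurrection" messages and the `address_list` / `who_is_master` global state from the master/slave slides. The timeout value, the rule for choosing which slave takes over, and the regeneration of one replacement slave are assumptions; host names are constructed.

```python
from dataclasses import dataclass, field
@dataclass
class Agentlet:
    address: str
    state: dict = field(default_factory=dict)  # master's state, or a slave's copy
    last_tick: float = 0.0                     # when this slave last heard "tick"

class AgentGroup:
    def __init__(self, addresses, timeout):
        self.address_list = list(addresses)        # global state named on the slide
        self.who_is_master = self.address_list[0]  # global state named on the slide
        self.timeout = timeout                     # assumed policy knob, in seconds
        self.agentlets = {a: Agentlet(a) for a in self.address_list}

    def slaves(self):
        return [self.agentlets[a] for a in self.address_list if a != self.who_is_master]

    def heartbeat(self, now):
        """Master side: "tick" every slave and refresh its copy of the state."""
        master = self.agentlets[self.who_is_master]
        for s in self.slaves():
            s.state, s.last_tick = dict(master.state), now

    def monitor(self, now, spare_address):
        """Slave side: if ticks stopped, resurrect the master from a copy."""
        slaves = self.slaves()
        if all(now - s.last_tick <= self.timeout for s in slaves):
            return None
        lost = self.who_is_master
        # Assumed rule: freshest copy takes over, ties broken by lowest address.
        heir = min(slaves, key=lambda s: (-s.last_tick, s.address))
        self.address_list.remove(lost)
        del self.agentlets[lost]
        self.who_is_master = heir.address
        # Assumed: regenerate one slave on another host to keep the replica count.
        self.address_list.append(spare_address)
        self.agentlets[spare_address] = Agentlet(spare_address, dict(heir.state), now)
        for s in self.slaves():
            s.last_tick = now                      # the new master starts ticking
        return lost, heir.address

def demo():
    g = AgentGroup(["hostA", "hostB", "hostC"], timeout=3.0)  # constructed hosts
    g.agentlets["hostA"].state = {"visited": 2}
    g.heartbeat(now=1.0)
    g.agentlets["hostA"].state = {"visited": 3}   # changed after the last tick
    quiet = g.monitor(now=2.0, spare_address="hostD")
    event = g.monitor(now=6.0, spare_address="hostD")
    return quiet, event, g.address_list, g.agentlets[g.who_is_master].state
```

The recovered state is the one from the last tick, so work done after that tick is lost with the master; the tick interval bounds that loss.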

What “Policy” Means Here
• Number of slaves.
• Speed of slaves.
• Replication of master’s state.
• Which data fields to distribute.
• Reaction to hostility.
• Persistence.
• Obfuscation potency, resilience, stealth, cost.
• Self-monitoring granularity.
• Replication level.
• Non-collusion itinerary rules.
• Obfuscation refresh rate.
• Distribution of sensitive state.
• and more...

Administrative Info (Milestones)
Start Date: March 14, 2000
End Date: March 15, 2003
• Feb. 28, 2001: Policy Specification and Architecture Report
• April 30, 2001: Prototype Distributed Agent Generation Tool
• Nov. 15, 2001: Obfuscation Techniques Evaluation Report
• March 15, 2002: Obfuscated Agentlet Prototype
• Dec. 15, 2002: Distributed, Self-Healing Obfuscated Agentlet Prototype
• Jan. 15, 2003: Final Report

Technology Transfer
• DARPA programs: Active Networks, systems such as Ultra Log.
• Open Source distribution.
• Java.
• Tool-based approach on binary files: no source needed!
• Explore application to NAI products that employ agents.
• E.g., binary translating boundary controllers.