180 likes | 307 Views
Self-Protecting Mobile Agents. Funded by both ITS and Active Networks Programs NAI Labs, Network Associates, Inc. 17 July 2000. Lee Badger Brian Matt Steven Kiernan. Mobile Program. Mobile Program. Host. Host. Trusted Bases and Itinerant Programs.
E N D
Self-Protecting Mobile Agents Funded by both ITS and Active Networks Programs NAI Labs, Network Associates, Inc. 17 July 2000 Lee Badger Brian Matt Steven Kiernan
Mobile Program Mobile Program Host Host Trusted Bases and Itinerant Programs • Protect the host: enforce least privilege • Type-safety, SFI, access control, Wrappers, IRM, PCC. • (BTW: policy definition is the hardest part) • Protect the mobile program
Malicious Hosts Problem • Mobile agents will need to execute on unfriendly hosts, but a host may: • non-randomly modify an agent’s behavior • steal an agent’s secrets (if any) • deny execution • execute improperly • crash the agent • lie to an agent
Technical Objectives • Protect software agents from tampering while allowing: • High mobility. • Detached operation. • Extended deployment periods. • Realistic infrastructure requirements.
Existing Practice • Limit Mobility to Trusted Places • hardware peripherals, trusted hosts • Detect Malicious Execution After it Happens • state appraisal (Farmer), detection objects (Meadows), cryptographic traces (Vigna) , partial result authentication codes (Yee), fault-tolerance techniques (Schneider) • Prevent Malicious Execution • encrypted functions (Sander, Bazzi), code/data obfuscation (Collberg, Low, Hohl)
Technical Approach (in a Nutshell) • Spread agents across multiple, unrelated hosts. • Force hosts to collude for their attacks to be effective.
Applications of Obfuscation • “Security through obscurity.” NOT! • Long-lived resistance to analysis. NOT! • 1999 DVD copy protection break. • Protection of algorithms from theft. • DashO-Pro (www.preemptive.com) • Jcloak (www.force5.com) • Elixir (www.elixirtech.com) • RetroGuard (www.retrologic.com) • Temporary resistance to analysis. • E.g., IA experiment 9907 (dynamic IP numbers)
Obfuscation (trivial to not-so-trivial) Kinds of Obfuscation Layout Obfuscation Preventive Obfuscation Data Obfuscation Control Obfuscation Language- Breaking Obfuscation
Data Obfuscation variable splitting scalar/object conversion static data to procedure change variable lifetime add variable distance split/fold/merge arrays change encoding merge scalar variables Control Obfuscation break basic blocks inline methods outline statements unroll loops reorder statements reorder loops reducible to non-reducible flow graphs table interpretation Obfuscation
Opaque Predicates • Opaque predicate: A fact about a program’s state known at obfuscation time that is hard to determine from the code. • Two basic manufacture techniques • Exploit difficulty in alias analysis. • E.g., embed graph operations • Exploit difficulty in concurrency. • E.g., embed threading
Obfuscation “Strength” • Potency: Difficulty for a human to reverse engineer. !(software engineering practices) • Resilience: Difficulty of writing a tool to reverse the obfuscation. • Cost: Space/time costs. • Stealth: Ease of spotting obfuscation mechanisms. Ease of spying out the policy. From Douglas Low’s thesis.
Source Code Obfuscation Transform Obfuscated Source code Run for n seconds Stop. Policy A Time-limited Black Box Hohl, Fritz, “An Approach to Solve the Problem of Malicious Hosts” • A host can deny execution, or lie, but it can’t disrupt the programs’ internal consistency for n seconds. • Can this temporary protection be leveraged into ongoing protection?
What “Policy” Means Here • Obfuscation potency, resilience, stealth, cost. • Self-monitoring granularity. • Replication level. • Non-collusion itinerary rules. • Obfuscation refresh rate. • Distribution of sensitive state. • Phone-home flee-home thresholds. • And More!
Threats (Evaluation, too) • (Quickly) defeat obfuscation. • Track down sibling agents and implement coordinated attack. • Black-box testing revealing secrets. • Deny execution. • Inject bogus agents. • Analysis of long-lived agents. • Prohibitive cost.
What We’ve Done So Far • Surveyed obfuscation tools. • Surveyed agent systems. • Choose a system (Kaariboga, ANTS) • Weak mobility • Java • Multi-hop • Open source • Created a build environment. • Formulated a technology transfer strategy.
Task Schedule 01 02 03 Architecture Report Distributed Agents Prototype Obfuscation Agents Report Obfuscation Prototype Self-healing Agents Prototype Final Report
Technology Transfer • Active Networks, systems such as ALP. • Open Source distribution. • Java. • Tool-based approach. • Start with Kaariboga, move to other systems. • Explore application to NAI products that employ agents.