Embed Size (px)
Citation preview
Mobile Agent Security
Dan Gaudette
Graduate Seminar Class
November 25, 2003
Overview
Review of what I did last time What is an agent again?
Benefits Drawbacks
Security Issues Different types of attacks
Server to server, server to agent, agent to server, agent to agent How they do the attack – masquerading, etc.
Aglets Malicious Hosts
Classification of threats Security Goals Malicious Host Detection Countermeasures
Mobile Agent [5]
Agents typically possess several (or all) of the following characteristics: Small in size Goal oriented CommunicativeCooperativeFlexible
Mobile Agent [5]
Mobile Agents can travel across the heterogeneous network in order to perform an assigned task.
Mobile Agents are one of the popular and simpler ways of retrieving information from the Internet.
Aglets are fundamentally Java-based autonomous software mobile agents. An aglet carries its state and as well as data along with it while traveling across the network.
Basic idea: Create once, go anywhere.
Mobile Agent
They are often used in information searching, filtering and retrieving applications, low-level network maintenance, testing, fault-diagnosis and for dynamically upgrading existing services [13].
Mobile Agent Benefits [5]
Reduce human work Handle information overload Provide automated help Reduction of network traffic Adaptive Negotiation capabilities Learning capabilities
Mobile Agent Drawbacks [5]
Security is a huge issueMain reason why agents aren’t as popular as they
could be Lack of mobile agent standards
Each implementation has it’s own specific benefits and drawbacks
No coordination, cooperation, or communication between agentsespecially between different kinds of agents
Aglets
Aglet – Implementation of an Agent
Why study Aglets?clear and simple structuregood GUI (Tahiti server)very accessible usegood documentationhigh user acceptanceopen source / freewareworks on Java2
A Little More on Aglets [8]
Implemented standards: MASIF - Mobile Agent System Interoperability Facility works with CORBA
Communication: Sockets message-passing between agents ATP (support HTTP tunneling) problems with firewalls
Mobility: weak mobility Java serialization (byte code)
A Little More on Aglets [8]
Security policy: built-in security mechanism through Tahiti server three roles (aglet, manufacturer, owner) context and server security network domain agents are shielded using proxy object standard Java security (JDK keytool)
Practical uses: TabiCan – electronic marketplace for air tickets in Japan
(thousand machines)
Developing Aglets [8]
Aglets Software Development Kit (ASDK) developed by IBM is a Java-based framework for implementing mobile agents called aglets.
It provides a network agent class loader that enables mobility of agent code, data and state information.
Aglets package can be downloaded from the Sourceforge.net or the IBM website.
Aglets [8]
Aglets are Java objects that can move from one host on the Internet to another.An aglet that executes on one host can
suddenly halt execution, dispatch itself to a remote host, and resume execution there.
When the aglet moves, it takes along its program code as well as its data.
Aglet Architecture [7]
Aglets architecture consists of two APIs and two implementation layers. Java Aglet API Aglets Runtime Layer – The implementation of Aglet API Agent Transport and Communication Interface (ATCI with ATP as an
application-level protocol) Transport Layer
Aglet API [7]
Internet agent developers can develop platform independent aglets writtenin Java programming language and expect them to run on any host that supports Aglet API. Aglet: Provides methods that control the mobility and lifecycle of an aglet. Aglet Context: Provides the execution environment at the remote site. Aglet Proxy: Provides a handle that is used to access the aglet. Message: An object exchanged between aglets.
Aglet Life Cycle [7]
Different stages in an aglet execution are shown in the figure.
Aglets can be: created, cloned, dispatched, retracted, deactivated, activated, disposed
Aglets Security and Communication [7] Security in Aglets
Security is a prime concern for mobile agent technology, and aglets provide an extensible security model in the form of an AgletSecurityManager, as a subclass of the Java Security Manager.
Aglets Communication Messaging between aglets involves sending, receiving,
and handling messages synchronously as well as asynchronously. Aglets communicate with each other by exchanging Message objects.
Malicious Hosts
Malicious Hosts [2]
Goals: to analyze the different security threats that
can possibly be imposed on agents by malicious hosts
to provide a classification of these threats to describe the current solution approaches
that are implemented to address the identified problems
Malicious Hosts
A malicious hosting node can launch several types of security attacks on the mobile agent and divert its intended execution towards a malicious goal or alter it’s data or other information in order to benefit from the agent’s mission [10].
Malicious Hosts Example
For example: A Mobile Travel Agent is sent out by a user to visit several airlines, find the best offer and book and pay the best flight [11].
A malicious host might spy out the price limits set by the user and the offers by competitors. [9]
It might tamper the agent to change the competitors prices.
Malicious Hosts Example
It could advance the agents program counter to the preferred branch of conditional code. [3]
It might steal the mobile agent’s electronic money, credit card number or cryptographic keys.
It might hoodwink the competition by modifying the agent to want to reserve 100 tickets from the competitor so the flight appears full. [3]
Classification of Malicious Host Security Threats [2] Base the classification of threats on the five
fundamental concerns of users gaining access of computer network services [12]: Integrity Availability Confidentiality Authentication Non-Repudiation
Using these fundamental security requirements we identify the following security classes that mobile agents can possibly encounter from their executing hosts.
Class 1: Integrity attacks [2]
Tampering with the agent’s code, state or data implies that the integrity of the mobile agent has been violated.
The motive may be malicious or accidental. There are two subclasses of integrity attacks:
integrity interference information modification
1.1: Integrity interference [2]
Occurs when the executing host interferes with the mobile agent’s execution mission, but does not alter any information related to the agent.
Examples include the cases where the executing host transmits the mobile agent incorrectly does not execute the mobile agent completely transmits the agent to a host that is not specified in the
itinerary executes the agent arbitrarily
1.2: Information modification [2]
Occurs when the executing host takes actions against a mobile agent in an unauthorized way.
Examples include altering, corrupting, manipulating, deleting, misinterpreting
agents incorrect execution of the agent’s Code, data, control flow,
status interfering with the interaction between different agents,
and alters the communication between them for its own benefit.
Class 2: Availability refusal [2]
When a mobile agent arrives at a host it must be given privileges and access to resources that are necessary to carry out the task.
Availability refusal occurs if an authorized mobile agent is prevented from accessing objects or resources to which it should have legitimate access.
Mostly deliberate actions performed by the executing nodes in order to obstruct the agent.
There are three subclasses: denial-of-service delay-of-service transmission-refusal
2.1: Denial of service [2]
Occurs when the requested resources that the agent needs to accomplish its mission are denied.
Examples include A malicious host bombards the agent with so much
irrelevant information that the agent finds it impossible to complete its goals
A malicious host refuses an agent a specific service
2.2: Delay of service [2]
Occurs when the host lets the mobile agent wait for the service and only provide the service or provide access to the required resources after a certain amount of time.
Examples include:A host keeps an agent deactivated until after it is
too late to buy air tickets from a competitor
2.3: Transmission refusal [2]
Occurs when a malicious host disregards the itinerary of the mobile agent and refuses to transmit the agent to the next host that is specified by the agent.
Class 3: Confidentiality attacks [2]
When the assets of the mobile agent are illegally accessed or disposed by its host, the privacy of the mobile agent is not respected and comes under attack.
There are three subclasses of confidentiality attacks:EavesdroppingTheftReverse Engineering
3.1: Eavesdropping [2]
Occurs when the host spies on the agent and gathers information about the mobile agent’s information or about the intercommunication between agents.
Although the host may not attempt to alter the agent, it can use this information for it’s own benefits.
3.2: Theft [2]
Occurs when the malicious host not only spies on the agent, but also removes information from the agent.
Theft and eavesdropping are closely related.
The malicious host may also “steal” the agent itself, use it for its own purposes, or simply kill it.
3.3: Reverse Engineering [2]
Occurs when the malicious host captures the mobile agent, analyzes its data and state in order to manipulate future or existing agents.
Different to a theft attack, a reverse engineering attack enables the host to construct its own similar agents, or update the profile of information to which the agent gets access.
Class 4: Authentication risks [2]
In the case of the malicious host problem, the agent must be able to correctly identify and authenticate its executing host.
The host may hide it’s own identity or refuse to present it’s own credentials which may jeopardize the intended goal of the agent.
There are two subclasses of authentication attacks: Masquerading Cloning
4.1: Masquerading [2]
Occurs when an executing host masks itself as one of the hosts on the agent’s itinerary when it is actually not on it.
4.2: Cloning [2]
Occurs when a host creates an exact copy of the mobile agent.
Each agent carries its own credentials in order to gain authorized access to the services of its executing hosts.
Examples include:When a host creates a clone of the mobile
agent this causes unique agent authentication problems.
Malicious Host Detection
Malicious Host Detection [9]
Threat diagnostic, using AND/OR tree and risk analysis, is a mechanism to protect mobile agents against malicious host attacks.
The method is based on analyzing the probable causes of mobile agent failure to perform its intended function.
It uses the symptoms of different types of malicious host attacks and arranges them in a logical order depending on the expected outcomes.
Malicious Host Detection [9]
Mobile agents consist of three parts: code, a data state and an execution state that allows them to continue their program on the next platform [6].
Mobile agents transport sensitive information such as secret keys, electronic money, and other private data.
We need to have a program that actively protects itself against an execution environment that possibly may divert the intended execution towards a malicious goal [11].
Threat Diagnostic AND/OR Tree [9]
One analytical threat derivation technique is the threat tree approach [1] who’s goal is to prevent mobile agent failures due to malicious host attacks. Need to determine some symptoms for every attack
class. Need to develop a threat tree using a relationship
between the attacks and symptoms of these attacks based on the logical AND/OR relation in which attack can occur only if one the symptoms could occur.
Then one can identify the attack type based on the symptoms it produces
Protecting mobile agents from malicious hosts [9] Attacks against mobile agents are classified as
active and passive attacks [4]. In a passive attack, the attacker does not interfere
with the mobile agent, but only attempts to extract useful information from it.
In active attacks, the attacker can arbitrarily intercept and modify code and data of the mobile agent.
In the next table, we see the malicious host known attacks and the attack symptoms.
Malicious host attacks Symptoms Spying out code Long execution time
Temporary storage Open source code
Spying out data Open source code Long time before visit next host
Spying out control flow Deterioration in performance Alter agent Determine next execution step Watching the control flow
Manipulation of code
Temporary storage Break code Update or change code, state Change behavior of agent
Manipulation of data
Temporary storage Damaged or modification of data
Manipulation of control flow Open source code Break code Update or change code, state
Incorrect execution of code Long execution time Open source code Determine next execution step
Masquerading of the host Temporary storage Open source code
Denial of execution
Watching the control flow Non-executable or delay execution
Spying out interaction with other agents
Change behavior of agent Wrong results
Manipulation of interaction with other agents
Open source code Break code
Returning wrong results of system calls issued by the agent
Watching the control flow Wrong results
Malicious Host Detection [9]
The objective is to allow an agent to execute security-sensitive computations even in an un-trusted execution environment.
If this objective is not met due to the nature of an attack, then the agent will self-destruct.
Figure 1: symptoms for every malicious hosts attack classes
Ranking of Critical Malicious Host Attacks [9] Experiments were carried out with Java
code to create a 1000 random malicious host generator (RMH).
The RMH provided six malicious host attack classes with fourteen attack symptoms.
Probability of Malicious HostAttack Cases
Rank
Malicious Host
Attack Case
Probable Attack
1 Spying 0.538
2 Manipulation 0.451
3 Incorrect Execution of Code
0.270
4 Denial of Execution 0.264
5 Wrong Results 0.263
6 Masquerading 0.121
Countermeasures
Countermeasures To Mobile Agent Security Threats [2] Countermeasures reduce the vulnerability of the
mobile agent against malicious hosts. Mobile agent computing allows for both prevention
and detection mechanisms. Prevention mechanisms aim to protect the mobile agent to
such an extent that it becomes difficult, or at least very expensive to attack the agent
detection mechanisms perform checks to discover possible security breaches
We discuss four types of countermeasures based on trust, recording and tracking, cryptography and time techniques.
Type 1: Trust-based computing [2]
Prevention Tamper Resistant HardwareTrusted execution environment
Detection Detection objects
Type 2: Countermeasures based on Recording and Tracking [2] Prevention
Anonymous itinerary Phone home Using a mobile agent system
Detection Path histories Itinerary recording with replication and voting Mutual itinerary recording Server replication Reference states
Type 3: Countermeasures based on cryptographic techniques [2] Prevention
Sliding encryption Computing with encrypted functions Environmental key generation Digital signatures
Detection Cryptographic Tracing Partial result encapsulation Partial result authentication codes
Type 4: Countermeasures based on time techniques [2] Prevention
Time sensitive agents
DetectionTime sensitive agents
Threat Classes and Corresponding Suitable Countermeasures Table
Threat Class
Threat Subclass Suitable Countermeasures
Integrity Attack
Integrity interference Trusted execution environment
Encryption
Reference states
Information modification
Tamper resistant hardware
Trusted execution environment
Detection objects
Itinerary recording8
Anonymous itinerary
Reference states
Phone home
Encryption
Environmental key generation
Partial result encapsulation & authentication
Cryptographic tracing
Threat Class
Threat Subclass Suitable Countermeasures
Availability Refusal
Denial of service Trusted execution environment
Server replication
Path histories
Cryptographic tracing
Delay of service Trusted execution environment
Path histories
Server replication
Transmission refusal Trusted execution environment
Server Replication
Threat Class Threat Subclass Suitable Countermeasures
Confidentiality Attack
Eavesdropping Trusted execution environment
Using a mobile agent system
Encryption
Environmental key generation
Theft Tamper resistant hardware
Trusted execution environment
Itinerary recording
Using a mobile agent system
Sliding encryption
Reverse Engineering Trusted execution environment
Encryption
Using a mobile agent system
Time sensitive agent
Threat Class Threat Subclass Suitable Countermeasures
Authentication Risk
Masquerading Trusted execution environment
Digital signatures with recording & tracking methods
Cloning Trusted execution environment
Using a mobile agent system
Encryption
Time sensitive agents
Conclusions
We have described classes of security threats being imposed on mobile agents by malicious hosts integrity attacks, availability refusals, confidentiality attacks and
authentication risks It appears that most of the available countermeasures
focus on integrity attacks, while very few exist to counter the others.
The creation of a trusted execution environment is the one measure that covers all the threats.
Whether it is feasible to construct a trusted execution environment under Internet conditions remains to be seen. The malicious host problem is intriguing and offers many opportunities for further research.
Conclusions
One alternative to a trusted execution environment is to have protective measures added to the mobile agent code itself.
In this case, the agent will self-destruct when an attack has taken place. The overhead encountered with this alternative approach is the main problem of applying it in all types of mobile agents. [9]
Future Work
Multi-Layer Protection of Mobile CodeComplete ObfuscationEncrypted ExecutionCode Watermarking
Encrypting Java Archives and its Application to Mobile Agent Security
References:
[1]: Edward G. Amoroso. Fundamentals of Computer Security Technology. Prentice-Hall International, Inc. 1994.
[2]: Elmarie Bierman and Elsabe Cloete. Classification of Malicious Host Threats in Mobile Agent Computing. Technikon Pretoria and University of South Africa. 2002.
[3]: William M. Farmer, Joshua D. Guttman and Vipin Swarup. Security for Mobile Agents: Issues and Requirements. MITRE. 1997.
[4]: Warwick Ford. Computer Communications Security – Principles, Standard Protocols and Techniques. Prentice Hall,1994.
[5]: Dan Gaudette. Mobile Agents: An Introduction. Lakehead University. October 28, 2003.
References:
[6]: Fritz Hohl. A framework to protect mobile agent by using reference states. University of Stuttgart, Germany. March 2000.
[7]: Geetha .N. Kapse. Airline Ticket Information Retrieval Using Mobile Agents. California State University, Sacramento. April 29, 2003.
[8]: Giang Nguyen, Tung Dang. Agent Platform Evaluation And Comparison. June 2002.
[9]: Magdy Saeb, Meer Hamza, and Ashraf Soliman. Protecting Mobile Agents against Malicious Host Attacks Using Threat Diagnostic AND/OR Tree. Arab Academy for Science, Technology & Maritime Transport Computer Engineering Department, Alexandria, Egypt.
References:
[10]: T. Sander and C. Tschudin. Protecting Mobile Agents against Malicious Hosts. Mobile Agents and Security, Springer-Verlag, Lecture Notes in Computer Science. No. 1419, pp.44-60. 1998.
[11]:Toms Sander and Christian F. Tschudin. Protecting Mobile Agent Against Malicious Hosts. International Computer Science Institute pp. 92-97, 1998.
[12]: B. Schneier. 2000 Secrets and Lies. Digital Security in a Networked World. John Wiley & Sons, Inc.
[13]: A.R. Tripathi, N.M. Karnik, T. Ahmed, R.D. Singh, A. Prakash, V. Kakani, and M.K. Vora. Design of the Ajanta System for Mobile Agent Programming. The Journal of Systems and Software. 2001.
