Embed Size (px)
Citation preview
Mobile Commerce Security: Legal & Technological Perspectives
Michael Triguboff
2
Table of Contents
EXECUTIVE SUMMARY 4
INTRODUCTION 7
The Need for Security 11
PART I TECHNOLOGY 12
Client-Side Vulnerabilities 12 Browser Software 13 Java Applets 14 ActiveX controls 16 JavaScript 18 Plug-Ins and Graphic Files 18 Push technology 18
Web Server Security 19 Front-end 20 Firewalls 22
Back-end Database vulnerabilities 23 Server- Side Middleware 24
Operating System Problems 25 Hardened versions of Operating Systems 36 Distributed systems 37
Software Testing 38
Mobile Commerce Issues 43 Device Properties 43 Wireless Communication 45
Wireless Communication Protocols 47 Ad Hoc Networks 49
Ad Hoc Networks and Key Management 51 Network Protection in Ad Hoc Networks 54
Location Dependent Information and Mobile Computing 55
Mobile Agents 56 Protecting the Host from the Mobile Agent 59
Safe Code Interpretation 61 Digital Signatures 63 Proof Carrying Code 63 Path Histories 64 Software-Based Fault Isolation [“Sandboxing”] 64
Protecting the Agent From the Host and Other Agents 64 Secure Control of Remote Agents 65 Read-Only/Append-Only 65 Partial Results Encapsulation 66 Code Obfuscation 67 Computing with Encrypted Functions 67 Environmental Key Generation 68 Execution Tracing 68 Itinerary Recording 69 Security Through Shared Secrets and Interlocking 69 Other Approaches 69
Attacks Based on Device Limitations 71
3
Prevention, Detection and Reaction 71 Intrusion Detection 72
Intrusion Detection and Mobile Agents 75
Part I Conclusion 76
PART 11 THE LEGAL PERSPECTIVE 80
The Debate: A Confluence of Two Streams 81
Uniform Electronic Transactions Act 85
Article 2B of the Uniform Commercial Code 85
The Electronic Signatures in Global and National Commerce Act [“E-Sign Act”] 88 Jurisdiction Selection 90
Reaction- Criminal Law 96 Convention on Cyber-Crime 97 Evidentiary or Procedural Law 99
Practical Considerations 100
Part II Conclusion 101
APPENDIX 103
Digital Millennium Copyright Act 103
BIBLIOGRAPHY 107
4
EXECUTIVE SUMMARY The objectives of this project are twofold. The first objective is to remedy what the author perceives to be a failure in his IT education to adequately address security issues. In the author’s experience, a common pattern in all the IT courses undertaken, in a number of universities, is to relegate security aspects to the end of the course timetable. Frequently, if time does not permit, the security aspect is not covered or not examined. The second goal is to attempt to analyse computer security issues from both a technical and a legal perspective. Security cannot be guaranteed by technology or law alone. Security must be based on a total infrastructure – technical, legal, social, economic and political. As with our homes, security does not necessarily flow from the existence of technological devices to deter unwanted intruders, though these devices help. Security comes from the knowledge that there are social, political, economic and legal systems that protect us and recognize our rights. It is the overall structure, and not any technology or law that creates the feeling of security. And for electronic commerce, that sense of security must be ‘felt’ by the end users; the fact that the computer professionals believe the system is secure is necessary but not sufficient to allow the development of electronic commerce, as witnessed by the reluctance of consumers to expose their credit card details on the Internet, even though there is less danger than exposing the credit card details to a waiter in a restaurant1. The author believes that few, if any, academics or practitioners have focused on both the technological and legal aspects of security to date. Interest in computer security has increased over the last year as a result of two factors. The events of September 11 ignited fears of a cyber-terrorist attack. Though many security experts are sceptical of the likelihood of a successful cyber-offensive, the fears have raised awareness as to the issue of computer security generally. The terrorist attacks of September 11 forced entities to acknowledge their dependence on, and vulnerability to, computer networks. A survey of information technology managers and chief information officers, conducted by Morgan Stanley shortly after the terrorist attacks of September 11, 2001, found that security software had jumped from fifth priority or lower to become their top priority2. The level of awareness of the importance of computer security has been further augmented by recent compliance concerns. As a result of recent changes to U.S. audit standards, companies are now required to ensure that information used to prepare public accounts is adequately secured. This has been widely interpreted to mean that a company’s entire network must be secure3. Schneier4 prophesises that just as chief executives are legally required to attest on a quarterly basis that the company’s financial accounts are correct, in certain publicly listed companies at least, chief information officers will soon be required to attest similar security declarations. A security system needs to encompass prevention, detection and reaction. If any of these three aspects are neglected, the security system will be inadequate. To date, most attention has been paid to preventive methods, with somewhat less attention to intrusion detection. Reaction requires a technical, legal and economic infrastructure which will be addressed below. The focus of this project has been on the security aspects of electronic commerce, and particularly on mobile electronic commerce.
1 Such reluctance is not logical, in that most credit card issuers around the world explicitly or implicitly limit liability for unauthorised purchases, if detected, to a relatively small amount. In Australia, for instance, the limit is about USD25. 2 as reported in The Economist, October 26 , 2004. 3 as reported in the Financial Times, September 28, 2002 4 Bruce Schneier, <http://www.counterpane.com/crypto-gram.html>.
5
Part 1 is an overview of some of the technological aspects of security. Since many of the security issues concerning mobile commerce security are inherited from traditional fixed line systems, the issues confronting these systems are first addressed. The client software, network server and back end databases are examined for vulnerabilities. The analysis of client software includes an examination of Java and ActiveX controls. Since operating system bugs are among the most common security flaws, some of the operating system protection mechanisms are focused upon. Part 1 also addresses mobile commerce issues including the limitations imposed by mobile devices and wireless communication. Ad hoc networks are analysed in some detail. Much of the envisaged mobile commerce will utilise ad hoc networks, which because of performance limitations, such as available bandwidth, memory and CPU power constraints is vulnerable. The requirement that certain authorisation and access control tasks be performed off-line, and the fact that there may be no centralised authority introduces new challenges which are addressed. The issue of ad hoc networks and key management without a certifying authority is also discussed. Mobile agents, compared to RPCs and message passing, are especially suited to mobile commerce. Mobile agent security issues are discussed, both in terms of protecting the host from a malicious agent, and protecting the agent from a malicious host or other agents. The incremental security issues of mobile agents compared to Java applets is examined. Intrusion detection is next examined. The deficiencies of current commercial intrusion detection systems are noted, both for traditional and for ad hoc networks. An interesting area has been the discussion of using mobile agents in intrusion detection schemes. Part 11 focuses on the reaction aspect from the legal perspective. The dichotomy and convergence of two distinct streams of law reform is analysed. These two separate movements, one with its origins in law, and the other with its origins in technology, represent two philosophies. One stream, labelled the ‘law revisionist’ , ‘minimalist’ or ‘technology neutral’ stream, focused on maintaining commercial laws to be generic and supportive, by seeking to eliminate distinctions between traditional transactions, evidenced by writing and signatures, and electronic transactions. This stream strove to maintain both technological neutrality and implementation neutrality, relying on the marketplace to make the appropriate choices. The express goal of the second stream , the ‘technological movement’, was to support and promote specific technologies, in particular the Public Key Infrastructure model. This stream is more paternalistic in nature, and does not rely on the marketplace to make the choice, believing that the market requires certainty more than choice. The divergence, often not as stark as presented above, is being discussed on many simultaneous fronts- at the U.S. state level, at the federal level in the U.S. Congress, at the ECU, and at the international level, all of which are examined. A perplexing issue in Internet law has been jurisdiction selection. Jurists, on the one hand, do not want to allow the possibility of ‘jurisdiction shopping’ for the most favourable forum, nor of abdicating national rights to protect its citizens, whilst promoting certainty and electronic commerce. Various approaches to determining the appropriate jurisdiction are examined. The criminal law system is examined in the context of its ability to guard against cybercrime. The issue of treating cybercrime as different from ‘traditional’ crime, and whether the existing legal infrastructure is inadequate for these new concepts is discussed. Finally, some of the practical implications of the potential liabilities resulting from electronic commerce security violations are examined.
6
In Appendix 1, the Digital Millennium Copyright Act [DMCA] is analysed, as an example of a law specifically introduced to enhance traditional property rights [copyright] from the threat of the Internet. The DMCA is an example of the juxtaposition between protection of property and civil rights when such laws are extended. Though the original mandate of this project called for an examination of the DMCA, the author believes that the DMCA is somewhat tangential to the underlying theme of this project. To satisfy the competing objectives of fulfilling the project brief, whilst not detracting from the underlying theme, the analysis of the DMCA was appendixed.
7
INTRODUCTION Security violations in Internet-based systems have received much notoriety in the popular press, which, in turn, feeds the media frenzy over every new Internet security violation. As a result, a general paranoia of insecurity in e-commerce transactions has gripped the consumer public. Aside from perception, there are several technical reasons why electronic commerce must have stronger requirements on security than traditional forms of commerce. - First, and most importantly, the potential damage caused by unauthorised intrusion into one
computer is exponentially increased by the networking of computer systems. - Second, the storage of sensitive data in repositories or databases makes e-commerce systems
ideal targets. For instance, hacking an on-line firm's database that holds all its customers' credit card numbers is more profitable than checking through garbage for credit card receipts.
- Third, the lack of forensic evidence in computer crimes makes detection, capture, and prosecution more difficult. An individual can hack into a computer network and transmit a message with the address of another party. Regular and rigorous auditing of computer usage is rarely practiced. Legal cases against computer crimes depend on auditing practices, audit trails, and the ability to demonstrate malice.
- Fourth, the ability to write programs to automate computer crimes provides a higher return on investment for computer criminals than physically committing the crime on site. Once written, hacking tools are distributed widely among "underground" networks and used by junior hackers that often do not know how the exploitive scripts work, let alone how to write them.
- digital information is very malleable. Alterations to the text of paper based communication can be obvious to the naked eye, but the text of an authentic electronic communication, if carefully managed5, contains no inherently distinctive characteristics that would distinguish it from the text of an altered version of that electronic communication.
Finally, computer crimes can be committed with no almost no geographic dependence in almost complete anonymity. Electronic communication is readily transmissible, and can be stored , altered or retrieved along its journey between sender and recipient. The lack of a physical evidence trail at the scene of the crime makes detection and prosecution of computer crimes more difficult than ordinary white-collar crime and reduces the risks for perpetrators of computer crime. Part of the problem of electronic commerce security concerns is relative neglect. With the notable exception of banks, health-care groups and other regulated bodies, most businesses spend a miniscule amount – usually no more than 0.15% of sales – on computer security6. Laura Koetzle of Forrester Research estimates that this amount is less than many of the businesses spend on staff refreshments7! Computer security expenditure increased by 28% in 20018, and is expected to continue growing strongly, often at the expense of other technology spending. But this increase is from a very low base. One of the problems is that the majority of firms do not realize the cost of security breaches. There is an understandable reluctance to report security breaches which could result in liability for the entity whose system was breached, as well as loss of stakeholder trust in the integrity of the system.
5 that is, if care was taken to mask any changes so as not to be detected by a HEX editor or similar tool. 6 The Economist, July 18, 2002. However, some consultants, such as IDC [ reported in the Financial Review, as of September 9, 2002] have reported an increased awareness of IT security issues “despite the period of apathy.. after last year’s terrorist attacks”. 7 ibid 8 Jordan Klein, UBS Warburg.
8
A further complication is that the vast majority of unauthorised intrusions are initiated from within the corporate firewall, which are less easy to detect. Another problem is that senior management often are concerned about issues such as virus attacks and malicious hackers and neglect the problems of internal security, from which the majority of security issues emanate. Internal security issues includes disgruntled employees, customers, suppliers and other stakeholders. This is not surprising: viruses and hackers are sensational and receive a lot of publicity, whilst internal security breaches are hushed up. Viruses are a nuisance, but the press coverage they receive is disproportionate to the dangers posed. Some vendors of anti-virus software fuel the hysteria by transmitting warnings by e-mail at every opportunity. Often security is no more than an afterthought which typically results in security having to be shoehorned into a pre-existing design. This results in material design challenges for the enforcement mechanism and for the rest of the system. Often, security is not initially considered, not as a result of poor planning, but because of the requirement to utilise legacy systems which previously may have operated within secure intranets but today need to be exposed to the internet. In such cases, there is no alternative to adding security to a system after the fact. However, the result may be a lack of accord between the security of the legacy system and that of the target standard protocol. For example, UNIX systems and CORBA have different security policies and enforcement mechanisms. UNIX authentication is based on user-password authorization. CORBA uses Kerberos-based authentication. The UNIX file system uses access control based on user, group and everyone else. CORBA access control is more flexible, based on credentials that are owned by a CORBA client, and service controls which encapsulate the access control policy of the related CORBA server. These differences complicate systems where principals can authenticate themselves with either mechanism and use either CORBA or UNIX services9. Though it is widely believed that computer security is the sine qua non of electronic commerce, the commercial firms generally have not focussed as much on security as on other issues. Microsoft relatively neglected security until the last few years10, because, in CEO Steve Ballmer’s words, security wasn’t on its customers’ ‘hit lists’11. Security needs to be viewed as a business enabler, as an aspect of business continuity and contingency planning rather than as a costly overhead. Management often view computer security costs as a tax for risk management. Viewed in this context, no enterprise wants to pay more tax than its competitors unless it can gain an advantage. A set of regulations could provide a ‘level playing field’ by stipulating the minimum acceptable standards for computer security. Although computer systems are increasingly global, there are currently no accepted international industry standards for computer security12. ISO 17799 does not specify particular technological or procedural approaches to security, but concentrates on broadly defined ends. Though better than no attempted standard at all, the standard’s flexibility and lack of transparency has been criticised. Bill Caelli concludes that government, by the introduction of industry standards , should take the initiative in security. Caelli points to the fact that the marketplace has never been a leader in security, as evidenced by the governments, not commerce, demanding seat belts, fire detectors etc13. However, part of the problem is that there is no single universal benchmark for computer security – what is appropriate for one risk environment is not necessarily appropriate for another risk
9 Souder & Mancoridis [ A Tool for securely integrating legacy systems into a distributed environment, in Working Conference on Reverse Engineering [WCRE], Atlanta, GA, October, 1999] suggest the use of wrappers and sandboxes that enforce UNIX-style policies. 10 Priorities may have recently changed. Bill Gates, in an internal email to his Microsoft employees in January 2002 wrote:” When we face a choice between adding features and resolving security issues, we need to choose security”. [ The Economist, October 26, 2002] 11 as reported in the Sydney Morning Herald , September 24, 2002 at pp. 12 12 The UK uses BSI 7799 whilst the US does not have an industry standard at all. 13 ibid
9
environment. A corporate entity will not trust a competitor to develop a standard, and may not trust the industry peer group14. The current paradigm of computer systems has moved away form the more easily secured mainframe model towards more distributed, web-based, agent-based paradigms. The truth is there is no panacea to electronic commerce security. Securing the data transaction via encryption protocols provides privacy for data sent over the Internet. It does not protect a company's e-commerce server system from attack. It does not provide end users protection against malicious mobile code downloaded from rogue Web sites . Any electronic commerce transaction is processed by a number of different components, any of which may be a weak link in the security of the transaction. The security of the system is only as strong as its weakest link. Computer criminals are unlikely to attempt to attack even weak encryption protocols (e.g., 48-bit encryption) when breaking into network servers is so much easier. Thus, the security of the components executing electronic commerce transactions should be relatively uniform in strength. If one component is significantly stronger than others, then the weaker components are more likely to be attacked and the system compromised. The question of what constitutes a secure system is often seen as standardised and binary. Little attention is paid to the parameters of ‘security’. A common security fallacy is that the objective of security is to eliminate all risk and vulnerabilities from a system. No system will be secure if the administrator is tortured and interrogated and forced to allow his captors to access the system. Security is not black or white, and context matters as much as technology. A system might be secure against the average criminal, but would not be secure against an attack from an industrial spy, or a national intelligence agency. A system might also be secure as long as mathematical or technological advances do not occur over a period of time. A totally secure system is not possible or desirable because of conflicting priorities in terms of security and control on the one hand and privacy, freedom and productivity on the other hand. The compromises entities make between this dichotomy results in system vulnerabilities. Being aware of what those vulnerabilities are, the major types and sources of attack, as well as possible motivation for the attack are the first steps in creating a secure computer system. Effective security policy is dynamic and involves continually re-examining and reinforcing security mechanisms and policies by training and periodically adapting to account for new threats. There are costs associated with all security policies and these costs must be weighed against the value of the assets to be protected and the potential harm which would be caused by loss of that asset. The potential harm can also not be viewed in isolation. If each competitor suffered the same damage, the cost of the harm to each single competitor might be less than if only one competitor were attacked15. Without such an analysis, it is difficult for the decision makers to allocate sufficient capital to the development and maintenance of an adequate security policy. The issue is compounded in many of the security costs are hidden in other budget items- for example, employee training in security issues is often not included as an item in the Security budget. To such extent, these ‘hidden’ budget items may be neglected. 14 The author witnessed a parallel lack of trust in the genesis of Swift, an online authentication communication system for the banking industry. No bank was willing to trust a competitor, in this case Chase Manhattan Bank, to control the communication channel. An attempt by the trade organisation to establish such a system also failed. Finally, an organisation was set up, owned by all the participants, and it is this entity which owns and manages the Swift communication system. 15 For example, in the anxiety surrounding the Y2K issue at the turn of the century, the author, who practices in the financial services industry, often dichotomised the risks to his company if the New York Stock Exchange ceased to function for a limited period of time, in which case, there would be no stock trades and no single competitor could profit from the hiatus; to the situation where a single company could not function, but the rest of the industry could function, in which case its competitors would take advantage of its impotence and the injured company’s portfolio would suffer.
10
Some of the issues which explicitly or implicitly impact on mobile security but will not be addressed in this paper include: - various security models. A security model captures policies for confidentiality and integrity. - the security features of various languages. For instance, with respect to Java, the security
aspects of garbage collection, no pointers, and strict compile-time checking will not be discussed except in relation to Java applets.
- cache coherence; - internet working of fixed and mobile networks; - naming, locating and load balancing techniques for mobile networks; - traffic monitoring and control mechanisms to maintain quality of service and power
management; - cryptographic modifications for mobile networks in the absence of a centralized online ticket-
granting server required for the Needham-Schroeder and Kerberos systems; - physical hardware security – mobile security implies that often the various components of the
mobile system are more accessible to physical intrusion and violation; - data backup and redundancy; - human security risks – the majority of unauthorised intrusions are internally generated. Very
little attention in the literature surveyed seems to have focussed on the need to adequately screen personnel and users of the instant system and its supporting infrastructure. Further, it is important that the security aspects are psychologically acceptable- the users should believe that the security risk is worth the security 'hurdles';
- specific program threats, such as Trojan horses and trap doors; and system threats, such as worms and viruses;
- anonymity protection and location awareness aspects of mobile agents, both aspects impinging on potential privacy right violation;
- the relationship between authentication and privacy. Excessive authentication attempts may result in potential privacy rights violations. The stronger the authentication system, the more privacy issues are likely to be raised.
- various protection mechanisms16, such as access control lists, capability lists, and role based access models, discretionary access control models, mandatory access control models [ though the latter two are briefly mentioned], and domain based access control models.
- applicability and modifications of TCP to wireless networks. - some of the administrative functions inherent in security. For example, it is important to
protect the audit log. The audit log can be protected by setting the logical protection so that only privileged users have write access; by storing the audit log on another computer where the superuser on the audited machine has no superuser privilege; by sending the audit log to a dedicated audit machine where superfluous utilities like compilers, editors, and some network utilities have been removed; etc. The security relevant events to be audited needs to be considered as does the amount of time that the log must be maintained. None of these ‘practical’ issues will be specifically addressed.
- database security. - the Uniform Computer Information Transactions Act [UCITA], already approved in Virginia
and Maryland17. 16 The dichotomy between ‘protection’ and ‘security’ of Silberschatz and Galvin is used. Protection refers to a mechanism for controlling the access or programs, processes or users to the network’s resources. Security, on the other hand, is ensuring the integrity of a system and its data. Security requires not only an adequate protection system, but also a control of the external environment in which the system operates. Internal protection is not effective if there is no means to restrict or detect unauthorized access. 17 except for a brief mention
11
- mandatory security requirements under such legislation as Health Insurance Portability & Accountability Act, Gramm-Leach-Bliley Act, European Union Data Privacy Directive, Council of European Cybercrime Convention, the Patriot Act, Basel Accords etc.
Security is a process with many components, not a product. Like any other process, some components are stronger and some are weaker. The components need to complement each other, and it is often the interaction between the components which is the weakest link. Recognizing that the security of the data transport in e-commerce systems is significantly stronger than other components in e-commerce systems, the weak links in e-commerce security are highlighted in the rest of this paper including client software such as Web browsers, server software including network services and the operating system, and CGI scripts.
The Need for Security Concerns about security, whether real or perceived, need to be put into perspective. Security cannot be ‘legislated’. It is a combination of factors: the technology utilised, its business implementation and state of development, and the legal structure. Doing business ‘securely’ on the information highway is not a simple matter of developing the right technologies to ‘lock up’ information sent electronically to protect against theft or alteration, nor is it a simple matter of developing authentication techniques that allow us to determine with extreme accuracy the actual originator or creator of a given message. ‘Secure’ electronic commerce cannot be achieved merely by legislating those circumstances when requisite ‘security’ is present. Rather, the ‘security’ which business people seek when they begin doing business electronically requires the creation of an entire infrastructure – technical, legal, social, economic, and political – one that is based on practice which recognises, validates and supports electronic commerce. By comparison, many of us feel secure in our homes. This security does not necessarily flow from the existence of technological devices to keep out unwarranted intrusions: fences, burglar alarms, bolts, locks or caller identification on the telephone. To a great degree, the availability of those devices does contribute to our sense of security, but the relationship is not necessarily a direct correlation. Indeed, the more such technological security devices there are in a home, the less likely it is that the inhabitant feels ‘secure.’ While some locks or keys may be necessary, the strongest feelings of security flow from the knowledge that locks and bolts are not needed, that one can leave the house unlocked with the expectation that upon return, things will be as they were upon departure. Security flows in large part from the ability to predict, with a fair degree of certainty, what lies ahead in our daily lives, the ability to control it, and the ability to identify, again with a fair degree of certainty, the risks that we may face so that we can take protective measures. It also comes from the knowledge that there are social, political, economic and legal systems that protects us and recognises our rights. It is the overall structure, not any particular technology or law, that creates that security. Security flows from the knowledge that the economic, social and legal systems recognise these rights, and that redress is available from those who violate or infringe them. Similarly, for businesses involved in electronic commerce, ‘doing business securely’ means an entire complex of things. It encompasses the ability to enter into a commercial transaction that proposes an exchange on terms beneficial to each party, whether a sales, services, or commodities agreement, with the reasonable expectation that it will be performed. Contracts are performed because our economic, social and legal structures support these types of transactions and provide incentives for performance as well as disincentives for breach.
12
In the electronic environment, what is arguably lacking at the moment is a discernable legal and social structure that allows the parties to adequately assess the risks of electronic commerce and to respond by making intelligent choices concerning their own rights and liabilities, including allocation of risks in transactions with others. For example, without an appropriate legal structure that recognises and validates electronic commerce, the presence of all the encryption or authentication devices in the world will not give businesses the security they need to conduct business in the electronic environment. The legal structure must include laws recognising the ability to contract electronically, enforcing deals entered into electronically, and setting forth the rules applicable to the transaction while recognising the power of the parties, within reason, to set the terms as between themselves and choose the applicable law. The desire for ‘security’ has manifested itself in online commerce in somewhat traditional ways. Early on, in the absence of legislative and judicial recognition and validation of electronic commerce and the corresponding lack of industry-wide standards, customs or standards to guide conduct, attempts were made to set the rules for electronic data interchange [“EDI”] through ‘trading partner agreements’ between the parties doing business electronically. Although there are differences between the various proposed interparty agreements, a key ingredient of virtually all of them was the parties’ articulation of the technological security measures to be employed in transacting business electronically, and delineation of the circumstances under which each party would be bound by messages purportedly originated by that party. In situations where the parties were not in prior contact or direct contact, or where the transactions were such that prior negotiation of such agreements was impossible or impractical, alternative contractual models were adopted. One tactic is the articulation by one of the parties to the contract of the applicable terms eg: by posting of the terms on the relevant website18 or by postings stating that any transactions were to be governed by a given set of practices19. PART I TECHNOLOGY Electronic commerce systems are often implemented as a three-tiered architecture consisting of client software, network server software, and back-end databases. In addition, a middleware layer exists between network servers and the back-end databases that processes e-commerce transactions and updates the databases. Vulnerabilities in any of these software components can compromise the security of the entire enterprise. Before analysing these components, it is important to note that security cannot be regarded piecemeal and has to be thought of a system within a larger system.
Client-Side Vulnerabilities
18 The attempt to govern electronic commerce by posting, or having available on a website, the terms and conditions that govern the transactions have led to the use of what have been called ‘click-wrap’ or ‘shrink-wrap’ licences. Questions as to the enforceability of such terms and conditions has resulted in litigation. See Symposium, Intellectual Property and Contract Law in the Information Age: The Impact of Article 2B of the Uniform Commercial Code on the Future of Transactions in Information and Electronic Commerce, 13 Berkeley Tech. L.J. 809 (1998) and at 87 Cal. L. Rev. 1 (1999). Also, Thomas Finkelstein & Douglas C. Wyatt, Note, Shrinkwrap Licences: Consequences of Breaking the Seal, 71 St. John’s L. Rev. (1997) 19 With respect to the providers of specified services, there were statements of practice, such as the certification practice statements used by certifying authorities with digital signatures.
13
Two main risks exist on the client side: vulnerabilities in browser software and the risks of active content on the Web. The latter concern is growing with the popularity of Java applets, ActiveX controls, and push technology; the former remains more obscure but is still highly relevant.20 Browser Software The vast majority of all electronic commerce transactions are performed using Web browsers as the front-end. Web browsers today pose risks to end users' security . The greatest threat to end users' security is simply lack of knowledge about the risks of using Web browsers to visit untrusted sites21. Hazards imposed by executable content can be addressed by disabling their execution from untrusted Web sites by configuring the browser appropriately. Flaws in Web browsers themselves can cause security problems for end users. Employees who use browsers to "surf the Net" may potentially compromise the security of the corporate systems. The first issue companies must wrestle with is whether or not to trust the Web browser itself. Most browsers are given the privilege to execute programs locally, to write to user disks, to upload and download files and programs from the Internet. The consumer must trust that the browser software is not performing any malicious actions such as corporate espionage on a file system and is not vulnerable to exploitation through back doors etc. Before executable content, Web pages were mainly static displays of information coded in HTML. Most Web pages using HTML serve the function of billboards, with Web forms, search engines, and graphic animation brightening an otherwise boring interface. Executable content provides the ability for users to interact during Web sessions. Executable content refers to a program or programs that are embedded in the Web page. These files execute on plug-ins – special purpose interpreters. Browser plug-ins are software modules that can be integrated with the Web browser. When the Web browser begins to download a file of the plug-in’s format, the plug-in will execute the set of instructions included in the file. Plug-ins are often required to view graphic file formats or play audio files22. Executable content transfers some intelligence from the server to the client. An intelligent client is more able to process data locally, decreasing bandwidth requirements and decreasing response time. Executable content poses privacy and security risks to end users, too. Java applets, ActiveX controls, Javascripts, and VBscripts are all examples of executable content. Others include Postscript files, multi-media files for browser plug-ins (e.g., .avi and .wav files), and mail attachments such as MS Word files. All of these forms of executable content are often downloaded or shared in electronic commerce activities.
20 Anup K. Ghosh, E-Commerce Security: Weak Links, Best Defenses, Wiley Computer Publishing, New York, 1998 at pp. 22 21 In fact, it is often difficult to determine whether a site can be trusted. The URL may be of a trusted name , but there is no means of determining if that trusted name owns the URL. Schneier points to an example of Northwest Airlines with a web site to purchase tickets: www.nwa.com. But, for some time a travel agent had the web site www.northwest-airlines.com. Schneier mused that there would be many users who bought airline tickets from the latter, thinking that they were buying from the former. Some companies also embed their competitors’ names in their Web site in an attempt to redirect search engines to point to their site rather than the sites of its competitors. [ Bruce Schneier, Secrets & Lies at pp. 71]. 22 The capability to execute instructions embedded in Web pages and email attachments has narrowed the difference between data and programs. Although graphic files can be considered input to a plug-in, many graphic files are programs in and of themselves. For example a Postscript file is actually a set of instructions to a Postscript interpreter that renders the specified image.
14
Java Applets
Java applets are mobile Java programs. That is, Java applets can be automatically downloaded from any Web page and run within the user's Web browser. Because the browser runs with the privilege of the user, the potential exists for Java applets to gain access to sensitive files on the user's desktop or to even execute commands with the user's full privileges.
Because Java applets automatically download and execute on the user's machine when its hosting Web site is hit, Java applets are considered untrusted code that must be carefully constrained. For this reason, the inventors of Java created a "sandbox" for Java applets in which Java applets may safely execute without posing risks to the user's security or privacy. The Java sandbox poses a technological solution to constraining potentially malicious applet behaviour. This method assigns a constrained region of memory [ the ‘sandbox’] for use by the applet, and was introduced by Wahbe et al23. For instance, Java applets are not permitted to access the local file system. Also, Java applets are not allowed to make network connections except back to the originating site, nor can they listen to network connections made to the user's machine. In the first releases of the Java platform, all programs downloaded from the Internet were assumed to be untrusted, and were prevented by the Java security manager from accessing confidential information, or interacting with the local file system. Even in the first releases, not all programs were untrusted. Programs loaded from the local system [ that is, applications, rather than applets] were not restricted to the sandbox. Release 1.1. of the Sun JDK24 and subsequent releases allowed an applet, if packaged into a ‘JAR25’ file, signed with a digital signature to operate outside the sandbox. These JDK enhancements were never embraced by the Microsoft and Netscape browsers, and the command-line tools were burdensome to the average user. Both the Netscape and Microsoft browsers present the potential user of the digitally signed applet with a prompt, indicating the signatory of the package, the identity of the certifying authority, and the nature of the privileges sought. If an applet has the correct signature to access the file system, for instance, it may be allowed to read or write files. Unsigned applets will still be restricted by the sandbox model. The problems the code signing model introduces are that every site must create, implement, and administer its own security policy for applets. Requiring sites to develop and administer their own security policies has proven to be impractical to date. The Java sandbox is enforced by three technologies: the byte code verifier, the applet class loader, and the security manager . The three technologies work in concert to prevent an applet from abusing its restricted privileges. Because each provides a different function, a flaw in any one application can break the whole sandbox. For this reason, not only must their design be solid, but their implementations must be correct. The complexity of the functions that each technology provides makes correct implementations a difficult goal to attain in practice. The bytecode verifier performs a number of static26 checks when the applets are downloaded from Web sites to ensure that they do not violate type-safety or cause run-time errors that result in security vulnerabilities. The bytecode verifier examines the applets to ensure that there are no attempts to manufacture pointers, execute instructions or call methods with invalid parameters or use variables before they are initiated etc. Static checks examine the structure of the code rather than its behaviour. Applets are downloaded as a series of class files in a platform-independent form called bytecode. The bytecode is checked to be in a proper class file format, ensuring that the class
23 R. Wahbe, S. Lucco, T. Anderson, & S. Graham, , Efficient Software-Based Fault Isolation’, Proceedings of the Fourteenth Symposium on Operating System Principles, pp. 203-216, Asheville, NC, 1993 24 Java Development Kit 25 Java Archive file – a ZIP archive containing a few special files. 26 The checks are labelled ‘static’ because they can be performed without executing the applet.
15
files begin with a ‘magic’ number27, are not truncated and do not have extra bytes appended to the end, and do not contain any unrecognised information. Though a material portion of Java is in the form of native methods which are implemented as object code and are not subject to the bytecode checks, the object code is part of the Java standard library and should therefore be trustworthy.. The Applet Class Loader downloads each of the classes necessary for a Java applet to run that do not exist already on the client machine. Each class is loaded by its own class loader, thus preventing accidental or deliberate name-clashes that can result in security breaches. Since classes can be loaded at run time, there is a danger that an applet can load one of its own classes to replace a system class, thus bypassing that class’ security verification. When an applet is downloaded, the Applet Class Loader will create its own namespace. The risk of Trojan horse attack has been nullified by virtue of providing each class with its own namespace, and searching for system classes before user classes28. Class loaders for built-in classes are specifically marked as trusted. Defining a namespace unique to each applet is important to separate untrusted classes downloaded form the network from local classes residing on the client’s machine. The separation prevents untrusted applets from replacing trusted classes that are part of the standard Java library, as well as isolating classes belonging to one applet from referencing classes belonging to another applet’s namespace. The security task of the Applet Class Loader is to ensure that fundamentals parts of the Java environment are not replaced by any classes that the applet may reference remotely. The bytcode verifier and the applet class loader together provide a base level security for every downloaded applet, before being interpreted by the Java Virtual Machine [“JVM”]. Once the applet executes, the security manager then examines the applet, using dynamic checks while the applet is executing, for security access violations. The security manager is consulted before every access request to enforce the boundaries between classes and to prevent one class from accessing private variables and methods outside its class. The security manager can be customized, and is different for each browser29. The classpath in Java is a list of directories on the local file system which contains compiled Java bytecode. All classes loaded from the classpath are considered to be trusted, and are allowed unrestricted access to system resources. The security manager acts as a reference monitor for resource access. The Java security problems found to date have been a direct result of flaws in the implementations of the three components of the Java sandbox. Despite the efforts of JavaSoft in creating a sandbox, the Java security model has been broken on more than one occasion. The JVM will accept byte code which violates the language semantics and can lead to security violations. A material portion of the Java system is in the form of native methods which are implemented as object code and are not subject to the JVM’s type-safety checks. The Java security model depends on the enforcement of type safety in the language. Dynamic class loading in Java applets makes static type checking infeasible. Hence, the necessity for the three-pronged approach to the sandbox. One of the dangers is the confusion resulting from the potential for many different Java engines to coexist on a single machine. For example, a Windows machine installed with Internet Explorer, Netscape Navigator, and a recent release of Lotus Notes may be running the Java 1.2 install program supplied by Sun. In this case, there would be a JVM developed by Microsoft inside Internet Explorer, a JVM developed by Netscape inside Navigator, a JVM developed by Sun inside Lotus Notes, and the Java plug-ins from Sun inside both browsers. Thus there would be four different JVMs in five different locations using four different signature databases and four different
27 An attribute of all Java class files 28 Thus, if the user loads a malicious version of println, it will not be invoked because the official println will always be loaded first. 29 Currently, the Netscape Navigator and Microsoft IE implement the same security policies for Java applets.
16
sets of security settings. Security related issues becomes a problem of coordinating the various security configurations. Recent work has revealed security exploits that are made possible by certain features or bugs in the Java interpreter. One such exploit was the ability to obtain a complete stack trace by throwing an exception that revealed information about some of the classes of which the underlying mobile code environment comprised.30 Applets can also be used to exploit DNS weaknesses. An applet can open a TCP/IP connection back to the server it was loaded from. The applet may undertake the following functions: - procure all the IP addresses of the hostname from which the applet was sourced. - procure all the IP addresses of the hostname that the applet is attempting to connect to. - if any addresses match, allow the connection. The problem is in the second function: the applet can connect to any hostname so it can control which DNS supplies the second list of IP addresses; information from this untrusted DNS server is used to make an access control decision. An attacker can create a malicious DNS which would allow unauthorised access to any machine on the Internet. ActiveX controls
In contrast to the Java security model, ActiveX controls rely on a trust-based model for preventing malicious controls from executing. An ActiveX control is simply a program wrapped in a pre-specified interface that the Internet Explorer browser can execute. The program executes with the full rights and privileges of the browser. As such any ActiveX control can access any files on the user's machine, can delete, steal, or modify these files, and can execute commands on the user's machine. There are no constraints on the behaviour of ActiveX controls31. The ActiveX control automatically downloaded, installed, and executed from this site will shut down a Windows machine. The only technology imposed on ActiveX controls to prevent potentially malicious behaviour is the control that requires user approval before installing the control. Prior to downloading and installing a new ActiveX control, a dialog box is popped up in the user interface. If the ActiveX control has a signed certificate, the certificate can be displayed to show which organization or individual is endorsing the control. If the user trusts the endorser, then the control will be downloaded and execution will begin. However, there is no technology to prevent a malicious control at this point to violate the security or privacy of the end user. As a result, the security model is totally trust-based. Users must make their own decisions on whether the control is trustworthy or not. ActiveX is an all-or-nothing proposition – the user cannot constrain a native ActiveX control to a limited security domain. Caution must be executed before agreeing to install and execute an ActiveX control, but this is rarely the case. Most users, when confronted with a dialog box warning them of the dangers of a certain application, blindly agree to opt-in, and use the relevant application. Security measures designed to prevent trusted ActiveX controls from damaging a system are non-existent. Microsoft’s response to addressing security issues in using ActiveX is Authenticode. Authenticode does not prevent trusted ActiveX controls form being used maliciously, but it does prevent automatic execution of untrusted ActiveX controls. Authenticode can provide two checks using public keys before executing ActiveX controls: 30 S. Fischmeister, G. Vigna and R. A. Kemmerer. Evaluating the Security of Three Java-Based Mobile Agent Systems. In Proceedings of the 5th IEEE International Conference on Mobile Agents. Lecture Notes in Computer Science 2240. Springer-Verlag 2001. 31 The ActiveX Exploder site: (www.halcyon.com/mclain/ActiveX) illustrates this property well.
17
- verification of signature of code. - verification that code has not been altered since it was signed. The Software Publishing Certificate [SPC] , received from a Certifying Authority [CA] is a prerequisite for signing ActiveX code. Upon receipt, the browser will examine the SPC to determine if it has been signed by a trusted CA. The browsers have a list of trusted CAs , and if the signature matches the corresponding CA public key signature stored in the browser, then the browser will accept the ActiveX control. Authenticode 2.0 provides two new features: - software publisher signatures will be timestamped to determine if the SPC had expired. SPCs
require renewal, the timestamping can be used to ensure renewal, and to continue to meet certain minimum requirements.
- CAs now have ability to revoke SPCs if the publisher violates the agreement with the CA – such as deliberately distributing malicious code. If a certificate is revoked by a CA, the CA will inform the browser the next time the browser updates their list of revoked certificates.
Authenticode works solely on the trust model and does not prevent trusted ActiveX controls from behaving maliciously. If you trust the SPC, the ActiveX control has full rights; if you do not trust the SPC, the ActiveX control has no rights. There is no middle ground to allow the code to execute in a constrained environment, such as the Java sandbox. The problem is that most vulnerabilities today are not caused by malicious behaviour, but by flawed software often sourced from respectable software providers32. The major difference between ActiveX controls and Java applets with respect to security is that ActiveX is based solely on trust placed in code signer, and the Java applet security is based on restricting the behaviour of the applet. This distinction has blurred with the signing of Java applets. Rather than being constrained in a sandbox, signed Java applets will have the ability to access system resources based on trust, similar to the ActiveX security model. But untrusted Java applets can still operate in the sandbox. Future releases of Java will allow fine-grained access control to system resources based on varying degrees of trust, confirmed by digital signatures33. Also, Ghosh expects that the Java applet signing model will be developed to allow different levels of trust as opposed to the binary choice with ActiveX controls34. The Internet Explorer 6.0x Web browser incorporates the concept of security zones for handling active content, based on a similar trust model that permits ActiveX controls to execute. The security zone organizes Web sites into different categories: Internet, Local Intranet, Trusted sites, and Restricted Sites. The idea is to divide the Internet up into zones of trust. The level of trust in each zone is categorised as high, medium, medium-low and low, with varying levels of granularity of access, such as enabling, disabling or prompting on the downloading of ActiveX controls. But the binary decision is still whether the source site is trusted or not. With both Java applets and ActiveX controls, various covert channels exist in browsers which allow applets/ ActiveX controls to establish two way communication with arbitrary third parties. A two party attack requires that the Web server the applet resides on participates in the attack. A three party attack35 can originate from anywhere on the Internet, and may spread if hidden in a desired
32 Browsing through the incident response notices from organizations such as CERT Coordination Centre [ www.cert.org] reveals that many of the notices are initiated by the software vendors themselves. 33 Anuk P. Ghosh, E-Commerce Security: Weak Links, Best Defences at pp. 45 34 ibid at pp. 77 35 As an example of a three party attack, Charles produces a Trojan horse applet, which Bob uses in his Web page. Alice
18
applet that is used by many Web pages. Three party attacks are more dangerous that two party attacks because they do not require the collusion or even knowledge of the Web server on which the applet resides. JavaScript36 JavaScript is a scripting language37 – Microsoft’s version of JavaScript is called Jscript. When a user connects to a Web page that has JavaScript embedded, the user’s browser will automatically download and execute the JavaScript code, unless this browser option has been disabled by the user. JavaScript is generally used to enhance the appearance of the browser interface and the Web page38. Plug-Ins and Graphic Files Plug-ins are software programs that are integrated with Web browsers, used to execute data of special formats that are downloaded from the Web or attached to an email. For a user to view the content embedded in certain Web pages, the particular plug-in must either be downloaded and installed in the browser or have been pre-installed. Many plug-ins are special purpose interpreters, implying that the particular formatted files are programs in themselves that provide both instructions and data to the plug-in. But this is also a security risk39 The plug-in may contain instructions that when executed, surreptitiously perform other operations40. Push technology
Push technology is a form of executable content that turns the Web paradigm on its head. Web surfers are used to finding a Web site and requesting information. The information is pulled into the user's browser. With push technology, users still have to determine which Web sites they want information from, but once selected, the Web sites take matters into their own hands and push information to the browser without the user's request. Web sites who push active content are similar to their counterparts in the TV and radio industry. Essentially, these sites broadcast their content. Users need only "tune" their browsers to their channel. Hence, the concept of "active channels", being pushed by Microsoft. The idea is to get the latest updates on information without having to request it, since presumably you will not know when to request updated information. The first well-known adopters of push technology came in the form of PointCast and Marimba. Point Cast Network is a program that exploits push technology to distribute news over the Internet.
views Bob’s Web page and Charles’ applet establishes a covert channel between Charles and Alice. No collusion with Bob is required. Although Netscape and Internet Explorer allow network connections only to the host from which the applet was loaded, it is not enforced adequately through a number of implementation errors. For example, the accept() system call, used to receive a network connection initiated on another host, is not adequately protected. Thus, an arbitrary host could connect to the browser as long as the location of the browser is known. Third-party channels are also available through the URL redirect feature- normally an applet can instruct the browser to load any page on the Web. An attacker’s server could record the URL as a message, then redirect the browser to the original destination. 36 Other than the name, JavaScript has little in common with the Java programming language. 37 Unlike other programming languages, scripting does not require compilation. Script execution is interactive through the use of command interpreters. This means that arbitrary commands can be sent from any Web site and be executed by ActiveX controls on the desktop. 38 For example, JavaScript is used to display stock quotes or banners, and can also be used to check fields of data submitted via Web pages for accuracy. 39 T he most famous plug-in security violation was the Shockwave flaw. Shockwave is a plug-in that allows users to download and view movies over the Internet. The breach was that Shockwave plug-in also allowed a Web site to read the user’s email if the user’s browser was Netscape Navigator and the Netscape Mailer was used for email. [ S. Markowitz, , Shockwave Security Hole Exposes E-Mail, RISKS Digest 18:91, March 1997.] 40 The practice of covertly inserting code in digital images is called steganography. Viruses can also be delivered in this manner.[ Currie D.L. and C.E. Irvine, Surmounting the Effects of Lossy Compression on Steganography, Proceedings of the 19th National Information Systems Security Conference, Baltimore, Oct, 22- 26, 1996, pp. 194-201]
19
PointCast broadcasts news, stock updates, sports scores, weather, and other dynamic content on a seemingly continuous basis. Unlike the prevalent pull paradigm of the Web, push technology works on the principle of passive acceptance of data. That is, the client always accepts data pushed from the content provider, without control over what data is being sent. In the pull model, a client actively requests data from a Web site. Push technology, on the other hand, requires this decision to be made once. That is, the user subscribes to a channel (Web site) once and from that point on any and all content that matches your personal filter is downloaded. The customisations are not focussed upon filtering out viruses. For example, a Web site can send not only updates of news, but also active content, digital images, plug-ins, and even software patches to update the network client on-the-fly. Since the client often belongs to one of the subscribers (e.g., Point Cast and Microsoft), the client can be programmed to serve any number of functions. The client can be an interpreter to execute commands sent from broadcasters. For the more paranoid, the network client can be used to spy on the user's networked drives and send this data back over a network socket. This is not difficult in that the networked client has the same system privileges as any other application, and client approval has already been granted. Other security concerns over push technology centre around the updates of software. Network clients that support push technology can immediately update themselves with each new patch or each new release version of the software. This technique by itself can go a long way towards making networked machines more secure. Every time a software flaw is found in the network client, the network client can reach back to the vendor, download the patch, install it, and fortify itself against known attacks. One downside of the technique is the fact that the network client is downloading executables that can alter its functionality. The question is how safe are these executables? It is possible that they could be downloaded from a rogue organization posing as the vendor. Domain name spoofing is a well-known Internet attack. The attack works by fooling a DNS server to resolve a network address to an incorrect IP address belonging to the perpetrator. The perpetrator could then download its own version of the software modified to perform its objectives, such as spying on your hard drive. This form of attack can be prevented. Using digital signatures, all executables can be signed to provide proof positive of the identity of the software publisher and to determine if the software has been corrupted in transit. This system is not perfect, however. The system is based on trust. You must trust each of your content providers to not download any malicious content. Even with digital signatures, a "trusted" organization can still exploit the push technology for its own gain at the expense of selected targets. Since downloading of content occurs at scheduled intervals, rather than at the behest of the end user, this malicious content can be downloaded and executed while the user is asleep at night or on a coffee break. This leaves the end user unaware of what happened and the content can erase all traces of any nefarious activity since it is given full access to the system.
Web Server Security
In Spafford’s analogy, users live in an environment as secure as a cardboard box, while the network servers are as secure as a park bench in the physical world. Clearly, if someone really wanted to steal a credit card number, it would be foolish to attack the armoured car rather than either the cardboard box or the park bench. But to date, attention has been focussed on strong encryption, user account authentication, and non-repudiation of identity. Host-side security has been neglected. One reason might be the public mollification of their concerns, which can be addressed by encryption protocols, and the false sense of security created by the existence of firewalls. But it needs to be re-emphasised that the security of a system is only as strong as its weakest link.
20
The three main components of the Web server are: front-end software, back-end databases and internet software. Front-end The front-end software consists of the HTTP network daemon, and other network servers such as mail, FTP, news and remote login services. Vulnerabilities on any of these components or in the interaction between these components allows the possibility of unauthorised access. The most visible defence to end users is the access control or authentication mechanism. Security controls are at different levels. The files read by the Web server are either in the server root or the document root. The server root consists of files installed with the Web server and used for configuration and administration, including configuration files, log files, CGI program sources, CGI program executables etc. The document root consists of the Web pages, usually written in HTML, that are served by the Web server following a client request. The server root files are usually sub-grouped in their own directories with their own access permissions, which should be strictly enforced and limited. One of the most common security breaches is negligent assignment of access rights, resulting in inadvertent privilege escalation. Privilege escalation occurs when an unauthorized user is able to obtain higher privilege in accessing, creating, modifying or deleting files on the server file system than was intended. In relation to Web access, there are generally three methods of restricting access – based on client hostname and IP address restrictions, user and password authentication, and / or digital certificates, each of which is briefly analysed below: - client hostname and IP address restrictions- the simplest and least secure access control
mechanism, which can be easily thwarted by spoofing, wherein crackers conceal their real identity. Ghosh recommends that the IP address and host names be verified by the ‘double-reverse-lookup’41.
- user and password authentication- this access control mechanism suffers from the traditional problems of selection and secure retention of passwords, which can be easily compromised. Often, the user and password authentication are transmitted in the clear – that is, they are not encrypted prior to transmission, allowing any ‘sniffer’ to capture the relevant information. Also, many Web servers do not require users to reauthenticate themselves during the same terminal session every time another Web page in the same authentication realm42 is accessed, this being one of the rationales for the existence of cookies. In many authentication systems, the cookie is not encrypted, allowing sniffers to capture the cookie. Once the cookie is captured, the intruder can use the cookie to access the Web page himself and possibly change the password. Some Web servers require the cookie to be combined with the IP address of the client, requiring that the cookie be presented from a specific IP address. The server would then authenticate not only the user ID and password, but also the IP address from where the request was made. This defence renders unauthorised intrusion more difficult, but it is again surmountable.
- digital certificates – using the Secure Socket Layer [SSL] protocol
41 Anup K. Ghosh, E-Commerce Security, at pp. 169. The server queries the DNS with the IP address sent with the web request and receives the name of the host making the request in response. The server then queries the DNS with this name and receives the corresponding IP address. The connection is accepted only if the IP address returned from the second lookup matches the IP address sent with the request. 42 An authentication realm is the region of the Web file server system that is protected by an access control list. It may consist of a single Web page or a whole Web site.
21
The communication between a web browser and a web server is secured by the SSL protocol. Within the protocol stack, SSL is situated underneath the application layer. SSL provides entity authentication using public keys, data authentication using private keys, and data confidentiality using Message Authentication Codes. SSL depends on a Public Key Infrastructure. Participants in the communication must have a public/private key pair and a certificate. Root certificates [ the certifying authorities’ certificates that are needed to verify the entities’ certificates] should be securely distributed in advance, such as being shipped with the browsers. Private keys obviously must be adequately protected. SSL only protects data whilst it is in transit. Exchanged messages are not digitally signed. Thus, SSL does not provide non-repudiation43. The concept of digitally signing messages has not been integrated in current web browsers. Netscape though allows the content of forms to be digitally signed using the Javascript signtext() function. As XML will become increasingly popular, consideration should be given to implementing Signed XML into browsers. Signed XML specifies how XML document should be digitally signed44. The alternative protocol to secure Internet communication has been S-HTTP, but S-HTTP has been supplanted by SSL as the de facto Web standard, and the use of S-HTTP has been neglected45. Although numerous electronic payment systems have been proposed for use on the Internet, including Digicash, Cybercash, NetCash American Express ‘ one-time credit card systems’46, and micro-payment systems, most transactions on the Web are still conducted using credit cards. Generally, customers transmit their credit card details to the merchant’s web server on the firt transaction, after which the merchant merely verifies the credit card details with the customer. This information exchange is generally conducted securely using SSL. Secure Electronic Transactions [SET] is a more advanced standard for credit card payments47. One of the core features of SET is that merchants only see encrypted credit card numbers, which can only be decrypted by the credit card issuers. SET is conceptually sound, but has not been widely implemented due to its complexity. It is common that only web servers have certificates with which they are authenticated. When user authentication is needed, it is hardly ever doen with SSL48. Users are often authenticated via their IP addresses, which is vulnerable to IP spoofing, does not obviously provide mobility, and is not usable in an open system. Fixed passwords are sometimes used, which provide mobility, but are vunerable to sniffing and guessing. Root certificates are needed when verifying a web server certificate. A user needs an authentic copy of these certificates and these root certificates can be modified once installed with the web browser. Also, the browser trust model results in a server certificate being trusted if verified by any of the root certificates and, since there is no central authority for security policy management, this might easily include an attacker’s root certificate.
43 Repudiation allows either party to deny that he was a participant in the transaction. Without digital signatures, both customers and merchants can later deny having sent or received requests or confirmations from the other party. 44 D. Eastlake, J. Reagle, & D. Solo, XML-Signature Syntax and Processing, IETF Request for Comments, RFC 3075, March 2001 in John Claessens, Bart Preneel, & Jaos Vandewalle, Combining World Wide Web Security and Wireless Security, Proceedings of IFIP I-NetSec 2001, November 26-27, 2001, Leuven, Belgium 45 ibid. 46 American Express, Private Payments at http://www.americanexpress.com/privatepayments/ 47 Secure Electronic Transactions (SET)47 is based on the RSA public key model. The SET standard replaces the Secure Transaction Technology (STT), jointly developed by Microsoft and Visa. In SET, message data is encrypted using a randomly generated symmetric encryption key. This key is in turn encrypted using the message recipient’s public key - the digital envelope - and is sent to the recipient along with the encrypted message. After receiving the digital envelope, the recipient decrypts it with his private key and then uses the symmetric key to unlock the original message. Cardholders must register with a Certifying Authority before they can send SET messages to merchants. 48 John Claessens, Bart Preneel, & Jaos Vandewalle, Combining World Wide Web Security and Wireless Security, Proceedings of IFIP I-NetSec 2001, November 26-27, 2001, Leuven, Belgium
22
If the user has a public/private key pair, for SSL, SET or for digital signatures, the private key is likely to reside on the hard disk. This storing on the hard disk is potentially vulnerable, for example due to Trojan horses. Users with such a software token are not mobile. Smart cards are a solution but they may be inconvenient and are clearly not installed on every machine. Firewalls Firewalls are ineffective at thwarting data-driven types of attacks through legitimate network service requests49. One class of attacks exploits weaknesses in network applications running on a server. For example, sendmail is one of the most commonly used mail servers used on Unix machines. Throughout its long history (sendmail is now on version 8 approaching version 9) sendmail has been rife with errors that have resulted in security vulnerabilities. For example, in the past when sendmail was compiled in "debug" mode, it allowed untrusted outside users unrestricted access to the system. Firewalls can do little to prevent program errors in an application server from being exploited through legitimate requests to the server. A firewall is also vulnerable to malicious software executed by benign insiders. Typically, firewalls do not require that insiders strongly authenticate themselves to the firewall in order to access external services through the firewall. Firewalls can, however, limit the extent of the damage. A firewall proxy can create an artificially small file system around an executing application server. By creating this "jail cell" around a server, if the server program is compromised by an outside request, then the extent of damage that can be caused by the intrusion is limited to the scope of the jail cell. In the case of sendmail, a data-driven attack that is able to obtain shell access on the server through a bug in sendmail will only be able to access files and/or programs in the file system that is defined by the jail cell. Of course, any mail that is within the scope of the jail cell may be vulnerable to eavesdropping by a subverted sendmail program. The key to addressing the firewall's vulnerability to data-driven attacks is to stay on top of the latest holes found in server-side software and to patch the software as fixes are released. Networks often have multiple firewalls. Entities may have a number of separate links to the Internet, and may want to partition part of their internal network. Jerry Ungerman of Check Point Software opined that many of Check Point’s customers have multiple firewalls, some with as many as one thousand firewalls. The advent of broadband connections from home requires home users to link securely to the Internet and thus require firewalls. The firewalls need to be integrated correctly to prevent a potential breach. Network servers are vulnerable to external threats due to errors in configuration, flaws in the server software and interface scripts, inappropriate access controls to the back-end databases, and security holes in the operating system that underlies the network server. The setup and configuration of a network server can be complex and, similar to firewalls, simple errors in configuring the network server may have drastic security implication. Most network servers consist of network services such as a Web server, a mail server, and sometimes other network services such as file transfer protocol (FTP), and news (NNTP). Configuring these services securely is a formidable task even for experienced administrators. Most of the problems in security of corporate systems are a direct result of errors in configuration50. Software is mostly configured to meet the functional requirements of the organization, e.g., providing access to corporate intranets from remote logins, rather than configured to meet the 49 Some believe that the security of Web servers is so weak that all Web servers should be placed outside of firewalls, essentially as a realisation that they cannot be protected from malicious predators. S. Garfinkel & G. Spafford, Practical UNIX and Internet Security. O’Reilly & Associates Inc., 2nd edition, 1996 50 Ghosh cites an example of a system administrator installing and configuring a Web server, setting the execution privileges of the Web server to root, thereby allowing the server to have the same privileges as the superuser. So, if an attacker subverts the server, it will then gain super user privileges
23
requirements of corporate security policy. Most network software that is installed out-of-the-box is configured by default to provide maximum functionality, rather than security. Unless configured to meet a company's own security policy, the network services will probably be vulnerable to attack.
Back-end Database vulnerabilities Security mechanism such as access control lists and passwords can be provided to restrict access to different portions of the database. Security assurance methods can range from simple access controls to encryption channels from the Web server to the database as well as encrypted storage of data in the database. Different portions of the database, called table spaces, may have different access control policies. Depending on the origin of a request to access the database, different access control mechanisms can be used. Access control may differ if access is sought from the Web as opposed to access being sourced from local database programs. Often the Web access is from unknown and untrusted Web clients.
24
Server- Side Middleware Aside from the network server, perhaps a more dangerous form of software that has emerged in on-line applications is the Common Gateway Interface (CGI) script. CGI scripts and other middleware are server-side programs that execute when called by the Web server in response to a Web request and are often used for retrieving information from forms on Web sites and performing online Web searches. Simple CGI scripts may increment a counter each time a Web page is accessed. Others may support customer feedback via mail. More sophisticated CGI scripts perform online transaction processing tasks required of on-line commercial transactions. For example, a CGI script may submit a customer query to an on-line database to find out the customer's investment portfolio balance. Because CGI scripts execute in response to a remote user's request and typically process user input directly, the danger exists for a user to be able to manipulate the CGI script into giving system privileges to the untrusted user. CGI scripts have the ability to allow remote Web clients to execute system commands to perform any of the following: - read, replace, modify or delete files. - mail files over the Internet. - execute programs downloaded on the server such as a password sniffer or a network daemon
that may allow unauthorized telnet access to the server. - launch a denial of service attack by overloading the CPU with a computer-intensive task. This is particularly true for electronic commerce, where in order for any transaction to occur, user input is necessary, an application must be executed, and files must be updated. It is the sheer power of CGI to execute interesting applications that makes it so dangerous to corporate security. Several steps can be taken to mitigate the dangers of CGI scripts: - users should not be allowed to place their own CGI scripts on the Web server. Users are much
less likely to test and verify that their scripts do not pose a security hazard, especially if they do not have the technology to perform security analysis. System administrators must be aware of stray CGI scripts that get placed on the server. These scripts can often be a backdoor that hackers (or potentially malicious internal users) leave behind to allow unauthorized entry into a system. The Web server should be configured such that a CGI program can only be executed from a single directory (with appropriate access control) If configured successfully, this measure can reduce the threat of users creating CGI scripts in their home directories. Even CGI scripts that are distributed with Web servers, downloaded from the Internet, or purchased commercially, should be viewed with suspicion. All CGI scripts should be tested rigorously for security holes.
- Scripting or interpreted languages such as Perl should be avoided. While compiled languages such as C can be equally hazardous, the scripting languages make it easier for users to unintentionally code dangerous constructs. Even if the system administrator decides that a CGI script is safe, it is wise to keep the source code for the CGI scripts hidden from the outside world. If a person outside the organization can download the source, then the source can be analysed for vulnerabilities and potentially exploited later. Finally, every CGI program on the server must be accounted for in terms of its purpose, origin, and modification. Once a stable set of CGI programs is established, a digital hash of the program (using MD5, for example) executables should be made. This will allow any modifications of the programs to be detected in the future by comparing subsequent hashes with the original digital hash.
25
- limiting where possible the executing privilege of the Web server because CGI scripts are executed by the Web server with all the privileges of the Web server. If the Web server executes under superuser privilege, there will be no barrier to potential malicious damage.
- restricting the directories from which CGI scripts can execute. Some servers will execute any program ending with a .cgi or.pl from anywhere under the server root, which is dangerous. CGI scripts that have not been validated for security could be potentially dangerous for the server. Preferably, a single directory under the server root should be established from which approved CGI scripts can execute. This directory is often called the cgi-bin and is used to store the CGI binary executables and the cgi- src, which stores the software source code for many of the CGI scripts. The server can be configured so that when any script or program in this directory is requested for a Web request, the program will execute locally rather than having the source downloaded.
- most CGI-related security issues arise from the failure to remove meta characters and commands from user input sent to the CGI scripts. The result is that an untrusted user may execute commands on the server machine if they are embedded in an HTTP request. The potential vulnerability increases if the HTTP server invokes the CGI script whilst executing under a privileged userID. All input to a CGI script should be stripped of all meta characters before being passed to a command interpreter.
- checksums or hashes should be created of the executable images of each CGI program51. The checksum should be regenerated and periodically checked to ensure that the CGI scripts have not been altered or corrupted, or that no new CGI programs have been added to the CGI binary directory.
Operating System Problems Over the last decade, there has been debate as to what role operating systems [“OS”] should play in secure systems52. The debate has arisen because of the increasing importance of networking to the computer system, with many of the security risks now emanating from network activity. The critical role to computer security of the OS has not been universally accepted. The threats posed by unauthorised access cannot be addressed without support from secure OSs, and, any security efforts which ignores this fact can only result in a “fortress built upon sand”53. A polemic which has been the subject of much debate is whether language-based or OS-based protection is better suited for efficiently implementing fine grained security programs. Language based protection is performed at the virtual machine level, as opposed to OS protection at the kernel level. Operating system protection has several advantages over language protection from a security perspective, but the cost of domain crossings makes it questionable whether efficient OS protection for fine-grained processes is feasible. On the other hand, language protection can be implemented efficiently, but some security measures are adversely impacted such that effective security may be lost. Traditionally, OSs have been the preferred choice because hardware-based protection is advantageous in the areas of economy of mechanisms54, fail-safe defaults55 and complete
51 using a package such as Tripwire [ www.cs.purdue.edu/coast/coast-tools.html] 52 B. Blakley, The Emperor’s Old Armor, Proceedings of the New Security Paradigms Workshop, 1996. 53 D. Baker, Fortresses Built Upon Sand, Proceedings of the New Security Paradigms Workshop, 1996. 54 One of the design principles of security systems is to use small and simple mechanisms whenever possible. In other words, the acronym “KISS” – keep it simple and stupid, is effective. This is called ‘economy of mechanism’ and produces fewer errors in implementation. It is better to have no more functionality than necessary. 55 The design principle of ‘failsafe defaults’ means that access decisions should be based on the explicit presence of permissions rather than the absence of explicit exclusions. The safest means is to assume lack of access until explicit authorization is provided.
26
mediation56. The OS’s Trusted Computing Base [“TCB] can protect processes by restricting them to their own address spaces which can be easily enforced. Since only the program request is placed in the address space, other programs are not affected by its behaviour. Also, since the OS can intercept any interprocess communication [IPC] between processes, complete mediation is possible. Language-based protection has become popular in recent times due to a number of factors, including: - improvements in the development of ‘safe’ languages, such as Java and Safe-Tcl; - the belief that programs will become increasingly fine-grained, which are prohibitively
expensive to implement and enforce in terms of potential TLB misses upon domain changes; - the lack of flexibility in current OS models in dynamically assigning permissions to user
processes or permitting controlled sharing of memory among processes. - the performance problems in terms of performance and flexibility in using OS protection for
fine-grained programs. Jaeger et al57 believe that the concern of inadequate flexibility has been resolved, but the systems for which it was resolve are no longer in wide use58. Fine-grained programs have different protection domains and may interact often in the course of a transaction, resulting in potential performance degradation. While some OSs do efficiently control processes in dynamically defined protection domains, these systems have only been applied to traditional applications such as PostScript interpreters59.
But language-based protection also suffers from the following weaknesses: - the TCB of a system depending on language protection is larger because compilers and code
verifiers must also be included. This is contrary to the design principle of ‘economy of mechanisms’ referred to above;
- since all programs run within a single address space, fail-safe defaults are not assured. This is in contrast to OS protection where each process has an address space that defines a set of memory segments and the process’s access rights are limited to its own address space. The implication is that a security breach may result in the attacker gaining all the privileges that the virtual machine has;
- language-based protection is language-specific and does not apply to compiled code. Thus complete mediation depends on a homogeneous system which in the current environment of increased networking, is unrealistic.
- both OS-based protection and language-based protection have performance problems. For example, in the JDK 1.2 specification60, authorisations on every method invocation are required since there may be many real domains within a single protection domain, are prevented by using the call stack to determine the current authorisation context. But the current call stack may not represent the actual context since classes that have been evicted from the stack may still be part of the execution61.
56 ‘Complete mediation’ means that every access to every object should be authorised. Access should be checked, for example, not only when a file is opened, but also on each subsequent read or write to that file. 57 Trent Jaeger, Jochen Liedtke, & Nayeem Islam, Operating System Protection for Fine-Grained Programs, 7th USENIX Security Symposium, San Antonio, Texas, January 1998 58 Several experimental OSs have been developed that use capabilities to attach flexible protection domains to processes securely, including Hydra and PSOS. 59 ibid. 60 L. Gong. New security architectural directions for Java. In IEEE COMPCON '97, February 1997 61 The stack may not contain a complete picture of the execution history since the frames placed on the stack on each method invocation can be removed for a number of reasons. For instance, on completion of the method the stack frame is removed, so a complete list of the methods used is not maintained. Alternatively, malicious or faulty code could execute instructions which effectively remove frames from the stack.
27
The use of language-based and OS protection should be seen as complimentary. Jaeger et al62 has shown that an OS can be designed with minimum additional overhead for fine-grained programs using fast IPC and an efficient authorisation mechanism. Jaeger expects that the synergy between OS protection and language-based protection will be explored to determine the best tradeoff between security and performance. Vulnerabilities in the OS can undermine other security arrangements. Even if the Web server software is secure, faults in the underlying operating system foundation can result in malicious intruders, who can infiltrate the rest of the network. The need for secure OSs is especially critical in today’s computing environment, where the dichotomy between data and code is vanishing, and malicious code may be introduced without a conscious decision on the part of a user to install executable code, whenever data is imported into the system. For example, malicious code could be introduced with a Java applet or by viewing apparently benign data that, in actuality, contains executable code63. Bugs with the OS are the most common security concern64. Securing the OS is often effective- the best place to emphasise security is at the lower system layers – the hardware layer or the OS layer for a number of reasons: - it is often possible to compromise security at a given layer by undermining the layer below.
For example, the built-in encryption functions of a laptop word processor are not relevant if the underlying OS is compromised. Further, the logical access controls of an OS can be bypassed by direct access to the physical memory devices below.
- it is simpler to secure a lower layer than a higher layer. - it is faster to secure a lower layer than a higher layer and reduces the performance overhead
caused by security mechanisms. - the restrictions at the OS layer cannot be overridden by any application, but at the expense that
the restrictions may be too broad. OS are traditionally designed with a layered approach65. An OS layer is an implementation of an abstract object that is the encapsulation of data and operations to manipulate data. Higher layers can invoke operations at lower layers. Each layer is implemented using only those operations provided by lower level layers. A layer does not need to know how these operations are implemented, it needs to know only what these operations do. Hence each layer hides the existence of certain data structures, operations and hardware from higher level layers. The lowest level layer is the kernel, which normally includes process creation, destruction, communication, memory management and some basic I/O. The middle layer(s) include file management and higher level I/O. The highest level includes editors, user interfaces, mail systems, and other utilities. Utilities are often the weakest parts of the OS. Some systems also employ the concept of a microkernel. A microkernel includes only the most basic of services, typically functions such as process creation/deletion, process communication, and some basic operations. 62 Trent Jaeger, Jochen Liedtke, & Nayeem Islam, Operating System Protection for Fine-Grained Programs, 7th USENIX Security Symposium, San Antonio, Texas, January 1998 63 As an example, Postscript documents are actually programs with potential access to the local file system. Helper applications operating on untrustworthy data, such as Postscript viewers, must be executed in a less flexible and open mode, or be confined by the OS. 64 Information Week, May 2002 65 There are some problems with the layered approach, including how to define and delineate the various layers, and the fact that the layered approach is at the expense of some efficiency. For instance, for a user program to execute an I/O operation, it executes a system call which is trapped to the I/O layer , which calls the memory management layer, through to the CPU scheduling layer and finally to the hardware. At each layer, the parameters may be modified, and data may need to be passed. Each layer adds overhead to the system call and system calls thus takes longer than in a nonlayered system. As a result, OS are increasingly being designed with fewer layers, with each layer having more functionality.
28
Additional functionality is decoupled into internal servers. External servers implement their view of the microkernel as seen through its interfaces. This decoupling allows the microkernel to be reusable and the OS using it is highly extensible. Isolation is also implemented through the use of virtual machines [VMs]. Each VM runs in a virtual copy of the hardware and is separated from other VMs. Thus each VM could run a different OS. A Virtual Machine Monitor [VMM] acts as a kernel for the system and accesses the real hardware. The VMM creates multiple replicas [ virtual machines] on an instruction set architecture on one real system. The layered approach is a form of security protection. Many older OSs do not have a well defined layered structure. Some OSs began as small and simple systems and then grew beyond their limited scope. For example, DOS was written to provide the most functionality in the least space because of the limited hardware at the time, and the modules were not delineated carefully. The UNIX OS is dichotomised into system programs and the kernel. The kernel consists of everything below the system-call interface and above the physical hardware. The kernel provides the file system, the CPU scheduling, memory management, and other OS functions. There are two types of operating mode – user mode and kernel mode66, which differ in the amount of privilege granted. User mode cannot directly access the hardware whereas the kernel mode can. User mode67 must call upon the operating system to deal directly with the hardware. The kernel mode must translate calls from the user mode before the hardware can be accessed and must pass the data back to the user mode. The Hardware Abstraction Layer [ HAL] separates the kernel from the hardware. If a user wants to execute an operation requiring the kernel mode, such as writing to hard disk, the processor has to switch between modes by way of an interrupt. The system only performs a predefined set of operations in kernel mode and then returns to user mode – this process is known as controlled invocation. A bit called the mode bit is added to the hardware to indicate the current mode - kernel (0) or user (1). With the mode bit, the system is able to distinguish between an execution done on behalf of the OS and one done on behalf of user. At system boot time, the hardware starts in kernel mode. The OS is then loaded and the user processes in user mode. When an interrupt occurs, the hardware switches from user to the kernel mode. Thus, when the OS is in control, the system is in kernel mode, otherwise the system is in user mode. This protects the OS from errant users. Another aspect of system architecture also impacts on security- the policy of containment or isolation. Each application should be protected from attack as much as possible by constraining access to system resources; the exposed interfaces to the application should be as narrow as possible, such as read-only; and access to those interfaces should be controlled. An OS includes both a public [exported] interface and a private [ internal] interface; the public interface is for the use of clients [ applications and extensions], the private interface is solely for the use of the OS itself. An isolation or containment mechanism ensures that private operations and state remain private. Isolation can be implemented in hardware or software. Hardware techniques include virtual memory protection, or segregating clients and servers to different machines, allowing communication only through a remote procedure call mechanism. Software techniques can be classified by how the code is rendered safe. Safe languages, such as Java, do not allow illegal operations to be expressed in the source language. Software Fault Isolation [SFI ] transforms code generated by a compiler for an otherwise unsafe language, augmenting it with additional instructions to guarantee safety. Interpreters check the behaviour of the code as it runs, and do not allow the code to violate the kernel’s private interface.
66 also known as privileged or supervisor mode. 67 also known as non-privileged processor mode.
29
When using a software method, the system must verify that the software transformation has in fact occurred. This can be achieved in two ways: the OS can perform the transformation itself when the application is loaded, or the application can be packaged with verification that the transformation has been applied. The verification can take a number of forms including digital signatures or formal proofs, such as Necula’s proof-carrying code68. The proof is generated as a side product of the compilation process, and is used as an indicator by the OS that the code performs no unsafe actions. Though proof generation is computationally expensive, Necula’s work places the burden of proof on the compiler. When two pieces of code are fault isolated from one another, they are described as being in different domains. The domain crossing cost is the cost of moving or communicating from one domain to another. Hardware protection methods generally have a higher domain crossing cost than software techniques69. The decision to use hardware or software methods is prima facie driven by the amount of code run between domain crossings. If little code is run between domain crossings, a software technique, with its lower domain crossing cost, can be more efficient. If much code is run between domain crossings, a hardware technique, which can better amortise the domain crossing cost, is preferable70Hardware protection has the advantage that, since it is built into the hardware, overhead is incurred only when the system changes fault domains. Unlike with software techniques, there is no per-instruction overhead associated with hardware protection. The high cost of switching between domains motivated the current generation of microkernels71, which link server code directly into the kernel address space, which eliminates the safety offered by isolation. There are three basic software protection schemes: safe programming languages, software fault isolation [sandboxing], and interpretation. The three can be dichotomised into static [safe programming languages] and dynamic run-time methods [SFI and interpreters]. In the former case, most or all checking is performed at compile time; in the latter, an intrinsic run-time overhead is the cost. A safe language is one which guarantees that a pointer to an object of type A will always point to an instance of type A. To ensure this, the language must do several things, including: supporting garbage collection so that dangling references can be eliminated; checking array bounds on accesses so that a program does not index outside the bounds of an array; and ensuring that when assigning a value to a variable, the value is of an appropriate type. Java is a safe language. Software Fault Isolation [SFI] in the context of Java is known as sandboxing, has already been referred to above. Instead of loading compiled, native code directly, an interpreter takes source code or code in some intermediate form and processes it directly, The code given to the interpreter can be thought of as instructions for an abstract virtual machine, and the interpreter implements that machine. The advantage is that the interpreter can ensure the safety of each command as it is processed, but at the expense of greater overhead than with compiled languages. Intuitively, the interpreter can be thought of as performing the functions of the compiler by converting source or intermediate code
68 George Necula & Peter Lee, Safe Kernel Extensions without Run-time Checking’, Proceedings of the Second USENIX Symposium on Operating System Design and Implementation, pp. 229-243, Seattle, October, 1996 at http://citeseer.nj.nec.com/necula96safe.html 69 Though there has been progress in reducing domain crossing costs, by reducing the amount of hardware and system state changed on a context switch. 70 For some systems, the choice may be irrelevant, the per invocation cost may be low enough to be immaterial or there are so few crossings. 71 such as Chorus and Windows/NT.
30
into executable code; the safety mechanism, by ensuring the safety of each instruction as it is interpreted; and of the hardware itself, by evaluating the instructions. To reduce the overhead of interpretation, an interpreter can generate native code, either when the extension is loaded or when run. A ‘just-in-time’ [JIT] compiler is an interpreter that generates native code rather than interpreting code directly. Code compiled by a JIT compiler is much faster than interpreted code72. Kernel-enforced containment in OSs has been available for some years, often in those designed for processing military information73. These types of OSs are called ‘trusted’ OSs. The containment method is usually achieved through a combination of mandatory access control74 [“MAC”] and privileges. MAC schemes enforce a policy of access control to system resources such as files, processes and network connections. This policy is enforced by the kernel and cannot be overridden by applications. Most current trusted OSs use the Bell-LaPadua multi-level policy model75, a formal model developed on behalf of military organisations in which the flow of information around the system is predictable and restricted. MAC policies often confine an application to a unique security domain that is strongly separated from other domains in the system. Applications may still misbehave, but the resulting damage is restricted to a single security domain76. Confinement, or sandboxing, Trusted77 OSs have not been widely used outside of the military78, for three reasons. First, it is widely regarded as ‘overkill’ in being unduly restrictive79; second, the imposition of MAC results in the loss of some underlying OS standard applications; and third, they are much more complex to implement and maintain. An OS’s mandatory security policy may be divided into such sub-policies as access control policy, authentication usage policy, and a cryptographic usage policy. Other subsystems of the OS may have their own mechanism usage policies. If the mandatory security mechanisms are too coarse-grained, then the security of the whole system may devolve to the security of the trusted applications of the system, which would be ineffective. To reduce the dependency on trusted applications, the mandatory security policy should support the principle of least privilege, such as type enforcement. But even with mandatory security policies, OSs may still suffer from high bandwidth covert channels, though this is not a reason not to implement mandatory access controls.
72 Holze showed that a JIT compiler for the Self programming language generated code that ran only 2 – 10 times slower than conventionally compiled code, as compared to interpreted code which runs 10 – 100 times slower than conventionally compiled code. [ U. Holze, D. Ungar, Optimizing Dynamically Dispatched Calls with Run-Time Feedback, Proceedings of the 1994 SIGPAN Conference on Programming Language Design and Implementation, Orlando, Florida, 1994] 73 Sun Microsystems Corporation, Trusted Solaris Operating System at www.sun.com/trustedsolaris 74 There are various definitions of ‘mandatory security’. The narrow definition of mandatory security which is connected to the multi-level security policy of the US Department of Defence is a common definition. But Loscocco et al state that this definition is insufficient because it ignores properties such as intransitivity and dynamic separation of duty. [Peter A. Loscocco, Stephen D. Smalley, Patric A. Muckelbauer, Ruth C. Taylor, S. Jeff Turner, John F. Farrell, The Inevitability of Failure: The Flawed Assumption of Security in Modern Computing Environment, 21st National Information Systems Security Conference (NISS), 1998 at http://www.nsa.gov/selinux/inevit-abs.html] Loscocco uses a more general definition in which a mandatory security policy is any security policy where the definition of the policy logic and assignment of security attributes is tightly controlled by a system administrator. This is also known as non-discretionary security. 75 D. Bell & L. LaPadula, Secure Computer System unified exposition and multics interpretation, Technical Report MTR-2997, MITRE, Bedford, MA, 1975. The central innovation of this model was that in addition to being well defined and implementable, the policy allowed one to show that information never ‘trickled down’. If the policy were implemented correctly, information at a higher level classification could not leak down to a lower level channel. 76 B. Lampson, A Note on the Confinement Problem, Communications of the ACM 16(10), 1973. 77 Such OSs are often called ‘trusted’ because they are trusted to perform correctly a security related function and not misuse privileges. 78 except in highly hostile commercial environments. 79 Casey Schauffler stated [ ACM, May 2001] that: “The commercial facility.. isn’t going to have Marine guards at the front desk stamping documents with big imposing words done up in an intimidating font. It’s a kinder, friendlier world outside the U.S. DoD.”
31
Current mainstream OSs provide discretionary access control [“DAC”] and place the onus of security on the end users, partly because those systems supporting MAC have relied on a narrow, rigid definition80. DAC is used on all UNIX systems as well as the Windows NT family of OSs. DAC provides granularity down to a group of users. Carelessness by any user may lead to a violation of the security policy in DAC, as opposed to MAC where only negligence on the part of the system administrator can result in a secuirty breach. Most systems only provide a weak form of discretionary policy which can be changed by any application, regardless of the trustworthiness of the code. The separation of information based on confidentiality and integrity cannot be maintained. As noted by Loscocco et al, the absence of OS mandatory access controls leaves application security mechanisms vulnerable to tampering, and malicious or flawed applications can cause failures in system security when only DAC are available81. Further, the failure of most mainstream OSs82 to support a trusted path mechanism83 allows malicious software to access the system. MAC is most often thought of in connection with the control of information flow in a multilevel secure system [MLS]84. MLS is when multiple categories or levels of data are defined. Generally, a user at a higher level may not convey information to a user at a lower or non -comparable level unless authorized. Under the Bell-LaPadua model the following is enforced: - No read up: a user can only read an object of less or equal security level. This has been
referred to as the ‘simple security property’; - No write down: a user can only write to an object of greater or equal level security85. This is
referred to as the *-property86. MAC requires a sensitivity label to be on both objects and subjects. Access is allowed or denied based on the relationship between the label of the subject and the object. Unlike DAC, under a MAC policy the creator and owner of an object does not have control over its security label, and thus cannot modify the system security policy. There are three fundamental concepts in OS security which are distinct but interrelated, being: - Reference monitor which regulates access. - Security kernel which refers to the hardware and software elements of a trusted computing
base that implements the reference monitor concept. - Trusted Computing Base [TCB] which is the totality of protection mechanisms within a
computer system- including hardware and software- the combination of which is responsible for enforcing a security policy.
80 Peter A. Loscocco, Stephen D. Smalley, Patric A. Muckelbauer, Ruth C. Taylor, S. Jeff Turner, John F. Farrell, The Inevitability of Failure: The Flawed Assumption of Security in Modern Computing Environment, 21st National Information Systems Security Conference (NISS), 1998 81 Peter A. Loscocco, Stephen D. Smalley, Patric A. Muckelbauer, Ruth C. Taylor, S. Jeff Turner, John F. Farrell, The Inevitability of Failure: The Flawed Assumption of Security in Modern Computing Environment, 21st National Information Systems Security Conference (NISS), 1998 at http://www.nsa.gov/selinux/inevit-abs.html 82 Windows NT does provide a trusted path for a small set of functions such as login authentication and password changing but lacks support for extending the trusted path mechanism to other trusted applications. 83 A trusted path is a mechanism by which a user can directly interact with trusted software, which can only be activated by the user or the trusted software and may not be imitated by other software. 84 Bell-LaPadua model. 85 There are some practical problems with this model, which will not be elaborated upon further, including blind writes that can violate the integrity of the data, difficulty of remote reads, and the need to have trusted subjects, which are not subject to the ‘read up’ and ‘write down’ rules. For example, some processes must be allowed to ‘read up’ and ‘write down’. For example, an encryption program, by definition, converts secret information into encrypted unclassified information. This allows the system to be vulnerable, allowing the possibility of Trojan horses. 86 More specifically, this is termed the liberal *-property. Some systems use the strict *-property in which a user can only write to an object at the same security level.
32
The reference monitor is an abstract concept, the security kernel its implementation and the TCB contains the security kernel among other protection mechanisms. The reference monitor accesses a file known as the ‘security kernel database’ which lists the access privileges of each user and the protection attributes of each object. The reference monitor adheres to the following requirements: - complete mediation: the security rules are enforced on every access, not only on the initial
access87; - isolation: the reference monitor and database are protected from unauthorised modification; - verifiability: the efficacy of the reference monitor enforcing the security rules must be
provable. A system that can provide such verification is referred to as a ‘trusted system’. The reference monitor must be tamperproof, always invoked and small enough to be subject to analysis and testing. The reference monitor enforces the dichotomy between the Trusted Computing Base[ TCB]88 and the non-Trusted Computing Base89. TCB code must be run in a protected state, whereas applications outside the TCB can be modified in an unprotected state. This logical separation of TCB and non-TCB can take place at two levels: - file management dealing with logical memory objects, and - memory management dealing with physical memory objects.
The distinction is relevant and involves the dichotomy between segmentation and paging. Segmentation divides data into logical units. Because each segment table entry includes a length as well as a base address, an application cannot inadvertently access a memory location outside the bounds of a segment. Paging divides memory into pages of equal size. Paging does not divide data into logical units and one page may contain different objects requiring different protection levels. In the case of paging, the page structure is not visible, rendering protection more cumbersome. Paging is thus not as effective as segmentation for access control90. The OS must confine each process to a separate address space, which includes the access control of data objects in memory. There are three options for controlling access to memory locations by the OS: - the OS modifies the addresses it receives from user processes, as exampled by what is known
as ‘address sandboxing’. - the OS constructs the effective address from relative addresses it receives from user processes,
referred to asrelative addressing91.
87 In practice, there is a tradeoff between performance and complete mediation, with performance often winning at the expense of mediation. 88 The TCP contains Primitive I/O, Basic Operations, Clocks, Interrupt handling, Hardware registers, and capability lists. 89 The non-TCB contains user applications, utilities, user request interpreter, user process coordination, user environment: objects, user processes, directories, extended types, segmentation, GUIs, paging and memory management. 90 Further, paging may open a covert channel. Logical objects can be stored across page boundaries. When an object is accessed, the OS will at some stage require a new page and a page fault will result. If page faults can be tracked, a user may be provided with information which could allow him unauthorised access. 91 The OS achieves relative addressing by using two registers - a base and a limit. The base register holds the smallest legal physical memory address; the limit register contains the size of the range. E.g. if the base register holds 3000040 and limit register is 120900, then the program can legally access all addresses from 300040 to 420940 inclusive. The address requested is first compared to a base register, and once found, then to a base and limit register. If a memory
33
- the OS determines whether the addresses it receives from user processes are within given bounds.
It is instructive to examine some of the security procedures of an OS. For purposes of this discussion, we will focus on only two of the most popular operating systems – Windows NT92 and a vanilla UNIX. Viega and Voas93 found that neither Windows or UNIX is clearly superior in terms of security. Based on the actual history of security breaches Windows appears somewhat weak, though it seems that most of the problems are a result of poor implementation and unnecessary complexity94. Linux appears to be more security conscious, possibly because its open source code has been publicly scrutinised and because of its relative simplicity. In UNIX every user is provided a unique identifier [UID]. If a user creates a file, his UID is associated with the file and the user becomes the file’s owner. Users are divided into groups and each group has a group identifier [GID]. A set of 12 bits [ a file permission] defines the access to the file by the owner and by the group to which the owner belongs. There is no way to specify access for specific users – that is the access matrix is restrictive. A permission defines only three types of access for files: read, write and execute. A permission is a four digit octal number: three bits defines the owner’s rights in terms of read, write and execute, three bits define the group rights and three bits define everybody else’s rights. The permission also includes three bits with the following functions: - a setuid [set user ID] bit, that lets the process run with the id and associated rights of another
process. - a setguid [set group ID] bit that does the same with respect to group rights. - a sticky bit used for memory management. UNIX files use descriptors, called inodes [ index nodes], to hold access permissions. Each file is controlled by a unique inode. The information in an inode includes – protection mode, owner UID, GID, file size and address, last accessed and last modified etc. Some UNIX systems have different layouts, but a directory entry always only contains an ASCII string and an inode number. UNIX uses a mixture of user and role to assign rights. Its file system uses users and groups as subjects but some system functions are special roles with their own rights, such as superuser, daemon, agent, guest, ftp. Windows has a more elaborate access control structure than UNIX and allows more types of access to files than UNIX. Users and groups are recognised as subjects and have unique identities. In Windows NT, the username and password are gathered by the login process and passed onto the local security authority [LSA]. The LSA is a user mode component which checks the user account against the values stored in the account database. When a match is found, the Security Account Manager [SAM] returns the user’s security ID [SID] and the SID of any group that the user belongs to. Every user, group and machine account has a unique SID, which is used for discretionary access
address is outside the legal limit of the base or limit is requested, a trap results. This approach can be further refined by introducing base and limit registers for a user’s program space and data space respectively. But the processor, in this case, must be able to determine whether a given memory location contains data or program code. Most instruction sets have no means for instructions to check the type of their operands. An alternative could be ‘tagged architecture’. 92 Windows 2000 introduces dome improvements over Windows NT but the author could find little research on comparing Windows 2000 to other OSs. 93 J. Viega & J. Voas, The pros and cons of UNIX and Windows security policies, IT Professional, Sept/Oct 2000 pp. 40-45 94 Windows 2000 has in excess of 60 million lines of code, and with the updates, this size is only increasing. This comparison may also be unfair in that there are purportedly many more installations of Windows OSs than of UNIX. It would be interesting to compare the breach rate as a percentage of the population base of particular OSs.
34
control. The LSA then creates a system access token [SAT] containing the user’s SID and user rights. The SAT is then attached by the login process to a process for access control for the particular session. There is also a mechanism similar to setuid in UNIX, the impersonation token, where a subject can use another subject’s access rights95. Windows has a finer granularity of file rights than UNIX, with four modes: read access; no-access right; change access that allows file modification and deletion; full control access that allows the ability to modify file permissions and to transfer ownership of the file. UNIX has only two privilege levels : ‘superuser’ and ‘any user’. UNIX thus violates the principle of least privilege which states that a process should have access to the smallest number of objects necessary to accomplish a given task. To overcome this shortcoming, UNIX can grant temporary privileges, namely setuid and setgid. These commands allow a program’s user to gain the access rights of the program’s owner. Experience has shown that these primitives are not always exercised as cautiously as they should be96. Another technique is to change the apparent root of the file system using the chroot causing the root of a file system hierarchy visible to a process to be replaced by a subdirectory. These mechanisms are often inadequate to handle the complex security needs of current applications, resulting in a lot of access control and validity decisions to user-level software that runs with the full privileges of the invoking user. Applications such as mailers, Web browsers, word processors etc. become responsible for accepting requests, granting permissions and resource management – the traditional functions of the OS. These applications possess a number of security flaws, including macros in Microsoft Word, JavaScript, malicious Postscript, PDF documents etc. In every UNIX system, there is a user with special privileges, called a ‘superuser’. This superuser often has the user name ‘root’. The root account is used by the OS for essential tasks like login, recording the audit log or access to I/O devices, as well as for certain administrative tasks. Almost all security checks are turned off for the superuser. Though not advisable, many system managers use the root account as their own personal account. The seeming omnipotence of the superuser is a security weakness of UNIX. An attacker achieving superuser status can effectively control the whole system. In addition to the risk that someone will abuse their superuser status, the superuser account creates another problem: when someone logs in as superuser using the superuser password, it is impossible to trace an act of misconduct based on who logged into the computer. The root account is a shared account. The greater the number of people who have access to the root account, the more anonymity any one person has to abuse the system. Windows NT uses four roles for administrative privileges: standard, administrator, guest and operator. A User Manager has procedures for managing user accounts, groups and authorization roles. Windows NT follows the object-oriented paradigm. Processes, user accounts, resources, files, directories etc. are all objects of a certain type. Discretionary access control on an object is predicated on the type of object. For example, access control to a file differs from access control to a print queue. Access to objects is controlled through permissions given to subjects. Each object has a security descriptor, providing the SID of the owner; an access control list; and a system access control list which controls the audit messages to be generated. When a subject requests access to an object, the security reference monitor compares the SAT and the object’s access control list to determine whether the requested access should be granted.
95 If the setuid bit is turned on in UNIX, or the impersonation token in Windows, , the program executing that program acquires the rights of the file owner. This violates the security principle of accountability. 96 R. Kaplan, SUID and SGID Based Attacks on UNIX: A Look at one form of the Use and Abuse of Privileges, Computer Security Journal, 9(1):73-7, 1993
35
Both UNIX and Windows use passwords for authentication. Microsoft, in designing its Windows NT password system to be backwards compatible, has divided its nominally 14 character passwords into two independent 7 character parts, padded if necessary, and with all letters forced to upper case before it is hashed. The result is that Microsoft has effectively limited the number of password choices by a factor of 1000 compared to UNIX systems that allow 8 character mixed case passwords. Further, Windows does not use the ‘salt’ concept employed by UNIX, where each unique password can be hashed to one of 4096 different values. Thus NT password storage is about four million times weaker than traditional UNIX password storage. This problem is compounded in that both Linux and OpenBSD allow much longer passwords than eight characters97. On the other hand, UNIX keeps passwords encrypted but the password file is readable by all users. This allows a user to make a copy and use dictionaries to guess passwords. The file used to store passwords [/etc/passwd] includes user information, readable through the finger command, which allows hackers to better guess the passwords98. Some vulnerabilities apply across platforms; others are specific. Any listing of OS vulnerabilities is only at a snapshot of time, since there are continuous patches to resolve identified flaws99. Most of the OS vulnerabilities arise as a result of faulty configuration, including: - execution privilege – the Web server should execute with the minimum privilege necessary to
serve document retrieval requests and execute CGI script. The best policy is to create a new user account with minimal privileges under which the Web server can run. On UNIX systems, this account does not require access to a shell. On Windows NT systems, the user should not have administrator status.
- automatic directory listing – many servers are pre-configured with automatic directory listing. Automatic directory listing means that if a Web browser points to a directory in which no index.html file exists, the Web server will by default return the listing of the directory. This is dangerous for server-side program directories, where CGI programs sources and executables reside. If the directories can be listed remotely, the program sources can be downloaded and allow an examination of flaws.
- server side includes [SSIs] – SSIs allow commands to be embedded in HTML documents. When the HTML document with the embedded command is requested, the command executes on the Web host with the privileges of the Web server.
- CGI directories – unless otherwise specified, many Web servers will execute a program file suffixed with cgi regardless of authorship or where it is located, with obvious security ramifications.
- access control and file permissions- Errors in configuring either the OS-level access controls or the Web server access controls can compromise the files on server machines.
- ‘execution bloat100’. Bloat is defined to address the problem of much software being written inside the kernel rather than outside. When UNIX was first written, the objective was to place nonessential code outside the kernel. But over time, more and more code was actually placed inside the kernel. Schneier argues that Windows NT is materially worse than UNIX in that it often indiscriminately places code inside the kernel, ‘completely ignoring security lessons..”101. Schneier hypothesise that Microsoft assumes that if code is in the kernel it is secure, so everything should be placed inside the kernel, including printer drivers. To the
97 Kevin Novak & Patrick Mueller, Linux, OpenBSD, Windows Server Comparison: Windows Security, Network Computing, November 26, 2001 98 Some modern Unix systems use a system called the shadow password suite which moves the encrypted passwords from /etc/passwd to /etc/shadow. The shadow file is not globally readable, thus reducing the risk of dictionary attacks. 99 For daily updates, see the Bugtraq newsgroup at http://www.securityfocus.com/popups/forums/bugtraq/intro.shtml 100 Bruce Schneier, Secrets & Lies, at pp, 129. 101 ibid at pp. 129
36
extent that users download printer drivers from the Internet and install them, there is little protection from a rogue or faulty printer driver. It would be safer to place the driver outside the kernel so as not to breach a relationship of trust.
- inheritance of rights. Most systems allow forked processes to inherit the rights of their parents, and this can be exploited. If the hacker tricks a program in superuser mode to execute a Trojan Horse, this inherits the rights of that program and also runs in superuser mode.
Because of its design history, UNIX does not have a strong reputation for security102, but it does provide a set of security features which are effective if utilised correctly. While most secure OSs have a security architecture explaining how security is enforced and where security relevant data is stored, UNIX has not such a disciplined approach, reflecting the fact that security features were added onto UNIX whenever the need arose, rather than being an original design objective. There have obviously been attempts to compare the intrinsic security capabilities of Windows versus UNIX systems. Though this argument has been at times passionate and clearly motivated in part by commercial interests, there does not appear to be a conclusive answer. Each system has limited relative advantages and disadvantages in certain areas. The discussion seems to ignore which group of administrators [UNIX or Microsoft], who are responsible for the majority of the security breaches caused by faulty configuration, are better trained. The more functions performed by the computer, the harder it is to secure. It is generally easier to disengage functions on a UNIX computer than on a Windows computer, and to install specific capabilities on a UNIX computer without needing other, indirectly related, services to be enabled. To the extent that the primary objective of Microsoft has been functionality, not security, one could argue that this would argue for UNIX security. It seems that another objective of Microsoft has been to make Windows OSs different from other OSs to impede the porting of Windows applications to other operating systems. This must have an adverse effect on both reliability and security. The polemic of ‘open source code review’ which is the foundation of UNIX systems compared to the proprietary code of Microsoft, whilst allowing UNIX security flaws to be more easily discovered and resolved, also allows the flaws to be more easily discovered by malicious users who can exploit this window103 of vulnerability. Hardened versions of Operating Systems Hardened versions of commercial OS are an attempt to improve security by reducing the known exposures of standard OSs. Some examples of hardening a system include: - removing all privilege and access provisions and then selectively granting them on a ‘need to
know’ basis104. - enabling as much system logging as possible. - maintaining up to date operating systems and applications. - removing unnecessary network services. For example, OpenBSD, the open-source version of
Berkeley UNIX, features a default installation that requires the installer to explicitly opt-in before installing services, forcing administrators to be aware of every service installed.
- limiting execution privileges of most system related tools to system administrators. - configuring authentication for all users who attempt access – that is, complete mediation.
102 B.F. Miller, L. Frederiksen, & B. So, An empirical study of the reliability of UNIX utilities, Communications of the ACM, 33(12) pp. 32-44, December, 1990. 103 no pun was intended here! 104 Microsoft, in its latest version of web-server software, is shipped with most options switched off by default. Customers need to make a conscious decision of the options which they want to choose. This modification to enhance security apparently has not gone without complaint.
37
- containment of information, both of files and network objects, wherever possible. COTS OSs typically provide a single superuser account with complete access to the entire system. A hardened OS isolates the services into individual compartments, providing separate administrative accounts for each compartment. For example, an administrator may have the requisite access to perform backups but may not be able to delete or add users of modify applications. A form of mandatory access control can be applied to some or all of these compartments105.
- file system lockdown. The file system can be locked through the removal of SUID/ SGID bits, changing some permission bits to disallow specific access and setting sticky bits on directories.
- renaming the Administrator or superuser account. For example, the author’s IT Administrator renamed the Administrator account on a Windows NT OS to another name, and set up a ‘dummy’ Administrator account with zero privileges. Hacker entries will thus be fooled and logged as they ‘sniff’ the network, this technique being called the ‘honeypot’ decoy.106
Distributed systems Distributed system security adds another dimension in that different components in a distributed system will not necessarily use the same operating systems, hardware architecture or security mechanisms. A middleware layer is utilised with application program interfaces [“API”] allowing an application in one layer to call a service in a lower layer. By hiding implementation details, the API can relieve the programmer from security specific tasks. The Generic Security Services API [GSS-API] provides a simple interface to security services for connection-oriented applications. The objectives of the GSS-API are to provide security mechanism [public or private keys etc.] independence, protocol environment independence, and suitability to a range of implementation placements. A typical GSS-API caller is itself a communications protocol, calling on GSS-API services to protect its communication with authentication, integrity and/or confidentiality. The interface resides on the local system and provides access to GSS-API calls through a library. The interface performs the role of data conversion and call interfacing with each mechanism, hiding the implementation details. The basic security elements of GSS-API are credentials, tokens, security contexts, and status codes. An object request broker [ORB] handles the interaction between users and objects, and between objects themselves in a distributed system. An ORB is located between client and server objects handling all communication between objects. The Common Object Request Broker Architecture [CORBA] is the specification for the industry standard for such an architecture. CORBA’s claim of guaranteed security must be tested. Within CORBA, security is not dependent on the applications; all requests have to pass through the ORB, and the ORB applies the security controls. If all the security services have been installed properly and if users have no means of bypassing the ORB, such as by direct calls to the OS, then CORBA does guarantee security. But CORBA does not guarantee that the ORB cannot be bypassed and that the data used by CORBA’s security services are adequately protected. If access to the ORB is compromised, then CORBA is ineffective. OSs have been designed to date on the assumption that their environment is relatively stable over a significant period of time. Previous generations of bespoke applications were designed around assumptions of computer speed, memory, network bandwidth, communications latency and user 105 Argus Systems Group, Trusted OS Security: Principles and Practice, at http://www. argus-systems.com/products/white_paper/pitbull. PitBull, which labels the compartments as domains has a proprietary form of MAC which it calls Domain-Based Access Control., which cannot be overwritten even by a superuser. 106 In a case cited by The Economist, a financial firm discovered its payroll system had been compromised. A number of honeypots were set up, which caught the offender ‘red-handed’.
38
interface. Current shrink-wrapped applications usually interrogate their environment when initialised, with the assumption that conditions do not change until termination107. The problem with OS and mobile computing is that many attributes of the application environment, as will be discussed below, may vary enormously during the course of a connection. For example, applications may make security decisions based on network topology. If, for example, a local subnetwork is considered secure, a remote login program might elect not to use encryption between nodes within the same IP subnet. But with the advent of Mobile IP, a host can retain its IP address, as it is detached from a secure subnetwork and reconnect to a more remote subnet, requiring traversing an insecure Internet connection. There would be a similar insecure link when switching from a secure fixed wire connection to a wireless connection. Current OSs cannot handle this. In the past, operating systems were far smaller and more tightly coded than today’s suites. The software written for bigger machines was also more reliable. Before IBM ‘unbundled’ its software and hardware, computer manufacturers controlled both the program code and the underlying hardware – and thus could better integrate them. The complexity was increased by two factors: − the practice of re-using large amounts of old software. Such code re-use often led to very
complex and large software programs and analysing such programs “ was more like archaeology than computer science108”.
− software companies, in an attempt to stimulate sales, rushed to add extra features to their programs to encourage buyers to upgrade. So, programs to a large extent have become more unreliable and more bloated.
There has been a trend to introduce more functionality into the OS. Jim Allchin of Microsoft stated that there will be a blurring of the distinction between a utility, OS and application109. Ingram of Solaris agrees, stating: “You don’t want to own a washer and a dryer, what you really want is clean clothes.110” Some see Microsoft’s objective in increasing OS functionality as insidious – making the OS more Microsoft dependent, and are thus attempting to focus only on the basic requirement of the OS. deRaadt of OpenBSD states that increased OS functionality is at the expense of security111. There is also debate whether there will be a tiering of OSs – whether there will be a separate OS for the client and the server, or for the desktop and the network.
Software Testing Software testing, like security in academic networking courses, is often the last activity performed before the software [or student] is released. As a result, when deadlines are approaching, security analysis is often sacrificed. Some companies have now established a practice of displacing testing to alpha and beta releases, with the appropriate legal qualifications. Most software testing is also geared towards ensuring that the required functionality is achieved, and testing to ensure that the software does not perform unspecified functions is often overlooked. Malicious intruders will try to exploit these weaknesses. There are two primary methods of software testing:
107 For example, some OSs ascertain at boot time which network devices are available, and initialise the appropriate drivers. It is difficult to change these at a later point of time. 108 The Economist Technology Quarterly, June 22, 2002 at pp. 10 109 Steven J. Vaughan-Nichols, Operating System 2010, November 5, 2001, Byte.com 110 ibid 111 ibid.
39
- independent verification and validation – one team of software engineers designs and builds the system, and another team evaluates the design, sometimes even building an identical system as a benchmark. This method is very expensive and only used in critical systems.
- evaluation against an independent set of criteria. The Orange Book in the mid 1980s was the first commonly accepted set of evaluation criteria, but it has been rendered largely obsolete. The Orange Book espoused a series of security levels ranging from minimal security to verified design. But there was no validation of the security levels – the only assurance was that the manufacturer input the required level of access controls, and included the required documentation112. Obtaining various levels of higher evaluation proved more time-consuming in terms of development and documentation effort than vendors had originally anticipated113. The Orange Book did not consider networked systems- it focussed on stand-alone systems. And finally, the Orange Book ratings were restrictive – systems would receive ratings only in particular configurations, with only certain types of software installed. After much infighting between the EU and USA, an ISO standard114 was developed called the ‘Common Criteria. The Common Criteria provides a catalogue of security concepts that users can include in a ‘protection profile’ which is a statement of users’ security needs. Individual products can then be tested against this protection profile. The Common Criteria includes a Mutual Recognition Agreement whereby different countries recognise each others’ certifications.
Secure program design is impeded by: - the security aspect is considered as the last step in software design. Many designers believe
the security aspect is a problem solely for security analysts and system administrators. - time pressure. The increasingly short deployment cycle results in the burden of software
testing being increasingly placed on the consumer, who receive beta versions. These pre-production versions are often distributed free in return for bug reports.
- software design is focussed on the objectives of the software functionality, rather than those aspects which the particular software package should not attempt without specific authority. Functional testing may not detect security flaws, because security is independent of functionality.
- no comprehensive security checklist. This statement is almost tautological –if all the attacks and potential vulnerabilities were known, they could, at least in theory, be remedied. Testing for all possible vulnerabilities would include testing for unknown vulnerabilities complexity of modern software – especially operating systems and suites.
- user demand that there be a linkage between various security mechanisms of numerous applications installed on the system. Users demand ‘ single sign-on’ whereby a user authenticates herself once using a specific mechanism and then gains access in a uniform manner to different services, perhaps on different platforms.
Software analysis can be static or dynamic. Static methods examine source code for flaws, usually during a design review. Static software analysis is largely manual, and labour intensive. The quality of the process is dependent on the disciplined rigor with which it is conducted. Static analysis can be partially automated to search for constructs that are known to be unsafe. Most text editors have the ability to search on regular expressions, but the issue is to determine the search parameters115. 112 Vendors found that evaluation of any version allowed them to sell all succeeding version of the particular software as if they had been evaluated. 113 The Orange Book evaluations, as opposed to the Common Criteria evaluations were conducted, at least initially, by the Government, rather than commercial laboratories subsidised by the vendors. The commercial laboratories were more likely to respond to vendors’ schedules and priorities. 114 15408, version 2.1 115 For example, if the program is reading a birth date, then the only range of acceptable characters is possibly [0,9]. The length of the variable should be restricted to prevent buffer overflow.
40
Dynamic analysis involves executing programs to detect flaws. Dynamic analysis studies the behaviour of the application rather than the structure. Whereas static analysis may reveal potential vulnerabilities, dynamic analysis confirms the existence of program flaws. Dynamic analysis, at least in theory, involves the testing of a program for functional correctness, comparing the resulting outputs with the expected outputs116. Start-up companies such as Company 51, Okena and Intru-Vert Networks are designing intrusion-detection systems that borrow ideas from the body’s immune system. Others, such as IBM, are developing autonomous computing systems that have in built intrusion detection systems. Because of the complexities of predicting output, Ghosh recommends an alternative – rather than checking the output of a program, checking the program for secure behaviour117. It is clearly easier to confirm there is no malicious behaviour than to validate all output. This alternative is based on the assumption that it is easier to articulate what constitutes a security violation than to define correct behaviour. Dynamic analysis can detect security-critical flaws in software development using white-box analysis techniques. White-box analysis can take advantage of two types of source-code level instrumentation techniques: assertions and fault injection. Instrumentation is the process of inserting more program code into a program to study the effect. Assertions are statements that check the state of the program after the execution of an instruction, to determine if the state is insecure. The violation of an assertion implies that the security policy of the application has been compromised. Fault injection simulates anomalous program behaviour – for example, if a fault is injected into the evaluation of a branch condition, the program will take a different branch for an input than it would have without the injected fault. Even after the software has been shipped, security flaws continue to be discovered by hackers, researchers and customers. There have been two approaches – the partial disclosure approach typified by CERT, and the full disclosure approach, exampled by Bugtraq. In 1988 the Defense Advanced Research Projects Agency [DARPA] funded a group to coordinate security response, including security awareness, known as CERT118. CERT acts as a clearinghouse for security vulnerabilities. There are a number of problems with CERT: - CERT’s response time was slow, and a backlog of vulnerabilities soon developed. - once CERT informed the vendors of the vulnerability, the vendors were tardy in their response
time. - CERT did not publish the vulnerabilities until the issue was resolved, thereby allowing the
vendors to avoid embarrassment for some period of time. - even when the vulnerability was resolved, CERT was slow in publishing the report. As a result, a number of internet mailing lists developed like Bugtraq [begun in 1993] and NT Bugtraq [begun in 1997]. Many researchers publish vulnerabilities immediately on these mailing lists, sometimes accompanied by press releases. The vendors are embarrassed into a speedy response, and providing patches. But the hackers can also use these mailing lists to discover vulnerabilities and exploit them119. The vulnerability often remains once the patch has been issued because many administrators fail to download the appropriate patch in a timely manner.
116 It is often difficult to determine the expected output without a program oracle, which defines what the correct output for every input should be. Oracles really only exist for trivial applications. 117 E-Commerce Security at pp. 148 118 or more formally, the Computer Emergency Response Team, centred at Carnegie Mellon University. 119 The author has heard of some web sites being attacked within forty minutes of the publication of a new vulnerability.
41
Downloading and installing the software ‘patches’ for fixing security breaches has been estimated to cost the average organisation around USD700 per PC per annum and about USD900 per server per annum. Even modest-sized firms can easily spend in excess of USD1 million every time a bug is found that threatens the organisation’s security. Furthermore, issuing a separate patch for every discovered vulnerability is cumbersome. Microsoft, for example, prefers to group several patches together, at the obvious expense of a delayed response time. A number of solutions have been proposed, including the following: - The National Academy of Sciences proposed in January 2002 an extension of product-liability
laws to cover the software industry for losses sustained as a result of ‘buggy’ software120, as opposed to the Uniform Computer Information Transactions Act, already enacted in Maryland and Virginia, which allows software developers to avoid liability. The problem is in the definition of the product and its capabilities. Understandably, though without justification, the ACM Task Force argues against computer malpractice torts121, analogous to product liability laws. The task force argued that to establish professional negligence, the courts must determine a material variance from industry standards. Since there are no industry standards for software engineering, and since the ACM has rejected licensing requirements which would impose industry standards, the Task Force concludes that it would be possibly detrimental for courts to impose a benchmark against which to judge malpractice. With respect, this argument is both circular and arrogant. If the software ‘industry’ cannot determine its own standards, it is unfair to deny the judicial system the ability to impose a set of standards so as to better protect the public. Determining whether or not computer technology is a service or product is material in assessing liabilities. If programs are viewed as a product, then strict liability may be applicable in certain circumstances, and no negligence need be proved. If computer technology is viewed as a service, the professional negligence principles such as those covering the medical industry may be applicable. If viewed as a service, the plaintiff would need to establish negligence before penalties could be assessed.
- The Economist122 prefers a revision of the terms of the software licence such that copyright protection will only be applied according to published specifications – that is, if the software has too many bugs, it will not be afforded copyright protection. Some may consider this proposal somewhat draconian.
- an alternative would be for software publishers to post a ‘health warning’ on their products, guaranteeing that no more than a certain number of bugs would be found within a certain period after the product’s release. If the reported bugs exceeded the warranty, then the publisher would bear some pecuniary liability.
- The ACM has examined whether software engineers working on mission critical systems should be licensed as Professional Engineers. The ACM task force determined that such a proposal was not practical or effective and might have adverse consequences123. The author respectfully disagrees with the determination of the recent study. Rather than considering whether the concept of licensing was appropriate, Knight & Leveson focused on the inappropriateness of the current PE examination for software engineers. For example, they argued that examining the fundamentals of engineering, such as chemistry, dynamics and materials science is not beneficial for software engineers. And if a different body of knowledge was tested, Knight & Leveson argue that there is no generally agreed upon comprehensive body of knowledge for software engineering of critical systems. Further, the
120 Business Week, March 18, 2002. 121 John C. Knight & Nancy G. Leveson, Should Software Engineers be Licensed? Communications of the ACM, November 2002, vol. 45 no. 11 122 The Economist, June 22, 2002 at pp. 10 123 John C. Knight & Nancy G. Leveson, Should Software Engineers be Licensed? Communications of the ACM, November 2002, vol. 45 no. 11
42
current PE licence is state mandated, and a software engineer might be faced with the prospect of being required to be licensed in every state where the software is sold. It seems that the ACM task force were not desirous of mission critical software engineers being certified and thus found reasons to reject the proposal. The examination could have tested a body of knowledge which was appropriate once that body was determined. The requirement of state by state certification could be modified for software engineers who, by dealing in intangible products, rather than bridges and utility plants, will nearly in each case be sold nationally or multinationally.
Much software development today is primarily a matter of integrating off-the-shelf components; rarely are new systems built entirely from scratch. Middleware technologies such as COM and CORBA have given rise to a wide range of components, frameworks, libraries etc. Increasingly, systems are complex assemblies comprised of commercial off-the-shelf [COTS] elements and mobile code. COTS is much cheaper than custom written software . The use of COTS entails certain security risks. Traditionally, software vendors have been required to disclose enough details of the software to allow the potential purchasers to evaluate the software processes and products for safety. But these polices are not compatible with the fears of current component vendors, who are threatened with the risk of intellectual property loss. The result is that the potential user is presented with a ‘black box’, leaving potential users with a dilemma: either forego the use of the relevant component or live with the risk of using a ‘black box’ component. To address this issue, Voas124 proposes two complimentary approaches: first, testing the component in situ to ensure that it is functioning in accord with its specifications; and second, testing the system to ensure that it still functions even if the component misbehaves. Whilst this has the advantage of not requiring the COTS vendor to disclose any further confidential information, the testing effort is expensive. Devanbu and Stubblebine125 suggest a compromise, which they refer to as a ‘grey box’ approach, in which the COTS vendor discloses enough details of its verification practices to convince the potential COTS user, whilst maintaining the protection of its intellectual property. The use of component software within applications has become very popular. Consider a particular component, say C, produced by a vendor V. This component C may be used in any application: a word processor, spread sheet, email program etc. These applications may be created by different vendors, who package and ship their applications with the constituent components. As time passes, vendor V will update the component software C to improve functionality and correct defects, thus creating versions C1, C2 etc. It could thus transpire that two applications require different incompatible versions of the same component: one using C, one using C1 etc. Thus, a common problem may be confronted: installing one application may cause another , apparently unrelated, application to fail. The task of maintaining a correct, current configuration of software at a particular machine has been called ‘post-deployment configuration management’ [PDCM]126. PDCM management also has security implications which need to be addressed. One of the most common software design flaws is buffer overflow. The length of the input as well as the range should always be checked and limited before it is read into a program buffer127. Overflowing the buffer results in overwriting memory that is not assigned to the buffer. The consequences of overflowing the buffer can range from no discernible effect to an abortion of the program execution to execution of unauthorised instructions contained in the input. If no adverse effects result from an overflowed input buffer, the program is tolerant to or robust to the particular type of attack. Software testing may not be able to verify the robustness of a particular program because programs will behave different for different input systems and also depend on the 124 J. M. Voas, Certifying off-the-shelf software components, IEEE Computer, 31(6), 1998 125 Premkumar T. Devanbu & Stuart Stubblebine, Software Engineering for Security: A Roadmap, in The Future of Software Engineering, pp. 227-239, Special Volume, ICSE 2000. 126 ibid, at pp. 235 127 A buffer is a contiguous portion of memory that stores data used by a program. A buffer is overflowed when more data is read into it than space allocated for the buffer in memory.
43
interaction of other programs already installed. The effect also depends on where the buffer is located in memory. During program execution, when a call is made to a function, the current state of the program, including the address of the next instruction to be executed after return, known as the instruction pointer, is saved on the stack. The buffer overflow can alter the instruction pointer, so that upon returning to the calling function, the next instruction to be executed is located at an erroneous address. This technique is known as ‘smashing the stack’. Besides trying to exploit features of code for alternative purposes, another common form of malicious attack is assaulting the application with garbage. To provide some assurance of security, testing for correctness may not be as important as testing for vulnerabilities which can be exploited into intrusions. This form of testing can provide statistical confidence that an application is relatively secure from malicious attack. It is also important that security analysis must be performed on software installed at the customer site in relation to configuration problems. The software itself may be relatively secure, but may be misconfigured in such a way as to potentially cause a security breach.
Mobile Commerce Issues A mobile e-commerce transaction is any transaction of an economic value that is conducted through a mobile terminal that uses a wireless telecommunications network for communication with the e-commerce infrastructure. Mobile electronic commerce (MEC) operates partially in a different environment than e-commerce conducted in fixed Internet, due to the special characteristics and constraints of mobile terminals and wireless networks and the context in which people use mobile, including hand-held, terminals. Within the notion of mobile computing, there is considerable latitude regarding the role of the portable computer. Is it a terminal or an independent stand-alone computer? Is it a general purpose workstation or something more restrictive in capability like a PDA? What purposes is the device intended to serve? These design choice have a material effect on a number of the following issues, which in turn have an effect on the security of the wireless network system. Device Properties Mobile devices will always be resource poor in terms of power, processor speed, memory size and disk capacity. Mobile devices used in MEC can be divided into four categories based on their processor, memory and battery capacity, application capabilities [SMS, WAP, Web], as well as physical size and weight. These categories are, from weakest to strongest, traditional voice handsets with SMS capability, WAP phones, PDAs with wireless communication capabilities, and laptops with wireless communication capability. In wireless mobile computing, to be portable, devices must be small, light and operational under wide environmental conditions. Also, in the context of ubiquitous or pervasive computing, computational power is embedded in numerous small devices. In particular: - Portable devices have small screens and small, multifunction keypads; a fact that necessitates
the development of appropriate user interfaces. The physical size is constrained by weight on the one hand and the limit on how small the keypad can be to remain effective on the other hand.
- Portable or embedded devices have less resources, including memory, disk capacity and computational power than traditional computing devices. The processor capacity of the current PDAs is at the level of a PC five years earlier, and it is likely that the clock speeds of
44
handsets will also only be a few years behind that of current PCs. The same can be said of memory. The problem is that the faster the processor, the more energy it needs to consume.
- Portable devices rely for their operation on the finite energy provided by batteries. Even with advances in battery technology, this energy concern will not cease to exist. The concern for power consumption spans various levels in hardware and software design. The need to conserve energy limits processing power; and as a result, many security concepts have not been implemented on mobile devices. For instance, WML script – the mobile version of JavaScript – does not implement the sandbox model, allowing mobile code unlimited access to all local resources128. Also, most PDAs lack memory protection mechanisms and support only basic access control.
- There are higher risks to data in mobile devices, since it is easier for mobile devices to be accidentally damaged, stolen, or lost. In addition to the possibility that the data on the stolen device has not been recently backed up, there is also the risk that the thief will be able to access secure systems. One of the problems with the current generation of PDAs is the lack of an effective mechanism to authenticate a particular user to a particular device.
As a result of the mobile device limitations, many basic operating system features have been eliminated, including: - memory protection for processes- one process can thus intrude on another; - protected kernel rings; - file access control; - authentication of principals to resources; - differentiated user and process privileges; - sandboxes for untrusted code.
128 K.A. Ghosh & T.M. Swaminatha, Software security and privacy risks in mobile e-commerce, Communications of the ACM, Volume 44 (2), February 2001, pp. 51 – 57.
45
Wireless Communication Mobile computers require wireless network access, though sometimes they may physically attach to the network by non-wireless means when they remain stationary. Wireless communication is more difficult than wired communication because the surrounding environment interacts with the signal, blocking signal paths and introducing noise. As a result wireless connections are of lower quality than wired connections: lower bandwidth, higher error rates and more frequent involuntary disconnections. These factors in turn increase communication latency due to retransmissions, retransmission timeout delays, error control protocol processing and disconnections. Mobile systems thus need the ability to operate in a disconnected state, including prefetching files, lazy write-back , prioritising tasks, and asynchronous communication. Wireless connection can be lost or degraded by mobility. Users may physically move out of the coverage of network transceivers or enter areas of high interference. Unlike wired networks, the number of devices in a cell may vary dramatically, and large concentrations of mobile users, such as at a convention, may overload network capacity. Wireless communication is more susceptible to network failure. As a result of the normality of disconnection in wireless environments, the mobile computer needs to be more autonomous, have the ability to prefetch files, replicate by lazy write-back, and engage in asynchronous communication. The alternatives are to spend more resources on the network in an attempt to reduce the incidence of disconnection, or spend more resources enabling the system to cope with the disconnection more gracefully. These alternatives are obviously not mutually expensive, but do compete for resource allocation. By adding more cells, the mobile device has the ability to overlap cells on different wavelengths. This has the advantage of a flexible use of software and less interrupts but there are only a finite number of cells which can be added because public spectrum is limited. A related alternative is to make each cell smaller, which in turn reduces power consumption, allows the possibility of a better signal, and more bandwidth. The more autonomous a mobile computer, the better network disconnection can be tolerated. For example, some applications can reduce communication by running entirely locally on the mobile unit, rather than bifurcating the application and the user interface across the network. In environments with frequent disconnections, it is more important for the mobile computer to operate as a stand alone computer, rather than a portable terminal. Wireless networks have lower bandwidth than wired networks, and though wireless bandwidth is expected to increase, the divergence of bandwidth capabilities is likely to remain constant129. Network bandwidth is divided among those users sharing a cell. The deliverable bandwidth per user is the better measure of network capacity than raw transmission bandwidth. Mobile computing must contend with much greater variation in bandwidth, including the lack of bandwidth in a disconnection, than traditional computing. But this measure is variable in that it depends on the size and distribution of the user population. An application can handle bandwidth variability130 in three ways: it can assume high bandwidth connections and operate only whilst connected; it can assume low bandwidth connections and not take advantage of higher bandwidth when it is available; or it can dynamically adapt to the currently available resources, providing the user with a variable level of data and quality. In contrast to most stationary computers, which remain connected to a single network, mobile computers encounter more heterogeneous network connections. As they leave the range of one
129 Infrared wireless networks have bandwidth of 1 Mbps; radio wireless networks have bandwidth of 2 Mbps; and cellular networks have bandwidth of 9 – 19 Kbps. In contrast, Ethernet wired networks have a 10 Mbps bandwidth, and FDDI networks have 100 Mbps bandwidth, and ATM networks have 144 Mbps bandwidth. 130 except for a disconnection.
46
network transceiver, they switch to another in a different place, they may experience different network qualities. There may be areas where they can access multiple transceivers or different frequencies. The mobile device may also need to switch interfaces when moving from indoors to outdoors131. This heterogeneity of the networks compounds the problems for mobile computing. Wired networks have low error rates; as a result when packet loss occurs, it is usually caused by congestion, that is, overflow of a buffer somewhere on the network. TCP132, as a result, reduces the transmission flow through the ‘sliding window’ protocol, on the end-nodes. TCP was specifically designed to provide a reliable end to end (connection oriented) byte stream over an unreliable internetwork. But on wireless networks, where packet loss is far more frequent and most often not caused by corruption and not by congestion, the sliding window protocol is not effective. In a wireless network , if a packet is lost, the optimal response is to re-transmit. The model of a ‘dumb’ network with ‘smart’ end-nodes is appropriate only for wired networks. End-to-end control of congestion and reliability is a logical result of that model133 It is unclear whether the end-to-end networking model can survive as networks become increasingly heterogeneous. In networks of the future, packets will be lost for a plethora of causes, and adopting a single approach to such packet loss will not suffice. Further information will be required as to the cause of the loss, and it may be appropriate to undertake this action at the link-level, where the information will be available, than to propagate this information to the end-nodes at higher layers. The same problem is experienced with security. Link-layer encryption and authentication may be required on heterogenous networks. PGP and SSH currently provide security mechanisms at the application level. Wireless devices form ad hoc networks where a collection of nodes communicate with each other without the benefit of a fixed infrastructure134. One implication of ad hoc networks is that network decision-making is decentralized. As a result, network protocols rely more on cooperation among participating nodes. This level of trust can be exploited. For instance, an unauthorised user that compromises a single node can distribute false routing information to cripple the ad hoc network, or alternatively, instruct all routing to pass though the compromised node135. Mobile users will roam through many different cells, ad hoc networks and security domains. As the communication is handed off from one domain to the next, a malicious or compromised domain can compromise mobile devices through malicious downloads and misinformation or simple denial of service. Most websites are not equipped to manage intermittent service failures, which is a common occurrence with wireless connections. The majority of vendor implementations of the Secure Socket Layer [SSL] or the wireless equivalent [WTLS] do not reauthenticate principals when a connection is re-established after a service failure. This failure is potentially hazardous because requests can be redirected and malicious code can be downloaded if the principals are not reauthenticated. The wireless medium makes it more difficult to detect the source of the malicious code, because the user can roam in and out of wireless zones with no fixed geographical point. As a result, hackers are likely to prefer the wireless medium to launch attacks against fixed networks. In the case of many wireless networks, such as in cellular or satellite networks, communication is asymmetric. In particular, server machines are provided with a relative high-bandwidth wireless broadcast channel to all clients located inside a specific geographical region. Furthermore, in
131 For instance, infrared techniques cannot be used in the outside environment because sunlight drowns out the signal. Or for example, the interface may need to change access protocols for different networks, such as when switching from cellular coverage in a city to satellite coverage in the country. 132 Transmission Control Protocol 133 It is interesting to note that telephony has adopted the reverse model: dumb end-nodes connected by an intelligent network. 134 Y. Zhang & W. Lee, Intrusion Detection in wireless ad hoc networks in Proceedings of the ACM/IEEE Mobile Computing, August 2000 135 ibid
47
general, it costs less to a client in terms of power consumption to receive than to send. These considerations favor push-based delivery. Issues in terms of broadcast push unique to the resource limitations of mobile and wireless computing include: - Creating and broadcasting an index for the data on the broadcast, so that clients can estimate
from the index when the item of interest will appear and tune in at the appropriate time instance, thus minimizing listening to the broadcast and conserving power.
- Determining the broadcast content so that frequently accessed data items are broadcast more often than less frequently accessed ones.
- Maintaining a local cache at the client and deriving appropriate cache replacement policies; handling updates of the broadcast data.
- Query processing that involves data on the broadcast channel. The security of a wireless communication is more easy to compromise than non-wireless design, especially if the transmission range encompasses a wide area. Security is further compromised if users are to be allowed to cross security domains, such as when the untrusted mobile computers of hospital patients are allowed to use nearby printers whilst disallowing access to distant resources which require authorised access. Wireless Communication Protocols GSM and WAP are the two currently most popular and widely used wireless technologies136. GSM, the Global System for Mobile Communications, is the currently popular digital cellular telecommunications system specified by the European Telecommunications Standards Institute [ETSI]. GSM provides three security services: temporary identities for the confidentiality of the user identity; entity authentication that is to verify the identity of the user; and encryption for the confidentiality of user-related data137. The Subscriber Identity Module [SIM] is a smart card which contains all the necessary information and algorithms to authenticate the subscriber to the network. It is a removable module and can be used in any mobile equipment. A new protocol was also developed specifically for wireless communication, Wireless Application Protocol [WAP], developed by the Wapforum founded in 1997. WAP was designed as a ‘thin Web’ due to its simple Wireless Markup Language [WML] and simple browsers, as well as a special protocol stack [WAP stack] that better suits the wireless environment than the standard TCP/IP +HTTP stack. At this stage, the nexus between the success of WAP138 and mobile commerce is unclear. WAP is bearer independent; the most common bearer is currently GSM. There are handsets like the Nokia 9110 Communicator that can be used effectively without WAP capabilities to perform mobile e-commerce transactions. WAP addresses both the low bandwidth, high latency and limited connection availability of wireless networks and the resource constraints of the mobile devices. The network issues are addressed in both the transport and application layers of the protocol. In the transport level, a WAP gateway is inserted between the wireless network and the client that acts as a proxy: encodes the WAP data into compact formats to reduce the size and number of packets travelling over the wireless network. In addition, the WAP gateway typically takes over most of the computing tasks from the mobile device, permitting the device to be simple and inexpensive. The device-constraints issues are also dealt with directly by WML. WML provides a small (telephony aware) set of 136 It has been argued that a strong competitor of WAP is NTT DoCoMo’s i-mode information is at http://www.nttdocomo.co.jp/i/. Bluetooth is a wireless protocol for communication between devices that are in close proximity. The Internet is also creating alternatives with Mobile IP. 137 The encryption algorithms are integrated into the mobile equipment as dedicated hardware. GSM does not use public key cryptography. 138 or i--mode.
48
markup tags. WML documents are divided into a set of well-defined units of user interactions, called cards. A card is usually defined by a single action or operation, usually able to be displayed on a small screen. Services, called decks, are created by letting the user navigate back and forth between cards from one or several WML documents. A deck of cards providing a complete service is downloaded at the mobile device at one time, eliminating the need for a constant network connection. Similar to SSL, WTLS is WAP’s communications security solution. It also relies on a Public Key Infrastructure. The main difference between SSL and WTLS is that WTLS was modified to ensure suitability in an environment where there are bandwidth, memory and processing limitations. WTLS, as opposed to SSL, supports by default algorithms, is suitable for datagram communication, instead of connection; and supports its own certificate format. WAP has been criticised for its lack of relative security. Whilst the security problems of the Internet are currently more related to the secure management of the end-points, the security problems in WAP are still more with the protocols and algorithms themselves. For example, algorithms used by many GSM providers have been broken and real time eavesdropping has been shown to be feasible139. Most of the security problems are due to the closed design of the algorithms and their protocols, leaking and/or publishing details of the system’s weaknesses, and discovery of flaws by the cryptographic community. Neither GSM nor WAP offer end- to- end security. GSM security only applies on the wireless link – that is, from mobile phone to base station, but not from peer-to-peer – mobile phone to mobile phone. GSM considers the fixed SSL network to be secure, and GSM intends to offer the same level of security level as the fixed network. WTLS is only used between the mobile device and the gateway, whilst SSL is used between the gateway and server. Part of the rationale for the focus of the security problems of the Internet on the end-points is due to the complexity of the end-points: multi-user operating systems, data with executable content etc. Because of some of the device limitations of mobile devices, they are relatively simple and do not require much functionality, and thus end-point security is not as much of a problem. The WML Script specification does not differentiate between trusted local code and untrusted JavaScript downloaded from the Internet140. Further, WML Script is not a type-safe language, and there is no sandboxing mechanism to prevent WML Script from accessing persistent memory or completing an unauthorised access. Critics have pointed to what has been called the “WAP gap141” where wireless requests to Internet resources are translated at the WAP gateway from Wireless Transport Security Layer [WTLS] to the standard SSL protocol. In the process of translating protocols, the data is decrypted and then again encrypted, and in the interim the data can be captured in an unprotected state. WAP fails to provide end-to-end security, and the privacy of the transmitted data thus depends on the internal security policies of the mobile service provider [MSP]. The WAP gap was not an accidental design error – rather it was considered a necessary disadvantage, outweighed by the advantages of compression and compilation of embedded source code142. Juul and Jorgensen 143outline three possible remedies to the WAP gap: - placing the web gateway at the web server end of the connection – that is, inside the firewall
of the web server. But Juul et al believe this proposal conflicts with one of the objectives of the WAP gateway, namely to convert between two distinct protocols, one for wireless and one for the traditional wired network[ the Internet protocol suite, including HTTP and TCP].
139 Bruce Schneier, European Cellular Encryption Algorithms, Crypto-Gram, December, 1999. 140 WAP Forum, Technical Reports WAP-193-WMLScript, WAP-170-WTAL, WAP 169-WTA, July 2000 at http://www.wapforum.org 141 A.K. Ghosh & T.M. Swaminatha, Software Security and Privacy Risks in Mobile E-Commerce at pp. 3 142 to relieve the mobile phone of the task of parsing the data. 143 Niels C. Juul & Niels Jorgensen, WAP May Stumble over the Gateway, Proceedings of the SSGRR, June 2001 at http://www.dnafinland.fi/oopsla/wap.pdf
49
- placing an application level security on top of WAP. This recognises WAP to be potentially insecure, but by placing a layer above WAP, the compression benefits of WAP to accommodate the limited bandwidth of the wireless network, are lost.
- redesigning the WAP protocol to not use a gateway, but rather employ the existing Internet standards for the entire connection. The optimisation benefits of the gateway are obviously lost. Further, there is a business rationale to the gateway as an MSP which ties its mobile customers to a portal-like access point to the Internet, which would be lost by not using a gateway. A mobile portal has two advantages over a traditional ISP: first, WAP services may be combined with traditional phone services; and second, the MSP may have access to location-dependent data of the user.
The WAP Forum has released a proposal for version 2.0 of the WAP standard, which advocates two standards – the first in line with version 1.2.1 of WAP which contains the WAP Gap, and an alternative which discards the gateway144. This would allow the same level of security for a mobile commerce transaction as for a fixed wire commerce transaction. Discarding the WAP gateway implies a loss of the optimisation that it provides, and acknowledges that wireless transmissions will continue to have a higher latency than wired transmissions. Ghosh believes that this ‘WAP gap’ is distractive from the more fundamental security flaws at both the client and server systems145. WAP offers a more general model than GSM, which is rather limited. WAP’s devices offer more Internet functionality. But, at the moment, little focus has been paid to combining the concepts of wireless communication, be it GSM or WAP or another alternative, and the Internet security protocols such as SSL146. This is unfortunate in that most wireless networks also rely on fixed communication as part of their network. The WAP Gap is evidence of this neglect. Ad Hoc Networks An ad hoc network is a collection of nodes that do not need to rely on a predefined infrastructure. Instead, nodes rely on each other to keep the network connected. Ad hoc networks can be formed, merged together or partitioned into separate networks dynamically, without necessarily relying on a fixed infrastructure to manage the operation. Mobility is not a requirement of ad hoc networks, in that ad hoc networks may contain static and wired nodes, but mobile networks are largely ad hoc. The security aspects of traditional networks are not fully applicable in ad hoc networks. The specific security challenges of ad hoc networks are: - Whilst the basic security requirements such as confidentiality and authenticity remain, the ad
hoc network restricts the level of security mechanisms by its performance limitations. The performance of nodes in an ad hoc network is critical, since the amount of available power for redundant radio transmission and excessive calculation is constrained. As discussed above, the available bandwidth is likely to be restricted and bursty. And the amount of available memory and CPU power is relatively small compared to fixed networks.
144 WAP Forum, “WAP TLS Profile and Tunneling WAP-219-TLS:Wireless Application Protocol TLS Profile and Tunneling Specification”, Proposed Version at http://www.wapforum.org. WAP 2.0 does not require a WAP gateway, because the communication between client and server can be conducted using HTTP/1.1. But, the Protocol continues to state that a WAP gateway cam ‘optimize the communications process and may offer mobile service enhancements, such as location, privacy and presence based services. In addition, a WAP proxy [ gateway] is necessary to offer Push functionality”. 145 ibid. 146 A combined approach has been suggested by Claessens et al. [John Claessens, Bart Preneel, & Jaos Vandewalle, Combining World Wide Web Security and Wireless Security, Proceedings of IFIP I-NetSec 2001, November 26-27, 2001, Leuven, Belgium]
50
- The use of wireless links renders an ad hoc network vulnerable to link attacks ranging from passive eavesdropping to active impersonation. Eavesdropping could result in confidentiality breaches. Active attacks could allow the intruder to delete, modify or inject messages, or impersonate a node, thereby violating integrity, authentication and non-repudiation.
- Routing protocols in ad hoc networks are also constrained. Whereas in traditional networks, proactive protocols147 are more common, the continual and heavy traffic requirements between the nodes required for the periodic refreshing of the routing tables does not suit ad hoc networks. Also ad hoc networks frequently require additional redundancy in alternate paths for reliability reasons. Ad hoc networks typically utilise reactive [ source-initiated on-demand ] protocols or hybrid protocols. Reactive protocols do not periodically update the routing information – it is forwarded to the nodes only when necessary, at the expense of additional overhead and delays when the route is determined. The hybrid approaches make use of both reactive and proactive protocols – for example, proactive protocols could be used in an internetwork and reactive protocols could be used inside a particular network or vice versa.
- Routing mechanisms are also more vulnerable in ad hoc networks than in fixed networks because in ad hoc networks each device acts as a relay148. This means, for example, that an adversary who hijacks an ad hoc node could paralyse the whole network by disseminating false routing information. A less dramatic form of malicious behaviour is node selfishness: some nodes may not bother to relay packets, to conserve battery power.
- Physical protection of the nodes is a greater issue than with fixed networks. To the extent that an ad hoc network has a distributed architecture with no centralized entity, vulnerability is reduced.
- An ad hoc network may consist of hundreds or even thousands of nodes. Security mechanisms need to be scalable to handle such a large, and dynamic network.
- A problem arises when one considers that certain authorisation and access control tasks need to function off-line, that is, without necessarily contacting an authorisation or access control server to mediate access, but rather to perform the authentication and determine access privileges based solely on information available at the time access is requested. Both public and secret key protocols have been proposed for solving this problem.149
The identification of the appropriate security mechanisms for an ad hoc network depend on a number of issues including: - the expected security functions to be implemented, such as confidentiality, authentication,
integrity. - whether there is a single centralised authority, or several authority domains, or none. - if there is an authority, what is its role in the initialisation phase. For example, can the
authority install appropriate cryptographic programs in each node prior to usage. - if there are several authorities , what is the level of trust between them, and how is a
relationship of trust developed. - is there an upper bound on the number of users, and if so, is it known a priori. - what is the key life cycle, and when is key revocation considered. 147 Proactive protocols are usually table driven and distance vector protocols, with the routing information in the tables being periodically refreshed. 148 J. Hubaux et al. The Quest for Security in Mobile Ad Hoc Networks in Proceedings of the 2001 ACM International Symposium on Mobile ad hoc networking & computing October 2001; A. Ghosh and T. Swaminatha Software Security and Privacy Risks in Mobile E-Commerce in Communications of the ACM 44(2), pp 51-57, February 2001. 149 K. Zhang and T. Kindberg, An Authorization Infrastructure for Nomadic Computing. In Proceedings of the 7th ACM Symposium on Access Control Models and Technologies.
51
Ad Hoc Networks and Key Management Ad hoc networks cannot rely on any centralized services. Network management such as the routing of packets and key management have to be distributed so that all nodes have some responsibility in providing the service. As there are no dedicated server nodes, any node may be able to provide the service to any other node. Service availability should be maintained if a tolerable amount of nodes in the ad hoc network crash or leave the network. Communication redundancies should be provided to protect against service disruption. But these approaches produce more overhead both in computing resources and network traffic. As ad hoc networks vary significantly from each other, an environment-specific and efficient public or shared secret key management system is required. In some applications, such as military operations, network nodes belong to a single authority domain and security can be bootstrapped by the authority which can install keys into the nodes prior to operation. For rapidly changing ad hoc networks the exchange of keys may need to be addressed on-demand, without assumptions about a priori secret keys. In less dynamic environments, the keys may be mutually agreed proactively. If public key cryptography is used, the protection mechanism relies on the security of the private key. As the physical security of the nodes may be poor, private keys have to be stored in the nodes confidentially, for instance encrypted with a system key. For dynamic ad hoc networks, this is not desirable and the security of the private key must be maintained with hardware protection, such as smart cards, or by distributing the key in part to several nodes. Hardware protection is not an adequate protection by itself. In ad hoc networks a centralized approach in key management may not be a viable approach, as there may not be any centralized resources. Moreover, centralized approaches are vulnerable as a single point of failure, from both the security and performance perspectives. The mechanical replication of the private keys is also inadequate, since, for example, the private keys of the nodes then have a multiple possibility of being compromised. A distributed approach in key management is required. Security is often dependent on effective key management, but the problem of authentication in ad hoc networks cannot be solved in the traditional manner. The symmetric cryptographic solutions in the tradition of Needham-Schroeder and Kerberos explicitly require an online ticket-granting server, and even the solutions based on public key cryptography and certifying authorities fail if the certification is not online, because of the difficulty of timely revocation and the need for keys to be refreshed periodically to reduce the chance of a successful brute-force attack on the private key. These solutions are not effective for ad hoc networks for the following reasons: - ad hoc networks have no infrastructure support, including no centralized authority; - the certifying authority servers are vulnerable as single points of compromise and failure.; - multi-hop communications over the error-prone wireless medium expose transmission to a
high loss rate and higher average latency. Variations such as hierarchical certifying authorities and certifying authority delegations can ameliorate the problem, but do not address issues like service availability and robustness150. There are two approaches for eliminating the requirement of a centralized certifying authority, they being: - establishing a totally distributed solution, where nodes have to authenticate each other by
establishing an appropriate context;
150 J. Kong, P. Zerfos,, H. Luo, S. Lu & L. Zhang, Providing Robust and Ubiquitous Security support for MANET, IEEE ICNP 2001, 2001
52
- establishing a self-organized151 public key infrastructure. With respect to the first approach, when nodes have authenticated each other prior to usage, the nodes by definition have to have shared a prior context152. The scenario considered is a small group of users meeting in a room for an ad hoc meeting and willing to set up a wireless network session amongst their laptop computers for a set time. It is assumed that they do not have access to a public key infrastructure or third party key management service. A fresh password is chosen and shared among the group. However, it would be a mistake to use the password directly as a key, as the password would then be vulnerable to dictionary attacks. Thus, a password-authenticated key exchange should be conducted by which a strong shared key is derived starting from a weak shared key. But this proposal can only work if the parties can share a password a priori. In relation to the second approach, a scheme has been proposed whereby a subset of nodes, which are called key servers , share the centralized authority’s private key153. The functionality of the certifying authority is distributed to a number of nodes, with the assumption that these nodes continue to remain part of the ad hoc network. This principle is what Zhou and Haas call the ‘distribution of trust’154 – even though no single node in an ad hoc network can be trusted because of low physical security and availability, trust can be bestowed upon an aggregate of nodes155. The distribution of trust is accomplished via ‘threshold cryptography’156. Threshold cryptography allows the distribution of certain information among several nodes such that: (1) no group of corrupt nodes (smaller than a given threshold) can determine what the secret is, even if they cooperate; (2) when it becomes necessary that the secret information be reconstructed, a large enough number of nodes (a number larger than the above threshold) have such an ability. The private key is divided into a number of pieces, determined by the number of nodes which have the ability to sign certificates. Each node generates a partial signature for the certificate using its private key and submits the partial signature to a combiner157. However, there are a number of issues involved in the implementation of threshold cryptography, including:
- The size of the threshold: What fraction of the servers can be corrupted by the attacker without any harm to the service (e.g. signature or decryption) that these nodes implement?
- Efficiency considerations: How much communication, storage, power, and computation do these fault-tolerant protocols require?
- Model of communication: Is synchronous or partially synchronous communication, authenticated broadcast and secure links between nodes required?
To thwart attacks where there is progressive compromising of the nodes, proactive schemes are required, which make use of share refreshing. Share refreshing enables nodes to compute new shares from old ones in collaboration, without disclosing the server’s private key to any node. However, share refreshing requires that a subset of the nodes play a specific role at a specific time,
151 Self-organization is the ability of a mobile ad hoc network to work without any external management or configuration. 152 N. Asokan and P. Ginzboorg, Key agreement in ad hoc networks, Computer Communications, 23:1627-1637, 2000 153 Lidong Zhou and Zygmunt J. Haas. Securing ad hoc networks. IEEE Network Magazine, 13(6):24-30, November/December 1999. 21 154 ibid. 155 ibid. Assuming that any t+1 nodes will be unlikely to be compromised at any one time, consensus of at least t+1 nodes is trustworthy. 156 Y. Desmelt, Threshold Cryptography, European Transactions on Telecommunication, 5(4):449-457, July-August, 1994 157 Any node can function as a combiner. To ensure that a compromised combiner cannot prevent a signature from being computed, t+1 combiners can be used to ensure that at least one combiner is correct and is able to compute the signature. t is such that it is infeasible for more than t nodes to be compromised, even by collusion.
53
which is not always possible in self-organized networks, in which each node is expected to behave selfishly. This concept is somewhat similar to PGP [Pretty Good Privacy] which does not rely on a centralized certifying authority. In PGP, certificates are issued by the users themselves based on their knowledge of their colleagues – a so- called ‘web of trust’158. This scheme relies on nodes that have specific functions and assumes that the keys are distributed to the nodes before operation. PGP does not scale well beyond a small community of trusted users159. Capkun et al. propose a key-management system similar to PGP in the sense that public-key certificates are not issued by a certifying authority but by the users themselves160. But, unlike PGP, Capkun does not interpose the use of on-line certificate directories that reside on centrally managed servers. Instead, certificates are stored and distributed by the users and each user maintains a local certificate directory containing a limited number of certificates selected by the user. Capkun proposes an algorithm for the construction of local certificate repositories such that any pair of users can find, with a high level of probability, certificate chains to each other in their merged directory, even if the size of the local directory is small compared to the total number of potential users in the network161. Before such a key authentication method can be implemented, a local certificate directory has to be constructed at each node, which is expensive in terms of bandwidth, but needs to be performed only rarely. If the ad hoc network is very dynamic such that large number of certificates are continually revoked or a large number of users join the system, then the local directory has to be re-initiated. This approach only provides probabilistic guarantees – not certainty.
158 However, when used in large domains, PGP still relies on centrally managed on-line certificate directories for the distribution of certificates. 159 Also, the members of a network may not even reach consensus on who is trusted and who is not. since independent ‘ webs of trust’ may be formed. 160 S. Capkun, L. Buttyan & Jean-Pierre Hubaux, Self-Organized Public-Key Management for Mobile Ad Hoc Networks, 2002 161 When a user A wants to verify the authenticity of the public key of user B, the two users merge their local certificate directories, and A tries to find an appropriate certificate chain from A to B in the merged directory.
54
Network Protection in Ad Hoc Networks Routing information must be securely maintained so that the identity or location of the communicating parties is not revealed162. Routing information must also be protected from attacks against authentication and non-repudiation. Routing protocols proposed for ad hoc networks are able to handle the dynamically changing topology, but do not protect the network against malicious attacks163. Routing protocols can be attacked by external intruders or by compromised nodes. External attacks can inject erroneous routing information, and thus partition a network or introduce excessive traffic into the network by causing retransmission and inefficient routing. Compromised nodes could advertise incorrect routing information to other nodes. Detection of such incorrect information is difficult, partly because of the dynamically changing topology of network – when a piece of routing information is found invalid, the information could have been generated by a compromised node, or it could have become invalid as a result of topology changes. One approach to solving this problem is to attempt to detect compromised nodes and construct new routes that avoid them.164 Interestingly, this solution does nothing to punish a misbehaving node(s).165 Other solutions have focussed on cooperative intrusion detection methods that exclude compromised nodes.166 Unfortunately, excluding the compromised nodes could itself be exploited to implement denial of service attacks.167 The inherent redundancy of ad hoc networks allows the possibility of secure routing. As long as there are sufficiently many correct nodes, the routing protocol should be able to find routes that go around the compromised nodes. If routing protocols can discover multiple routes, which has been achieved by ZRP168, DSR169, TORA170 and AODV171 algorithms, the nodes can switch to an alternative route when the primary route has failed. Another possible attack on a network of mobile devices does not involve compromising any particular device, but rather it relies upon compromising the domain into which devices dynamically enter, such as the base station. From this vantage point, one could initiate attacks against any devices that enter the domain. A specific example of this form of attack is the potential compromise of the Domain Name Service (DNS) used in a particular domain. The DNS maps names such as ‘www.lazard.com’ to numeric addresses that are used for direct communication. It is a hierarchical database and a node will typically forward all DNS requests to the local domain’s name server that is responsible for querying other name servers in the hierarchy. If the local name server is compromised, it can be configured to return an arbitrary address in response to a given query. An attacker could easily set
162 J. Hubaux et al. The Quest for Security in Mobile Ad Hoc Networks in Proceedings of the 2001 ACM International Symposium on Mobile ad hoc networking & computing October 2001; A. Ghosh and T. Swaminatha Software Security and Privacy Risks in Mobile E-Commerce in Communications of the ACM 44(2), pp 51-57, February 2001. 163 Lidong Zhou and Zygmunt J. Haas. Securing ad hoc networks. IEEE Network Magazine, 13(6):24-30, November/December 1999. 21 164 S. Marti et al. Mitigating routing misbehavior in Mobile Ad Hoc Networks in Proceedings of the 6th Annual International Conference on Mobile Computing and Networking 2000. 165 See Hubaux et al. section 3.2. 166 Zhang, Y. and Lee, W. Intrusion detection in wireless ad-hoc networks. In Proceedings of the ACM/IEEE MobiCom, (Aug. 2000). 167 Hubaux et al. section 3.2. 168 Z.J. Haas & M. Perlman, The performance of query control schemes for zone routing protocol. In SIGCOMM ’98, June 1998 169 D.B. Johnson & D.A. Maltz, Dynamic source routing in ad hoc networks, Mobile Computing , 1996 170 V.D. Park & M.S. Corson. A highly adaptable distributed routing algorithm for mobile wireless networks . In IEEE INFOCOMM’97, Japan, 1997 171 G.E. Perkins & E.M. Royer, Ad hoc on-demand distance vector routing. In IEEE WMCSA ’99, New Orleans, LA, February, 1999
55
up a website that mimics the look and feel of a legitimate site and trick users into divulging confidential information to the illegitimate site.172 The reason such an attack is feasible is that the most commonly used DNS servers do not contain the necessary security features. The most recent versions of the DNS server software now include security features that form the basis for a protection mechanism against such attacks and recent research has produced both public and secret key solutions for securing the DNS.173 This mechanism introduces two new resource record types, SIG and KEY that contain a digital signature and the public key used to create the signature respectively. One drawback of this solution is the increase in size of the network messages. Recent work has aimed at using secret key technology with the added bonus that network message size is reduced.174 Location Dependent Information and Mobile Computing Traditional computer configurations are stationary, and location dependent information, such as the local name server and available printers, can be configured statically. Mobile computing however requires mechanisms to obtain configuration data to determine the present location of such resources. Solutions to the problem of locating or tracking mobile objects vary depending on the application domain. In general, such solutions rely on a combination of storing some information about the location of the objects at selected sites and on performing some form of searching. To locate a mobile object, the stored information about its location is retrieved. Such information may be unavailable, out-of-date or approximate, thus to track the object, its actual location must be found by searching or performing appropriate estimations. Searching may take the form of selective broadcasting at all potential sites or gradually contacting sites from the one most possible to currently host the mobile object to the less possible one. Several data structures have been proposed for storing the location of moving objects: - One approach is to store the location of all moving objects in a single centralized spatial
database. Every time the location of an object changes, this central database needs to be updated. To handle the high update rate in such databases, the location attribute is often represented as a function of time and thus is automatically updated with time without an explicit database update operation. Representing location as a function of time is possible, when objects follow pre-defined routes as is the case of vehicles moving in a highway. Such representations may also provide estimations for the future location of the objects. The disadvantage of this approach is the potential for bottlenecks in terms of resource availability.
- The home base approach adds a degree of distribution. With this approach, a specific database is associated with each object called the home base of the object. The current location of the object is stored at its home base. To locate an object, the home base associated with the object is contacted. When the object moves, its home base is updated. An enhancement of the home base approach is to store the location of all objects currently located at a site in a database residing at the site, called the visitor database. In this case, an object x that wants to contact another mobile object y, first contacts the visitor database at its current location, to find out whether object y is in the same site. If so, x avoids contacting y’s home base that possibly resides at a remote site. As an extension of the visitor database approach, a hierarchy of visitor databases may be built. In this approach, space is divided into regions. Each database at
172 Ghosh and Swaminatha, page 52. 173 See D. Eastlake, Domain Name System Security Extensions. RFC 2535, March 1999; D. Eastlake, DNS Request and Transaction Signatures (SIG(0)s). RFC 2931, September 2000. 174 G. Ateniese and S. Mangard, A New Approach to DNS Security (DNSSEC) in Proceedings of the 8th ACM Conference on Computer and Communications Security. November 2001.
56
the lower level of the hierarchy stores the location of all objects at a single region. Databases at internal levels store information for all objects covered by the databases at their children nodes.
- Finally, with the forwarding pointer approach, each time a mobile object changes location, a pointer to its new location is deposited at its old location. Thus to contact the object a chain of pointers is followed until the object is reached. Caching and replication can be used in all cases to improve performance and availability. This approach is clearly not fault tolerant, in that a broken link can cripple the network.
Besides tracking mobile objects, there are several other interesting queries that relate to location. Examples of such queries include finding the nearest service when the service or the user is mobile, or geographical multicasting - sending a message to all objects within a specified geographical area for instance to support geographically targeted advertising. Changing location also has important implications in distributed system design. Distributed systems have configurations that are no longer static. Thus, distributed algorithms and protocols can not rely on a fixed topology. Moreover, the centre of activity, the system load, and locality change dynamically. These queries require knowledge of the location of the mobile user, which potentially constitutes a security and privacy violation. To deal with the characteristics of mobile computing, especially with wireless connectivity and small devices, various extensions of the client/server model have been proposed. Such extensions advocate the use of proxies or middleware components. Proxies of the mobile host residing at the fixed network, called server-side proxies, perform various optimisations to alleviate the effects of wireless connectivity such as message compression and re-ordering. Server-side proxies may also perform computations in lieu of their mobile client. Proxies at the mobile client undertake the part of the client protocol that relates to mobile computing thus providing transparent adaptation to mobility. They also support client caching and communication optimisations for the messages sent from the client to the fixed server. Finally, mobile agents have been used with client/server models and their extensions. Such agents are initiated at the mobile host, launched at the fixed network to perform a specified task, and return to the mobile host with the results. Mobile agents, in the context of mobile e-commerce, will next be considered
Mobile Agents A mobile agent is a software application that may dynamically and autonomously migrate between hosts on a network. Mobile agents are, in fact, a specific example of the more general concept of mobile code. The term ‘mobile code’ refers to software that may be dynamically installed and executed on a remote host.175 Typical examples of mobile code include Java applets or JavaScript embedded in HTML documents. The chief factor differentiating a mobile agent from mere mobile code is the former’s ability to request its own migration to another host. Mobile agents are capable of migrating autonomously from node to node in the network. Its tasks are determined by the agent application. Agents are able to operate autonomously without direct intervention of humans or other agents, and have control over their own actions and internal state. Agents do not simply respond to their environment; they
175 See P. W. L. Fong, Viewer’s Discretion: Host Security in Mobile Code Systems. Technical Report TR 1998-19, School of Computing Science, Simon Fraser University 1998.
57
are able to perform goal-oriented behaviour by taking the initiative. Agents are further able to adapt their behaviour on the basis of past experience. Historically, in the traditional client-server paradigm, clients and servers communicated either through message-passing or remote procedure calls [RPC]. This communications model is basically synchronous, that is, the client suspends itself after sending a request to the server, waiting for the response. A more generic concept is a mobile object or mobile code, which encapsulates data as well as the code to perform the operations on that data. Mobile code is moved at the discretion either of the client, using an architecture called ‘remote evaluation’ [REV]176, or of the server using the ‘code-on-demand’ architecture, or variations177 thereof.. Mobile agents, however, are already executing on the client, and their execution state, in addition to their code and data, is transferred to the server, which then resumes execution from where it left off. Mobile agents can be distinguished from RPCs and REVs thus: - in an RPC, data is transmitted between the client and server in both directions. The parameters
are passed from the client to the server, which then returns the results. - In REV, code is sent from the client to the server, and data is returned. - A mobile agent is a program, encapsulating data, code and execution state178, sent by a client
to a server. Unlike a RPC, it does not have to return its results to the originating client. It could migrate to other servers, transmit information back to the originating client or to any node in between. When migrating to other servers, the agent can specify either an absolute destination, that is, the name of the server to which it needs to migrate, or a relative destination, which is the name of another agent or resource that the agent needs to co-locate with179.
A mobile agent can also be distinguished by the number of autonomous ‘hops’ between hosts. A single hop agent is somewhat analogous to a client/server security system. The agent’s home platform authenticates a second host before any transaction occurs. The agent’s itinerary is restricted to a trusted host, reached via a single hop, and by the home platform encrypting the agent before it migrates. The receiving host is also protected, because the agent comes directly from an authenticated source. The weakness in applying conventional security concepts to multiple hops is that bilateral trust relationships are, in general, not transitive180. Furthermore, trust relationships are not necessarily reciprocal181. Thus, multi-hop mobility introduces a new level of security complexity.
176 Remote Evaluation (REV) was proposed by Stamos and Gifford, In REV, the client, instead of invoking a remote procedure call (RPC), sends its own procedure call to the server, and requests the server to execute it and return the results. 177 There are basically three possibilities for agents carrying code. One possibility is for the agent to carry all the code as it migrates, allowing the agent to run on any server which can execute the code. Another possibility is for the agent to carry no code, but that the code needs to be pre-installed on the destination server. This is advantageous from a security perspective, since no foreign code is allowed to execute, but it limits the functionality of mobile agents to closed, local networks. Another alternative is that the agent does not carry any code, but contains a reference to its code base – a server that provides the code upon request, or demand – called ‘code-on-demand’. During the agent’s execution, if it needs some code that is not installed on its current server, the server contacts the code base to download the required code. This is of advantage f the destination server already has the classes that the agent intends to use stored locally. However, this approach is slow, consumes more network bandwidth than the other approaches, and is not suitable when an agent has to operate in a disconnected environment. 178 also referred to as its thread-level context. 179 Arnand R. Tripathi, Neeran M. Karnik, Manish K. Vora, & Tanvir Ahmed, Ajanta – A System for Mobile Agent Programming. Technical Report TR98-016, Department of Computer Science, University of Minnesota,, April 1998 180 If Bob trusts Alice and Alice trusts Fred, it does not necessarily mean that Bob trusts Fred. 181 If Bob trusts Alice, it does not necessarily follow that Alice trusts Bob.
58
The advantages of mobile agents in comparison to RPCs and message passing182, and the rationale for their appeal in relation to mobile e-commerce are: - reduction in network usage. Web searching often requires downloading large amounts of
server-based information, processing it, and generating comparatively small amounts of result data. If mobile agents are used, the agents can execute on server machines and access server based data without downloading it to the client. Only the result data is transmitted back. This is particularly useful for applications such as data mining.
- increased autonomy. Instead of using computers as an interactive tool requiring user interface, a mobile agent is able to achieve a given goal without the interference of its owner. Users may dispatch autonomous mobile agents over a network connection which then crashes - the agent will continue to function and will be ready to return results at a later point of time. The fact that the network link may be brought down during the transaction does not deter the mobile agent which has off-line processing capability. Off-line capability is especially important for mobile networks with their low bandwidth and relatively high cost.
- increasing asynchrony between servers and clients. Some applications also involve repeated invocations, requiring either the maintenance of a network connection over an extended period, or multiple invocations for a single transaction. If mobile agents are used, the client does not need to maintain a network connection for the duration of the transaction or make repeated connections. This allows asynchrony between the client and server, which is especially useful for mobile computers which often have low bandwidth, unreliable connections and low power.
- adding client-specific functionality to server In client server applications, servers provide a public interface with a fixed set of primitives. Clients may need higher level functionality composed of these primitives, and their requirements may change over time. Rather than modifying the server interface to support these changing requirements for each client, a client can maintain its own interface at the server node, using mobile agents. This again results in a reduction of network usage.
- client customisation – With RPCs, clients are confined to a set of services offered, and if a client wants a new service , it must be installed on the server.
- dynamically updating server interfaces. By adding client-specific functionality to the server, the server capabilities can be dynamically enhanced, without any disruption to other clients. Mobile agents allow parallelism in the application, since they can execute concurrently in a distributed system.
- enhancing load balancing properties. By encapsulating the execution state in the mobile agent, the server can reactivate the thread at precisely the point where it requested the migration. This can be useful for transparent load balancing, since it allows the system to migrate processes at any time to equalize the load on different servers. It may also be useful in some types of fault-tolerant programs, allowing checkpoint-restart schemes for recovering from crashes.
- ease of software distribution- agents enable applications to distribute themselves amongst nodes on which they must execute. A mobile agent network is an ‘open’ platform for application developers.
There are two models of agent mobility – weak mobility and strong mobility. In the weak mobility model, the agent state essentially consists of the agent’s program defined data structures, whereas the agent’s strong mobility model captures the agent’s state at the level of the underlying thread or process183. With weak mobility, an agent’s migration is possible only at specific points in the
182 Danny B. Lange and Mitsuru Oshima. Seven Good Reasons for Mobile Agents, Communications of the ACM, 42(3):88-89, March 1999 183 Robert S. Gray, Agent Tcl: A Flexible and Secure Mobile Agent System, Proceedings of the 4th Annual Tcl/Tk
59
agent’s code, and typically a migration is explicitly requested in the agent’s code. The strong mobility model allows an agent to be migrated at any point in its execution. The strong mobility model is useful if agents need to be moved at unpredictable points of time for fault tolerance or load balancing. A few systems support strong mobility, including Agent Tcl, Ara and Nomad. In the context of Java based systems, this support has required the development of specialized virtual machines for mobile code, which is an arduous task. For this reason, most agent systems are based on the weak mobility model, including Ajanata, Mole, Concordia and Voyager. An agent’s parent application may need to monitor the agent’s status whilst it executes on a remote host. If exceptions or errors occur during the agent’s execution, the application may need to terminate or recall the agent. This involves tracking the current location of the agent and requesting the host server to kill it, or alternatively, executing a migrate call to the home site184. The capability of remotely terminating and recalling agents raises some security concerns such as limiting the ability of termination / recall to the owner. Thus, some authentication functions need to be built into the primitives. Many of the security issues with mobile agents have counterparts in classical client-server systems and have existed for some time, as exampled by the security risk of executing any code from an unknown source. Mobile agents simply offer a greater opportunity for abuse and misuse, broadening the potential for threats significantly. New threats arising from the mobile agent paradigm result primarily from the fact that, contrary to the traditional systems where the owner of the application and the operator of the computer are one and the same, the agent’s owner and system’s operator are different. Mobile code introduces a range of security issues not commonly encountered by standard (immobile) applications. Most mobile agent systems were designed without security as a primary focus185; even though some models provide ad hoc security mechanisms, such as encryption or basic access control, they are not well integrated with the agent programme. These issues may be conveniently grouped into the following categories:186
1. Determining the level of trust to afford some newly arrived mobile agent, including instances of an agent attacking another agent187, and an agent attacking the host; and
2. Determining the level of trust to afford the host to which some mobile agent is sent for
execution. These categories are examined in greater depth in the following sections. Protecting the Host from the Mobile Agent A host participating in a mobile agent system runs an agent server process. The agent server in turn allows the execution of agent programs. If there is no differentiation between mobile agents and local [trusted] software, the host is exposed to various forms of attack. The threats include: Workshop (TCL 96) , July 1996 184 Also, checkpoint primitives are required, as well as the ability to determine the cause of the malfunction. 185 Neeran Karnik ,Security in Mobile Agent Systems, Ph.D. dissertation at http://www.cs.umn.edu/Ajanta/publications.html 186 See V. Varadharajan, Security Enhanced Mobile Agents in Proceedings of the 7th ACM Conference on Computer and Communications Security, pages 200-209; W. Jansen, Countermeasures for Mobile Agent Security in Computer Communications, Special Issue on Advances in Research and Application of Network Security, November 2000. 187 For example, an agent may attempt to disguise its identity to deceive the party with which it is communicating. An agent can launch a denial-of-service attack by repeatedly sending messages to another agent to deprive it of available resources. This is called ‘live-locked’ when the critical stage of the mobile agent is unable to finish because it is continuously overloaded with work.
60
− Malicious code acquiring access to confidential data on the host. A malicious agent can transmit confidential information from the host server back to its owner.
− Malicious or poorly programmed code corrupting data on the host. − Malicious or poorly programmed code disrupting the services provided by the host, such as
denial of service attacks. − Malicious code corrupting another agent on the host. However, the fear of the threats should not interfere with the requirement that legitimate agents be able to access the server’s resources. The primary issues which need to be addressed in this regard are: − binding of agents to the local environment. − authorization. Typically a server will attempt to authenticate the source of a piece of mobile
code before executing it. The most common methods for authentication use digital signatures and trusted certificate authorities to guarantee that the client providing the mobile code is who it claims to be. Nevertheless, authentication of the source is insufficient by itself to ensure the security of the host, since the mobile code may contain bugs or the source may have been compromised.
− enforcement of access controls. Host security is a well researched area with a number of protection techniques. These include mechanisms such as sandbox security in Java, software fault isolation, proof carrying code and type safe languages. Code security is more problematic, in that it is somewhat unique to mobile code. Some of the better known code security techniques which will be discussed below include: cod obfuscation, encrypted functions, tamper-proof hardware and execution tracing. There are several ways for the agent server to provide a language-level binding between the agent and the server’s resources: - The agent can be supplied with a reference to the resource, and the security manager would
then screen all resource access requests, but at the expense of the security manager becoming unmanageable, raising the potential for further security errors. Karnik argues that the security manager should be limited to generic protection of system resources, with no involvement in protecting application-level resources188.
- Shapiro189 recommends the use of proxy objects, with a resource proxy being created when an agent first requests access to a resource. The resource proxy allows a safe interface to the particular resource. The agent only has a reference to the proxy. Proxy objects can be tailored to specific agents and dynamically generated.
- As used in the Amoeba application, Tannenbaum190 suggested capabilities. If an agent needs to access a resource, it must first be granted a capability from the server controlling the resource. After the server authenticates the agent, it provides the agent with a digitally signed capability, which contains the agent’s access restrictions, if any. When the agent requires access to the instant resource, it must first present the capability for authorization. Capability lists are attractive for similar reasons to proxies- security policy checks are only performed
188 Neeran Karnik ,Security in Mobile Agent Systems, Ph.D. dissertation at http://www.cs.umn.edu/Ajanta/publications.html 189 Marc Shapiro, Structure and Encapsulation in Distributed Systems: The Proxy Principle, in Proceedings of the 6th International Conference on Distributed Computing Systems, IEEE, 1986, pp 198-204, 190 Andrew S. Tannenbaum, Sape J. Mullender and Robbert van Rebesse, Using Sparse Capabilities in a Distributed Operating System, Proceedings of the 6th International Conference on Distributed Computing Systems, IEEE, 1986, pp. 558-563.
61
once at the time of the issuance of the capability. But this could be at the expense of the lack of control of a capability being assigned to another agent, which is not authorized to use the particular object. There is also the problem of the need to be able to revoke granted capabilities.
- the resource may be encapsulated in a wrapper object, which protects the resource from the agent. The wrapper accepts requests for the resource and determines whether the agent has authorized access, using an access control list. From the server’s stance, it may not have a priori knowledge of all the potential users, but, on the other hand, the list of potential users of any resource is likely to be small. The wrapper approach is attractive because it is relatively simple to implement and is transparent to the agent. Only one wrapper exists for each resource, as opposed to a proxy, which must be created for each agent that access a resource. But the wrapper approach is inflexible in that all clients must be subject to the same access control mechanism, which is invoked on every access to the resource.
Further mechanisms for protecting the host are discussed below. One approach of protecting agents from each other is to establish separate isolated domains for each agent and the host, and control all inter-domain access. In traditional systems this concept, as it applies to a trusted computing base, is referred to as a reference monitor, and has the following characteristics: - it is always invoked and is non-bypassable, mediating all accesses. - it is resistant to tamper. - it is small enough to be analysed and tested. Safe Code Interpretation The objective of Safe Code Interpretation is to render potentially harmful commands safe or, in the alternative, to deny the agent access to the code. For example, a command to execute an arbitrary string of data as a program segment could be denied. Since an agent may execute on heterogeneous machines with varying operating systems, the portability of agent code is essential. Thus, most agent systems are based on interpreted programming languages, which provide portable virtual machines for executing agent code. The choice of language also has a security component – the specified language should support type checking, encapsulation and restricted memory access. The languages not only differ in the functions they provide, but also differ in their forms to distribute agents. There are three variants of distribution: source code, intermediate code, and compiled native binary code: - Agents distributed in source code are easily compromised, since it is the most primitive and
easily readable form. The source code can be manually analysed by program comprehension tolls like program slicers. But the advantages of source code are that it requires only a small amount of code to accomplish a given task, and only an interpreter is required for execution. Tcl and Ara use source code distribution for their mobile agents.
- agents distributed in intermediate or compiled code are vulnerable to the same attacks after reverse engineering, but the attack requires more skills. Aglets and Telescript dispatch agents in intermediate code whilst Omniware191 sends agents in Just-In-Time compiled code. There are tools to decompile the binary code. Once the source code is revealed partially, it is as
191 Steven Lucco, Oliver Sharp, Robert Wahbe, Omniware: A Universal Substrate for Web Programming (1995), World Wide Web Journal, at http://citeseer.nj.nec.com/lucco95omniware.html
62
vulnerable as source code.Many agent systems use Java, with agents defined as objects192. Java virtual machines are available on a wide range of hardware platforms. Java provides strong support for distributed programming in the form of remote method invocation, and object serialization193. Java includes a basic security infrastructure that can assist in providing security for mobile agents, such as digitally signed classes which can be used to verify the integrity of agent code, as well as the identity of creator and sender. The security aspects of mobile agents are entwined with the security controls inherent in Java.
The Java security model is designed for applets. Applets resemble mobile agents in that they are transported to remote hosts prior to execution, but are neither autonomous nor mobile. The security problems surrounding applets also apply to mobile agents, but mobile agents have additional problems which are not satisfied by Java, including: - Since each applet instance "visits" only one machine, the major security issue is protecting
machines from applets which could be malicious. Although there are several open issues, such as protecting the machine without imposing artificial restrictions on the applet, this problem has largely been solved with a combination of cryptographic authentication and "safe" execution environments [such as the Java virtual machine]. A mobile agent can be viewed as an applet that visits autonomously a sequence of machines. Such sequential behaviour complicates the security issues in two ways. First, an agent might perform an action that is harmless to each host server, but detrimental to the network as a whole (such as simply migrating forever). Second, the agent's state changes on each server. There needs to be a means to verify the integrity of this state information. A malicious machine can examine the information that an agent obtained from previous machines and then use that information to mount an attack against the agent or against the previous servers.
- the granularity of access control is coarse in the applet model. Applets signed by a trusted entity have unfettered access to system resources. Mobile agents need greater flexibility of access control
- mobile agents can provide or access application-level resources, such as database services. Access control must be provided for such resources, in addition to the system-level resources. The security policies of such resources may need to be dynamically modified by their owners, and often cannot be centralized in a security manager.
- agent owners may impose restrictions on the rights delegated to the agent, which must be enforced in addition to access controls applied by the agent servers themselves.
- applets do not usually communicate with each other as opposed to agents. Thus, there is no provision for the elimination of the risk of applets tampering with another applet.
- agents should not be able to consume unlimited network resources194, even if it is continuously moving from one administrative domain to another. An agent should be limited from migrating forever or from creating unlimited child agents. Only few agent systems even address the problem195; of those that do196, most proposed solutions involve some form of electronic cash197. Each agent is given a finite supply of electronic cash from its owner's finite
192 The systems using Java include Aglets, Mole, Ajanta and Voyager. 193 Serialization allows the conversion of an object instance into a machine-independent array of bytes. The byte array can be transmitted over the network and de-serialized there – that is, converted back into an identical Java object. 194 including CPU access, network and disk interface, data storage and databases. 195 One extreme case found is MarketNet, where currency-resource exchange is the exclusive form of security. Different levels of security access are available for sale. Sites may discount access to certain areas by setting a lower price. [Y. Yemini, A. Delianis. D. Florissi & G.Huberman, Market Based Protection of Information Systems, Proceedings of the First International Conference on Information and Computation Economics, pp. 181-190, 1998 196 To the author’s knowledge, only Agent Tcl and Telescript address the resource issue. 197 Jonathan Bredin, David Kotz, and Daniela Rus, Economic markets as a means of open mobile-agent systems, Proceedings of the Workshop ``Mobile Agents in the Context of Competition and Cooperation (MAC3)'' at Autonomous Agents '99, pages 43-49, May 1999
63
supply. As the agent migrates, it spends the cash to access needed resources198. In addition, its splits its cash with any children that it creates. Eventually, the agent and its children will run out of cash and terminate. The danger of denial of service is limited by the agent’s cash levels. Conversely, idle or underutilised resources may be sold to users from other sites. Such a system also allows a more efficient balance network load. Although electronic cash seemingly provides the best solution199, several problems must be addressed. For instance, if a machine must contact a central bank every time that an agent arrives (to verify the validity of the agent's electronic cash), the migration overhead would be burdensome. In addition, if a server steals electronic cash from a visiting agent, the theft must be capable of detection.
The best known of the safe interpreters for script-based languages is Safe Tcl, which was used in the development of the Agent Tcl system. Safe Tcl supports strong mobility200 by providing an extended Tcl interpreter. Safe Tcl employs a padded cell concept, whereby a second ‘safe’ interpreter pre-screens any potentially harmful commands from being executed by the primary Tcl interpreter201. The term ‘padded cell’ refers to the isolation and access control method, which provides the foundation for implementing the reference monitor concept. More than one safe interpreter can implement different security policies. In general, current script-based languages relegate security to that of a secondary concern, and rely mainly on decisions taken during implementation. Digital Signatures A digital signature serves as a means of confirming the authenticity of an object, its origin and its integrity. Because the agent operates on behalf of an end-user or organisation, mobile agent systems often use the signature of the user as an indication of the authority under which the agent operates. The problem is defining a mechanism to verify that a certain public key really belongs to the person it purports to. The most common solution is to use a Certifying Authority verifying the owner of the key, but as noted above this poses a problem with the lack of any centralized approach in ad hoc networks. Proof Carrying Code With Proof Carrying Code [PCC], each piece of mobile code is accompanied by a proof (or guarantee) of its safety according to the security policy of the host on which it is intended to run. The host can verify that the proof is valid, and, if the mobile code is modified this verification step will fail202. The aim of this method is to prevent the execution of unsafe code, and to shift the computational effort of constructing a proof from the interpreter at the host to the mobile agent creator. The code and proof are sent together to the host or agent consumer where the proof can be verified. A safety predicate, representing the semantics of the program, is generated directly from the native code to ensure that the proof does in fact relate to the code. The proof is structured in a 198 Bredin et al [Jonathan Bredin, David Kotz, and Daniela Rus. . Economic markets as a means of open mobile-agent systems, Proceedings of the Workshop ``Mobile Agents in the Context of Competition and Cooperation (MAC3)'' at Autonomous Agents '99, pages 43-49, May 1999 at http://agent.cs.dartmouth.edu/papers/bredin:position.pdf] have proposed a resource allocation policy where hosts take bids from agents for prioritised access to resources, such as CPU time. The priority of access to a resource an agent receives is proportional to its bid relative to the other current bids. 199 in that there has been no better solution offered in real world commercial applications. 200 Strong mobility refers to the transfer of both code and extension state whilst weak mobility means the transfer of code and initialisation data only. IN contrast, Mole and Java Aglets support weak mobility. In Aglet and Mole, each mobile agent is a thread in a Java interpreter. The Java Aglets API provides a set of basic services to mobile agent threads on the interpreter. 201 Robert S. Gray, Agent Tcl: A Flexible and Secure Mobile-Agent System, Proceedings of the 4th Annual Tcl/Tk Workshop (TCL 96), July 1996, pp 9-23. 202 G. Necula and P. Lee. Safe kernel extensions without run-time checking. In Proceedings of the 2nd Symposium on Operating System Design and Implementation (OSDI ’96), Washington, October 1996;
64
way that no cryptography or trusted third parties are required because PCC is checking intrinsic properties of the code and not its origin. In this sense, PCC programs are ``self-certifying.'' Since the untrusted code is verified statically prior to execution, execution time for non-proved code is saved, and potentially hazardous operations are detected early, thus avoiding the situations when the host must kill the untrusted process after it has acquired resources or modified state. Though initial research has demonstrated the applicability of PCC for fine-grained memory safety, with the promise that PCC could be used as an alternative to Software-Based Fault Isolation in some applications, there are some issues203, such as a standard formalism for establishing security policy, automated assistance for the proof generation, and techniques for limiting the large size of proofs that can be generated. PCC is also hardware and operating system specific, which limits its portability. Path Histories This technique involves maintaining an authenticatable log of the hosts through which a certain mobile agent has passed204. When the agent arrives at a new host, the logs can be examined for anomalies and the host can use this information to decide whether to trust the agent. Mechanisms must exist to ensure that each host securely adds itself to the log, that the host cannot repudiate an entry in the log and that the logs are securely transmitted to the next host. A mechanism must also exist for the new host to determine whether the previous hosts are, in fact, trustworthy, either by simply reviewing the list of identities provided or by individually authenticating the signatures of each entry in the path history. Whilst Path Histories does not prevent a host from behaving maliciously, it serves as a deterrent, since the host’s signed path entry is non-repudiatable. This method does not scale well, and is dependent on the ability of a host to determine whether to trust the previous hosts visited in the path. Software-Based Fault Isolation [“Sandboxing”] This technique involves implementing in software features that are normally provided by the operating system, including memory protection among threads and controlling device access205. Software-Based Fault Isolation allows untrusted programs written in potentially unsafe languages to be executed within the single virtual address space of an application. Access to system resources can be controlled through a unique identifier associated with each domain. The method is efficient compared with using hardware page tables to maintain separate address spaces for modules, when the modules communicate often among fault domains. It is best suited for situations where most of the code falls into one domain which is trusted, since modules in trusted domains incur no execution overhead. Protecting the Agent From the Host and Other Agents When an agent executes on a host server, it is completely exposed to the host. An agent server must have access to the agent’s code and state in order to execute it. Parts of state must change, in order to store the results of computations or queries. The problem is compounded in that different parts of an agent may be intended for different hosts, and some parts may need to be protected until the agent arrives at the intended host. The hosts may not be trusted equally. Further, protecting the agents against the host is counter to what has traditionally been the focus of security policies- protecting the host from the application. 203 Wayne A. Jansen, Countermeasures for Mobile Agent Security, Special Issue on Advances in Research and Application of Network Security, November 2000 204 Joann J. Ordille, When agents roam, who can you trust? First Conference on Emerging Technologies and Applications in Communications (etaCOM) (1996) at http://citeseer.nj.nec.com/ordille96when.html 205 R. Wahbe, S. Lucco, T. Anderson, Efficient Software-Based Fault Isolation, Proceedings of the 14th ACM Symposium on Operating System Principles, ACM SIGOPS Operating System Review, Dec. 1993, pp. 203 –216
65
A widely used example illustrates the vulnerability of mobile agents from malicious hosts. A mobile agent has to shop for the cheapest air travel ticket. It will visit the servers of various carriers, check for seat availability and compare prices. At the conclusion of this search process, the agent should purchase the ticket that it found to best match the user’s specifications. A host can behave maliciously in a number of ways: it can increase prices on flights of other carriers that the agent has already investigated; it could decrease availability on flights of other carriers, or increase availability requirements such that there will not be sufficient seating at other carriers; the server can also find the price charged by its competitors and adjust its price accordingly etc. The most secure approach is to ensure secure circuits inside a closed system – a trusted computing base. All communication between hosts are encrypted and digitally signed by the transmitting host, and mobile agents cannot leave this closed system. The trusted computing base would protect agents and hosts from external attackers but would not protect either from the potentially malicious acts of internal hosts and agents. This closed system, however, has little applicability to the environment in which it is contemplated that mobile agents will interact. It is not possible to provide a general guarantee that the agent will not be maliciously modified206.The threats to mobile agents from malicious hosts include − A malicious host acquiring access to confidential data in the mobile code, perhaps the result of
calculations from a previous host; − A malicious or poorly programmed host corrupting the mobile code; and − A malicious or poorly programmed host failing to properly execute the mobile code. The parent application must have some mechanism for detecting such modifications. If it determines that the agent has been corrupted, it can take the appropriate measures, such as executing in a restricted environment or discarding the mobile agent. Agent security methods can be dichotomised into detection [execution tracing, forward integrity, and state appraisal] and prevention [code obfuscation, encrypted functions]. Prevention mechanisms seek to prevent violation of agent code and hence are more reliable, though usually more complex. Prevention mechanisms generally assume a simple trust model: no entity is trusted and maximal measures are undertaken to prevent any possible security breach. On the other hand, detection mechanisms are more easily deployable, and can be gradated depending on the level of intrusion detected. Typical mechanisms for protecting the code are discussed below. Secure Control of Remote Agents A mobile agent application needs to periodically monitor the progress of the mobile agents which it has dispatched and issue control commands to the agents ‘ in the field’. The application may decide to recall its agents back to the home site, or terminate them midway through their tasks if necessary. Agent servers must provide remotely invocable primitive operations for this purpose. But these operations are vulnerable to malicious users, and must be restricted. Authentication is required, and the server must establish and enforce rules as to which entities can terminate an agent. Read-Only/Append-Only
206 William M. Farmer, Joshua D. Guttman & Vipin Swarup, Security for Mobile Agents: Issues and Requirements. In Proceedings of the 19th National Information Systems Security Conference, pages 591-597, October,1996
66
This technique involves declaring parts of the agent as read-only. Any tampering with the read-only objects can be detected. For instance, an agent’s credentials should only be modifiable by the owner. The associated Java objects could be declared as constants, using the ‘final’ keyword. But this is not sufficient, because a malicious server could have corrupted the Java virtual machine so that it allowed modifications to final objects. Thus, a cryptographic solution is proposed by Karnik207. This approach is obviously limited to those parts of the state that remain constant throughout the agent’s sojourn at the particular server. Sometimes, the agent needs to collect data from the servers visited, as well as preventing any subsequent modification to that data. An alternative lets the agent create an append-only container- a container into which the agent can place data as it executes. Data stored in the container cannot be modified or deleted without detection by the agent’s owner. Partial Results Encapsulation Partial Results Encapsulation [PRE] detects tampering by malicious hosts by encapsulating the results of an agent’s actions, at each host visited, for later verification, either when the agent returns to the originating host or at intermediate hops. Encapsulation by digital signatures can provide confidentiality, integrity and accountability. There are three alternatives to encapsulate partial results: - provide the agent with the means for encapsulating the partial results. - rely on the encapsulation capabilities of the host. - rely on a trusted third party to timestamp a digital fingerprint of the results. One method for encapsulation is Partial Result Authentication Code [PRAC], which are cryptographic checksums formed using secret keys208. PRAC requires the agent and its originator to maintain or generate a list of secret keys, which once applied to encapsulate the desired data, is destroyed before the agent moves onto the next platform, guaranteeing forward integrity209. Once a host in the path is untrusted, further computation integrity cannot be ensured. Only the originator can verify the results since no other copies of the secret key remain. Through the signed partial results, the first malicious host can be identified, and only the results obtained prior to arrival at that particular host can be identified. As an alternative, public keys and digital signatures can be used in lieu of secret keys, with the benefit that result authentication can be made into a publicly verifiable process at any host along the way, whilst maintaining forward integrity210. However, the PRAC method suffers from some deficiencies. A malicious host could retain copies of the keys or key generating functions of the agent. If the agent revisits the host or visits another host conspiring with the malicious host, a previous partial result could be modified without detection211. Since PRAC is oriented towards integrity and not confidentiality, the accumulated set of results can also be viewed by any platform visited, though this can be resolved by applying other forms of encryption, albeit at the expense of performance.
207 Neeran Karnik ,Security in Mobile Agent Systems, Ph.D. dissertation at http://www.cs.umn.edu/Ajanta/publications.html 208 B.S. Yee, A Sanctuary for Mobile Agents, Technical Report CS97-537, University for California in San Diego, April 1997 209 Forward integrity means that the results obtained from previous hosts cannot be modified. 210 Wayne A. Jansen, Countermeasures for Mobile Agent Security, Special Issue on Advances in Research and Application of Network Security, November 2000 211 Sa-Koon Ng, Protecting Mobile Agnets Against Malicious Hosts, Thesis of Degree of Master of Philosophy, 2000, Chinese University of Hong Kong at pp. 29
67
Rather than the agent encapsulating the partial information, the host can perform that task. Karjoth et al.212 devised a host-oriented method for encapsulating partial results, by constructing a chain of encapsulated results that binds each result entry to all previous entries and to the identity of the subsequent host to be visited. Each host digitally signs its entry using its private key, and uses a secure hash to link results and identities within an entry. Besides forward integrity, the encapsulation technique also provides confidentiality by encrypting each piece of accumulated information with the public key of the originating host. The forward integrity is strengthened by this proposal, since a host is unable to modify its entry in the chain if it is revisited by the agent, or to collude with another host to modify entries without invalidating the chain. Code Obfuscation This technique involves obscuring the mobile code in such a way that, while still executable, it becomes very difficult to understand and to modify without detection.213 Unfortunately, no algorithm for securely achieving this effect is known214. Further, the obfuscation process cannot be automated, and cannot be provably measured215. A less ambitious approach merely relies upon the obfuscation guaranteeing that the code cannot be read for a certain minimum period of time. In this way, certain forms of confidential data that expire after a certain amount of time can be protected. Unfortunately, there isn’t an adequate mechanism for determining how long it will take an untrusted host to de-obfuscate the code, making it difficult to guarantee how long confidential data will be secure. An associated method is the Crowd technique216. Crowds is an anonymity system based on the idea that people can be anonymous when they blend into a crowd. Crowds is a distributed and chained Anonymizer, with encrypted links between crowd members. The user’s initial request of a Web server is first passed to a random member of a crowd. That member can either submit the request directly to the destination server or forward it to another randomly chosen member, and depending on the outcome, continues the path to another randomly chosen crowd member or terminates the path and forwards this (and any future traffic on the path) to the ultimate destination. Neither the host server nor any mobile agent can determine the origin of the request. Computing with Encrypted Functions A related idea to code obfuscation is to send a modified version of a certain piece of code that produces a useable result without giving an untrusted host the ability to see the algorithm being used217. The objective is to produce a mobile agent that remotely computes a result that can only be properly interpreted by the originating host of the agent. This agent can then be sent to a remote host for execution, and this host, while producing the desired results, is unable to interpret them properly. The results are then returned to the originator of the agent who can interpret them. This approach is different from traditional encryption which encrypts passive data, in which data after the encryption is meaningless until decrypted. In this case, the functions after encryption are still usable. Unfortunately, while algorithms exist for performing the necessary modifications to code in
212 G. Karjoth, N. Asokan, and G. Gülcü. Protecting the computation results of free-roaming agents. In K. Rothermel and F. Hohl, editors, Second International Workshop on Mobile Agents (MA '98), Springer-Verlag, Lecture Notes in Computer Science 1477 pages 195-207, 1998. 213 F. Hohl, Time Limited Blackbox Security: Protecting Mobile Agents From Malicious Hosts, in G. Vinga (Ed.), Mobile Agents and Security, Springer-Verlag, Lecture Notes in Computer Science No. 1419, 1998, pp. 92-113. 214 ibid. Hohl however notes that Computing with Encrypted Functions as an example of an approach that falls within the Blackbox category, albeit with some reservations concerning the limited range of input specifications that apply. 215 Sa-Koon Ng, Protecting Mobile Agnets Against Malicious Hosts, Thesis of Degree of Master of Philosophy, 2000, Chinese University of Hong Kong at pp. 32 216 M.K. Reiter & A.D. Rubin, Crowds: Anonymity for Web Transactions, ACM Transactions on Information and System Security, vol. 1, no. 1, Nov. 1998, pp. 66-92 217 T. Sander & C. Tschudin, Protecting Mobile Agents Against Malicious Hosts, in G. Vigna (ed.) Mobile Agents and Security, Springer-Verlag, Lecture Notes in Computer Science no. 1419, 1998, pp. 44-60.
68
some restricted domains, a general algorithm has yet to be developed218. This method also does not prevent denial of service, replay, and other forms of attack against the agent. Environmental Key Generation Yet another idea related to code obfuscation is environmental key generation. In Environmental Key Generation219, the mobile agent uses information from its environment220 to generate a decryption key that can then be used to decrypt and execute the static portion of the agent221.. The environmental condition is hidden through either a one-way hash or public key encryption. Since the decryption key is not stored in the agent, it is not possible to decrypt the code segment simply by viewing the code. Rather, the decryption key is generated from the environment, such as from the results of a search, or the combination of certain properties of the system. The only way to determine if the key is correct is to attempt to decrypt the code segment. This approach, however, is not without its drawbacks. One problem is that at some point the encrypted code segment must be decrypted and can then be viewed by a malicious host. Even if the code is decrypted piecemeal, with each piece executed and discarded, it is still possible to modify the agent’s code to store the decrypted pieces at some other location before discarding them. Another problem with this approach is that executing dynamically generated code is generally considered unsafe and not allowed, rendering this technique unusable. Execution Tracing In this approach, each host on which a mobile application executes maintains a log of the operations performed by the mobile code that can later be retrieved and analysed in the event that a security violation is suspected222. Execution Tracing requires each host visited to create and retain a non-repudiatable log of the operations performed by that agent whist a resident on the host, and to submit a hash of the trace upon conclusion as a trace summary or fingerprint. A trusted third party is used to store the sequence of trace summaries for the agent’s itinerary, preventing the execution tracing from being erased. Unfortunately this technique requires a large amount of storage for the log files223 that are not actually examined unless a problem is suspected. The originating host must actively intercede to verify the execution trace, which may result in a bottleneck224. The lack of accommodating multi-threaded agents and dynamic optimisation techniques is also a drawback. Further, the fact that the detection process is triggered sporadically, based on possibly suspicious results, does not allow real time intrusion detection. If a violation is detected, the assumption has been that uniform punitive action will be taken against all perpetrators, regardless of intent or damage. Tan and Moreau believe that this inability to
218 Currently, this approach can only encrypt functions with polynomials and rational functions only. 219 J. Riordan, B. Schneir, Environmental Key Generation Towards Clueless Agents, in G. Vigna (ed.) Mobile Agents and Security, Springer-Verlag, Lecture Notes in Computer Science no. 1419, 1998 220 For example, an agent asking for a string match in the database, and the decrypting key will be generated if the string matches. 221 The static portion of the agent refers to that part of the mobile agent that involves no further participation in future agent execution. The non-static portion refers to that part of the mobile agent which is involved in future agent execution. 222 G. Vigna, Protecting Mobile Agents Through Tracing, Proceedings of the 3rd ECOOP Workshop on Mobile Object Systems, Jyvälskylä, Finland, June 1997; and G. Vigna. Cryptographic traces for mobile agents. In Mobile Agents and Security, number 1419 in LNCS. Springer-Verlag, 1998. 223 Biehl et al has suggested an approach to shorten the execution tracing, using holographic proofs [ Ingrid Biehl, Bernd Meyer, & Suzanne Wetzel, Ensuring the Integrity of Agent-Based Computations by Short Proofs, in Kurt Rothermel, Fritz Hohl (eds) Mobile Agents, pp. 183-194, 1998, mentioned in Sa-Koon Ng, Protecting Mobile Agnets Against Malicious Hosts, Thesis for Degree of Master of Philosophy, 2000, Chinese University of Hong Kong at pp. 31 224 To effectively scale, the originating host must be able to delegate some verification activities, which requires a notion of trust.
69
differentiate is not always desirable225, and suggest that responses could be tailored to the situation with escalating levels of restriction to a host which has violated an agent’s integrity. Itinerary Recording Another approach with links to path histories is to use a cooperating process to trace the movements of a mobile agent. When the agent moves between hosts it communicates with the cooperating process through a secure channel The cooperating process maintains a record of the itinerary and when an inconsistency is noted, can take action226. An interesting facet of this approach is the possibility of using another agent as the cooperating process with both agents verifying each other’s movements. This approach is based on the assumption that a minority of agent hosts are malicious, and even if an agent encounters a malicious host, the host is unlikely to collaborate with another malicious host being visited by the cooperating process. Thus, by dividing the operations of the application between two agents227, certain host malicious behaviour can be detected. A variation of this technique is to replicate agents in a similar manner to data replication, which is used for dealing with data loss or corruption. Numerous mobile agents may be dispatched to perform the same calculation. While this replication is redundant, a malicious or faulty host can only affect the agents that pass through it. Assuming that less than half the hosts through which the agents pass have problems, the majority of agents will produce identical results and the originating host can use the majority version as the result of the computation. With computational power and network bandwidth increasing, the redundancy of this approach should not create too many problems. However, a deficiency of itinerary recording is the cost of setting up the secure channel and the inability of the cooperating process to determine which of the hosts is responsible if the agent is killed. Security Through Shared Secrets and Interlocking By introducing asymmetries, some attacks by a host are rendered less feasible228. Two or more agents are configured such that each performs only part of the transaction. No agent would possess all the elements to conclude a transaction. For instance, a negotiating agent A could find the best price for a particular product, but could not conclude the purchase without contacting agent B which carries the e-money in encrypted form. Similarly, it is not possible for agent B to proceed with the purchase of the good because A has the decryption key. This separation of duties can be further strengthened by dividing the tasks with more than two agents. Other Approaches Recent approaches to security in mobile code and mobile agent systems have focussed on incorporating the notion of trust, and certain trust models into these systems.229 Typical security systems use public and private key cryptography to protect code and data from tampering and exposure. These systems assume a very simple trust model in which no one is trusted and so all 225 H. Tan and L. Moreau, Trust Relationships in a Mobile Agent System, Proceedings of the 5th IEEE International Conference on Mobile Agents. Lecture Notes in Computer Science 2240 226 V. Roth, Secure Recording of Itineraries through Cooperating Agents, Proceedings of the ECOOP Workshop on Distributed Object Security and 4th Workshop on Mobile Object Systems: Secure Internet Mobile Computations, INRIA, France, 1998, pp. 147-154. 227 Itinerary Recording can be generalised to more than two cooperating processes. 228 T. Sander and C. Tschudin, Protecting Mobile Agents Against Malicious Hosts, in the Proceedings of the 1998 IEEE Symposium of Research in Security and Privacy, Oakland, 1998. 229 H. Tan and L. Moreau, Trust Relationships in a Mobile Agent System, Proceedings of the 5th IEEE International Conference on Mobile Agents. Lecture Notes in Computer Science 2240. Springer-Verlag 2001; P. Lamsal, Understanding Trust and Security, 2001.
70
transactions involve high levels of security. An alternative approach is to somehow determine the level of trust to associate with nodes on the system. Tan and Moreau have proposed an approach that uses execution tracing, described above, as a detection mechanism for determining which hosts may be trusted. The system can then use less stringent security mechanisms when communicating with these trusted hosts230. Some agent protection can be gained through continual contact with the originating host. Jumping Beans231 uses a client/server architecture where an agent returns to a secure central host before every migration so it can be checked for violation. This approach is impractical and eliminates many of the benefits of mobile agents. Aglets is less restrictive, but limits hosts accepting or dispatching agents to remote hosts which are untrusted. These examples may be useful in controlled or closed situations, but are not practical when applied to open public networks like the Internet. Little work was found on combining the various techniques detailed above into a single framework, or on having a host assign less restrictive access permissions to a mobile agent that has been protected in certain ways. The ability to differentiate in terms of security is important, since if a host can confidently identify certain types of malicious modification, it will not have to treat the mobile agent with the same level of suspicion just because the agent travelled in an untrusted environment. However, some security issues remain unresolved, and often unexamined, including the following: - prevention, rather than detection, of unauthorised intrusions. - assurance that the application is executed to completion by the host. - assurance that an agent can be distinguished from its clone. - confidentiality in relation to the non-static part of the agent. There has been little focus on
preserving the confidentiality of the non-static portion of the mobile agent232. In traditional data security, the data is revealed as long as the two end parties are recognized as trusted. In mobile agent security, end-to-end
- trust relationship is not assumed. - availability issues- security issues are linked to performance issues. To better quantify the
viability of security schemes, metrics must be developed to determine performance degradation resulting therefrom. There seems to have been little focus on contrasting the effect of security schemes between these two factors233.
- the ability for mobile agents to broadcast secretly with a large, anonymous group of agent platforms234.
- inter-agent communication. - robustness, fault tolerance, recovery and agent control by originating host. There are few commercial mobile agent systems and fewer standards. There are few large-scale agent-based applications. Most of the existing mobile agent applications are generally relatively small in size, requiring at most 100 agents. Most examples of mobile agent applications operate in closed environments. In most of the current mobile agent platforms, support for managing and coordinating agent groups is not present, but is critical for the development of large scale applications.
230 ibid. 231 http://www.jumpingbeans.com/ 232 Sa-Koon Ng, Protecting Mobile Agnets Against Malicious Hosts, Thesis of Degree of Master of Philosophy, 2000, Chinese University of Hong Kong at pp. 42 onwards 233 ibid 234 Gunther Karjoth, Danny B. Lange, & Mitsuru Oshima, A Security Model for Aglets, Internet Computing, July 1997
71
If mobile agents are to fulfil their promise, the key features of mobile agents need to be identified and extracted into a coherent, flexible set of composable software standard interfaces. The mobile agent research has focussed on a monolithic system, one in which large, completely autonomous mobile agents ‘roam’. David Kotz et al believe that this focus is misguided, and that mobile code should instead be applied to specific applications using whatever form of mobile code the application demands in a modular approach235. As Gian Pietro Picco stated: “Most mobile agent systems try to solve ten problems at the same time. They tend to be monolithic. People who want to use only one little slice of the system have to install the whole thing.236” As part of this monochromatic approach, most mobile agent systems provide only one form of mobility, such as applets, servlets, mobile agents with weak mobility, and mobile agents with strong mobility. If modular, one component could provide mobility, another security etc. Nearly all mobile-agent systems allow a program to move freely among heterogeneous machines, e.g., the code is compiled into some platform-independent representation such as Java bytecodes, and then either compiled into native code upon its arrival at the target machine or executed inside an interpreter. For mobile agents to be widely used, however, the code must be portable across mobile-code systems, since it is unreasonable to expect that the computing community will settle on a single mobile-code system. There is a plethora of frameworks and infrastructures for mobile agents, with over 60 paradigms currently being discussed237. Making code portable across systems will require a significant standardization effort. Prior approaches to interoperability were a futile attempt to force agent creators to use a common API238. The OMG MASIF standard is an initial step, but addresses only cross-system communication and administration, leading to a situation in which an agent can not migrate to the desired machine, but instead only to a nearby machine that is running the ``right'' agent system239. The MASIF standard, to date, has not gained widespread support, partially due to its reliance on many OMG specifications, such as CORBA and IDL240. The mobile-agent community must take the next step of standardizing on some specific execution environment(s) (such as a particular virtual machine), as well as on the format in which the code and state of a migrating agent are encoded.
Attacks Based on Device Limitations Another problem arises when one considers that certain authorisation and access control tasks need to function off-line, that is, without necessarily contacting an authorisation or access control server to mediate access, but rather to perform the authentication and determine access privileges based solely on information available at the time access is requested. Both public and secret key protocols have been proposed for solving this problem.241
Prevention, Detection and Reaction 235 David Kotz, Robert Gray & Daniela Rus, Future Directions for Mobile-Agent Research, 2002, Technical Report TR2002-415, Dartmouth College. 236 Architecture and Components, in David Kotz, Robert Gray & Daniela Rus, Future Directions for Mobile-Agent Research, 2002, Technical Report TR2002-415, Dartmouth College 237 The Mobile Agents List , a repository of mobile agent systems, at http://mole.informatik.uni-stuttgart.de/mal/preview/preview.html 238 Arne Grimstrup, Robert Gray & David Kotz, Write Once, Move Anywhere: Toward Dynamic Interoperability of Mobile Agent Systems, Dartmouth College Computer Science Technical Report TR2001- 411 239 D. Milojicic, M. Breugst, I. Busse, J. Campbell, S. Covaci, B. Friedman, K. Kosaka, D. Lange, K. Ono, M. Oshima, C. Tham, S. Virdhagriswaran, and J. White. MASIF: The OMG Mobile Agent System Interoperability Facility., Proceedings of the Second International Workshop on Mobile Agents, volume 1477 of Lecture Notes in Computer Science, pages 50-67, Stuttgart, September 1998. Springer-Verlag. 240 Todd Papaioannou, Mobile Information Agents for Cyberspace – State of the Art and Visions at http://citeseer.nj.nec.com/387777.html 241 K. Zhang and T. Kindberg, An Authorization Infrastructure for Nomadic Computing. In Proceedings of the 7th ACM Symposium on Access Control Models and Technologies.
72
A security system needs to encompass all three elements – prevention, detection and reaction. To use Schneier’s vernacular – a vault is needed to store the gold; alarms are needed to detect burglars trying to access the vault; and police need to respond to the alarms and arrest the burglars242. Digital security, including cryptography etc. relies on prevention – the vault in the above analogy. Little focus is placed on detection; and almost none on response and auditing. Schneier continues to state that a prevention-only strategy is effective only if the prevention mechanisms are perfect. It is not enough merely to establish a firewall defence. Attacks against the network need to be detected and analysed, reading and understanding the audit logs in real time. A real-time monitoring system is required , either human or artificially intelligent. The US military breaks down the detection process into four main steps243: - detection – the ability to distinguish between a malicious attack and a system failure; - localization – determining the locus of the attack. The mere knowledge of an attack does not
necessarily mean that there is knowledge of which computers or ports are being accessed. - identification – determining the identity and location of the attacker. This may be very
difficult. - assessment – understanding the attacker – his capabilities and his vulnerabilities. A script
‘kiddie’ is a very different threat to an industrial or government spy. Each step is incrementally difficult, and each requires more detailed information and more depth of analysis. Unfortunately, few administrators can proceed past the second step – localization, and even this may be difficult. Without the last two steps, it is difficult to envisage an adequate and individualised reaction. Intrusion Detection Intrusion detection is motivated by a number of factors, including the following: - if an intrusion is detected quickly, the intruder can be identified and expelled from the system
prior to any damage resulting from such unauthorised access. The sooner the intrusion is detected, the less likely is the severity of the damage resulting from the intrusion.
- an effective intrusion detection system can serve as a deterrent. - intrusion detection enables the intrusion technology to be identified, studied, and combated. The primary assumptions of intrusion detection are: user and program activities are observable and predictably distinctive. Intrusion detection involves identifying normal activities of users and programs as opposed to aberrant behaviour. Intrusion detection systems [IDS] can be categorized as network-based or host-based. A network-based IDS normally runs at the network gateway and examines network packets that pass through the network hardware interface. A host-based IDS relies on operating system audit data to monitor and analyse the events generated by users and programs on the host. Intrusion detection can further be categorized into misuse detection and anomaly detection. Misuse detection systems244 use patterns of well-known attacks or vulnerabilities of the system to identify intrusions. For example, a misuse could be if a password is unsuccessfully attempted more than a certain number of times within a set time period. The advantage of misuse detection is that it can efficiently detect instances of known attacks, but is unable to detect innovative attacks. Anomaly detection systems245 flag observed behaviour that deviate materially from established usage patterns
242 Bruce Schneier, Secrets and Lies , at pp. 9 243 ibid at pp. 376 244 such as IDIOT and STAT. 245 such as IDES.
73
– for example, the normal profile of a user may contain the averaged frequencies of some system commands in his login sessions, and if the frequencies are substantially different, an anomaly alarm will be raised. The advantage of anomaly detection systems is that there is no prior knowledge of intrusion required, and thus new intrusions can be detected, but the disadvantages is that the user or program pattern must be known beforehand and the anomaly detection system may have a high false positive246 rate247. Neither anomaly detection nor misuse detection approaches are highly accurate outside small event domains when used individually, and to achieve a high level of accuracy, a combination of the two approaches is required. Additional research is required to handle the large volumes of logged data without deteriorating operating system performance and user privacy. A first step would be to determine what events to search for, since some events, such as examining all covert channel events, do not contribute to intrusion detection. Most commercial IDS systems have a hierarchical structure, with information gathering at leaf nodes, network based or host based collection points. Information is then aggregated from multiple leaf nodes, with consequent abstraction and data reduction occurring at higher levels until the root node is reached. The root evaluates the purported detection and issues response commands. The hierarchical structure is efficient and scalable, but rigid because of the tight binding between functionality and the lines of communication that tend to evolve248. It is clearly not appropriate for ad hoc networks. Intrusion detection systems available commercially have a number of defects249. Current intrusion detection system shortcomings include: - lack of efficiency. IDS often need to evaluate events in real time, which may be difficult when
confronted with a large number of events simultaneously. This problem is compounded by the increase in frequency and speed of high speed communication. Also, as new types of attack are discovered, the IDS must be updated to detect them and must then analyse each packet for the new type of attack. But the possibility of old attacks must still be examined. Typically, the greater the attack coverage, the more processing time required by the intrusion detection algorithm.
- high number of false positives. The incidence of false alarms is frustrating to system administrators, who, as a result, often disable parts of the IDS. Lowering thresholds to reduce false alarms raises the potential for attacks to remain undetected as false negatives.
- expensive development and maintenance. The cost of building an IDS is considerable, due in part to the lack of agreement on the intrusion detection methods and the tailoring of the IDS to the particular environment. Maintaining an IDS requires highly specialised knowledge and entails substantial effort.
- limited flexibility. IDS have often been written for a specific environment and have proved difficult to adapt to other environments. The detection mechanisms can also be difficult to adapt to different patterns of usage.
246 A false positive is when an authorised user is classified as an intruder. An attempt to limit false positives by strictly interpreting intruder behaviour may lead to an increase in false negatives, when intruders are not identified as intruders. 247 As The Economist recently reported [June 22, 2002] frequent false alarms have made intrusion detection the bane of system administrators. The Economist reported that administrators have thus reduced the sensitivity of such systems or simply turned them off. 248 W. Jansen, P. Mell, & D. Marks, Applying Mobile Agents to Intrusion Detection and Response, Interim Report(IR) 6416, NIST, October, 1999. Jansen states that communication does not have to strictly adhere to the hierarchy, and to improve communication, a node may directly communicate a critical event to a root node. 249 W. Jansen, P. Mell, & D. Marks, Applying Mobile Agents to Intrusion Detection and Response, Interim Report(IR) 6416, NIST, October, 1999
74
- vulnerability to direct attack. Because of the reliance on hierarchical structures, IDSs are susceptible to attack at either the node or the root level.
- vulnerability to deception. A network based IDS evaluates network packets using a generic network protocol stack to model the behaviour of the protocol stack of the hosts that it is protecting. Attackers may take advantage of this discrepancy by sending adapted packets to a host, which are interpreted differently by the IDS and the target host This can be done in various ways such as altering fragmentation, sequence number, and packet flags.
- limited response capability. The focus of an IDS has been on detecting attacks. There may be a time delay between the detection of an attack and the system administrator initiating a response, allowing the attacker an opportunity to freely operate in the interim. Many IDSs are now implementing automated response capabilities to reduce this potential time delay, but they are limited in their flexibility of response.
- inability to function when the traffic is end-to-end encrypted. - many of the intrusion detection methods developed for a fixed wire network are not applicable
to ad hoc networks. Unlike wired networks where an intruder must gain physical access to the network wires or pass through several lines of defence at firewalls and gateways, attacks on a wireless ad hoc network can come from all directions and target any node. A wireless ad hoc network will thus not have a clear line of defence and every node must at first instance be considered vulnerable and be protected. Since mobile nodes are autonomous units which are capable of roaming, attacks by a compromised mobile node are more damaging and much harder to detect. Finally, to the extent that decision-making in ad hoc networks is usually decentralized, relying on the cooperation of all nodes, this vulnerability can be exploited250. Unlike a wired network, where extra protection can be placed on routers and gateways, an intruder who hijacks an ad hoc network could paralyse the entire network by disseminating false routing information.
Ad hoc networks, lacking a fixed infrastructure, are not conducive to real-time traffic analysis. Compared with wired networks where network-based detection and monitoring is usually performed at switches, routers and gateways, an ad hoc network does not have such traffic concentration points for audit data to be collected. At any one time, the only available audit trace will be limited to communications taking place within wireless range. Further, the communication pattern in wireless networks is affected by the restraints of the network – limited bandwidth, higher cost, and battery power constraints. Disconnected operations are normal, and some techniques such as location-dependent computing are designed solely for wireless networks. This suggests that anomaly detection models for wired networks are less effective for ad hoc networks. Further, there may not be a clear demarcation between normality and anomaly in wireless ad hoc networks. A node emitting false routing information could be compromised, or it could be relying on outdated information due to the dynamics of the ad hoc network environment. Zhang and Lee argue that intrusion detection systems in ad hoc networks need to be both distributed and cooperative, with every node participating in intrusion detection and response251. Each node should independently be responsible for detecting intrusion locally, but neighbouring nodes can cooperate. If an anomaly is detected in the local data, or if the evidence is inconclusive and a broader search is required, neighbouring nodes can participate in the intrusion detection252. 250 Though to the extent that a central server is compromised, the whole system could thereby be tainted. 251 Y. Zhang & W. Lee, Intrusion Detection in Wireless Ad-Hoc Networks, in Proceedings of MOBICOM, 2000 252 It should be noted that audit data from neighbouring nodes could be compromised and thus should not be trusted. But the compromised nodes do not have the incentive to send reports of intrusion because it might result in their being detected and thus ‘expelled’ from the network. Thus, unless the majority of the nodes are compromised, in which case one of the non-compromised nodes will hopefully detect the intrusion with sufficient confidence that it does not need the support of neighbouring nodes, the cooperative method should be able to detect intrusion when the evidence at individual nodes is weak.
75
Mobile agents may also be analysed for behaviour anomalies253.Li and Lam found that a majority of mobile agents follow regular movement patterns, and considered two features of mobile agents in their intrusion detection model: the agent’s movement patterns and the variety of the mobile agent’s Host Residence Time [HRT]. Though the research is only at a preliminary stage, and recently reported, it may prove fruitful. Intrusion Detection and Mobile Agents Mobile agents offer a number of potential advantages when used in intrusion detection systems including the following254: - reducing network load. Instead of transmitting large amounts of data, such as the audit logs, to
the data processing host, it may be simpler to move the processing agent to the data. - overcoming network latency. When agents operate directly on the host where the suspected
intrusion has occurred, the response can be faster than a hierarchical intrusion detection system that has to communicate with a central coordinator located elsewhere.
- greater resistance. An intrusion detection system with a single CPU has to deal with the weaknesses of a single point of failure, as well as potential performance and scalability problems.
- autonomous and asynchronous execution. When a portion of the intrusion detection system is partitioned for whatever reason, it is essential that the other components remain functional. Mobile agents are, by definition, autonomous of their originating hosts. The fault tolerance of the system is thereby increased.
- platform independence. The agents can perform in heterogeneous environments, allowing data to be shared across different intrusion detection systems, resulting in a potential common knowledge base. This independence is beneficial both for intrusion detection and response, in that remedies can be initiated or applied from nearly any place in the network.
- dynamic adaptation. The mobility of agents can be used to configure the system at run-time using special agents relocate to the point of attack to collect data.
- static adaptation. The attack signature database and the detection algorithms must be current. Instead of upgrading and restarting all sensors when new signatures are available and known, it is easier for updated agents to transmit the changes while the intrusion detection system remains in operation.
- scalability. When a central processing unit is replaced by mobile agents, the load is balanced between different machines and different agents, and the network load is reduced.
- ability to detect multi-point attacks. Agents can work cooperatively to collect and analyse a multi-point attack.
Jansen believes that the greatest potential for mobile agents is with respect to the response to an intrusion rather than its detection255. Because responses can be initiated from nearly anywhere in the network, mobile agents can deal with attacks faster than conventional IDSs at the target host. Responding at the attacker’s host allows an IDS much greater power to resist, and minimises the damage caused by the intrusion. Without using mobile agents, it is unlikely that an IDS would have sufficient access to the targeted host to defend against the attack.
253 Tie-Yan Li & Kwok-Yan Lam, Detecting Anonymous Agents in Mobile Agent Systems, AAMAS July,2002 ACM 254 W. Jansen, P. Mell, & D. Marks, Applying Mobile Agents to Intrusion Detection and Response, Interim Report(IR) 6416, NIST, October, 1999; David Chess, Benjamim Grosof, Colin Harrison, Devid Levine, Colin Parris, Gene Tsudik, Itinerant Agents for Mobile Computing, IEEE Personal Communications, 2(5), pp 34-49, October, 1995. 255 ibid.
76
On the other hand, mobile agents have a number of potential limitations in their utulisation in intrusion detection systems256: - security. As discussed above, the introduction of mobile agents introduces incremental
security risks, both at the agent code and host levels. - code size. An intrusion detection system is complex and large. Transferring the agent’s code
over the network may result in a material latency, but it is only needed once, after which the host will store it locally, and be aware of any malicious activity.
- performance. Agents are often written in script or interpreted languages to be easily ported between different platforms. This mode of execution is slow compared to native code. Performance could thus be degraded.
Though the theory is well developed, to date there have been few attempts made to implement intrusion detection systems using mobile agents257. Some of the related work includes the NIST with Mobile Agent Security 258,Universite Claude Bernard Lyon with a mobile agent framework known as ANT ( Artificial Network Termite Colony)259, the Intrusion Detection Agent system developed at the Information-Technology Promotion Agency in Japan260, and the Autonomous Agents for Intrusion Detection effort at Purdue University261. Response is compounded by jurisdictional difficulties which will be discussed hereunder.
Part I Conclusion No current technology, whether used in isolation or in collaboration with other measures, fully addresses the problems of insecure computing systems for the following reasons: - the rapidity and complexity of change in computer technology has increased the number of
system vulnerabilities. Not only are individual components increasingly complex, but the exponential growth in their interconnection increases the complexity of the entire infrastructure. Today’s users have a growing number of points of weakness from which an attack can be launched. An increase in network size implies more users, thus increasing the risk of attack. If unauthorised access is achieved, more information from more users is now available to be compromised.
- the increasing penetration of omnipresent and ubiquitous computing has resulted in exponentially increased rewards for unauthorised access, be they political [ terrorist etc.], mischievous or pecuniary. The result is an increased demand for skilful hackers262. One of the consequences has been that the hacking community itself has become more organised, and individuals are sharing increasingly their latest skills and tools with others on the Web.
256 Chrisotpher Krugel, & Thomas Toth, Applying Mobile Agent Technology to Intrusion Detection, http://www.elet.polimi.it/Users/DEI/Sections/CompEng/GianPietro.Picco/ICSE01mobility/papers/krugel.pdf 257 ibid. 258 Peter Mell, Donald Marks, & Mark McLarnon, A Denial of Service Resistant Intrusion Detection Architecture, Computer Networks Journal, October 2000 259 Serge Fenet & Salima Hassas, A Distributed Intrusion Detection and Response System Based on Mobile Autonomous Agents Using Social Insects Communication Paradigm, First International Workshop on Security of Mobile Management Systems, Autonomous Agents Conference, May 2001 260 Midori Asaka, Shunji Okazawa, Atsushi Taguchi, & Shigeki Goto, A Method of Tracing Intruders by Use of Mobile Agents, INET Conference, June 1999. 261 Jai Balasubramaniyan, Jose Omar Garcia-Fernandez, David Isacoff, E.H. Spafford, and Diego Zamboni, An Architecture for Intrusion Detection using Autonomous Agents, Department of Computer Science, Purdue University, Coast TR 98-05, 1998 262 In the 1980s, hackers had to be highly skilled computer experts. By the mid to late 1990s, virtually anyone could attack a network. ‘Script kiddies’ could use ‘war dialers’, intrusion scripts and other prefabricated hacking tools.
77
- often computer security is no more than an afterthought shoehorned into a pre-existing design. This relative neglect may be the result of a requirement to utilise legacy systems which in the past may have operated within secure intranets, but today are exposed to the Internet.
- security training of employees of corporate or government entities is woefully inadequate or non-existent. The author, who has worked in the financial industry for over twenty years, has rarely heard mention of the concept of computer security training of investment bank employees.
- generally, computer professionals do not adequately understand the totality of the business of the corporate or government entity. The business operators and decision makers, at the managerial and Board of Directors level, in turn do not adequately appreciate the ramifications of computer security flaws. The result is often an inadequate ability to prioritise activities relating to computer security263.
- since computing platforms have become omnipresent, the task of system administration has become more decentralised. Security is often neglected because of lack of time resources or skill. Often, end users, with little knowledge of security ramifications, install software on their own systems leaving security holes that are vulnerable.
- the system cannot be protected from every conceivable attack, including those that have not been even considered at the current time. The trend in a number of organisations has been to make their systems more open. Many believe that their systems should be accessible both to their on-site and off-site employees and to certain customers. This can only result in an increase in network vulnerabilities. The supposed panacea, firewalls, often do little more than offer false comfort. Many firewalls are vulnerable and provide little protection against malicious code camouflaged in a Trojan Horse. Further, firewalls provide no protection against malicious insiders264. Firewalls often only provide protection from the ‘casual attacker’.
- the popularity of push technology which involves the passive acceptance of data, as opposed to the pull model, results in a lesser degree of certainty as to the safety of the downloaded executables.
- the lack of underlying security support from the operating system is fatal to providing overall system security.
- the inherhent limitation of using passwords. Because users need to remember multiple passwords, and because of the abovementioned dearth of computer security training, a password is often chosen which can be easily guessed by the hacker. This is compounded by some of the architectural limitations imposed by Windows NT on password selection, and by the fact that UNIX maintains its encrypted password file such that it is readable, in its encrypted form, by all users.
- the increasing use of commercial off-the-shelf [ COTS] software and hardware increases the system’s vulnerabilities because the discovery of a security flaw can result in the compromise of numerous unrelated systems with similar COTS software and hardware. COTS software is often sold as a ‘black box’ with no ability for the software purchaser to examine and validate the source code. The popularity of COTS also compounds the problem of post-deployment configuation management.
263 The author believes that the same problem is reflected in the widely publicised current failure of Compliance Officers in the financial industry. Most compliance officers are lawyers who understand legal compliance but do not understand the underlying business which is supposed to comply with the pertinent laws and regulations. The result is that compliance officers generally focus on the technical aspects of the business rather than seeking to understand the structural and systemic flaws of the underlying business model. 264 An insider has a relationship with the user and usually has some form of trusted authorised access to the computing resources.
78
- the tendency for ‘execution bloat’ in placing non-essentail code in the OS kernel increases the security risks to OSs. This may be deliberate on the part of Microsoft, but it clearly has an adverse effect on both reliability and security.
- OSs were designed on the basis that their environment in terms of computer speed, memory, network bandwidth etc. is relatively stable. Often applications implement security decisions on the basis of the environment when the application has first been installed. With mobile computing, wireless networks and mobile code, this assumption is no longer necessarily valid, resulting in often incorrect assumptions underlying the implementation of the security system.
- the reticence/laziness of some administrators to often promptly download and install software ‘patches’ for fixing security breaches allows hackers to exploit publicised vulnerabilities on a system which has not been upgraded.
- the requirement of introducing new products in an expeditious and not fully tested environment on the market will not abate, and results in flawed software penetrating the networks. Often, the security weaknesses are not discovered until after the product has been installed and is in use. Likewise, technological advances and the pervasive drive to greater efficiency has led many organisations to purchase, install and integrate these new products into their systems with little thought to security. Buggy software has been a perennial problem, which is unlikely to be resolved anytime in the future. Systems, increasingly the amalgamation of COTS elements and mobile code, much of which is often ‘black boxed’ will continue to be field tested because of time and monetary constraints. The problem is compounded by post deployment configuration management.
- the inadequacies of intrusion detection systems when combined with the exponentially increasing complexity of systems results in an overwhelming volume of information which the intrusion detection system is increasingly less able to monitor. Current commercially available intrusion detection systems suffer from a lack of efficiency, large number of false positives, expensive deployment and maintenance, vulnerability of deception, limited response capabilities, and limited applicability to ad hoc networks. Few intrusion detection systems are able to formulate an appropriate real-time response to perceived attacks, thus reducing many of them to mere burglar alarms.
- though not addressed here, the majority of unauthorised access is perpetrated by insiders. “A system that is secure when the operators are trusted and the computers are completely under the control of the company using the system may not be secure when the operators are temps hired at just over the minimum wage and the computers are untrusted.265” Insiders, including system administrators, can also unwittingly compromise the system.
- the lack of resources for a mobile computing environment augments the security issues. For example, as a result of limited power consumption, some of the security features of fixed systems, such as sandboxing, memory protection, some advanced forms of access control, protection kernel rings etc. are not implemented for portable devices.
- the inherent decentralized decision making in ad hoc networks relies on the ‘distribution of trust’ of participating nodes. Certain authorization and access control tasks need to function off-line in ad hoc networks, based on potentially stale information. Threshold cryptography, an example of this distribution of trust, requires a number of not easily verified assumptions including the size of the threshold.
- incremental threats arising from the use of the mobile agent paradigm. The mobile agent can attack its host or other agents with malicious code acquiring access to the host’s confidential data or disrupting the host’s services. Similarly, the host can attack the mobile agent. The fact that a mobile agent can autonomously visit a number of computers complicates security in two ways. First, an agent might perform an action that is harmless to each individual host server, but detrimental to the network as a whole. Second, the agent’s state changes on each server,
265 B. Schneier, Security Pitfalls in Cryptography, at http:// www.counterpane.com/pitfalls.html April 1999
79
and the integrity of this state information needs to be verified. Many of the security aspects of mobile agents have yet to be adequately explored.
The litany of security lacunae above does not imply that the quest for secure systems is futile. As Bellovin266 points out, the inability to achieve complete security requires an adjustment in attitudes and expectations. “ The most important change is to realize and accept that our software will be buggy, will have holes, and will be insecure. Saying this is no different than saying that California will experience earthquakes. We don’t know precisely where or when they will strike, but we know what to do in advance: build quake-resistant structures, plan for disaster relief – and then go about our business”267. A system needs to be able to withstand failure, just as a city needs to be able to withstand crime.
266 Steven M. Bellovin, Computer Security- An End State? Communications of the ACM, vol. 44, no. 3, March 2001, pp. 131-132. 267 ibid at pp. 131.
80
PART 11 THE LEGAL PERSPECTIVE One of the principal uses of mobile technology is for electronic commerce, which by its very nature, is dependent on an agreed to level of security. Since there is no difference between the security requirements for mobile electronic interchange and stationary electronic interchange, the examination of the legal aspects of mobile security may be broadened to electronic commerce security268 with no ill effect. Electronic commerce is fundamentally different from either telephonic or paper-based commerce. First, there is no tangible piece of paper that one can treat as the final expression of the parties’ intent; reliance must be placed upon electronic messages, which are stored in an electronic medium. Second, the electronic message is often generated by a computer and may not provide the typical indicia of trustworthiness. For example, with paper, we can recognise the handwriting, identify the stationery, check the postmark and address, and check for visible changes to the writing. On the telephone, we can recognise the voice and verify the number we are calling. Third, commercial transactions have traditionally required time and, frequently, additional verifiable information for completion. For example, in the sale of goods, the time between the execution of the sales agreement and the ultimate shipment or delivery of goods allows for verification of creditworthiness and of other information such as shipment details. Electronic transactions, on the other hand, are often executed online instantaneously between computers, and the ability to verify the identity of the parties and other information is radically reduced. Indeed, one emerging characteristic of much of electronic commerce, such as the web-based transaction, is the transitory nature of the relationship between the parties. Last, the tangible nature of the transaction, eg: the sale of goods, has allowed for security measures such as the creation and potential enforcement of security interests in the property that was sold. By contrast, the subject matter of electronic commerce is increasingly intangible, reducing the ability to monitor and enforce the obligations of the other party269. The emergence of electronic commerce has raised a host of questions about our existing rules and the legal system. One frequent plea is to remove the barriers to electronic commerce, barriers that are, to a great degree, the vestiges of a commercial law system based on paper. Legal requirements, such as those for a ‘writing,’ a ‘signature,’ and an ‘original’ need to be reconsidered in the context of electronic commerce. Efforts are progressing to respond to these pleas. In the US, the Uniform Commercial Code270 and the Uniform Electronic Transactions Act [“UETA”]271, and on the global forum, the formulation of the United Nations Commission on International Trade Law[“UNICTRAL”] Model Law on Electronic Commerce272 have all considered the unique requirements of electronic commerce.
268 Electronic commerce can be divided between Electronic Data Interchange [EDI] and open electronic commerce transactions. EDI can be differentiated from other forms of electronic messaging because its messages are structured and coded in accord with some agreed to standards. EDI transactions are designed to allow a receiving computer to automatically transfer the data into other application programs, rendering human interface unnecessary. EDI transactions are limited to businesses and require some prior agreement between the parties to establish the standards. EDI transactions often do not pose many of the same problems as less structured electronic commerce transactions – which are called ‘open electronic commerce transactions’. 269 Traditional means of conflict resolution in commercial transactions such as ongoing relationships between the parties, sufficient time to structure the transaction, and collateral arrangements in loans etc. are often absent in electronic transactions. 270 Revisions to Article 2 of the UCC, as well as the proposal to include computer information transactions in a new Article 2B. Also, Article 5 adopts terms such as ‘record’ in place of ‘writing’ and contemplates presentation of non-paper documents. Article 8 eliminates any statute of frauds writing requirement for contracts transferring interests in securities. 271 http://www.law.upenn.edu/bll/ulc/fnact99/1990s/ueta99.htm 272 http://www.uncitral.org/
81
Many legislators want to be seen as at the cutting edge of technology and have introduced legislation at both the state and federal levels. State legislators, in particular, want to be the first to enact ‘electronic commerce’ statutes, thereby attracting businesses into their region and appearing to be global leaders to their constituents. There might be, however, a problematic result: the passage of ‘technology’ legislation that is premature and potentially counterproductive273.
The Debate: A Confluence of Two Streams The advent of electronic communications technologies and electronic commerce has, over the years, given rise to two distinct movements with regard to law reform, each with its own set of adherents. Initially, concerns about electronic commerce focused on existing legal structures and principles. The main concern was the application of existing law to transactions entered into electronically. Attempts were made to identify existing barriers to electronic commerce and to determine the extent to which modification of these and other general transactional rules were required in an electronic environment. Attempts to accommodate electronic commerce focused on the adaptation of the traditional transactional rules. The goal was to ensure that electronic commerce was not discriminated against solely because of the medium in which it occurred. For example, the law has traditionally required ‘writings’ and ‘signatures’ as a prerequisite for the enforcement of many transactions274, and the application of those requirements to electronic commerce has been problematic. The legislative response, at least with the context of commercial law, was twofold: either to eschew the terms ‘writing’ and ‘signature’ in new legislation in favour of terms such as ‘record’ and ‘authentication,’ or to provide affirmatively that existing writing and signature requirements could be met by electronic messages275. By contrast, a second movement started not with a focus on existing law, but rather with a focus on technological solution to providing security to electronic commerce participants. Three issues were identified as ‘security’ risks: 1) authenticity – the problem of identifying the source or sender of a message and authenticating that it did indeed come from that sender; 2) integrity – the problem of proving that the message is complete and has not been altered since it was sent; and 3) non-repudiation – the risk that the sender may repudiate it after receipt. The suggested solution has been an implementation of public key encryption which involves the creation of a ‘public key infrastructure,’ or PKI, under which a third party, known as a certification authority, has the task of verifying the identity of the holder of a key. To encourage use of PKI, supporters began to advance the notion that a new legal structure was necessary to promote and facilitate the development of public key infrastructures. As a result, the proponents, concerned primarily with advancing the technology and its business implementations, are now advancing a legal construct to support and promote their specific implementation models. In 1995, Utah276, followed by Minnesota277 and Washington278, became the first states to enact a digital signature statute setting forth specific rules governing digital signatures and public key infrastructures. The main characteristic of this legislation is its regulatory nature, providing for a 273 “There is the risk, particularly given the lack of any internationally uniform legislative approach, that an inappropriate legislative regime may be adopted without regard to market-oriented solutions.” [ Australian Electronic Commerce Expert Group, Electronic Commerce : Building the Legal Framework http://www.law.gov.au/aghome/advisory/eceg/eceg.html] 274 For example, the Statute of Frauds, which dates back to 1677 [U.K], basically states that no action may be instituted under certain categories of contract unless that contract is written and signed by the party accused. 275 For example, the Uniform Electronic Transactions Act s. 106(c ) states that “If a rule of law requires a record to be in writing… an electronic record satisfies the rule of law.” 276 Utah Code Ann. tit. 46, ch. 3 (1996) 277 Minnesota Electronic Authentications Act, Minn. Stat. Ann. 225 278 Washington Electronic Authentications Act, Wash. Rev. Code Ann. 19
82
licensing scheme for certification authorities. Licensed certificate authorities under the statutes are given significant limitation on their liability to other parties within the public key infrastructure, this being one of the main objectives of the legislation. The certifying authorities’ liability had to be constrained to allow the concept to be commercially viable279. The rights of other participants in the PKI, whilst addressed, were not the focus of the legislation. These laws provided that where a digital signature was accompanied by a valid certificate from a certifying authority license under the statute, the parties were entitled to rely on the digital signature. In effect, these two separate movements, one with its origins in the law, the other with its origins in the technology, represent two philosophies. The first, which began with a concentration on commercial law issues, focused on keeping commercial laws generic and supportive. The goals have been to remove barriers to electronic commerce, treat electronic communications on a par with paper communications, and not to favour one technology over another (technology neutrality) nor one business model over another (implementation neutrality). As between different technologies or implementation schemes, the choice was to be that of the parties. This approach exhibits a degree of confidence in the marketplace to make suitable options available to parties, allowing them to make intelligent choices. No particular technology is specified; rather certain authentication attributes are required for an electronic signature. Though the attributes differ among the individual statutes, the attributes commonly require the electronic signature to be : unique to the person using it, capable of verification, under the control of the person using it, and linked to data in such a manner that if the data is changed, the digital signature is invalidated. The second movement has the philosophy – and the express goal – of supporting and promoting specific technologies, or, more correctly, the PKI model. The theory is that the technology and implementation offer such benefits to the users of the Internet that legislation should recognise those benefits and enshrine them in the law. At the outset, the two movements were relatively separate; those revising the commercial laws and those building PKI infrastructures represented two different constituencies: law revisionists and technology supporters. To a large extent, however, the ‘digital signature’ [ often labelled as ‘mandatory’ or ‘prescriptive’] movement was the more visible of the two. Commercial law does not tend to have inherent appeal to either the public or to legislators. On the other hand, mere mention of certain buzzwords, such as ‘Internet,’ ‘security,’ or ‘technology,’ immediately piques the interest of both the public and the legislature. Among the public, the digital signature movement quickly gained two distinct bodies of followers. The first group, which has been labelled the ‘technology movement’280 believed the digital signature and PKI to be the solution for electronic security, and thus this group’s focus was in the creation of a business and legal infrastructure. The second group, called the ‘law revision movement’281 [ also labelled as ‘minimalist’ or ‘technology neutral’] were less enamoured by PKI, but still believe the current state of the law would impede electronic commerce. The dichotomy between the two groups has waxed and waned, and often the end result has been the same. The divergence between the two movements is being discussed on many simultaneous fronts: within the individual states, at the federal level in Congress, at the uniform law level within the US, at the US national level abroad, and on the international level as well. On the individual state level, state legislatures have acted in a variety of ways to accommodate electronic commerce, but four patterns of statutes have emerged over time, reflecting the influence of the two movements. Initially, Utah was the first state to adopt a full-fledged digital signature statute supporting a public
279 Jane Kaufmann Winn, Open Systems, Free Markets, and Regulation of Internet Commerce, 72 Tul. L. Rev. 1177 at 1241 ( 1998) 280 Amelia H. Boss, The Internet and the Law, Nova L. Rev. 585 at 592 281 ibid
83
key infrastructure, legislation which was based on efforts of the American Bar Association’s Information Security Committee, which published a set of Digital Signature Guidelines282. The Utah approach requires a level of reliability for electronic messages far beyond the traditional concepts of writing. This requirement could have stifled electronic commerce by requiring formalities inconsistent with participant expectations. The Utah statute is so narrow that even a person using software creating a digital signature might fail to satisfy the statute because of its narrow definitions relating to the use of digital signatures283. The Utah statute discourages the development and adoption of other forms of security procedures – it leaves other forms of electronic message security in limbo. By specifying digital signatures as the sole form of security procedure gives rise to evidentiary presumptions as to the source and content of the electronic message. Also, the Utah statute is premised on the assumption that the only presently available and commercially reasonable form of electronic security is digital signatures. But a substantial amount of electronic commerce is engaged between parties who have multiple dealings with each other. In such cases, the parties should be free to adopt their own form of security procedure. If the procedure is commercially reasonable, then their agreement should be encouraged by providing enhanced evidentiary effect to the method of message verification chosen by the parties. The Utah statutes also treats all digital signatures alike, regardless of the level of security afforded by the underlying algorithms. There is no distinction made between various levels of digital signature or between the RSA284 and DSA285 algorithms. The Utah statute implements extensive regulation of certification authorities [‘CA’]. The Utah Department of Commerce can both act as a CA itself and to license other CAs. CAs must satisfy detailed licensing requirements and provide a ‘suitable guaranty’ in the form of a surety bond or Letter of Credit. Typically, the ‘digital signature’ approach to legislation sets out an elaborate legal framework defining the rights and liabilities of the parties to an electronic transaction, including CAs. Critics have argued that this approach overly limits the liability of CAs and imposes excessive liability risk on consumers286. The policy reason for such lenience towards certifying authorities is to insulate CAs from liability where the CA could not be expected to prevent such harm or insure against it287. The approach used by Utah and the Digital Signature Guidelines, however, of setting forth a highly structured, prescriptive, regulatory environment only for digital signatures, has not been widely followed by other states. California, for example, enacted legislation that did not follow the Utah statute in its adhesion to public key cryptography. Rather, it drafted a technology-neutral law288. It provided that an electronic signature, as opposed to a digital signature, would have the same legal effect as a manual signature if it has these attributes: it is unique to the person using it, it is capable of verification, it is under the sole control of the person using it, it is linked to the data in such a manner that, if the data are changed, the electronic signature is invalidated, and it conforms to regulations adopted by the Secretary of State. Later regulations permitted either digital signature using a certification authority or signature dynamics289. The California approach has proven to be more popular in the US than the Utah focus on digital signatures alone290.
282 ABA Committee on Information Security, Digital Security Guidelines (1996) 283 R. J. Robertson, Electronic Commerce on the Internet 49 SCLR 787 at pp 805 284 Rivest-Shamir-Adelman algorithm 285 Digital Signature Algorithm 286 C. Bradford Biddle, Legislating Market Winners: Digital Signature Laws in the Electronic Commerce Marketplace, 34 San Diego L. Rev. 1225, 1233-37 [ 1997] 287 For instance, the legislation usually states that if a private key is lost or stolen due to the user’s failure to exercise reasonable care, the user will bear unlimited liability for consequential loss or damage. 288 Cal. Gov’t Code 16.6. California used the term ‘digital signature’ to encompass more than PKI digital signatures. 289 Signature dynamics is associated with PenOp, a system of manually signing using computer-recorded strokes. <http://www.penop.com> 290 Survey of State Electronic & Digital Signature Legislative Initiatives at http://www.ilpf.org/digsig
84
Proponents of the minimalist California approach argue that the market should determine what technology will succeed. Also, they contend , a minimalist approach encourages the use of more than one type of technology. Different technologies may be preferable for different purposes. But critics contend that the minimalist approach is too vague and creates too much legal uncertainty. They fear that failure to endorse PKI may deny it sufficient support to allow PKI to develop and be accepted. Florida followed a third approach, when, in 1996, it enacted the Electronic Signature Act291. Florida represents the enabling approach, emphasising the elimination of artificial barriers to electronic commerce. Under the Act, the term ‘writing’ is defined to include information created or stored in any electronic medium that is also retrievable. Any such writing containing an electronic signature, defined to include any letters, characters, or symbols, manifested by electronic or similar means, with intent to authenticate a writing, may be used to sign a writing and is given the same force and effect as a written signature. Thus the Florida Act treats electronic messages identically to written messages for purposes of satisfying the ‘writing’ requirement. This enabling approach has become increasingly popular among the states that have considered the question292. It does not require an extensive set of regulations, does not set forth specific technologies and implementations that it sanctions, nor does it set forth ‘criteria’ for judging whether electronic signatures will be given legal effect. A fourth approach developed in Illinois293 as a ‘hybrid approach’ between digital specific statutes and mere enabling statutes: the concept of a hybrid statute that enable the use of electronic signatures by validating their use, but at the same time recognised a category of ‘secure electronic signatures.’ The hybrid model is expressed to be technologically neutral, but provides PKI with the benefit of helpful legal presumptions. Anyone may use an electronic signature in electronic commerce and be assured that legal writing and signature requirements are no obstacle. However, if a signature qualifies as a secure electronic signature by meeting criteria similar to that found in the California statute, rebuttable evidentiary presumptions arise as to the authenticity and integrity of the signature. Proponents of hybrid schemes contend that they are preferable to other models because they are more flexible and adaptable to technological advances, but that they also ensure a level of legal certainty that is necessary to build and maintain sufficient public trust in electronic signatures. But critics of hybrid legislation argue that this approach overprotects certain technologies at the expense of innovation, and amounts to excessive government regulation294. State legislation can also be distinguished based on the limitations imposed on the type of transactions covered. These limitations can be categorised by the type of parties involved and by the type of transactions conducted. Several states authorize the use of electronic signatures only for certain parties295. For example, a number of states authorize the use of electronic signatures only for transactions involving governmental entities, whereas other states authorise the use of electronic signature only for transactions involving a specific private entity, such as a financial institution296. Several states authorize the use of electronic signatures only for a certain category of transactions, such as tax returns297, UCCC filings, or medical records. 291 1996 Fla. Laws ch. 96-224 - codified as Fla. Stat. 282.72 (1996) 292 ILPF Survey, supra 293 205 Ill. Comp. Stat. 705/10 (West 1998) 294 For example, Internet Law & Policy Forum, Survey of International Electronic and Digital Signature Initiatives 1(b)(2) at <http://www.ilpf.org/digsig/survey.htm> 295 For example, the Idaho Electronic Signature and Filing Act, 1998 limits the use of electronic signature to filing and issuing documents by and with state and local authorities. 296 such as the Illinois Financial Institutions Digital Signature Act, 1997, Ill. House Bill 597, which is limited to communication between financial institutions and their customers.. 297 For example, the Alabama Electronic Tax Return Filing Act, Code of Ala. 40-30-5 (1998) is limited to electronic filing of tax returns or other documents with the Department of Revenue.
85
The lack of uniformity among the various state enactments has led to activity on two fronts. Pressure is being placed on Congress to take action, both from the fear that states will delay in responding to the needs of electronic commerce and from the fear that their responses will be non-uniform in character. Thus, the push is on to: 1) develop standards for use of electronic and digital signatures in transactions with the government; 2) develop a federal standard for recognition of electronic and digital signatures; and 3) preempt state law. Several bills have been introduced over the past few years to deal with electronic commerce, although none have yet been enacted. The scope and approach of the proposed legislation has differed drastically. At one end of the spectrum is proposed legislation merely giving effect to ‘electronic signatures’ as a method of signing; this type of legislation would best be characterised as enabling legislation. Other proposed legislation, within the banking context, proposed to validate ‘secure’ electronic techniques of authentication adopted pursuant to agreement or system rules; to the extent this legislation would merely reinforce the ability of the parties to govern their transactions by agreement, it would be consistent with an enabling and validating approach. To the extent that legislation begins to set additional hurdles for electronic commerce, it begins to move from merely enabling and starts to introduce a channelling function – that of telling businesses what technologies they should adopt.
In August of 1999, the National Conference of Commissioners on Uniform State Laws was presented with two pieces of proposed uniform legislation, a new Uniform Electronic Transactions Act298 (“UETA”) and an addition to the Uniform Commercial Code, Article 2B, that deals with computer information transactions. Despite the objective of uniformity and the original mandate to the drafting committees to be consistent, these two products are not uniform in their treatment of security procedures and their use. Indeed, their lack of uniformity exemplifies the tension between those dedicated to removing barriers to electronic commerce and those wishing to support and promote by creating confidence in the systems themselves.
Uniform Electronic Transactions Act In response to the conflicting state electronic signature legislation, the National Conference of Commissioner on Uniform State Laws [“NCCUSL”] drafted and adopted the UETA in July, 1999 for adoption by the states. The UETA is an overlay statute that leaves existing state law in place whilst not denying the enforceability of a record or signature solely because it is in electronic form299. If a state law requires a record to be in writing, the UETA states that an electronic record satisfies the law.. The UETA treats attribution in a very simple, straightforward manner. An electronic message is attributed to a person ‘if the electronic record resulted from the act of the person, or its electronic agent.300’ Once it is found that a message or record is attributable to a person, attribution ‘has the effect provided for by law, regulation, or agreement regarding the security procedure.’ Under this approach, attribution clearly is a factual matter; no preference is given to any particular method of authentication or any particular security procedures, and at the same time, freedom of contract is recognised. Thus, at least within the context of the UETA, the view that there should not be any rule which would provide a specific effect for any security procedure, whether it be an identified security procedure, eg: digital signatures, a security procedure agreed to by the parties, or a security procedure which meets some predefined criteria, has carried the day with regards to attribution.
Article 2B of the Uniform Commercial Code
298 http://ww.law.upenn.edu/bll/ulc/fnact99/1990s/ueta99.html 299 Section 7 300 UETA s. 109(a)
86
The proposed new Article 2B to the Uniform Commercial Code, whose scope is limited to computer information transactions, was intended to forge the rules for electronic contracting that would provide the base for the remaining articles of the Code. Article 2B begins with the traditional rule that the person asserting that a record is that of another person has the burden of proof. Special legal effect is given, however, to the implementation of security procedures, or what Article 2B calls an ‘attribution procedure.’301 If the parties agree to an attribution procedure which is used by the parties, the attribution procedure is commercially reasonable, and the recipient ‘relies on or accepts’ the message, then the recipient has met its burden of attributing the message to the sender. The only way the purported sender may avoid attribution is to prove the message was not caused by: 1) someone entrusted by the sender with the right to act on its behalf; 2) someone who gained access to the transmitting facilities of the sender; or 3) someone who obtained, from a source controlled by the purported sender, information facilitating breach of the attribution procedure. Even if the purported sender is able to overcome this hurdle, it might still be held liable under negligence-type principles. The foundation of Article 2B’s rules is the presence of a ‘commercially reasonable’ attribution procedure. Once the presence of such a procedure is established, then the recipient of the message has carried its burden of establishing that the message originated with the identified sender. The theory is that such a standard makes it easier for recipients of messages to ‘prove’ those messages in court, and as a result, more people will implement commercially reasonable security procedures, and confidence in the systems will increase. Perhaps the most significant difference between the UETA and Article 2B relates to the creation of presumptions when security procedures are employed by parties to an agreement. Although it is true that Article 2B has a narrower scope than the UETA in that it applies only to certain informational contracts while the UETA potentially applies to any contracts entered into online, the reality is that under both, there is a wide range of sophistication in the parties potentially subject to their provisions, and under both, identical arguments may be made about the need to support electronic commerce. On one hand, the philosophy of the UETA is the minimalist approach: as long as the law recognises and enforces electronic transactions, businesses gain some ‘security’ in their commercial dealings. The role of law in technology is enabling, not promotional of certain technologies, nor channelling, encouraging certain procedures. This approach recognises that technological security is not monolithic: there are many technological methods of security, with different strengths and weaknesses, and technology is in a constant stage of development. It is important not to require a similar level of security for every transaction simply because that technology is available, as this would impede e-commerce more than enable it. Often legislators and policy planners lose sight of the fact that hand written signatures were not reliable and can be forged easily. Thus, promoting certain technologies or certain implementations would be counterproductive. This approach also recognises that the law is of limited utility in encouraging certain types of behaviour: people will use security procedures because it is good business, not because the law gives special legal effects if they are used. The marketplace, rather than the legislature, provides the incentives and support. The UETA does not view the law as the sole or even primary source of security; instead, it recognises that the entire technological, legal and social structure contributes to that security.
301 An attribution procedure is defined as a “procedure established by law, regulation, or agreement, or a procedure otherwise adopted by the parties, [ to verify] that an electronic message… is that of a specific person” at 2B-102(a)(3).
87
On the other hand is the view that the law has an important role in providing ‘security’ in electronic commerce; that the law can indeed ‘legislate’ security by providing certain benefits to those who use the available technology. Article 2B represents the position that statutory provisions that recognise those security procedures can encourage use of security procedures. Each approach has its critics. The minimalist approach, limited to the removal of barriers, has been criticised as not giving the user of technology the degree of assurance necessary. Critics emphasise that simply saying electronic message ‘may’ suffice or are equivalent to writings and signatures’ is insufficient; users want to know what will suffice. Consequently, it is asserted that the legislation must lay out the indicia of assurance and certainty necessary for the electronic messages to be deemed reliable. The question, however, is whether the Article 2B approach gives any greater certainty or any greater assurances than the minimalist approach. The factual determination of what constitutes a commercially reasonable standard makes it somewhat subjective. It is questionable whether, as currently articulated, Article 2B contributes to the certainty and predictability in the application of the law. Determining what is ‘commercially reasonable’ in an industry where there is a developed body of commercial practices, where the parties belong to a relatively closed community of players, and where the major participants are either large, sophisticated commercial parties subject to strict regulatory oversight is a different burden than proving what is ‘commercially reasonable’ when such factors are absent. In other words, although benefits are intended to flow from the use of ‘commercially reasonable’ security procedures, the introduction of notions of ‘commercial reasonableness’ is a serious qualification on the legal construct that weakens its usefulness as a guiding beacon for business. The goal of encouraging the use of security procedures is also troublesome, and the risk exists that the statutory scheme may actually operate as a disincentive. A rule placing the risk of loss on the person requiring use of a specified security procedure might indeed discourage people from designating certain procedures. The same question can be raised about the other provisions in Article 2B with regard to attribution; does adopting presumptions that make it easier for one party to prove a transaction in court, while at the same time making it difficult, if not impossible, for the other party to disprove the transaction, result in encouraging or discouraging the use of security procedures? No special proof rules exist, for example, in the context of phone orders of mail orders, yet those businesses thrive. Article 2B’s rule encourages recipients of messages to use ‘commercially reasonable attribution procedures’ by giving them statutory incentives, but it does not provide similar incentives to potential senders of electronic messages. Indeed, the rules may arguably discourage potential senders from adopting certain methods of communication for fear of having liability imposed, in actions with strangers, where the alleged sender did not send the message. If, indeed, part of the problem is that people are concerned about the ‘unknown’ and the potential of unintended liability, rules such as this feed rather than assuage their fears. Additionally, Article 2B takes the view that by providing those benefits, one in turn increases the confidence of those doing business electronically because they can now reasonably rely on receipt of electronic messages from strangers. This view of security and its relationship to the law assumes that the value and security added to electronic commerce in this manner is both appropriate and acceptable. As noted above, however, that security may be illusory. First, to the extent that potential users of the technology are discouraged from its use because of fear of potential liability, their confidence in the system is decreased. More importantly, however, whatever confidence flows from the use of security procedures in electronic commerce arguably comes not from the knowledge that the law gives the users benefits but from the knowledge that the technological implementations themselves are trustworthy.
88
The Electronic Signatures in Global and National Commerce Act302 [“E-Sign Act”] On the international front, a similar pattern is beginning to emerge, although developments internationally are lagging somewhat behind those in the US. Following the lead of Utah, and inspired in part by the Digital Signature Guidelines, several countries, including Germany303, Italy304, Malaysia305 and Argentina306, have enacted legislation relating to electronic authentication and adopting to some degree the approach engineered by Utah. Several other nations, however, have refused to legislate detailed standards for the use of different authentication techniques or one particular technique, urging instead for the minimalist approach. In March 1998, the Australian Electronic Commerce Expert Group issued its report on the laws of electronic commerce, in which it concluded: “It is our view that the enactment of legislation which creates a detailed legislative regime for electronic signatures needs to be considered with caution. There is the risk, particularly given the lack of any internationally uniform legislative approach, that an inappropriate legislative regime may be adopted without regard to market-oriented solutions. Given the pace of technological development and change in this area, it is more appropriate for the market to determine issues other than legal effect, such as the levels of security and reliability required for electronic signatures. Accordingly, we have recommended that legislation should deal simply with the legal effect of electronic signatures. While a number of articles in the Model Law deal with electronic signature issues that go beyond legal effect, it is our view that these issues should be left to the existing law in Australia. Whether the existing Australian law deals with these issues adequately or not, the same situation should apply to both paper based commerce and electronic commerce. At this stage we are not persuaded of the need to give a legislative advantage to electronic commerce not available to traditional means of communication. If a clear need to deal with these issues appears in the future the recommended legislation can be amended”307. Australia308 and the UK309 have adopted such minimalist legislation. No special presumptions are provided to PKI, or any other particular technology. No special rights or duties for parties to electronic signatures creation or verification are prescribed in minimalist legislation. By contrast, Singapore310 has adopted an approach loosely based on the Illinois hybrid approach, drawing a distinction between electronic signatures on the one hand, which it enables, and secure electronic records and signatures on the other, including digital signatures. Similarly taking a hybrid approach is the recently released EU Directive on Digital Signatures311 and several drafts considered by the United Nations Commission on International Trade Law312. The EU Directive came into force in early 2000, and was implemented by EU Member States by July 2001. The hybrid approach is founded on a policy of limited technological neutrality, typically providing, as does the EU Directive, that an electronic signature may not be denied legal effectiveness or
302 15 USC 7001 - 7006 303 German Digital Signature Law [Aug. 1, 1997] at <http://www.kuner.com/data/sig/digsig4.htm> 304 Italian Law N. 59, Art 15, c. 2 [Mar. 15, 1997] 305 Malaysia Digital Signature Act, Law No. 59 of 15 Mar. 1997 306 Argentina has adopted digital signature legislation by Presidential Decree No. 427/ 98 307 Australian Electronic Commerce Expert Group, Electronic Commerce: Building the Legal Framework, Executive Summary <http://www.law.gov.au/aghome/advisory/eceg/summary.html> 308 Electronic Transaction Act, 1999 309 Electronic Communications Act, 2000 310 Singapore Electronic Transaction Act [ June 29, 1998] 311 European Commission, Proposal for a European Parliament and Council Directive on a Common Framework for Electronic Signatures [ May 13, 1998] at <http://www.ispo.cec.be/eif/policy/com 9829.html> 312 Preparatory Documents for the UNICTRAL Working Group on Electronic Commerce at <http://www.un.or.at/unictral>
89
admissibility solely because it is electronic313. However, certain technologies are afforded special presumptions, such as a presumption of authenticity if the electronic signature is verified by a qualified certificate meeting certain requirements. Although the electronic signatures are not required to be associated with a certain technology, the only existing technology that appears to meet the requirements laid down by hybrid legislation like the EU Signatures Directive is PKI. Hybrid legislation typically addresses the rights of the various parties in an electronic transaction. For example, the EU Signatures Directive requires Member States to ensure, at a minimum, that CAs are liable in damages for harm caused to someone reasonably relying on a qualified certificate for the accuracy of the information contained in the certificate. However, CAs are permitted to limit their liability by specifying limitations on the use of a qualified certificate314, or the value of a transaction in which it may be used315. The lack of uniformity of approach is not conducive to establishing a platform for global electronic commerce. The lack of consensus has been described as “ a veritable Tower of Babel”316. The E-Sign Act took effect in October, 2000 and adopts the minimalist approach. The E-Sign Act preempts any state law that invalidates signatures, contracts or records relating to interstate or foreign commerce solely because it is in electronic form rather than being on paper317. All other substantive requirements of state contract law remain318. The E-Sign Act applies to any transaction in or affecting interstate or foreign commerce. It does not apply to a number of types of contracts, agreements, orders, notices and records that are the purview of other state and federal statutes. For example, it generally does not apply to contracts governed by the UCC. The E-Sign Act gives full effect to documents required to be “notarised, acknowledged, verified, or made under oath” if the “electronic signature of the person authorized to perform those acts… is attached to or logically associated with” the document319. The E-Sign Act defines ‘electronic signature’ as “an electronic sound, symbol or process attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record”320. The Act is technology neutral, not specifying any particular technology. Any form of an electronic signature, such as biometrics or a personal identification number, can be used and have legal effect. Since E-Sign does not mandate any specific type of electronic signature, security concerns may arise form the lack of technical uniformity among electronic signatures. The E-Sign Act is based on an ‘opt-in’ policy, which allows electronic signatures if the participants affirmatively consent to the use of electronic records or signatures. The Act, by the definition of ‘consumer’321, applies only to business-to-consumer transactions, not business-to-business transactions.
313 European Parliament & Council Directive 1999/93, 2000 O.J. (L 13) 12, at <http://www.fs.dk/uk/acts/eu/esign-uk.htm> 314 ibid, Article 6 315 ibid 316 B. P. Aalberts & S. van der Hof, Digital Signature Blindness: Analysis of Legislative Approaches Toward Electronic Authentication, The EDI Law Review 1- 55 [ 2000] 317 ibid, s. 7001(a) 318 ibid, s. 7006(13) 319 ibid, s. 7001(g) 320 ibid, s. 7006(5) 321 ibid, s. 7006 defines ‘consumer’ as “ an individual who obtains, through a transaction, products or services that are used primarily for personal, family or household purposes”.
90
The E-Sign Act does not directly address security and privacy concerns. If privacy and security were the primary concerns of the legislators, mandating digital signatures may have been more effective. But the E-Sign Act should achieve its objective of stimulating the development of e-commerce through the following three components: uniformity, technologically neutral allowing flexibility, and predictability. Though the UETA was drafted with the goal of uniformity among the states, the UETA is in the nature of a legislative proposal and needs to be enacted by the individual states. Uniformity cannot be achieved unless all 50 state legislatures adopt the UETA with no modifications. At the time of this project, only twenty-five states have adopted versions of the UETA, and some states have introduced non-uniform provisions322. Unlike the current state electronic legislation, the E-Sign Act will remove the barriers between the states that are caused by potentially conflicting legislation, because it explicitly preempts all state e-commerce laws that are inconsistent with its provisions323. However, as in the area of privacy law, the E.U. has taken a different approach to the US, albeit there are a plethora of approaches followed in the US alone324.
Jurisdiction Selection One of the issues underlying Internet law is an effective standard for determining when it is appropriate to assert jurisdiction in cases involving Internet-based contracts. The issue is exacerbated by changing technology and an environment where cross-border disputes are the norm. Since web sites are universally accessible, the prospect that a web site owner might be subject to some remote jurisdiction must be considered as a business risk, but these concerns extend beyond commercial risks. Public interest information-based websites on controversial topics may face the risk of prosecution in far-away jurisdictions despite their legality in their home jurisdiction325. Internet jurisdiction issues can be examined from three facets- the application layer, the substantive layer, and the enforcement layer326. The application facet determines whether the particular jurisdiction is entitled to apply its laws to a particular dispute. The substantive layer compares the divergent perspectives of different jurisdictions to the particular issue, such as freedom of speech. The enforcement layer determines the efficacy of a court order to be enforced. The first issue is when it is appropriate to assert jurisdiction over Internet based activities. In many jurisdictions, the test is whether asserting jurisdiction is reasonable in the circumstances, with U.S. courts relying on a standard of ‘reasonableness’, couched in terms of ‘minimum contacts’327. The threshold is whether the parties themselves think it reasonable that the jurisdiction should be asserted. A contact is sufficient to satisfy the ‘minimum contacts’ standard where they are ‘substantial’ or ‘continuous and systematic’ such that the defendant ‘purposefully avail[ed] itself of the privilege of conducting activities within the forum Sate, thus invoking the benefits and
322 California, for example, which was the first state to enact the UETA, made material amendments. California made an agreement to electronically transact inadequate to trigger the rules of the UETA if the agreement was contained in a standard form written contract whose primary purpose did not concern electronic transactions.- California Uniform Electronics Transactions Act, 1999 Cal. Senate Bill 820 (1999) 323 E-Sign Act, s. 7002(a) 324 It is also worthwhile to note, albeit in the footnotes, that much of the world is uninvolved in electronic transaction legislation. To my knowledge, no African country has yet enacted electronic signature legislation. In the Middle East, only Israel has electronic signature legislation. This digital divide must be addressed, or other socio-political problems will ensue. 325 For example, UEJF et LICRA v. Yahoo! Inc. et Yahoo France, T.G.I. Paris, May, 2000. 326 Michael Geist, Is There a There There? Toward Greater Certainty for Internet Jurisdiction, 16 Berkeley Tech Law Journal 1345 (2001) at 1368 327 International Shoe Co. v. Washington, 326 U.S. 310 at 316 ( 1945). The minimum contact standard was to protect defendants from vexatious litigants and ensure that states did not overextend beyond their jurisdictional limits.
91
protection of its laws”328. A defendant ‘purposefully avails’ himself of jurisdiction when ‘the contacts proximately result from actions by the defendant himself that create a ‘substantial connection’ with the forum State”329. But the test was not developed with the Internet in mind. The ‘borderless Internet’ impedes the certainty of jurisdictional issues, with some commentators advocating a separate cyberspace jurisdiction330. As in the Yahoo case discussed below the court may assert jurisdiction, even in the absence of evidence that there was any intent to direct the particular jurisdiction, if the perceived local harm is too great to ignore331. Whilst such a paternalistic approach is of little concern when it involves activities where global laws are relatively uniform, such as securities fraud, it is more contentious when applied to issues such as free speech which vary considerably between jurisdictions. Some countries view consumer protection as more important than the promotion of e-commerce growth and thus adopt a policy of aggressively asserting jurisdiction to protect local consumers. The test recently used has been referred to as the Zippo332 test, also referred to as the ‘passive versus active’ test. Prior to the Zippo case, there was precedent that jurisdictional determination depended on mere Internet use – the level of Internet activity test was a reflection by the courts that the Internet does offer a different complexion on jurisdictional analysis. In this test, courts gauge the relative interactivity of a website to determine whether assertion of a jurisdiction is appropriate. At one extreme lie passive websites – minimally interactive information-based websites. At the other extreme lie ‘active’ websites, which feature interactivity and end-user contacts. The Zippo test suggests that courts should refrain from asserting jurisdiction over ‘passive’ websites, while asserting jurisdiction over ‘active’ websites. This test, however, does not provide any measure of certainty to the parties, as can be seen in the analysis of two recent cases – the Yahoo.com France333 case and iCraveTV 334case. In the Yahoo.com France case, a French judge ordered Yahoo to implement access control measures blocking auctions featuring Nazi memorabilia from French residents. Yahoo! maintained that the French court lacked jurisdiction over the matter. Yahoo! noted that it maintained multiple company-specific websites, including one customized for France, that were free of Nazi-related content. These country-specific websites target the local population in their local language, and comply with local laws and regulations. Yahoo’s flagship site, targeting basically an American audience, did sell Nazi memorabilia, which actions was protected by U.S. free speech laws. Moreover, the Yahoo.com site featured a terms of use agreement, which stipulated that the site was governed by United States law. Since the Yahoo.com site was not intended for a French audience, and users implicitly agreed that the site was subject to U.S. law, Yahoo believed that the French court lacked jurisdiction. But the County Court of Paris disagreed, ruling that it had jurisdiction since the site was accessible to French residents and was unlawful under French law. Before issuing the final order, Judge Jean-Jacques Gomez, the presiding judge, determined that there was available technology to screen French residents, which, though imperfect, was accurate at least seventy percent of the time. Based on this report, Yahoo! was ordered to ensure that French residents could not access content that violated French law on the site. Yahoo! contested the decision in a U.S. court which found that the French judgement was unenforceable in the United States335.
328 Hanson v. Denckla, 357 U.S. 235 at 253 ( 1958) 329 Burger King v. Rudzewicz, 471 U.S. 462 at 475 (1985) 330 David R. Johnson & David G. Post, Law and Borders: The Rise of Law in Cyberspace, 48 Stan. L. Rev. 1367 (1996) 331 Yahoo! Inc. v. LICRA, C-00-21275 JF, 2001 US Dist. LEXIS 18278 (N.D. Cal. Nov. 7, 2001) 332 Zippo Mfg. Co. v. Zippo Dot Com, Inc, 952 F. Supp. 1119, 1122- 23 (W.D. Pa. 1997) 333 UEJF et LICRA v. Yahoo! Inc. et Yahoo France, T.G.I. Paris, May, 2000. 334 Twentieth Century Fox Film Corp. v. iCraveTV, No. 00-121, 2000 U.S. Dist. LEXIS 1013 (W.D. Pa. Jan. 28, 2000) 335 Yahoo! Inc. v. LICRA, C-00-21275 JF, 2001 US Dist. LEXIS 18278 (N.D. Cal. Nov. 7, 2001)
92
Despite the widespread acceptance of the Zippo doctrine over the years336, limitations of the test began to appear in 1999. By 2001, many courts were no longer applying the strict Zippo standard, and were introducing various levels of modification. The U.S. courts moved to a broader effects-based approach when deciding whether or not to assert jurisdiction in the Internet context. Rather than examining the specific characteristics of a website and its potential impact, courts focused on the effects that the website had in the particular jurisdiction. The effects doctrine holds that jurisdiction over a defendant is proper when: a) the defendant’s intentional tortious actions b) expressly aimed at the forum state c) cause harm to the plaintiff in the forum state, which the defendant knows is likely to be suffered337. In Calder, a California entertainer sued a Florida publisher for libel in a California district court. In ruling that personal jurisdiction was properly asserted, the Court focused on the Jones’ actions. Reasoning that the plaintiff lived and worked in California, and suffered injury to her professional reputation there, the Court concluded that the defendant had intentionally targeted a California resident and thus is was proper to sue the publisher in that state. The Calder test has been also applied, inter alia, in Blakey v. Continental Airlines, Inc338 and Nissan Motor Co. Ltd. v. Nissan Computer Corp.339. The shift away from the Zippo test was a result of a number of factors: - the Zippo test does not work well in every instance. The Zippo test does not distinguish, for
instance, between actual and potential sales within a jurisdiction as conclusive of whether the website is active or passive.
- the Zippo test discourages interactive website and thereby discourages e-commerce. An active website, under the Zippo test, exposes the entities responsible for that website to local jurisdictional risks.
- the Zippo test was purportedly initially popular because it provided legal certainty for Internet jurisdictional issues. But the majority of websites are neither entirely passive nor entirely active – rather they fall into a ‘middle zone’ that requires courts to measure all the relevant evidence340. Distinguishing between active and passive sites is further complicated by technological advances such as the prevalence of cookies. Sites that may seem to be passive are often using cookies or other data collection methods unbeknownst to the individual user. Given the value of personal data, this data collection could be characterised as active.
- standards for what constitutes an active or passive site are constantly evolving341. When the Zippo test was first promulgated in 1997, an active website was often little more than an email link and some basic functionality. Now, those sites would be viewed as ’passive’, since the level of interactive possibilities has increased exponentially. If the Zippo test evolves with the changing technological environment, it fails to provide the requisite level of legal certainty. But, if the test remains static to provide increased legal certainty, it risks becoming irrelevant, if, as has been seen, the majority of sites would now be classified as active.
One modification has been the so-called targeting approach – that the specific forum state must be targeted by the website to attract its jurisdiction. A website that permits no more than basic enquiries and that does not differentiate by targeting a particular location should not yield personal
336 For example, Am. Eyewear, Inc. v. Pepper’s Sunglasses and Accessories, Inc. 106 F. Supp. 2d 895 (N.D. Tex. 2000), Am. Online, Inc. v. Huang, 106 F. Supp. 2d 848 (E.D. Va. 2000), Citigroup v. City Holding Co., 97 F. Supp. 2d 549 ( S.D.N.Y 2000) et al 337 Calder v. Jones 465 U.S. 783 (1984) at 789 338 751 A. 2d 539 (N.J. 2000) 339 89 F. Supp. 2d 1154 (C.D. Cal 2000) 340 Michael Geist, Is There a There There? Toward Greater Certainty for Internet Jurisdiction, 16 Berkeley Tech Law Journal 1345 (2001) 341 ibid
93
jurisdiction342. Targeting-based analysis also seems to be popular amongst international organisations developing minimum global legal standards for e-commerce343. But the challenge, as noted by the American Bar Association344, is in identifying the criteria to be used in assessing whether a website has targeted a specific jurisdiction. The criteria must be both technologically neutral345 and content neutral. The criteria should be determinable and the result foreseeable. There are three factors in determining foreseeability – contracts, technology and actual or implied knowledge. The existence of a jurisdictional determination by contract is not necessarily determinative of whether a particular jurisdiction should be asserted, especially in relation to consumer contracts. In this regard, the nature of the method used to obtain consent- whether a passive or active opt-in or opt-out- will be considered. The U.S. has upheld the enforceability of an online contract, often referred to as a clickwrap agreement346. These agreements usually involve clicking an “I agree’ icon to indicate consent. But many jurisdictional determination clauses are not found in a clickwrap agreement, but are contained in the terms of use agreement on the website, where no positive consent is obtained. The user is unlikely to have read this agreement which has been called a browsewrap agreement, and U.S. courts have not necessarily enforced them347. The second targeting criterion is technology. There has been a presumption that the Internet is ‘borderless’ and insensitive to geographic distinctions. But providers of Internet content have increasingly become aware and concerned about the physical location of the user348. A number of companies have responded to this demand by targeting websites to particular geographic constituencies. Businesses want either to target their messages to consumers in a specific location or to engage in ‘jurisdictional avoidance349’. Regulators, on the other hand, are desirous of engaging in jurisdictional identification so that they can identify when their laws need to be enforced. There are three geographic identification techniques: - user identification, usually based on IP address identification. For example, to comply with
US regulation prohibiting the export of strong cryptographic tools, Microsoft used IP lookups which determine user locations by cross-checking their IP addresses against databases that list ISP locations. Although not perfectly accurate, the process sufficed the regulatory requirements. Recently, several companies have advertised that their geo-identification techniques using Trace Route and DNS Reverse Lookup algorithms, have become more accurate350.
- self-identification, usually through attribution certificates. This technique is differentiated from the user identification method in that the user’s consent and participation is required. It is expected that in the medium term, certifying authorities are likely to certify attributes other than identity, including location351. An authorizing certificate might indicate the domicile of
342 Bancroft & Masters, Inc. v. Augusta National, Inc. 223 F. 3d 1082 (9th Cir. 2000), American Information Corp. v. American Infometrics, Inc. 139 F. Supp 2d 696 (D. Md. 2001) 343 OECD, Recommendation of the OECD Council Concerning Guidelines for Consumer Protection in the Context of Electronic Commerce at http://www.oecd.org/dsti/sti/it/consumer/prod/CPGuidelines_final.pdf 344 ABA, Achieving Legal and Business Order in Cyberspace: A Report on Global Jurisdiction Issues Created by the Internet, referred to by Michael Geist, Is There a There There? Toward Greater Certainty for Internet Jurisdiction, 16 Berkeley Tech Law Journal 1345 (2001) 345 Technological neutrality allows the criteria to remain relevant when new technologies emerge. For instance, emerging technology allows a website to be automatically converted into a local language , but this may not necessarily indicated that the local jurisdiction has been targeted. 346 For example, Rudder v. Microsoft 2 C.P.R. (4th) at 2 347 Ticketmaster v. Tickets.com No. CV 99-7654 HLH, 2000 WL 525390 (C.D. Cal. Mar. 27, 2000) 348 Bob Tedeschi, E-commerce: Borders Returning to the Internet, New York Times, April 2, 2001 349 ibid 350 http://www.infosplit.com 351 A. Michael Froomkin, The Essential Role of Trusted Third Parties in Electronic Commerce, 75 Or. L. Rev. 49 at 62 (1996)
94
the user, the user’s age, whether he is a member of a particular organisation etc. The danger with self-identification is that if they become popular, they may cease to become voluntary since businesses may require the supply of such data as a prerequisite of service.
- offline identification – offline identification combines an online presence with certain offline knowledge to form a geographic profile of the user. An example of offline identification is credit card data. Since credit cards continue to be the primary payment mechanism for most online transactions, the user in verifying his identity, is often asked to supply his address, which is then cross-checked with the address on file to confirm a match prior to authorization of the charge. This method does not address the jurisdictional issues since the card holder could be anywhere when conducting the transaction.
Notwithstanding the advantages of a targeting test, there are some potential drawbacks. First, the test accelerates the creation of a bordered Internet. Although a bordered Internet has some advantages, it is subject to abuse because states can thereby limit foreign influences and suppress free speech locally. Second, the targeting test has the clear potential of violating the privacy rights of the users. Third, the targeting test might result in less consumer choice since many businesses may stop selling to users in certain jurisdictions where the benefits may not be worth the potential risks. Some commentators have opined that the enforcement layer is the greatest challenge in the online environment352. Swire353 introduces the concept of ‘elephants’ and ‘mice’ in understanding when legal regulation of the Internet is effective. Elephants are large organizations that have major operations in a given jurisdiction, and are subject to the local country’s rules. Because they have a reputation and assets to maintain, a judgement is enforceable against elephants. By contrast, mice are small and mobile actors, such as pornography sites or copyright violators, that can re-open immediately after an infringement being identified, and are not burdened by reputation or asset preservation issues. The enforcement issues tend to involve business risk analysis, as well as legal risk analysis – because the ability to enforce a legal decision is dependent on whether the party has local assets or is willing to ignore an outstanding court order, no matter where it is located. Traditional legal enforcement is more difficult with mice than with elephants, and the legal enforcement is thus enforced against entities other than the mice themselves, such as ISPs, the financial intermediaries that facilitate the mice operations etc. One of the crucial changes wrought by the Internet is the appearance of many more mice at the expense of elephants. Individuals engage in international transactions on the Internet themselves rather than through import-export companies or other intermediaries. The greatest growth in e-commerce eventually will not be B2B but B2C354. Many commentators have ignored the issue of cost. Litigating in a foreign jurisdiction can be prohibitively expensive, especially when B2C commerce involves primarily small value transaction. Private regulation and arbitration such as a Uniform Dispute Resolution Procedure in relation to domain names, as approved by the Internet Corporation for Assigned Names and Numbers [ICANN] in 1999355. Private regulatory regimes can span national boundaries and are not subject to the traditional requirements of public and private international law with respect to jurisdiction. It is a low cost and high speed resolution procedure, and the parties must agree beforehand to implement the results of the dispute resolution. However, this proposal fails to recognise that jurisdictional issues are politically driven, not legally driven. A pure embrace of private regulation would displace the political power of the sovereign entity, which would not be acceptable to most states. A hybrid
352 Henry H. Perritt Jr. Will the Judgement-Proof Own Cyberspace?, 32 International Law, 1121. 353 Peter P. Swire, Of Elephants, Mice and Privacy: International Choice of Law and the Internet, (1998) 32 Int’l Lawyer. 991 354 B2B – business to business; B2C- business to consumer 355 http://www.icann.org/udrp/udrp-policy-24oct99.htm
95
regulatory approach may be an alternative, whereby the public law356 provides a general framework within which private regulation can address individual disputes357. Successful hybrid approaches can already be seen in the areas of the Privacy Safe Harbour Agreements, the ICANN mechanism of domain name dispute resolution, and credit card chargebacks. It has been suggested that the choice of law and the choice of forum may be usefully analysed sectorally – for instance financial services solutions, intellectual property rights and torts rather than attempting a universal solution358.
356 There are two kinds of public law framework. One type addresses the substance of the law – such as the Privacy Safe Harbour Agreement. Another approach is to focus on procedure – that only laws made in accord with due process and according to objective standards are acceptable. 357 Internet Law and Policy Forum , September 2001 358 Internet Law and Policy Forum 1999
96
Reaction- Criminal Law As detailed above, an effective security system requires three elements : prevention, detection and reaction. The third element – reaction- will be discussed here in the context of existing and proposed criminal and procedural law. As a whole, criminal law is often more consistent cross border than civil or procedural law. Much of the similarity can be explained by empirical necessity – to maintain a modicum of internal stability, each country must have penal laws that protect against crimes against persons, crimes against property and crimes against the administration of justice. There is a certain generic consistency in criminal laws. For instance, every nation will make it an offence to cause the death of another human being, because no modern state can survive if its citizens are allowed to commit murder without recourse359. An example of the inadequacy of the criminal legal system is the response to the ‘love bug’ In May 2000, a computer virus known as the ‘love bug’ emerged and spread rapidly globally. The love bug infected hundreds of thousands of computers worldwide within hours of release. The source of the virus was found to be in the Philippines, and then the problems began. It took days for investigators to obtain a warrant to search the home of the primary suspect – it was difficult to find a statute on which to base the warrant, and then difficult to find an accommodating judge. When the suspect was apprehended, it was found that there were no laws criminalizing what he had done360, so in desperation, the suspect was charged with theft and credit card fraud. These charges were eventually dropped in that they were not considered applicable. In sum, the suspect, who purportedly caused $10 billion in damage361, was not punished362. And the Philippines at that time was not unique. Over 100 countries do not have penal laws adequate to deal with cybercrime363. Thirty three countries of the 52 surveyed do not have updated laws to address cybercrime364. Cybercrime is not an amorphous mass- it consists of a variety of discrete conduct, some of which can be covered under traditional penal law, and some of which requires the adoption of new penal law. Cybercrime is often no more than the exploitation of a new technology to commit old fashioned criminal activity. However cybercrime can introduce new facets. For instance, theft in cyberspace is analogous to the traditional notion of theft except in one respect. Traditional theft is a zero-sum offence, that is, an offence in which the sole possession and use of the property is transferred from one person [ the rightful owner] to another [ the thief]. The same can be true of cyber-theft – if a cyberthief for example, hacks into a bank’s computer system and transfers funds into an account which he controls the thief now has control of the funds and the rightful owner does not. But a non-zero sum could be where the cyberthief merely copies certain sensitive information. This does not comprise theft in classical terms because the rightful owner maintains possession of the information. But it is theft since the rightful owner has been deprived of the value of exclusive possession of that 359 This statement could be argued. For instance, in Nazi Germany, when the Jews were considered a ‘pollutant’, the murder of a Jew was considered positive. The author recalls writing an essay in law school over two decades ago about the reconciliation of Kant’s Moral Imperative with the Holocaust. The reconciliation was ‘definitional’ – if a Jew was considered vermin, and not human, the Moral imperative was not confronted. 360 The Philippines had no statute making it a crime to access without authorization a computer system, to disseminate a virus or to use a computer in an attempt to commit theft. 361 David Noack, ‘Love Bug’ Damage Worldwide:$10 billion at apbnews.com May 8, 2000 362 As a result, the Philippines adopted a cybercrime law that established fines and prison sentences for hackers. 363 McConnell International , ‘Cybercrime and Punishment at http://www. mcconnellinternational.com/services/cybercrime.html 364 ibid.
97
information365. Traditional penal laws usually do not incorporate the concept of non-zero sum thefts, in which a portion of the value of the intangible property is taken but the rightful owner remains in possession of the information and is able to use it. This is not a flaw which requires the adoption of new, cybertheft specific penal laws. The lacuna can be addressed through amending existing theft laws so that they do envisage the concept of stealing intangible property by making multiple copies of it366. Because technology has allowed national borders to be permeable, cybercrime must be dealt with both at the national and international level. The perpetrator, whilst located in one country, can easily commit criminal activity in another country. For example, an offender working in country A may commit fraud in country B or steal trade secrets in country C, and to commit the crime, he may utilize computer systems in a number of other countries – D, E & F. If country A does not have penal laws in place that outlaw the perpetrator’s conduct, a ‘love bug’ scenario develops in that the perpetrator will not be prosecuted in his own country, and country A will not extradite him so he can be prosecuted elsewhere. Alternatively, if country A does have penal laws regulating cybercrime, it may allow the offender to be extradited to country B but not country C, but its procedural laws may not require it to allow those countries access to critical evidence that is in country A, without which the prosecution cannot proceed. The problem is clearly compounded if the criminal activity can be modularised such that a certain aspect of the activity took place in country D, and another part took place in country E. Cybercriminals could then begin to ‘shop’ for the ‘best’ jurisdiction367. Convention on Cyber-Crime A draft convention is being undertaken by the Council of Europe (COE), which is comprised of the Group of Eight ( G-8 – the seven major industrial countries plus Russia). The COE on September 19, 2001 approved a ‘Convention on Cyber-Crime’ [‘Convention’ or ‘Draft’], intended to be the first international treaty to address criminal behaviour directed against computer systems. The treaty will be enacted when five states, at least three of which are members of the COE, have ratified it. The treaty is not self-enforcing in that it requires each member nation to pass domestic implementing legislation to effectuate its purposes. To the extent that certain provisions of the treaty may be in contravention of local law, policy, or constitutional protections, the versions enacted in different states may differ. The Convention requires signing countries to adopt similar criminal laws on hacking, copyright infringement, computer-related fraud, and child pornography. The Convention also contains a series of powers and procedures such as the search of computer networks and interception. This proposal by the COE has generated much controversy. Some of the furore was generated by the allegation that 19 drafts of this agreement were generated before the U.S. Department of Justice ever admitted the document’s existence. The Draft Convention was described thus” “This treaty doesn’t attack crime. Indeed, it attacks privacy, the Fifth Amendment …- while giving the government awesome new powers to cybersnoop on innocent Americans”368. 365 Susan W. Brenner, Is There Such a Thing as Virtual Crime?, California Law Review, [2001] at http://boalt.org/CCLR/v4/index.htm 366 ibid. On the other hand, such cybercrimes as ‘denial of service’ attacks might not be captured by existing penal laws. In a denial of service attack, the attacker floods a site with data , in the process overwhelming its capacity to respond and effectively shutting down traffic to that site. But since no physical damage is caused to the site, denial of service attacks cannot be prosecuted as vandalism. Since the attacker does not obtain services from the attacked site, there has been no theft. Since there is no attempt to penetrate the web site, there could also be no prosecution for hacking, trespass etc. There needs to be a new cyberlaw dealing with this method of attack. 367 ‘Best’ in this context means the jurisdiction with the weakest level of relevant penal law or weakest level of enforceability. 368 International computer-crime treaty threatens computer privacy’, Privacy News Update at http://[email protected], November 3, 2000
98
Some of the Articles in the Draft of most concern include: - the rationale of the Convention is to allow for mutual sovereign assistance without dual-
criminality. Without dual criminality when investigating cross-border crimes, a scenario could be envisaged whereby the US would be required to intercept electronic communications of a US citizen at the request of another country, say France, even though the crime being investigated in the U.S. is not a crime in the US. The criminal legal system, at least with respect to the acts contemplated by the Convention, would decline to the lowest common denominator – the jurisdiction which had the most draconian laws, ignoring privacy and other rights, with the most rigorous enforcement procedures, would be the prevailing regime. Unless both states unequivocally classify a certain act as criminal, that act should not be the subject of the Convention.
- The rationale of the Draft calls on member states to subject part of their legal system to the ‘supranationality’ and doctrine of direct effects that is presently seen in Europe among nations who belong to the COE. The doctrine of direct effect calls upon allied nations to concede part of their sovereignty to the umbrella alliance or union. From a U.S. perspective, this stance would have negligible chance of implementation.
- No law enforcement agency within a particular jurisdiction should act on behalf of another nation without clear investigative procedures within its own jurisdiction. Though different countries admittedly have different procedures, an attempt should be made to harmonize them rather than act in accord with the most strident or convenient regulations. But Articles 14 and 15 of the Draft sought for consistency of investigative powers, including search and seizure, preservation of data, disclosure of traffic data, and interception, without considering the protection of privacy rights369. Nowhere in the draft are the words ‘substantive due process’ or ‘procedural due process’ used.
- Articles 17, 18 24, 25 require ISPs to retain records regarding the activities of their customers for an undefined minimum period of time. Nations would be able to issue ‘retention orders’ for electronic data stored by ISPs. These provisions are in conflict with the established principles of data protection such as the Data Protection Directive of the European Union and have the risk of allowing privacy violations. There is no differentiation between the varying types of data, and what are the criteria that determine the length of the retention period, nor of who will bear the costs of retention and possible later data production . From a commercial stance, there is also no financial discouragement for law enforcement agencies to inundate other jurisdictions with requests for assistance.
- Article 21 states that all crimes highlighted within the Draft are extraditable offences, subject to a state’s sovereignty. Subsection 4 of Article 21 requires extradition to conform to the legal standards of the requested nation, and Subsection 5 reserves the right of a requested nation to refuse extradition, provided that it carries out domestic prosecution of the suspect for the same offence. This proposal creates numerous problems for the U.S. First, it does not differentiate between a suspect as to whether he is a foreigner, a resident alien, an illegal resident, or a U.S. citizen, each category being treated differently with respect to extradition; second, whether the nature of the foreign warrant conforms to the principles of the Fourth Amendment; and finally, whether the warrant was ‘fairly’ obtained.
- Generally, one of the problems with the subject proposal and generally with legislation/ regulation concerning cyberactivities, is a definitional one. Computer related offences, moreso than other offences, are difficult to define statically. Even such mundane terms as ‘computer’ or ‘access’ or ‘virus’ resist the precise definition demanded in the formulation of criminal policy. Legislatures faced with this problem have erred both ways.
369 Currently the method of obtaining evidence cross-border is for the ‘competent authority’ [ say the Ministry of Justice] of one nation – usually the Ministry of Justice – to make a request under a ‘letters rogatory’ of the competent authority of the other nation [ often a court or quasi-judicial body] for assistance with subpoenas, interviews, documents etc. The process is arduous, slow and cumbersome.
99
The participation of the U.S. seems to be symbolic, since Congress is unlikely to ratify the treaty, and in any case the Supreme Court would likely invalidate many of the provisions as unconstitutional in that it impinges on constitutional individual liberties. There are three areas in which Congress will experience insurmountable problems: - the non-self-executing370 nature of the treaty will render it unenforceable371; - the treaty creates some constitutional conflicts; For instance, the Draft called upon member
states, including the U.S.A. to enact search and seizure methods that contradict existing Fourth and Fifth Amendment law.
- Supreme Court interpretation of treaties and international law will establish barriers that prevent the Draft from having the force and effect of law; The Draft violates a number of Constitutional principles
Article 23 allows a nation to refuse assistance with an investigation request when it is ‘incompatible with the law of the requested party’. The requested party has the power to refuse where it believes that compliance with the request ‘would prejudice its sovereignty, security, public or other essential interests’. With respect to the US potential participation, this begs the question of whether this agreement should be ratified if so much reliance has to be made of this exclusion clause that the intent of the draft would effectively be castrated. The existence of the Convention highlights the need to strengthen and coordinate the laws on a national and international basis relating to cybercrime. Evidentiary or Procedural Law As stated above, there is some generic consistency in international criminal law. But there is less consistency in evidentiary or procedural law, which is required to enforce criminal law. Traditionally, jurisdiction has been equated with territory, with the legal reach of a country being defined by the limits of its territorial boundaries. This is clearly problematic when dealing with cybercrime, as exampled above. For instance, when gathering files stored on a specific computer, the data may not be stored on the actual computer searched, but may be accessed from a computer in a different jurisdiction. The sought information could be stored on a computer on the same network or on a different network. This may or may not require new laws to allow an extension of the search to where the data is actually stored, or use traditional search powers in a more coordinated and collaborative approach across jurisdictions. There have been a number of suggestions made to solve this dilemma. One approach is to broaden the territorial notion of jurisdiction to allow a nation to prosecute whenever the offender’s conduct occurred in whole or in part in the prosecuting nation’s territory372. This would allow prosecution to proceed in a certain country when either the victim or the perpetrator were located in the country during the commission of the crime, or when any part of the crime was committed, planned or facilitated in a particular country. Countries must ensure that their criminal and procedural laws are adequate to permit the investigation and prosecution of cybercriminals. This is a central feature of two conventions that 370 A self-executing treaty is one whose provisions will become domestic law without the need for additional legislation or further executive or administrative action. George Slyz,’International Law in National Courts’, International Law Decisions in National Courts [ Thomas Frank and Gregory Fox (eds), Transnational Publ. 1996] at pp. 77 in Jay Fisher, The Draft Convention on Cybercrime: Potential Constitutional Conflicts and the Accused Confidential Defences to the Act’s Provisions 371 ibid 372 For example, Council of Europe, Draft Explanatory Memorandum to the Draft Convention on Cyber-Crime [ Feb. 14, 2001]. at http://conventions.coe.int/treaty/EN/cadreprojects.htm
100
have been drafted to deal with cybercrime. The Council for Europe’s Draft Convention on Cyber-Crime seeks “to improve the means to prevent and suppress computer- or computer – related crime by establishing a common minimum standard of relevant offences”373. Parties to the Convention have agreed to adopt procedural law sufficient to investigate cybercrime and apprehend potential cybercriminals. The convention proposed by the Center for International Security and Cooperation [CISAC] has similar provisions374. Both the Council and the CISAC Conventions consign the drafting of the particular legislation to the parties who execute the convention, and thus uniformity cannot be ensured.
Practical Considerations The budgetary constraints imposed on every entity, corporate or government, impacting on computer security purchases must be juxtaposed against the increased need for security, this being a risk management issue. There are four options to handle the risk of a computer security breach: - avoid the risk, which necessitates a closed network. In the current environment, this is not an
option. Any company which announced that it was forsaking the internet would be deserted by its stakeholders.
- minimise the risk, using firewalls, authentication methods, encryption, and many of the strategies discussed in Part 1. This option is not really an option – it is a prerequisite of each option. Even if the risk is transferred, there will be a requirement to miniise the risk and mitigate any directo or collateral damage.
- transfer the potential liabilities. Though this is effective, the weaknesses include that it may be difficult to transfer unforeseen vulnerabilities, and may not be of assistance where the party assuming the risk does not have the resources to indemnify the contracting entity375. To transfer liability, the contractual arrangements would need to include details of the manner of authorised access, security and corrective measures of the contracting party etc. It in no way obviates the need for any party to establish a security policy and to minimise risks376. In fact, if the transferor, the party assuming the liability, is an insurance company, the insurance premiums will be adjusted by the robustness of the security of the insured computer system, and the insurance policy will not be issued unless a minimum level of security is assured377. It is likely that insurance companies may begin to specify elements of the security policy; whether certain functions should be outsourced and if so, to whom; and may charge lower premiums for more robust security systems378. Cyber-insurance is still very much in its infancy, and the premiums are high. An issue is the very difficult and inaccurate quantification of the level of risk, to assess the cost/benefit analysis of transferring the risk The problem of liability transfer is compounded by many companies’ posted privacy policies which often contain statements that reasonable efforts are made to secure confidential information. There is also legislation, such as the Health Insurance Portability and Accountability Act in the USA, with mandatory requirements, the breach of which can result in civil and criminal penalties. It is difficult to transfer liability for such mandatory requirements.
373 Council of Europe, Draft Explanatory Memorandum to the Draft Convention on Cyber-Crime at http://conventions.coe.int/treaty/EN/cadreprojects 374 Center for International Security and Cooperation, A Proposal for an international Convention on CyberCrime and Terrorism, at http://www.oas.org/juridico/english/cyber10.htm 375 A ‘straw judgement’ is an ineffective transfer of liabilities. 376 Emily Freeman of AIG-E-Business Risk said:”There isn’t a viable insurer.. that wants to be involved in dealing with viruses and defacements and attacks .. without having clients take these security concerns very seriously”. 377 To draw on the home analogy above, an insurance company will be less likely to insure valuable art works or jewellery unless there is a burglar alarm with back-to-base capability etc. Richard Head, business development manager for AIG Financial Line stated :”In its simplest form, we’ll be asking : If we’re going to insure you, how good are your security systems?” Sydney Morning Herald, March 25, 2002. 378 Bruce Schneier, in some blatant marketing for his firm, Counterpane Internet Security, states that firms using Counterpane have cyber-insurance premiums reduced by 20-40%.
101
Transferring the risk may be able to protect the financial assets of the business, but there is no ability to transfer the risk of the loss of trust of the entity’s stakeholders if there is a material security violation. For example, customers would not bank online with a particular bank, if they thought that their financial information stored in the bank’s database was insecure.
- assume the risk, or in business parlance ‘self-insure’. Again, whether the risk is assumed or transferred, the risk must be minimised. From discussions with a number of internal legal officers and external law firms379, most electronic commerce participants are not seeking to transfer liability, and are reluctantly assuming the incremental risk. Most corporations have never heard of cyber-insurance though the insurance industry expects that it will become a growth area380. Part of the reluctance to transfer liability may arise from the reticence to publicise security breaches by the victim – if a third party had assumed the risk, the confidentiality may not be as well contained as if the victim had self-insured.
Part II Conclusion There will be an increasing focus on computer security as a result of the accounting scandals such as Enron and World Comm. “If you look at government, e-government, banking, financial services, financial information is increasingly the same as information assets and they’re merging. There is no distinction in my mind eventually between data about money and data about data and the value it has..381” In some sectors, such as health care and banking, there is legislatively mandated civil and criminal liability for failure to ensure the privacy and integrity and security of certain confidential information. For instance, the privacy rules in relation to the Health Insurance Portability and Accountability Act [ HIPPA] will become effective in the US in April 2003, and to ensure data confidentiality, a corresponding level of security will be required. A number of debates have raged in relation to the interaction between the legal system and electronic commerce, often characterised by polarised views which, upon reflection, are less dichotomised than might first appear. The polemics which have been examined in this paper are: - whether the existing legal structure could be adapted to electronic commerce, or whether any
modification would be ineffective, and a new set of laws specifically focused on e-commerce security issues is required. This issue is explored in relation to contractual, tortious, criminal and procedural law.
- whether the legal system should be technologically neutral or whether the choice of technology or implementation should be left to the contracting parties or the marketplace.
- whether there should be a differentiation between transactions between parties who have multiple dealings as opposed to those transactions characterised by an anonymous party on at least one side of the transaction. Should parties who are known to each other have the ability to agree to a common security standard or should the law adopt a paternalistic stance? Determining what is ‘commercially reasonable’ in terms of Article 2B of the Uniform Commercial Code may be different in an industry where there is a history of self-regulation, a developed body of commercial practices, and the participants are sophisticated commercial parties subject to strict regulatory oversight to a business-to-consumer transaction.
- whether electronic signatures should be limited to certain types of transactions. For example, a number of U.S. states authorise the use of electronic signatures for transactions involving only specified private entities such as financial institutions.
- whether electronic commerce should be subject to a higher security standard than traditional transactions. Often legislators forget that hand written signatures are not reliable and can be easily forged. It is generally agreed that there is less risk of transmitting credit card details as
379 principally, Baker & McKenzie and Coudert Brothers 380 Discussions with various insurance analysts including Dr. P. Hofflin at Lazard Asset Management Pacific.. 381 ibid
102
part of an electronic purchase than using a credit card at a restaurant with unknown personnel having the credit card details.
- whether the degree of protection afforded to certifying authorities and internet service e providers can be balanced between providing an incentive for these services to conduct a viable business as well as allow the consuming user the requisite degree of confidence. Should, for example, certifying authorities be able to limit their liability by the use of qualified certificates or the value of a transaction in which a digital signature may be used?
- whether the Internet can be considered ‘without borders’. The issues of jurisdiction selection in cross-border disputes is examined.
What type of ‘legal security’ is necessary? Should the law set forth a legal regime specific to certain technologies or implementations, providing certain benefits when that technology is used? While it may be true that certain technological security procedures are ‘uniquely suited to the needs of secure e-commerce’ two key points remain. First, while certain types of technology today may be considered sufficiently secure to merit special treatment, future technological advances raise the possibility that: 1) methods of security currently used may cease to be secure in the future; and 2) other methods of security and other modes of technological implementation will provide comparable or even better means of security. Given the time lags inherent in the updating of laws, drafting a technology-specific or implementation-specific body of rules may not be prudent. Drafting a more general body of rules that depend upon such concepts as ‘commercially reasonable security procedures’ or that set out criteria that security procedures must satisfy present a different problem: the creation of a legal regime lacking the certainty desired by many business people. The theory that these laws ‘encourage’ the use of security procedures is questionable. If indeed certain technological security techniques are uniquely situated to the needs of secure electronic commerce, they may well be implemented without the adoption of specific rules. That proposition, while asserted as evidence of the need for PKI specific legislation, arguably proves the opposite: if there is a good, secure method of doing electronic commerce, that method will be implemented as a matter of sound business practices, not as the result of PKI specific legislation. In other words, the technology implementation itself provides the necessary security and certainty necessary for electronic commerce without the need for legislative intervention. The difficulty with much of this debate over whether or not to recognise specific means of technological security is that the discussion is misplaced. If the technology provides reasonable means of security, people will implement the technology for that reason, not because the law says so. A person who installs locks on his or her door does not do so because greater legal protection is afforded those who use the technology; a person installs locks because experience has shown that locks are one means of stopping intruders. A business that requires cheques to be signed by more than one officer does so not because the law requires such a procedure but because it is a good business practice that reduces risks of fraud, and a bank which institutes the practice of manually examining the signatures on cheques over a given amount does so not because the law requires it but because it is a prudent banking practice to reduce risk of fraud. The economic and other benefits to be gained from implementation of secure systems is not disputed: what is disputed is the need for the law to enact legislation saying that these secure systems are secure and therefore are entitled to special treatment. Such legislation may be neither needed nor wise. As stated above, a security system has three aspects – prevention, detection and reaction. Many of the unauthorised access attempts originate from employees. In a significant percentage of cases, the victim, especially if a corporate or government entity, is embarrassed to prosecute the offender for fear of adverse publicity and exposure of some security flaws. Thus, the offender is often dealt with leniently with the worst consequence in reality often no more than being terminated from the employ of the entity. The ability of the legal system to act as a deterrent to criminal behaviour is often never brought into play.
103
APPENDIX
Digital Millennium Copyright Act In October 1998, Congress enacted the Digital Millennium Copyright Act (“DMCA”)382. Hailed as an effort “to begin updating national laws for the digital era383,” the DMCA seeks to advance two goals: protecting intellectual property rights in the modern digital environment and promoting continued growth and development of electronic commerce. The DMCA was designed “to make digital networks safe places to disseminate and exploit copyrighted materials”384. The DMCA prohibits circumventing technological measures in order to merely access, not just copy, digital copyrighted works. Yet certain provisions of the DMCA are under attack by those who claim that the provisions raise serious questions as to the balance between copyright law and the First Amendment. It has also been argued that the DMCA restricts the freedom to innovate - what has also been called the ‘freedom to tinker385’. To innovate requires a need to break down the code and, for instance , reverse engineer software. Critics have argued that by prohibiting technological circumvention to access a digital work, the defence of fair use has been effectively extinguished. ‘Fair use’ encompasses use “for purposes such as criticism, comment, news reporting, teaching, …scholarship or research”386. The DMCA is the product of the obligations of the US to implement two international treaties387 proposed by the World Intellectual Property Organisation (“WIPO”)388. Both treaties provide, in relevant part, that contracting states “shall provide adequate legal protection and effective legal remedies against the circumvention of effective technological measures that are used by copyright owners with respect to their works.389” The DMCA, among other things, creates three new prohibitions against circumvention: - Sec. 1201(a)(1) prohibits the act of circumventing technology protection systems implemented
by copyright owners, such as music or film or book publishers or authors. - Sec. 1201(a)(2) forbids manufacturing, offering to the public or trafficking in technology or
products designed to circumvent such technological measures. - Sec. 1201(b) prohibits trafficking in technology designed to circumvent measures that protect
a copyright owner’s rights under the Copyright Act. The prohibitions are separate unlawful acts, regardless of whether they constitute an infringement of the underlying copyright. The DMCA makes it illegal not just to infringe upon a copyrighted work, but also to circumvent a technological measure in order to gain access. In fact, the device or service which circumvents the measure need not be designed or produced to do so. The DMCA prohibits any device that has only “limited commercially significant purpose or use other than to
382 Pub. L. No. 105-304, 112 Stat, 2860 (Oct. 26, 1998) 383 H.R. Rep. No. 105-551, pt. 2, at 21 (1998) 384 S. Rep. No. 105-190 at 2 (1998) as reported in Chrisitng Jeanneret, The Digital Millennium Copyright Act: Preserving the Traditional Copyright Balance, 12 Fordham Intell. Prop. Media & Ent. L.J. 157 385 E. Felten, The Economist, June 22 2002 at page 25 386 17 U.S.C. s. 107 387 The treaties are the WIPO Copyright Treaty and the WIPO Performances and Phonograms Treaty, both adopted on Dec. 20, 1996 at a WIPO Diplomatic Conference on Certain Copyright and Neighbouring Rights Questions. The US signed the treaties on April 12, 1997 and the Senate ratified them on Oct. 21, 1998- 144 Cong. Rec. S12985-01 [ daily ed. Nov. 12, 1998] 388 The anti-circumvention provisions of the DMCA exceed those of the WIPO treaty. The US, according to a number of commentators, did not have to promulgate the DMCA to satisfy WIPO, but could have relied on existing intellectual property norms which were already encapsulated in US law. 389 WIPO Copyright Treaty, supra 1997 WL447232 at pp. 8
104
circumvent390”. A potential plaintiff need only demonstrate that the device is capable of circumvention, and there is no need to prove any instance of actual infringement. The legislation could thus be regarded as somewhat extreme, in that it punishes the users / manufacturers/ retailers of the circumvention device itself, rather than the individual bad acts. As a result, “[b]y outlawing the general distribution of post-access circumvention devices, Congress has.. adjusted the technological status quo in favour of copyright owners, and at least for now, set the copyright ‘balance’ against unauthorized convenience copying”391. In the analog world copyrighted works could not really be protected against convenience copying. But in the digital world, the dangers of convenience copying are much more serious, and thus warrant added protection. The increased risks of the digital world have been used an a justification for the increased protection offered by s. 1201 (a) of the DMCA. The DMCA contains a number of exemptions, including for non-profit libraries and educational institutions, law enforcement and intelligence activities, reverse engineering and security testing, if certain requirements are met. In addition, the DMCA exempts from the prohibition certain good faith activities of circumvention for encryption research when the person circumventing the protection system lawfully obtains the encrypted copy of the work; the circumvention is necessary to conduct the ‘encryption research’; the person circumventing the protection system made a good faith effort to obtain authorisation from the copyright owner of a work protected by a technological measure before the circumvention; and such circumvention did not constitute copyright infringement or a violation of any otherwise applicable law. Before the DMCA was enacted, manufacturers of devices that permitted one to copy works generally considered themselves protected by the ‘fair use’ provisions of the Copyright Act so long as their devices had substantial non-infringing uses. This line of reasoning arose out the US Supreme Court’s 1984 Sony decision392, in which the court held that neither Sony Corp nor consumers infringe the copyrights of video cassette publishers by manufacturing and distributing and using video cassette recorders. In Sony, the Supreme Court explored the effect of home videotape recorders on the rights of copyright owners. The Supreme Court held that recording of a television program to be watched at a later time constituted a ‘fair use’. The Court held that “the sale of copying equipment, like the sale of other articles of commerce, does not constitute contributory infringement if the product is widely used for legitimate, unobjectionable purposes. Indeed, it need merely be capable of substantial non-infringing uses”393. Two federal court decisions interpreting the DMCA have made it clear, however, that the Sony fair use defence may no longer be available to manufacturers and others who distribute technology that can be used to circumvent technological copyright-protection devices, even if the technology has substantial non-infringing uses. In January 2000, Judge Marsha J Pechman of the US District Court for the Western District of Washington394 preliminarily enjoined Streambox Inc from continuing to market certain products that circumvented access and copy-protection features found in RealNetworks’ RealPlayer and RealMedia products. Judge Pechman found that the Streambox VCR was designed primarily to circumvent the copy protection features included in the RealPlayer and RealAudio products. Streambox’s arguments that its products were protected under the Sony decision because they had legitimate uses were rejected, and it was found that a product could be immune from infringement liability under Sony but still run afoul of DMCA anti-circumvention prohibitions. Subsequently, Streambox reportedly
390 DMCA, s. 1201(a)2(B) 391 Jane C. Ginsburg, Copyright Legislation for the ‘Digital Millennium’, 23 Colum-VLA J.L. & Arts 137 at 143 (1999) 392 Sony Corp. of America v Universal City Studios Inc. , 464 U.S. 417 (1984) 393 Sony 446 US at 442 394 RealNetworks Inc. v. Steambox Inc. , No. 2:99CV02070, 2000 WL 127311 (W.D. Wash. Jan. 18, 2000).
105
redesigned its products to operate in conjunction with RealNetwork’s copy-protection scheme and to no longer transform RealMedia streams into other formats395. The Sony fair use defence has also been rejected in a case396 in which the DMCA has been used to enjoin a hacker magazine from publishing or linking to the details of a computer program that allegedly circumvents the encryption-protection technology commonly used on digital versatile disks (DVDs). In January 2000, the Motion Picture Association of America sued online hacker magazine 2600 and several other Web sites for publishing and linking to a programme called “DeCSS” that could theoretically be used to crack CSS, the security method commonly used in DVDs. It was found that the technology in question might have substantial non-infringing uses but that it nonetheless violates Section 1201 of the DMCA397. The court recognised that computer code is covered or protected by the First Amendment. In determining the level of scrutiny to be applied in reviewing the constitutionality of the DMCA’s provisions, the District Court found that the DMCA provisions are content-neutral, and are entitled to a less demanding level of scrutiny than they would be if they were found to be content-based restrictions. In upholding the provisions, it was concluded that the DMCA anti-circumvention provisions are content-neutral regulations in furtherance of important governmental interests that do not unduly restrict expressive activities. Aside from being used to stop the spread of circumvention technology, the DMCA also has been used to threaten researchers from publishing papers concerning possible weaknesses in encryption methods and to arrest and indict a Russian citizen for allegedly violating the DMCA’s anti-circumvention provisions, even though he was not on US soil as the time the alleged crime was committed. In July 2001, the criminal provisions of the DMCA were invoked for the first time to arrest and indict Dmitry Sklyarov after his Russian employer, Elcomsoft Co Ltd, posted a program on the Internet that breaks the encryption protecting the electronic book technology of Adobe Systems Inc. Elcomsoft removed the programme on Adobe’s request, but Sklyarov was arrested in July when he visited the US to deliver a speech on the weaknesses in e-book encryption methods at a hacker conference in Las Vegas. Although Adobe has reportedly dropped its claim, Sklyarov has been indicted and has criminal charges pending against him in California for violating the DMCA. If convicted, Sklyarov faces up to five years in prison and a fine of up to $500,000. After the arrest of Sklyarov, other computer security experts have reportedly removed their work from the Internet for fear of persecution under the DMCA. Another encryption expert, who reportedly found a hole in Microsoft Corp’s e-book format, reported it to the news media anonymously because he feared arrest. Both the proponents and critics of the DMCA rely on the same argument to advance their positions – that the objective should be to allow the public to benefit from the digital dissemination of copyrighted works. Proponents of the DMCA argue that without ensuring proper safeguards for copyright owners, there is no economic incentive for the owners to distribute works in a digital form. Critics of the DMCA argue that because section 1201 absolutely prohibits circumvention devices, the public will not have the necessary access to digital works to make fair use of such works. Thus, in a future where copyrighted works may be available only in encrypted digital, the public will benefit less form copyrighted works because access is a prerequisite to fair use, which section 1201 prohibits398. 395 See ‘Early DMCA Lawsuit settled, Steambox will Modify Products to prevent Digital Copying’, Electronic Commerce & Law (BNA) 1019 (Oct. 11, 2000) 396 Universal Studios Inc. v. Reimerdes, 111 F. Supp. 2d 294 (S.D.N.Y. 2000) 397 ibid at 323-324 398 Proponents of DMCA reply that no all copyrighted works will be encrypted, though the author does not know the
106
rationale for this. Further, copies will still be available for limited copying in places such as public libraries where, under certain circumstances, users are entitled to circumvent access and anti-copying regulations.
107
BIBLIOGRAPHY American Express, Private Payments at http://www.americanexpress.com/privatepayments/ Anon, Secure Computing with Java: Now and the Future (a whitepaper): http://www.javasoft.com/marketing/collateral/security.html B. P. Aalberts & S. van der Hof, Digital Signature Blindness: Analysis of Legislative Approaches Toward Electronic Authentication, The EDI Law Review 1- 55 [ 2000] Andrew W. Appel, Protection against untrusted Code, IBM Developer Works, September, 1999 at http://www-106.ibm.com/developerworks/library/untrusted-code/ Argus Systems Group, Trusted OS Security: Principles and Practice, at http://www/argus.com/products/white paper Australian Electronic Commerce Expert Group, Electronic Commerce: Building the Legal Framework http://www.law.gov.au/aghome/advisory/eceg/eceg.html N. Asokan and P. Ginzboorg, Key agreement in ad hoc networks, Computer Communications, 23:1627-1637, 2000 at www.semper.org/sirene/people/asokan/research/ccr.ps.gz G. Ateniese and S. Mangard, A New Approach to DNS Security (DNSSEC) in Proceedings of the 8th ACM Conference on Computer and Communications Security. November 2001. at http://www.cs.jhu.edu/~ateniese/papers/dnssec.pdf Robert M. Baird, Reagan Ramsower, & Stuart Rosenbaum, Cyberethics: Social and Moral Issues in the Computer Age, Prometheus Books, Amherst, 2001 Michael S. Baum, Linking Security and the Law of Computer-Based Commerce at http://www.verisign.com Steven M. Bellovin, Computer Security- An End State? Communications of the ACM, vol. 44, no. 3, March 2001, pp. 131-132. Amelia H. Boss, Searching for Security in the Law of Electronic Commerce, Nova Law Review, Winter 1999, 23 Nova L. Rev. 585 at http://agent.cs.dartmouth.edu/papers/bredin:position.pdf Jonathan Bredin, David Kotz, and Daniela Rus, Economic markets as a means of open mobile-agent systems, Proceedings of the Workshop ``Mobile Agents in the Context of Competition and Cooperation (MAC3)'' at Autonomous Agents '99, pages 43-49, May 1999 at http://agent.cs.dartmouth.edu/papers/bredin:position.pdf Susan W. Brenner, Cybercrime Investigation and Prosecution: The Role of Penal and Procedural Law, Murdoch University Electronic Journal of Law, vol 8, no. 2 [ June 2001] Susan W. Brenner, Is There Such a Thing as Virtual Crime?, California Law Review, [2001] at http://boalt.org/CCLR/v4/index.htm J. Dianne Brinson, Benay Dara-Abrams, Drew Dara-Abrams, Jennifer Masek, Ruth McDann & Bebo White, Analysing E-Commerce and Internet Law, Prentice Hall PTR, New Jersey , 2001. Ran Canetti & Shafi Goldwasser. "An efficient threshold public-key cryptosystem secure against adaptive chosen ciphertext attack." EUROCRYPT'99, pp.90-106
108
Brian Carter & Russell Shumway, Wireless Security: End to End, Wiley Publishing, Inc. , Indiana, 2002. David Chess, Benjamim Grosof, Colin Harrison, Devid Levine, Colin Parris, Gene Tsudik, Itinerant Agents for Mobile Computing, IEEE Personal Communications, 2(5), pp 34-49, October, 1995. Center for International Security and Cooperations, A Proposal for an international Convention on CyberCrime and Terrorism, at http://www.oas.org/juridico/english/cyber10.htm John Claessens, Bart Preneel, & Jaos Vandewalle, Combining World Wide Web Security and Wireless Security, Proceedings of IFIP I-NetSec 2001, November 26-27, 2001, Leuven, Belgium Chris Dalton & Tse Huong Choo, An Operating System Approach to Securing E-Services, Communications of thr ACM, vol. 44 no. 2, February 2001 Y. Desmelt, Threshold Cryptography, European Transactions on Telecommunication, 5(4):449-457, July-August, 1994 Premkumar T. Devanbu & Stuart Stubblebine, Software Engineering for Security: A Roadmap, in The Future of Software Engineering, pp. 227-239, Special Volume, ICSE 2000. William M. Farmer, Joshua D. Guttman & Vipin Swarup, Security for Mobile Agents: Issues and Requirements. In Proceedings of the 19th National Information Systems Security Conference, pages 591-597, October,1996 Jay Fisher, The Draft Convention on Cybercrime: Potential Constitutional Conflicts and the Accused Confidential Defences to the Act’s Provisions at http://gsulaw.gsu.edu/lawand/papers/fa00/fisher/ Philip W.L. Fong , Viewer’s Discretion: Host Security in Mobile Code Systems at ftp://fas.sfu.ca/pub/cs/techreports/1998/ George H. Forman & John Zahorjan, The Challenges of Mobile Computing, IEEE Computing, March 1994 T. Fraser, L. Badger & M. Feldman, Hardening COTS Software with Generic Software Wrappers, in Proceedings of the 1999 IEEE Symposium on Security and Privacy, pp. 2- 16, May 1999 Susanna Frederick Fischer, Saving Rosencrantz and Guildenstern in a Virtual World? A Comparative Look at Recent Global Electronic Signature Legislation, Boston University Journal of Science and Technology Law, 2001, 7 B.U.J. Sci. & Tech, L, 229 Michael Geist, Is There a There There? Toward Greater Certainty for Internet Jurisdiction, 16 Berkeley Tech Law Journal 1345 (2001) Anup K. Ghosh, E-Commerce Security: Weak Links, Best Defenses, Wiley Computer Publishing, New York, 1998 Anup Ghosh & Tara M. Swaminatha , Software Security and Privacy Risks in MOBILE E-COMMERCE , Communications of the ACM, Feb 2001, vol. 44, No. 2 Jane C. Ginsburg, Copyright Legislation for the ‘Digital Millenium’, 23 Colum-VLA J.L. & Arts 137 (1999)
109
L. Gong. New security architectural directions for Java. In IEEE COMPCON '97, February 1997 J. Gosling, H. McGilton, The Java Language Environment: A White Paper, Sun Microsystems, May 1996. Dieter Gollman, Computer Security, John Wiley & Sons, West Sussex, England, 1999 Robert S. Gray, Agent Tcl: A Flexible and Secure Mobile Agent System, Proceedings of the 4th Annual Tcl/Tk Workshop (TCL 96) , July 1996 Arne Grimstrup, Robert Gray & David Kotz, Write Once, Move Anywhere: Toward Dynamic Interoperability of Mobile Agent Systems, Dartmouth College Computer Science Technical Report TR2001- 411 F. Hohl, Time Limited Blackbox Security: Protecting Mobile Agents From Malicious Hosts, in G. Vinga (Ed.), Mobile Agents and Security, Springer-Verlag, Lecture Notes in Computer Science No. 1419, 1998, pp. 92-113. Richard Allan Horning, Legal Recognition of Digital Signatures: A Global Status Report, Hastings Communications and Entertainment Law Journal , Winter 2000 191 Yih-Chun Hu, Adrian Perrig, David B. Johnson , Ariadne: A Secure On-Demand Routing Protocol for Ad Hoc Networks , Eighth ACM ACM International Conference on Mobile Computing and Networking, September, 2002 at http://citeseer.nj.nec.com/cache/papers/cs/26211/http:zSzzSzwww.perrig.netzSzprojectszSzsecure-routingzSzariadne.pdf/ariadne-a-secure-on.pdf Jean-Pierre Hubaux, Levenie Buttyan & S. Capkun, The Quest for Security in Mobile Ad Hoc Networks, ACM Symposium on Mobile Ad Hoc Networking and Computing [MobiHOC 2001] Internet Law & Policy Forum on Security and Privacy, Seattle, September, 2002 Sotiris Ioannidis, Steven M. Bellovin & Jonathan M. Smith, Sub-Operating Systems: A New Approach to Application Security, SIGOPS EW 2002 to appear. at www.research.att.com/~smb/papers/ Trent Jaeger, Jochen Liedtke, & Nayeem Islam, Operating System Protection for Fine-Grained Programs, 7th USENIX Security Symposium, San Antonio, Texas, January 1998 W. Jansen, Countermeasures for Mobile Agent Security in Computer Communications, Special Issue on Advances in Research and Application of Network Security, November 2000 W. Jansen, P. Mell, & D. Marks, Applying Mobile Agents to Intrusion Detection and Response, Interim Report(IR) 6416, NIST, October, 1999 David R. Johnson & David G. Post, Law and Borders: The Rise of Law in Cyberspace, 48 Stan. L. Rev. 1367 ( 1996) Christine Jeanneret, The Digital Millenium Copyright Act: Preserving the Tradtional Copyright Balance, Fordham Intellectual Property, Media and Entertainment Law Journal, Autumn 2001 , 12 Fordham Intell. Prop. Media & Ent. L.J. 157 Niels C. Juul & Niels Jorgensen, WAP May Stumble over the Gateway, Proceedings of the SSGRR, June 2001 at http://www.dnafinland.fi/oopsla/wap.pdf
110
R. Kaplan, SUID and SGID Based Attacks on UNIX: A Look at one form of the Use and Abuse of Privileges, Computer Security Journal, 9(1):73-7, 1993 Gunther Karjoth, Danny B. Lange, & Mitsuru Oshima, A Security Model for Aglets, Internet Computing, July 1997 Gunther Karjoth, N. Asokan, and G. Gülcü. Protecting the computation results of free-roaming agents. In K. Rothermel and F. Hohl, editors, Second International Workshop on Mobile Agents (MA '98), Springer-Verlag, Lecture Notes in Computer Science pages 195-207, 1998 at http://www.zurich.ibm.com/~gka/publications.html Neeran Karnik, Security in Mobile Agent Systems, Ph.D. dissertation at http://www.cs.umn.edu/Ajanta/publications.html Vesa Karpijoki, Security in Ad Hoc Networks, at http://www.tcm.hut.fi/Opinnot/Tik-110.501/2000/papers/karpijoki.pdf Jane Kaufmann Winn, Open Systems, Free Markets, and Regulation of Internet Commerce, 72 Tul. L. Rev. 1177 ( 1998) John C. Knight & Nancy G. Leveson, Should Software Engineers be Licensed? Communications of the ACM, November 2002, vol. 45 no. 11 J. Kong, P. Zerfos,, H. Luo, S. Lu & L. Zhang, Providing Robust and Ubiquitous Security support for MANET, IEEE ICNP 2001, 2001 David Kotz, Robert Gray & Daniela Rus, Future Directions for Mobile-Agent Research, 2002, Technical Report TR2002-415, Dartmouth College. Chrisotpher Krugel, & Thomas Toth, Applying Mobile Agent Technology to Intrusion Detection, http://www.elet.polimi.it/Users/DEI/Sections/CompEng/GianPietro.Picco/ICSE01mobility/papers/krugel. Danny B. Lange and Mitsuru Oshima. Seven Good Reasons for Mobile Agents, Communications of the ACM, 42(3):88-89, March 1999 Tie-Yan Li & Kwok-Yan Lam, Detecting Anomaous Agents in Mobiel Agent Systems, AAMAS July,2002 ACM B. Lampson, A Note on the Confinement Problem, Communications of the ACM 16(10),1973. Jay Lepreau, Bryan Ford, & Mike Hibler, The Persistent Relevance of the Local Operating System to Global Applications, Proceedings of the Seventh Workshop on ACM Sigops European Workshop: Systems Support for Worldwide Applications, September, 1996 Robert E. Litan, Law and Policy in the Age of the Internet, [2001] 50 Duke L. J. 1045 at www.law.duke.edu/journals/dlj/articles/dlj50p1045.htm Peter A. Loscocco, Stephen D. Smalley, Patric A. Muckelbauer, Ruth C. Taylor, S. Jeff Turner, John F. Farrell, The Inevitability of Failure: The Flawed Assumption of Security in Modern Computing Environment, 21st National Information Systems Security Conference (NISS), 1998 at http://www.nsa.gov/selinux/inevit-abs.html
111
Haiyun Luo, Petros Zerfos, Jiejun Kong, Songwu Lu and Lixia Zhang ,Self-securing Ad Hoc Wireless Networks, Seventh IEEE Symposium on Computers and Communications (ISCC '02) at http://citeseer.nj.nec.com/cache/papers/cs/25885/http:zSzzSzwww.cs.ucla.eduzSz~jkongzSzpublicationszSzISCC02.pdf/self-securing-ad-hoc.pdf David Maude, R. Raghunath, A. Sahay, & P. Sands, Banking on the Device, McKinsey Quarterly , Number 3, 2000 David Mazieres & M. Frans Kaashoek, Secure Applications Need Flexible Operating Systems in Proceedings in the 6th Workshop on Hot Topics in Operating Systems [ HotOS-VI], pp. 56-61, Chatham, Cape Cod, 1997, IEEE Computer Society. Peter Mell, Donald Marks, & Mark McLarnon, A Denial of Service Resistant Intrusion Detection Architecture, Computer Networks Journal, October 2000 D. Milojicic, F. Douglis, & R. Wheeler, Mobility: Processes, Computers and Agents,Addison- Wesley Longman, Inc. 1999 V. Morgan, Liberty for Security, Duke Law and Technology Review, October, 2001, 2001 Duke L. & Tech. Rev. 0036 George Necula & Peter Lee, Safe Kernel Extensions without Run-time Checking’, Proceedings of the Second USENIX Symposium on Operating System Design and Implementation [OSDI ‘96] , pp. 229-243, Seattle, October, 1996 at http://citeseer.nj.nec.com/necula96safe.html Sa-Koon Ng, Protecting Mobile Agnets Against Malicious Hosts, Thesis ofr Degree of Master of Philosophy, 2000, Chinese University of Hong Kong Carrie A. O’Brien, E-Sign: Will the New Law Increase Internet Security Allowing Online Mortgage Lending To Become Routine? [April, 2001], 5 N.C. Banking Institute 523 Joann J. Ordille, When agents roam, who can you trust? First Conference on Emerging Technologies and Applications in Communications (etaCOM) (1996) at http://citeseer.nj.nec.com/ordille96when.html John E. Ottaviani, DCMA Faces Free Speech Challenges, National Law Journal, vol. 24, no. 9, October, 2001 Todd Papaioannou, Mobile Information Agents for Cyberspace – State of the Art and Visions at http://citeseer.nj.nec.com/387777.html J. Riordan, B. Schneier, Environmental Key Generation Towards Clueless Agents, in G. Vigna (ed.) Mobile Agents and Security, Springer-Verlag, Lecture Notes in Computer Science no. 1419, 1998 at http://citeseer.nj.nec.com/317271.html R.J. Robertson, Electronic Commerce on the Internet and the Statute of Frauds, South Carolina Law Review, 1998 , 49 S.C. L. Rev. 787 J. H. Saltzer and M. D. Schroeder. The protection of information in computer systems. Proceedings of the IEEE, 63(9):1278-1308, September 1975. T. Sander and C. Tschudin, Protecting Mobile Agents Against Malicious Hosts, in the Proceedings of the 1998 IEEE Symposium of Research in Security and Privacy, Oakland, 1998.
112
Bruce Schneier, Security Pitfalls in Cryptography, April 1999, at http://www.counterpane.com/pitfalls Bruce Schneier, Secrets and Lies : Digital Security in a Networked World, Wiley Computer Publishing , New York, 2000. Scott M. Silver, Implementation and Analysis of Software Based Fault Isolation (1996) Senior Honors Thesis Dartmouth College June 1996 at http://citeseer.nj.nec.com/cache/papers/cs/3045/ftp:zSzzSzftp.cs.dartmouth.eduzSzTRzSzTR96-287.pdf/silver96implementation.pdf Frank Stajano, The Resurrecting Ducking- what next? 7th International Workshop on Security Protocols, Cambridge, 1999 at http://wwwlce.eng.cam.ac.uk/~fms27/papers/duckling.pdf William Stallings, Operating Systems: Internals and Design Principles, Third edition, Prentice-Hall, Inc. New Jersey, 1998 Symposium, Intellectual Property and Contract Law in the Information Age: The Impact of Artcile 2B of the Uniform Commercial Code on the Future of Transactions in Information and Electronic Commerce, 13 Berkely Tech. L.J. 809 (1998) H. Tan and L. Moreau, Trust Relationships in a Mobile Agent System, Proceedings of the 5th IEEE International Conference on Mobile Agents. Lecture Notes in Computer Science 2240 Bob Tedeschi, E-Commerce: Borders Returning to the Internet, New York Times, April 2, 2001 Holly K. Towle, E-Signatures – the Basics of the U.S. Strcuture, Houston Law Review, Fall, 2001, 38 Hous. L. Rev. 921 Anand Tripathi, Tanvir Ahmed, and Neeran Karnik ,Experiences and Future Challenges in Mobile Agent Programming, Microprocessor and Microsystems 2001 at http://www.cs.umn.edu/Ajanta/publications.html Arnand R. Tripathi, Neeran M. Karnik, Manish K. Vora, & Tanvir Ahmed, Ajanta – A System for Mobile Agent Programming. Technical Report TR98-016, Department of Computer Science, University of Minnesota,, April 1998 Aphrodite Tsalgatidou, Jari Veijanainen, & Evaggelia Pitoura, Challenges in Mobile Electronic Commerce, Proceedings of 3rd International Conference on Innovation Through Electronic Commerce, Manchester, November 14-16 2000 at http://cgi.di.uoa.gr/~afrodite/IeC_Manchester.PDF Upkar Varshney, Ronald J. Vetter, & Ravi Kalakota, Mobile Commerce: A New Frontier, IEEE Computer, October 2000 Jari Veijalainen & Aphrodite Tsalgatidou, Electronic Commerce Transactions in a Mobile Computing Environment, Proceedings of IS 2000 International Conference on Information Society in the 21st Century: Emerging Technologies and New Challenges, Fukushima, Japan, November 5-8, 2000. Also in Q.Jin, J. Li, N. Zhang, J. Cheng, C. Yu, S. Noguchi (eds), Enabling Society with Information Technology, Springer Verlag (Tokyo) at pp. 131-140.
113
V. Varadharajan, Security Enhanced Mobile Agents in Proceedings of the 7th ACM Conference on Computer and Communications Security, pages 200-209, ACM Press, 2000. Steven J. Vaughan-Nichols, Operating System 2010, November 5, 2001, Byte.com G. Vigna. Cryptographic traces for mobile agents, Mobile Agents and Security, Lecture Notes in Computer Science no. 1419, Springer-Verlag, 1998. J. Viega & J. Voas, The pros and cons of UNIX and Windows security policies, IT Professional, Sept/Oct 2000 pp. 40-45 Russell Dean Vines, Wireless Security Essentials, Wiley Publishing Inc., Indiana, 2002. J. M. Voas, Certifying off-the-shelf software components, IEEE Computer, 31(6), 1998 D. Volpano and G. Smith. Language Issues in Mobile Program Security. In Mobile Agents and Security, number 1419 in LNCS. Springer-Verlag, 1998. R. Wahbe, S. Lucco, T. Anderson, Efficient Software-Based Fault Isolation, Proceedings of the 14th ACM Symposium on Operating System Principles, ACM SIGOPS Operating System Review, Dec. 1993, pp. 203 –216. WAP Forum, Technical Reports WAP-193-WMLScript, WAP-170-WTAL, WAP 169-WTA, July 2000 at http://www.wapforum.org Edgar Weippl, The Transition from E-Commerce to M-Commerce: Why Security Should Be the Enabling Technology, Journal of Information Technology Theory and Application (JITTA), 3:4, 2001 B.S. Yee, A Sanctuary for Mobiel Agents, Technical Report CS97-537, University of California in San Diego, April 1997 Y. Zhang & W. Lee, Intrusion Detection wirelessed-ad hoc networks, in Proceedings of ACM/IEEE Mobile Computing ( Aug, 2000) Scott R. Zemnick, The E-Sign Act: The Means to Effectively Facilitate the Growth and Development of E-Commerce, [2001] 76 Chicago-Kent Law Review 1965 Scott R. Zemnick, The E-Sign Act: The Means to Effectively Facilitate the Growth and Development of E-Commerce, Chicago-Kent Law Review 2001, 76 Chi.-Kent L. Rev. 1965 Lidong Zhou and Zygmunt J. Haas. Securing ad hoc networks. IEEE Network Magazine, 13(6):24-30, November/December 1999. 21 Y. Zhang & W. Lee, Intrusion Detection in Wireless Ad-Hoc Networks, in Proceedings of MOBICOM, 2000.
