Presentation is loading. Please wait.

Presentation is loading. Please wait.

The Mobile Code Paradigm and Its Security Issues Anthony Chan and Michael Lyu September 27, 1999.

Similar presentations


Presentation on theme: "The Mobile Code Paradigm and Its Security Issues Anthony Chan and Michael Lyu September 27, 1999."— Presentation transcript:

1 The Mobile Code Paradigm and Its Security Issues Anthony Chan and Michael Lyu September 27, 1999

2 Presentation Outline Drawbacks of client/server paradigm Classification of mobile code paradigm Mobile code applications and technologies Security concerns of mobile code paradigm Attack model of malicious hosts against mobile agents Possible solutions to protect mobile agents Conclusion

3 Client/Server Paradigm The most common paradigm being used for distributed application design Two problems: –high network bandwidth requirement (large number of message transfer) –requirement for user-computer interactivity Mobile code emerges as a more efficient alternative

4 Classification of Mobile Code Ghezzi and Vigna’s classification of mobile code paradigms Know-how: the code to execute Resources: input/output for code execution Processor: abstract machine that holds the state of computation

5 Mobile Code Applications Examples of mobile code systems: –remote evaluation: rsh utility, SQL queries –code on demand: Java applets –mobile agents: a lot of possible applications, e.g., information retrieval, electronic commerce (bargaining) not common yet, but a lot of platforms for mobile agents being developed worldwide (e.g., Aglets from IBM, Concordia from Mitsubishi) Hurdle: SECURITY

6 Security Concerns of Mobile Code A basic requirement: –an application developed using the mobile code paradigm can be as secure as the same application developed using the client/server paradigm –otherwise mobile code could not be used for security-critical applications, which are very common –In other words, the mobile code paradigm should not bring additional security attacks that do not have proper security mechanisms to defend

7 Security Attacks Actions that compromises security requirements of an application Attacks to Client/server: masquerading, forging, eavesdropping, etc. Additional attacks to remote evaluation (REV)/code-on-demand (COD): Trojan horses Additional attacks to mobile agents: agent tampering (data/execution)

8 Security Mechanisms Mechanisms designed to prevent, detect or recover from security attacks Security mechanisms for client/server: –Kerberos, Secure Socket Layer (SSL), etc. –very well established Security mechanism for REV/COD: –sandboxing and code verification –quite well established Security mechanism for mobile agents: –not established at all!

9 Mobile Agent Security: A Closer Look Two facets of mobile agent security: –host security protect hosts from malicious agents (code/data) similar to remote evaluation and code on demand approaches –agent security protect agents from malicious hosts a relatively new area in security research

10 Attack model of malicious hosts against mobile agents (Other agents) Environment Malicious Host Agent System call Read/manipulate properties; control execution Read/manipulate Model proposed by Fritz Hohl: Attacks scenarios that can be described: spy out and modify the whole data part of an agent spy out and modify the code part of an agent manipulate the code execution sequence of an agent manipulate the execution environment of an agent

11 A mobile agent application Handheld PC (running Windows CE) System analyzes the request and asks the server for data Proxy Server Get the request from client and send agents to database servers Network agent Databases (Oracle server) Agents get appropriate data here and bring back to proxy server CLIENT SERVER A Traveling Information Agent system agent Network

12 Mobile agent application Advantages of developing the application using mobile agents over conventional client/server: –reduced network traffic for client: client (handheld PC) needs to handle only two network transmissions (agent sending and receiving) –non-interactivity of client: client can be plugged to network, send agent, disconnect from network; then after a while reconnect at another physical location, and receive agent

13 Attacks to the sample agents Possible attacks to the system described: –a malicious host may spy out and modify data collected by the agent, thus false information is reported to user –a malicious host may spy out the code of the agent, thereby get to learn what information the particular user is interested in –a malicious host may manipulate the execution sequence of the agent, and make the agent request some information for it illegitimately –a malicious host may manipulate the information obtained from the databases, and report false information to the agent

14 Possible solutions An open research question Two cases: –closed network: malicious hosts are identifiable –open network: malicious hosts are not identifiable

15 Closed network Integrity checks –integrity check on agent’s result code and data –report to public that host is malicious if integrity check fails –send agents only to those hosts not reported as malicious Encryption –encrypt agent transmission, to avoid eavesdropped by malicious hosts

16 Closed network Time-limiting techniques –malicious hosts takes time to tamper with / modify agents –limit the time for an agent to survive in the network –do not trust agents and their results that have expire the time limits

17 Open network Encryption –need to hide the code (algorithm) and data of agents so that any malicious hosts would not be able to tamper –one possible way would be “mobile cryptography” using probabilistic encryption –under active research Time-limiting techniques –limit the time for an agent to survive –security modeling

18 Security Modeling - some ideas Agent Host 1Host 2Host n … Assume: the time to breach the agent on host i is inversely exponential to the number of instructions carried out by host i the number of instructions carried out by a host is directly proportional to time

19 Security modeling Let an agent stays at host i for time T i, P(breach at host i) = 1 - exp(- i T i ), i is a constant Then the agent security, i.e., probability of no breach at all host, We may use this to measure the time we allow an agent to stay on a host, so that the agent is still safe up to a certain probability

20 Conclusion Mobile code as an alternative to client/server for distributed applications Security as a major hurdle to mobile code Mobile code (especially mobile agents) faces more attacks than client/server do, while the corresponding security mechanisms are not well established An application to illustrate attacks to agents Efforts should be devoted to secure agents


Download ppt "The Mobile Code Paradigm and Its Security Issues Anthony Chan and Michael Lyu September 27, 1999."

Similar presentations


Ads by Google