
Security for Mobile Agents and Platforms


Miguel Ángel Domínguez Coloma
(madc@kth.se)

Kungliga Tekniska Högskolan | Universidad Rey Juan Carlos


March 7, 2010

ABSTRACT
In this report, we present an overview of the security of mobile agents and platforms. The need for mobile agents has grown with global intercommunication. Mobile phones, PDAs (Personal Digital Assistants), e-Readers and the appearance of thousands of small devices that are entering social life make the mobile agent paradigm and its security an important case of study. In this report, we give an overview of the history of mobile agents and of security research, and an analysis of the advantages and disadvantages of the methods used nowadays.

1. INTRODUCTION

With the introduction of mobile agents, a great new range of possibilities has opened up in e-commerce: transactions, offer routes, price negotiation, shopping services. Furthermore, other research has used mobile agents as the main building block for different services, such as network management, in which agents collect information about the system from the computers in the network [1].

This new paradigm offers advantages over the client-server paradigm [2]. Some of them are reduction of network traffic, parallel processing with asynchronous execution, dynamic adaptation on heterogeneous platforms, tolerance to network faults and flexible maintenance by updating the mobile agent code.

In this report, we focus on an overview of mechanisms to create secure mobile agents and stations.

The mobile agent paradigm creates a new kind of security problem, which concerns not only the transport and network protocols but also execution on untrusted stations. The possibility of manipulation of mobile agent code on untrusted stations makes a new case of study in security. Also, the protection of stations against malicious mobile agents (modified by other stations or by viruses) is a real problem. Nowadays, the first problem cited is a hard field of study, pursued through cryptography of code or other methods for protecting the execution of the mobile agent.

To sum up, figure 1 shows the security questions.

[Figure 1: a Base and a Station. Questions on the Base side: "Malicious station?", "Agent modified?". Questions on the Station side: "Malicious agent?", "Security compromised?"]

Fig. 1: Security questions in mobile agents.

As we mentioned, the “Base” questions require applying security methods to the agents in order to prevent modifications to them and their data. The “Station” questions require applying security in the stations against malicious agents or viruses (or faulty functionality of the mobile agent).

1.1. Methodology and audience

The methodology used to write this report is literature review. Section 3 contains an analysis of the advantages and disadvantages of the methods for the security of mobile agents.

This report contains an overview of general methods for the security of mobile agents. Thus, the text is written for audiences who need general knowledge of the protection of mobile agents and stations, i.e. students.

2. BACKGROUND

2.1. Security paradigm

2.1.1. Detection of Tampering

Detection of tampering is concerned with the actions of the host when a mobile agent joins its network. This approach examines and saves records of the actions on the host via legal methods. Alternatively, a mobile agent could contain “dummy data items” which reveal whether these items were modified by other hosts. In general, detection approaches are ineffective against attacks where the guilty party cannot be identified or disappears once the fraud has been committed [3].

One major problem is that the techniques which make tampering difficult or expensive are usually immediately paralleled by countermeasures [3].

Other research creates specific mobile agents which split their tasks and are sent to different computation platforms using secret sharing schemes [3]. Furthermore, if collaborating agents choose random destinations, an attack becomes unlikely.

2.1.2. The Old Idea

There is a widespread belief in the mobile agent community that an entity which executes a given program has complete control over its execution and data, and can change its behavior once the entity has enough knowledge about the program [3]. Chess et al. write in [4]:

    “It is impossible to prevent agent tampering unless trusted (and tamper resistant) hardware is available (...). Without such hardware, a malicious host can always modify/manipulate the agent. (...) As alluded to above, it is impossible to keep an agent private unless its itinerary is known in advance.”

But Sander and Tschudin write in [3]:

    “So our claim is that the folklore about the mobile agent’s vulnerability is wrong because it tacitly assumes that a mobile agent consists of clear-text data and clear-text programs.”

2.2. Protection Mechanisms for Mobile Agents

2.2.1. Encrypted functions

In this section, we distinguish between “function” and “program”. A program executes a set of clear-text instructions which the processor can understand. A program has a set of cipher-text functions which only the program can understand and not the processor. The main idea of encrypted functions (EF) was defined in [5]:

    Bob has an algorithm to compute a function f and is willing to compute f(x) for Alice. Alice wants to compute f on her private input x but does not want to reveal x to Bob. Furthermore Alice should not learn anything substantial about the algorithm of Bob for computing f.

To build an algorithm that follows this definition, there is a function E which can encrypt the function f, giving E(f). The scheme can be constructed as follows (also in illustration 2):

1. Alice encrypts f and obtains E(f).
2. Alice creates a program P(E(f)).
3. Alice sends P(E(f)) to Bob.
4. Bob executes P(E(f)) at x.
5. Bob sends P(E(f))(x) to Alice.
6. Alice decrypts P(E(f))(x) and obtains f(x).

Fig. 2: Encrypted function procedure.

2.2.2. Obfuscated Code

Obfuscated code is source code which has been designed to be difficult to understand. This approach tries to prevent reverse engineering, which is a well-known practice among attackers to obtain the original source code and make modifications to it. Obfuscated code can decrease risks that include loss of intellectual property, ease of probing for application vulnerabilities and loss of revenue that can result when applications are reverse engineered, modified to circumvent metering or usage control and then recompiled [6].

Obfuscated code is suitable for applications that do not convey information requiring long-lived concealment. Also, it is possible for an attacker to introduce random values to validate the application behavior, but the results of this attack have no meaning for the attacker [7].

2.2.3. Cryptographic Traces

Cryptographic traces are a way to verify the correct execution of an agent. The traces are made on the station host by the agent, and they provide a means of verification if the base station needs to verify the expected execution of its agent on a host, i.e. to check that the agent was not modified [8].

Cryptographic traces detect attacks against the state and control flow. This mechanism involves creating and retaining a non-repudiable log or trace of the operations performed by the agent.

The approach has some disadvantages, the most obvious being the size and number of logs to be retained. Moreover, the detection process is triggered only sporadically.

Although it is a mobile agent protection method, this mechanism proposes that the platforms along the route cannot obtain relevant information about the others, thus it is a platform security method as well.

2.2.4. Chained MAC Protocol

This protocol allows the agent to achieve full integrity. To use this protocol, the public key of the agent owner is known by every mobile agent [9].

When a mobile agent arrives at a host, a partial result $m_n$ (a single piece of data generated by the nth host) is encrypted with a random key $r_n$. Both $m_n$ and $r_n$ are encrypted with the agent public key $K(i_0)$, creating the encapsulated message $M_n$:

$$ M_n = \{ r_n, m_n, id(i_{n+1}) \}_{K_{i_0}} $$

A chaining relation is defined as follows (H denotes a hash function):

$$ h_0 = \{ r_n, m_0, id(i_0) \}_{K_{i_0}} $$
$$ h_n = H(h_{n-1}, r_n, o_n, id(i_{n+1})) $$

When the agent travels from host n to host n+1:

$$ i_n \to i_{n+1} : \{ M_k \mid 0 \le k \le n \}, h_n $$

Figure 3 shows an example of this protocol with three terminals [10].

[Figure 3 (diagram not reproduced): stations P_0, P_1, P_2 and P_3. Labels at each station and on the link leaving it:
  P_0: O_0 = ENC_0(r_0, o_0, P_1); h_1 = ENC_0(r_0, o_0, P_1); link: {O_0}, [h_1]
  P_1: O_1 = ENC_0(r_1, o_1, P_2); h_2 = ENC_0(r_1, o_1, P_2); link: {O_0, O_1}, [h_2]
  P_2: O_2 = ENC_0(r_2, o_2, P_3); h_3 = ENC_0(r_2, o_2, P_3); link: {O_0, O_1, O_2}, [h_3]
  P_3: O_3 = ENC_0(r_3, o_3, P_4); h_3 = ENC_0(r_3, o_3, P_4); link: {O_0, O_1, O_2, O_3}, [h_4]
Legend: P_i: Originator; o_i: Offer; O_i: Encapsulated offer; h_i: Hash result; ENC_i: Encryption with i public key; r_i: Random number created by i station.]

Fig. 3: Example of Chained MAC Protocol

2.3. Protection Mechanisms for Stations

2.3.1. Authenticating Credentials

One or more parties digitally sign a mobile agent. One kind of digital signature is the public key signature. In a public key algorithm there are two keys, one private, Kd, and one public, Ke. To apply this algorithm, the base station encrypts the binary file (or a checksum of the mobile binary application) with its private key Kd. When the foreign station receives the mobile agent, it decrypts the mobile agent (or checksum) using the public key Ke. If the result matches, the integrity of the mobile agent is confirmed.

With digital signatures, the host can check the integrity of the agent and its owner. These mechanisms allow the detection of tampering with an agent, even though they do not prevent it.

2.3.2. Access-Level Monitoring and Control

A reference monitor controls access to the resources which the mobile agent can reach: files, communications, peripheral devices, system configuration, information, databases, and so on [11].

A reference monitor is based on a policy which can be given by the host administrator or by the authenticating credentials. Some modern interpreted languages have incorporated a monitor (i.e., Java, PHP-Apache). When a mobile agent tries to access a restricted resource, it is stopped. Thus, resources are always in a safe zone which is defined by a monitor policy, and the mobile agent cannot cause harm.

This mechanism is usually combined with authenticating credentials, which are the first way to establish trust in the mobile agent. Even though the integrity of the mobile agent may be intact, the mobile agent can have weaknesses in its source or it can be designed to access forbidden resources (intentionally or not).

Some policy implementations can be designed as an access control list which specifies which objects can be accessed by which users (or system processes) and which operations are allowed.

2.3.3. Code verification

The station can verify the binary image of the mobile agent. A code verification program can find vulnerabilities in restricted access to memory, files or networking.

A Java program may be checked with the “byte-code verifier” in its runtime environment [12].

Some disadvantages can be found in this method. Firstly, the method performs actions which require heavy operations; it is slow. Furthermore, some of these methods verify the code on a specific channel while the mobile agent is being downloaded. If the mobile agent is downloaded over another channel (such as FTP, HTTP, e-mail, and so on) the code verification application might not check it.

3. ANALYSIS OF METHODS

In this section, we present a table with the advantages and disadvantages of the methods mentioned in the background. Some of them are already mentioned in the background section.

The analysis of advantages and disadvantages is based on the literature listed in the reference section, which was cited in the background. Other advantages and disadvantages are cited in the discussion section.

3.1. Analysis on mobile agent protection methods

Table 1 names the methods after their sections in this paper (i.e. Encrypted functions is M.2.2.1).

Method | Advantages | Disadvantages
M.2.2.1. | · Straightforward idea. · Much research. | · Difficult to find appropriate encryption schemes that can transform the functions.
M.2.2.2. | · Easy implementation of mobile agents (applying obfuscated methods after that). · Difficult to analyze the code. | · Difficult to find good obfuscation methods. · Depends on the ability of the reverse engineer as well. · Not intended for long-lived applications.
M.2.2.3. | · Non-repudiation. · Statistics included. | · Needs trust in most of the stations. · Needs trust in a third party station to retain the log.
M.2.2.4. | · Non-repudiation. · Easy implementation. | · Vulnerable to interleaving attacks.

Table 1: Advantages and disadvantages on mobile agent protection methods

As we can see in table 1, every protocol has its own disadvantages. M.2.2.1. has a vulnerability in its protocol. M.2.2.1. and M.2.2.2. have a simple implementation or are based on a simple idea or algorithm. M.2.2.3. has non-repudiation, which is used to find which station tried to manipulate the mobile agent.

3.2. Analysis on station protection methods

Table 2 names the methods after their sections in this paper (i.e. Authenticating credentials is M.2.3.1).

Method | Advantages | Disadvantages
M.2.3.1. | · Easy implementation: checking the integrity with public key cryptography. | · Customer needs to know that the mobile agent was proven. · Trust is placed in the mobile agent's word, not in the mobile agent's code.
M.2.3.2. | · Easier way to avoid harm to the resources. | · The channel over which the mobile agent was received is not checked.
M.2.3.3. | · Works as well as the mobile agent implementation. | · Slow. · Assumption that it comes from a trusted source. · Code is vulnerable to subversion.

Table 2: Advantages and disadvantages on station protection methods

Some of these methods can be combined to avoid the disadvantages of others. A station may use M.2.3.1. in order to trust the channel of M.2.3.2.

The protection of the station is easier than the protection of the mobile agents, as we noted in the introduction. A station should control its resources, channels and public keys, which should come from trusted sources. Stations can manage mobile agents like other kinds of applications and scan them with virus scanners.

4. DISCUSSION

The protection of mobile agents is a different concept from traditional security. The traditional approach of encrypting the information transmitted between two points uses concepts such as secure channels or encrypted messages. The hard task in the security of mobile agents is the integrity of their code. Any entity which can access a mobile agent (a software application) can access its code and modify it.

Some methods have been researched to preserve the integrity of the software. Encrypting the code or creating cryptographic traces are some solutions. But traditional security requires other concepts, such as denial of service. Once an agent joins a station, it is not possible to prevent it, even if it is possible to detect it (via non-repudiation techniques).

The design of mobile agents must target heterogeneous systems. Their code is usually a black box which the customer cannot check. Customers might not trust third-party software and might decide not to open their channels in order to receive software from outside. Customers need to add extra security to their systems in order to check every resource on their machines.

The protection of mobile agents is at an early stage, which requires trusting not only the author of the mobile agent but also the platforms through which the mobile agent travels. In traditional security, a customer trusts other close customers which provide services to it. Their lists of customers usually have one or two levels of reliability in the customers' customers.

On the other hand, mechanisms to secure a station are based on resource access. These methods were not created only for mobile agents, but also for local applications. Resource access methods imply an Access Control Matrix or a similar approach which characterizes the rights of each subject with respect to every object in the system. Thus, each station sets the rights on its resources (files, printers, databases, and so on) for each mobile agent.

The integrity of mobile agents can be checked with public key encryption in the stations. But, as we discussed in the previous paragraphs, even if the mobile agent is sent from a trusted station and the resources are limited, the station must specify the rights under which the mobile agent may modify the resources.

5. CONCLUSIONS

Mobile agents give more flexibility in network communications. This approach shares the way that communications have worked for tens of years, the client-server paradigm. Some of the advantages of mobile agents are:

• Reduction of network traffic.
• Parallel processing: asynchronous execution on multiple heterogeneous network hosts.
• Dynamic adaptation: actions are dependent on the state of the host environment.
• Tolerant to network faults: able to operate without an active connection between a client and server.
• Flexible maintenance: to change an agent's actions, only the source (rather than the computation hosts) must be updated.

The principal disadvantage is that this paradigm opens up a new approach to the classic security methods. Security in mobile agents focuses on two aspects of integrity: protecting the mobile agent code and execution, and protecting the stations against malicious mobile agents. Furthermore, this protection may cover not only the mobile agent code but also the data which the mobile agents transport.

In this report, we gave an overview of several generic methods for the protection of mobile agents and platforms. Furthermore, we created an analysis table with their advantages and disadvantages. We finished with a discussion section in which we explain which doubts arise in this paradigm and which arise from a customer's point of view.

BIBLIOGRAPHY
[1] A. Bieszczad, B. Pagurek, and T. White, “Mobile agents for network management”, IEEE Communications Surveys, 1998.
[2] C.G. Harrison, D.M. Chess, and A. Kershenbaum, “Mobile agents: Are they a good idea”, Mobile Object Systems: Towards the Programmable Internet, 1997.
[3] T. Sander and C.F. Tschudin, “Protecting mobile agents against malicious hosts”, Lecture Notes in Computer Science, 1998.
[4] D. Chess, B. Grosof, C. Harrison, D. Levine, C. Parris, and G. Tsudik, “Itinerant agents for mobile computing”, Readings in agents, 1997.
[5] M. Abadi and J. Feigenbaum, “Secure circuit evaluation”, Journal of Cryptology, 1990.
[6] M. Mateas and N. Montfort, “A box, darkly: Obfuscation, weird languages, and code aesthetics”, Proceedings of digital arts and culture, 2005.
[7] A. Zwierko and Z. Kotulski, “Security of mobile agents: a new concept of the integrity protection”, Arxiv preprint cs/0506103, 2005.
[8] G. Vigna, “Cryptographic traces for mobile agents”, Lecture Notes in Computer Science, 1998.
[9] L. Fischer, “Protecting integrity and secrecy of mobile agents on trusted and non-trusted agent places”, 2003.
[10] A. Suen and M. Protocol, “Protecting Mobile Agent Data with Data Encapsulation and Cryptographic Tracing”, 2003.
[11] M.S. Greenberg, J.C. Byington, and D.G. Harper, “Mobile agents and security”, IEEE Communications Magazine, 1998.
[12] X. Leroy, “Java bytecode verification: algorithms and formalizations”, Journal of Automated Reasoning, 2003.
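
The chaining relation of section 2.2.4, h_n = H(h_{n-1}, r_n, o_n, id(i_{n+1})), sketched in Python as an added example; it is not code from this report or from the cited protocol papers. It models only the owner-side check: each Record stands for an M_k that the owner has already decrypted, and the choice of SHA-256 for H, the empty SEED, the field encoding and the host names are assumptions of the sketch.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Record:
    """Plaintext of one M_k, as the owner sees it after decryption."""
    r: bytes       # r_k: random value chosen by host k
    offer: bytes   # o_k: partial result contributed by host k
    next_id: str   # id(i_{k+1}): host the agent was forwarded to

SEED = b""  # assumption: value fed into the first link in place of h_{-1}

def _field(b: bytes) -> bytes:
    # Length-prefix every field so that field boundaries are unambiguous.
    return len(b).to_bytes(4, "big") + b

def link(prev_h: bytes, rec: Record) -> bytes:
    """h_n = H(h_{n-1}, r_n, o_n, id(i_{n+1})), with SHA-256 as H."""
    parts = (prev_h, rec.r, rec.offer, rec.next_id.encode())
    return hashlib.sha256(b"".join(_field(p) for p in parts)).digest()

def host_step(records, prev_h, offer, next_id):
    """Host n appends its record and advances the chain before forwarding."""
    rec = Record(secrets.token_bytes(16), offer, next_id)
    return records + [rec], link(prev_h, rec)

def owner_verify(records, final_h) -> bool:
    """Owner recomputes the chain from the records and compares it with h_n."""
    h = SEED
    for rec in records:
        h = link(h, rec)
    return hmac.compare_digest(h, final_h)

def demo():
    # Constructed itinerary: three hosts, the last one returns the agent to i0.
    records, h = [], SEED
    hops = [(b"price=120", "shopB"), (b"price=95", "shopC"), (b"price=110", "i0")]
    for offer, nxt in hops:
        records, h = host_step(records, h, offer, nxt)
    tampered = [records[0], replace(records[1], offer=b"price=200"), records[2]]
    truncated = [records[0], records[2]]
    reordered = [records[1], records[0], records[2]]
    rerouted = [records[0], replace(records[1], next_id="shopX"), records[2]]
    return {
        "intact": owner_verify(records, h),
        "tampered": owner_verify(tampered, h),
        "truncated": owner_verify(truncated, h),
        "reordered": owner_verify(reordered, h),
        "rerouted": owner_verify(rerouted, h),
    }

if __name__ == "__main__":
    print(demo())
```

Because every link hashes the previous link, changing, dropping, reordering or rerouting any earlier record changes the value the owner recomputes, so the comparison with the carried h_n fails.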