The Mobile Code Paradigm and Its Security Issues

1
The Mobile Code Paradigm and Its Security Issues

• Anthony Chan
• September 13, 1999

2
Presentation Outline

• Drawbacks of client/server paradigm
• Classification of mobile code paradigm
• Mobile code applications and technologies
• Security concerns of mobile code paradigm
• Attack model of malicious hosts against mobile
  agents
• Conclusion

3
Client/Server Paradigm

• The most common paradigm being used for
  distributed application design
• Two problems
• high network bandwidth requirement (large number
  of message transfer)
• requirement for user-computer interactivity
• Mobile code emerges as a more efficient
  alternative

4
Classification of Mobile Code
Ghezzi and Vignas classification of mobile code
paradigms
5
Mobile Code Applications

• Examples of mobile code systems
• remote evaluation rsh utility, SQL queries
• code on demand Java applets
• mobile agents
• not common yet, but a lot of platforms for mobile
  agents being developed worldwide (e.g., Aglets
  from IBM, Concordia from Mitsubishi)
• Hurdle SECURITY

6
Security Concerns of Mobile Code

• A basic requirement
• an application developed using the mobile code
  paradigm can be as secure as the same application
  developed using the client/server paradigm
• otherwise mobile code could not be used for
  security-critical applications, which are very
  common

7
Security Attacks

• Actions that compromises security requirements of
  an application
• Attacks to Client/server masquerading, forging,
  etc.
• Additional attacks to remote evaluation/code-on-de
  mand Trojan horses
• Additional attacks to mobile agents agent
  tampering (data/execution)

8
Security Mechanisms

• Mechanisms designed to prevent, detect or recover
  from security attacks
• Security mechanisms for client/server
• Kerberos, Secure Socket Layer (SSL), etc.
• very well established
• Security mechanism for REV/COD
• sandboxing and code verification
• Security mechanism for mobile agents
• not established at all

9
Attack model of malicious hosts against mobile
agents
Model proposed by Fritz Hohl

• Attacks scenarios that can be described
• spy out and modify the whole data part of an
  agent
• spy out and modify the code part of an agent
• manipulate the code execution sequence of an
  agent
• manipulate the execution environment of an agent

Environment
Read/manipulate
Malicious Host
(Other agents)
Read/manipulate properties control execution
System call
Agent
10
A mobile agent application
Handheld PC (running Windows CE) System analyzes
the request and asks the server for data
agent
Proxy Server Get the request from client and
send agents to database servers
agent
Databases (Oracle server) Agents get appropriate
data here and bring back to proxy server
Network
Network
agent
agent
SERVER
CLIENT
A Traveling Information Agent system
11
Attacks to the sample agents

• Possible attacks to the system described
• a malicious host may spy out and modify data
  collected by the agent, thus false information is
  reported to user
• a malicious host may spy out the code of the
  agent, thereby get to learn what information the
  particular user is interested in
• a malicious host may manipulate the execution
  sequence of the agent, and make the agent request
  some information for it illegitimately
• a malicious host may manipulate the information
  obtained from the databases, and report false
  information to the agent

12
Conclusion

• Mobile code as an alternative to client/server
  for distributed applications
• Security as a major hurdle to mobile code
• Mobile code (especially mobile agents) faces more
  attacks than client/server do, while the
  corresponding security mechanisms are not well
  established
• An application to illustrate attacks to agents
• Efforts should be devoted to secure agents