The Mobile Code Paradigm and Its Security Issues

1
The Mobile Code Paradigm and Its Security Issues

• Anthony Chan and Michael Lyu
• September 27, 1999

2
Presentation Outline

• Drawbacks of client/server paradigm
• Classification of mobile code paradigm
• Mobile code applications and technologies
• Security concerns of mobile code paradigm
• Attack model of malicious hosts against mobile
  agents
• Possible solutions to protect mobile agents
• Conclusion

3
Client/Server Paradigm

• The most common paradigm being used for
  distributed application design
• Two problems
• high network bandwidth requirement (large number
  of message transfer)
• requirement for user-computer interactivity
• Mobile code emerges as a more efficient
  alternative

4
Classification of Mobile Code
Know-how the code to execute Resources
input/output for code execution Processor
abstract machine that holds the state of
computation
Ghezzi and Vignas classification of mobile code
paradigms
5
Mobile Code Applications

• Examples of mobile code systems
• remote evaluation rsh utility, SQL queries
• code on demand Java applets
• mobile agents
• a lot of possible applications, e.g., information
  retrieval, electronic commerce (bargaining)
• not common yet, but a lot of platforms for mobile
  agents being developed worldwide (e.g., Aglets
  from IBM, Concordia from Mitsubishi)
• Hurdle SECURITY

6
Security Concerns of Mobile Code

• A basic requirement
• an application developed using the mobile code
  paradigm can be as secure as the same application
  developed using the client/server paradigm
• otherwise mobile code could not be used for
  security-critical applications, which are very
  common
• In other words, the mobile code paradigm should
  not bring additional security attacks that do not
  have proper security mechanisms to defend

7
Security Attacks

• Actions that compromises security requirements of
  an application
• Attacks to Client/server masquerading, forging,
  eavesdropping, etc.
• Additional attacks to remote evaluation
  (REV)/code-on-demand (COD) Trojan horses
• Additional attacks to mobile agents agent
  tampering (data/execution)

8
Security Mechanisms

• Mechanisms designed to prevent, detect or recover
  from security attacks
• Security mechanisms for client/server
• Kerberos, Secure Socket Layer (SSL), etc.
• very well established
• Security mechanism for REV/COD
• sandboxing and code verification
• quite well established
• Security mechanism for mobile agents
• not established at all!

9
Mobile Agent SecurityA Closer Look

• Two facets of mobile agent security
• host security
• protect hosts from malicious agents (code/data)
• similar to remote evaluation and code on demand
  approaches
• agent security
• protect agents from malicious hosts
• a relatively new area in security research

10
Attack model of malicious hosts against mobile
agents
Model proposed by Fritz Hohl

• Attacks scenarios that can be described
• spy out and modify the whole data part of an
  agent
• spy out and modify the code part of an agent
• manipulate the code execution sequence of an
  agent
• manipulate the execution environment of an agent

Environment
Read/manipulate
Malicious Host
(Other agents)
Read/manipulate properties control execution
System call
Agent
11
A mobile agent application
Handheld PC (running Windows CE) System analyzes
the request and asks the server for data
agent
Proxy Server Get the request from client and
send agents to database servers
agent
Databases (Oracle server) Agents get appropriate
data here and bring back to proxy server
Network
Network
agent
agent
SERVER
CLIENT
A Traveling Information Agent system
12
Mobile agent application

• Advantages of developing the application using
  mobile agents over conventional client/server
• reduced network traffic for client client
  (handheld PC) needs to handle only two network
  transmissions (agent sending and receiving)
• non-interactivity of client client can be
  plugged to network, send agent, disconnect from
  network then after a while reconnect at another
  physical location, and receive agent

13
Attacks to the sample agents

• Possible attacks to the system described
• a malicious host may spy out and modify data
  collected by the agent, thus false information is
  reported to user
• a malicious host may spy out the code of the
  agent, thereby get to learn what information the
  particular user is interested in
• a malicious host may manipulate the execution
  sequence of the agent, and make the agent request
  some information for it illegitimately
• a malicious host may manipulate the information
  obtained from the databases, and report false
  information to the agent

14
Possible solutions

• An open research question
• Two cases
• closed network malicious hosts are identifiable
• open network malicious hosts are not identifiable

15
Closed network

• Integrity checks
• integrity check on agents result code and data
• report to public that host is malicious if
  integrity check fails
• send agents only to those hosts not reported as
  malicious
• Encryption
• encrypt agent transmission, to avoid eavesdropped
  by malicious hosts

16
Closed network

• Time-limiting techniques
• malicious hosts takes time to tamper with /
  modify agents
• limit the time for an agent to survive in the
  network
• do not trust agents and their results that have
  expire the time limits

17
Open network

• Encryption
• need to hide the code (algorithm) and data of
  agents so that any malicious hosts would not be
  able to tamper
• one possible way would be mobile cryptography
  using probabilistic encryption
• under active research
• Time-limiting techniques
• limit the time for an agent to survive
• security modeling

18
Security Modeling - some ideas
Agent
Host 1
Host 2
Host n

• Assume
• the time to breach the agent on host i is
  inversely exponential to the number of
  instructions carried out by host i
• the number of instructions carried out by a host
  is directly proportional to time

19
Security modeling

• Let an agent stays at host i for time Ti,
• P(breach at host i)
• 1 - exp(-?iTi), ?i is a constant
• Then the agent security, i.e., probability of no
  breach at all host,

We may use this to measure the time we allow an
agent to stay on a host, so that the agent is
still safe up to a certain probability
20
Conclusion

• Mobile code as an alternative to client/server
  for distributed applications
• Security as a major hurdle to mobile code
• Mobile code (especially mobile agents) faces more
  attacks than client/server do, while the
  corresponding security mechanisms are not well
  established
• An application to illustrate attacks to agents
• Efforts should be devoted to secure agents