Mobile%20Code%20Security%20Evaluation

About This Presentation

Title:

Mobile%20Code%20Security%20Evaluation

Description:

remote evaluation (REV), code on demand (COD), mobile agent (MA) Common examples of mobile code: ... downloading Java applets (COD) Other possible applications ... – PowerPoint PPT presentation

Number of Views:56

Avg rating:3.0/5.0

Slides: 27

Provided by: CSE

Category:

more less

Transcript and Presenter's Notes

Title: Mobile%20Code%20Security%20Evaluation

1
Mobile Code Security Evaluation

Presented by Chan Hing Wing, Anthony
April 26, 1999
Room 1027, SHB, CUHK

2
Introduction

Problems of the client/server paradigm
The mobile code paradigm (MCP) and supporting
implementation technologies
Security evaluation of mobile code paradigms and
technologies
A security model for mobile agents
Conclusion and future work

3
The Client/Server Paradigm

The conventional design paradigm (i.e., example
or pattern, Webster) of distributed applications
Two processes (client and server) running on two
different hosts communicate by message exchange
Example a simple network file server
handle only one file per client request (I.e., no
mput / mget)
file listing service also provided
How to delete all files starting with f?

4
Problems, Client/Server

The only way
list all files on server
figure out files starting with f
delete files one by one
Problems
large number of exchanged messages
requirement of user-computer interactivity
Solution
upgrade the server and client (to provide
mdelete)
inflexible how about next time I want mput/mget?
any other solution?

5
The Mobile Code Paradigm

It would be great if I could send a
self-executing code fragment (instead of a single
instruction) to the server side, that decides
which file to delete for me dynamically!
Advantages
reduced network traffic (only code sending, and
perhaps an acknowledgement)
no need for user-computer interactivity

6
Mobile Code Paradigm (MCP)

Three forms of MCP (Ghezzi Vigna)
remote evaluation (REV), code on demand (COD),
mobile agent (MA)
Common examples of mobile code
rsh in Unix (REV)
SQL queries (REV)
downloading Java applets (COD)
Other possible applications (MA)
mobile computing
electronic commerce, etc.

7
Mobile Agents

The most interesting form of mobile code one
form of Intelligent Agents, which is a hot
topic in the AI field
Mobility programs can move across different
machines and platforms, and run on different host
machines
Agency programs act autonomously for the their
users / owners
Agents can move with different execution states,
therefore, they can roam around the network to
perform complex tasks

8
Why Mobile Agents?

Seven Good Reasons for Mobile Agents (in CACM,
March, 1999)
They reduce the network load
They overcome network latency
They encapsulate protocols
They execute asynchronously and autonomously
They adapt dynamically
They are naturally heterogeneous
They are robust and fault-tolerant

9
Supporting Technologies

Client/Server Sockets / RPC / CORBA
Remote evaluation rsh, SQL, etc.
Code on demand Java applets
Mobile Agents?
Many Mobile Agent Systems (MAS) being developed,
e.g., Aglets from IBM, Odyssey from General
Magic, and Objectspaces Voyager (ORB)
OMG is drafting the Mobile Agent System
Interoperability Facility (MASIF) to allow for
cross-MAS agents under CORBA

10
Security Evaluation of MCP

Before we adopt MCP, we should evaluate the
security cost and benefit of MCP, compared
with the client/server paradigm
Two criteria for accepting MCP in application
development
no extra security attacks without corresponding
security mechanisms
easy-to-use, reliable security services provided
by supporting technologies

11
Client/Server Security

Client/Server security
usually adopt the security fortress model
each particular computing base forms a
security fortress, everything (code, data,
users, computers) in the same fortress are
trusted
major challenges
client/server authentication (establishing trust
with another side)
data/request confidentiality across insecure
channel (by encryption)
already well developed

12
Mobile Code Security Concerns

Remote evaluation
fortress model also applicable
challenges
code sender/receiver authentication
code encryption across the channel
Code on demand
can also apply the fortress model
challenges
client building trust on downloaded code
(sandboxing, applet signing)
server verifying the correct client
(authentication)

13
Mobile Agent Security

More complex/challenging because of
roaming agents
co-operating agents
Two aspects
host security
protecting the host against malicious agents
fortress model applies
agent security
protecting the agents against malicious host
fortress model does not apply!

14
Host security

Agent Integrity
sandboxing, run-time verification, proof-carrying
code
Agent Authentication
digital signatures (analogy signed applets)
Authorization
access control lists
Allocation (against denial-of-service attack)
market-based mechanism

15
Agent Security

Example
An agent roams around the Internet to look for
the lowest price of an air ticket it remembers
the lowest price it finds most recently
Data tampering change of execution state of
agents by malicious hosts (brain-flush the
agent of the lowest price it remembers)
Execution tampering change of code or execution
sequence by malicious hosts (deliberately set the
local price as the lowest price, and push the
agent to return immediately)

16
Agent Protection

Some proposed approaches
Agent tampering detection
range verification, timing information
addition of dummy items and functions
state appraisal functions, cryptographic
watermarks
Agent tampering prevention
time-limited black-box Hohl
shared secrets, interlocking of agents
a fault-tolerance approach
execution of encrypted functions Sander
Tschudin
Not very well developed

17
Security Services, RPC

Sockets no security services at all!
Sun RPC
secure RPC services for authentication (man
secure_rpc) with four options
Kerberos v5 authentication, per-session key
generation
ssleay free library functions implementing
SSLv3, for authentication and encryption
Proposed standard Generic Security Services
Application Program Interface version 2 (GSS-API
v.2) (RFC2078)

18
Security Services, CORBA

CORBA Security Services specification
required implementation of objects Credentials,
Principal Authenticator, Security Context, Access
Control, etc.
support authentication, authorization, security
auditing, etc.
however, existing implementation of the
specification is unknown
some vendors add their own security add-on for
their ORB product (e.g., SSL pack for Visibroker)

19
Security Services of MAS

Aglets and Odyssey
Host protection based on Java security model
(sandboxing and signed applets)
No information about agent protection
Voyager
SSL for communication security
No details available about host and agent security

20
Summary of Evaluation
Intuitively speaking,
Client/server
Mobile agents
REV/COD
More possible attacks, mechanisms less developed
RPC
MAS
CORBA
Higher level of abstraction, services less
developed
21
Security Model for Mobile Agents
Host 2
Host n
Host 1
Agent

The agent stay at host i for a time period
ti Assume independent, exponential, distribution
of time-to-breach (Jonssons experiment) at each
host i, i.e., P(breach at host i) 1 -
exp(-?iti), for i 1 to n where ?i vki is a
constant v index of vulnerability ki index of
malice
22
Proposed Security Model (contd)
Security of system P(no breach at all
hosts) exp(-?1t1)exp(-?2t2)...exp(-?ntn),
A Possible Application of the model Assume we
can estimate ?i for each i from 1 to n, then we
can determine the upper limits of time to stay on
each host i (a set of values of ti) for the agent
to become free of breach at a certain probability
(ref time-limited black-box)
23
Conclusion