Mobile Agent Programming in Ajanta

1
Mobile Agent Programming in Ajanta

• Anand Tripathi
• Department of Computer Science
• University of Minnesota
• Minneapolis MN 55455
• http//www.cs.umn.edu/Ajanta/
• This work was supported by NSF grants ANIR
  9813703 and EIA 9818338

2
Outline

• Mobile Agent Paradigm
• Benefits, Obstacles, and Potential Applications
• Evolution of the Mobile Agent Paradeigm
• Ajanta Mobile Agent Programming System
• Conclusions and Future Directions

3
Contributors to Ajanta Project

• Neeran Karnik (currently with IBM New Delhi)
• Manish Vora (currently with Fore Systems)
• Tanvir Ahmed
• Ram Singh (currently with Cisco)
• Arvind Prakash (currently with Microsoft)
• Shremattie Jaman

4
Aspects of Mobile Agent Research

• Distributed System Research
• Focus on system architectures and protocols for
  managing executions of mobile agent objects.
• Security, fault tolerance, naming, yellow pages
• Programming Languages Research
• Code mobility, safety, programming constructs
• Agent communication languages
• Artificial Intelligence Research
• Focus on intelligence, learning, and cooperation

5
What is an agent?

• An agent is a software component (object) which
  can perform one or more tasks in some predefined
  manner.
• Properties of an agent
• Mobility
• Autonomy
• Deliberative vs. Reactive
• Learning
• Cooperation
• See IEEE Spectrum April 1998 paper by Morreale

6
Evolution
Remote Procedure Call
parameters(data)
Code resides at the server
Client
Server
results (data)

• Courier at Xerox PARC in 1980
• Sun RPC 1984
• DCE, CORBA late 1980s

7
Evolution Process Migration

• Process migration allows a partially executed
  process to be relocated to another node.
• Execution state of the process is migrated.
• Stack, memory, program counter, state of open
  files.
• Mainly used for load balancing.
• In the mid 1980s several mechanisms were
  investigated and supported in a local area
  network environments.
• Locus (UCLA), Sprite (UC Berkeley), Condor
  (Wisconsin)

8
Evolution Object Migration

• Object migration allows objects to be moved
  across address spaces at different nodes.
• Requires mobility of objects code and data.
• Emerald supported object mobility under program
  control. (Univ. of Washington) (1986)
• Chorus distributed system (1988) supported object
  mobility with autonomous control by the object.
• Most of these system supported migration in a
  homogeneous system.

9
Evolution ...
Remote Programming and Code Mobility
procedure code data
Code transported to the server
Server
Client
results (data)

• Remote Evaluation model by Stamos and Gifford
• (MIT) (1990).
• Java Sun Microsystems (1995) allows code
  migration
• across heterogeneous platforms.

10
Mobile Agents

• A mobile agent is an object capable of
  autonomously migrating from one host to another
  in a distributed system to perform actions on
  behalf of its creator.

Client
Server 1
agent(codedata)
Mobile Agent
Server 2
Server 3
11
Mobile Agents

• A mobile agent is an object capable of
  autonomously migrating from one host to another
  in a distributed system to perform actions on
  behalf of its creator.

Client
Server 1
agent(codedata)
Mobile Agent
Server 2
Server 3
12
Potential Benefits and Capabilities

• Concurrency
• Reduced network usage (bandwidth frequency)
• No need to maintain client-server connection
• Move processing closer to where needed
• Client-server asynchrony
• Disconnected operations
• Installation of client-specific interfaces
• Dynamic interface upgrades

13
Examples of Potential Applications

• User-level applications
• Search and information filtering agents
• Personal assistants
• Middleware systems
• Global file systems
• Distributed collaboration and workflow systems
• System level tasks
• Network status monitoring and control
• Intrusion detection
• Software distribution, installation, upgrades

14
Basic Requirements

• A mobile agent system needs to support migration
  of a partially executed agent object from one
  node to another.
• Code migration to the destination node
• Agent state migration
• There are two approaches to state migration
• Strong mobility refers to transfer of system
  level execution state, such as execution stack,
  program counter, memory
• Weak mobility refers to application level state
  transfer
• IEEE TSE May98 paper by Fugetta, Picco, Vigna

15
Obstacles -- Security Issues

• Protection of host resources
• Unauthorized access to host resources
• files, processes, system programs
• privacy concerns
• Damage to resources
• Denial of service attack
• annoyance attacks
• Privacy integrity of agent data
• Passive active attacks
• Beyond applet security model

16
Obstacles -- Robustness Issues

• Fault Tolerance Issues
• Exceptions during agents remote execution
• Unavailability of server
• Loss of an agent during migration
• Status Monitoring and Control
• Support to monitor an agents status
• Support to recall or terminate an agent

17
Obstacles - Programming Support

• Programming model and APIs
• Programming infrastructure and services
• Naming scheme for servers, agents, resources
• Agent transfer protocol
• Inter-agent communication protocol
• Debugging facilities

18
Mobile Agent Systems - Approaches

Mobile Agent Systems
Languages
Middleware Systems
Telescript Oblique
OO Language Based
Script Language Based
Java based
Tcl, Python, Perl
19
Agent Programming Systems

• Telescript - A language developed by
• General Magic in the early 1990s.
• OO language for programming mobile agents.
• Designed with security requirements.
• It was used for email
• It was used in Sonys Magic Link personal digital
  assistant linking to messaging and email services
  of ATT and AOL
• Now discontinued in favor of Odyssey.

20
Agent Programming Systems

• Tacoma - Tcl based system developed at Cornell
  and Tromso University (1994-95)
• Agent Tcl - Tcl based system developed at
  Dartmouth College. (1994-95) DAgents
• Aglets - Java based system from IBM. (1996)
• Concordia - Java based system from Mitsubishi
  Research. (1997)
• Voyager - Java based system from ObjectSpace
• Odyssey - Java based system from General Magic
• See http//www.informatik.uni-stutgart.de/pvr/proj
  ekte/mole/mal/mal.html

21
Ajanta Mobile Agent System

• Ajanta System Architecture
• Agent Programming Primitives
• Agent Server Architecture and Security
• Agent Protection
• Patterns for Agent Migration
• Agent-Based Applications
• Conclusions and Future Directions

22
Ajanta System Architecture

• A mobile agent in Ajanta is a Java object
• Infrastructure for agent-based applications
• The base Agent and AgentServer classes
• Infrastructure for hosting agents
• Applications extend the generic agent server to
  define
• Name service
• Location information and public-key distribution
• Based on Uniform Resource Naming (URN) framework

23
Mobile Agents in Ajanta
Object
Object
byte array
serialize
deserialize
Host-A
Host-B
n e t w o r k

• state mobility using Java object serialization
• code mobility based on on-demand class
  loading
• Agent transfer is lightweight (no code or thread
  state transfer) weak mobility
• execution context - control flow by method
  chaining

24
Agent Programming Support

• Base Agent class defines basic functionality for
  creating and launching an agent.
• Agent execution model
• arrive and depart methods define entry and exit
  protocols at a host.
• ItinAgent class defines itinerary based agents
• Migration patterns for itinerary composition
• Exception handling by guardians.

25
Defining an Application Agent

• An application specific agent is defined by
  inheriting from Ajantas base Agent class.
• The base Agent class has empty definitions for
  run, arrive, and depart methods.
• Application specific agent class must suitably
  redefine these methods.

26
Agent Credentials

• Credentials object includes
• agent name (its own identity, in URN format)
• owner (URN of the human user it represents)
• creator (program/application that created it)
• guardian (its home site/exception handler)
• code base (class bytecode server)
• owners signature on the above

27
Agent Migration Request

• go(destination,methodName, parameter
  description)
• If no method is specified, by default run method
  is executed at the destination server.
• Absolute vs Relative migration (co-location with
  other agents/resources)

28
Agent Execution at a Server

• When an agent arrives at a server
• Its credentials are verified.
• A thread is created for its execution.
• This thread first executes the arrive method of
  the agent.
• It then executes the requested method.
• Finally it executes the depart method.

29
Exception Handling -- Guardian
Agent Server
Agent Creator
Agent launch

Agent
Code Base Server
Exception
Agent transfer on exception
Agent
Agent colocates with the Guardians and calls its
Report method
Guardian
30
Protection of Server Resources

• Agents should be granted controlled access to
  host resources based on their credentials.
• Access to files, network, application resources
• Agents should be prevented from bringing impostor
  code for security sensitive classes.
• Agents should be prevented from transferring a
  resource to a remote site.

31
Protection of Server Resources

• Based on JDK 1.1 security model
• Protection domains for agents
• Thread groups in Java
• Using the thread-group ID to identify the agent
• The Domain Registry
• Class loading in Java Lindholm Yellin 1996
• Class loader-based namespace isolation
• One class loader per agent (domain)
• On-demand, secure code transfer

32
Agent and Server - Interactions
AGENT
current
Itinerary
AGENT SERVER
State
Resource
Unprotected Data AppendOnly Data Targeted
Data ReadOnly Data
Proxy1
Proxy2
Credentials
AccessProtocol
host
Agent Environment
RMI
ResourceRegistry
AgentTransfer
DomainRegistry
ServerInterface
ATP
33
Proxy Based Resource Access

• Agents arent given references to resource
  objects
• Proxy interposition Shapiro 1986
• Proxy as identity-based capability Gong 1989
• access control
• dynamic revocation
• usage metering
• Assumption agent server is not malicious

Agent1
Proxy1
Resource
Agent2
Proxy2
34
Resource binding protocol
Resource
Agent
Proxy2
Proxy1
6
AccessProtocol
1
2
4
5
Agent Environment
3
Resource Registry
Domain Registry
Server Interface
Agent Transfer
1. Resource registers its URN2. Agent requests a
resource3. Server locates resource in registry
4. getProxy method is invoked5. New proxy object
is returned to agent6. Agent accesses resource
via proxy
35
Security against potential attacks

• Indirect access to the embedded resource
  prevented using Java encapsulation (private).
• Copying of embedded resource via serialization
  prevented using Javas transient keyword.
• Use of proxy class that compromises embedded
  resource Ajanta class loader only loads trusted
  proxy classes.
• Typecasting of proxy not possible, since proxy
  class has no ancestors (other than the base Java
  class Object).
• Cloning of proxy not allowed, since proxy class
  does not implement Cloneable interface.

36
Inter-agent Communication

• Inter-agent communication for co-located agents
  using proxy-based binding
• Remote communication with agent using RMI
• leakage of sensitive data via remote invocation
• proxy interposition between remote caller and
  agent
• the createRMIProxy primitive
• proxy screens (authenticates) incoming RMI calls
• security manager screens outgoing connections

37
Protection of Agent State

• On the network ATP uses encryption
• Types of objects contained in an agent
• read-only (constants)
• append-only (logs, write-once data)
• targeted (private, for specific servers)

38
Agent Control Primitives

• Remote agents can be terminated or recalled home
• public void terminate (URN agent,...)
• public void recall (URN agent,...)
• public void retract (URN agent,...)
• Authentication necessary for these primitives
• public Ticket authenticate (URN caller, int
  nonce)

39
Agents and Itineraries
An example of a simple itinerary
next
Host A, action M
Host B, action M
Host C, action M
Current
Host D, action M
Host E, action M
Host F, action M
40
Migrations Patterns

• An itinerary is a sequence of patterns.
• A pattern is a collection of patterns. (Recursive)

ItinEntry - primitive pattern
host, action
Sequence of patterns execute the patterns in
a sequential order.
Set of patterns execute in any arbitrary order
3
1
4
3
Selection of one pattern among a set of patterns
1
41
Applications of mobile agents

• A Calendar Management System
• a calendar server maintaining users calendars
• agents for scheduling meetings using patterns
• Global File Access System
• agent-based remote file access system
• Web Index Search Service
• built above the file access system. Agents are
  used for searching a users web-page directory.
• Distributed Collaboration

42
Distributed Calendar System

• Each person in a group maintains a calendar and
  runs a calendar server.
• Calendar is a collection of events, organized by
  days.
• An event has start time, duration, description
• To schedule a meeting of a set of people, an
  agent is sent to check each participants
  calendar server with proposed meeting times.

43
Calendar Agent and Servers
Cal Server of User A
Cal Server of User B
Agent
Agent
Calendar
Calendar
Cal Server of User C
Cal Server of User D
Agent
Agent
Calendar
Calendar

44
Global File Access System
Agent Migration
Files with ACL
User As File Access Server
Client
Agent to fetch/deposit files
Files with ACL
Files with ACL
User As File Access Server
User As File Access Server
45
Global File Access System

• File load, store, transfer, stat, keyword
  search
• Interface primitives
• fetchFile (URN fileName)
• transferFile (URN fileName, URL dest)
• depositFile (byte data, URN fileName)
• getFileStat (URN fileName)
• search (String keywords)
• root directory, and access control list

46
Web Index Search Service

• A user can run a Web-Index Server for his/her web
  directory.
• This server stores an index for the users web
  directory.
• This index is prepared using Glimpse, an indexing
  and search tool from the University of Arizona.
• A client can send an agent to one or more
  web-index servers to search for files containing
  some given set of words.

47
Agent Based Web Search
Server
Client
Launch
Agent
Browser
View Processing
Results
File Server Thread
Search/Filter
Glimpse index of the .www
48
Global File System

• Requirements
• - open, read and write a remote file
• - support for different consistency model (AFS,
  Sprite, NFS etc)
• - dynamically configurable cache module (block
  size, cache size etc)
• - centralized as well as distributed caching
  policy

49
File System Initialization and Open Command

Client Agent Environment
File Server
open
Agent
AjfsFile
File Server Agent
File Client Agent
File Client Agent
50
Agent-based Distributed Collaboration

• Agent can be used as workflow objects.
• Agents can be installed or transported to
  different users nodes for executing coordination
  protocols.
• Specify workflow constraints for a dynamic
  collaboration
• Role based access-control

51
Approach

• Define a collaboration environment
• in terms of user roles, shared objects, security
  and coordination requirements using XML DTD
• A written contract between Ajanta Collaborative
  System and a convener.
• Specify a collaboration plan in XML
• This plan conforms to the DTD and shared
• Role are assigned to people
• Execute the Ajanta Collaborative System

52
Steps in Building a Collaboration
Collaborative Environment in XML DTD
XML Specification of a Collaborative Plan
Agent based Distributed Collaborative
System using Ajanta
53
Agent-based Collaborative System
User A
User B
Communication Network
User Interface
User Interface
a
b
d
c
a
b
d
c
Shared Replicated Objects (Object Space)
Shared Replicated Objects(Object Space)
Dispatching of a Coordination Agent
Agent-based Coordination Facility
Agent-based Coordination Facility
54
Collaborative Authoring System
User Interface
Document Manager
AGENT from a remote users UCI
Proxy
Objects created from XML plan
AccessProtocol
55
Future Directions

• Further investigations into agent security
  issues, and analysis of integrity and security of
  the Ajanta mechanisms
• Scale of operations with a number of different
  kinds of applications involving a significant
  number of agents.
• Robustness and fault-tolerance
• Agent group coordination and management
• Support for debugging agent applications
• High level language for agent programming

56
Resource Implementation
Resource
ResourceImpl
Calendar
AccessProtocol
CalendarImpl
CalendarProxy
implementation inheritance
provided by Ajanta
interface inheritance
written by resource provider
57
Access control in the proxy

• The Calendar proxyprivate transient Calendar
  ref // the hidden resourceprivate Method
  enabledMethodsboolean isFree (TimeRange t)
  // Use Java reflection to find the isFree Method
  object thisMethod myClass.getMethod
  (isFree,) if (isEnabled(thisMethod))
  return ref.isFree(t) // pass it through to
  ref else // throw security violation
  exception

58
Server and Agent Interactions
File System Resource
File SystemProxy
Job buffer
Agent
File SystemThread
Agent Thread
Access Control List
File Server
OS File System
59
Team Members

• Anand Tripathi
• Associate Professor, Computer Science
• B.Tech (Elect. Eng.), 1972, IIT Bombay
• Ph.D. 1980, University of Texas at Austin
• 1981-84, Senior Principal Research Scientist,
  Honeywell Inc. Minneapolis
• 1995-97 Program Director for Operating Systems
  and Systems Software program at the National
  Science Foundation.

60
Team Members

• Anand Tripathi ( Principal Investigator)
• Current Team Members
• Tanvir Ahmed (M.S. student)
• Ram Singh (M.S. student)
• Arvind Prakash (M.S. student)
• Graduated Team Members
• Neeran Karnik (Ph.D.)
• Manish Vora (M.S.)

61
RESEARCH GOALS
The primary goal of the Ajanta project is to
investigate and build an agent programming
infrastructure for programming secure,
high-confidence agent-based applications.

62
Current Research Activities

• The Ajanta infrastructure
• agent execution, migration binding
• agent programming primitives
• secure, remote control of agents
• Location-independent naming based on the URN
  framework
• Secure Agent Transfer
• Mechanisms for server resource protection

63
Current Research Activities

• Secure inter-agent communication using RMI
• Authentication protocol for client-server
  interactions
• Mechanisms to protect agent state
• Read-only state, Append-only state, Targeted
  state
• the ElGamal cryptosystem in Java

64
Evolution
parameters(data)
Client
Server
RPC
results (data)
procedure (code)
Server
Client
REV
results (data)
65
Applications of mobile agents

• A Global File System
• Agents to act as client-side protocol managers
  with dynamic policies for caching and
  synchronization.
• Agents as mobile shared objects
• Server should be able to control the client-side
  protocol managers behavior dynamically
• Active Mail System
• Agents as multimedia mail carriers
• On-demand retrieval of multimedia

66
Patterns for Itinerary Composition

• Itinerary sequence of patterns
• A pattern is a collection of patterns.
  (Recursive)
• Pattern types
• ItinEntry (server method specification)
• Sequence (ordered list of patterns)
• Set (unordered list of patterns)
• Selection (any one from a list of patterns)
• Loop (iterate over a sequence of patterns)
• Split (create one child agent per pattern in
  list)
• SplitJoin (wait for child agents to return)

67
Secure Agent Transfer

• Requirements
• Code and state transfer
• Security requirements (secrecy, integrity,
  authentication)
• Failure/exception handling
• Name service updates
• Audit trails
• Garbage collection
• Thread allocation
• Absolute vs Relative migration (co-location with
  other agents/resources)

68
Applications of mobile agents

• Global File Access System
• Currently we have a simple agent-based remote
  file access system
• An agent can be used to fetch/deposit files at
  remote users node.
• Web Index Search Service
• This is built on the file access system. Agents
  are used for searching a users web-page
  directory.
• User runs a web-index server

69
Web Index Sever and Agent

• The server uses Glimpse to search the index and
  get the list of files satisfying the given search
  query. The agent is given the URLs of these
  files.
• Agent can bring back some initial parts of files.
• The agent returns home and creates an HTML
  document with these URLs as hypertext links.
• The result document also shows the frequency of
  occurrence of the search string in each document.