Title: Aglets (10) - Aglet Security - Kenji Taguchi, Dept. of Information Science, Uppsala University
1 Aglets (10) - Aglet Security
Kenji Taguchi, Dept. of Information Science, Uppsala University
2 Security in the Internet
- Application Level (e.g., e-Commerce)
  - Some confidential information is transmitted
    - Credit card info
    - Mail address, ...
  - Security protocols such as SSL are used to assure security
- Mobile agents are a threat to a system
- There are also many threats to mobile agents
- Some security threats to mobile agents are common problems in the Internet, but some are not.
3 Mobile Agents Security Problems (1)
- Agent Protection
  - Malicious remote hosts
    - tampering
    - illegal execution
    - illegal access
  - A malicious agent threatens another innocent agent
    - illegal access
  - Unauthorised third parties threaten an innocent agent
    - altering
    - eavesdropping
[Slide annotation grouping the threat sources: "In the framework of mobile agents" vs. "Outside of the framework of mobile agents"]
4 Mobile Agents Security Problems (2)
- Host Protection
  - A malicious agent threatens an innocent host
    - illegal access
    - masquerade
    - Trojan horse
    - denial of service
    - repudiation
  - Unauthorised third parties threaten an innocent host
    - denial of service and replay
- Network Protection
  - A malicious agent threatens the network
    - denial of service
5 Taxonomy of Attacks (1)
- Passive Attacks
  - do not modify the agents or other information
  - e.g., eavesdropping, traffic analysis
  - Monitoring traffic (analysing transmitted packets) is an easy job.
- Active Attacks
  - do something harmful to the agents
6 Passive Attacks
[Diagram: Agent, Server, Info, Perpetrator; the perpetrator observes the information passing between agent and server]
7 Active Attacks (1)
- Illegal Access
  - An agent accesses forbidden information.
- Masquerade
  - A malicious agent pretends to be a trusted agent or an agent from a trusted organisation.
- Trojan Horse
  - An agent that does something different from its declared intention
8 Active Attacks (2)
- Alteration
  - An agent or message is deleted or changed while in transit
- Replay
  - A captured copy of a previously sent legitimate agent is retransmitted for an illegitimate purpose.
[Diagram labels: A, B, A]
9 Active Attacks (3)
- Resource Exhaustion (Denial of Service (DoS))
  - A resource is deliberately used so heavily that service to other users is disrupted.
  - E.g., the recent attacks against Yahoo.
- Repudiation
  - A party to a communication exchange later denies that the exchange took place.
10 Cryptography
- Public Key Cryptography
  - Invented in 1975
[Diagram: Plain Text is turned into Encrypted Text with the Public Key; Encrypted Text is turned back into Plain Text with the Private Key]
11 Digital Signature
[Diagram: Plain Text is turned into Signed Text with the Private Key (Signature); Signed Text is checked back to Plain Text with the Public Key (Verification)]
12 Security Services (1)
- Authentication
  - Authentication of user (public-key encryption or password)
  - Authentication of host
  - Authentication of code (digital signatures)
  - Authentication of agent (owner)
[Diagram: Agent, Code, Digital signatures]
13 Security Services (2)
- Integrity
  - It must be made sure that an agent's state and code have not been tampered with
- Confidentiality
  - An agent may carry confidential information which must be accessible only to trusted entities (servers, agents, etc.).
- Authorisation
  - Access control is granted according to an agent's principal.
- Nonrepudiation
  - An agent or server cannot deny that a given communication exchange has taken place.
- Auditing
  - An auditing service records activities; the records are later used for inspection.
14 Inherent Limits to Agent Security Issues
[Diagram label: private info]
15 Agent Execution
- Every execution of an agent is done by the server (runtime system).
16 Secrecy of Data to the Server
Private information must be sealed from the server. E.g., an agent carries an access key for a specific server, which should be kept secret from everyone else. One way to solve this problem is to encrypt the key with that server's public key, so that it can only be decrypted with that server's private key. Without such sealing, the server executing an agent can read, steal and tamper with any information the agent carries.
17 Secrecy of Data to the Server (1)
[Diagram: the Home server keeps the private key and gives out the public key. Only the server which has the private key can decrypt the data.]
18 Secrecy of Data to the Server (2)
[Diagram: Given some secret data, the agent encrypts the data with the home server's public key and sends the encrypted data back to the Home server. Only the server which has the private key can decrypt the data.]
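The sealing step of slides 16 to 18 in standard Java, as an added example that is not from the lecture or the Aglets SDK: the agent encrypts what it collected under the home server's RSA public key, and only the home server, which holds the private key, can open it. The key size and the class and method names are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import javax.crypto.Cipher;

// Added example, not from the lecture: an agent seals data for its home server
// under the home server's public key. Key size and names are assumptions.
public class SealForHome {
    private static final String RSA_OAEP = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";

    // Done once at the home server; only the public half travels with the agent.
    static KeyPair homeKeyPair() throws GeneralSecurityException {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        return gen.generateKeyPair();
    }

    // Run on a visited server: the agent seals what it collected so that the
    // visited server, which executes the agent, cannot read it.
    static byte[] seal(PublicKey homePublic, String secret) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance(RSA_OAEP);
        c.init(Cipher.ENCRYPT_MODE, homePublic);
        return c.doFinal(secret.getBytes(StandardCharsets.UTF_8));
    }

    // Run only at the home server, where the private key stays.
    static String open(PrivateKey homePrivate, byte[] sealed) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance(RSA_OAEP);
        c.init(Cipher.DECRYPT_MODE, homePrivate);
        return new String(c.doFinal(sealed), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        KeyPair home = homeKeyPair();
        // Constructed sample: an access key the agent must carry but not expose.
        byte[] sealed = seal(home.getPublic(), "access key for server B");
        System.out.println("visited server sees " + sealed.length + " opaque bytes");
        try {
            // A visited server holds only the public key; OAEP refuses to decrypt with it.
            Cipher c = Cipher.getInstance(RSA_OAEP);
            c.init(Cipher.DECRYPT_MODE, home.getPublic());
            c.doFinal(sealed);
        } catch (GeneralSecurityException e) {
            System.out.println("visited server cannot open it: " + e.getMessage());
        }
        System.out.println("home server reads: " + open(home.getPrivate(), sealed));
    }
}
```

Direct RSA encryption is limited to a short message; for larger state the same pattern applies with a random symmetric key sealed by RSA and the data encrypted under that key.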
19 Secrecy of Data to the Server (3)
[Diagram: Malicious host, Malicious agent, Innocent agent; label "Helps to retrieve info"]
20 Conclusion
- Trust no one except trusted servers.
21 Agent Masquerading as a Trusted User
[Diagram: a Malicious agent arriving at an Innocent host pretends to be a trusted user]
- Ownership: Digital Signature (applicable)
- State: Digital Signature (not applicable), because the state will change
22 Tampered Agent
[Diagram: Tampered agent; label "Both may be altered"]
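The ownership check of slides 21 and 22 in standard Java, as an added example that is not from the lecture or the Aglets SDK: the owner signs the agent's code, which does not change in transit, and a receiving server verifies it under the claimed owner's public key, rejecting altered code and signatures made with any other key. The mutable state is deliberately left outside the signature, as the slides point out. Key size and all names are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;

// Added example, not from the lecture: the owner signs an agent's code, which
// does not change in transit; the state, which does, is left out of the
// signature as slides 21 and 22 point out. Key size and names are assumptions.
public class SignedAgentCode {
    static KeyPair ownerKeyPair() throws GeneralSecurityException {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        return gen.generateKeyPair();
    }

    // Owner's side, before dispatch: sign the immutable code bytes.
    static byte[] signCode(PrivateKey ownerPrivate, byte[] code) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(ownerPrivate);
        s.update(code);
        return s.sign();
    }

    // Receiving server: the code is accepted only if it verifies under the
    // claimed owner's public key; any alteration or forged signature fails.
    static boolean verifyCode(PublicKey ownerPublic, byte[] code, byte[] sig) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(ownerPublic);
        s.update(code);
        return s.verify(sig);
    }

    public static void main(String[] args) throws Exception {
        KeyPair owner = ownerKeyPair();
        // Constructed stand-in for the agent's class bytes.
        byte[] code = "class HelloAglet { ... }".getBytes(StandardCharsets.UTF_8);
        byte[] sig = signCode(owner.getPrivate(), code);
        System.out.println("genuine code verifies: " + verifyCode(owner.getPublic(), code, sig));

        byte[] tampered = code.clone();
        tampered[0] ^= 0x01;  // a single bit altered in transit
        System.out.println("tampered code verifies: " + verifyCode(owner.getPublic(), tampered, sig));

        // A masquerading agent has no access to the owner's private key, so a
        // signature made with some other key does not verify as the owner's.
        KeyPair impostor = ownerKeyPair();
        byte[] forged = signCode(impostor.getPrivate(), code);
        System.out.println("impostor signature verifies: " + verifyCode(owner.getPublic(), code, forged));
    }
}
```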
23 Agent Exceeds its Authority and Harms the Server
[Diagram label: The correct identity is proved]
24 Agent Language Properties
- Language Safety
  - Any illegal access to system resources and private information must be strictly prohibited.
  - An important point is that this must be taken into consideration at the language design level, as in Java.
- Authorisation enforcement
  - All agents must be strictly controlled under the security policy defined by the authority.
25 Security Model (Aglet)
[Diagram: Three Principals; Program]
26 Security Model (Context) (1)
[Diagram: a Server with PolicyA and PolicyB, i.e. different security policies]
27 Security Model (Context)
[Diagram: Three Principals; OS process; Program]
28 Security Model (Network Domain)
[Diagram: A Principal; Domain Authority; Domain (group of servers); the domain authority judges the membership of servers]
29 Permissions (1)
- Based on JDK1.2 policy definition
  - FilePermission
  - NetworkPermission
  Permission        Target               Actions
  FilePermission    /tmp/                read, write
  FilePermission    C:\public\           read
  SocketPermission  trl.ibm.com:100-100  connect
  SocketPermission  trl.ibm.com:100-300  listen, connect, accept
30 Security Models in Java (1)
[Diagram, JDK1.0: Remote Code runs in the Sand Box with restricted access; Local Code runs in the JVM with full access to resources; the Security Manager mediates access to System Resources]
[Diagram, JDK1.1: as in JDK1.0, but Trusted Signed Code from a remote source is given full access to resources like Local Code]
31 Security Models in Java (2)
[Diagram, JDK1.2: Local Code and Remote Code are both mapped by the Security Policy into Domains with full or restricted access to System Resources, under the Security Manager]
The runtime system organises code into individual domains, each of which encloses a set of classes whose instances are granted the same set of permissions.
32 Permissions (2)
- Aglet Permission
  - an aglet can be allowed to invoke methods defined in another aglet owned by a principal
  Permission        Owner    Methods
  AgletPermission   Oshima   dispose
  AgletPermission            dispatch
33 Protection
- Aglet Protection against access
  Protection        Owner    Methods
  AgletProtection   Oshima   dispose
  AgletProtection            dispatch
  - Oshima is only allowed to dispose aglets which he created.
34 Permissions (3)
- Context Permission
  - an aglet can be granted permission to use services provided by the context.
  Target name format: codebase_at_classname
  Permission          Target                Actions
  ContextPermission   examples.HelloAglet   create
  ContextPermission   context               start, remove
  [Diagram label: Listener Interface]
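The permission fragments of slides 29, 32 and 34 written out as one JDK1.2-style policy file, as an added example that is not from the lecture or the Aglets SDK. The signer alias "Oshima", the `*` wildcards standing in for the slides' directory paths, and the `com.ibm.aglets.security` package of the Aglet permission classes are assumptions; the slides give only the bare class names.

```text
// Added example (assumed layout): a JDK1.2 policy file granting the slides'
// permissions to code signed by the alias "Oshima" (alias assumed).
grant signedBy "Oshima" {
    // Slide 29: file and socket permissions ("*" = files directly in that directory)
    permission java.io.FilePermission "/tmp/*", "read,write";
    permission java.io.FilePermission "C:\\public\\*", "read";
    permission java.net.SocketPermission "trl.ibm.com:100-100", "connect";
    permission java.net.SocketPermission "trl.ibm.com:100-300", "listen,connect,accept";

    // Slide 32: invoke dispose and dispatch on aglets owned by the principal Oshima
    // (package name assumed; the slide shows only "AgletPermission")
    permission com.ibm.aglets.security.AgletPermission "Oshima", "dispose,dispatch";

    // Slide 34: use context services (create the HelloAglet class; the start/remove
    // actions belong to the context's listener interface per the slide's label)
    permission com.ibm.aglets.security.ContextPermission "examples.HelloAglet", "create";
    permission com.ibm.aglets.security.ContextPermission "context", "start,remove";
};
```

Backslashes inside policy-file strings are doubled, and a permission is only as narrow as its target: `/tmp/*` does not extend to subdirectories, whereas `/tmp/-` would.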
35 Hierarchy of Authorities
- A higher authority can override permissions and protections set out by a lower authority
  - E.g., in a company, the CIO can override some orders issued by his/her staff. In an OS, the superuser supersedes any permission set on files, etc. by users.
36 Security Policies (1)
- A security policy is a set of rules.
[Diagram label: Aglet Owner]