Aglets (10) - Aglet Security - Kenji Taguchi, Dept. Information Science, Uppsala University

1
Aglets (10) - Aglet Security - Kenji Taguchi, Dept. Information Science, Uppsala University
2
Security in the Internet
  • Application Level (e.g., e-Commerce)
  • Some confidential information is transmitted
  • Credit Card Info
  • Mail address, ...
  • Security protocols such as SSL are used to assure
    security
  • Mobile Agents are a threat to a system
  • There are also many threats to mobile agents
  • Some security threats to mobile agents are common
    problems in the Internet, but some are not.

3
Mobile Agents Security Problems (1)
  • Agent Protection
  • Malicious Remote Hosts
  • Tampering
  • illegal execution
  • illegal access
  • A malicious agent threatens another innocent
    agent
  • illegal access
  • Unauthorised third parties threaten an innocent
    agent
  • altering
  • eavesdropping

In the framework of mobile agents
Outside of the framework of mobile agents
4
Mobile Agents Security Problems (2)
  • Host Protection
  • A malicious agent threatens an innocent host
  • illegal access
  • masquerade
  • Trojan horse
  • denial of service
  • repudiation
  • Unauthorised third parties threaten an innocent
    host
  • denial of service and replay
  • Network Protection
  • A malicious agent threatens the network
  • denial of service

5
Taxonomy of Attacks (1)
  • Passive Attacks
  • do not modify the agents and other information
  • e.g., eavesdropping, traffic analysis
  • Monitoring traffic (analysing transmitted
    packets) is an easy job.
  • Active Attacks
  • do something harmful to the agents

6
Passive Attacks
[Diagram: Agent, Server, Info, Perpetrator]
7
Active Attacks (1)
  • Illegal Access
  • An agent accesses forbidden information.
  • Masquerade
  • A malicious agent pretends to be a trusted agent
    or an agent from a trusted organisation.
  • Trojan Horse
  • An agent that does something different from its
    intention

8
Active Attacks (2)
  • Alteration
  • An agent or message is deleted or changed while
    in transit
  • Replay
  • A captured copy of a previously sent legitimate
    agent is retransmitted for an illegitimate purpose.

9
Active Attacks (3)
  • Resource Exhaustion (Denial of Service (DOS))
  • A resource is deliberately used so heavily that
    service to other users is disrupted.
  • E.g., the recent attacks against Yahoo.
  • Repudiation
  • A party to a communication exchange later denies
    that the exchange took place.

10
Cryptography
  • Secret Key Cryptography
  • Public Key Cryptography
  • Invented in 1975

[Diagram: Plain Text, encrypted with the Public Key, becomes Encrypted Text; Encrypted Text, decrypted with the Private Key, becomes Plain Text]
11
Digital Signature
  • Public Key

[Diagram: Plain Text, signed with the Private Key (Signature), becomes Signed Text; Signed Text is checked with the Public Key (Verification)]
12
Security Services (1)
  • Authentication
  • Authentication of user (public-key encryption or
    password)
  • Authentication of host
  • Authentication of code (digital signatures)
  • Authentication of agent (owner)
  • Public-key
  • password

Agent
Code
Digital signatures
13
Security Services (2)
  • Integrity
  • It must be ensured that an agent's state and code
    have not been tampered with
  • Confidentiality
  • An agent may have some confidential information
    which should be accessible only to trusted
    entities (servers, agents, etc).
  • Authorisation
  • Access control is given according to an agent's
    principal.
  • Nonrepudiation
  • An agent or server cannot deny that a given
    communication exchange has taken place.
  • Auditing
  • An auditing service records activities and those
    are later used for inspection.

14
Inherent Limits to Agent Security Issues
private info
15
Agent Execution
  • Every execution of an agent is done by the
    server (runtime system).

16
Secrecy of Data to the Server
Private information must be sealed from the
server. E.g., an agent carries an access key for
a specific server, which should be kept secret from
others. One way to solve this problem is to
encrypt the key with that server's public key; it
can then be decrypted only with that server's
private key.
The server can read, steal and tamper with
information an agent carries.
17
Secrecy of Data to the Server (1)
Home
private
Only the server which has the private key can
decrypt the data
public
18
Secrecy of Data to the Server (2)
Home
encrypted data
Send the data back to the home server
Given secret data
Only the server which has the private key can
decrypt the data
data
Encrypt the data with the home server's public key.
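As an added example (not from the original slides or the Aglets code base), the sealing step of slides 16 to 18 in plain Java: the agent carries only the home server's public key, a later host cannot open the sealed value, and the last step shows that sealing alone does not stop a host from substituting a value of its own. Class and method names are hypothetical and the quote strings are constructed.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import javax.crypto.Cipher;

// Added illustration: hypothetical names, not the Aglets API.
public class SealedResultDemo {
    static final String RSA_OAEP = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";

    // Runs on a remote host: the agent needs only the home server's public key.
    static byte[] seal(PublicKey homePublic, String secret) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance(RSA_OAEP);
        c.init(Cipher.ENCRYPT_MODE, homePublic);
        return c.doFinal(secret.getBytes(StandardCharsets.UTF_8));
    }

    // Runs on the home server only: it is the sole holder of the private key.
    static String open(PrivateKey homePrivate, byte[] sealed) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance(RSA_OAEP);
        c.init(Cipher.DECRYPT_MODE, homePrivate);
        return new String(c.doFinal(sealed), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair home = gen.generateKeyPair();
        KeyPair laterHost = gen.generateKeyPair();   // a host visited after sealing

        byte[] sealed = seal(home.getPublic(), "quote=120 SEK");   // constructed sample data
        System.out.println("home opens: " + open(home.getPrivate(), sealed));

        try {
            open(laterHost.getPrivate(), sealed);
            System.out.println("later host opened the sealed data");
        } catch (GeneralSecurityException e) {
            System.out.println("later host cannot decrypt: " + e.getClass().getSimpleName());
        }

        // Caveat: the public key is public, so any host can seal a value of its own
        // and swap it in. Confidentiality is provided; integrity and origin are not.
        byte[] replaced = seal(home.getPublic(), "quote=999 SEK"); // constructed sample data
        System.out.println("home opens replaced value: " + open(home.getPrivate(), replaced));
    }
}
```

The host on which `seal` runs still sees the plaintext, which is the inherent limit slide 16 states: the server executing the agent can read whatever the agent handles there.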
19
Secrecy of Data to the Server (3)
Malicious host
Malicious agent
Helps to retrieve info
Innocent agent
20
Conclusion
  • Trust no one except trusted servers.

21
Agent Masquerading as a Trusted User
Innocent host
Pretends to be a trusted user
Malicious agent
Ownership
Digital Signature (applicable)
State
Digital Signature (not applicable)
The state will change
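As an added example (not from the original slides or the Aglets code base), this Java sketch shows why the slide marks a digital signature as applicable to ownership but not to state: a signature over code and owner still verifies after a hop, while one that also covers the state stops verifying as soon as a host updates it. Class names, the field encoding and the sample strings are constructed for illustration.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.*;

// Added illustration: hypothetical names, not the Aglets API.
public class SignedAgentDemo {
    // Length-prefixed concatenation so field boundaries cannot be shifted.
    static byte[] encode(String... fields) {
        int size = 0;
        for (String f : fields) size += 4 + f.getBytes(StandardCharsets.UTF_8).length;
        ByteBuffer buf = ByteBuffer.allocate(size);
        for (String f : fields) {
            byte[] b = f.getBytes(StandardCharsets.UTF_8);
            buf.putInt(b.length).put(b);
        }
        return buf.array();
    }

    static byte[] sign(PrivateKey key, byte[] data) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(key);
        s.update(data);
        return s.sign();
    }

    static boolean verify(PublicKey key, byte[] data, byte[] sig) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(key);
        s.update(data);
        return s.verify(sig);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair ownerKeys = gen.generateKeyPair();
        PublicKey pub = ownerKeys.getPublic();

        String code = "class Shopper { void run() {} }";  // constructed stand-in for class bytes
        String owner = "Oshima";
        String state = "hop=0;bestPrice=none";            // constructed mutable state

        byte[] sigFixed = sign(ownerKeys.getPrivate(), encode(code, owner));
        byte[] sigAll = sign(ownerKeys.getPrivate(), encode(code, owner, state));

        state = "hop=1;bestPrice=120";                    // a host legitimately updates the state
        System.out.println("code+owner after hop:   " + verify(pub, encode(code, owner), sigFixed));
        System.out.println("code+owner+state:       " + verify(pub, encode(code, owner, state), sigAll));
        System.out.println("modified code:          " + verify(pub, encode(code + "//x", owner), sigFixed));
        System.out.println("different owner claim:  " + verify(pub, encode(code, "Mallory"), sigFixed));
    }
}
```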
22
Tampered Agent
Tampered agent
Both may be altered
23
Agent Exceeds its Authority and Harms the Server
The correct identity is proved
24
Agent Language Properties
  • Language Safety
  • Any illegal access to the system resources and
    private information must be strictly prohibited.
  • An important point is that this must be taken
    into consideration at the language design level,
    as in Java.
  • Authorisation enforcement
  • All agents must be strictly controlled under the
    security policy defined by the authority.

25
Security Model (Aglet)
Three Principals
  • Aglet

Program
  • Manufacturer
  • Owner

26
Security Model (Context) (1)
Server
PolicyA
PolicyB
Different security policies
27
Security Model (Context)
Three Principals
  • Context

OS process
Program
  • Manufacturer
  • Owner

28
Security Model (Network Domain)
A Principal
Domain Authority
Domain (Group of servers)
Judges the membership of Servers
29
Permissions (1)
  • Based on JDK1.2 policy definition
  • File Permission
  • NetworkPermission

FilePermission /tmp/ read, write
FilePermission C:\public\ read
SocketPermission trl.ibm.com:100-100 connect
SocketPermission trl.ibm.com:100-300 listen, connect, accept
30
Security Models in Java (1)
Remote Code
Local Code
JDK1.0
JVM Full Access to Resources
Sand Box Restricted Access
Security Manager
System Resources
Trusted Signed Code
Remote Code
JDK1.1
Local Code
JVM Full Access to Resources
Sand Box Restricted Access
Security Manager
System Resources
31
Security Models in Java (2)
Local Code/ Remote Code
Security Policy
JDK1.2
JVM Full Access to Resources
Sand Box Restricted Access
Domain
Security Manager
System Resources
The runtime system organises code into individual
domains, each of which encloses a set of classes
whose instances are granted the same set of
permissions.
32
Permissions (2)
  • Aglet Permission
  • an aglet can be allowed to invoke methods defined
    in another aglet owned by a principal

AgletPermission Oshima dispose
AgletPermission dispatch
Methods
Owner
33
Protection
  • Aglet Protection against access

AgletProtection Oshima dispose
AgletProtection dispatch
Oshima is only allowed to dispose aglets which
he created.
Methods
Owner
34
Permissions (3)
  • Context Permission
  • an aglet can be granted permission to use
    services provided by the context.

codebase_at_classname
ContextPermission examples.HelloAglet create
ContextPermission context start,remove
Listener Interface
35
Hierarchy of Authorities
  • A higher authority can override permissions and
    protections set out by a lower authority

E.g., in a company, the CIO can override some
orders issued by his/her staff. In an OS, the
superuser supersedes any file permissions, etc.,
set by users.
36
Security Policies (1)
  • A security policy is a set of rules.

Aglet Owner