Enabling Technologies for Wireless E-Business, part 6
190 B. Yang and J. Liu
fitness value an agent has, the more pheromone it will release. When agents move
to a crossroad, they will preferentially select the path with a denser concentration
of pheromone. A group of mobile agents will solve the DOPS collectively through
a positive feedback mechanism: agents that can find optimal solutions will have a
higher fitness value; their routes will have denser pheromone levels, attracting
more agents to choose them; and bad agents with a lower fitness value will adjust
their direction of travel (or other behaviors) by following the good agents. Eventually, after a period of evolution driven by this positive feedback, the entire system
reaches an equilibrium state corresponding to the desired optimal solution.
In this model, changes to an agent's fitness value embody its self-adaptive behavior as a single entity, while the positive feedback loop embodies the self-organized behavior of the multiple agents.
8.5 Security
With code migration, the mobile agent paradigm brings increased performance
and flexibility to distributed systems. On the other hand, the ability to move in
itself brings significant security threats, to both agents and hosts. Only a convincing
solution to these security problems will allow the mobile agent paradigm to become a mainstream software technique for constructing large-scale
distributed commercial applications.
8.5.1 Issues and Countermeasures
Two main types of threat need to be addressed: agent-to-system and system-to-agent attacks. Jansen et al. [27] present a good survey of the threats faced by the
mobile agent paradigm and the corresponding countermeasures.
The agent-to-system category covers threats in which agents exploit security weaknesses to attack an agent system. This group mainly comprises
masquerading, denial of service, and unauthorized access. Conversely, the system-to-agent category covers threats in which systems attack agents that are situated
within them. Again, masquerading and denial of service form part of this group, as
additionally do eavesdropping and alteration.
Many conventional security techniques used in traditional distributed applications, such as identity authentication, encryption, integrity verification, authorization, and access control, are also useful as countermeasures within the
mobile agent paradigm. There are also several extensions to these conventional
techniques and new methods devised specifically to control mobile agent security.
Jansen et al. [27] survey some recently developed security techniques. Countermeasures aimed at platform protection include software-based fault isolation, safe
code interpretation, signed code, authorization and attribute certificates, state appraisal, path histories, and proof-carrying code. Countermeasures for agent protection include partial result encapsulation, mutual itinerary recording, itinerary
recording with replication and voting, execution tracing, environmental key generation, computing with encrypted functions, and obfuscated code.
8 Mobile Agents: The State of the Art 191
8.5.2 Facility
In this section we present a concrete mobile agent security facility (MASF), which
we have developed ourselves, in order to illustrate some of the threats and countermeasures discussed earlier from a more practical, implementation-oriented
point of view [28].
Issues
The security threats that may occur over the whole lifecycle of a mobile agent
come from both malicious agents and the hosts to which agents migrate. Malicious
mobile agents may access and modify data to which they should not have access
or attempt to interfere with the execution of their hosts. The potential threats, from
both the agent and host points of view, can be:
• Before migration. Threat A: During mobile agent storage, the repository
might be invaded and the code or class for the mobile agent changed before
initiation.
• During migration. Threat B1: When a mobile agent carrying confidential data migrates across networks that are controlled by neither the sender nor the receiver, that data may be disclosed, which could be fatal. Threat B2: The
execution logic of the mobile agent might also be changed by an interceptor,
which might cause damage to the destination host.
• After migration. Threat C1: the supposed “destination” might in fact be a
counterfeit, created by a business rival to steal important information being
carried by the mobile agent. Threat C2: even if the destination is correct, the
agent may still be deceived by a malicious host. For example, it might not
receive the contracted services or resources, or might even be maliciously
changed before going for another hop. Threat C3: At the same time, the landing host of the mobile agent should also be sure that the incomer is from the
correct service contractor and will not cause it any damage. Threat C4: even
if the mobile agent does come from the correct peer, the host still needs to
keep itself informed about its behavior in case the agent does something that
goes beyond its contract or its rights on the system.
Countermeasures
To address such threats, a MASF must provide the following features:
• Authentication. This involves checking whether or not an agent comes from
a trustworthy source. This can involve asking for the authentication details to
be sent from the site where the mobile agent was launched or from which it
last migrated. At the same time, authentication also enables the mobile agent
to be aware of the real identity of the receiver, which should be the proper
service level agreement (SLA) contractor. Authentication is mainly used to
solve threats C1 and C3 as described earlier. It can also be used to check on
users who want to access the mobile agent repository, which also involves
threat A.
• Confidentiality. When a mobile agent transports confidential data, the
transmitted agent must be encrypted while in transit. This makes it useless to
any host that cannot decrypt it, which should be only the designated server.
Confidentiality, implemented by encryption/decryption,
can cope with the potential data disclosure of threat B1, and encrypting agents at rest can likewise protect the
repository from attack (threat A).
• Integrity. On reception, the mobile agent must be checked for any
modification or corruption, whether due to network transmission errors or intentional
tampering. Note that a plain checksum only catches transmission errors; detecting deliberate modification requires a keyed check (a digital signature or a MAC) that the attacker cannot recompute. If the integrity check fails, the receiver can ask the client to repeat
the transmission. This protects the mobile agent from the code modification attack outlined in threat B2.
• Authorization. This determines the mobile agent’s access permissions to
host resources. It is intended to protect those resources from unauthorized or
overused access. It indicates, for example, how many times a resource can be
accessed or how much it can be used, and what type of access the agent can
perform. For instance, one agent on behalf of a network administrator may
be able to read, write, and modify a given resource and have unlimited access
to it, whilst another agent representing a normal user may only be able to
read the resource and access it a limited number of times. Authorization
mainly deals with the runtime actions of the mobile agent. Usually this is
achieved through an access control policy that grants access to system
resources based upon different levels of trust. Authorization, empowered by
access control, can defeat threat C4.
• Logging. This is a mechanism to keep track of any events relevant to security, such as an agent trying to access system resources or the system itself,
as well as authentication failures. These events should be logged to a file for
later analysis. Logging can, to some degree, detect (and therefore help deter) a
mobile agent being deceived by the host, as described in threat C2.
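The following is an added example, not code from the chapter or from the authors' MASF, showing how the authentication, integrity, authorization and logging features above fit together on one hop of an agent. It assumes (beyond what the text states) that peer hosts share pre-provisioned secret keys, so an HMAC tag stands in for the digital signatures and certificates the MASF uses; confidentiality (encryption in transit) is deliberately left out. The host names, resources and policy are constructed sample data.

```python
"""Added example (not the chapter's or the authors' MASF code): a minimal
agent-transfer envelope with sender authentication, a keyed integrity tag,
an authorization policy with usage quotas, and a security event log.

Assumptions not in the original text: per-peer shared HMAC keys replace
signatures/certificates; agent code is an opaque bytes blob; no encryption."""
import hashlib
import hmac
import json
import secrets

# Constructed sample keys; a deployment would load these from a key store.
PEER_KEYS = {"hostA": secrets.token_bytes(32), "hostB": secrets.token_bytes(32)}

SECURITY_LOG = []  # events relevant to security (the chapter's "Logging")


def log(event, **fields):
    SECURITY_LOG.append({"event": event, **fields})


def pack_agent(sender, code, state, itinerary):
    """Serialize the agent and bind it to the sender with an HMAC tag (threats B2, C3)."""
    body = {
        "sender": sender,
        "code": code.hex(),
        "state": state,
        "itinerary": itinerary,
        "nonce": secrets.token_hex(8),  # makes each envelope distinct
    }
    raw = json.dumps(body, sort_keys=True).encode()
    tag = hmac.new(PEER_KEYS[sender], raw, hashlib.sha256).hexdigest()
    return {"body": raw, "tag": tag}


def unpack_agent(envelope, trusted_senders):
    """Authenticate the sender and verify integrity; return the agent body or None."""
    body = json.loads(envelope["body"])
    sender = body.get("sender")
    if sender not in trusted_senders or sender not in PEER_KEYS:
        log("auth_failure", sender=sender)
        return None
    expected = hmac.new(PEER_KEYS[sender], envelope["body"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, envelope["tag"]):
        log("integrity_failure", sender=sender)  # receiver may request retransmission
        return None
    log("agent_accepted", sender=sender, hops=len(body["itinerary"]))
    return body


class AccessPolicy:
    """Authorization: per-principal operations and remaining access quota (threat C4)."""

    def __init__(self, grants):
        # grants: principal -> {resource: (allowed_ops, max_uses or None for unlimited)}
        self.grants = {
            p: {r: [set(ops), n] for r, (ops, n) in res.items()} for p, res in grants.items()
        }

    def check(self, principal, resource, op):
        entry = self.grants.get(principal, {}).get(resource)
        if entry is None or op not in entry[0]:
            log("access_denied", principal=principal, resource=resource, op=op)
            return False
        if entry[1] is not None:
            if entry[1] <= 0:
                log("quota_exceeded", principal=principal, resource=resource, op=op)
                return False
            entry[1] -= 1
        log("access_granted", principal=principal, resource=resource, op=op)
        return True


def demo():
    """One hop hostA -> hostB, a tampered copy of the same envelope, then policy checks."""
    env = pack_agent("hostA", b"bid = lookup('price')", {"owner": "admin"}, ["hostA", "hostB"])
    accepted = unpack_agent(env, trusted_senders={"hostA"})
    # An interceptor rewrites the itinerary but cannot recompute the tag.
    tampered = {"body": env["body"].replace(b"hostB", b"evilB"), "tag": env["tag"]}
    rejected = unpack_agent(tampered, trusted_senders={"hostA"})
    policy = AccessPolicy({
        "admin": {"/db/prices": (("read", "write"), None)},  # unlimited
        "user": {"/db/prices": (("read",), 2)},              # read-only, twice
    })
    results = [policy.check("user", "/db/prices", "read") for _ in range(3)]
    results.append(policy.check("user", "/db/prices", "write"))
    results.append(policy.check("admin", "/db/prices", "write"))
    return accepted is not None, rejected is None, results


if __name__ == "__main__":
    print(demo())
    for event in SECURITY_LOG:
        print(event)
```

The tag covers the whole serialized body, so any change to code, state or itinerary in transit fails `hmac.compare_digest`; the quota counter in `AccessPolicy` is what turns "how many times a resource can be accessed" into an enforced limit rather than a logged one.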
Architecture
The implementation of these features, for the protection of both mobile agent and
host, is achieved in the MASF, the architecture of which is illustrated as Fig. 8.6.
MASF architecture is functionally divided into two layers, the higher being a
function layer and the lower a base service layer. The components or services in
the latter are common functionalities used by the former.
Obviously, many services of the function layer depend on cryptographic functions based on either symmetric or asymmetric keys to encrypt/decrypt and sign
data. Therefore, MASF has a cryptography library integrated in its base service
layer.
data integrity and authentication services, using digital signatures. The authentica
The key management service enables users to administer their own public/
private key pairs and associated certificates for use in self-authentication or