Security - Telenor
Security - Telenor
Security - Telenor
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
Tønnes Brekne (31) is on leave<br />
from his position as Research<br />
Scientist at <strong>Telenor</strong> R&D. He is<br />
currently a doctoral student at<br />
the Department of Telematics at<br />
the Norwegian University of Science<br />
and Technology in Trondheim.<br />
Tonnes.Brekne@item.ntnu.no<br />
tonnes.brekne@telenor.com<br />
34<br />
Mobile Agents and (In-)security<br />
TØNNES BREKNE<br />
1 Introduction<br />
A mobile autonomous agent is a process that is<br />
capable of migrating between different execution<br />
environments during its computation. In doing<br />
so, it may cross boundaries between different<br />
domains, and do parts of its computation on<br />
different hosts.<br />
EXAMPLE 1. An autonomous mobile agent could be<br />
a program which visits database hosts to search<br />
for data, and place orders for query results at<br />
those sites where relevant data are found.<br />
There also exist mobile agents that are not<br />
autonomous, which follow data, and might<br />
even be embedded in data.<br />
EXAMPLE 2. Word and Excel macros embedded<br />
in the corresponding document types are examples<br />
of mobile agents that are embedded in document<br />
data, and that are supposed to lack autonomy,<br />
although they sometimes are autonomous.<br />
There is no inherent harm in using mobile software.<br />
As with other software, security issues<br />
should be satisfactorily resolved before using<br />
mobile software. Unresolved security issues usually<br />
introduce risks which are not under control.<br />
Knowledge about how to secure systems free<br />
of mobile agents is fairly widespread – at least<br />
among security professionals. What is not so<br />
widespread is knowledge about how one secures<br />
a system properly against any ill effects caused<br />
by mobile agent systems, especially those where<br />
the agents supported can be autonomous. This is<br />
primarily because such knowledge is currently<br />
far from complete.<br />
Code mobility violates several assumptions<br />
which are usually considered reasonable for systems<br />
without code mobility. Chess lists in [2] a<br />
number of previously reasonable assumptions<br />
that are violated by mobile code. Each of these<br />
violations gives an attacker more possibilities.<br />
Many of the services envisioned as important<br />
applications of mobile agents, require the agents<br />
to act as representatives of one identifiable legal<br />
person. This has important implications for the<br />
required level of security, because such action<br />
somehow has to be made legally valid. Such services<br />
will probably require the agent to be capable<br />
of generating a valid digital signature on<br />
behalf of its owner: the legal person sending the<br />
agent which is also represented by the agent. In<br />
any case some sort of signature traceable back<br />
to the agent’s owner will probably be required.<br />
Agents acting as representatives of legal persons<br />
may also have other requirements they must fulfill.<br />
EXAMPLE 3. Consider an agent that carries out a<br />
transaction on behalf of its owner. What happens<br />
if a fault disrupts the transaction? Two<br />
possibilities are:<br />
• The agent crashes on the host platform right<br />
after it commits to the transaction. Because<br />
it crashes, it does not return to its owner to<br />
inform the owner of the transaction’s completion.<br />
If the agent system has “at least once”<br />
semantics, then the owner’s system might send<br />
a new agent with the same instructions once<br />
more, potentially duplicating all the transactions<br />
that the first agent was supposed to<br />
carry out. If the agent system has “at most<br />
once” semantics, then the owner’s system<br />
might not do anything, and get a surprise<br />
when the service provider sends its bill.<br />
• The agent crashes during the transaction.<br />
Depending on the exact type of fault, and the<br />
construction of the agent platform itself, the<br />
host may not be able to recover the computation.<br />
In this case, the host might be able to roll<br />
back the transaction. Otherwise this is similar<br />
to the case above, with the exception that the<br />
transaction was not completed.<br />
The point of the above exercise is to demonstrate<br />
that fault-tolerance issues border on some security<br />
issues, and that the fault handling one selects<br />
has an influence on what happens when things<br />
go wrong. Faults may be induced by attacks<br />
(denial of service attacks, for example), so the<br />
way one handles faults is relevant not only for<br />
dependability, but also in part for the security<br />
of mobile agent systems.<br />
There are other issues as well. When an agent<br />
enters a domain under the control of another<br />
operator than the one it was sent from, there<br />
is the question of policy compatibility:<br />
• The agent may have defined which parts of it<br />
the host platform may pass on to the host, and<br />
which are only for use within the agent platform.<br />
This access control pattern may or may<br />
Telektronikk 3.2000