Security - Telenor
Sets definable by such predicates are also called properties. Sets that cannot be defined by first-order logic are called quasi-properties for the duration of this article.
A system, or a part of it, is called secure if one or both of the following hold:
1. the operator's risk associated with operating the system is bounded and under control;
2. all executions adhere to the security policy defined using the risk assessment.
There exist many models for access control, but until recently only one mechanism was in widespread use in implementations: the reference monitor. Execution monitoring can be considered a generalization of the reference monitor model, where a monitor is built into a process p prior to execution. This monitor observes events, states, or a combination of these as they occur during p's execution. The observed actions form a string σ which is a prefix of some execution ψ ∈ Ψ_p (the executions of p). If no execution in Ψ_p ∩ P has σ as a prefix, the process p is terminated: by definition p has violated the security policy by attempting an execution not in P. Note that the monitor must intercept each action before it takes effect; terminating p after the action has already happened is detection, not enforcement.
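The prefix test described above, as an added example that is not code from the article: the policy P is encoded as a security automaton in the style usually used for execution monitoring, so "no execution in Ψ_p ∩ P has σ as prefix" becomes "the automaton has no transition for the next event". The event names, the two policies (no network send after a local read, and at most n occurrences of an event) and the monitored traces are assumptions constructed for the illustration. Such a monitor can only enforce policies whose violation is visible in a finite prefix, which is why both policies here are of that kind.

```python
"""Execution monitor as a security automaton (added example, not from the article).

The policy P is a deterministic automaton over events (an assumption for the
illustration). An event with no transition from the current state is one no
execution in P, and hence none in Psi_p ∩ P, can extend the prefix sigma
with, so the monitored process is terminated before that event takes effect.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Hashable, Iterable, List, Optional, Tuple

Event = Hashable
State = Hashable


@dataclass
class SecurityAutomaton:
    """Deterministic automaton over events; a missing transition means 'reject'."""
    initial: State
    transitions: Dict[Tuple[State, Event], State]
    state: State = field(init=False)

    def __post_init__(self) -> None:
        self.state = self.initial

    def accepts_next(self, event: Event) -> bool:
        """True iff some execution in P extends the prefix seen so far by `event`."""
        return (self.state, event) in self.transitions

    def step(self, event: Event) -> None:
        self.state = self.transitions[(self.state, event)]


def no_send_after_read() -> SecurityAutomaton:
    """Assumed policy: once the process has read a local file it may never send
    on the network. A violation is always visible in a finite prefix."""
    t: Dict[Tuple[State, Event], State] = {}
    for ev in ("compute", "send", "read"):
        t[("clean", ev)] = "tainted" if ev == "read" else "clean"
    for ev in ("compute", "read"):
        t[("tainted", ev)] = "tainted"
    # ("tainted", "send") is deliberately absent: no execution in P continues there.
    return SecurityAutomaton("clean", t)


def at_most_n(event: Event, n: int, others: Iterable[Event]) -> SecurityAutomaton:
    """Assumed resource-bounding policy: at most n occurrences of `event` per
    execution (for instance n descriptor allocations). The state is the count."""
    t: Dict[Tuple[State, Event], State] = {}
    others = list(others)
    for k in range(n + 1):
        for ev in others:
            t[(k, ev)] = k
        if k < n:
            t[(k, event)] = k + 1
    return SecurityAutomaton(0, t)


def run_monitored(process: Iterable[Event], policy: SecurityAutomaton,
                  perform: Optional[Callable[[Event], None]] = None):
    """Interpose the monitor between the process and the effect of each event.

    Each event is checked against the policy *before* `perform` carries it out;
    only that ordering gives enforcement rather than after-the-fact detection.
    Returns (status, sigma, offending_event) where sigma is the prefix that was
    allowed to execute.
    """
    sigma: List[Event] = []
    for event in process:
        if not policy.accepts_next(event):
            # No execution in Psi_p ∩ P has sigma + [event] as a prefix: terminate p.
            return ("terminated", sigma, event)
        policy.step(event)
        if perform is not None:
            perform(event)
        sigma.append(event)
    return ("completed", sigma, None)


if __name__ == "__main__":
    # Constructed event traces standing in for runs of a process p.
    print(run_monitored(["compute", "send", "read", "compute"], no_send_after_read()))
    print(run_monitored(["read", "compute", "send", "compute"], no_send_after_read()))
    print(run_monitored(["open"] * 4 + ["compute"], at_most_n("open", 3, ["compute", "close"])))
```

The `perform` callback is where the real platform would carry out the event (the system call, the message send); keeping it after `accepts_next` is the whole point of a reference monitor, and the test traces show that a rejected event is never performed.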
3 Securing Agents
This section lists many of the properties (and quasi-properties) one could wish for from mobile agents in a security context. It outlines the challenges that arise when one tries to construct agents that satisfy these properties. The challenges are subdivided according to the source-based partitioning of threats given in Section 1.
Mobile agents are dependent on a host platform, which:
1. supports their computations;
2. interacts with them; and
3. supports their interaction with other "nearby" agents.
In the case of the autonomous agent in Example 1, one possible platform type would be TACOMA. In the case of the macro agent in Example 2, the platform could be a Word or Excel program combined with the underlying network services used to transport Word and/or Excel documents between hosts.
From this starting point, threats can be partitioned according to their source(s):
• agents; and
• agent environments.
Many of the relevant problems have been studied in some depth before, either in the context of viruses (in the sense of Cohen [3]) or of hostile applets. The results for viruses are perhaps especially interesting for agents embedded in document data, as is the case with Excel and Word macros and with languages like PostScript. This article, however, will not focus on the challenges that still remain with respect to malicious software. In the following, subsections titled "Agent Attacks" deal with attacks carried out by agents on other agents in the host platform environment or on the host platform itself.
4 Availability
Availability is of fundamental importance. If resources are not available to legitimate users, other security properties or quasi-properties are usually of little or no interest. For an agent platform at some host, availability may be associated with an ability to:
• receive incoming agents, and initiate their computation within a reasonable amount of time;
• supply visiting agents with the resources necessary for them to complete their tasks at that host within a reasonable amount of time; and
• do limited recovery from faults, for as many types of faults as is cost-effectively possible.
For an agent at some platform, availability may be associated with an ability to:
• have limited fault-tolerance in the face of host-induced faults;
• have some graceful mode of failure as a (hopefully) last resort, which informs the sender of the failure, and how far the computation had proceeded prior to the failure.
Availability is primarily a dependability issue, but it is also security relevant. Several attacks are based on causing resource outages in the attacked system (or a component of it). Attacks of this type are usually called denial-of-service attacks. The point of causing resource outages may be to:
1. cause parts or all of the system to stop functioning, and thereby cause economic or other damage; or
2. create a vulnerability, which can subsequently be used to mount the "real" attack.
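The platform-side and agent-side availability properties listed above, as an added example that is not code from the article: the platform charges every attempt an agent makes, including retries, to a fixed step budget, so a visiting agent cannot hold resources indefinitely and starve other agents; the agent tolerates a bounded number of host-induced faults by retrying; and when either limit is hit it fails gracefully with a report saying how far the computation got, which is what the sender needs to resume or abandon the task. The step/budget model, the `HostFault` exception, the `Report` fields and the constructed flaky steps are assumptions for the illustration.

```python
"""Bounded execution with graceful failure reporting (added example, not from the article).

Models a host platform running a visiting agent under a step budget, and an
agent with limited fault tolerance and a graceful failure mode. All names,
limits and the constructed faulty steps are assumptions for the illustration.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Sequence, Tuple


class HostFault(Exception):
    """A transient fault induced by the host (e.g. a refused resource request)."""


@dataclass(frozen=True)
class Report:
    status: str             # "completed", "exhausted" or "failed"
    steps_done: int         # how far the computation had proceeded
    steps_total: int
    reason: Optional[str] = None


def run_agent(steps: Sequence[Callable[[], None]], step_budget: int,
              max_retries_per_step: int = 1) -> Report:
    """Execute the agent's steps in order under the platform's step budget.

    Every attempt, including a retry after a HostFault, is charged to the budget,
    so a faulty or hostile host cannot make the agent burn unbounded platform
    resources by provoking retries. On budget exhaustion or an unrecoverable
    fault the report records how many steps completed, for the sender.
    """
    used = 0
    for i, step in enumerate(steps):
        attempts = 0
        while True:
            if used >= step_budget:
                return Report("exhausted", i, len(steps), "step budget spent")
            used += 1
            attempts += 1
            try:
                step()
                break                      # step i done; move on
            except HostFault as fault:
                if attempts > max_retries_per_step:
                    return Report("failed", i, len(steps), f"host fault: {fault}")
                # limited fault tolerance: retry once more, charged to the budget
    return Report("completed", len(steps), len(steps))


def flaky_step(name: str, faults_before_success: int, log: List[str]) -> Callable[[], None]:
    """Constructed step that raises HostFault the first `faults_before_success` times."""
    remaining = [faults_before_success]

    def step() -> None:
        if remaining[0] > 0:
            remaining[0] -= 1
            raise HostFault(f"{name}: resource temporarily unavailable")
        log.append(name)
    return step


def demo(step_budget: int, faults: Sequence[int]) -> Tuple[Report, List[str]]:
    """Run an agent whose i-th step fails faults[i] times before succeeding."""
    log: List[str] = []
    steps = [flaky_step(f"step{i}", f, log) for i, f in enumerate(faults)]
    return run_agent(steps, step_budget), log


if __name__ == "__main__":
    print(demo(10, [0, 0, 0]))   # completes
    print(demo(10, [0, 1, 0]))   # one fault tolerated, still completes
    print(demo(10, [0, 2, 0]))   # second fault exceeds the retry limit: fails at step 1
    print(demo(3, [0, 1, 0]))    # retry consumed the budget: exhausted after 2 steps
```

Charging retries to the budget is the design choice worth noting: if retries were free, a host that kept faulting a single step would turn the agent's fault tolerance into a denial-of-service lever against the platform's other agents, which is exactly the second kind of outage the text warns about.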
Telektronikk 3.2000