Security - Telenor

More documents

Recommendations

Info

42 ating system(s) and/or platform to enforce access restrictions placed on the agents. The second attack is not necessarily halted by a virtual machine-based platform, although such a platform can thwart a selection of direct attacks. The problem is that the agent may try to do actions allowable within its platform environment, that still affect host data external to the platform in accordance with the platform’s policy, but in violation of the agent’s policy. EXAMPLE 7. Consider a spreadsheet which includes an embedded agent in the form of macros for a computation. A virtual machine executing those macros might allow write operations to one particular file on the host. An attacker could exploit this by letting the original embedded agent itself be harmless, while the output to the file is a spreadsheet with macros that make up a malicious agent. Such an agent might subsequently be executed with the permissions of a local user on the host. This type of attack is also related with the problems concerning legitimate usage of resources. The third type of attack can in part be thwarted using systematic trust management. Discerning intentionally falsified information from wrong information given in good faith is at best very difficult, and undecideable, as it encompasses at least one problem with inherent ambiguity (computers are generally not particularly good at deducing intent). Farmer et al. give examples of this type of attacks in [5]. The fourth attack is usually stopped by protocols constructed to take such conditions into account, or by restricting the communication of the agent (as is already done with Java applets). 6.2 Platform Attacks Platforms can attempt to compromise the integrity of an agent by 1. modifying data carried by the agent or in the agent’s workspace; 2. manipulating the agent’s execution; or 3. not properly protecting the agent’s workspace. The novel attack here is the manipulation of execution. Not only must the agent’s data be protected, but the agent’s execution must also be protected. Even if an agent could be executed in an encrypted form, this would still be a problem – the only difference would be that the platform would not know what it was doing. In effect, some sequence σ = σ 1 σ 2 ... σ n of actions must not be interfered with, or any interference must be detectable. 6.2.1 Execution Traces Vigna proposes in [9] a protocol, which in combination with a trusted third party, enables the sender to check the execution of an agent upon completion. The protocol bases itself upon a system where each platform records the execution trace of an agent from the agent’s execution on that platform. An execution trace is a series of pairs (n,s), where n uniquely identifies a particular action in the agent, and s records changes in internal variables as a result of the execution of n. In a sense this is nothing more than specifying the format of an “action”, as mentioned earlier, so these traces can also be considered executions in the sense mentioned in Section 2. The protocol itself consists of messages prior to, and after, the agent’s execution which transmit data about the agent and its execution. After an execution, the agent’s sender should be able to check an execution trace T p by using the data in T p to simulate the complete execution of the agent locally, and compare the outcome to that provided by the remote platform. Obviously, this check is only done when there is a suspicion that the remote platform somehow has tried to compromise the agent’s computation. Denote by E K (data) the symmetric encryption of “data” by encryption function E using key K. Denote by X s (data) the “data” signed with X’s private key. Denote by H(data) the hash value of “data”. Write the identity of the trusted third party as T. The notation A → m B:data denotes the transmission of message m from A to B, where message m consists of “data”. Let A be the sender of the agent in question. Denote by B 1 , ..., B n the list of platforms the agent is to visit. For the initial platform, the following steps initiate the protocol: 1. A m1 → B1 : As(A, B1,EKA(p, SA),As(A, iA,tA,H(p), T )) m2 2. B1 → A : B1s(B1,A,iA,H(m1),M) The field A s (A, i A , t A , H(p), T ) will also be written agent A , and be referred to as the agent token. The contents of the messages is given in Table 1. Telektronikk 3.2000
Before continuing, A must examine M to see if it constitutes an acceptance or refusal on B 1 ’s part. If it is a refusal, the protocol is finished. If it is an acceptance, the protocol continues for the initial platform as follows: 3. A m3 → B1 : As(A, B1,iA,B1p(KA)) m4 4. B1 → A : B1s(B1,A,iA,H(m3)) The contents of the messages is given in Table 2. When all necessary verifications have been done, B1 can begin executing the agent. This execution continues until the agent requests migration to a new platform B2 . The migration from any given Bi to Bj requires a separate protocol. Denote by T p B the trace produced by the part i of the execution carried out on Bi . The migration to the next platform Bj is initiated by the following three messages: 1. m 2. Bi ′ → Bj : Bis(KBi(p, SBi),H(m)) 3. m Bi → Bj : Bis(Bi,Bj, agentA,H(T p Bi ),H(SBi,tBi)) m Bj ′′ → Bi : Bjs(Bj,Bi,iA,H(m, m ′ ),M) The last field in the third message (M) contains either B j ’s acceptance to run the agent, or its refusal to run the agent. The contents of the messages are given in Table 3. 7 Authenticity There are two types of authenticity: 1. authenticity of origin; and 2. authenticity of identity. Authenticity of origin deals with proving or disproving the claimed identity of the creator of some data, be it art, code or something else. Authenticity of origin is a very hard problem, which might not have any good solution. With respect to agents, the most relevant cases probably include authenticity of the origin of: 1. data carried by an agent from its sender; 2. data acquired by an agent at some platform; 3. an agent’s code. Telektronikk 3.2000 Message Sender Recipient Message part Explanation m1 A B1 As ( Signature generated by A A, A’s identity B1 , B1 ’s identity EKA ( Encryption with A’s key KA p, The agent’s code SA ), The agent’s initial state As ( Signature generated by A A, A’s identity iA , The agent’s identifier tA , Time stamp for agent dispatch H(p), Hash of agent’s code T)) Identity of TTP m2 B1 A B1s ( Signature generated by B1 B1 , B1 ’s identity A, A’s identity iA , The agent’s identifier H(m1 ), Hash of previous message M) B1 ’s reply It is important to note that authenticity of origin is not the same as authenticity of the sender: data may be sent without their creator having to do the sending in person. Authenticity of identity deals in general with proving or disproving the identity claimed by a subject. Traditionally, authenticity has been proven using one or more independent techniques, and efforts have been concentrated on the case where humans prove their identity to an (automated) subject of some sort, or where automated subjects need to prove their identities to each other as the initial step in some protocol. Within automated environments, only passive data have been authenticated. What one effectively needs for agents is authentication of process instances. Message Sender Recipient Message part Explanation Table 1 Initialization of protocol for execution traces Table 2 The rest of the initialization of the protocol for execution traces, if B 1 agrees to participate in the protocol m3 A B1 As ( Signature generated by A A, A’s identity B1 , B1 ’s identity iA , The agent’s identifier B1p ( Encryption with B1 ’s public key KA )) A’s symmetric encryption key m4 B1 A B1s ( Signature generated by B1 A A’s identity iA , The agent’s identifier H(m3 )) Hash of message m3 43
Page 2 and 3: Telektronikk Volume 96 No. 3 - 2000
Page 4 and 5: Øyvind Eilertsen (34) is Research
Page 6 and 7: 4 E(P) = a ⋅ P + b (mod 26) D(C)
Page 8 and 9: 6 In 1997, NIST initiated the proce
Page 10 and 11: 8 decrypt the signed hash value, re
Page 12 and 13: Lars R. Knudsen (38) is Professor a
Page 14 and 15: Table 1 Timetable for AES Table 2 T
Page 16 and 17: 14 K m i Stream cipher algorithm Fi
Page 18 and 19: 16 6 Use of Encryption in Telecommu
Page 20 and 21: 18 mode, integrity mode, key divers
Page 22 and 23: 20 7 Beaver, D. Computing with DNA.
Page 24 and 25: 22 In both cases, my trust depends
Page 26 and 27: 24 A number of standard PC applicat
Page 28 and 29: Henning Wright Hansen (28) is Resea
Page 30 and 31: 28 Securing Locally Stored Informat
Page 32 and 33: Figure 3 A simple Public Key Infras
Page 34 and 35: 32 The Policy Control Center An imp
Page 36 and 37: Tønnes Brekne (31) is on leave fro
Page 38 and 39: 36 Sets definable by such predicate
Page 40 and 41: 38 A failure is caused by some type
Page 42 and 43: Figure 1 This figure illustrates th
Page 46 and 47: Message Sender Recipient Message pa
Page 48 and 49: 46 Assume some agent a carries with
Page 50 and 51: 48 gateway from attack, while the i
Page 52 and 53: 50 transfer at the expense of secur
Page 54 and 55: 52 7 FORE Systems. Firewall Switchi
Page 56 and 57: Figure 2-1 Object invocations throu
Page 58 and 59: Figure 4-1 3 Levels of different fi
Page 60 and 61: 58 phase two, in which the client r
Page 62 and 63: 60 5 CORBA Firewall Traversal 5.1 F
Page 64 and 65: 62 7.2 Visibroker Gatekeeper of Inp
Page 66 and 67: 64 References 1 Abie, H. An Overvie
Page 68 and 69: Cost Figure 1 Minimising total cost
Page 70 and 71: 68 In the coming years it is likely
Page 72 and 73: 70 financial, social, environmental
Page 74 and 75: Consequence 72 Insignificant Substa
Page 76 and 77: 74 in a one week time-frame, using

Security - Telenor

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?