1 Mobile Agent Security against Malicious Hosts CSE 591 Group1 Jamieson French Srikanth Varadarajan Donald Willey Yin Yin Presented 11/29/2006 Arizona State University Tempe, Arizona

Dec 22, 2015

Transcript
Page 1: Mobile Agent Security against Malicious Hosts

CSE 591 Group 1: Jamieson French, Srikanth Varadarajan, Donald Willey, Yin Yin

Presented 11/29/2006

Arizona State University

Tempe, Arizona

Page 2: Presentation Contents

– Introduction – James and Srikanth
– Secure Software/Hardware – Don
– Multiparty/Homomorphic Computation – Yin
– Signature Techniques – James
– Tracing Agent Execution/Agent Hiding – Srikanth
– Comparison and Discussion – Don
– Conclusion – Yin

Page 3: Mobile Agent

Mobile Agent – A program that can exercise an individual’s or organization’s authority, work autonomously toward a goal, and meet and interact with other agents or hosts

– An alternative to Remote Procedure Calls
– Universal framework for distributed computing

Page 4: Mobile Agent – Example

Diagram: a mobile agent (MA) leaves the Originator, visits Airline Server A, Airline Server B and Airline Server C, and returns.

– Originator: MA initiated; has customer preference
– Airline Server A: collects reservation info for A
– Airline Server B: collects reservation info, compares with A and decides
– Airline Server C: collects reservation info, compares with previous decision and decides
– Returns to the originator with the decided airline

Page 5: Motivations

Mobile agent paradigm gives many advantages to network communication

– Improving network performance: direct host interaction instead of network communication
– Executing asynchronously and autonomously: runs independent of outside influence
– Upgrading protocols and software: eases the task of upgrading hosts on a large network
– Robust and fault-tolerant: dynamic response to emergency situations

Page 6: Protecting Mobile Agents

Common belief – Mobile agents are at the full mercy of the host because the host executes the agent and has all of the agent’s code

Cannot assume trust from any host in an open network environment

Questions raised on the security of mobile agents
– Can mobile agents protect themselves from being tampered with by the host?
– Can mobile agents remotely sign a document without disclosing the private key?
– Can a mobile agent conceal its data and the program it wants to execute?

Page 7: Security Requirements

Privacy and Integrity
– Mobile agent carries its code, state, and data
– Protocol needed to prevent eavesdropping
– One security breach is modification of the agent’s code – detectable but not preventable

Authentication
– Host needs to verify the agent’s rights and privileges
– Agent needs to ascertain the server’s identity
– PKI needed for mutual authentication

Page 8: Security Requirements

Authorization and Access Control
– Restricted resource access rights to servers for specific agents
– Restrictions to parts of code and data in agents
– Enforced through the use of secure hardware

Metering, Charging and Payment
– E-Commerce agent can carry digital cash
– Malicious host could gain control of the agent and steal digital cash

Page 9: Host Attacks and Threats

Integrity Threats
– Modify the mobile agent’s code, state and data
– Integrity interference
– Information modification, including altering, corrupting, manipulating or deleting itinerary, data or code
– Example: Replay attack

Page 10: Host Attacks and Threats

Availability Threats
– Preventing access to resources that the mobile agent is authorized to use
– Denial of service when traffic floods a network
– Delay of service when the host makes the agent wait for some time to access the resources
– Transmission refusal when the host disregards the agent’s itinerary

Page 11: Host Attacks and Threats

Confidentiality Threats
– Illegal accessing / disposal of the agent’s assets by the host
– Eavesdropping on the agent’s actions and code to gather data by the host – privacy is compromised
– Stealing data from agents by the host
– Reverse engineering by capturing code and execution state to perform malicious acts using the agent

Page 12: Host Attacks and Threats

Authentication Threats
– Hiding host identity and refusing to show credentials
– Masquerading is when the host informs the agent that it is one of the hosts in its itinerary when it is not
– Cloning is when the host duplicates the agent with the intent to access the agent’s services for malicious activities

Modification of JVM attacks
– Includes most of the above attacks
– Discloses confidential data including keys, results and protocols

Page 13: Mobile Agent – Simplified

– Code: tells what to do.
– Itinerary: lists where to go.
– Data: basis for continued computation.

Page 14: Mobile Agent – With Signed Components

Diagram: Code, Data and Itinerary each carry a Signature, together with the Originator’s Certificate.

– Code signed with the originator’s private key. Not changed during migration.
– Itinerary may also change during migration.
– Read-only data is signed with the originator’s private key. Changing data should also be encrypted and signed by hosts.

Page 15: Example Agent Structure

Real agents have a more involved structure. Components may vary in number and type.

From Itinerant Agents for Mobile Computing, Chess, Grosof, Harrison, et al., IEEE Personal Communications, October 1995

Page 16: Mobile Agent Structure (OMG MASIF)

Schelderup and Ølnes example of an agent passport.

Page 17: Mobile Agent Execution Use Case

Originating Host:
1. Create Mobile Agent
2. Sign and Certify
3. Encrypt with Pubkey of Host 1
4. Transport to Host 1 Via Secure Channel

Processing Host:
5. Verify Agent Integrity (Signatures & Certificates)
6. Decrypt any data privately provided for Host
7. Run Agent
8. Sign Results with Host Private Key
9. Encrypt Results (Originator Public Key)

Goal Reached or Itinerary Exhausted?
– No: 10. Migrate To Next Host Via Secure Channel
– Yes: 11. Receive Final results (Originating Host)

On failure: Report Error, Encrypt Originator Public Key; Originating Host: Process Error

Page 18: Untrusted Environment – Example

Diagram: a Host, with its Libraries and System Services, runs a Mobile Agent Loader and Mobile Agent Execution.

– Mobile Agent → Analyze Code, Data, Itinerary → Modify Code, Data, Itinerary → Modified Mobile Agent
– Insert Breakpoints; Single Step
– System Call With Data Leak To Host → Compromised Mobile Agent: Keys, ECash Lost, Integrity

Page 19: Existing Approaches

– Trusted Software and Hardware
– Secure Multiparty Computation
– Digital Signature Techniques
– Tracing Execution and Agent Hiding

Page 20: Trusted Hardware – Don

Trusted Hardware
– Smart Cards
– Java Cards
– An example using Java Card
– Trusted Platform Module
– Trusted Computing

Page 21: Trusted Hardware – Smart Card

– Invented around 1970 in Europe.
– Tamper-resistant
– Contact* / contactless interface
– Memory / Microprocessor cards

* Photo source: http://en.wikipedia.org/wiki/Image:Smartcard.JPG, published under GNU public license v1.2.

Page 22: Smart Card Continued

Microprocessor card
– Small memory
– Powered externally
– Secure files
– Crypto capabilities
– PIN and/or biometric access
– Participates in PKI Protocols

Evaluation and Adoption
– Common Criteria Evaluation Assurance Level EAL 5: semi-formally designed and tested
– DoD Common Access Card

Page 23: Trusted Hardware – Java Card

Specified and supported by Sun and others. Adds to Smart Card
– Java Virtual Machine
– More interfaces, more crypto.
– More memory

Evaluation and Adoption
– EAL4+: methodically designed, tested, and reviewed
– SIM cards in most GSM and some CDMA cell phones

Page 24: Trusted Hardware – Java Card Block Diagram

Page 25: Trusted Hardware Use Case

Originating Host:
1. Create Mobile Agent
2. Sign and Certify
3. Encrypt with Card Pubkey of Host 1
4. Transport to Host 1 Via Secure Channel

Processing Host (with Trusted Hardware):
5. Verify Agent Integrity (Signatures & Certificates)
6.1 Decrypt Agent Code, Data, Itinerary, keys
7.1 Run Agent
7.2 If Warranted, Micropay, or Execute Contract
7.3 Securely Communicate with Next Host for Verifiable Pubkey
8. Encrypt Mobile agent with Next Host’s Card Pubkey
9. Encrypt Results (Originator Public Key)

Goal Reached or Itinerary Exhausted?
– No: 10. Migrate To Next Host Via Secure Channel
– Yes: 11. Receive Final results (Originating Host)

On failure: Report Error, Encrypt Originator Public Key; Originating Host: Process Error

Page 26: Migration and Execution

GetKey is a Java Card function that transfers a public key in a way that allows it to be verified as belonging to another Java Card, probably using certificates that reference back to a well-trusted certificate authority.

The increasing complexity of the shape representing the agent shows that it combines results from the hosts it visits.

Fünfrocken illustration of Java Card based mobile agent execution and migration.

Page 27: Trusted Computing

Trusted Computing Group (TCG)
– AMD, HP, IBM, Intel, Microsoft, Sun, others.
– Trusted Platform Module (TPM)
– In many new PCs already.
– Basis for Vista BitLocker Drive Security
– In all notebooks, most desktops by 2010.
– Controversial. 50% of net managers surveyed don’t want it.

Hengzhi – Chinese alternative to TPM, used in Lenovo products.
– Does not follow TCG standards.
– Specifications are not publicly available.

Page 28: Trusted Computing – Microsoft

Palladium -> NGSCB
– From Greek mythology, a statue of Athena kept in Troy upon which the safety of the city depended. Only after it was stolen by Odysseus could the Trojan Horse be used.
– Microsoft renamed it to Next-Generation Secure Computing Base (NGSCB) after Palladium Books enforced its trademark.
– Open source advocates such as Richard Stallman, and social activists like Against TCPA, are solidly against it.
– Security expert Bruce Schneier is concerned about it; he believes it has a lot of power to do what it claims.
– Electronic Frontier Foundation recommends modifications.
– NSA, RIAA, MPAA like it. It can make Digital Rights Management much more effective.

Page 29: Trusted Computing – Microsoft Continued

Main Features
– Secure Storage
– Attestation
– Curtained Memory
– Secure I/O
– Crypto engine

Mobile agents could:
– Decrypt and execute in curtained memory
– Use greater processor and memory resources than Java Cards.
– Eliminates a big bottleneck.

Would you trust Microsoft to get this right? The Linux community is working toward similar TPM capability.

Figure copyright 2005, Daniel Göhler, permission under GNU Free Documentation License V2.1, http://en.wikipedia.org/wiki/Image:NGSCB-diagram.png

Page 30: To Learn More

B. S. Yee, "A sanctuary for mobile agents," Lecture Notes in Computer Science, vol. 1603, pp. 261-273, 1999.
– Great discussion of protecting mobile agents.

S. Fünfrocken, "Protecting Mobile Web-Commerce Agents with Smartcards," Autonomous Agents and Multi-Agent Systems, vol. 4, pp. 339-358, 2001.
– Useful illustration of specifics of a Java Card implementation.

B. Stephan and L. Vogel, "Trusted Computing – http://www.lafkon.net/tc/," 2006.
– Interesting and provocative animation. As someone once said, if you are not outraged, you don’t know what is going on. If you put faith in TC folks, at least expect unforeseen consequences.

Page 31: Multiparty/Homomorphic Computation – Yin

Multiparty computation is a computation among more than one participant
– Just like a black box
– Collect inputs from all participants
– Compute and return outputs to everyone

Mobile agent collects data from several hosts and generates the results for the originator and hosts.

Mobile agent is a special case of multiparty computation

$F(x_0, x_1, \ldots, x_n) = (y_0, y_1, \ldots, y_n)$

Page 32: Secure Multiparty Computation

Security requirements of multiparty computation
– Any participant only learns his own input
– Any participant only learns his own output
– Any outside adversary learns nothing about any of the inputs and outputs

Mainly considers confidentiality rather than integrity or availability

Page 33: An Example of Multiparty Computation

Yao’s Millionaires’ Problem
– Two millionaires want to know who has more money
– They don’t want to reveal the exact amount of their money
– $F(x_1, x_2) = (x_1 > x_2?,\; x_1 > x_2?)$

Page 34: Some Results in Multiparty Computation

1986, Yao triggered the research in this area

1987, Goldreich gave a general solution for any function
– All participants are honest
– Oblivious transfer protocol

1988, Kilian gave another general solution
– Oblivious transfer protocol

2003, Ivan Damgård and Nielsen constructed an oblivious transfer protocol from homomorphic encryption

The main goal: an efficient, general solution using fewer assumptions. Until now, no good solution exists

Page 35: Homomorphic Encryption

Homomorphic encryption is a special type of encryption scheme
– Can get E(x+y) from E(x) and E(y)
– Can get E(xy) from E(x) and E(y)

RSA is a multiplicatively homomorphic encryption: $E(xy) = (xy)^e = x^e y^e = E(x)E(y)$

Paillier is an additively homomorphic encryption: $E(x+y) = g^{x+y}(r_1 r_2)^p = (g^x r_1^p)(g^y r_2^p) = E(x)E(y)$

But until now, no encryption is both multiplicatively and additively homomorphic
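As an added example (not code from the slides), the block below implements textbook RSA and Paillier with tiny constructed primes and shows the agent-side operation the slide describes: multiplying two ciphertexts it cannot read, which decrypts to xy under RSA and to x+y under Paillier. The exponent the slide writes as p is Paillier's modulus n here; the key sizes and the unpadded RSA are demo assumptions only.

```python
"""Added example, not from the slides: textbook RSA is multiplicatively
homomorphic and Paillier is additively homomorphic.  The primes are tiny,
constructed demo values and the toy RSA has no padding; never use as-is."""
import math
import random

def lcm(a, b):
    return a * b // math.gcd(a, b)

# ---- Textbook RSA: E(x) = x^e mod n ----------------------------------------
def rsa_keygen(p, q, e=17):
    n, phi = p * q, (p - 1) * (q - 1)
    assert math.gcd(e, phi) == 1
    return (n, e), (n, pow(e, -1, phi))          # (public, private)

def rsa_encrypt(pub, x):
    n, e = pub
    return pow(x, e, n)

def rsa_decrypt(priv, c):
    n, d = priv
    return pow(c, d, n)

# ---- Paillier: E(m) = g^m * r^n mod n^2 with g = n + 1 ---------------------
def paillier_keygen(p, q):
    n = p * q
    lam = lcm(p - 1, q - 1)
    g = n + 1
    # L(u) = (u - 1) / n;  mu = L(g^lam mod n^2)^-1 mod n
    mu = pow((pow(g, lam, n * n) - 1) // n, -1, n)
    return (n, g), (n, lam, mu)

def paillier_encrypt(pub, m, rng):
    n, g = pub
    n2 = n * n
    r = rng.randrange(1, n)
    while math.gcd(r, n) != 1:                    # r must be a unit mod n
        r = rng.randrange(1, n)
    return (pow(g, m, n2) * pow(r, n, n2)) % n2

def paillier_decrypt(priv, c):
    n, lam, mu = priv
    return ((pow(c, lam, n * n) - 1) // n * mu) % n

# ---- What the mobile agent does: combine ciphertexts it cannot read --------
def agent_product_rsa(x, y, p=61, q=53):
    """The agent only ever holds E(x) and E(y); their product is E(xy).
    Decryption happens at the originator, who holds the private key."""
    pub, priv = rsa_keygen(p, q)
    n = pub[0]
    combined = (rsa_encrypt(pub, x) * rsa_encrypt(pub, y)) % n
    return rsa_decrypt(priv, combined)            # == x * y mod n

def agent_sum_paillier(x, y, p=61, q=53, seed=2006):
    """Same idea with Paillier: E(x) * E(y) mod n^2 decrypts to x + y mod n."""
    pub, priv = paillier_keygen(p, q)
    n = pub[0]
    rng = random.Random(seed)                     # deterministic demo randomness
    cx, cy = paillier_encrypt(pub, x, rng), paillier_encrypt(pub, y, rng)
    return paillier_decrypt(priv, (cx * cy) % (n * n))

if __name__ == "__main__":
    print(agent_product_rsa(7, 11))               # 77
    print(agent_sum_paillier(1234, 1500))         # 2734
```

Note that the result of the Paillier sum wraps modulo n, so inputs whose sum exceeds n are decrypted incorrectly; real deployments size n to the application's value range.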

Page 36: The Application of Homomorphic Encryption in Mobile Agents

Sander and Tschudin claimed:
– Mobile agent is the cipherprogram
– All participants encrypt their inputs and feed these ciphermessages to the mobile agent
– Mobile agent operates on these ciphermessages without understanding them

Just as you can communicate a ciphermessage to another party without understanding it, we would like a computer to execute a cipherprogram without understanding it

Page 37: How to Construct a Cipherprogram

It is hard! A general construction is equivalent to a general solution for secure multiparty computation

Sander and Tschudin only gave an immature construction using a weak homomorphic encryption, but it
– Only works for polynomial functions
– Needs multi-round interaction between the mobile agent and hosts, which means that the mobile agent would roam among the hosts frequently
– Only considers two parties, which means that the mobile agent can only visit one host excluding the originator

Page 38: Expand Applicable Functions

Sander et al. extended their solution to all functions computable by circuits of logarithmic depth

Domingo-Ferrer proved that as long as the ciphertext space is much larger than the cleartext space, a homomorphic encryption can be constructed.

Lee et al. suggested a hybrid method to improve the security of homomorphic encryption based systems.

A general construction for addition and multiplication homomorphic encryption is still an open problem.

Page 39: Reduce Communication Rounds and Handle the Multiparty Scenario

Christian Cachin et al. extended Sander and Tschudin’s work into a one-round multiparty computation
– One-round: the mobile agent will visit every host only once
– Multiparty: the mobile agent can visit more than one host before returning to the originator

Page 40: The Application of TTP in Mobile Agents

Algesheimer et al. provided a method to construct a cipherprogram using a trusted third party
– The trusted third party is the most attractive attack target
– The trusted third party is the performance bottleneck

Page 41: Distributed Trusted Third Parties

Zhong et al. expanded the single trusted node to a set of trusted nodes which cooperate with each other to provide a security service
– Greatly reduced the computation burden of a single trusted third party
– Greatly improved the robustness of the whole system by using fault-tolerant secret sharing schemes

Page 42: Signature Techniques – James

Cryptographically based assurance scheme

Commonly used with PKI with a third-party-issued public key

Main problem – The signature function, signature key, and even the signature can be stolen and used to sign arbitrary messages.

The creation of the signature scheme should be simple, realistic, flexible, and ubiquitous

Page 43: Signature Techniques

Undetectable signatures allow mobile agents to create a signature that the host cannot deduce

Signature techniques are known as a preventive measure

Main goal is to prevent modification and masquerading

Most signature techniques use the multiple cryptography scheme

Page 44: Multiple Cryptography

The case of cryptography that involves more than two parties

Comparable to real-world signatures but different because the real-world signature is unique per person

Real-world signatures can still be duplicated, but sophisticated methods exist to determine a fake

Page 45: Bank Example – Real World

Diagram: a Document at a Bank is signed in turn by three Employees (Signature, Signature, Signature) and becomes Signed.

Page 46: Bank Example – Virtual World

Diagram: an Electronic Document at a Bank is signed by a Mobile Agent (Signature) and becomes Signed.

Page 47: Single-Agent Signature Techniques

Proxy Based Signature
– A mobile agent might be worried about privacy, so it has a proxy server sign for it
– Like a secretary signing a document for a manager while they are out of the office
– Three levels of delegation: Full Delegation, Partial Delegation, and Delegation by Warrant
– The problem is that there is still network traveling, and it sacrifices the agent’s autonomous property

Page 48: Single-Agent Signature Techniques

Blind Based Signature
– The host will sign a message of the mobile agent without knowing the message
– This is known as signing the message “blindly”
– Commonly used with the RSA public key cryptosystem
– Useful for e-voting and e-payment

Page 49: Single-Agent Signature Techniques

Blind Proxy Signature
– Combines the resources of both the blind and proxy based signature techniques
– This is where the proxy is allowed to sign a message “blindly” on behalf of the mobile agent
– Still suffers from many attacks, the most prominent being the forgery attack

Page 50: Multi-Agent Signature Techniques

Major techniques are key-splitting and distributed signature generation

Techniques are based on the ElGamal cryptosystem because of its easy computation and because ElGamal is used as part of the Digital Signature Standard (DSS)

Two main protocols were developed for the multi-agent scheme: sequential and parallel signing

Page 51: In Sequence Signing

Long term key: $S = S_a + S_b + S_c$

Short term key: $r = r_a + r_b + r_c$

$X_a = r_a + d_m S_a \bmod (p-1)$

$X_b = r_b + X_a S_b \bmod (p-1)$

$X_c = r_c + X_b S_c \bmod (p-1)$

$X = X_c - (S_c - 1) r_b - (S_b S_c - 1) r_a \bmod (p-1)$

Page 52: In Sequence Signing

Page 53: In Parallel Signing

Long term key: $S = S_a + S_b + S_c$

Short term key: $r = r_a + r_b + r_c$

$X_a = r_a + d_m S_a \bmod (p-1)$

$X_b = r_b + d_m S_b \bmod (p-1)$

$X_c = r_c + d_m S_c \bmod (p-1)$

$X = X_a + X_b + X_c$

Page 54: In Parallel Signing
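As an added example (not code from the slides), the block below runs the parallel and the sequential formulas from the two preceding slides over a small constructed prime and checks each combined X with the Schnorr-style identity $g^X = g^r y^{d_m}$ that $X = r + d_m S$ satisfies. Expanding the sequential correction term algebraically gives $X = r_a + r_b + r_c + d_m S_a S_b S_c$, so the chained result is checked against the product of the shares; p, g, $d_m$, the shares and the nonces are all demo assumptions.

```python
"""Added example, not from the slides: key-split parallel and sequential
signing with three agents.  P, G, the digest d_m, the key shares and the
nonces are constructed demo values, not a real DSS parameter set."""
P = 2**61 - 1         # constructed Mersenne prime used as the demo modulus
G = 5                 # demo base; any g with g^(p-1) = 1 mod p works for the check
Q = P - 1             # exponents are reduced mod (p - 1), as on the slides

def pub_key(S):
    """y = g^S mod p for a long-term key S."""
    return pow(G, S, P)

def parallel_sign(dm, shares, nonces):
    """Each agent i independently computes X_i = r_i + d_m S_i mod (p-1);
    the combiner forms X = X_a + X_b + X_c and R = g^(r_a + r_b + r_c)."""
    xs = [(r + dm * s) % Q for s, r in zip(shares, nonces)]
    return pow(G, sum(nonces) % Q, P), sum(xs) % Q

def sequential_sign(dm, shares, nonces):
    """Agents sign in a chain, each feeding its X into the next agent's term,
    then the cross terms are removed with the slide's correction step."""
    Sa, Sb, Sc = shares
    ra, rb, rc = nonces
    Xa = (ra + dm * Sa) % Q
    Xb = (rb + Xa * Sb) % Q
    Xc = (rc + Xb * Sc) % Q
    X = (Xc - (Sc - 1) * rb - (Sb * Sc - 1) * ra) % Q
    return pow(G, (ra + rb + rc) % Q, P), X

def verify(dm, y, R, X):
    """Accept iff g^X == R * y^dm (mod p), i.e. X = r + d_m*S for the S behind y."""
    return pow(G, X, P) == (R * pow(y, dm, P)) % P

def demo(dm=0xABCDEF, shares=(123456789, 987654321, 555555555), nonces=(111, 222, 333)):
    """Returns (parallel_ok, sequential_ok, sequential_key_is_product)."""
    S_sum = sum(shares) % Q                              # S = S_a + S_b + S_c
    S_prod = (shares[0] * shares[1] * shares[2]) % Q     # S_a * S_b * S_c
    R, X = parallel_sign(dm, shares, nonces)
    par_ok = verify(dm, pub_key(S_sum), R, X)
    R2, X2 = sequential_sign(dm, shares, nonces)
    # Expanding the correction term gives X = r_a + r_b + r_c + d_m*S_a*S_b*S_c,
    # so the chained protocol verifies against g^(S_a S_b S_c).
    seq_ok = verify(dm, pub_key(S_prod), R2, X2)
    seq_is_product = X2 == (sum(nonces) + dm * S_prod) % Q
    return par_ok, seq_ok, seq_is_product

if __name__ == "__main__":
    print(demo())   # (True, True, True)
```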

Page 55: Tracing Agent Execution – Srikanth

Mobile agent gets executed in various hosts

Mobile agent carries both code and state information

Agents leave traces of their execution and their states in each and every host they enter; traces are recorded in a log file
– <Executed code identifier 1><Time stamp 1>
– <Executed code identifier 2><Time stamp 2>
– ...

The log file is checked afterwards to detect any malicious activity in any host

Page 56: Identifying Malicious Activity – Remote Code Execution

Exchange between Local Host and Remote Host:
– Message 1 – Encrypts program P with a random secret key K
– Message 2 – Sends acknowledgement with Hash (Message 1)
– Message 3 – Encrypts random secret key K with public key of Remote Host
– Message 4 – Sends acknowledgement with Hash (Message 3)
– Message 5 – Encrypts final state S with a random secret key K; Hash (Program Trace)
– Message 6 – Sends acknowledgement with Hash (Message 4)
– Message 7 – Encrypts random secret key K with public key of Local Host

Page 57: Identifying Malicious Activity – Mobile Agent Execution

Originator → Host 2 → Host 3 → … → Host N

Originator to Host 2:
– Encrypts program P and current state with a random secret key K; Hash (Program)
– Encrypts the secret key K with public key of Host 2
– Sends Acknowledgment

Host 2 to Host 3:
– Encrypts program P and current state with a random secret key K; Hash (Program Trace)
– Encrypts the secret key K with public key of Host 3
– Sends Acknowledgment

Page 58: Identifying Malicious Activity – Mobile Agent Execution

Originator → Host 2 → Host 3 → … → Host N

– Originator: Hash (Program)
– Host 2: Hash (Program Trace of Host 2)
– Host N-1: Hash (Program Trace of Host N-1)
– Host N: Hash (Program Trace of Host N)
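As an added example (not code from the slides) for the tracing scheme introduced on page 55 and the Hash (Program) / Hash (Program Trace) chain above, the block below models a host writing its <code identifier><time stamp> log, reporting a hash of it, and the originator's offline check that replays the deterministic program and flags a host whose reported states do not match. The agent program, host input and timestamps are constructed; a real trace records only the host-supplied values rather than whole states.

```python
"""Added example, not from the slides: execution tracing as a detection
scheme.  Each host logs <executed code identifier><time stamp> entries for
the agent steps it ran and reports Hash(Program Trace); the originator
later replays the deterministic program and compares.  The agent program,
host inputs and timestamps are constructed for the demo."""
import hashlib
import json

# The agent "program": deterministic steps keyed by code identifier.
PROGRAM = {
    "collect": lambda st, inp: {**st, "offers": st["offers"] + [inp["price"]]},
    "decide":  lambda st, inp: {**st, "best": min(st["offers"])},
}
ORDER = ["collect", "decide"]        # code ids an honest host must run, in order

def program_hash():
    """Hash(Program): what the originator records before dispatching the agent."""
    return hashlib.sha256(json.dumps(ORDER).encode()).hexdigest()

def trace_hash(trace):
    """Hash(Program Trace): hash over the log entries in order."""
    h = hashlib.sha256()
    for entry in trace:
        h.update(json.dumps(entry, sort_keys=True).encode())
    return h.hexdigest()

def run_on_host(state, host_input, timestamps, tamper=None):
    """A host executes the agent and writes its trace.  `tamper`, when given,
    models a dishonest host rewriting the state after the collect step."""
    trace = []
    for code_id, ts in zip(ORDER, timestamps):
        state = PROGRAM[code_id](state, host_input)
        if tamper is not None and code_id == "collect":
            state = tamper(state)
        trace.append({"code": code_id, "time": ts, "state": state})
    return state, trace, trace_hash(trace)

def originator_verify(start_state, host_input, trace, reported_hash):
    """Offline check: the trace must match the reported hash and must be
    reproducible by re-running the program on the host's declared input."""
    if trace_hash(trace) != reported_hash:
        return False, "trace hash mismatch"
    if [e["code"] for e in trace] != ORDER:
        return False, "steps skipped, reordered or unknown"
    state = start_state
    for entry in trace:
        state = PROGRAM[entry["code"]](state, host_input)
        if state != entry["state"]:
            return False, "state tampered at step " + entry["code"]
    return True, "ok"

def demo():
    start = {"offers": [], "best": None}
    inp = {"price": 420}                                  # constructed airline offer
    ts = ["2006-11-29T10:00:00", "2006-11-29T10:00:01"]   # constructed timestamps
    _, trace, h = run_on_host(start, inp, ts)
    honest = originator_verify(start, inp, trace, h)
    # A dishonest host substitutes a fake offer; its hash is self-consistent,
    # but the replay exposes the divergence.
    fake = lambda st: {**st, "offers": [99]}
    _, bad_trace, bad_h = run_on_host(start, inp, ts, tamper=fake)
    tampered = originator_verify(start, inp, bad_trace, bad_h)
    return honest, tampered

if __name__ == "__main__":
    print(demo())   # ((True, 'ok'), (False, 'state tampered at step collect'))
```

As the weaknesses slide that follows notes, this is detection after the fact: the originator only learns of the tampering once the traces come back.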

Page 59: Tracing – Weaknesses

– Not done online. Tracing is just a detection scheme, not a preventive scheme
– Trace logs are huge to store and transfer
– Involves PKI, which is computationally expensive

Page 60: Mobile Agent Models – Police Office Model

Diagram elements: Region R, Police Office, Host, Master, Slave, Mobile Agent.

Page 61: Agent Deployment Language

Deployment of agents requires the support of a language

For Tcl scripts, the language for deployment is Safe-Tcl

Two interpreters – Master and Safe
– Master – Trusted Scripts
– Safe – Untrusted Scripts

Page 62: Agent Deployment Language

SALTA – Secure Agent Language with Tracing of Actions

Extension of Safe-Tcl with two extra commands for tracing

Page 63: Agent Route Hiding

Routing information is as important as the data and code in a mobile agent

Knowing the route, malicious hosts know the exact location and can launch attacks

Also, malicious hosts can modify the route information for their own benefit

Page 64: Atomic Encryption

Route information is sent as:
– Each successive host to visit is concatenated
– Host information is encrypted and signed for protection
– Thus each host can determine only the next host address
– Easy to modify the route information
– Computationally faster

Page 65: 1 Mobile Agent Security against Malicious Hosts CSE 591 Group1 Jamieson French Srikanth Varadarajan Donald Willey Yin Presented 11/29/2006 Arizona State.

65

Nested Encryption

Route information is sent as:
– Each successive host to visit is embedded inside the encrypted message of the previous host, in a nested fashion
– Thus each host can determine only the next host address

Difficult to modify the route information

Computationally slower but more resistant to route modification
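
The two route encodings on this slide and the previous one (atomic entries versus nested layers), as an added example that is not part of the original presentation or of the cited papers. It assumes each host shares a secret key with the originator, and a constructed HMAC-based stream cipher with encrypt-then-MAC stands in for the "encrypt and sign" step; the host names and keys are constructed sample data. The atomic route is a list of independently protected entries, so a host can delete another host's entry and every remaining entry still verifies for its owner; the nested route wraps each hop's entry inside the previous hop's layer, so a host that tries to skip its successor hands the next host a layer it cannot open, and the check fails.

```python
import hashlib
import hmac
import json
import os


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive separate encryption and MAC subkeys from a host key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Constructed counter-mode keystream from HMAC-SHA256 (stand-in cipher)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then decrypt; raises ValueError on any tampering."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("route entry failed integrity check")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))


def _opens_with(key: bytes, entry: bytes) -> bool:
    try:
        open_sealed(key, entry)
        return True
    except ValueError:
        return False


def demo_keys(hosts):
    """Constructed per-host keys shared with the originator (assumption)."""
    return {h: os.urandom(32) for h in hosts}


# ---- Atomic encryption: one independent entry per host -------------------

def build_atomic_route(hosts, keys):
    """Entry i = E_Ki(next host); the route is just the concatenated list."""
    return [seal(keys[h], (hosts[i + 1] if i + 1 < len(hosts) else "END").encode())
            for i, h in enumerate(hosts)]


def atomic_next_hop(host, keys, entries):
    """A host opens the one entry its key verifies; None if it finds none."""
    for entry in entries:
        if _opens_with(keys[host], entry):
            return open_sealed(keys[host], entry).decode()
    return None


def walk_atomic(hosts, keys, entries):
    visited, current = [], hosts[0]
    while current not in ("END", None):
        visited.append(current)
        current = atomic_next_hop(current, keys, entries)
    return visited


def atomic_survives_deletion(hosts, keys) -> bool:
    """Malicious hosts[1] deletes hosts[2]'s entry: nothing else notices."""
    entries = build_atomic_route(hosts, keys)
    tampered = [e for e in entries if not _opens_with(keys[hosts[2]], e)]
    others = [h for h in hosts if h != hosts[2]]
    return all(atomic_next_hop(h, keys, tampered) is not None for h in others)


# ---- Nested encryption: each layer wraps the next host's layer ------------

def build_nested_route(hosts, keys):
    """layer_i = E_Ki(next host || layer_{i+1}), built from the innermost out."""
    blob = b""
    for i in range(len(hosts) - 1, -1, -1):
        nxt = hosts[i + 1] if i + 1 < len(hosts) else "END"
        blob = seal(keys[hosts[i]], json.dumps([nxt, blob.hex()]).encode())
    return blob


def nested_next_hop(host, keys, blob):
    nxt, inner_hex = json.loads(open_sealed(keys[host], blob))
    return nxt, bytes.fromhex(inner_hex)


def walk_nested(hosts, keys, blob):
    visited, current = [], hosts[0]
    while current != "END":
        visited.append(current)
        current, blob = nested_next_hop(current, keys, blob)
    return visited


def nested_rejects_skip(hosts, keys) -> bool:
    """hosts[1] tries to skip hosts[2] by forwarding the inner layer to hosts[3]."""
    blob = build_nested_route(hosts, keys)
    _, layer_for_b = nested_next_hop(hosts[0], keys, blob)
    _, layer_for_c = nested_next_hop(hosts[1], keys, layer_for_b)
    try:
        nested_next_hop(hosts[3], keys, layer_for_c)  # sealed for C, not D
        return False
    except ValueError:
        return True
```

Both encodings let a host learn only its own successor, which is the route-hiding property of the slides; the difference is that nesting binds the remainder of the route inside the current layer's integrity tag, so route modification by an intermediate host is detected by the next honest host, at the cost of one decryption per remaining layer when the route is built.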

Page 66

References

G. Vigna, "Cryptographic Traces for Mobile Agents," in Mobile Agents and Security, 1998, pp. 137-153.

X. Guan, Y. Yang, and J. You, "POM - A Mobile Agent Security Model against Malicious Hosts," in The Fourth International Conference on High-Performance Computing in the Asia-Pacific Region, vol. 2, 2000, pp. 1165-1170.

K. Schougaard and U. Schultz, "POMP - Pervasive Object Model Project," in MOS'03 (ECOOP'03 Workshop), 2003.

J. Y. Levy, J. K. Ousterhout, and B. B. Welch, "The Safe-Tcl Security Model," Sun Microsystems, Inc., 1997.

D. Westhoff, M. Schneider, C. Unger, and F. Kaderali, "Methods for Protecting a Mobile Agent's Route," in Information Security: Second International Workshop, ISW'99, 1999, p. 57.

V. Roth, "On the Robustness of Some Cryptographic Protocols for Mobile Agent Protection," in Mobile Agents, 5th International Conference, Atlanta, GA, USA, Lecture Notes in Computer Science vol. 2240, Springer, 2002, pp. 1-14.

Page 67

Comparison and Discussion

Techniques for mobile agent security. Many are based on cryptography.
– Encryption, decryption, hashing, random numbers

Complementary, should be combined.
– Signed agents used on trusted hardware for multiparty computation with logging?

Some techniques are ready for application today; others may work better a few years from now.

Page 68

Ranking Strengths and Weaknesses

Aspect                               Trusted    Multiparty    Digital     Agent
                                     Hardware   Computation   Signature   Tracing
Generality                           3          4             1           2
Efficiency                           1          4             2           3
Scalability                          3          2             1           4
Mathematical Security                2          3             1           4
Resistance to Tampering              1          2             3           4
Reveals Malicious Hosts              2          4             3           1
Private keys carried by the agent?   Yes        No            Maybe       No

Page 69

Attacks and Countermeasures

Attacks occur at many points in the agent lifecycle.

Creation
– Code obfuscation
– Digital signatures
– Encrypt for trusted kernel/trusted hardware

Transport
– Attacks: Eavesdropping, Man-in-the-Middle
– Counter: Secure channel, Tracing and logging

Page 70

Execution

Attack                 Countermeasure
Code modification      Digital signatures; Obfuscation
Data modification      Digital signatures; Obfuscation; Partial Result Authentication Codes
Insecure use of keys   Homomorphic encryption; Obfuscation; Secure kernel; Time-limited black box security
Replay attacks         Secure hardware

Page 71

Attacks and Countermeasures continued

Authentication and Integrity
– Attack: Code, data, itinerary modification
– Counter: Digital signatures, Trusted node, Trusted hardware

Migration
– Attacks: Denial of service, Misrouting
– Counter: Trusted node, Partial Result Authentication Codes

Digital Cash Payment, Non-Repudiable Signatures
– Attack: Replay attack, Selective execution
– Counter: Trusted hardware, Homomorphic encryption

Page 72

Relevance and Future Adoption

Like distributed systems ten years ago, mobile agents may grow from research toy to common tool along a surprising path.

Enabling technologies like web services, digital cash, and trusted hardware are becoming common.

Trusted hardware may be a “Next Big Thing” in computer security, privacy, and even consumer choice, so be prepared.

Agents, expert systems, remote procedure calls, and middleware may borrow concepts and techniques from mobile agent research to accomplish tasks like information gathering/sharing, resource sharing, network load reduction, and distributed auctions.

Page 73

Conclusion - Yin

1. Trusted nodes:
– Pro: efficient, reliable, protect confidentiality and integrity
– Con: rely on tamper-resistant hardware, potentially high price of tamper-resistant hardware, unwillingness of host owners to implement it

2. Multiparty computation:
– Pro: powerful, software only
– Con: heavy communication and computation burdens, no secure implementation for arbitrary functions without a trusted third party

Page 74

Conclusion (cont.)

3. Signature:
– Pro: protects integrity
– Con: no security proof

4. Tracing:
– Pro: simple, protects integrity
– Con: only detects, large log file, only the originator can check the log file

Page 75

Future Work

A perfect solution should be
– economical
– efficient
– adaptable to all mobile agent applications
– invulnerable to all potential attacks

While solutions to certain problems do exist, designing a universal solution is still an active research area in which no great progress has been achieved.

Page 76

Questions?


Page 77

Thank You

Group 1
– James
– Srikanth
– Yin
– Don