1 Mobile Agent Security against Malicious Hosts CSE 591 Group1 Jamieson French Srikanth Varadarajan Donald Willey Yin Yin Presented 11/29/2006 Arizona State University Tempe, Arizona
Dec 22, 2015
1
Mobile Agent Security against Malicious Hosts
CSE 591 Group1Jamieson FrenchSrikanth VaradarajanDonald WilleyYin Yin
Presented 11/29/2006
Arizona State University
Tempe, Arizona
2
Presentation Contents
Introduction – James and Srikanth Secure Software/Hardware – Don Multiparty/Homomorphic Computation – Yin Signature Techniques – James Tracing Agent Execution/Agent Hiding – Srikanth Comparison and Discussion – Don Conclusion – Yin
3
Mobile Agent
Mobile Agent - A program that can exercise an individual’s or organization’s authority, work autonomously toward a goal, and meet and interact with other agents or hosts
An alternative to Remote Procedure Calls Universal framework for distributed
computing
4
Mobile Agent - Example
Originator
Airline Server A
Airline Server B
Airline Server C
MA
Initiated
Has customer preference
Collects Reservation Info for A
Collects Reservation Info and compare with A and decide
Collects Reservation Info, compares with previous decision
and decides
Returns with the decided
airline
5
Motivations
Mobile agent paradigm gives many advantages to network communication
– Improving network performance Direct host interaction instead of network communication
– Executing asynchronously and autonomously Runs independent from outside influence
– Upgrading protocols and software Eases the task of upgrading hosts on a large network
– Robust and fault-tolerant Dynamic response to emergency situations
6
Protecting Mobile Agents
Common belief - Mobile agents are at full mercy of the host because the host executes the agent and has all of the agent’s code
Cannot assume trust from any host in an open network environment
Questions raised on the security of mobile agents– Can mobile agents protect themselves from being
tampered by the host?– Can mobile agents remotely sign a document
without disclosing the private key?– Can a mobile agent conceal its data and the
program it wants to execute?
7
Security Requirements
Privacy and Integrity– Mobile agent carries its code, state, and data– Protocol needed to prevent eavesdropping– One security breach is modification of agent’s
code – Detectable but not preventable
Authentication– Host needs to verify agent’s rights and privileges– Agent needs to ascertain server’s identity– PKI needed for mutual authentication
8
Security Requirements
Authorization and Access Control– Restricted resource access rights to servers for
specific agents– Restrictions to parts of code and data in agents– Enforced through the use of secure hardware
Metering, Charging and Payment– E-Commerce agent can carry digital cash– Malicious host could gain control of the agent and
steal digital cash
9
Host Attacks and Threats
Integrity Threats – Modify the mobile agent’s code, state and data– Integrity interference– Information modification including altering,
corrupting, manipulating, deleting itinerary, data or code
– Example: Replay attack
10
Host Attacks and Threats
Availability Threats – Preventing access to resources that mobile agent is authorized to.– Denial of service when traffic floods a network– Delay of service when host makes the agent wait
for some time to access the resources– Transmission refusal when host disregards the
agent’s itinerary
11
Host Attacks and Threats
Confidentiality Threats – Illegal accessing / disposal of agent’s assets by the host– Eavesdropping the agent’s action and code to
gather data by host - Privacy is compromised– Stealing data from agents by the host– Reverse engineering by capturing code,
execution state to perform malicious acts using the agent
12
Host Attacks and Threats
Authentication Threats – Hiding host identity and refusing to show credentials
– Masquerading is when the host informs the agent that its one of the hosts in its itinerary when its not
– Cloning is when host duplicates the agent with the intent to access the agents services for malicious activities
Modification of JVM attacks – includes most of the
above attacks– Discloses confidential data including keys, results and
protocols
13
Mobile Agent - Simplified
Code
Data
Itinerary
Tells what to do.
Lists where to go.
Basis for continued computation.
14
Mobile Agent – With Signed Components
Code
Data
Itinerary
Code signed with originator’s private key.
Not changed during migration.
Itinerary may also change during migration.
Read-only data is signed with originator’s private key. Changing data also should be encrypted and signed by hosts.
Signature
Signature
Signature
Orig
inat
or’s
C
ertif
icat
e
15
Example Agent Structure
Real agents have a more involved structure.
Components may vary in number and type.
From Itinerant Agents for Mobile Computing,
Chess, Grosof, Harrison, et al, IEEE Personal Communications, October 1995
17
Mobile Agent Execution Use Case
Processing Host
Originating Host
1. Create Mobile Agent
2. Sign and Certify
3. Encrypt with Pubkey
of Host 1
10. MigrateTo Next HostVia Secure
Channel
4. Transport to Host 1 Via
Secure Channel
5. Verify Agent Integrity
(Signatures & Certificates)
6. Decrypt any data privately provided for
Host
7. Run Agent
8. Sign Results with Host
Private Key
9. Encrypt Results
(Originator Public Key)
Report Error, Encrypt Originator Public Key
Process Error
No
11. Receive Final results
Yes
Goal Reached or
Itinerary Exhausted?
18
Host
LibrariesAnd System
Services
Untrusted Environment - Example
Mobile Agent Loader Mobile Agent Execution
Mobile Agent
Analyze Code,Data, Itinerary
ModifiedMobile Agent
Modify code,Data, Itinerary
Insert Breakpoints
Single Step
System CallWith Data Leak
To Host
CompromisedMobile Agent
Keys
ECashLost
Integrity
19
Existing Approaches
Trusted Software and HardwareSecure Multiparty ComputationDigital Signature TechniquesTracing Execution and Agent Hiding
20
Trusted Hardware - Don
Trusted Hardware– Smart Cards– Java Cards– An example using Java Card– Trusted Platform Module– Trusted Computing
21
Trusted Hardware – Smart Card
Invented around 1970 in Europe.
Tamper-resistant Contact* /
contactless interface Memory /
Microprocessor cards* Photo source:
http://en.wikipedia.org/wiki/Image:Smartcard.JPG, published under GNU public license v1.2.
22
Smart Card Continued
Microprocessor card– Small memory– Powered externally– Secure files– Crypto capabilities
PIN and/or biometric access Participates in PKI Protocols
Evaluation and Adoption– Common Criteria Evaluation Assurance Level EAL 5
semi-formally designed and tested
– DoD Common Access Card
23
Trusted Hardware – Java Card
Specified and supported by Sun and others. Adds to Smart Card
– Java Virtual Machine– More Interfaces, more crypto.– More memory
Evaluation and Adoption– EAL4+
methodically designed, tested, and reviewed
– SIM cards in most GSM and some CDMA cell phones
25
Trusted Hardware Use Case
Processing Host
Trusted Hardware
Originating Host
1. Create Mobile Agent
2. Sign and Certify
3. Encrypt with Card Pubkey of
Host 1
10. MigrateTo Next HostVia Secure
Channel
4. Transport to Host 1 Via
Secure Channel
5. Verify Agent Integrity
(Signatures & Certificates)
6.1 Decrypt Agent Code,
Data, Itinerary, keys
7.1 Run Agent
8. Encrypt Mobile agent
with Next Host’s Card
Pubkey
9. Encrypt Results
(Originator Public Key)
Report Error, Encrypt Originator Public Key
Process Error
11. Receive Final results
Yes
7.3 Securely Communicate with Next Host for Verifiable
Pubkey
7.2 If Warranted, Micropay, or
Execute Contract
Goal Reached or Itinerary Exhausted?
26
Migration and Execution
GetKey is a java card function that transfers a public key in a way that allows it to be verified as belonging to another Java card, probably using certificates that reference back to a well trusted certificate authority.
The increasing complexity of the shape representing the agent shows that it combines results from hosts that it visits.
Fünfrocken illustration of Java card based mobile agent execution and migration.
27
Trusted Computing
Trusted Computing Group (TCG)– AMD, HP, IBM, Intel, Microsoft, Sun, others.– Trusted Platform Module (TPM)– In many new PCs already.– Basis for Vista BitLocker Drive Security– In all notebooks, most desktops by 2010.– Controversial. 50% net managers surveyed don’t want it.
Hengzhi – Chinese alternative to TPM, used in Lenovo products.– Does not follow TCG standards.– Specifications are not publicly available.
28
Trusted Computing - Microsoft
Palladium -> NGSCB– From Greek mythology, a statue of Athena kept in Troy
upon which the safety of the city depended. Only after it was stolen by Odysseus, could the Trojan Horse be used.
– Microsoft renamed to Next-Generation Secure Computing Base (NGSCB) after Palladium Books enforced trademark.
– Open source advocates Richard Stallman, and social activists like Against TCPA are solidly against it.
– Security expert Bruce Schneier is concerned about it, believes it has a lot of power to do what it claims.
– Electronic Frontier Foundation recommends modifications.– NSA, RIAA, MPIA like it. It can make Digital Rights
Management much more effective.
29
Trusted Computing – Microsoft Continued
Main Features– Secure Storage– Attestation– Curtained Memory– Secure I/O– Crypto engine
Mobile agents could:– Decrypt and execute in
curtained memory– Greater processor and
memory resource than Java cards.
– Eliminates a big bottleneck. Would you trust Microsoft to
get this right? Linux community working
toward similar TPM capability. Figure copyright 2005, Daniel Göhler, permission under GNU Free Documentation License V2.1, http://en.wikipedia.org/wiki/Image:NGSCB-diagram.png
30
To Learn More
B. S. Yee, "A sanctuary for mobile agents," Lecture Notes in Computer Science, vol. 1603, pp. 261-273, 1999.
– Great discussion of protecting mobile agent. S. Funfrocken, "Protecting Mobile Web-Commerce
Agents with Smartcards," Autonomous Agents and Multi-Agent Systems, vol. 4, pp. 339-358, 2001.
– Useful illustration of specifics of a Java Card implementation. B. Stephan and L. Vogel, "Trusted Computing - http://
www.lafkon.net/tc/," 2006. – Interesting and provocative animation. As someone once said,
if you are not outraged, you don’t know what is going on. If you put faith in TC folks, at least expect unforseen consequences.
31
Multiparty/Homomorphic Computation – Yin
Multiparty computation is a computation among more than one participants
– Just like a black box– Collect inputs from all participants– Compute and return outputs to everyone
Mobile agent collects data from several hosts and generates the results for the originator and hosts.
Mobile agent is a special case of multiparty computation
F(x0,x1,…,xn) = (y0,y1,…,yn)
32
Secure Multiparty Computation
Security requirements of multiparty computation– Any participant only learns his own input– Any participant only learns his own output– Any outside adversary learns nothing about all inputs and
outputs
Mainly consider confidentiality rather than integrity or availability
33
An Example of Multiparty Computation
Yao’s Millionaires’ Problem– Two millionaires want to know who has more
money– They don’t like to reveal the exact number of their
money – F(x1,x2) = (x1>x2?, x1>x2? )
34
Some Results in Multiparty Computation
1986, Yao triggered the research in this area 1987, Goldreich gave a general solution for any function
– All participants are honest– Oblivious transfer protocol
1988, Kilian gave another general solution– Oblivious transfer protocol
2003, Ivan Damgård and Nielsen constructed oblivious transfer protocol from homomorphic encryption
The main goal: efficient, general solution using less assumptions. Until now, no good solution exists
35
Homomorphic Encryption
Homomorphic encryption is a special type of encryption scheme
– Can get E(x+y) from E(x) and E(y)– Can get E(xy) from E(x) and E(y)
RSA is multiplication homomorphic encryptionE(xy) = (xy)e = xeye = E(x)E(y)
Paillier is addition homomorphic encryption
E(x+y) = gx+y(r1r2)p = (gxr1p)(gyr2
p) = E(x)E(y)
But until now, no encryption is both multiplication and addition homomorphic
36
The Application of Homomorphic Encryption in Mobile Agents
Sander and Tschudin claimed:
Mobile agent is the cipherprogram All participants encrypt their inputs and feed these
ciphermessages to the mobile agent Mobile agent operates these ciphermessages
without understanding them
You can communicate some ciphermessage to another party without understanding it, we would like a computer to execute a cipherprogram without understanding it
37
How to Construct Cipherprogram
It is hard! A general construction is equal to a general solution for
secure multiparty computation Sander and Tschudin only gave an immature
construction using a weak homomorphic encryption, but it– Only for polynomial function– Need multi-round interaction between the mobile agent and
hosts, which means that the mobile agent would roam among the hosts frequently
– Only consider two parties, which means that the mobile agent can only visit one host exclude the originator
38
Expand Applicable Function
Sander et. al extended their solution to all functions computable by circuits of logarithmic depth circuit
Domingo and Ferrer proved that as long as the ciphertext space is much larger than the cleartext space, a homomorphic encryption can be construed.
Lee et. al. suggested a hybrid method to improve the security of homomorphic encryption based system .
A general construction for addition and multiplication homomorphic encryption is still an open problem.
39
Reduce Communication Round and Handle Multiparty scenario
Christian Cachin et. al. extended Sander and Tschudin’s work into a one-round multiparty computation – One-round: the mobile agent will visit every host
only once– Multiparty: the mobile agent can visit more than
one host before returning the originator
40
The Application of TTP in Mobile Agents
Algesheimer et. al. provided a method to construct cipherprogram using the trusted third party– The trusted third party is the most
attractively attack object– The trusted third party is the bottleneck of
performance
41
Distributed Trusted Third Parties
Zhong et. al. expanded the single trusted node to a set of trusted nodes which cooperate with each other to provide a security service – Greatly reduced the computation burden of single
trusted third party– Greatly improved the robust of the whole system
by using fault-tolerable secret sharing schemes
42
Signature Techniques – James
Cryptographically based assurance scheme Commonly used with PKI with a third party
issued public key Main problem – The signature function,
signature key, and even the signature can be stolen and used to sign arbitrary messages.
The creation of the signature scheme should be simple, realistic, flexible, and ubiquitous
43
Signature Techniques
Undetectable signatures allow mobile agents to create a signature that the host can not deduce the signature
Signature techniques are known as a preventive measure
Main goal is to prevent modification and masquerading
Most signature techniques use the multiple cryptographic scheme
44
Multiple Cryptography
The case of cryptography that involves more than two parties
Comparable to real-world signatures but different because the real-world signature is unique per person
Real-world can still be duplicated but with sophisticated methods to determine a fake
45
Bank Example – Real World
Document
Bank
Employee
Employee
Employee
Signature
Signature Signature
Signed
47
Single-Agent Signature Techniques
Proxy Based Signature– A mobile agent might be worried about privacy so
it has a proxy server sign for it– Like a secretary signing a document for a
manager while they are out of the office– Three levels of delegation: Full Delegation, Partial
Delegation, and Delegation by Warrant– The problem is that there is still network traveling
and sacrifices the agents autonomous property
48
Single-Agent Signature Techniques
Blind Based Signature– The host will sign a message of the mobile agent
without knowing the message– This is known as signing the message “blindly”– Commonly used with RSA public key
cryptosystem– Useful for e-voting and e-payment
49
Single-Agent Signature Techniques
Blind Proxy Signature– Combines both resources of the blind and proxy
based signature techniques– This is where the proxy is allowed to sign a
message “blindly” on behalf of the mobile agent– Still suffers from many attacks, the most
prominent being the forgery attack
50
Multi-Agent Signature Techniques
Major techniques are key-splitting and distributed signature generations
Techniques based on the El-Gamal Cryptosystem because of the easy computation and the El-Gamal is used as part of the Digital Signature Standard (DSS)
Two main protocols were developed for the multi-agent scheme: sequential and parallel signing
51
In Sequence Signing
Long term key: S = Sa + Sb + Sc
Short term key: r = ra + rb + rc
Xa = ra + dm Sa mod (p – 1)
Xb = rb + Xa Sb mod (p – 1)
Xc = rc + Xb Sc mod (p – 1)
X = Xc – (Sc – 1) rb – (Sb Sc – 1) ra mod (p – 1)
53
In Parallel Signing
Long term key: S = Sa + Sb + Sc
Short term key: r = ra + rb + rc
Xa = ra + dm Sa mod (p – 1)
Xb = rb + dm Sb mod (p – 1)
Xc = rc + dm Sc mod (p – 1)
X = Xa + Xb + Xc
55
Tracing Agent Execution – Srikanth
Mobile Agent gets executed in various hosts Mobile agent carries both code and state information Leave traces of their execution and their states in each and
every host they enter Traces are recorded in a log file
– <Executed code identifier 1><Time stamp 1>– <Executed code identifier 2><Time stamp 2>– .– .
The log file is checked back to detect any malicious activity in any host
56
Identifying Malicious ActivityRemote Code Execution
Local Host
Remote Host
Message 1 - Encrypts program P with a random secret key K
Message 2 - Sends acknowledgement with Hash (Message 1)
Message 3 - Encrypts random secret key K with public key of Remote Host
Message 4 – Sends acknowledgement with Hash (Message 3)
Message 5 - Encrypts final state S with a random secret key K.
Hash (Program Trace)
Message 6 – Sends acknowledgement with Hash (Message 4)
Message 7 - Encrypts random secret key K with public key of Local Host
57
Identifying Malicious ActivityMobile Agent Execution
Originator
Host 2
Host 3
Host N
Encrypts program P and current state with a
random secret key K; Hash (P
rogram)
Encrypts the secret key K with public key of
Host 2
Sends Acknowledgment
Encrypts program P and current state with a
random secret key K; Hash (Program Trace)
Encrypts the secret key K with public key of
Host 3Sends Acknowledgment
58
Identifying Malicious ActivityMobile Agent Execution
Originator
Host 2
Host 3
Host N
Hash (Program)
Hash (Program Trace of Host 2)
Hash (Program Trace of Host
N-1)
Hash (Program Trace of Host N)
59
Tracing – Weaknesses
Not done online. Tracing is just a detection scheme and not preventive scheme
Trace logs are huge to store and transfer
Involves PKI which is computationally exhaustive
61
Agent Deployment Language
Deployment of agents requires support of a language
For Tcl scripts, the language for deployment in Safe-Tcl
Two interpreters – Master and Safe Master – Trusted Scripts Safe – Untrusted Scripts
62
Agent Deployment Language
SALTA – Secure Agent Language with Tracing of Actions
Extension of Safe-Tcl with two extra commands for tracing
63
Agent Route Hiding
Routing information is as important as data, code in a mobile agent
Knowing the route, malicious hosts know the exact location and launch attacks
Also, malicious hosts can modify the route information for its benefits
64
Atomic Encryption
Route information is sent as:
Each successive host to visit is concatenated Host information is encrypted and signed for
protection Thus each host can determine only the next host
address Easy to modify the route information Computationally faster
65
Nested Encryption
Route information is sent as:
Each successive host to visit is embedded inside the encrypted message of each host in a nested fashion
Thus each host can determine only the next host address
Difficult to modify the route information Computationally slower but more resistant to route
modification
66
References
G. Vigna, "Cryptographic Traces for Mobile Agents," in Mobile Agents and Security, 1998, pp. 137-153.
X. Guan, Y. Yang, and J. You, "POM - A Mobile Agent Security Model against Malicious hosts," in The Fourth International Conference on High-Performance Computing in the Asia-Pacific Region, vol. 2, 2000, pp. 1165-1170.
K. Schougaard and U. Schultz, "POMP – Pervasive Object Model Project," in MOS'03 (ECOOP'03 Workshop), 2003.
J. Y. Levy, J. K. Ousterhout, and B. B. Welch, "The Safe-Tcl Security Model," Sun Microsystems, Inc. 1997.
D. Westhoff, M. Schneider, C. Unger, and F. Kaderali, "Method’s for protecting a mobile agent’s route," in Information Security: Second International Workshop, ISW'99, 1999, pp. 57.
V. Roth, "On the robustness of some cryptographic protocols for mobile agent protection," in Mobile Agents, 5th International Conference, vol. 2240, Spinger, Ed. Atlanta, GA, USA: Lecture Notes in Computer Science, 2002, pp. 1-14.
67
Comparison and Discussion
Techniques for Mobile agent security. Many based on cryptography.
– Encrypt, Decrypt, Hashing, Random Numbers
Complementary, should be combined.– Signed agents used on trusted hardware for multiparty
computation with logging?
Some techniques are ready for application today, others may work better a few years from now.
68
Ranking Strengths and Weaknesses
Aspect Trusted Hardware
Multiparty Computation
Digital Signature
AgentTracing
Generality 3 4 1 2
Efficiency 1 4 2 3
Scalability 3 2 1 4
Mathematical Security 2 3 1 4
Resistance to Tampering
1 2 3 4
Reveals Malicious Hosts
2 4 3 1
Private Keys carried by the agent?
Yes No Maybe No
69
Attacks and Countermeasures
Occur at many times during agent lifecycle. Creation
– Code Obfuscation– Digital Signatures– Encrypt for trusted kernel/trusted hardware.
Transport– Attacks: Eavesdropping, Man-In-the-Middle– Counter: Secure Channel, Tracing and Logging
70
Execution
Attack Countermeasure
Code ModificationDigital signatures
Obfuscation
Data ModificationDigital signatures
ObfuscationPartial Result Authentication Codes
Insecure use of keys
Homomorphic encryptionObfuscation
Secure kernelTime-limited black box security
Replay attacks Secure hardware
71
Attacks and Countermeasures continued
Authentication and Integrity– Attack: Code, Data, Itinerary Modification– Counter: Digital signatures, Trusted Node, Trusted
hardware Migration
– Attacks: Denial of Service, Misrouting– Counter: Trusted Node, Partial Result Authentication Codes
Digital Cash Payment, Non-Reputable Signatures– Attack: Replay Attack, Selective Execution– Counter: Trusted Hardware, Homomorphic Encryption
72
Relevance and Future Adoption
Like distributed systems ten years ago, mobile agents may grow from research toy to common tool along a surprising path.
Enabling technologies like web services, digital cash, and trusted hardware are becoming common.
Trusted hardware may be a “Next Big Thing” in computer security, privacy, and even consumer choice, so be prepared.
Agents, expert systems, remote procedure calls, and middleware may borrow concepts and techniques from mobile agent research to accomplish tasks like information gathering/sharing, resource sharing, network load reduction, and distributed auctions.
73
Conclusion - Yin
1. Trusted nodes: – Pro: efficient, reliable, protect confidentiality and integrity– Con: rely on tamper-resistant hardware, potential high
prices of tamper-resistant hardware, the unwillingness to implement of host owners
2. Multiparty computation: – Pro: powerful, software only– Con: heavy communication and computation burdens, no
secure implementation for arbitrary functions without trusted third party
74
Conclusion (cont.)
3. Signature: – Pro: protect integrity– Con: no security proof
4. Tracing: – Pro: simple, protect integrity– Con: only detect, large log file, only the
originator can check the log file
75
Future Work
A perfect solution should be – economical– efficient– adaptable to all mobile agents’ applications– invulnerable to all potential attacks
When solutions to certain problems do exist, designing universal solutions is still a hot research area where no great progress has been achieved.