ATOMAS A Transaction-oriented Open Multi Agent-System. Final(8)
Date: 2025-07-07
3 WP 2.2: Security
This section summarizes a paper published in [Vig98].
3.1 Abstract
In this report, an approach is presented that partially solves one of the most difficult aspects of the security of mobile agent systems: the problem of malicious hosts. This problem consists in the possibility of attacks against a mobile agent by the party that maintains an agent system node, a host. The idea for solving this problem is to create a blackbox out of an original agent. A blackbox is an agent that performs the same work as the original agent but has a different structure. This difference makes it possible to assume a certain agent protection time interval, during which it is impossible for an attacker to discover relevant data or to manipulate the execution of the agent. After that time interval, the agent and some associated data become invalid and the agent can no longer migrate or interact, which prevents the exploitation of attacks after the protection interval.
3.2 Introduction
Mobile agent systems are expected to become a possible base platform for an electronic services framework (see e.g. [Mob96]), especially in the area of Electronic Commerce. In this application area, security is a crucial aspect since all parties involved require the confirmation that none of the other parties will break the rules without being punished. This requirement is not always fulfilled even in the traditional, non-electronic commerce. The anonymity of a worldwide communication network and the ease of automatic exploitation of security gaps in electronic applications make it necessary to meet this demand in the area of commercial transactions done by computers.
Mobile agents are entities that consist of code, data and control information (e.g. thread states). Mobile agent systems are platforms that allow mobile agents to migrate between different nodes of the agent system. From a more technical view, mobile agents can be compared to programs that migrate to nodes autonomously, while nodes offer the run-time environment of these programs including the program interpreters.
As in Mobile Code systems (e.g. the Java applet system), one aspect of security is the protection of the node, or host, against possible attacks of the mobile agent. Therefore, some of the security mechanisms developed in this field can also be applied to mobile agent systems. An example is sandbox security, i.e. the need for security-sensitive commands, like the deletion of a file, to be authorized by a designated component. Other security mechanisms, like authentication of single agent instances, do not have a counterpart in mobile code systems and have to be designed using standard cryptographic techniques like encryption or digital signatures.
The reverse security issue, the protection of a mobile agent from possible attacks by a malicious host, is new as there are barely any other areas where this aspect is important. Nevertheless, the protection of mobile agents from malicious hosts is — at least from the viewpoint of the owner of the agent — as important as the protection of the host from malicious agents. As we will see, apart from organisational solutions, no technical approaches to solve this problem without spe-