agent privacy/ security akram sarhan western michigan university 4-14, 2014 cs 6800
TRANSCRIPT
OUTLINE
Research in Mobile Agents
Root of agent Technology
From AI to IA
What is an agent?
Why is an agent?
Agent vs Computer Worm
Mobile Agent & Turing Machine
Examples of Mobile Agent Systems
Mobile Agent Architecture
Classification of Security threats
Malicious Agent Threats Classification
Host Protection Mechanisms
Agent Protection mechanisms
Aspects of Mobile Agent Research
•Distributed System Research• Focus on system architectures and protocols for
managing executions of mobile agent objects.• Security, fault tolerance, naming, yellow pages•Programming Languages Research• Code mobility, safety, programming constructs • Agent communication languages•Artificial Intelligence Research• Focus on intelligence, learning, and cooperation
AI
Distributed AI
Structured Programming
OO
Client/server
Mobile computing
systems
Agents
Peer to Peer
Root of agent Technology
Artificial Intelligence (AI) (algorithm) that aims to build systems that can ultimately understand natural languages , use common sense , think creatively. [ Wooldeidge, 1999]
Intelligent Agents (IA) are systems that are built in a way that they can choose right action to perform at the right moment in a very specific domain
From AI to IA
An agent is a software component (object) which carries out tasks on behalf of its owners. in some predefined manner.
An agent is an autonomous software entity that can suspend its execution, transfer itself from one networked host to another and resume execution on the new host. Mobile Agent: composition of computer software
and data which is able to migrate (move) from one computer to another autonomously in a distributed system to perform actions on behalf of its creator.
Proposed to replace the client-server paradigm as a better, more efficient and flexible mode of communication
Two general goals: Reduction of network traffic Asynchronous interaction
What is an agent?
Agents can function independent of each other or cooperate to solve problemsLange et al. (1999) states seven reasons why mobile agents are a good idea:1- reducing network load2-executing asynchronously and autonomously3- encapsulating protocols4- overcoming network latency5- dynamic adaptability.6- naturally heterogeneous.7- robustness and fault tolerance
Source: Seven Good Reasons for Mobile Agents Danny B. Lange and Mitsuru Oshima
Why is an agent?
A worm : program that is able to move between nodes on a network suggests intriguing possibilities for distributed computing. labeled as dangerous and therefore very undesirable. (Denning, 1989)
If however these malicious programs could be controlled and reapplied in service of computer users then the potential of a revolution in distributed computing is possible. The candidate for this revolution is called a mobile agent and its application is a mobile agent system.
Agent vs. computer worm
Mobile Agent & Turing Machine• Host and Originators considered as a probabilistic
(universal) Turing Machine• Code of Mobile Agents considered as interactive
program ( description of a TM which can be simulated by UTM)
• Model of an interactive Turing Machine possesses a tape containing the messages received from other processes .
• A tape with the message sent to other processes an un-erasable coin-toss tape recording all random choices made by a Turing Machine and write-only output tape.
• The content of the communication tapes is expected to be not erased by the interactive Turing machine
Source : Mobile Agents: Second International Workshop, MA'98, Stuttgart, Germany, Kurt Rotherme, Fritz Hohl
•TACOMA(Tux) - Mobile Agent System. Operating System Support for mobility. Tromosø and Cornell Moving Agents (TACOMA) is a joint project between the University of Tromosø, Norway and Cornell University, USA. It is primarily focused on providing operating system support for agents.•Telescript- developed by General Magic, includes an object oriented, type-safe language for agent programming.•Agent TCL is a mobile agent system created at Dartmouth College. agents are written in the Tool Command Language (Tcl), which is an embeddable scripting language that is highly portable and freely available.•Aglets is a Java based system developed by IBM. Agents are called aglets in this System.•Jade is an open source framework that aid the development of distributed application based on agent paradigm.
Examples of Mobile Agent Systems
E- Commerce – Agents act and negotiate on behalf of the user. Example: Auctions, service negotiations, etc.
Personal Assistant – acts like a remote assistant. For example, can search and book airline ticket depending on a search criteria.
Secure Brokering - Mobile agents meet and collaborate on mutually agreed secure host.
Distributed information retrieval - Agent are dispatched to remote information sources and they can perform extended searches not restricted by working hours or connectivity.
Information distribution – works on the push model. Software distributor may send software updates and versions to the user.
Parallel processing – agents can execute concurrently in a distributed system. A single task can be decomposed amongst multiple agents.
Network Security testing - Agents can be used in network intrusion detection.
Database Searches – It is efficient to send out an agent to perform a specialized search on a large database than to move big chunks of data to the client using up enormous amount of bandwidth.
Applications of Agent Systems
Security Issues in Agent Systems
Source: Rothermel et alMobile Agent Systems: What is Missing?
• Agent environment (those allow for mobility of agents, much difficult to protect from intruders than conventional systems).
• Agent paradigm lack security, anonymity and untreacebility (protection against traffic analysis attacks) in open dynamic environment such as the internet
• “The vision of mobile agents as the key technology for future electronic commerce applications can only become reality if all security issues are well understood and the corresponding mechanisms are in place.”
Agent System Security threats Classification
Agents attacking Hosts Hosts attacking the Agents Malicious Agent attacking
another agent Attack by other entities
Agents Attacking Hosts•Since agents traverse multiple hosts trusted to different extents, implementing any security measure is complicated.•Lack of sufficient authentication and access control mechanism, can tamper data•Malicious agents can attack the Host , access sensitive data, steal or modify the data on the host. •No Set for resource constraints (limited computational, networking, and storage capabilities ), cause DoS attacks by exhausting computational resources and denying platform services to other agents.
Hosts Attacking The AgentsA malicious host can attack the agent, by stealing or modifying its data, corrupting or modifying its code or state, deny requested services, return false system call values, reinitialize the agent or even terminate it completely.
It can also masquerade the agent by delaying the agent until the task is no more relevant.
The Host may also analyze and reverse engineer the agent.
Malicious Agent attacking Another AgentAttack specific to software agents: masquerading, denial of service, unauthorized access and Repudiation.
A malicious agent may invoke public methods of another agent to interfere with its work.
Examples :Threat to the agent owner’s personal information
when an agent travels across many networks carrying personal information belonging to its owner.
An agent roams around the Internet to look for the lowest price of a air ticket; it remembers the lowest price it finds most recently
Data tampering: change of execution state of agents by malicious hosts (“brain-flush” the agent of the lowest price it remembers)
Execution tampering: change of code or execution sequence by malicious hosts (deliberately set the local price as the lowest price, and push the agent to return immediately)
In E-Commerce scenario, Agent may be carrying sensitive information like Social Security Number or Bank Account details. Agents must be secure and tamper-proof, and must not reveal information inappropriately.
Agent Attack by other entities
Some other entity in the network may manipulate or eavesdrop on agent communication.
Host Protection Mechanisms
1- Sandboxing2- Safe Interpreters 3-code signature4-State Appraisal5-Proof carrying code6- Path Histories7- Policy Management
Sandbox:• security mechanism for safely running
untrusted programs• used to execute untested code, or untrusted
programs from unverified third-parties (suppliers, users and websites)
Source : Wikebedia
Trusted/Tamper Proof Hardware
Obfuscation
Garbled Circuit
Privacy homomorphisms
Coding Theory
Function composition
AGENT PROTECTION MECHANISMS
Secure Coprocessor interfaces with main computer or server through a PCI-based interface. complete computing system [processor, RAM, ROM, backup battery, non-volatile persistent storage, and Ethernet network card] Secure separate storage for root keys (Keys never leave security processor)Receive encrypted data and return decrypted dataEncapsulate the entire agent execution environment in which the agent executes, thus isolating the agent from the malicious host. The whole agent is not visible to the host environment.
Drawback :Cost Expansive
Obfuscation
Scramble code so that it still works, but cannot be reverse engineered.Protect against reverse engineering (java byte code)Hiding program (data and code) in plaintext within code Example : algorithm that remove the code comments , insert dead code or unusable code, and rename identifier such as variables, classesDrawback : difficult to obfuscate arbitrary code. obfuscating deterministic programs is impossible
Garbled Circuit
Garbled Circuits 1
000AND
x y
z
Truth table:
x y z
0 1 01 0 0
1 1 1
00OR
x y
z
Truth table:
x y z
110
1
11
AND OR
AND
NOT
OR
AND
Alice’s inputs Bob’s inputs
Compute any function securelyHow Garbled circuit can protect mobile code? 1- Convert the function into a Boolean circuit2- Pick Random Keys For Each Wire (One key corresponds to “0”, the other to “1” (6 keys in total for a gate with 2 input wires)3-Alice encrypts each row of the truth table by encrypting the output-wire key with the corresponding pair of input-wire keys 4-Alice randomly permutes (“garbles”) encrypted truth table and sends it to Bob 5-Alice sends the key corresponding to her input bit Keys are random, so Bob does not learn what this bit is6- Alice and Bob run oblivious transfer protocol ( a. Alice’s input is the two keys corresponding to Bob’s wire b. Bob’s input into OT is simply his 1-bit input on that wire)
k0y, k1yk0x, k1x
k0z, k1z
Ek0x(Ek0y
(k0z))Ek0x
(Ek1y(k0z))
Ek1x(Ek0y
(k0z))
Ek1x(Ek1y
(k1z))
Does not know which row of garbled table corresponds to which
row of original tableIf Alice’s bit is 1, shesimply sends k1x to Bob;if 0, she sends k0x
k0x, k1x
k0y, k1y
If Alice’s bit is 1, shesimply sends k1x to Bob;if 0, she sends k0x
Drawback: Circuit size
Coding Theory
• Coding theory is Methods to protect information against a noise•-Error-correcting codes are used to correct messages when they are transmitted through noisy channels.Without coding theory and error-correcting codes there would be no deep-space travel and pictures, no satellite TV, no compact disc, no … no … no ….
How Coding theory protect Mobile agent?.Incorporation of error correcting codes to hide the function from a potential host. Represent Agent code as Matrix Transforms M to M’, where M’=M*P (P is a random matrix). Attach M’ within a mobile agent. Computes M’ to output y’ by Host that receives the agent Mobile agent returns to the originator with y’. Originator uses the inverse of P, P-1, to compute y from y’.
Privacy homomorphisms •Computing on encrypted data •Ability to Encrypt data in the cloud While still allowing the cloud to sear ch/sort/edit/… this data on my behalf•Keeping the data in the cloud in encrypted form Without needing to ship it back and forth to be decrypted•privacy homomorphism protect Mobile agent data privacy.
Function compositionValue fed to first function Resulting value fed to second function End result taken from second function Given two functions:
p(x) = 2x + 1 q(x) = x2 - 3
Then p ( q(x) ) = p (x2 - 3) = 2 (x2 - 3) + 1 = 2x2 - 5
•function composition protect mobile agent function privacy.• How function composition can protect confidentiality of mobile agent ?• Originator transforms function f using encryption function g.• Code of the agent is replaced by code that implements the composite function h = g o f. •The originator sends the agent to a destination host.•Agent executed at the Host using the host’s input, and obtain encrypted output.•Host return encrypted output to the originator. •Originator “decrypts” the output using g-1.
Privacy homomorphisms
Source : IBM |NYU|Columbia Theory Day
$skj#hS28ksytA@ …
Directions• From: 19 Skyline Drive, Hawothorne, NY 10532, USA• To: Columbia University
Privacy homomorphisms
Computing on Encrypted DataSource: IBM|NYU|Columbia Theory Day
$kjh9*mslt@na0&maXxjq02bflx
m^00a2nm5,A4.pE.abxp3m58bsa(3saM%w,snanbanq~mD=3akm2,AZ,ltnhde83|3mz{ndewiunb4]gnbTa*kjew^bwJ^mdns0
typo
Conclusion • Agent Technology is the future promising
potential revolution in distributed computing.
• Mobile agent systems offer many features and developed to replace client server paradigm
• Security & Privacy two important factors that blocking the contribution of agent technology.
• No optimal practical solution yet that can address all security and privacy issues
References •http://en.wikipedia.org/wiki/Mobile_agent•"Security in Mobile agents", by Padma Kapse•“Mobile Agent Programming in Ajanta” by Anand Tripathi•Lange et al. (1999) states seven reasons why mobile agents are a good idea•Mobile Agents: Second International Workshop, MA'98, Stuttgart, Germany, Kurt Rotherme, Fritz Hohl•Rothermel et al Mobile Agent Systems: What is Missing?•IBM|NYU|Columbia Theory Day•Protecting Mobile Web-Commerce Agents with Smartcards , Stefan Funfroken, Dept of CS, Darmstadt Univ of Tech. , Germany : http://citeseer.nj.nec.com/unfrocken99protecting.html•http://www.cs.fsu.edu/research/reports/TR-050329.pdf" :•Mobile Agents: Are they a good idea? , David Chess, Colin Harrison, Aaron Kershenbaum: http://citeseer.nj.nec.com/chess95mobile.html•Is it an Agent, or just a Program? : A Taxonomy for Autonomous Agents, Stan Franklin and Art Graesser , Institute for Intelligent Systems, University of Memphis : http://www.cs.memphis.edu/~franklin•protecting Mobile Agents against Malicious Hosts, Tomas Sanders and Christian Tschudin. Proceedings of Workshop on Mobile Agents and Security, number 1419 in LCNS, pages 44-60, 1997: http://citeseer.nj.nec.com/sander98protecting.html•NIST Special Publication 800-19 – Mobile Agent Security: http://gunther.smeal.psu.edu/2276.html