This article describes a security scheme, based on crypto- graphic protocols ... we proposed security mechanisms to protect the communications infrastructure,.
MASS : A Mobile Agent Security Scheme for the Creation of Virtual Enterprises Michelle S. Wangham, Joni Fraga, Ricardo Schmidt, and Ricardo J. Rabelo Department of Automation and Systems Federal University of Santa Catarina C. P. 476 – 88040-900 – Florian´ opolis – SC – Brazil {wangham, fraga, rschmidt, rabelo}@das.ufsc.br
Abstract. This article describes a security scheme, based on cryptographic protocols and SPKI/SDSI chains of trust, for protecting agent platforms and mobile agents in large-scale distributed systems. In addition, it proposes an approach on how trust building in mobile agent-based architectures can be reinforced by using security mechanisms in the process of searching and selecting partners to create a Virtual Enterprise.
1
Introduction
A mobile agent in a large-scale network can be defined as a software agent that is able to autonomously migrate from one host to another in a heterogeneous network to perform tasks on behalf of its creator [1]. In order for these agents to exist within a system or to form a system themselves, they require a computing environment — an agent platform — for deployment and execution. The ability to move agents allows deployment of services and applications in a more flexible and dynamic way with respect to the client-server paradigm [2]. Despite its many benefits, the mobile agent paradigm introduces new security threats from malicious agents and platforms. Mechanisms currently available for reducing the risks of this technology do not efficiently cover all the existing threats. Moreover, they introduce performance restrictions that frequently outweigh the benefits from the use of this paradigm. This paper focuses on security scheme applied to a mobile agent-based application for searching and selecting partners in the formation of Virtual Enterprises (VEs) — MobiC-II system [3]. Cooperation in the form of Virtual Enterprises represents a modern strategy which has been applied by many companies over the world to expand their participation in the market without drastically changing their structures. Actually, a VE corresponds to a set of companies that are selected to meet the requirements of a given business opportunity (BO) as none of them is able to attend to it alone. The selection of the VE members has been often supported by partner’s search and selection systems (PSS), and this search in turn is usually made over a pre- defined group of companies — a cluster. The decision process is performed in an interactive way, in which the company that receives the BO, called broker,
negotiates it with the cluster companies. This negotiation lasts until the selection of the most suitable subset of members is finished. These members comprise the VE, which is finally created. Aiming at greater efficiency and flexibility, this paper brings an approach to aid the creation phase of VEs which is based on an agents hybrid architecture mobile and stationary agents. This work comprises security aspects for the use of mobile agents. These aspects strengthen the trust building process in the VEs’ formation. The security threats in the MobiC-II scenario are also analyzed and a security policy that aims at mitigating most of these threats is defined. One of the main concerns about an agent platform implementation is ensuring that agents are not able to interfere with an underlying agent platform [4]. A common approach for accomplishing it is to establish isolated protection domains for each incoming mobile agent and platform, and to control all inter-domain access. Protection against malicious agents is not restricted to confining their execution to their own execution domains in agent platforms; other issues need to be considered when large-scale distributed applications are the focus. Malicious platforms’ attacks against agents are the most difficult security problems to overcome and have still been left without an appropriate solution. While mechanisms directed towards the platform security are a direct evolution from traditional mechanisms that emphasize techniques of prevention, mechanisms directed towards agent security usually correspond to detection measures. This occurs due to the fact that an agent is totally susceptible to a platform and that it is difficult to prevent the occurrence of malicious behaviors [5]. Based on cryptographic protocols and on decentralized authentication and authorization controls that use SPKI/SDSI certificates [6], we defined the MASS — Mobile Agent Security Scheme for large-scale systems. In the present study, we proposed security mechanisms to protect the communications infrastructure, agent platforms and agents themselves. In our scheme, the flexibility needed for the implementation of a security policy to the MobiC-II system is given by the ability to select only the subset of mechanisms desired by this application.
2
MobiC-II : The Partners Search and Selection System
The PSS System proposed in this work is based on an agent hybrid architecture. This system exploits the benefits of the mobile agents’ paradigm to improve agility in the presentation of business opportunities to the cluster of companies and to achieve higher efficiency in the formation and analysis of the possible virtual enterprises to be constituted. Stationary agents, which represent every real company of a virtual organization, are responsible for interactions with the companies’ legacy systems. A prototype which implements the PSS system —MobiC-II — was developed for the TechMoldes cluster, a group of mold makers in southern Brazil whose members have been collaborating to enhance their global competitiveness. The main idea of Techmoldes is to act as a single/larger productive entity in the market, combining the individual skills and resources of each member; transparent
to the final customer, however. When collaborating within Techmoldes, each member remains independent and autonomous, even to the extent of making business out of the cluster. Three classes of agents compose MobiC-II system: – Broker Agent: it is a stationary agent responsible for receiving BO, distributing it to the potential enterprises, sending a mobile agent to them, and collecting/electing the final VE composition. – Mobile Agent: it is a mobile agent responsible for delivering a BO to the enterprises, negotiating locally with them, and travelling through the net to the other enterprises and finally back to the broker. This agent may have to perform different roles (missions) - from acting as a simple information messenger agent, as a data researcher, to acting as a negotiator capable of making decisions and negotiations independently - without counting on the orders sent by the broker agent during the accomplishment of a task. Thereby, roles are created to the agents according to their desired function. – Enterprise Agent: it is a stationary agent that represents an enterprise and is responsible for receiving a BO, evaluating it, accessing the local database to get the required information, and answering the BO to the mobile agent. The PSS System is shown in Fig. 1. Mobile agents are used as a means to travel through the selected enterprises in order to interact with the stationary agents for receiving the required information (e.g., delivery time and capacity) or for negotiating lower costs or shorter delivery time.
1 Mobile Agent
2, 4, 9
Broker
3 Stationary agent
7
7
3
8
Mobile Agent
3
5, 6
Supervisor
Enterprise 2
Supervisor Enterprise 1
Supervisor Enterprise n
Fig. 1. Scenario for PSS System
When a business opportunity appears, it is received by the broker, which identifies (only) the potential enterprises that can supply each mold (step 1, 1). A summary of the mold specification is immediately sent out to the enterprises (step 2). Each enterprise receives it, evaluates its preliminary interest
and capacity, and sends back an answer to the broker, either yes (expressing its interest) or no (step 3). The broker receives the answers and sends a mobile agent to the enterprises that answered yes, provided with the full BO specification and the list of candidate enterprises to visit (step 4). The mobile agent arrives at the first enterprise and interacts with the local stationary agent, asking for its delivery time and capacity (step 5). The local agent, acting as the enterprise’s representative, retrieves this information from its legacy system or local database. After that, the mobile agent asks the local supervisor about the price, as it is a very important piece of information in the molding sector. A negotiation process may be carried out locally (step 6). Then, the mobile agent moves to the next enterprise of the list with these information (step 7). This process is repeated until all the candidate enterprises in the list are visited, when the mobile agent then returns to the broker agent with their proposals (step 8). The agent broker generates a set of possible VEs, assesses every VE composition and a human broker elects the most suitable one. Afterwards, the human broker sends a win or lose message to the enterprises (step 9). The election criteria applied on this case are global lowest cost and shortest delivery time. The trust building process is indeed one of the most difficult issues to be overcome by the developers of VE solutions. MobiC-II considers the need of having more than one broker acting within a VE. This characteristic brings advantages to the MobiC-II due to the fact that (1) there is a reduction of a number of activities into a sole element and that (2) having many brokers makes a decentralized system’s hierarchy possible, which aids trust building process among participant enterprises. However, even though the members know one another and are aware of what they are supposed to do in order to be a candidate for a BO, they get reluctant to share some kinds of information, such as prices, delivery dates and capacities. Cultural, ethical, managerial, besides other ”pure” IT-related problems, have been pointed out as obstacles for a wider adoption of the VE paradigm by the companies [7]. Therefore, security mechanisms that ensure the confidentiality, integrity and availability of information, according to the cluster security policy, should be introduced aiming at trust building. This paper presents an approach on how trust building in mobile agent-based architectures can be reinforced by using some security mechanisms in the process of searching and selecting partners to create a Virtual Enterprise.
3
Security in Mobile Agent Systems
Mobile agent platforms face several threats, such as [4]: (1) masquerading, when an agent poses as an authorized agent in an effort to gain access to services and resources to which it is not entitled; (2) denial of service, when an agent launch attacks to consume an excessive amount of the agent platform’s computing resources; and (3) unauthorized access- for example, when an agent obtains read or write access to data for which it has no authorization. The establishment of isolated protection domains for each incoming mobile agent and control of system domains entrances is an approach that has been
commonly adopted with the purpose of offering protection to agent platforms. In addition to this approach, other techniques were proposed based on conventional security techniques. Some of these techniques are safe code interpretation, digital signatures, path histories, State Appraisal, and Proof-Carrying Code (PCC). The dangerous attacks of agents platforms against mobile agents are critical security problems to solve. The set of threats includes [4]: (1) masquerading, when a platform poses as another platform in an effort to deceive a mobile agent misleading it from its true destination; (2)denial of service, when a malicious platform ignores agent service requests, introduces unacceptable delays for critical tasks, or simply does not execute the agent’s code; (3)eavesdropping, when a platform monitors every instruction executed by the agent, and all the subsequent data generated on the platform; and (4) unauthorized access, when a platform modifies a mobile agent by changing its code, its state, or both. The security of mobile agents mainly involves (1) the agent’s integrity, in order to prevent the platforms from altering the code or the data which are collected during the visits, and (2) the confidentiality of the code and of the agent’s state, in order to avoid violating the intellectual property. Some mechanisms for agent protection include Secure Hardware, Partial Result Encapsulation, Computing with Encrypted Functions, and Time Limited Blackbox. However, these techniques cannot be considered suitable and flexible when a mobile agent needs to travel through several sites in a large-scale system. This occurs because mobile agents run under the control of a platform and it is very difficult to prevent attacks against them. 3.1
MASS : A Mobile Agent Security Scheme
The security scheme proposed — MASS 1 — is based on an agents’ model that assumes free itineraries and multi-hops. The Mobile Agent Facility (MAF) specification [9] is used as a guideline to achieve interoperability between mobile agent systems. MASS is composed of security mechanisms to protect the communications infrastructure, agent platforms and agents themselves. Figure 2 shows the procedures defined in the security scheme, which are composed by prevention and detection techniques. we analyze some aspects of the mechanisms in the following proposed scheme. Techniques for Creating a Protected Mobile Agent During a mobile agent creation process, the owner, who is the authority that an agent represents, provides a set of SPKI/SDSI authorization certificates defining the agent’s privilege attributes (its credentials). The owner of the agent has to put in an object that will contain the list of previously visited platforms (called the path register ) a signature indicating its identity and the identity of the first platform to be visited. This object is attached to the agent. Also, agents can have attached platform lists that indicate which platforms are authorized to execute the agent. Visited platforms must be associated with the agent’s authority. The agent programmer can protect items in the agent’s state so they 1
Further details on the security mechanism of MASS can be found in [1], [8].
Techniques for Creating a Protected Mobile Agents
1
- Code Signed - Read-Only Repository (RORepository) - Partial Result Repository (PRRepository) - Directed Data Repository (DDRepository) - Histories of visited platforms (PathRegister) Protocol for Secure Channel Establishment
- SSL Protocol - Mutual Authentication
Source Platform
2
Multi-hop MA authenticator agent + auth_certificates + path register + repositories
Destination Platform
3
Scheme for Protection Domain Generation 4
Fig. 2. MASS :Security Scheme to Mobile Agent Systems
are only accessible to certain platforms. To accomplish this, the programmer can use a directed data vector — DDRepository. This allows for selective disclosure of the agent’s state [10]. Moreover, we propose that platform-generated sensitive data should be stored in a repository to be carried by the agents. These sensitive data should be signed by the generating platform so that possible modifications can be detected. So, the programmer can create the partial result repository — PRrepository — to protect visited platform-generated data. Finally, the agent’s owner must first sign the agent’s code and the data defined by the programmer as read-only (in RORepository), and then create the agent in its home platform. Protocol for Secure Channel Establishment In the proposed scheme, mutual authentication between the involved platforms must be established before agents can be transferred, which creates a secure channel in the communications infrastructure. This is performed via a Challenge/Response protocol based on SPKI/SDSI certificates of the owners of the platforms. The basis for authentication in SPKI/SDSI are chains of authorization certificates [6]. The establishment of a secure channel will remain valid in the subsequent interactions. For secure channel establishment, an underlying security technology (Secure Sockets Layer - SSL) is used for ensuring confidentiality and integrity of the communications between agent platforms. Mobile Agents Authentication Before instantiating a thread to an agent, the destination platform must authenticate the received agent. We define a multi-hop authenticator that establishes trust on an agent, based on the authenticity of the owner of the agent, and on the authenticity of the platforms visited by the agent. As a platform receives a mobile agent, it must first check, through verification of the code’s signature and of the RORepositorys signature, that this agent has not been corrupted and confirm its association to a principal, that is, to its owner. Thus, modifications introduced by malicious platforms can be detected by any platform visited by the agent. In addition, for detecting other possible modifications and checking the multi-hop agent’s traveling history (path register ), the destination agent platform must analyze the record of the agent’s path. If defined
by the agent owner, the authenticator should verify the PRRepository’s and the DDRepository’s integrity. Procedure for Generation of Protection Domains Protection domains and the permissions assigned to them are defined after the trust in an agent has been established. They are based on the agent’s SPKI/SDSI authorization certificates. The authorization chains carried by an agent, which represent its credentials, need to be verified by the platform guardian for the set of permissions to be defined and for the protection domains to be generated. This scheme decouples the privilege attributes granted to principals (agent’s credentials) from the attributes required to access resources protected by the platform (control attributes or policies), offering a more flexible and dynamic access control for large-scale systems with respect to the Java access control. 3.2
The MASS for MobiC-II
The selection of the security mechanisms that were applied to the partners search and the selection system was carefully evaluated in the design phase of the proposed hybrid agent system. This enhances the quality of the system in the sense that the most suitable mechanisms can be conceived without losing their potentialities, which usually happens when they are implemented afterwards. Security policies and mechanisms determine which agents will be mobile and which will stay stationary, the scope of the agents’ functionalities, and others. All the security threats (identified in section 3.1) against the agents and the mobile agent platforms are also found in the MobiC-II system’s steps — steps 2, 4, 5, 6, 7, and 8 (see Figure 1). The threats against the communications channel that can compromise the dispatch of agents as well as the sending of messages among mobile agents platforms, such as unauthorized modification, and eavesdropping, are found in steps 1, 2, 3, 7, and 8 of the MobiC-II system. Security Policy to the TechMoldes Scenario. An organization security policy is a set of rules and practices imposed by an organization to establish the operating limits of the users of a system, aiming at protecting the organization’s sensitive data. During the project period of the MobiC-II system, a security policy was defined to the TechMoldes scenario and an answer was planned against systems threats — the MASS ’ security objectives for the MobiC-II system. A summary of the security policy’s rules is listed as follows: – P1: The integrity of read-only data carried by mobile agents (e.g.: summary of the mold specification) should be provided by the MASS ; – P2: Only the cluster’s enterprises may have access to the summary of the mold specification and the full BO specification; – P3: Only the cluster’s enterprises may take the broker’s role and thus only these enterprises will be able to send (1) mobile agents with the BOs’ specifications as well as (2) researcher agents and (3) negotiator agents; – P4: The MASS may control the access of mobile agents to the platforms’ sensitive data;
– P5: The authenticity origin of a mobile agent (its creator) must be verifiable; – P6: Only the participant enterprises may reply to a given BO (through the negotiator or researcher mobile agents). These collected proposals must be revealed only to the broker and their integrity must be assured; – P7: The integrity and authenticity of the origin of all messages exchanged between the mobile agents’ platforms, while being sent by the communications channel, must be assured by the MASS ; – P8: The integrity and authenticity of mobile agents, while being sent through the communications channel, must be assured by the MASS ; – P9: Only a mobile agent’s owner may change its code; – P10: An enterprise may not deny that it has received a given BO; – P11: An enterprise may not repudiate a proposal, that it has presented, in reply to a given BO. Analysis of Security Mechanisms. After identifying the threats and defining the organizational security policy, we analyzed the security mechanisms supported by the MASS and the mechanisms needed to minimize or eliminate the exploitation of one or more vulnerabilities that would hinder trust building in the MobiC-II System. These mechanisms are listed in the Table 1. Table 1. Security Mechanisms to the MobiC-II System Security Mechanisms Repository of read-only data (RORepository) Repository of Partial Results (PRRepository) A list containing the platforms authorized to receive mobile agents A signature of the mobile agent’s code Multi-hop authenticator — use of the PathRegister object Multi-hop authenticator — verification of RORepository’ and PRRepository integrity Multi-hop authenticator — verification of the mobile agent signature Procedures for Protection Domain Generation Secure channel establishment — mutual authentication Secure channel establishment — use of SSL Protocol
4
Rules satisfied P1 P6 and P11 P2 and P6 P9 P2 and P10 P1 and P6 P3, P5, and P9 P4 P3 P7 and P8
Implementation
A prototype of the MASS was implemented and integrated to MobiC-II in order to demonstrate its suitability for distributed applications with mobile agents. For the mobile agents support layer we have chosen IBM Aglets2 , an opensource platform that uses Java as its mobile code language. The Aglets software 2
http://aglets.sourceforge.net/
development kit (ASDK) provides mechanisms for code and state information mobility, and a computational environment. In order to aid the agent creation process and the use of secure data repositories, a GUI was implemented. This interface enables an owner to define which data repositories are going to be used and attached to the agent. The algorithm of the multihop authenticator was implemented to a stationary agent called SecurityInterceptor. This agent must be initiated in all platforms that are to receive the mobile agent and has as a role to intercept the mobile agent receiving process. This interception enables the verification of the incoming mobile agent’s integrity prior to its initiation in the platform. The protocol for the secure channel establishment and the multi-hop authenticator (see section 3.1) were implemented with the SDSI 2.0 library [11] and with Java 2 cryptographic tools. The SSL support is provided by the iSaSiLk toolkit3 and was integrated to the Aglets platform. As the agent platform chosen for the prototype is based on Java, the secure interpretation of the agents’ code and the definition of the protections domains to mobile agents are provided, in part, by the Java 2 security model. The process for generating the set of permissions was defined to overcome the limitations related to the Java 2 access control model. Some extensions to the Java 2 security model were needed for generating the protection domain. As described in [3], in MobiC-II, agents were placed in two platforms. The mobile agents were coded in Java and the Aglets platform was used. The stationary agents were coded in C++ and the MASSYVE-KIT platform4 was used. CORBA is the technology applied to support the multi-platform interoperation.
5
Concluding Remarks
Security issues still hamper the development of applications with mobile systems. Current security mechanisms do not present satisfactory results for protecting mobile agent platforms. There are even more limitations when we consider largescale systems, which impose stronger requirements with regard to flexibility and scalability. MASS was motivated by the perception of these limitations and a concern about aspects of security specific to large-scale applications. This article proposes an approach to improve trust building in Virtual Enterprises, especially in their creation phase (searching and selecting partners). To accomplish this, MASS ’s security mechanisms were used for the conception of the MobiC-II. Comparing secure data repositories presented in section 3.15 to related works described in [10],[12], one can ascertain that the proposed repositories overcome some of the limitations and vulnerabilities described in this works. In comparison to the static model in Java 2 and to the platforms that extend the Java Security Manager [10], our scheme has the advantage of decoupling privilege attributes (credentials) from control attributes (policies), its use of some Java 3 4 5
http://jce.iaik.tugraz.at/products/02 isasilk/ http://www.gsigma-grucon.ufsc.br/massyve/mkit.htm These repositories were described in detail in [8]
security features notwithstanding. This means that, although a policy configuration file still needs to be statically defined, the proposed mechanisms add the flexibility offered by SPKI certificates to domain generation. That is, domains are dynamically defined when an agent aggregates the delegated certificates received during its itinerary to its credentials. Besides, in the agent authentication process described in section 3.1, the information used to determine an agent’s set of access rights is based not only on the identity of the agent’s owner, but also on the public keys of the owner of the visited platforms, which avoids global name resolutions in large-scale systems. The work described in this paper was fully implemented. Integration and adaptation of the MASS to the MobiC-II system was done in order to demonstrate its usefulness. At present, its performance is being properly measured and evaluated. Acknowledgments The authors thank the “IFM (Instituto F´abrica do Milˆenio)” and “Chains of Trust” project (CNPq 552175/01-3) members for their contributions. The first and the second authors are supported by CNPq (Brazil).
References 1. Wangham, M.S., da Silva Fraga, J., Obelheiro, R.R., Jung, G., Fernandes, E.: Security mechanisms for mobile agent platforms based on spki/sdsi chains of trust. In: Software Engineering for Multi-Agent System II. Volume 2940 of LNCS. Springer (2004) 207–224 2. Vigna, G., ed.: Mobile Agents and Security. Volume 1419 of LNCS. Springer (1998) 3. Rabelo, R., Wangham, M., Schmidt, R., Fraga, J.: Trust building in the creation of virtual enterprises in mobile agent-based architectures. In: 4Th IFIP Working Conference on Virtual Enterprise. (2003) 4. Jansen, W., Karygiannis, T.: Mobile agent security. Technical Report NIST Special Publication 800-19, National Institute os Standards and Technology (1999) 5. Chess, D.M.: Security issues in mobile code systems. In Vigna, G., ed.: Mobile Agents and Security. Volume 1419 of LNCS. Springer (1998) 6. Elisson, C.: SPKI Requirements (RFC 2692). The Internet Engineering Task Force. (1999) http://www.ietf.org/rfc/rfc2692.txt. 7. Camarinha-Matos, L., Afsarmanesh, H.: Dynamic virtual organizations, or not so dynamic ? In: Third IFIP Working Conference on Virtual Enterprise (PROVE2002). (2002) 111–124 8. Wangham, M.S., da Silva Fraga, J., Deitos, R., Fernandes, E.: Reposit´ orios seguros de dados para protec˜ ao de agentes m´ oveis contra plataformas maliciosas. In: IV Workshop em Seguranca de Sistemas Computacionais. (2004) (in portuguese). 9. OMG: Mobile agent facility specification. OMG Document 2000-01-02 (2000) 10. Karnik, N.: Security in Mobile Agent System. PhD thesis, University of Minnesota (1998) http://www.cs.umn.edu/Ajanta. 11. Morcos, A.: A java implementation of simple distributed security infrastructure. Master’s thesis, Massachusetts Institute of Technology (1998) 12. Karjoth, G., Asokan, N., C.Gulcu: Protecting the computing results of free-roaming agents. In: Proc. of the Second International Workshop on Mobile Agents. (1998)
