Combining techniques for protecting mobile agents Lucas de Carvalho Ferreira, Nelson Uto, and Ricardo Dahab
Instituto de Computação - Unicamp Avenida Albert Einstein, 1251 Caixa Postal 6176 13083�970 Campinas, SP - Brazil phone: +55-19-3788-5874, Fax: 55 19 3788-5847 {lucasf,nelsuto,rdahab}@ic.unicamp.br
This paper presents several techniques for protecting mobile agents against malicious hosts and describes the strengths and weaknesses that arise from the combination of those techniques. A protocol which combines these techniques is also presented. The techniques discussed are: environmental key generation, cryptographic traces, time-limited black boxes and blinded-key signatures. Abstract.
1
Introduction
Mobile agent systems are a promising paradigm for building distributed applications. They are characterized by the presence of mobile agents, pieces of software that have mobility as an intrinsic property. The term mobile agent systems usually refers to the middleware necessary to support agent mobility and any other elements that interact with the agents. A mobile agent system is usually comprised of:
Agent owners which are the elements (usually humans) that build and/or release agents in the system.
Agents which are mobile pieces of code. Agents must be autonomous, in that they have a goal set by their owners and are able to roam around the system to complete this goal without needing to interact with the owner.
Agent servers which are the places where agents may execute. Usually agent servers are required to run some middleware software to support agent mobility. Those are sometimes called hosts or agencies. The mobile agent paradigm brings many new possibilities for building distributed systems, but also introduces new security requirements and challenges. Researchers usually de�ne two classes of security problems related to mobile agents: server or host protection and agent protection.
Server protection problems deal with the protection of agent server resources and integrity against attacks from malicious agents. Most modern mobile agent platforms o�er some kind of support for server protection, usually based on the
sandbox model. For more details on how actual mobile agent systems handle server protection, refer to [1,2]. The agent protection problem may be further divided in two: protection from other agents and protection from the agent server. As with server protection problems, most modern agent systems address the issues of protecting agents against other agents running on the same agent system (possibly on other hosts or servers). The protection of agents from malicious servers was once considered unsolvable [2], but Sander and Tschudin [3] have since given a partial crypto-
1
graphic solution to this problem ; unfortunately, general cryptographic solutions to protect mobile agents are still not practical. Nevertheless, several techniques that provide partial solutions have been proposed. In this paper, we analyze how the combination of some of these techniques can be used to increase the security of mobile agents against malicious agent servers. In the next two sections, we describe related works and the techniques we will be combining to increase the overall security of the agent system. In Sections 4 and 5 we detail the strengths and weaknesses of combinations of the techniques of Section 3; a protocol which combines the techniques is outlined and discussed. The last section concludes the paper.
2
Related work
In this section, we summarize several mechanisms that have been proposed in the literature to protect agents against attacks perpetrated by malicious hosts and agents. As we shall see, this is a hard problem to deal with. The main di�cult is the inability to e�ectively provide a trusted computing base to an agent while it roams around the network, since the platform it will be run belongs to some (possibly malicious) third party. Meadows [4] describes in the use of detection objects to allow the detection of tampering of data collected by agents. The idea is to let an agent carry dummy items together with real data. Later, when the agent returns to its home server, those dummy items can be checked to detect tampering. If these dummy items have not been tampered with, one could expect that the real ones are also untouched. The main weakness of this approach is that it lacks the cryptographic strength necessary to be used as a proof in a trial. Schneider [5] applies fault tolerant techniques to counter threats by malicious servers. This approach uses multiple copies of an agent to perform a single computation. This way, considering that the majority of the servers are well behaved, it is possible to discard any maliciously altered agent by a voting protocol. The natural drawback here is the additional cost due to the replication of servers and agents. A very interesting mechanism was proposed by Sander and Tschudin [3]. In their approach, a function
f (x)
that should be calculated by an agent in foreign
servers is �rst encrypted resulting in a second function
1
Their solution is applicable only to polynomial functions
E(f (x)).
This function
is then coded so the agent can execute it. Since we suppose that only the agent owner knows the corresponding decrypting function and it is hard to compute
f (x)
from
E(f (x)),
we get the privacy of the original function. Unfortunately,
this powerful mechanism has not been yet generalized to be used with all sort of functions. Several mechanisms have been devised to allow the veri�cation of the integrity of an agent's state [6,7,8,9]. These mechanisms usually employ a cryptographic checksum which is calculated over the data collected so far, before each agent migration. The objective of the checksum is to link the new data obtained at the present server with the data provided by servers previously visited. The main disadvantage of these techniques is that data can be undetectably forged, erased or modi�ed if a malicious server is visited by the same agent more than once. Finally, we have the use of tamper-resistant hardware to provide a trusted computing base to the visiting agents [10,11]. The idea is to encapsulate the execution environment within the tamper-proof hardware, so the agents are protected from modi�cations and unauthorized accesses by malicious third parties. This is achieved because the agents are encrypted while outside the tamperresistant hardware and, while inside, communication with agents is possible only through a well-de�ned and restricted interface. Those solutions are costly because they employ specialized hardware and are susceptible to API attacks [12]. Some other techniques are not cited here because they are part of the main goals of this paper and are analyzed in detail in the next Section. Table 1 summarizes the agent protection techniques described in this paper.
Technique Detection objects Replication and voting Computing with encrypted functions Partial result authentication code Ajanta mechanisms KAG protocols SOMA protocols Tamper-resistant hardware Blinded-key signatures
Objective Integrity of data collected by agents Integrity of agent execution Secrecy of agent's data and code Integrity of data collected by agents
Secrecy and integrity of agent's data and code Protection of private keys carried by agents Secrecy of code until a speci�c environmental Environmental key generation condition is found Auditing of agent execution Execution traces Secrecy of data and code only for a limited Time-limited black boxes amount of time Table 1. Summary of agent protection techniques.
3
Brief descriptions of the chosen techniques
In this section, we present several techniques that address the problem of protecting mobile agents from malicious hosts. Each of these techniques helps to enhance the security of code executing in an untrusted environment against tampering and the disclosure of sensitive data. We believe that a higher level of security may be achieved by combining some or all of these techniques. We speci�cally refrain from including in this discussion general cryptographic techniques, including those proposed by [3,13], since those techniques are not considered practical enough to be implemented. We also do not include techniques to protect partial results carried by mobile agents as discussed in Section 5.2. As we focus on combining di�erent techniques, the feasibility of implementing and combining the techniques is a major concern to us.
3.1
Blinded-key signatures
Ferreira and Dahab [14] present a new cryptographic technique that allows private keys to be carried by mobile agents. It consists of hiding the key by multiplying it by a random number called the blinding factor before making it part of the agent's data. The blinding factor is kept secret and must be used to verify the signatures generated by the agent. Blinded-key signatures require the use of notaries, which are trusted third parties that are able to verify the validity of the blinded-key signatures output by the agents. Notaries are trusted by both the agent owners and agencies to correctly execute the protocols de�ned in [14].
Strengths Blinded-key signatures are an e�cient technique to hide private keys in agents that need to sign all sorts of agreements, including contracts and payment orders. The technique is simple to implement and can be applied to well-known cryptographic primitives like RSA signatures.
Drawbacks Since the private key, although hidden, must be embedded in the mobile agent's state, a malicious host may extract and use it (or the whole signature routine) to sign as many di�erent agreements as it likes. The authors proposed the use of policies, which would be enforced by the trusted third party responsible for verifying the blinded-key signatures. This reduces the risk of the agent owner but does not guarantee a fair negotiation of the terms of the agreement that will be signed. The host is still able to interpret the agent's code to determine the upper bound (or lower bound depending on its intent) of the set of acceptable agreements and generate a signed agreement without going through the negotiation process. In summary, blinded-key signature techniques can protect an agent's private key but do not protect any other part of the agent's state or the agent's code, which are still vulnerable to attacks by the host.
3.2
Environmental key generation
Riordan and Schneier [15] proposed using data found on the environment where the agent executes to construct decryption keys. Their constructs could be used to build what they call clueless agents, which are agents that have no clues about their mission until it is time to execute it. They propose building clueless agents by encrypting the code segment that speci�es the agent's behavior. The agent would then have to collect data in its environment to build a key to decrypt this speci�c part of its code. Until this data has been collected, neither the agent nor the host are able to execute or understand the agent's mission or strategy. The authors describe several types of environmental data that could be used to �wake-up� the agent: keywords in messages such as email or Usenet news, keywords in a database that trigger �search agents� and time-based broadcasts. The authors also present techniques for activating or deactivating the agent on given moments.
Strengths The technique allows the agent owner to specify some constraints on the environment where the agent will execute. In particular, the agent may rely on a time-based broadcast from a trusted third party to activate its payload. Such time-based agents may be useful to restrict the time a malicious host has to subvert an agent.
Drawbacks The main drawback of this technique is that, once the agent code or state is decrypted, it is available to a malicious host for reading or manipulating at will. The authors describe the use of database contents to generate keys that may be defeated by dictionary attacks.
3.3
Execution traces
Vigna [16] proposes using cryptographic traces to protect mobile agents from tampering by malicious hosts. Traces compile the information needed to recreate a given execution of a piece of code and include information on the statements executed, input values and �nal state. Vigna also describes ways to reduce the size of traces by recording only the values of the external inputs. A mobile agent system using traces would require all hosts to sign traces of all agent executions if any output from the agent is to be considered valid. This would allow the agent owner to audit agent execution and misbehaving hosts could be punished.
Strengths Traces are very useful to spot host that tampered mobile agents and could be used as proof to a third party that a given execution of an agent was not done correctly.
Drawbacks As most detection methods, traces do not prevent tampering or protect the agents' state from eavesdropping. Both the agents' code, which could reveal its strategies or policies, and state, which could contain sensitive information, are readily available to a malicious host. The computational power to verify the traces may also be equal to the computational power needed to execute the agent. In some cases, the owner's platform may not have enough power to redo the computation to verify it (e.g. mobile devices).
3.4
Time-limited black boxes
Hohl [17] describes the usage of code obfuscation techniques to build time-limited
black boxes, which are constructions that can protect both the agent's state and code for some time. To use time-limited black boxes, the agent owner builds the agent and applies obfuscation techniques to its state and code before releasing it in a mobile agent system. The host executing the agent is thus unable to directly infer the agent's intent from the state and code it receives for execution.
Strengths Since it cannot infer the agent's intents or strategy, a malicious host is unable to manipulate its execution in a meaningful way.
Drawbacks Since it is based on empirical techniques, it is possible to reconstruct the original agent from its obfuscated version. It is also impossible to predict the time necessary to invert the obfuscation. This makes this technique not suitable for agents that carry long-lived sensitive information, be it data (e.g. cryptographic keys) or code (e.g. proprietary techniques). There are more recent code obfuscation techniques [18] that make the complexity of deobfuscation very high (e.g. NP-Hard problems). But those techniques still do not stand against good human decompilers and even the most complex problems may be trivial to solve for small instances. Since most mobile agents have a small code base, it may be easy to deobfuscate them even if these techniques can be proven secure by complexity theory.
4
Combining techniques
In this Section we examine the strengths and drawbacks that arise from some possible pairwise combinations of the techniques presented in the last Section. In this paper, we present only a subset of the possible combinations.
4.1
Blinded-key Signatures and Environmental keys
Environmental keys allow the agent owner to specify some condition that must hold before the agent code is decrypted and executed. This allows the agent owner to control when and where the agent should be executed, while maintaining the agent's code and data con�dential until this condition holds. Once
the condition holds and the agent is decrypted for execution, it is vulnerable to a malicious host, which could change its code or extract sensitive information from the agent. A blinded-key signature scheme would allow an agent to carry a private key, adding more security to environmental-key-based agents.
Strengths The combination of these techniques allows the agent owner to specify when and under which conditions the agent should be executed and allows for the inclusion of private keys in the agent's state. The agent code is protected until it is time for the agent to be executed and the private key is protected from the server by blinding.
Drawbacks While giving a higher level of security for mobile agents, the combination of environmental keys and blinded-key signatures does not address the issues that may arise if the agent server is able to tamper with the agent's code or data (excluding embedded private keys). As an example, a host could be able to devise the agent's negotiation strategy and act accordingly to maximize its pro�ts.
4.2
Blinded-key signatures and Traces
Cryptographic execution traces are a so-called �after the fact� technique. Traces allow the agent owner to verify and prove to some authority that the agent's code was not correctly executed. Traces do not protect agents from eavesdropping and should not be used with agents that carry sensitive information. We see cryptographic execution traces as an auditing (and prosecuting) technique. Used together with blinded-key signatures, execution traces would allow the agent owner to build negotiation agents that have the ability to sign agreements, and the owner would have the means to contest the outcome of the transaction if the traces generated by the agent server are not correct.
Strengths The use of policies are required by the blinded-key signature technique to prevent the agent server from signing arbitrary agreements the agent owner would have to abide by. A simple policy could be that the agent code should be executed correctly, which could be veri�ed by execution traces. This allows the agent owner to code the agent's policy and strategy and be sure that this policy was respected.
Drawbacks The agent server is still able to understand the agent's strategy and behavior by looking at its code. The agent server could determine the threshold values for agent acceptance in a negotiation and thus maximize its pro�ts without tampering with the agent. Also, some policies may be dependent on environmental values, such as time of execution, which cannot be enforced by the agent's code alone, requiring the blinded-key signature TTP to enforce part of the policies determined by the agent owner.
4.3
Environmental Keys and Traces
Environmental keys allow hiding the agent's behavior until execution time, but cannot guarantee the agent's correct execution. They also do not provide agent protection if the agent server can modify the decrypted agent code fast enough to meet all the agent owner's timing policies. Traces can provide an audit trail for the execution of the agent code in clear text, thus allowing the owner to prove whether the agent server misbehaved.
Strengths This combination of techniques greatly reduces the risk of agent tampering. Thus it increases the odds that the agent will be correctly executed while reducing the time frame a malicious agent server would have to analyze the agent code in order to understand its behavior.
Drawbacks This combination of techniques does not protect long-lived secrets carried by the agent, such as cryptographic keys. Also, a fast agent server would be able to understand the agent's behavior and act accordingly to maximize its pro�ts.
5
All techniques together
In the previous Section, we showed that combining protection techniques may increase the security of mobile agents while some important drawbacks remained, making them unsuitable for some applications. We now examine the security properties of combining all the techniques introduced in Section 3. Let us �rst list the individual contributions of each technique to the overall security of a mobile agent:
Blinded-key Signatures Allows for the protection of private keys carried by the agent which can be autonomous even to sign legally binding agreements.
Environmental key generation Makes it possible to enforce a policy that prescribes the environmental conditions for the agent to execute. Speci�cally, allow the agent owner to specify a time frame for the agent code and data do be decrypted.
Cryptographic execution traces Generate an important audit trail for the agent owner to verify if the agent was executed correctly. This audit trail could be required before the agreements signed by the agent are considered legal.
Time-limited blackboxing Protect the agent code and data for some limited time. Increases the di�culty of tampering with or eavesdropping the agent. Taking into account all those contributions, we envision a mobile agent system that: 1. Uses time-based environmental keys to specify the time when the agent will be executed, while protecting the agent code and state until this time.
2. Uses black boxes for the decrypted agent code to protect any sensitive information carried by the agent while it is executing. 3. Enforces the use of cryptographic traces to validate all actions executed by mobile agents. Any result from an agent execution is considered invalid until a valid trace is presented. 4. Protects private keys carried by the agent as blinded-keys to guarantee their privacy even if the protection techniques fail.
5.1
Protocol
Algorithm 1 describes the protocol to be used with the combination of techniques described above, which is an extension of the protocol proposed in [14]. This protocol starts after the agent and the host have reached an agreement and the agent has provided the host with a blinded-key signature of this agreement. Since the protocol uses blinded-key signatures, it requires the use of a notary (see Section 3.1). In this protocol, the agent ID will have been agreed between the Notary and the agent owner during the �rst phase of the blinded-key signature protocol (see [14]) and the host ID has been assigned to the agent server by the Notary. We assume a P ublic Key Infrastructure is available. The protocol will require both the agent and the host to sign the agreement, and the host to sign the traces generated by the agent's execution. The notary is responsible for verifying all signatures and to build statements of their validity so the host can verify the transaction was valid and the agent can carry all information needed by its owner to verify the validity of the transaction. After the protocol has been executed, the host and the agent receive enough information to verify the transaction and the owner can ask the notary for the execution trace to verify it. If any problem is detected on the trace, the owner should contact the notary for enacting of possible legal or disciplinary actions. In cases where the host does not provide the agent with a valid signature of the agreement or the notary's statement of the transaction's outcome, the agent's owner may later request them to the notary.
Algorithm 1 Validation protocol
agent → host: agreement, blinded-key signature, agent ID host → notary: agreement, blinded-key signature, agent ID, host ID, host signature of the agreement, trace, host signature on trace notary: checks signatures, saves trace notary → host: signed statement of the validity of the blinded-key signature, signed statement of the validity of the host's signatures host: checks notary's signature, checks if blinded-key signature is valid host → agent: notary's signed statement of the validity of the host's signature agent: stores notary's statement
5.2
Remaining problems
The combined techniques presented above greatly increases the security of mobile agents but still fails to consider some attacks and implementation drawbacks. The main class of attacks not dealt in the discussion above is the class of denial of service attacks. This means that the agent server can still refuse to execute the agent or to grant the agent access to some resources, including the environmental values the agent may need to decrypt and activate its code. A denial of service attack could lead to poor performance or even malfunction of an agentbased system if the agent is to perform some task which is vital to the system. Coordinated denial of service attacks, in which many agent servers refuse to execute one or more agents, could lead to the failure of the system even if it uses a fault-tolerant approach. In some systems, agent servers could use black lists to avoid executing known malicious agents. Black list poisoning, which is the inclusion of some agent's identi�cation in the list with a malicious purpose, could lead to a widespread denial of service to the agent, which could lead to system malfunction. None of the techniques presented above prevents replay attacks, in which a malicious server executes the same agent multiple times. Such a malicious server could treat the agent as a black box and map di�erent inputs to the agent to di�erent outputs and try to increase its understanding of the agent. An external TTP could avoid validating multiple results from a single agent, but cannot fully detect replay attacks. We also did not include techniques aiming at protecting partial results carried by agents, as those of Wang et al. and Bellare and Yee [18,19], since the use of those techniques could con�ict with the use of environmental keys. The study of the interactions of environmental keys and blackboxing with partial result protection techniques will be object of future work. The main implementation drawback of the combination of these techniques is the interaction of black boxes with the generation of execution traces. Although it is clear that the code generated by blackboxing techniques can be used to generate traces, it is not clear if the optimizations needed by tracing techniques to become practical will work correctly or will give any improvement when used with obfuscated code. Another issue is how e�ective the obfuscation techniques used to generate black boxes are when used on agents with a small code. Even the obfuscation which are provably hard to defeat [18], have their e�ectiveness dependent of the size of the codebase. Since the most usual mobile agent applications use mostly small agents, the e�ectiveness of blackboxing techniques may be reduced. Further study is needed also to assess how the protocol of Section 5.1 impacts the performance of a mobile agent system. We conjecture that this performance cost will not make the use of such a protocol impractical, and that it will be acceptable given the security gains it brings to the system. We have plans for a complete implementation of the system proposed here and of Protocol 1.
6
Conclusions
In this paper we have shown how the deployment of di�erent mobile agent protection techniques can be used together to increase the level of security o�ered by mobile agent systems. We discussed the strengths and weaknesses of several combinations of protection techniques, showing that, although literature on the subject does contain a good number of ideas, it is not yet mature enough. Even the combination of the four techniques presented in this paper still lacks protection against some important classes of attacks against mobile agents. As a new research area, mobile agent security still requires a good deal of work and new paradigms, specially in understanding and responding to threats to mobile agents and in formalizing security requirements for mobile agents. Practical formal methods would also be useful to make secure mobile agent systems closer to application designers.
References 1. Uto, N., Dahab, R.: Survey sobre segurança de sistemas de agentes móveis. Technical Report IC-01-08, Instituto de Computação - Unicamp, Campinas, SP, Brazil (2001) 2. Chess, D.M.: Security issues in mobile code systems. In Vigna, G., ed.: Mobile Agents and Security. Number 1419 in Lecture Notes in Computer Science. SpringerVerlag (1998) 1�14 3. Sander, T., Tschudin, C.F.: Protecting mobile agents against malicious hosts. In Vigna, G., ed.: Mobile Agent Security. Number 1419 in Lecture Notes in Computer Science. Springer-Verlag (1998) 4. Meadows, C.: Detecting Attacks on Mobile Agents. In: DARPA Workshop on Foundations for Secure Mobile Code, Monterey, California, USA (1997) 5. Schneider, F.B.: Towards Fault-tolerant and Secure Agentry. In Mavronicolas, M., Tsigas, P., eds.: 11th International Workshop, WDAG '97, Proceedings. Volume 1320 of Lecture Notes in Computer Science., Saarbrücken, Alemanha, Springer (1997) 1�14 6. Yee, B.S.: A Sanctuary for Mobile Agents. In Vitek, J., Jensen, C.D., eds.: Secure Internet Programming, Security Issues for Mobile and Distributed Objects. Volume 1603 of Lecture Notes in Computer Science., Springer (1999) 261�273 7. Karnik, N.: Security in Mobile Agent Systems. PhD thesis, Department of Computer Science and Engineering � University of Minnesota, Minneapolis, USA (1998) 8. Karjoth, G., Asokan, N., Gülcü, C.: Protecting the Computation Results of FreeRoaming Agents. In Rothermel, K., Hohl, F., eds.: Mobile Agents, Second International Workshop, MA '98, Proceedings. Volume 1477 of Lecture Notes in Computer Science., Stuttgart, Germany, Springer (1998) 195�207 9. Corradi, A., Cremonini, M., Montanari, R., Stefanelli, C.: Mobile Agents and Security: Protocols for Integrity. In Kutvonen, L., König, H., Tienari, M., eds.: Proceedings of the 2nd IFIP WG 6.1 International Working Conference on Distributed Applications and Interoperable Systems (DAIS '99), Helsinki, Finland, Kluwer Academic Publishers (1999) 177�190 10. Wilhelm, U.G.: A Technical Approach to Privacy based on Mobile Agents Protected by Tamper-resistant Hardware. PhD thesis, École Polytechnique Fédérale de Lausanne (1999)
11. Fünfrocken, S.: Protecting Mobile Web-Commerce Agents with Smartcards. In: First International Symposium on Agent Systems and Applications and Third International Symposium on Mobile Agents, ASA/MA '99, Proceedings, Palm Springs, California, USA, IEEE Computer Society Press (1999) 90�102 12. Bond, M., Anderson, R.: API-level attacks on embedded systems. Computer 34 (2001) 67�75 13. Cachin, C., Camenisch, J., Kilian, J., Müller, J.: One-round secure computation and secure autonomous mobile agents. In: Proceedings of ICALP'2000. (2000) 14. Ferreira, L.C., Dahab, R.: Blinded-key signatures: securing private keys in mobile agents. In: Proceedings of SAC'2002 - ACM Symposium on Applied Computing, Madrid, Spain (2002) 15. Riordan, J., Schneier, B.: Environmental key generation towards clueless agents. Lecture Notes in Computer Science 1419 (1998) 15�24 16. Vigna, G.: Protecting mobile agents through tracing. In: Third Workshop on Mobile Object Systems, Jyvalskyla, Finland (1997) 17. Hohl, F.: Time limited blackbox security: Protecting mobile agents from malicious hosts. In Vigna, G., ed.: Mobile Agent Security. Number 1419 in Lecture Notes in Computer Science. Springer-Verlag (1998) 18. Wang, C., Davidson, J., Hill, J., Knight, J.: Protection of software-based survivability mechanisms. In: International Conference of Dependable Systems and Networks, Goteborg, Sweden (2001) 19. Bellare, M., Yee, B.S.: Forward integrity for secure audit logs. Technical report, UC at San Diego, Dept. of Computer Science and Engineering (1997)
