Currently, this bibliography consists of nothing but a flat HTML file, but I plan to move to a BibTeX file in the (far) future. Unfortunately, this last sentence holds true forever :-(
Bib: [Kar98] Karnik, Neeran: Security in Mobile Agent Systems, Ph.D. dissertation. Department of Computer Science and Engineering, University of Minnesota, 1998
The advent of the information society creates serious challenges for the privacy of individuals. Due to the drastically improving communication infrastructure, ever larger amounts of ever more precise information become available. The problem with the free availability of this information is not only the risk that the information can be abused by powerful institutions, but also that this can lead to an unconfined mutual surveillance of individuals, which can have adverse effects on society as a whole.
We argue that individuals should be empowered to define for themselves the level of privacy they are comfortable with. This can be achieved by notifying them whenever information on them is created, accessed, or modified and by giving them some control over the use of this information. The notification informs individuals who is using what information on them and allows them to detect possible problems with this use. The control allows individuals to resolve most (or at least some) of these problems. Obviously this requires that the individuals can trust the users of information to properly implement these notifications and to offer an effective control. We analyze the concept of trust more closely and distinguish between the optimistic and the pessimistic approach to trust, which can both provide the foundation for the protection of privacy. The former is based on the classical concepts of control and sanctions, while the latter tries to prevent malicious behaviour.
We choose to pursue the pessimistic approach and investigate technical means that can be used for this purpose. A promising technology is the mobile agent paradigm, which is a new approach to structure distributed applications. Its main idea is to move both the code and the state of an object to another principal for remote execution. This indicates that the mobile agent paradigm also embraces the object-oriented programming paradigm, which allows us to encapsulate a data item and to specify an access control policy on it. Since the mobile agent is physically moved to a remote location that is under the control of a different principal, it needs to be protected from this principal who is responsible for its execution. This problem constitutes the major difficulty for using the mobile agent paradigm for privacy protection and is explored in great detail. Based on the discussion in the relevant literature, we decide on an approach that relies on a trusted and tamper-resistant hardware device, which is developed on a conceptual level.
The approach is further explored in the context of the mobile agent paradigm, where it allows us to realize more elaborate protection goals that may be desirable for the owner of the mobile agent. These are developed in the form of conducts, which regroup the goal, the requirements, as well as a specification of the necessary collaboration to achieve this goal.
Finally, we return to the original problem and describe how the presented technology can be used to improve the protection of privacy. This results in a rather complex framework, in which information on individuals cannot be used freely, but where this use is constrained by the level of privacy desired by the subject of the information. The major problem of this framework is the increased complexity that individuals have to deal with. This problem is addressed with an additional level of indirection that attempts to confine the complexity and to delegate it to trusted experts.
We believe that this approach, despite its complexity, is a viable means to address the urgent problems of privacy protection, which do not lend themselves to simple solutions.
Bib: [Wil99] Wilhelm, Uwe: A Technical Approach to Privacy based on Mobile Agents Protected by Tamper-resistant Hardware. PhD Thesis Nr. 1961. Département d'Informatique, École Polytechnique Fédérale de Lausanne, 1999.
Proceedings of the 4th WORKSHOP ON MOBILE OBJECT SYSTEMS: Secure Internet Mobile Computations.
Bib: [ST99] Swarup, Vipin; Thayer Fábrega, Javier: Trust: Benefits, Models, and Mechanisms, in: Jan Vitek; Christian Jensen (Eds.): Secure Internet Programming, LNCS 1603, Springer-Verlag, pp. 3-18, 1999.
Bib: [Aba99] Abadi, Martin: Protection in Programming Language Translations, in: Jan Vitek; Christian Jensen (Eds.): Secure Internet Programming, LNCS 1603, Springer-Verlag, pp. 19-34, 1999.
Bib: [ACF99] Ancona, Massimo; Cazzola, Walter; Fernandez, Eduardo B.: Reflective Authorization Systems: Possibilities, Benefits, and Drawbacks, in: Jan Vitek; Christian Jensen (Eds.): Secure Internet Programming, LNCS 1603, Springer-Verlag, pp. 35-50, 1999.
Bib: [Car99] Cardelli, Luca: Abstractions for Mobile Computations, in: Jan Vitek; Christian Jensen (Eds.): Secure Internet Programming, LNCS 1603, Springer-Verlag, pp. 51-94, 1999.
Bib: [HR99] Hennessy, Matthew; Riely, James: Type Safe Execution of Mobile Agents in Anonymous Networks, in: Jan Vitek; Christian Jensen (Eds.): Secure Internet Programming, LNCS 1603, Springer-Verlag, pp. 95-116, 1999.
Bib: [NFP99] De Nicola, Rocco; Ferrari, GianLuigi; Pugliese, Rosario: Types as Specifications of Access Policies, in: Jan Vitek; Christian Jensen (Eds.): Secure Internet Programming, LNCS 1603, Springer-Verlag, pp. 117-146, 1999.
Bib: [LR99] Leroy, Xavier; Rouaix, François: Security Properties of Typed Applets, in: Jan Vitek; Christian Jensen (Eds.): Secure Internet Programming, LNCS 1603, Springer-Verlag, pp. 147-184, 1999.
Bib: [BFI99] Blaze, Matt; Feigenbaum, Joan; Ioannidis, John; Keromytis, Angelos D.: The Role of Trust Management in Distributed Systems Security, in: Jan Vitek; Christian Jensen (Eds.): Secure Internet Programming, LNCS 1603, Springer-Verlag, pp. 185-210, 1999.
Bib: [Aur99] Aura, Tuomas: Distributed Access Rights Management with Delegation Certificates, in: Jan Vitek; Christian Jensen (Eds.): Secure Internet Programming, LNCS 1603, Springer-Verlag, pp. 211-236, 1999.
Bib: [Bro99] Brose, Gerald: A View Based Access Control Model for CORBA, in: Jan Vitek; Christian Jensen (Eds.): Secure Internet Programming, LNCS 1603, Springer-Verlag, pp. 237-252, 1999.
Bib: [Tsc99] Tschudin, Christian: Apoptosis - the Programmed Death of Distributed Services, in: Jan Vitek; Christian Jensen (Eds.): Secure Internet Programming, LNCS 1603, Springer-Verlag, pp. 253-260, 1999.
Bib: [Yee99] Yee, Bennet S.: A Sanctuary for Mobile Agents, in: Jan Vitek; Christian Jensen (Eds.): Secure Internet Programming, LNCS 1603, Springer-Verlag, pp. 261-274, 1999.
Bib: [Rot99] Roth, Volker: Mutual Protection of Cooperating Agents, in: Jan Vitek; Christian Jensen (Eds.): Secure Internet Programming, LNCS 1603, Springer-Verlag, pp. 275-288, 1999.
Bib: [Jae99] Jaeger, Trent: Access Control in Configurable Systems, in: Jan Vitek; Christian Jensen (Eds.): Secure Internet Programming, LNCS 1603, Springer-Verlag, pp. 289-310, 1999.
Bib: [GB99] Grimm, Robert; Bershad, Brian N.: Providing Policy Neutral and Transparent Access Control in Extensible Systems, in: Jan Vitek; Christian Jensen (Eds.): Secure Internet Programming, LNCS 1603, Springer-Verlag, pp. 311-338, 1999.
Bib: [Jon99] Jones, Michael B.: Interposition Agents: Transparently Interposing User Code at the System Interface, in: Jan Vitek; Christian Jensen (Eds.): Secure Internet Programming, LNCS 1603, Springer-Verlag, pp. 339-368, 1999.
Bib: [HHS99] Hawblitzel, Chris; Hu, Deyu; Spoonhower, Dan: J-Kernel: A Capability-Based Operating System for Java, in: Jan Vitek; Christian Jensen (Eds.): Secure Internet Programming, LNCS 1603, Springer-Verlag, pp. 369-394, 1999.
Bib: [DAB99] van Doorn, Leendert; Abadi, Martín; Burrows, Mike; Wobber, Edward: Secure Network Objects, in: Jan Vitek; Christian Jensen (Eds.): Secure Internet Programming, LNCS 1603, Springer-Verlag, pp. 395-412, 1999.
Bib: [EAC99] Edjlali, Guy; Acharya, Anurag; Chaudhary, Vipin: History Based Access Control for Mobile Code, in: Jan Vitek; Christian Jensen (Eds.): Secure Internet Programming, LNCS 1603, Springer-Verlag, pp. 413-432, 1999.
Bib: [AAK99] Alexander, D. Scott; Arbaugh, William A.; Keromytis, Angelos D.; Smith, Jonathan M.: Security in Active Networks, in: Jan Vitek; Christian Jensen (Eds.): Secure Internet Programming, LNCS 1603, Springer-Verlag, pp. 433-452, 1999.
Bib: [HVH99] Hulaas, J.; Villazón, A.; Harms, J.: Using Interfaces to Specify Access Rights, in: Jan Vitek; Christian Jensen (Eds.): Secure Internet Programming, LNCS 1603, Springer-Verlag, pp. 453-468, 1999.
Bib: [WSB99] Wilhelm, Uwe G.; Staamann, Sebastian; Buttyán, Levente: Introducing Trusted Third Parties to the Mobile Agent Paradigm, in: Jan Vitek; Christian Jensen (Eds.): Secure Internet Programming, LNCS 1603, Springer-Verlag, pp. 469-492, 1999.
Abstract: In mobile code systems, programs or processes travel from host to host in order to accomplish their goals. Such systems violate some of the assumptions that underlie most existing computer security implementations. In order to make these new systems secure, we will have to deal with a number of issues that previous systems have been able to ignore or sidestep. This paper surveys the assumptions that mobile code systems violate (including the identification of programs with persons, and other assumptions that follow from that), the new security issues that arise, and some of the ways that these issues will be addressed.
Bib: [Che98] Chess, David M.: Security Issues in Mobile Code Systems, in: Giovanni Vigna (Ed.): Mobile Agents and Security. pp 1-14. Springer-Verlag, 1998.
Abstract: In this paper, we introduce a collection of cryptographic key constructions built from environmental data that are resistant to adversarial analysis and deceit. We expound upon their properties and discuss some possible applications; the primary envisioned use of these constructions is in the creation of mobile agents whose analysis does not reveal their exact purpose.
Bib: [RS98] Riordan, James; Schneier, Bruce: Environmental Key Generation Towards Clueless Agents, in: Giovanni Vigna (Ed.): Mobile Agents and Security. pp 15-24. Springer-Verlag, 1998.
Abstract: Many programming languages have been developed and implemented for mobile code environments. They are typically quite expressive. But while security is an important aspect of any mobile code technology, it is often treated after the fundamental design is complete, in ad hoc ways. In the end, it is unclear what security guarantees can be made for the system. We argue that mobile programming languages should be designed around certain security properties that hold for all well-formed programs. This requires a better understanding of the relationship between programming language design and security. Appropriate security properties must be identified. Some of these properties and related issues are explored.
Bib: [VS98] Volpano, Dennis; Smith, Geoffrey: Language Issues in Mobile Program Security, in: Giovanni Vigna (Ed.): Mobile Agents and Security. pp 25-43. Springer-Verlag, 1998.
Abstract: A key element of any mobile code based distributed system are the security mechanisms available to protect (a) the host against potentially hostile actions of a code fragment under execution and (b) the mobile code against tampering attempts by the executing host. Many techniques for the first problem (a) have been developed. The second problem (b) seems to be much harder: It is the general belief that computation privacy for mobile code cannot be provided without tamper resistant hardware. Furthermore it is doubted that an agent can keep a secret (e.g., a secret key to generate digital signatures). There is an error in reasoning in the arguments supporting these beliefs which we are going to point out. In this paper we describe software-only approaches for providing computation privacy for mobile code in the important case that the mobile code fragment computes an algebraic circuit (a polynomial). We further describe an approach how a mobile agent can digitally sign his output securely.
Bib: [ST98] Sander, Tomas; Tschudin, Christian F.: Protecting Mobile Agents Against Malicious Hosts, in: Giovanni Vigna (Ed.): Mobile Agents and Security. pp 44-60. Springer-Verlag, 1998.
Abstract: Proof-Carrying Code (PCC) enables a computer system to determine, automatically and with certainty, that program code provided by another system is safe to install and execute without requiring interpretation or run-time checking. PCC has applications in any computing system in which the safe, efficient, and dynamic installation of code is needed. The key idea is to attach to the code an easily-checkable proof that its execution does not violate the safety policy of the receiving system. This paper describes the design and a typical implementation of Proof-Carrying Code, where the language used for specifying the safety properties is first-order predicate logic. Examples of safety properties described in this paper are memory safety and compliance with data access policies, resource usage bounds, and data abstraction boundaries.
Bib: [NL98] Necula, George C.; Lee, Peter: Safe, Untrusted Agents Using Proof-Carrying Code, in: Giovanni Vigna (Ed.): Mobile Agents and Security. pp 61-91. Springer-Verlag, 1998.
Abstract: In this paper, an approach to partially solve one of the most difficult aspects of security of mobile agents systems is presented, the problem of malicious hosts. This problem consists in the possibility of attacks against a mobile agent by the party that maintains an agent system node, a host. The idea to solve this problem is to create a blackbox out of an original agent. A blackbox is an agent that performs the same work as the original agent, but is of a different structure. This difference allows one to assume a certain agent protection time interval, during which it is impossible for an attacker to discover relevant data or to manipulate the execution of the agent. After that time interval the agent and some associated data get invalid and the agent cannot migrate or interact anymore, which prevents the exploitation of attacks after the protection interval.
Bib: [Hoh98] Hohl, Fritz: Time Limited Blackbox Security: Protecting Mobile Agents From Malicious Hosts, in: Giovanni Vigna (Ed.): Mobile Agents and Security. pp 92-113. Springer-Verlag, 1998.
Abstract: In mobile agent systems, program code together with some process state can autonomously migrate to new hosts. Despite its many practical benefits, mobile agent technology results in significant new security threats from malicious agents and hosts. In this paper, we propose a security architecture to achieve three goals: certification that a server has the authority to execute an agent on behalf of its sender; flexible selection of privileges, so that an agent arriving at a server may be given the privileges necessary to carry out the task for which it has come to the server; and state appraisal, to ensure that an agent has not become malicious as a consequence of alterations to its state. The architecture models the trust relations between the principals of mobile agent systems and includes authentication and authorization mechanisms.
Bib: [BGS98] Berkovits, Shimshon; Guttman, Joshua D.; Swarup, Vipin: Authentication for Mobile Agents, in: Giovanni Vigna (Ed.): Mobile Agents and Security. pp 114-136. Springer-Verlag, 1998.
Abstract: Mobile code systems are technologies that allow applications to move their code, and possibly the corresponding state, among the nodes of a wide-area network. Code mobility is a flexible and powerful mechanism that can be exploited to build distributed applications on an Internet scale. At the same time, the ability to move code to and from remote hosts introduces serious security issues. These issues include authentication of the parties involved and protection of the hosts from malicious code. However, the most difficult task is to protect mobile code against attacks coming from hosts. This paper presents a mechanism based on execution tracing and cryptography that allows one to detect attacks against code, state, and execution flow of mobile software components.
Bib: [Vig98] Vigna, Giovanni: Cryptographic Traces for Mobile Agents, in: Giovanni Vigna (Ed.): Mobile Agents and Security. pp 137-153. Springer-Verlag, 1998.
Abstract: Mobile-agent systems must address three security issues: protecting an individual machine, protecting a group of machines, and protecting an agent. In this chapter, we discuss these three issues in the context of D'Agents, a mobile-agent system whose agents can be written in Tcl, Java and Scheme. (D'Agents was formerly known as Agent Tcl.) First we discuss mechanisms existing in D'Agents for protecting an individual machine: (1) cryptographic authentication of the agent's owner, (2) resource managers that make policy decisions based on the owner's identity, and (3) secure execution environments for each language that enforce the decisions of the resource managers. Then we discuss our planned market-based approach for protecting machine groups. Finally we consider several (partial) solutions for protecting an agent from a malicious machine.
Bib: [GKC98] Gray, Robert S.; Kotz, David; Cybenko, George; Rus, Daniela: D'Agents: Security in a Multiple-Language, Mobile-Agent System, in: Giovanni Vigna (Ed.): Mobile Agents and Security. pp 154-187. Springer-Verlag, 1998.
Abstract: Aglets are Java-based mobile agents developed at IBM's Tokyo Research Laboratory. This article describes a security model for the aglets development environment that supports flexible architectural definition of security policies.
Bib: [KLO98] Karjoth, Günter; Lange, Danny B.; Oshima, Mitsuru: A Security Model for Aglets, in: Giovanni Vigna (Ed.): Mobile Agents and Security. pp 1-14. Springer-Verlag, 1998.
Abstract: Many secure applications are emerging using the Java language and running on the Java platform. In dealing with Java security issues, especially when building secure mobile agents on the Java platform, we inevitably depend on the underlying object orientation, such as data encapsulation and type safety. In this paper, we describe three new constructs for signing, sealing (encrypting), and guarding Java objects. These constructs enrich the existing Java security APIs so that a wide range of security-aware applications can be significantly easier to build.
Bib: [GS98] Gong, Li; Schemers, Roland: Signing, Sealing, and Guarding Java Objects, in: Giovanni Vigna (Ed.): Mobile Agents and Security. pp 206-216. Springer-Verlag, 1998.
Abstract: Safe-Tcl is a mechanism for controlling the execution of programs written in the Tcl scripting language. It allows untrusted scripts (applets) to be executed while preventing damage to the environment or leakage of private information. Safe-Tcl uses a padded cell approach: each applet is isolated in a safe interpreter where it cannot interact directly with the rest of the application. The execution environment of the safe interpreter is controlled by trusted scripts running in a master interpreter. Safe-Tcl provides an alias mechanism that allows applets to request services from the master interpreter in a controlled fashion. Safe-Tcl allows a variety of security policies to be implemented within a single application, and it supports both policies that authenticate incoming scripts and those that do not.
Bib: [OLW98] Ousterhout, John K.; Levy, Jacob Y.; Welch, Brent B.: The Safe-Tcl Security Model, in: Giovanni Vigna (Ed.): Mobile Agents and Security. pp 217-234. Springer-Verlag, 1998.
Abstract: Today the World Wide Web is considered to be a platform for building distributed applications. This evolution is made possible by browsers with processing capabilities and by programming languages that allow web designers to embed real programs into HTML documents. Downloading and executing code from anywhere on the Internet brings security problems along with it. A systematic and thorough analysis of security flaws in the browsers and related technology is necessary to reach a sufficient level of confidence. This paper presents some preliminary results of ongoing research that has the final goal of developing properties for secure browsers and procedures for secure browsing. The research started by investigating features provided by the standard environment. The paper describes some experimental attacks that have been carried out by exploiting features of Java and JavaScript executed by Netscape Navigator and Microsoft Explorer browsers.
Bib: [DDA98] De Paoli, Flavio; Dos Santos, Andre L.; Kemmerer, Richard A.: Web Browsers and Security, in: Giovanni Vigna (Ed.): Mobile Agents and Security. pp 235-256. Springer-Verlag, 1998.
There are printed proceedings, and electronic versions of the articles and some of the slides. Unfortunately, the printed proceedings do not seem to have a reference (although they used an INRIA cover). The real proceedings consist of
Abstract: We discuss abstractions for protection and the correctness of their implementations. Relying on the concept of full abstraction, we consider several examples relevant to mobile object systems. The main example is the translation of Java classes to an intermediate bytecode language. Other examples are the implementation of procedures by closures and the implementation of private communication channels in terms of cryptographic operations.
(This talk is an adapted and abridged version of one to be given at ICALP 98; a paper on this material will appear in the proceedings of that conference.)
Bib: [Aba98] Abadi, Martin: Protection in programming-language translations: mobile object systems, in: Proceedings of the ECOOP Workshop on Distributed Object Security and 4th Workshop on Mobile Object Systems: Secure Internet Mobile Computations, page 77, INRIA, France, 1998.
Bib: [Gra98] Gray, Robert: Mobile Agent Security, in: Proceedings of the ECOOP Workshop on Distributed Object Security and 4th Workshop on Mobile Object Systems: Secure Internet Mobile Computations, pp 79-80, INRIA, France, 1998.
Abstract: Mobile agents are usually expected to execute in open environments, especially on the Internet. This openness makes mobile agents particularly vulnerable. We describe in this paper a new framework where mobile agents protect their integrity by providing interfaces customized to their interlocutors. We show that this multilevel interface structure is a homogeneous approach for managing secure and implementation-independent interactions in both vertical (i.e. client-furnisher) and horizontal (i.e. intra-service) relationships.
Bib: [HVH98] Hulaas, J.; Villazon, A.; Harms, J.: A Multi-level Interface Structure for the Selective Publication of Services in an Open Environment, in: Proceedings of the ECOOP Workshop on Distributed Object Security and 4th Workshop on Mobile Object Systems: Secure Internet Mobile Computations, pp 81-92, INRIA, France, 1998.
Abstract: Mobile agents are programs that can be moved, or can move themselves, from one host to another across a network. Hosts accept these programs without knowing in advance how they will behave. Whilst the majority of these agents should be bona fide, it is possible that any mobile agent may be concealing some kind of malicious intent, perhaps to steal data or to break into the site. Research at the University of Reading is looking at ways to combat this potential future threat. The research has included the creation of a CPU load balancing demonstration system. The system demonstrates CPU load balancing using mobile agents and how this is affected by the introduction of malicious mobile agents. This paper describes how the CPU load balancing operates and shows how even very simple malicious agents can dramatically affect system performance.
Bib: [GM98] Greenaway, Adam P.; McKee, Gerard T.: A Practical Demonstration of the Effect of Malicious Mobile Agents on CPU Load Balancing, in: Proceedings of the ECOOP Workshop on Distributed Object Security and 4th Workshop on Mobile Object Systems: Secure Internet Mobile Computations, pp 93-104, INRIA, France, 1998.
Abstract: PrincipalDomain is an administrative scoping construct for establishing security policies based on the principals invoking object services that may entail objects moving around a network to accomplish their task. The privileges attached to the principal determine the privileges of those mobile objects, which effectively defines the access control rules for any resource the object might request. These objects may cooperate by delegating subtasks to other objects. During the process of delegation, when one object (initiator) authorizes another object (delegate) to perform some task, the attached privileges might be passed on from initiator to the delegate to accomplish the task. Support for roles is used to improve manageability by adding an optional level of indirection. Role-based access control and delegation provide a higher level of granularity than approaches limited only to individuals. In this paper, we describe a proposed protection mechanism based on code-executing principals exercising their privileges via role constructs, and building a delegation framework over this infrastructure. This mechanism extends current Java security features to support principals, roles and delegation. The framework supports a control API for application developers to specify mechanisms and security policies.
Bib: [NL98] Nagaratnam, Nataraj; Lea, Doug: Role-Based Protection and Delegation for Mobile Object Environments, in: Proceedings of the ECOOP Workshop on Distributed Object Security and 4th Workshop on Mobile Object Systems: Secure Internet Mobile Computations, pp 157-170, INRIA, France, 1998.
Bib: [JLT98] Jensen, T.; Le Métayer, D.; Thorn, T.: Coarse-grained Java Security Policies, in: Proceedings of the ECOOP Workshop on Distributed Object Security and 4th Workshop on Mobile Object Systems: Secure Internet Mobile Computations, pp 169 - 167, INRIA, France, 1998.
Abstract: Driven by the need for a model of malicious hosts attacking mobile agents, we present in this paper a set of requirements for such a model. Using an existing machine model, namely Random Access Stored Program machines (or RASPS), an attack model that fulfills these requirements is presented. In this model, the components of the execution process can be accessed by the outside. This fact is used by another machine that executes an attack program to control the execution of an agent program. This construction is suitable to demonstrate the problem of malicious hosts and to serve as a basis to prove the protection strength of algorithms that try to protect agents from attacks by malicious hosts.
Bib: [Hoh98] Hohl, Fritz: A Model of Attacks of Malicious Hosts Against Mobile Agents, in: Proceedings of the ECOOP Workshop on Distributed Object Security and 4th Workshop on Mobile Object Systems: Secure Internet Mobile Computations, pp 105-120, INRIA, France, 1998.
Abstract: Agent-based technology could revolutionize the manner by which distributed computation is performed. The fact that the information returned by an agent to the agent owner cannot be validated by the owner is impeding the widespread adoption of agent-based computing. Our paper addresses this concern by proposing a new type of software assertion to increase observability by providing agent owners with agent state "snapshots." These snapshots provide agent owners with: (1) a means to determine whether its agent's results are trustworthy, (2) information to debug a roving agent, (3) a greater ability to meet real-time constraints, and (4) a means to identify host systems that are resource-deficient, grant insufficient access rights, or tamper with agents. We present a methodology and tool for selecting and embedding protective assertions into agent code. We also discuss how the information from the assertions is automatically analyzed. Although our proposed assertions are not foolproof, they make it much harder for an agent to be tampered with in ways that are not detectable by the agent's owner. This knowledge is paramount for the utility of an agent-based system.
Bib: [KV98] Kassab, Lora L.; Voas, Jeffrey: Agent Trustworthiness, in: Proceedings of the ECOOP Workshop on Distributed Object Security and 4th Workshop on Mobile Object Systems: Secure Internet Mobile Computations, pp 121-133, INRIA, France, 1998.
Abstract: Systems that support mobile agents are increasingly being used on the global Internet. An important application that is considered for these agents is electronic commerce, where agents roam the World Wide Web in search of goods for their owners. In these applications, an agent moves along some itinerary in order to search for the best offer for the good sought by the user. The problem with this approach is that malicious providers on the agent's itinerary can damage the agent, tamper with the agent so that the agent itself becomes malicious, or forward the agent to any arbitrary provider that might not be on the agent's itinerary.
In this presentation we will primarily address the question how an agent can safely follow some predefined itinerary. We will identify the problem of trust as a major issue in this context and describe a trusted and tamper-proof hardware that can be used to enforce a policy. Based on this policy, we will show how the agent can take advantage of it in order to achieve the desired goal.
Bib: [WS98] Wilhelm, Uwe G.; Staamann, Sebastian: Protecting the Itinerary of Mobile Agents, in: Proceedings of the ECOOP Workshop on Distributed Object Security and 4th Workshop on Mobile Object Systems: Secure Internet Mobile Computations, pp 135-145, INRIA, France, 1998.
Abstract: Security is a fundamental precondition for the acceptance of mobile agent systems. In this paper we discuss protocols to improve agent security by distributing critical data and operations on mutually supporting agents which migrate in disjunct host domains. In order to attack agents, hosts must form coalitions. Proper selection of itineraries can minimize the risk of such coalitions being formed.
Bib: [Rot98] Roth, Volker: Secure Recording of Itineraries through Cooperating Agents, in: Proceedings of the ECOOP Workshop on Distributed Object Security and 4th Workshop on Mobile Object Systems: Secure Internet Mobile Computations, pp 147-154, INRIA, France, 1998.
Bib: [Sud98] Sudmann, Nils P.: Position Paper: Security in Tacoma, in: Proceedings of the ECOOP Workshop on Distributed Object Security and 4th Workshop on Mobile Object Systems: Secure Internet Mobile Computations, pp 155-156, INRIA, France, 1998.
Abstract: We present a partially-typed semantics for Dπ, a distributed π-calculus. The semantics is designed for open distributed systems in which some sites may harbor malicious agents. Nonetheless, the semantics guarantee traditional type-safety properties at "good" locations by using a mixture of static and dynamic type-checking.
The run-time semantics is built on the model of an anonymous network where the source of incoming agents is unknowable. To counteract possible misuse of resources all sites keep a record of local resources against which incoming agents are dynamically typechecked.
Bib: [HR98] Hennessy, Matthew; Riely, James: Type-Safe Execution of Mobile Agents in Anonymous Networks, in: Proceedings of the ECOOP Workshop on Distributed Object Security and 4th Workshop on Mobile Object Systems: Secure Internet Mobile Computations, pp 171-188, INRIA, France, 1998.
Bib: [Swa98] Swarup, Vipin: Mobile Computations and Trust, in: Proceedings of the ECOOP Workshop on Distributed Object Security and 4th Workshop on Mobile Object Systems: Secure Internet Mobile Computations, page 189, INRIA, France, 1998.
Abstract: Mobile objects have gained a lot of attention in research and industry in the recent past, but they also have a long history. Security is one of the key requirements and one of the most researched characteristics related to mobility. Resource management has been somewhat neglected in the past, but it is being increasingly addressed, in both the context of security and QoS. In this paper we place a few mobile objects systems in perspective based upon how they address security and resource management. We start with the theoretical model of Actors that supports concurrent mobile objects in a programming environment. Then we describe task migration in Mach, a mobile object system supported at the operating system level. OMG MASIF standardizes a CORBA-based middleware support for mobile objects. Mobile Objects and Agents (MOA) system is a middleware level system based on Java. Active networks project, Conversant, supports object mobility at the communication protocol level. Finally, we include a proposal for large scale agent ensembles. We summarize these projects, comparing their security and resource management, and conclude by deriving a few general observations on how security and resource management have been applied and how they might evolve in the future.
Bib: [MAB98] Milojicic, Dejan; Agha, Gul; Bernadat, Philippe; Chauhan, Deepika; Guday, Shai; Jamali, Nadeem; Lambright, Dan: Case Studies in Security and Resource Management for Mobile Objects, in: Proceedings of the ECOOP Workshop on Distributed Object Security and 4th Workshop on Mobile Object Systems: Secure Internet Mobile Computations, pp 191 - 205, INRIA, France, 1998.
Bib: [Gon97] Gong, Li: Survivable Mobile Code is Hard to Build. Accepted paper to the DARPA Workshop on Foundations for Secure Mobile Code, 26 - 28 March 1997. http://www.cs.nps.navy.mil/research/languages/statements/gong.ps
Bib: [FL97] Feigenbaum, Joan; Lee, Peter: Secure Mobile-Code Applications. Accepted paper to the DARPA Workshop on Foundations for Secure Mobile Code, 26 - 28 March 1997. http://www.cs.nps.navy.mil/research/languages/statements/leefei.ps
Bib: [HR97] Heintze, Nevin; Riecke, Jon: The SLam Calculus: Programming with Security and Integrity. Accepted paper to the DARPA Workshop on Foundations for Secure Mobile Code, 26 - 28 March 1997. http://www.cs.nps.navy.mil/research/languages/statements/nevjon.ps
Bib: [DF97] Dean, Drew; Felten, Edward: Secure Mobile Code: Where do we go from here? Accepted paper to the DARPA Workshop on Foundations for Secure Mobile Code, 26 - 28 March 1997. http://www.cs.nps.navy.mil/research/languages/statements/ddean.ps
Bib: [Gor97] Gordon, Andrew: Nominal Calculi for Security and Mobility. Accepted paper to the DARPA Workshop on Foundations for Secure Mobile Code, 26 - 28 March 1997. http://www.cs.nps.navy.mil/research/languages/statements/gordon.html
Bib: [MT97] Meseguer, José; Talcott, Carolyn: Rewriting Logic and Secure Mobility. Accepted paper to the DARPA Workshop on Foundations for Secure Mobile Code, 26 - 28 March 1997. http://www.cs.nps.navy.mil/research/languages/statements/meseguer.ps
Bib: [Yee97a] Yee, Bennet: A Sanctuary for Mobile Agents. Accepted paper to the DARPA Workshop on Foundations for Secure Mobile Code, 26 - 28 March 1997. http://www.cs.nps.navy.mil/research/languages/statements/bsy.ps
Bib: [LN97] Lee, Peter; Necula, George: Research on Proof-Carrying Code for Mobile-Code Security. Accepted paper to the DARPA Workshop on Foundations for Secure Mobile Code, 26 - 28 March 1997. http://www.cs.nps.navy.mil/research/languages/statements/necula.ps
Bib: [GHN97] Gunter, Carl; Homeier, Peter; Nettles, Scott: Infrastructure for Proof-Referencing Code. Accepted paper to the DARPA Workshop on Foundations for Secure Mobile Code, 26 - 28 March 1997. http://www.cs.nps.navy.mil/research/languages/statements/gunter.ps
Bib: [Swa97] Swarup, Vipin: Trust Appraisal and Secure Routing of Mobile Agents. Accepted paper to the DARPA Workshop on Foundations for Secure Mobile Code, 26 - 28 March 1997. http://www.cs.nps.navy.mil/research/languages/statements/swarup.ps
Bib: [Fou97] Fournet, Cédric: Security within a Calculus of Mobile Agents? Accepted paper to the DARPA Workshop on Foundations for Secure Mobile Code, 26 - 28 March 1997. http://www.cs.nps.navy.mil/research/languages/statements/fournet.ps
Bib: [FG97] Focardi, Riccardo; Gorrieri, Roberto: Non Interference: Past, Present and Future. Accepted paper to the DARPA Workshop on Foundations for Secure Mobile Code, 26 - 28 March 1997. http://www.cs.nps.navy.mil/research/languages/statements/focardi.ps
Bib: [Mea97] Meadows, Catherine: Detecting Attacks on Mobile Agents. Accepted paper to the DARPA Workshop on Foundations for Secure Mobile Code, 26 - 28 March 1997. http://www.cs.nps.navy.mil/research/languages/statements/meadows.ps
Abstract: The mobile agent paradigm evolves as a promising distributed computing paradigm. Different from the existing paradigms like message passing, remote procedure calls, and distributed objects, the mobile agent paradigm offers two properties: client customization, and self-contained-ness. End users virtually install new software on the agent platform by dispatching personalized agents, and the agents are self-contained programs that encompass the whole decision logic delegated by the end users. Mobile agents moving around the network are not safe. The remote hosts that accommodate the agents can initiate all kinds of attacks and attempt to analyze the agents' decision logic, and agents' accumulated data. Among the many security requirements, confidentiality and anonymity are two of the most important issues that have not been solved satisfactorily. This thesis examines these two security requirements. First, we introduce the notion of entropy to measure the intention brought by each agent. By perturbing the associated intention spectrum by either adding noisy codes or splitting the agent, we can achieve confidentiality. Second, by modifying the existing approaches in hiding the identities and adopting them in mobile agent systems, we can achieve anonymity. For the sake of completeness, open issues related to the protection of mobile agents are presented. This gives an account on the challenging problems in security, performance and the side effects to hold secure agent systems. An optimizing protocol to trade off the two contrasting factors - security and performance - is also described.
Bib: [Ng00] Ng, Sau-Koon: Protecting Mobile Agents against Malicious Hosts. Master Thesis. Division of Information Engineering, The Chinese University of Hong Kong, June 2000.
Abstract: Cooperating merchants establish a distributed marketplace under the auspices of an independent market authority. Each merchant's server is equipped with a trusted device, a smart card for example, provided by the market authority. The market authority plays the role of a trusted third party for the customer as well as for the merchants. This paper describes protocols that prevent the malicious alteration of the data collected by visiting mobile agents roaming through the marketplace without being detectable by subsequent servers or by the owner of the agent upon its return. Another protocol makes the trusted device a secure execution platform for routines provided by the agent owner.
Bib: [Kar00] Karjoth, Günter: Secure Mobile Agent-Based Merchant Brokering in Distributed Marketplaces. In: Kotz, D.; Mattern, F. (Eds.): Agent Systems, Mobile Agents, and Applications. Proceedings of the Second International Symposium on Agent Systems and Applications and Fourth International Symposium on Mobile Agents, ASA/MA 2000, pp. 44-56. LNCS 1882, Springer-Verlag, 2000
Abstract: Mobile agents have been advocated to support electronic commerce over the Internet. While being a promising paradigm, many intricate problems need to be solved to make this vision reality. The problem of fair exchange between two agents is one such fundamental problem. Informally speaking, this means to exchange two electronic items in such a way that neither agent suffers a disadvantage. We study the problem of fair exchange in the mobile agent paradigm. We show that while existing protocols for fair exchange can be substantially simplified in the context of mobile agents, there are still many problems related to security which remain difficult to solve. We propose three increasingly flexible solutions to the fair exchange problem and show how to implement them using existing agent technology. The basis for ensuring the security properties of fair exchange is a tamper-proof hardware device called a trusted processing environment.
Bib: [PVG00] Pagnia, Henning; Vogt, Holger; Gärtner, Felix; Wilhelm, Uwe: Solving Fair Exchange with Mobile Agents. In: Kotz, D.; Mattern, F. (Eds.): Agent Systems, Mobile Agents, and Applications. Proceedings of the Second International Symposium on Agent Systems and Applications and Fourth International Symposium on Mobile Agents, ASA/MA 2000, pp. 57-72. LNCS 1882, Springer-Verlag, 2000
Abstract: This paper investigates one-round secure computation between two distrusting parties: Alice and Bob each have private inputs to a common function, but only Alice, acting as the receiver, is to learn the output; the protocol is limited to one message from Alice to Bob followed by one message from Bob to Alice. A model in which Bob may be computationally unbounded is investigated, which corresponds to information-theoretic security for Alice. It is shown that 1. for honest-but-curious behavior and unbounded Bob, any function computable by a polynomial-size circuit can be computed securely assuming the hardness of the decisional Diffie-Hellman problem; 2. for malicious behavior by both (bounded) parties, any function computable by a polynomial-size circuit can be computed securely, in a public-key framework, assuming the hardness of the decisional Diffie-Hellman problem. The results are applied to secure autonomous mobile agents, which migrate between several distrusting hosts before returning to their originator. A scheme is presented for protecting the agent's secrets such that only the originator learns the output of the computation.
Bib: [CCK00] Cachin, Christian; Camenisch, Jan; Kilian, Joe; Müller, Joy: One-round secure computation and secure autonomous mobile agents. In: Ugo Montanari, José P. Rolim, and Emo Welzl (Eds.): Proc. 27th International Colloquium on Automata, Languages and Programming (ICALP), Geneva, volume 1853 of Lecture Notes in Computer Science, pages 512-523. Springer-Verlag, 2000.
Abstract: A major problem of mobile agents is their apparent inability to authenticate transactions in hostile environments. In this paper, we consider a framework for the prevention of agent tampering without compromising the mobility or autonomy of the agent. Our approach uses encrypted functions. We present an RSA implementation which answers affirmatively the open problem on undetachable signatures of Sander and Tschudin.
Bib: [KBC00] Kotzanikolaou, P.; Burmester, M.; Chrissikopoulos, V.: Secure Transactions with Mobile Agents in Hostile Environments. In: Dawson, E.; Clark, A.; Boyd, C. (Eds.): Information Security and Privacy. Proceedings of the 5th Australasian Conference, ACISP 2000. LNCS Vol. 1841, Springer-Verlag, pp. 289-297, 2000
Abstract: In this paper we address the problem of protecting trusted software on untrusted hosts by code obfuscation. We address one aspect of the problem, namely obstructing static analysis of programs. The presence of aliases has been proven to restrict greatly the precision of static data-flow analysis. Meanwhile, effective alias detection has been shown to be NP-Hard. While this represents a significant hurdle for code optimization, it provides a theoretical basis for structuring tamper-resistant programs— the systematic introduction of nontrivial aliases transforms programs to a form that yields data flow information very slowly and/or with little precision. We describe a set of transformations that introduce aliases and further hinder the analysis by a systematic "break-down" of the program control-flow; transforming high level control transfers to indirect addressing through aliased pointers. By doing so, the basic control-flow analysis is made into a general alias analysis problem, and the data-flow analysis and control-flow analysis are made co-dependent. We present a theoretical result which shows that a precise analysis of the transformed program, in the general case, is NP-hard and demonstrate the applicability of our techniques with empirical results.
Bib: [WHK00] Wang, Chenxi; Hill, Jonathan; Knight, John; Davidson, Jack: Software Tamper Resistance: Obstructing Static Analysis of Programs. Technical Report CS-2000-12, Department of Computer Science, University of Virginia, 2000
Abstract: Mobile agents are programs that can migrate from machine to machine in a heterogeneous, partially disconnected network. As mobile agents move across a network, they consume resources. We discuss a system for controlling the activities of mobile agents that uses electronic cash, a banking system, and a set of resource managers. We describe protocols for transactions between agents. We present fixed-pricing and dynamic-pricing policies for resources. We focus on and analyze the sealed-bid second-price auction as a mechanism for dynamic pricing.
Bib: [BKR98] Bredin, Jonathan; Kotz, David; Rus, Daniela: Market-based Resource Control for Mobile Agents. In: Proceedings of Autonomous Agents, ACM, pp. 197-204, 1998
Bib: [GBH98] Greenberg, Michael S.; Byington, Jennifer C.; Harper, David G.: Mobile Agents and Security. IEEE Commun. Mag., July 1998, vol. 36, no. 7, pp. 76-85, 1998
Abstract: This article elaborates on security issues related to mobile code and agent-based systems. In particular, it addresses the problems of (a) how to protect an execution environment against potentially malicious mobile code, and (b) how to protect the mobile code against potentially malicious hosts and execution environments. The article overviews and discusses some technical approaches to address the problems. It concludes with the insight that possible solutions for the problems are not independent, and that some solutions for problem (b) make it more difficult to find appropriate solutions for problem (a).
Bib: [Opp99] Oppliger, Rolf: Security issues related to mobile code and agent-based systems. Computer Communications, Vol. 22, No. 12, July 1999, pp. 1165 - 1170, 1999
Abstract: Mobile agents add a new communication paradigm to traditional network communication mechanisms. In contrast to the classical mechanisms like remote programming, RPC, or client-server systems, mobile agents have specific advantages when used in a heterogeneous networking environment such as the World Wide Web. So far, the pervasiveness of publicly available mobile agent platforms is not given. Offering a seamless integration of mobile agents into the widespread and well-accepted WWW environment is crucial for the success of mobile agents. One of the growing fields of interest in the Web is the area of electronic commerce. Mobile Web-commerce agents could play a prominent role in future electronic commerce scenarios, if the malicious host problem could be solved. Our paper describes the integration of mobile agents into the Web and the use of Java cards to allow a mobile agent to store and transport data securely. This should promote the usage of mobile agents for electronic commerce purposes.
Bib: [Fue99] Fünfrocken, Stefan: Protecting Mobile Web-Commerce Agents with Smartcards. In: Proceedings of the First International Symposium on Agent Systems and Applications / Third International Symposium on Mobile Agents (ASA/MA'99), IEEE Computer Society, pp. 90-102, 1999
Abstract: JavaSeal is a secure mobile agent kernel that provides a small set of abstractions for agent applications. This paper describes the design of these abstractions and their implementation. We address the limitations of the Java security model that had to be overcome, and present a medium-sized e-commerce application that runs over JavaSeal.
Bib: [BV99] Bryce, Ciaran; Vitek, Jan: The JavaSeal Mobile Agent Kernel. In: Proceedings of the First International Symposium on Agent Systems and Applications / Third International Symposium on Mobile Agents (ASA/MA'99), IEEE Computer Society, pp. 103-117, 1999
Abstract: In the world of mobile agents, security aspects are extensively being discussed, with strong emphasis on how agents can be protected against malicious hosts and vice versa. This paper discusses methods for protecting an agent's route information from being misused by sites en route interested in gaining insight into the profile of the agent's owner or in obstructing the owner's original goal. Our methods provide visited sites with just a minimum of route information, but on the other hand allow sites to detect modifying attacks of preceding sites. Though, under noncolluding attacks, all methods presented provide a similar level of protection, they differ w.r.t. performance and the points of time when an attack can be detected.
Bib: [WSU99a] Westhoff, Dirk; Schneider, Markus; Unger, Claus; Kaderali, Firoz: Methods for Protecting a Mobile Agent's Route. In: M. Mambo, Y. Zheng (Eds.): Information Security. Proceedings of the Second International Workshop, ISW'99, pp. 57-71, 1999
Abstract: In the world of mobile agents, security aspects are extensively being discussed, with strong emphasis on how agents can be protected against malicious hosts and vice versa. This paper discusses a method for concealing an agent's route information from being misused by sites en route to collect profile information of the agent's owner. Furthermore, it is shown that the protected route resists attacks from a single malicious host and from colluding malicious hosts as well.
Bib: [WSU99b] Westhoff, Dirk; Schneider, Markus; Unger, Claus; Kaderali, Firoz: Protecting a Mobile Agent's Route against Collusions. Proceedings of SAC'99, Springer LNCS 1758, 1999
Abstract: To protect mobile agents from attacks by their execution environments, or hosts, one class of protection mechanisms uses "reference states" to detect modification attacks. Reference states are agent states that have been produced by non-attacking, or reference hosts. This paper presents a new protocol using reference states by modifying an existing approach, called "traces". In contrast to the original approach, this new protocol offers a model, where the execution on one host is checked unconditionally and immediately on the next host, regardless of whether this host is trusted or untrusted. This modification preserves the qualitative advantages like asynchronous execution, but also introduces two new problems: input to the execution session on one host cannot be held secret to a second host, and collaboration attacks of two consecutive hosts are possible. The overhead needed for the protocol roughly doubles the cost of the mobile agent execution.
Bib: [Hoh99b] Hohl, Fritz: A Protocol to Detect Malicious Hosts Attacks by Using Reference States. Technical Report Nr. 1999/09, Universität Stuttgart, Fakultät Informatik, 1999
Abstract: To protect mobile agents from attacks by their execution environments, or hosts, one class of protection mechanisms uses "reference states" to detect modification attacks. Reference states are agent states that have been produced by non-attacking, or reference hosts. This paper examines this class of mechanisms and presents the bandwidth of the achieved protection. First, the notion of reference states is introduced. This notion allows to define a protection scheme that can be used to realize a whole class of mechanisms to protect mobile agents. To do so, after an initial analysis of already existing approaches, the abstract features of these approaches are extracted. A discussion examines the strengths and weaknesses of the general protection scheme, and a framework is presented that allows an agent programmer to choose an appropriate protection level using this scheme. An example illustrates the usage of the framework and its overhead.
Bib: [Hoh00] Hohl, Fritz: A Framework to Protect Mobile Agents by Using Reference States. In: Proceedings of the 20th International Conference on Distributed Computing Systems (ICDCS 2000). To appear 2000.
Bib: [Hoh00] Hohl, Fritz: A Framework to Protect Mobile Agents by Using Reference States. Technical Report Nr. 2000/03, Universität Stuttgart, Fakultät Informatik, 2000
Bib: [CL99] Chan, Anthony H.W.; Lyu, Michael R.: In: P.S. Thiagarajan, R. Yap (Eds.): Advances in Computing Science - ASIAN'99. Proceedings of the 5th Asian Computing Science Conference, Phuket, Thailand, December 1999, pp. 371-372, 1999
Abstract: It is obvious that a prerequisite for use of mobile agent systems in many settings is that security is taken care of. A proper trust model is necessary in order to build security. Many security issues arise if the trust model implies that not all hosts are trusted. This paper discusses trust models, examines the security issues, and points at possible directions for solutions in terms of security services, mechanisms, and protocols.
Bib: [SO99] Schelderup, Kristian; Ølnes, Jon: Mobile Agent Security - Issues and Directions. In: H. Zuidweg, M. Campolargo, J. Delgado, A. Mullery (Eds.): Intelligence in Services and Networks. Paving the Way for an Open Service Market. Proceedings of the 6th International Conference on Intelligence and Services in Networks, IS&N'99, Barcelona, Spain, April 1999, pp. - , 1999
Abstract: Agents have been proposed to support applications in large distributed and open systems. Such systems present security problems both for the agents themselves and the machines on which they execute. In this paper, we consider the problem of protecting an agent from the host machine. We consider both hiding the code of the agent from the host (code hiding) and ensuring that the results of the computation are correct (tamper resistance). We propose code padding as a general approach to deal with this problem and, for the special case of agents that calculate polynomials, we present a solution that provides both code hiding and tamper resistance. The solution we present does not suffer from the weaknesses of other proposed solutions.
Bib: [Baz98] Bazzi, Rida A.: Code Hiding for Mobile Agents Security. Technical Report TR 1112998, Department of Computer Science and Engineering, Arizona State University, 1998
Abstract: In order for mobile agents to be accepted as a basic technology for enabling electronic commerce, proper security mechanisms must be developed. Hosts must be protected from malicious agents, agents must be protected from other agents and also agents must be protected from malicious hosts. For solving the first three problems, existing technology from operating systems and distributed systems research can be used. The last problem is new and specific to the mobile agent paradigm and it is much harder to solve. Due to this problem, many say that mobile agents are not ready for the e-commerce systems. In this paper we discuss the security requirements of mobile agents in the context of electronic commerce and analyze how these requirements can be met. We show that, because of the characteristics of e-commerce systems, the security requirements of the agents and their users can be assured in real and open environments as the Internet.
Bib: [MSS99a] Marques, Paulo Jorge; Silva, Luís Moura; Silva, João Gabriel: Security Mechanisms for Using Mobile Agents in Electronic Commerce. In: Proceedings of the 18th IEEE Symposium of Reliable Distributed Systems - Workshop on Electronic Commerce, Lausanne, Switzerland, October 1999.
Abstract: Although mobile agents are a promising technology, the large-scale deployment of agents and the existence of hosts running agencies will not happen until proper security mechanisms are well understood and implemented. When considering global open environments as the Internet, mobile agents can be the victims of attacks by malicious hosts. In this paper, we present a security framework that protects agents from interference of untrusted and potentially malicious hosts. The framework can be used to enable technologies as electronic commerce, using the mobile agent paradigm in a secure and trustful way.
Bib: [MSS99b] Marques, Paulo Jorge; Silva, Luís Moura; Silva, João Gabriel: Establishing a Secure Open Environment for Using Mobile Agents in Electronic Commerce. In: Proceedings of the ASA/MA99 conference, Palm Springs, USA, October 1999
Abstract: This position paper discusses the problem of evaluating a function on an untrusted host, while maintaining the confidentiality of the function. A new non-interactive protocol designed to evaluate a function on an untrusted host is presented. The protocol prevents the disclosure of the function under cryptographic assumptions.
Bib: [LM99b] Loureiro, Sergio; Molva, Refik: Privacy for Mobile Code. In: Proceedings of distributed object security workshop, OOPSLA'99, Denver, November 1999, 1999
Abstract: In the area of electronic commerce the technology of mobile trade agents can be used in market research, buyer-merchant negotiation and on-line auctions. Although the benefits resulting from the use of such intelligent assistants for the end-users are not argued, it is empirically confirmed that Internet buyers and merchants will use them widely, only when convinced that mobile trade agents are secure. This paper presents an agent-oriented model for collecting and evaluating purchase contracts, signed by Internet merchants. It aims to confront the security risks derived from mobile trade agents. The model uses a master - slave distributed agent architecture and proposes the authentication of mobile agents to shopping servers, through agent permission-tokens.
Bib: [KKC99] Kotzanikolaou, Panayiotis; Katsirelos, G.; Chrissikopoulos, V.: Mobile Agents for Secure Electronic Transactions. In: N. E. Mastorakis (Ed.): Recent Advances in Signal Processing and Communications. World Scientific Engineering Society, pp. 363-368, 1999
Bib: [NT98] Neuenhofen, K. A.; Thompson, M.: Contemplations on a secure marketplace for mobile Java agents. K. P. Sycara & M. Wooldridge (Ed.), Proceedings of Autonomous Agents 98, Minneapolis, MN, New York: ACM Press, 1998
Abstract: The technology of mobile agents, where software pieces of active control and storage (called mobile agents) travel the network and perform tasks distributively, is of growing interest as an Internet technology. Similarly, smartcard holders can be considered mobile users as they access the network at various points. Such mobile processing can be employed in large scale census applications in statistics gathering, in surveys and tallying, in reading and collecting local control information, etc. This distributed computing paradigm where local pieces of data are getting accumulated in a mobile unit presents new information security challenges. Here, we point at some problems it poses and suggest solutions. The basic problem considered involves the design of a mobile agent that is capable of traversing an untrusted (curious) network while gathering and securing data from the nodes that it visits. We assume that some subset of the nodes may collaborate to track the agent, and we assume that snapshots of memory are taken at each node at times that are unpredictable to the agent. The data that is gathered must be securely stored within the agent and the adversarial nodes must remain oblivious to what is taken by the agent. In addition, the agent's movement throughout the network should be made difficult to trace. Furthermore, we assume that the agent is limited in storage capacity. To prevent the nodes from getting decryption capability, the agent must carry a public key for (asymmetric) encryption. We present an economical solution that we call "sliding encryption". This is a new mode of operation of public key cryptosystems that allows the encryption of small amounts of plaintext yielding small amounts of ciphertext. Furthermore, the encryption is performed so that it is intractable to recover the plaintext without the appropriate private key.
We also describe how to modify sliding encryption so that the resulting ciphertexts are hard to correlate, thus making it possible to have mobile agents that are not easy to trace. Sliding encryption is applicable to mobile agent technology and may have independent applications to "storage-limited technology" such as smartcards and mobile units.
Bib: [YY97] Young, A.; Yung, M.: Encryption Tools for Mobile Agents: Sliding Encryption. In: E. Biham (Ed.): Fast Software Encryption. Proceedings of the 4th International Workshop, FSE'97, Haifa, Israel, January 20-22, 1997. LNCS 1267, Springer-Verlag, 1997
Abstract: In open distributed systems of mobile agents, where code from remote sites may run locally, protection of sensitive data and system resources is of paramount importance. We present a capability-based typing system that provides such protection, using a mix of static and runtime typing. We formalize security violations as runtime errors and prove that, using our semantics, runtime errors cannot occur at "good" sites, i.e., sites under control of a particular administrative domain.
Bib: [RH98] Riely, J.; Hennessy, M.: Secure Resource Access for Mobile Agents. Submitted. 1998
Abstract: We present a partially-typed semantics for Dπ, a distributed π-calculus. The semantics is designed for mobile agents in open distributed systems in which some sites may harbor malicious intentions. Nonetheless, the semantics guarantees traditional type-safety properties at "good" locations by using a mixture of static and dynamic type-checking. We show how the semantics can be extended to allow trust between sites, improving performance and expressiveness without compromising type-safety. Thus, the static notions of good and bad should not be used to prevent actions by an agent; rather, some form of dynamic typechecking is necessary.
Bib: [RH99] Riely, J.; Hennessy, M.: Trust and Partial Typing in Open Systems of Mobile Agents. In Conference Record of the 26th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, ACM Press, 1999.
Abstract: We describe a typing system for a distributed pi-calculus which guarantees that distributed agents cannot access the resources of a system without first being granted the capability to do so. The language studied allows agents to move between distributed locations and to augment their set of capabilities via communication with other agents. The type system is based on the novel notion of a location type, which describes the set of resources available to an agent at a location. Resources are themselves equipped with capabilities, and thus an agent may be given permission to send data along a channel at a particular location without being granted permission to read data along the same channel. We also describe a tagged version of the language, where the capabilities of agents are made explicit in the syntax. Using this tagged language we define access violations as runtime errors and prove that well-typed programs are incapable of such errors.
Bib: [RH98] Riely, J.; Hennessy, M.: Resource Access Control in Systems of Mobile Agents. In 3rd International Workshop on High-Level Concurrent Languages (HLCL'98), vol. 16(3) of Electronic Notes in Theoretical Computer Science, Elsevier, 1998
Abstract: Mobile agent technologies are getting popular as means for an efficient way to access network resources. Because an application using mobile agents has some unique problems caused by frequent creation, migration and disappearance of mobile agents, a mobile agent platform has to provide not only agents and their execution engines but some functions and mechanisms which are specialized to mobile agent systems. In this paper, we discuss the practical problems occurring in mobile agent environments, that is, agent controllability, resource restrictions and security. To solve these problems, we propose a mobile agent platform, called SFM (Secured Floating Market) Model. This model fulfills the agent controllability by agent control parameters. And this model has the measures against the resource restrictions such as location of resources and agents, processing capability and condition of load. Besides, this model guarantees some suitable security strength levels for flexible execution of various services and user requirements. We implement the prototype of this model using Aglets.
Bib: [TMW98] Taka, Tomoya; Mizuno, Tadanori; Watanabe, Takashi: A Model of Mobile Agent Services Enhanced for Resource Restrictions and Security. In: Proceedings of the International Conference on Parallel and Distributed Systems (ICPADS'98), 14-16 December, 1998, Taiwan
Abstract: The class loading mechanism is central to the dynamic nature of the Java language. It also plays a critical role in providing security on the Java platform. This paper describes the internals of class loaders, and especially their interaction with the new security architecture in JDK 1.2, the forthcoming Java Development Kit, which provides policy-driven, permission-based, extensible, and fine-grained access control. The discussion also covers the newly introduced class loading delegation mechanism. The paper is aimed at a general audience, thus the discussion is kept at a technically high level without details of the actual Java classes and interfaces.
Bib: [Li98] Gong, Li: Secure Java Class Loading. In: IEEE Internet Computing, Vol. 2, No. 6, November/December 1998, pp. 26-29, 1998
Abstract: This paper presents an overview of the security problems associated with extensible computing models with a focus on protecting a runtime system against external programs. It presents a resource-centric model of security problems and classifies the security problems in terms of resource access and resource consumption problems. The paper then presents various security solutions that have been proposed by constructing a framework, which identifies two key elements - policy specification and enforcement. It then classifies the solutions on the basis of how and when they are applied.
Bib: [HLP98] Hashii, Brant; Lal, Manoj; Pandey, Raju; Samorodin, Steven: Securing Systems Against External Programs. In: IEEE Internet Computing, Vol. 2, No. 6, November/December 1998, pp. 35-45, 1998
Abstract: Mobile code is a term used to describe general-purpose executables that run in remote locations. The concept is not new. What is new is that Web browsers now have the ability to execute these general-purpose executables. The executables can be written by anyone and execute on any machine that runs a browser. This means that the same code can execute on any platform regardless of the operating system and hardware architecture. Such functionality is not without costs. From a security perspective, there is nothing more dangerous than a global, homogeneous, general-purpose interpreter. Sandboxes, code signing, firewalls, and proof-carrying code are all techniques that address the inherent security risks of mobile code. This survey summarizes the relative merits of each.
Bib: [RG98] Rubin, Aviel D.; Geer, Daniel E.: Mobile Code Security. In: IEEE Internet Computing, Vol. 2, No. 6, November/December 1998, pp. 30-34, 1998
Bib: [MF98] McGraw, Gary; Felten, Edward W.: Mobile Code and Security. In: IEEE Internet Computing, Vol. 2, No. 6, November/December 1998, pp. 26-29, 1998
Abstract: We describe the security architecture of the Ara mobile agent platform, after reviewing the relevant aspects of comparable systems. The Ara model features few principals, a simple authentication and encryption API, and a simple but highly customizable authorization scheme. One system may contain many virtual places, each establishing a domain of logically related services under a common security policy governing all agents at this place. Agents are equipped with allowances limiting their resource accesses, both globally per agent life time and locally per place. Various aspects of the implementation of this model are discussed, and finally the situation and limitations of Ara and other systems are summarized.
Bib: [Pei98] Peine, Holger: Security Concepts and Implementation for the Ara Mobile Agent System. In Proceedings of the 7th IEEE Workshop on Enabling Technologies: Infrastructure for Collaborative Enterprises, June 17-19th, Stanford University, USA, 1998
Abstract: The Seal calculus is a calculus of mobile computations designed for programming secure distributed applications over large scale open networks. The calculus is a distributed variant of the π-calculus that incorporates agent mobility as well as strong protection mechanisms. Linear, revocable capabilities control access to resources and ensure that agents may only use resources that have been allocated to them. Capabilities are also used to protect agents from the hosts on which they execute.
Bib: [VC99] Vitek, Jan; Castagna, Giuseppe: Towards a calculus of secure mobile computations. In Workshop on Internet Programming Languages, Chicago, IL, 1998.
Abstract: This paper scratches the surface of the problem of classifying the attacks that a mobile computation can be subjected to in an open network. The discussion is based on a simplified version of the Seal calculus. We show how these attacks affect the semantics of the calculus and the notion of observational equivalence.
Bib: [VC99] Vitek, Jan; Castagna, Giuseppe: Mobile Computations and Hostile Hosts. In: Proceedings of the 10th JFLA, Avoriaz, France, January 1999.
Bib: [SV99] Sewell, Peter; Vitek, Jan: Secure composition of insecure components. In Proceedings of the 12th IEEE Computer Security Foundations Workshop (CSFW-12), Mordano, Italy, June 1999.
Abstract: The Seal calculus is a distributed process calculus with localities and mobility of computational entities called seals. Seal is also a framework for writing secure distributed applications over large scale open networks such as the Internet. This paper motivates our design choices, presents the syntax and reduction semantics of the calculus, and demonstrates its expressiveness by examples focused on security and management of distributed systems.
Bib: [VC99] Vitek, Jan; Castagna, Giuseppe: Seal: A framework for secure mobile computations. In: Internet Programming Languages, 1999.
Bib: [CMS99] Corradi, Antonio; Montanari, Rebecca; Stefanelli, Cesare: Mobile Agents Integrity in E-commerce Applications. In: Proceedings of the 19th IEEE International Conference on Distributed Computing Systems Workshop, pp. 59 - 64, 1999
Abstract: The Mobile Agent paradigm seems to be a promising and innovative technology for developing applications in open, distributed and heterogeneous environments because it can overcome some of the limits of traditional Client/Server approaches. Many application areas, such as e-commerce, mobile computing, network management and information retrieval can benefit from the application of the MA technology. The widespread use of mobile agents is currently mainly limited by the lack of security, a requirement that should be faced when dealing with the Internet untrusted environment. The paper focuses on the problem of ensuring the integrity of agents in these environments and presents a range of solution strategies. In particular, it describes and compares two different approaches to achieve agent integrity. The first one makes use of a Trusted Third Party entity, while the second one is based on a distributed protocol that does not assume any secure collaborating entity. The two solutions suit different areas, and we have integrated them in a flexible support for a wide range of applications, called Secure and Open Mobile Agent (SOMA).
Bib: [CCM99] Cremonini, M.; Corradi, A.; Montanari, R.; Stefanelli, C.: Mobile Agents and Security: Protocols for Integrity. In: Proceedings of the Second IFIP WG 6.1 International Working Conference on Distributed Applications and Interoperable Systems (DAIS'99), 1999
Abstract: The Mobile Agent (MA) technology is gaining importance in the distributed management of networks and services for heterogeneous environments. MA-based management systems could represent an interesting alternative to traditional tools built upon the client/server model, either SNMP- or CMIP-based. Two main requirements currently limit the acceptance of MA solutions for management: the need of interoperability and the request for security. Without security, management systems cannot suit global untrusted environments, such as the Internet; without interoperability, they cannot interact with existing tools and legacy systems. The paper describes an MA-based management system with security and interoperability as the two main design objectives. It is an open management framework that grants interoperability by providing compliance with CORBA, the most diffused standard in the area of Object-Oriented components. In addition, it is based on a thorough security model and provides a wide range of tools and mechanisms to build and enforce flexible security policies.
Bib: [BCS99] Bellavista, P.; Corradi, A.; Stefanelli, C.: An Open Secure Mobile Agent Framework for Systems Management. In: Journal of Network and Systems Management (JNSM), Special Issue on "Mobile Agent-based Network and Service Management", September 1999
Abstract: The Mobile Agent technology is suitable for applications in open, distributed and heterogeneous environments such as the Internet and the Web, because it can overcome some limits of traditional approaches. The paper describes a Secure and Open Mobile Agent (SOMA) programming environment with two main design objectives that are security and interoperability. On the one hand, SOMA is based on a thorough security model and provides a wide range of tools and mechanisms to build and enforce flexible security policies. On the other hand, the SOMA framework can interoperate with different application components designed with different programming styles. SOMA grants interoperability by closely considering compliance with CORBA, the most diffused standard in the area of Object-Oriented components. SOMA has been adopted as a platform to develop several distributed applications in the area of network and systems management, CSCW, and distributed and heterogeneous information systems.
Bib: [BCS99] Bellavista, P.; Corradi, A.; Stefanelli, C.: A Secure and Open Mobile Agent Programming Environment. In: Proceedings of the Fourth International Symposium on Autonomous Decentralized Systems (ISADS '99), pages 238-245, IEEE Computer Society Press, 1999
Abstract: Mobile Agents have achieved wide interest for distributed applications because of their flexibility and capacity of adapting to very different scenarios, a common situation over the Internet. The rapid growth of the area has forced a focus more on rapid prototyping than on other aspects that are still only partially faced. The paper addresses two main concepts connected with the Mobile Agent model: locality abstractions and security. We propose a Mobile Agent environment that introduces the idea of locality to achieve the enforcement of both abstraction and security. The use of this model permits developing Internet applications that answer both requirements in an integrated way. The paper describes the MA environment and presents some results of its implementation in the Java language. An application for distributed monitoring is an example of the capacity of rapid prototyping.
Bib: [CCS98] Corradi, A.; Cremonini, M.; Stefanelli, C.: Locality Abstractions and Security in a Mobile Agent Environment. In: Collaboration in Presence of Mobility, Conference Proceedings of WET ICE '98, IEEE Computer Society Press, 1998
Bib: [Tsc99] Tschudin, Christian: Mobile Agent Security. In: Matthias Klusch (Ed.): Intelligent information agents: agent based information discovery and management in the Internet, pp. 431 - 446, Springer-Verlag, 1999
Abstract: An approach to protect mobile agents from malicious hosts' "read attack" is presented. Mostly written in script languages, mobile agents are plain enough for malicious parties to read and to analyze. The malicious hosts would gain more simply by reading the content of the mobile agent, analyzing the accumulated information carried by the mobile agent, and offering information to excel other nonmalicious hosts. We label this unfair situation as "read attacks" hoisted by the malicious hosts. To combat, an approach called Intention Spreading is presented to show the theoretical feasibility to lessen such an "attack". Our approach is shown to provide more flexibility over the existing approaches. An implementation possibility is also demonstrated.
Bib: [NC99] Ng, Sau-Koom; Cheung, Kwok-Wai: Protecting Mobile Agents against Malicious Hosts by Intention Spreading. In: H. Arabnia (ed.), Proc. 1999 Int. Conf. on Parallel and Distributed Processing Techniques and Applications (PDPTA'99), CSREA, 1999
Abstract: This paper presents an original approach to the problem of function hiding based on Error Correcting Codes and evaluates the security of this approach. The novelty of the technique consists in using Error Correcting Codes to hide functions instead of encrypting data vectors. This protocol mainly deals with the issue of secure evaluation of functions in potentially hostile environments.
Bib: [LM99] Loureiro, Sergio; Molva, Refik: Function Hiding Based on Error Correcting Codes. In Manuel Blum and C. H. Lee (Eds.): Cryptographic Techniques and E-Commerce. Proceedings of the 1999 International Workshop on Cryptographic Techniques and E-Commerce (CrypTEC '99), City University of Hong Kong Press, 1999
Abstract: Mobile agent technology offers a new computing paradigm in which a program, in the form of a software agent, can suspend its execution on a host computer, transfer itself to another agent-enabled host on the network, and resume execution on the new host. The use of mobile code has a long history dating back to the use of remote job entry systems in the 1960's. Today's agent incarnations can be characterized in a number of ways ranging from simple distributed objects to highly organized software with embedded intelligence. As the sophistication of mobile software has increased over time, so too have the associated threats to security. This report provides an overview of the range of threats facing the designers of agent platforms and the developers of agent-based applications. The report also identifies generic security objectives, and a range of measures for countering the identified threats and fulfilling these security objectives.
Bib: [JK99] Jansen, Wayne; Karygiannis, Tom: Mobile Agent Security. NIST Technical Report, National Institute of Standards and Technology, 1999
Abstract: A mobile agent is an object which can autonomously migrate in a distributed system to perform tasks on behalf of its creator. Security issues in regard to the protection of host resources, as well as the agents themselves, raise significant obstacles in practical applications of the agent paradigm. This paper describes the security architecture of Ajanta, a Java-based system for mobile agent programming. This architecture provides mechanisms to protect server resources from malicious agents, agent data from tampering by malicious servers or communication channels during its travel, and protection of name service data and the global namespace. We present here a proxy based mechanism for secure access to server resources by agents. Using Java's class loader model and thread group mechanism, isolated execution domains are created for agents at a server. An agent can contain three kinds of protected objects: read-only objects whose tampering can be detected, encrypted objects for specific servers, and a secure append-only list of objects. A generic authentication protocol is used for all client-server interactions when protection is required. Using this mechanism, the security model of Ajanta enforces protection of name spaces, and secure execution of control primitives such as agent recall or abort. Ajanta also supports communication between remote agents using RMI, which can be controlled if required by the servers' security policies.
Bib: [KT99] Karnik, Neeran; Tripathi, Anand: Security in the Ajanta Mobile Agent System, Technical Report, Department of Computer Science, University of Minnesota, May 1999.
Abstract: Concordia provides a robust and highly reliable framework for the development and execution of secure, mobile agent applications. Concordia incorporates many advanced security and reliability features beyond the basic functionality found in other mobile agent systems.
Concordia provides a rich security model that can be used to allow or deny access to system resources down to a very fine level of granularity and that protects agents and the information they carry from tampering or unauthorized access. The system utilizes transactional message queuing to provide reliable network transmissions. Further, Concordia uses proxy objects and a persistent object store to insulate applications from system or network failures. This paper discusses the design and implementation of these features.
Bib: [WPW98] Walsh, Tom; Paciorek, Noemi; Wong, David: Security and Reliability in Concordia. In Proceedings of the 31st Annual Hawaii International Conference on System Sciences (HICSS31). 1998
Abstract: It is obvious that a prerequisite for use of mobile agent systems in many settings is that security is taken care of. A proper trust model is necessary in order to build security. Many security issues arise if the trust model implies that not all hosts are trusted. This paper discusses trust models, examines the security issues, and points at possible directions for solutions in terms of security services, mechanisms, and protocols.
Bib: [SO99] Schelderup, Kristian; Olnes, Jon: Mobile Agent Security - Issues and Directions. In H. Zuidweg, M. Campolargo, J. Delgado, A. Mullery (Eds.): Intelligence in Services and Networks. Paving the Way for an Open Service Market. Proceedings of the 6th International Conference on Intelligence in Services and Networks (IS&N'99), Springer-Verlag, LNCS 1597, pp. 155-167, 1999
Bib: [YWL98] Yi, X.; Wang, X.F.; Lam, K.Y.: A Secure Intelligent Trade Agent System. In: Trends in Distributed Systems '98: Electronic Commerce, Hamburg, Germany, LNCS, Springer-Verlag, Vol. 1402, June 3-5, 1998
Bib: [WYL98] Wang, X.F.; Yi, X.; Lam, K.Y.; Okamoto, E.: Secure information gathering agent for Internet Trading. In: 11th Australian Joint Conference on Artificial Intelligence (AI'98), Brisbane, Australia, 13 July 1998, Springer-Verlag Lecture Notes in Artificial Intelligence, Vol. 1544, edited by Chengqi Zhang and Dickson Lukose, Springer-Verlag Publishers, pp. 183-194, 1998. http://www.comp.nus.edu.sg/~wangxiao/dai98.ps
Bib: [YWY98] Yi, X.; Wang, X.F.; Yi, X.; Lam, K.Y.: A Secure Auction-like Negotiation Protocol for Agent-based Internet Trading. In: 17th IEEE Symposium on Reliable Distributed Systems, Purdue University, 20-23 October 1998, IEEE Press. http://www.comp.nus.edu.sg/~wangxiao/ieee.ps
Abstract: A mobile agent is an autonomous computer program which can migrate from machine to heterogeneous machine. An agent server which receives a mobile agent can easily make a copy of the mobile agent, because a mobile agent is just a program consisting of code and data. We define a mobile agent clone as the copied agent. It is impossible to distinguish between a mobile agent clone and its original agent. This causes problems connected with agent authentication, unexpected multiple transactions, and other security issues. In this paper, we investigate the problems caused by mobile agent clones and we design a protocol, which detects agent clone executions and identifies the clone generating agent server. Finally, we prove the correctness of the protocol formally, through Coloured Petri Nets.
Bib: [Bae98] Baek, Jusung: A design of a protocol for detecting a mobile agent clone and its correctness proof using Coloured Petri Nets. Technical Report TR-DIC-CSL-1998-002, Info.&Comm., K-JIST, 1998. http://atom.kjist.ac.kr/~jsbaek/pub/tr-dic-1998-02.ps
Abstract: For protecting mobile agents from attacks by malicious hosts, some current approaches try to create a blackbox out of an unprotected agent. A blackbox is a special mobile agent whose internals - code and data - are principally "invisible" for attackers. Although allowing a high degree of security, even blackboxes can be attacked by means of testing attacks. A blackbox testing attack executes an agent several times with different input parameters. After each execution, the attacker observes the effect, either explicit results like output values or characteristic "activity patterns". This paper presents a protocol that prevents testing attacks against blackbox protected mobile agents. The protocol exploits the fact that input data can be used as a sort of challenge. It uses registries, i.e. services on other, trusted nodes. It is shown that the presented protocol has a reasonable overhead compared to a non-migrating alternative.
Bib: [HR98] Hohl, Fritz; Rothermel, Kurt: A Protocol Preventing Blackbox Tests of Mobile Agents. Accepted paper for the 11. Fachtagung "Kommunikation in Verteilten Systemen" (KiVS'99). To appear.
Abstract: In this article we identify security threats and requirements for software agents in the context of an electronic market. A short description of our own agent system AMETAS is given. It provides an infrastructure for a general multi-purpose agent system. We explain which security facilities need to be employed and how some of them were implemented in AMETAS.
Bib: [ZMG98] Zapf, Michael; Müller, Helge; Geihs, Kurt: Security Requirements for Mobile Agents in Electronic Markets, in: Lamersdorf, W.; Merz, M. (Eds.): Trends in Distributed Systems for Electronic Commerce. Proceedings of the International IFIP/GI Working Conference, TREC'98, pp 205 - 217, Springer-Verlag, 1998
Abstract: In this paper, a secure intelligent trade agent system is developed. In this system, an intelligent trade agent can be authenticated and supplied with a certain authorized agent execution environment in which to run by a host. The owner of a malicious intelligent trade agent is easily dug out. A host can only legally modify the information relative to it in the agent, because the owner of the agent can be conscious of any little unauthorized modification made by any host. The secure intelligent trade agent system has two extra features: 1. The payment in the system is anonymous to servers (e.g. shops, companies). 2. It is convenient for the system to charge. So far, no security weakness in the secure intelligent trade system has been found.
Bib: [YWL98] Yi, X.; Wang, X. F.; Lam, K. Y.: A Secure Intelligent Trade Agent System, in: Lamersdorf, W.; Merz, M. (Eds.): Trends in Distributed Systems for Electronic Commerce. Proceedings of the International IFIP/GI Working Conference, TREC'98, pp 218 - 228, Springer-Verlag, 1998
Abstract: Technical enforcement of intellectual property (IP) rights often conflicts with the ability to use the IP. This is especially true when the IP is data, which may easily be copied while it is being accessed. As electronic commerce of data becomes more widespread, traditional approaches will prove increasingly problematic. In this paper, we show that the mobile agent architecture is an ideal solution to this dilemma: by providing full access to the data but charging for the transmission of results back to the user -- results-based billing -- we resolve the access versus protection conflict. We define new requirements for agent frameworks to implement results-based billing: "data-aware accounting" and "data-tight sandboxing", which, along with the common requirements such as authentication, authorization, agent self-monitoring, and efficiency, provide the mechanisms by which database owners can effectively grant users access to their intellectual property.
Bib: [BY98] Belmon, Stephane G.; Yee, Bennet S.: Mobile Agents and Intellectual Property Protection, in: Kurt Rothermel, Fritz Hohl (Eds.): Mobile Agents, Proceedings of the Second International Workshop, MA'98. pp 172-182. Springer-Verlag, Germany, 1998
Abstract: Mobile code technology is gaining growing importance for example for electronic commerce applications. To come to a widespread use of mobile agents a lot of security aspects have to be seriously considered and security problems have to be solved to convince potential users of this technology. So far, most work concerning security in the area of mobile code was done to protect hosts from malicious agents. However, in the very recent literature approaches are discussed which lead to different levels of security for the mobile agent against attacks by dishonest hosts. A central problem consists in the integrity of computation: In order to profit from mobile agent technology, techniques have to be used which guarantee the correctness of the results returned by a mobile agent to its originator. In this paper we explain a general approach to cope with the integrity problem by supplementing computation results with very short proofs of correctness which can a posteriori be checked by the originator of the mobile code to verify whether the result is reliable or not.
Bib: [BMW98] Biehl, Ingrid; Meyer, Bernd; Wetzel, Susanne: Ensuring the Integrity of Agent-Based Computations by Short Proofs, in: Kurt Rothermel, Fritz Hohl (Eds.): Mobile Agents, Proceedings of the Second International Workshop, MA'98. pp 183-194. Springer-Verlag, Germany, 1998
Abstract: When mobile agents do comparison shopping for their owners, they are subject to attacks of malicious hosts executing the agents. We present a family of protocols that protect the computation results established by free-roaming mobile agents. Our protocols enable the owner of the agent to detect upon its return whether a visited host has maliciously altered the state of the agent, thus providing forward integrity and truncation resilience. In an environment without public-key infrastructure, the protocols are based only on a secret hash chain. With a public-key infrastructure, the protocols also guarantee non-repudiability.
Bib: [KAG98] Karjoth, G.; Asokan, N.; Gülcü, C.: Protecting the Computation Results of Free-roaming Agents, in: Kurt Rothermel, Fritz Hohl (Eds.): Mobile Agents, Proceedings of the Second International Workshop, MA'98. pp 195-207. Springer-Verlag, Germany, 1998
Abstract: Software piracy is a major economic problem: it leads to revenue losses, it favors big software houses that are less hurt by these losses and it prevents new software economy models where small enterprises can sell software on a per-usage basis. Proprietary algorithms are currently hard to protect, both at the technical as well as the legal level. In this paper we show how encrypted programs can be used to achieve protection of algorithms against disclosure. Moreover, using this approach we describe a protocol that ensures - under reasonable conditions - that only licensed users are able to obtain the cleartext output of the program. This protocol also allows to charge clients on a per-usage basis. These results are applied to a special class of functions for which we obtain a secure and computationally feasible solution: the key point is to encrypt functions such that they remain executable. We further show how to robustly fingerprint the resulting programs. Our approach is fully software based and does not rely on tamper resistant hardware.
Bib: [ST98a] Sander, Tomas; Tschudin, Christian: On Software Protection via Function Hiding. In: D. Aucsmith (Ed.): Information Hiding II. Proceedings of the Second International Workshop, IH'98. Springer-Verlag, Germany, 1998
Abstract: Mobile code technology has become a driving force for recent advances in distributed systems. The concept of mobility of executable code raises major security problems. In this paper we deal with the protection of mobile code from possibly malicious hosts. We conceptualize on the specific cryptographic problems posed by mobile code. We are able to provide a solution for some of these problems: We present techniques how to achieve "non-interactive computing with encrypted programs" in certain cases and give a complete solution for this problem in important instances. We further present a way how an agent might securely perform a cryptographic primitive, digital signing, in an untrusted execution environment. Our results are based on the use of homomorphic encryption schemes and function composition techniques.
Bib: [ST97a] Sander, Tomas; Tschudin, Christian: Towards Mobile Cryptography. Technical Report 97-049, International Computer Science Institute, Berkeley, 1997. http://www.icsi.berkeley.edu/~sander/publications/tr-97-049.ps
Abstract: A key element of any mobile code based distributed system are the security mechanisms available to protect (a) the host against potentially hostile actions of a code fragment under execution and (b) the mobile code against tampering attempts by the executing host. Many techniques for the first problem (a) have been developed. The second problem (b) seems to be much harder: It is the general belief that computation privacy for mobile code cannot be provided without tamper resistant hardware. Furthermore it is doubted that an agent can keep a secret (e.g., a secret key to generate digital signatures). There is an error in reasoning in the arguments supporting these beliefs which we are going to point out. In this paper we describe software-only approaches for providing computation privacy for mobile code in the important case that the mobile code fragment computes an algebraic circuit (a polynomial). We further describe an approach how a mobile agent can digitally sign his output securely.
Bib: [ST98] Sander, Tomas; Tschudin, Christian: Protecting Mobile Agents Against Malicious Hosts. To be published, 1998. http://www.icsi.berkeley.edu/~sander/publications/MA-protect.ps
Bib: [ST97b] Sander, Tomas: On the Cryptographic Protection of Mobile Code. Talk at the Workshop on Mobile Agents and Security, Oct. 27-28, UMBC, 1997. http://www.icsi.berkeley.edu/~sander/publications/talk-baltimore.ps
Bib: [Hoh97] Hohl, Fritz: An approach to solve the problem of malicious hosts. Universität Stuttgart, Fakultät Informatik, Fakultätsbericht Nr. 1997/03. http://www.informatik.uni-stuttgart.de/cgi-bin/ncstrl_rep_view.pl?/inf/ftp/pub/library/ncstrl.ustuttgart_fi/TR-1997-03/TR-1997-03.bib
Bib: [Yee97b] Yee, Bennet: A Sanctuary for Mobile Agents. Technical Report CS97-537, Computer Science Department, University of California in San Diego, USA. http://www-cse.ucsd.edu/users/bsy/pub/sanctuary.ps
Bib: [Sch97] Schneider, Fred: Towards Fault-tolerant and Secure Agentry. Invited Paper to the 11th International Workshop on Distributed Algorithms, Saarbrücken, Germany, Sept. 1997. Also available as TR94-1568, Computer Science Department, Cornell University, Ithaca, New York. http://cs-tr.cs.cornell.edu:80/Dienst/Repository/2.0/Body/ncstrl.cornell%2fTR97-1636/postscript
Abstract: In this article, we present our security model for the IBM Aglets Workbench, a Java-based environment for building mobile agent applications. We detail both the security model and the corresponding security architecture that represents a framework for the inclusion of security services in future releases of the AWB. This work therefore represents an additional step toward the comprehensive security model required for widespread commercial adoption of mobile agent systems to occur.
Bib: [KLO97] Karjoth, Günter; Lange, Danny; Oshima, Mitsuru :A
Security Model for Aglets, in: IEEE Internet Computing, Vol. 1, No. 4, July -
August 1997
http://computer.org/internet/ic1997/w4068abs.htm
Bib: [Fuj97] Fujitsu Laboratories, Japan: Agent Security Model.
WWW-Page. 1997
http://www.fujitsu.co.jp/hypertext/free/kafka/security.html
Bib: [Vig97] Vigna, Giovanni: Protecting Mobile Agents through
Tracing Accepted paper for the Mobile Object Systems ECOOP Workshop'97. To
appear.
http://cuiwww.unige.ch/~ecoopws/ws97/papers/vigna.ps.gz
Bib: [Wil97] Wilhelm, Uwe: Cryptographically Protected Objects. A
french version appeared in the Proceedings of RenPar'9, Lausanne, CH
http://lsewww.epfl.ch/~wilhelm/Papers/CryPO.ps.gz
Bib: [Gra96] Gray, Robert: Agent Tcl: A flexible and secure mobile
agent system. In Proceedings of the Fourth Annual Tcl/Tk Workshop, pages 9-23,
Monterey, Cal., July 1996
http://www.cs.dartmouth.edu/~agent/papers/tcl96.ps.Z
Bib: [IBM95] IBM Corporation: Things that Go Bump in the Net.
WWW-Page.
http://www.research.ibm.com/massive/bump.html
Bib: [CGH95] Chess, David; Grosof, Benjamin; Harrison, Colin;
Levine, David; Paris, Colin; Tsudik, Gene: Itinerant agents for mobile
computing. IBM Research Report RC 20010, IBM, March 1995.
http://www.research.ibm.com/massive/rc20010.ps
Bib: [CHK97] Chess, David; Harrison, Colin; Kershenbaum, Aaron:
Mobile agents: Are they a good idea? In Jan Vitek; Christian Tschudin (eds.):
Mobile Object Systems: Towards the Programmable Internet, pages 25-45.
Springer-Verlag, April 1997. Lecture Notes in Computer Science No. 1222.
http://www.research.ibm.com/massive/mobag.ps (1994 version)
Bib: [Shi95] Browne, Shirley: Need for a Security Profile for Agent
Execution Environments. Position Paper for 1995 CIKM Workshop on Intelligent
Information Agents.
http://www.cs.umbc.edu/~cikm/iia/submitted/viewing/browne.html
Bib: [FGS96a] Farmer, William; Guttman, Joshua; Swarup, Vipin:
Security for Mobile Agents: Authentication and State Appraisal. Fourth
European Symposium on Research in Computer Security (ESORICS 96), (Pages
118-130).
Bib: [FGS96b] Farmer, William; Guttman, Joshua; Swarup, Vipin:
Security for mobile agents: Issues and requirements. In Proceedings of the
19th National Information Systems Security Conference, pages 591-597,
Baltimore, Md., October 1996
Bib: [Ord96] Ordille, Joann: When agents roam, who can you trust?
In: Proc. of the First Conference on Emerging Technologies and Applications in
Communications, Portland, May 1996
http://cm.bell-labs.com/cm/cs/doc/96/5-09.ps.gz
Bib: [Vit97] Vitek, Jan: Secure object spaces. In Max Mühlhäuser
(Ed.): Special Issues in Object-Oriented Programming. Workshop Reader of the
10th European Conference on Object-Oriented Programming (Ecoop'96). pp
340-347. dpunkt.verlag, 1997
Bib: [VST97] Vitek, Jan; Serrano, Manuel; Thanos, Dimitri: Security and Communication in Mobile Object Systems. In Jan Vitek; Christian Tschudin (eds.): Mobile Object Systems: Towards the Programmable Internet, pages 177-199. Springer-Verlag, April 1997. Lecture Notes in Computer Science No. 1222.
Bib: [TV96] Tardo, Joseph; Valente, Luis: Mobile Agent Security and
Telescript. In: IEEE Proceedings of COMPCON '96.
Bib: [KTM97] Kato, Kazuhiko; Toumura, Kunihiko; Matsubara, Katsuya;
Aikawa, Susumu; Yoshida, Jun; Kono, Kenji; Taura, Kenjiro; Sekiguchi, Tatsurou:
Protected and Secure Mobile Object Computing in PLANET. In Max Mühlhäuser
(Ed.): Special Issues in Object-Oriented Programming. Workshop Reader of the
10th European Conference on Object-Oriented Programming (Ecoop'96). pp
320-326. dpunkt.verlag, 1997
http://cuiwww.unige.ch/ecoopws/ws96/2.ps.gz
Bib: [Kat97] Kato, Kazuhiko: Safe and Secure Execution Mechanisms for Mobile Objects. In Jan Vitek; Christian Tschudin (eds.): Mobile Object Systems: Towards the Programmable Internet, pages 201-211. Springer-Verlag, April 1997. Lecture Notes in Computer Science No. 1222.
Bib: [MRS96] Minsky, Yaron; van Renesse, Robbert; Schneider, Fred;
Stoller, Scott: Cryptographic support for fault-tolerant distributed
computing. In Proceedings of the Seventh ACM SIGOPS European Workshop, pages
109-114, Connemara, Ireland, September 1996.
http://www.cs.uit.no/DOS/Tacoma/tacoma.webpages/SIGOPS.ft-agents.ps
Bib: [San97] Sander, Tomas: Security! or "How to Avoid to Breathe Life
in Frankenstein's Monster". Talk at the ICSI Workshop 1997 on Auto Mobile Code
Documentation. 1997
http://www.icsi.berkeley.edu/~tschudin/amc/workshop97/security.html
Bib: [Gra96d] Gray, Robert: Security in Mobile-Agent Systems.
Presentation at the University of Leiden, 1996.
http://www.cs.dartmouth.edu/~rgray/present/leid96.eps.Z
Bib: [OSF96] OSF: Web agent security and accounting. WWW-Page.
http://www.osf.org/www/Active_Props/secure_agents.html
Bib: [Gon97] Gong, Li: Java Security Architecture (JDK1.2). Sun
Microsystems internal paper, 1997.
http://java.sun.com/products/jdk/preview/docs/guide/security/api/proposal.html
Bib: [EHM96] Erdos, Marlena; Hartman, Bret; Mueller, Marianne:
Security Reference Model for the Java Developer's Kit 1.0.2. WWW Page.
http://java.sun.com/security/SRM.html