C. Bryce, and J. Vitek, "The JavaSeal Mobile Agent Kernel," Proceedings of the First International Symposium on Agent Systems and Applications and Third International Sympo-sium on Mobile Agents (ASA/MA'99), October 1999, pp 103-117.  Home/Search   Document Details and Download   Summary   Related Articles   Check

....important that the general model integrates well with the existing J SEAL2 programming model [5] The J SEAL2 kernel manages a tree hierarchy of nested protection domains , the so called #####. This model of hierarchically organized protection domains stems from the JavaSeal mobile agent kernel [9]. Protection domains encapsulate mobile agents as well as service components . The J SEAL2 kernel ensures that protection domains are completely isolated from each other, there is In this article the term protection domain refers to the concept of a ####### or #### in an operating system, ....

C. Bryce and J. Vitek. The JavaSeal mobile agent kernel. In ##### ############# ######### ## ##### ####### ### ############ ############## ############# ######### ## ###### ###### #######, Palm Springs, CA, USA, Oct. 1999.

....into the JSEAL2 mobile agent kernel [3] which requires load time rewriting of mobile objects. J SEAL2 is a secure mobile agent system implemented in pure Java, which supports the hierarchical process model of the Seal Calculus [22] that was first implemented by the JavaSeal mobile agent system [7]. Resource reification in J SEAL2 concerns only memory and CPU resources, since the J SEAL2 design already supports network accounting and the integrating of application specific security policies. In this section we present performance measurements showing that the overhead due to our completely ....

C. Bryce and J. Vitek. The JavaSeal mobile agent kernel. In First International Symposium on Agent Systems and Applications (ASA'99)/Third International Symposium on Mobile Agents (MA'99), Palm Springs, CA, USA, Oct. 1999.

....mobile agents were proposed as an alternative model to the construction of distributed applications in the Internet. A mobile agent is a program that can migrate by the nodes of the network, carrying the state of its execution [17] Aglets [9] Ajanta [14] D Agents [6] Code [11] and JavaSeal [3] are examples of Java mobile agent systems. In Aglets and Ajanta, mobile agent classes are implemented by inheriting from a pre de ned class that comes with these systems. Since Java does not support multiple inheritance, this solution can restrict reuse of code in mobile agents. Moreover, in ....

C. Bryce and J. Vitek. The JavaSeal mobile agent kernel. In First International Symposium on Agent Systems and Applications and Third International Symposium on Mobile Agents, 1999.

....security guarantees without requiring any native code or modifications of the underlying Java implementation. J SEAL2 is a micro kernel implemented in pure Java, which supports the hierar chical task model of the Seal Calculus [22] that was first implemented by the JavaSeal mobile object system [7]. The J SEAL2 kernel manages a tree hierarchy of nested tasks, which may be either mobile objects or system services. In J SEAL2 tasks are completely separated from each other. Untrusted tasks are not allowed to directly use certain functions of the JDK, such as file or network IO, but they have ....

Ciarn Bryce and Jan Vitek. The JavaSeal mobile agent kernel. In First Interna- tional Symposium on Agent Systems and Applications (ASA '99)/Third International Symposium on Mobile Agents (MA '99), Palm Springs, CA, USA, October 1999.

....but finally clauses may prevent termination as well. However, the Java compiler maps finally statements to special exception handlers. Thus, it is sufficient to solve the problem with exception handlers that catch ThreadDeath or a superclass thereof. The JavaSeal mobile agent kernel [5] enforces a set of restrictions on exception handlers that may catch ThreadDeath, in order to ensure the termination of such handlers. However, this approach imposes severe restrictions on the programming model. For instance, untrusted agents may not use finally clauses. Furthermore, the ....

C. Bryce and J. Vitek. The JavaSeal mobile agent kernel. In First International Symposium on Agent Systems and Applications (ASA'99)/Third International Symposium on Mobile Agents (MA'99), Palm Springs, CA, USA, Oct. 1999.

....encryption of agent contents. 8 Related Work The Mobile Agent List [15] gives an impression of the variety of current mobile agent systems. A number of systems on this list share with SeMoA a certain bias towards security issues, most notably Mole [16] D Agents [17] Ajanta [18] and JavaSeal [19]. For instance JavaSeal is more rigorous in its separation of agents than our system. The price for the improved separation is paid in terms of reduced performance and a restriction of the Java environment that is available to the seals (agents) Seals communicate by means of synchronous ....

....any other threads attempting to access them. Some of these issues can be dealt with by means of dynamic byte code rewriting [20] as well as extended byte code analysis, restrictions on the visibility of core classes, and minimization of shared classes as described for instance by Bryce and Vitek [19]. We did not yet implement said protective mechanisms though the architecture of SeMoA supports easy integration of filters suitable for this purpose. In summary, a number of shortcomings of Java can be used by malicious agents to launch various DoS attacks. However, in order to do so, agents need ....

C. Bryce and J. Vitek, "The JavaSeal Mobile Agent Kernel," in Proc. First International Symposium on Agent Systems and Applications, and Third International Symposium on Mobile Agents (ASA/MA '99), 1999.

....Logic to discover or establish properties of process algebraic specifications from static analysis. We hope to remedy this in the near future. In terms of a practical realization of process algebraic models, there are three candidates, namely Ambients on top of JOCAML [12] the JavaSeal kernel [5] and Nomadic Pict [24] all of which are relatively experimental in nature. Tools for type systems and logics for process algebra are also few, largely due to the diversity of approaches currently under exploration, although the temporal logic system of [10] seems promising. Acknowledgements ....

Ciaran Bryce and Jan Vitek. The JavaSeal mobile agent kernel. In First International Symposium on Agent Systems and Applications (ASA'99)/Third International Symposium on Mobile Agents (MA'99), Palm Springs, CA, USA, October 1999.

....malicious agents. Albeit, the most challenging issue, the protection of the mobile agents from the execution environments, is still mostly unresolved. Methods based on provably secure languages [28] and proof carrying code [18] have been proposed to provide protection for execution environments. [27] shows how to isolate agents from one another. Protecting the agent from malicious hosts is, in general, more dicult and can be partially solved by approaches like the time limited black box security [8] and the clueless agents [24] concept. Our approach is to provide secure communication ....

J. Vitek and C. Bryce. The JavaSeal Mobile Agent Kernel. In Proc. of ASA/MA'99, October 1999.

....Recently mobile agents were proposed as an alternative model to the construction of distributed applications in the Internet. A mobile agent is a program that can migrate from node to node in the network, carrying the state of its execution [16] Aglets [9] Ajanta [14] Code [10] and JavaSeal [3] are examples of Java mobile agent systems which do not support the programming model proposed in Section 2. In Aglets and Ajanta, mobile agent classes are implemented using a pre defined class that comes with these systems. In Ajanta, after migration, the code of the agent is downloaded on ....

....time. In Code, there is an abstraction, called group, to define the set of objects and classes that is transferred with an agent. The system, however, does not provide support to communication across groups. Thus communication primitives should be implemented at the application level. JavaSeal [3] also provides an abstraction, called seal, to the implementation of mobile agents. Similar to containers, seals have a set of objects and classes but programmers cannot add or remove classes from seals. In JavaSeal, synchronous message passing via channels is the only inter agent communication ....

C. Bryce and J. Vitek. The JavaSeal mobile agent kernel. In First International Symposium on Agent Systems and Applications and Third International Symposium on Mobile Agents, 1999.

....our resource control model. For details regarding J SEAL2, see the web pages at http: www. jseal2.com . J SEAL2 is a micro kernel implemented in pure Java, which supports the hierarchical process model of the Seal Calculus [33] that was first implemented by the JavaSeal mobile object system [9]. The J SEAL2 kernel manages a tree hierarchy of nested protection domains 1 , which may be either mobile objects or service components. Each mobile object and service executes in a protection domain of its own, called a sealed object or seal for short. In J SEAL2 mobile objects and service ....

C. Bryce and J. Vitek. The JavaSeal mobile agent kernel. In First International Symposium on Agent Systems and Applications (ASA'99)/Third International Symposium on Mobile Agents (MA'99), Palm Springs, CA, USA, Oct. 1999.

....be used for offering location services and show how they constraint flexibility. To overcome this problem we present a design pattern [5] 16] that help designers to make flexible use of such mechanisms. Our ideas and thoughts are the outcome of our experience on the implementation of JavaSeal [13][14] and HyperNews [17] 18] 19] systems. HyperNews is an agent based system that runs on top of the Java based agent kernel JavaSeal. It is a system for the electronic distribution of newspaper articles. The actors in this system are: Information Providers: These are either article producers or ....

C. Bryce, J. Vitek, "The JavaSeal Mobile Agent Kernel", also in this report, pp.

.... A capability based system is suggested in work by Hagimont and Ismail [31] and protection of an agent application is researched in [64] A new capability based system was developed by Shapiro et al. 67] Bryce and Vitek developed a mobile agent kernel that addresses Java security limitations [16]. Security of mobile agents has been presented in a book by Vigna [76] A book by Bradshaw represents a good source of information on agents in general [13] Chess discusses security among other features of mobile agents [18] 6. Conversant Conversant is an active network prototype being built ....

C. Bryce, and J. Vitek, "The JavaSeal Mobile Agent Kernel," Proceedings of the First International Symposium on Agent Systems and Applications and Third International Symposium on Mobile Agents (ASA/MA'99), October 1999, pp 103-117. 40

....of mobile code is called mobile agents 2 [Whi94, CHK97] These are program instances that are able to move self directed through a network to locally perform a task in behalf of their sender. Different mobile agent platforms have been proposed e.g. for the programming languages Java [LO98, VB99, Fn98] and Tcl [Gra98] The term agent is also occupied by other research communities, namely the artificial intelligence research (intelligent agents) MJ99] and the software engineering community (software agents) WJ99] Both communities have influenced the mobile agent research, so a mobile ....

....spoof other peoples traffic. This architecture is the basis for service delivery control with mobile code. Since the architecture is non intrusive and only relies on basic agent mechanisms such as authentication and an execution sand box, we believe that state of the art agent technology [LO98, VB99, Fn98, Gra98] can provide most parts of such a platform, and that such a platform can be deployed in the Internet. The only missing key component is thus the T component (and the agents themselves) The next two sections describe two specific applications of the platform. 4 Controlling a Virtual ....

Jan Vitek and Ciaran Bryce. The JavaSeal mobile agent kernel. In Proc Symposium on Agent systems (ASA '99) and Applications and Symposium on Mobile Agents (MA '99), October 1999.

....the most challenging issue, the protection of the mobile agents from the execution environ 12 IEEE ASA MA 2000 ments, is still mostly unresolved. Methods based on provably secure languages and proof carrying code [9] have been proposed to provide protection for execution environments. JavaSeal [16] shows how to isolate agents from one another. Protecting the agent from malicious hosts is, in general, more dicult and can be partially solved by approaches like the time limited black box security and clueless agents [15] Our approach is to provide secure communication channels for the agents ....

J. Vitek and C. Bryce. The JavaSeal Mobile Agent Kernel. In Proc. ASA/MA'99, pages 103-116, October 1999.

....system is a mobile agent system that runs over Java 2 and which offers the ability to displace Java programs (agents) between network hosts. One of the key goals of the system is security: agents run on the platform are isolated from each other and can only communicate via system provided channels [9]. Implementing JavaSeal taught us much about the problems in implementing secure systems over Java. There is no support for resource control, aliasing is still a big security risk, agents need a simple communication infrastructure and there is too much happening inside of the JVM over which we ....

C. Bryce and J. Vitek. The Javaseal Mobile Agent Kernel. In D. Milojevic, editor, Proceedings of the 1st International Symposium on Agent Systems and Applications, Third International Symposium on Mobile Agents (ASAMA'99), pages 176--189, Palm Springs, May 9--13, 1999. ACM Press. C. Razafimahefa and C. Bryce 129

....prevent illegal subclassing, the loader must record the final modifiers in each class already loaded, and verify that further classes loaded do not violate final constraints. The loader must also remove private modifiers from classes BC . This rewriting approach was used by loaders in the JavaSeal [6] system to remove catchs of ThreadDeath exceptions, since catching these exceptions would allow an applet to ignore terminate signals from its parent. The re writing approach does not work for system classes, as these are loaded and linked by the basic system loader. System classes These classes ....

....two problems. First, they cannot be redefined in subclasses. Second, objects referenced by static variables could be shared between protection domains without an access control check taking place. In a fully fledged implementation of protection domains, classes should not be shared between domains [6] to avoid undetected sharing between domains. In the object space implementation, the bridge generator signals an error when an it receives an object of a user class that contains static methods. The problem of static variables is looked at in [8] This proposal strengthens isolation between ....

[Article contains additional citation context not shown here]

C. Bryce and J. Vitek. The Javaseal Mobile Agent Kernel. In D. Milojevic, editor, Proceedings of the 1st International Symposium on Agent Systems and Applications, Third International Symposium on Mobile Agents (ASAMA'99), pages 176--189, Palm Springs, May 9--13, 1999. ACM Press.

.... provides dynamic access control mechanisms based on call stack inspection to verify the privileges of the (transitive) caller of the current method [11] Another scheme is to use objects as capabilities [23] by interposing a restricted proxy object between the user and the target ( 12] see also [15, 41, 37]) 3 Neither kind of protection mechanisms is sufficient in itself. On the one hand, dynamic checks are errorprone as it is easy to forget one check and there is no guarantee that all potentially dangerous operations that can be invoked by untrusted code are protected by access checks. On the ....

....for encryption and decryption. g g Figure 10: Confining a type in a different package 16 7 Related Work The original impetus for the work presented here comes from difficulties of implementing secure and reliable systems in Java. Some of these difficulties can be attributed to aliasing [38, 37]. Confined types follow up on work on flexible alias protection [29] in which we tried to control aliasing at the level of individual objects. Related work can be divided into literature on alias control and on security; we review both topics in the following two subsections. 7.1 Alias Control ....

J. Vitek and C. Bryce. The JavaSeal mobile agent kernel. In First International Symposium on Agent Systems and Applications and Third International Symposium on Mobile Agents (ASA/MA'99), October 1999.

.... and believability security properties with the aid of two examples: an Internet auction room [20] and Internet newspaper service [18] Section 3 presents the agent security framework, in the form of a small language, and Section 4 overviews its implementation in a Java based mobile agent system [6]. Section 5 discusses related work and Section 6 concludes. 2 Background This section outlines the main design choices for the security infrastructure. Section 2.1 gives an overview of the mobile agent paradigm. The two example applications are outlined in Section 2.2. We explain why these ....

....isolate agents by running each agent in a different type space, e.g. 12] This approach means that an attempt by an agent to reference an object in another agent provokes a type error. However, basic Java classes are shared by all agent type spaces and can be used to bypass the typing security [6]. Another kind of attack comes from agents over consuming resources, with the intent of launching denial of service attacks. A second security concern with the agent paradigm is the malicious host problem [26] An agent is under complete control of its host, which may steal or modify agent ....

[Article contains additional citation context not shown here]

C. Bryce and J. Vitek. The javaseal mobile agent kernel. In D. Milojevic, editor, Proceedings of the 1st International Symposium on Agent Systems and Applications, Third International Symposium on Mobile Agents (ASAMA'99), pages 176--189, Palm Springs, May 9--13, 1999. ACM Press.

....of running multiple agents, Figure 1. An agent is a multithreaded program which can interact with the place and with other co located agents. The key issue is how to structure and regulate communication between agents. Our experience with JavaSeal has shown that message passing is cumbersome [5]. An agent that arrives in a foreign environment might not know the naming conventions of that environment; it is more convenient for that agent to specify the attributes of the resources that it needs rather than actual names hence the utility of generative communication. Further, since agents ....

....and used in a main stream programming language such as Java. 4 An Implementation of SecOS in Java This section describes an implementation of SecOS in Java 2. We show that the model can be efficiently and securely implemented. Though the model was conceived for the JavaSeal mobile agent system [5], the implementation is independent of that platform. We also discuss several problems that have to be addressed when implementing a Linda like model securely in an objectoriented programming language. This section is organized as follows. We overview the SecOS API and give an example of its use ....

[Article contains additional citation context not shown here]

C. Bryce and J. Vitek. The javaseal mobile agent kernel. In D. Milojevic, editor, Proceedings of the 1st International Symposium on Agent Systems and Applications, Third International Symposium on Mobile Agents (ASAMA'99), pages 176--189, Palm Springs, May 9--13, 1999. ACM Press.

No context found.

C. Bryce, and J. Vitek, "The JavaSeal Mobile Agent Kernel," Proceedings of the First International Symposium on Agent Systems and Applications and Third International Sympo-sium on Mobile Agents (ASA/MA'99), October 1999, pp 103-117.

Online articles have much greater impact   More about CiteSeer.IST   Add search form to your site   Submit documents   Feedback  

CiteSeer.IST - Copyright Penn State and NEC