Bennet S. Yee. A sanctuary for mobile agents. In Secure Internet Programming, pages 261--273, 1999. 7  Home/Search   Document Details and Download   Summary   Related Articles   Check

....protocols are intended to ensure properties like secrecy, authentication, anonymity, integrity or non repudiability. Initially proposed for securing communications, they have been more recently proposed for protecting the computation results of free roaming mobile agents doing comparison shopping [26]. Experience shows that even simple protocols are dicult to set correctly [14] Their correctness clearly needs to be checked by mechanical tools. But this cannot be an easy task. For instance, secrecy has been shown undecidable even under very weak assumptions [8] And correctness is always with ....

....certify in Isabelle the correctness of some of the protocols proposed by Asokan, G ulc u and Karjoth in [2] for protecting the computation results of free roaming agents. These protocols tolerate collusion between servers and un xed itineraries. They formalize and extend protocols proposed by Yee [26]. Application areas of these protocols include comparison shopping, bidding and network routing [5] Following the authors, we will use the vocabulary of comparison shopping, hence using the word shop to denote a server, and the word o er to denote the answer of a shop to an agent s request. ....

[Article contains additional citation context not shown here]

B. Yee. A sanctuary for mobile agents. In Proc. of the 4th ECOOP Workshop on Mobile Object Systems, LNCS 1603, 1998. 16

....out the data from an agent and using them in other similar agents. On the other hand, as recognized by the various protocol authors, the proposed mechanisms are not resistant to all the kinds of tampering: typically, truncations of the collected data in some cases cannot be detected (e.g. [1, 2, 3, 4, 7, 10]) Moreover, some of the proposed protocols have been designed specifically for particular application domains and work correctly only if certain environment assumptions hold (e.g. 1, 2, 3] In some cases (e.g. 10] the protocols have been specified only in an informal, incomplete way. The ....

.... of the collected data in some cases cannot be detected (e.g. 1, 2, 3, 4, 7, 10] Moreover, some of the proposed protocols have been designed specifically for particular application domains and work correctly only if certain environment assumptions hold (e.g. 1, 2, 3] In some cases (e.g. [10]) the protocols have been specified only in an informal, incomplete way. The main goal of this paper is to put together the underlying ideas of various proposals that appeared in the literature, and the related criticisms, and to formally define a protocol that incorporates them and does not ....

[Article contains additional citation context not shown here]

B. S. Yee. A sanctuary for mobile agents. In J. Vitek and C. Jensen, editors, Secure Internet Programming: Security Issues for Mobile and Distributed Objects, volume 1603 of Lecture Notes in Computer Science, pages 261--273. Springer-Verlag, Berlin Germany, 1999.

....techniques may not be su#cient anymore. Much research e#ort has been devoted on protecting servers from untrusted and potentially malicious mobile code. On the converse, mobile code must 5 be protected from potentially malicious servers that might try to modify it or other sensible private data [Yee99, FGS96, ST98]. Locality The distribution of resources (at low level) should be as transparent as possible to the end user, who, however, should be aware of the fact that an interaction with a procedure service on a remote computer requires much more time than an operation on the local computer. Additionally, ....

B.S. Yee. A Sanctuary For Mobile Agents. In Vitek and Jensen [VJ99], pages 261--273. Also Technical Report CS97-537, University of California at San Diego. 53

....or agents can be moved over the di erent sites of a net. Malicious agents could seriously damage hosts and compromise their integrity, and may tamper and brainwash other agents. On the other hand, malicious hosts may extract sensible data from agents, change their execution or modify their text [16, 12]. The exibility of the shared tuple space model opens possible security holes; it basically provides no access protection to the shared data. Indeed there is no way to determine the issuer of an operation to the tuple space and there is no way to protect data: a process may (even not ....

.... key (in asymmetric encryption the private key must be kept secret) Thus, a fundamental requirement is that mobile code and mobile agents must not carry private keys when migrating to a remote site ( Software agents have no hopes of keeping cryptographic keys secret in a realistic, ecient setting [16]) This implies that the above introduced operations ink and readk cannot be used by a mobile agent executing on a remote site, because they would require carrying over a key for decryption. For mobile agents it is then necessary to supply a ner grain retrieval mechanism. For this reason we ....

B. Yee. A Sanctuary For Mobile Agents. In Vitek and Jensen [15], pages 261-273.

....being used. The dynamic loading of the LC is similar to the popular Java Applet model of mobile code. The motivation for limiting our design to this basic model is to avoid introducing the additional system complexity and security liabilities characteristic of more general mobile code mechanisms [7,24]. 3.2 Handling Requests Associated with each Customizer is a set of Web sites called its Domain of Applicability (DA) A Customizer will only operate on requests to (and responses from) sites in its DA. When the LC Server receives an HTTP request from the browser, it can determine if a ....

B. S. Yee, "A Sanctuary for Mobile Agents," DARPA Workshop on Foundations for Secure Mobile Code, Monterey, CA, USA, March 1997.

....1996] or possibly hosts with a good reputation [Rasmusson and Jansson, 1996] The second category is pragmatic; it consists of solutions to a single part of the malicious host problem. These consist of agents detecting when they have been modified [Vigna, 1997] and proof verification techniques [Yee, 1997]. The third class consists of assuming that there is special, tamper proof hardware available, see for example [Yee, 1997] or [Wilhelm et al. 1998] The final category uses software methods to obscure the code from the host. Approaches include obfuscation [Hohl, 1998b] Ng, 2000] mobile ....

....of solutions to a single part of the malicious host problem. These consist of agents detecting when they have been modified [Vigna, 1997] and proof verification techniques [Yee, 1997] The third class consists of assuming that there is special, tamper proof hardware available, see for example [Yee, 1997] or [Wilhelm et al. 1998] The final category uses software methods to obscure the code from the host. Approaches include obfuscation [Hohl, 1998b] Ng, 2000] mobile cryptography [Sander and Tschudin, 1998, Sander and Tschudin, 1997] and using environmental conditions to hide parts of the code ....

Yee, B. (1997). A sanctuary for mobile agents. In DARPA Workshop on Foundations for Secure Mobile code. Available from http://www.cs.nps.navy. mil/research/languages/statemensts/bsy. ps.

....such techniques may not be sucient anymore. Much research e ort has been devoted on protecting servers from untrusted and potentially malicious mobile code. On the converse, mobile code must be protected from potentially malicious servers that might try to modify it or other sensible private data [15, 16, 17]. A collection of papers about security in Internet programming can be found in [11] Locality: the distribution of resources (at low level) should be as transparent as possible to the end user, who, however, should be aware of the fact that an interaction with a procedure service on a remote ....

.... the focus of our work, we just want to point out that both Aglets and RMI rely on Java security architecture for supplying customizable security mechanisms (e.g. security managers and access policies) To study in depth security aspects of mobile agents, we refer the interested reader to, e.g. [14, 16, 15, 17]. Persistence of mobile agents is also a key concept: when a server shuts down, the agent (its state and code) must be saved on the server s disk in order to be restarted when server reboots. For this reason, in our ight booking Aglets based implementation, we catch the dispose event generated ....

B.S. Yee. A Sanctuary For Mobile Agents. In Vitek and Jensen [11], pages 261-273. Also Technical Report CS97-537, University of California at San Diego.

....code. This may seem a bit arti cial since one might like to model security more symmetrically. Nonetheless, it is a useful distinction for now. The code security problem seems quite intractable, given that mobile code is under the control of a host. For some proposals and a discussion, see [25, 26, 40]. In the remainder of this paper, we treat only the host security problem. 1 Host Security Our view of the problem is that mobile code is executed on a host which must be protected from privacy and integrity violations. As far as privacy goes, the This material is based upon activities ....

Bennet S. Yee. A sanctuary for mobile agents. In Proc. 1997 Foundations for Secure Mobile Code Workshop, pages 21-27, Monterey, CA, March 1997. 19

....or agents can be moved over the different sites of a net. Malicious agents could seriously damage hosts and compromise their integrity, and may tamper and brainwash other agents. On the other hand, malicious hosts may extract sensible data from agents, change their execution or modify their text [35, 27]. The flexibility of the shared tuple space model opens possible security holes; it basically provides no access protection to the shared data. Indeed there is no way to determine the issuer of an operation to the tuple space and there is no way to protect data: 1. a process may (possibly ....

....be expected to accomplish their task within a specific amount of time. Moreover, inconsistencies could arise in case successful decryption acknowledgments arrive after the timeout has expired. Software agents have no hopes of keeping cryptographic keys secret in a realistic, efficient setting [35]. 3 Implementation KLAVA [5, 6] is deployed as an extensible Java package, Klava, that defines the classes and the run time system for developing distributed and mobile code applications according to the programming model of KLAIM. In KLAVA processes are instances of subclasses of class ....

[Article contains additional citation context not shown here]

B. Yee. A Sanctuary For Mobile Agents. In J. Vitek and C. Jensen, editors, Secure Internet Programming: Security Issues for Distributed and Mobile Objects, number 1603 in LNCS, pages 261-273. Springer-Verlag, 1999. Also Technical Report CS97537, University of California at San Diego. 15

....Notable advances were made with regard to items 1 and 2. Karjoth et al. 4] introduced the notion of strong forward integrity and proposed protocols for protecting the computation results of free roaming agents. Their work is an extension of partial result authentication codes introduced by Yee [15]. Roth and Jalali proposed an agent structure that supports access control and authentication of mobile agents [6] Agent authentication and state appraisal is covered by Berkovits et al. 1] Sander and Tschudin [7] introduced the notion of mobile cryptography and devised approaches for ....

....authenticated identity of the host the agent came from as well as the local host s identity are provided to the hosted agent. Yee already pointed out that if an agent is running on an honest server, both these answers (for the peer identity and the local host s identity) will be correct. [15]. We assume that a host is honest unless it may successfully attack an agent on its own, or with the help of other hosts on this agent s itinerary. In other words, we assume that hosts do not randomly introduce lies. 3 Tracing Loose Routes A simple yet effective attack on a mobile agent is to ....

YEE, B. S. A sanctuary for mobile agents. In Secure Internet Programming [14], pp. 261-- 273.

....example in [36] the author presents a technique which tries the problem of malicious host via messing up code in combination with a life time 3.7. CURRENT STATE OF THE ART 27 restriction. It should be impossible to modify or spy out data of the agent before the life time is exceeded. In [41] and [58] the authors suggest to use detection objects which are dummy data items or attributes which will not be modified to detect malicious modifications and if the detection object have not been modified, then one can have reasonable confidence that legitimate data also has not been corrupted [41] ....

Bennt S. Yee. A Sanctuary for Mobile Agents. Position Paper, April 28 1997.

No context found.

Bennet S. Yee. A sanctuary for mobile agents. In Secure Internet Programming, pages 261--273, 1999. 7

No context found.

Yee, B.S. "A sanctuary for mobile agents". In Secure Internet Programming: Security Issues for Distributed and Mobile Objects, Springer Verlag, Lecture Notes in Computer Science, LNCS, pages 261--273, Berlin, Germany, 1999.

No context found.

Bennet S. Yee. A sanctuary for mobile agents. In Secure Internet Programming, pages 261--273, 1999.

No context found.

B. Yee. A sanctuary for mobile agents. In Proceedings of the 4th ECOOP Workshop on Mobile Object Systems, Lecture Notes in Computer Science 1603, 1998.

No context found.

S. Y. Bennet, "A sanctuary for mobile agents", in Secure Mobile Code Workshop. Monterey CA: DAR A, 1997, pp. 21-27.

No context found.

Bennet S. Yee. A sanctuary for mobile agents. In Secure Internet Programming, pages 261--273, 1999.

No context found.

B. S. Yee. A sanctuary for mobile agents. Technical Report CS97-537, University of California at San Diego, Apr. 1997. 3.6.1

No context found.

Bennet Yee. A sanctuary for mobile agents. In Jan Vitek and Christian Jensen, editors, Secure Internet Programming: Security Issues for Mobile and Distributed Objects, number 1603 in LNCS, pages 261--274. SpringerVerlag, Berlin, 1999.

No context found.

Bennet Yee. A sanctuary for mobile agents. In Jan Vitek and Christian Jensen, editors, Secure Internet Programming: Security Issues for Mobile and Distributed Objects, number 1603 in LNCS, pages 261--274. SpringerVerlag, Berlin, 1999.

No context found.

Bennet S. Yee. A Sanctuary for Mobile Agents. In Secure Internet Programming, pages 261--273, 1999. 256

No context found.

Yee Bennet S.: A Sanctuary for Mobile Agents. Proceedings of the DARPA workshop on foundations for secure mobile code, Monterey CA, USA (1997)

No context found.

Bennet S. Yee. A sanctuary for mobile agents. In Secure Internet Programming, volume 1603 of Lecture Notes in Computer Science, pages 261--273. SpringerVerlag Inc., New York, NY, USA, 1999. 16

No context found.

B. S. Yee, "A sanctuary for mobile agents," in Secure Internet Programming, vol. 1603 of Lecture Notes in Computer Science, pp. 261--273, New York, NY, USA: Springer-Verlag Inc., 1999.

No context found.

B. Yee, "A Sanctuary for Mobile Agents", in Secure Internet Programming, Jan Vitek and Christian Jensen (Eds.), LNCS 1603, Springer-Verlag, pp. 261-274, 1999

First 50 documents

Online articles have much greater impact   More about CiteSeer.IST   Add search form to your site   Submit documents   Feedback  

CiteSeer.IST - Copyright Penn State and NEC