J. Vitek, M. Serrano, and D. Thanos. Security and communication in mobile object systems. In Mobile Object Systems. Towards the Programmable Internet. Second International Workshop, MOS '96, number 1222 in Lecture Notes in Computer Science, pages 177--199, Linz, Austria, July 1997.  Home/Search   Document Details and Download   Summary   Related Articles   Check

....share of resources, denying them to other programs. In this paper, we focus on two problems: resource access control and resource consumption control. Note that our focus is protecting a runtime system against external programs. We do not address the problem of protecting the communication medium [14] or protecting an external program from runtime systems. Furthermore, we do not address the problem of correctly identifying the source of a mobile program (authentication) The rest of this paper is organized as follows: In Section 2, we describe the two security problems in detail. In Section 3, ....

J. Vitek, M. Serrano, and D. Thanos. Security and communication in mobile object systems. In Mobile Object Systems. Towards the Programmable Internet. Second International Workshop, MOS '96, number 1222 in Lecture Notes in Computer Science, pages 177--199, Linz, Austria, July 1997.

....Agent System Tahiti Agent System Resources Internal objects and Aglets Region missing Table 1. Realization of the Abstract Model in Aglets 3. 2 Authorization Attacks in Aglets Some attacks have already been identified by developers [11] or have been theoretically shown in research papers [16]. So this paper only describes attacks that were novel at the time of the tests. Code repository attacks. Starting with the access control list, an attack to obtain a reference to the code repository of the Aglets system was attempted. The code repository is not directly accessible by the agent ....

J. Vitek, M. Serrano, and D. Thanos. Security and Communications in Mobile Object Systems. In J. Vitek and C. Tschudin, editors, Mobile Object Systems: Towards the Programmable Internet, LNCS 1222. Springer-Verlag, April 1997.

....is that mobile agents are to execute autonomously in inherently open and dynamic environments, which moreover may be characterized as: Vulnerable: Their openness makes them an easy target for direct attacks. The security issues in mobile agent systems have been classified into five categories [1]: 1) transfer security, 2) authentication and authorization, 3) host system security, 4) computational environment security, and (5) mobile agent system security. We are interested in the second and especially the fifth aspects of security, which cover the problems related to initiating and ....

....electronic cash validation [17] reliable communication [16] Hence mobile agents do not only interact as peers, but there also clearly exists a necessity of layering services in order to build higher level abstractions. Inter agent communication mechanisms may be classified into four categories [1]: shared memory (as in the Messenger paradigm [11] and sometimes in [3] generative communication (as in the Secure Object Spaces of [1] datagrams (as in Agent Tcl [14] and procedure method invocations (as in Telescript [15] and Java) The work described in this paper is based on the ....

[Article contains additional citation context not shown here]

J. Vitek, M. Serrano and D. Thanos, Security and Communication in Mobile Object Systems, in Mobile Object Systems: Towards the Programmable Internet, Second International Workshop, MOS'96, Linz, Austria, Selected Presentations and Invited Papers, J. Vitek and C. Tschudin (eds), LNCS vol. 1222, July 1996.

.... machine from malicious external agents [59] ffl design of bytecode for enabling efficient execution for heterogeneous environment [3, 23] ffl dynamic compilation, dynamic code generation for efficient execution of mobile agents, ffl theories for mobile agents to retain security properties [49, 73, 97], and ffl application of mobility for quality of service (QoS) 77] workflow [15] and Internet chat [80] In addition to the vastitude of relevant research fields, there is a terminological and conceptual confusion concerning its fundamental component. The mobilityrelated terms carry two ....

Jan Vitek, Manuel Serrano, and Dimitri Thanos. Security and Communication in Mobile Object Systems. In Mobile Object System: Towards the Programmable Internet, volume 1222 of Lecture Notes in Computer Science, pages 177--199, 1996. 88 CHAPTER 5. CONCLUSION

....significantly from the traditional distributed objects paradigm and open a whole new world of considerations, especially in the area of security. For this reason, this work doesn t cover mobile agent systems. Discussions of strongly mobile technologies can be found in [CGPV96, Kat96, SBH96, Vig97, VST96, Vit96] The use of mobile code, especially on the Internet, raises serious security concerns. Because users are not always aware that remote code is being linked with their applications, and because such code has potential access to all of the machine resources, security mechanisms have to be ....

Jan Vitek, Manuel Serrano, and Dimitri Thanos. Security and communication in mobile object systems. In Proceedings of the Second International ECOOP Workshop on Mobile Object Systems, volume LNCS 1222, Linz, Austria, July 1996. Springer.

....and decryption. Figure 10. Con ning a type in a di erent package 22 J. VITEK AND B. BOKOWKSI 7. Related Work The original impetus for the work presented here comes from diculties of implementing secure and reliable systems in Java. Some of these diculties can be attributed to aliasing [38, 26]. Con ned types follow up on work on exible alias protection [6] in which we tried to control aliasing at the level of individual objects. Related work can be divided into literature on alias control and on security; we review both topics in the following two subsections. 7.1. Alias Control ....

Vitek J, Serrano M, Thanos D. Security and communication in mobile object systems. In Objects at Large, Tsichritzis D (ed.). University of Geneva, 1997.

....control what code is using memory and CPU resources, one cannot control who is using this code. The primary goal of this security architecture is to protect the virtual machine from the programs running on top of it. There are ways to circumvent Java security. We identified a few in earlier work [36], here we focus on those related to three JavaSeal security properties. Confinement: The difficulty in obtaining confinement is that the JVM is one very large shared data structure. There are numerous covert and storage channels for domains to communicate thanks to shared library classes. Java ....

J. Vitek, M. Serrano, and D. Thanos. Security and Communication in Mobile Object Systems. In Mobile Object Systems: Towards the Programmable Internet , volume 1222 of Lecture Notes in Computer Science. Springer-Verlag, April 1997.

....for encryption and decryption. g g Figure 10: Confining a type in a different package 16 7 Related Work The original impetus for the work presented here comes from difficulties of implementing secure and reliable systems in Java. Some of these difficulties can be attributed to aliasing [38, 37]. Confined types follow up on work on flexible alias protection [29] in which we tried to control aliasing at the level of individual objects. Related work can be divided into literature on alias control and on security; we review both topics in the following two subsections. 7.1 Alias Control ....

J. Vitek, M. Serrano, and D. Thanos. Security and communication in mobile object systems. In D. Tsichritzis, editor, Objects at Large. University of Geneva, 1997.

....genKeyPair( is invoked on it, providing two instances of PubKeyWriter and PrivKeyWriter, respectively. 7 Related Work The original impetus for the work presented here comes from diculties of implementing secure and reliable systems in Java. Some of these diculties can be attributed to aliasing [41, 40]. Con ned types follow up on work on exible alias protection [30] in which we tried to control aliasing at the level of individual objects. Related work is divided between literature on alias control and security; we review both topics in the following two subsections. 7.1 Alias Control ....

J. Vitek, M. Serrano, and D. Thanos. Security and communication in mobile object systems. In D. Tsichritzis, editor, Objects at Large. University of Geneva, 1997.

....and CPU resources, one cannot control what applet is using this code. It is clear that the primary goal of Java s security architecture is to protect the virtual machine from the applets and programs running over it. There are ways to circumvent Java security. We identified a few in earlier work [35], here we focus on those related to the three JavaSeal security properties. Confinement: The difficulty in obtaining confinement is that the JVM is one very large shared data structure. There are numerous covert and storage channels for domains to communicate due to shared library classes. In ....

J. Vitek, M. Serrano, and D. Thanos. Security and Communication in Mobile Object Systems. In Mobile Object Systems: Towards the Programmable Internet, volume 1222 of Lecture Notes in Computer Science. Springer-Verlag, April 1997.

....genKeyPair( is invoked on it, providing two instances of PubKeyWriter and PrivKeyWriter, respectively. 7 Related Work The original impetus for the work presented here comes from diculties of implementing secure and reliable systems in Java. Some of these diculties can be attributed to aliasing [41, 40]. Con ned types follow up on work on exible alias protection [30] in which we tried to control aliasing at the level of individual objects. Related work is divided between literature on alias control and security; we review both topics in the following two subsections. 7.1 Alias Control ....

J. Vitek, M. Serrano, and D. Thanos. Security and communication in mobile object systems. In D. Tsichritzis, editor, Objects at Large. University of Geneva, 1997.

....is invoked on it, providing two instances of PubKeyWriter and PrivKeyWriter, respectively. 7 Related Work The original impetus for the work presented here comes from difficulties of implementing secure and reliable systems in Java. Some of these difficulties can be attributed to aliasing [41, 40]. Confined types follow up on work on flexible alias protection [30] in which we tried to control aliasing at the level of individual objects. Related work is divided between literature on alias control and security; we review both topics in the following two subsections. 7.1 Alias Control ....

J. Vitek, M. Serrano, and D. Thanos. Security and communication in mobile object systems. In D. Tsichritzis, editor, Objects at Large. University of Geneva, 1997.

....Objects [14] are a version of this approach; the guarded object is hidden within an encapsulating object. Wallach et al. discuss two software protection mechanisms for Java: stack introspection and controlled namespaces [43] The failings of these approaches have been mentioned in section 3 and in [41]. The J Kernel offers capabilities though with tighter guarantees [19] A protection domain in the J Kernel is also a name space, implemented using a class loader. Communication between domains is achieved by invoking a method on a capability object which acts as a mini RMI stub. Parameters are ....

J. Vitek, M. Serrano, and D. Thanos. Security and Communication in Mobile Object Systems. In Mobile Object Systems: Towards the Programmable Internet, volume 1222 of Lecture Notes in Computer Science. Springer-Verlag, April 1997.

....fundamental level, the problem with JDK is that the shared kernel interface (comprised of the JDK core classes) is too big to reason with, and there are no checked primitives to mediate access to the kernel s protection domain. 4 The JavaSeal experiment JavaSeal is micro kernel for agent systems [38, 39, 40] which has been implemented at the University of Geneva. The implementation and agent languages are both Java, the system was originally implemented for JDK 1.1.5 and later ported to JDK 1.2. The current implementation comprises 75 classes, and 10 000 lines of sparsely commented Java code. ....

J. Vitek, M. Serrano, and D. Thanos. Security and communication in mobile object systems. In D. Tsichritzis, editor, Objects at Large. University of Geneva, 1997.

....for implementing access control. In e#ect, the type system prevents access to operations not explicitly listed in an object s interface. The danger with this model is that, as there are no strong protection domains between entities, it surprisingly easy to open an aggregate object to attacks [39]. Aliasing plays an important role here as it can be exploited to gain access to the trusted parts of an abstraction. A case in point is the recent defect in an implementation of SUN s digital signatures for Java applets which permitted any applet to become trusted, simply because an alias to the ....

Jan Vitek, Manuel Serrano, and Dimitri Thanos. Security and communication in mobile object systems. In J. Vitek and C. Tschudin, editors, Mobile Object Systems: Towards the Programmable Internet., LNCS 1222. Springer-Verlag, April 1997.

Online articles have much greater impact   More about CiteSeer.IST   Add search form to your site   Submit documents   Feedback  

CiteSeer.IST - Copyright Penn State and NEC