receiving side must make sure the code is not harmful to run. In remote evaluation, the code receiving
side is the remote side, while it is the local side in code-on-demand.
The mobile agent paradigm, on the other hand, is the most challenging area of mobile code security, due to the
autonomy of agents. Mobile agent security is usually divided into two aspects: host security and agent
security. Host security deals with the protection of hosts against malicious agents or other hosts, while
agent security deals with the protection of agents against malicious hosts or other agents. For host
security, the security fortress model can still apply. However, it hardly applies to agent security, due to
the lack of trusted hardware with which to anchor security (Tschudin, 1999). There are two branches
of new possible attacks on agents:
1. Data tampering: A host or another agent may modify the data or execution state being carried
by an agent for malicious purposes.
2. Execution tampering: A host may change the code executed by an agent, or rearrange the code
execution sequence for malicious purposes.
Security Mechanisms
Security mechanisms are mechanisms designed to prevent, detect or recover from security attacks. We
see from the previous section that the main security challenges of the client/server paradigm are the
building of mutual trust between clients and servers, plus the protection of messages in transit. These
problems can be satisfactorily solved by cryptographic techniques such as security protocols and message
encryption. These mechanisms are already extensively employed in existing client/server applications.
Further details can be found in Schneier (1996) and Stallings (1999).
As there are more possible attacks on mobile code paradigms, more mechanisms are required to
secure mobile code applications. We see from a previous section that the main additional challenge to
the security of mobile code paradigms is the verification of the received code. One significant approach to
this problem is the sandbox model. In the sandbox model, the code or agent received from a remote side
can only access a dedicated portion of system resources. Therefore, even if the received code or agent
is malicious, damage would be confined to the resources dedicated to that code or agent.
While the sandbox technique is well known and generally accepted for host security, there is as yet no
good mechanism for agent security. Some approaches have been proposed, and they can be classified
into two categories. The first category is agent-tampering detection. These techniques aim at
detecting whether an agent's execution or data have been tampered with along the journey. Some possible
approaches are range verification, timing information, addition of dummy data items and code, and
cryptographic watermarks (Tschudin, 1999). The second category is agent-tampering prevention. These
techniques aim at preventing agent code or data from being tampered with. Two representative approaches
are the execution of encrypted functions (Sander & Tschudin, 1998) and time-limited black-boxes (Hohl,
1998). These approaches are enlightening in the way they open new areas in computer security. Yet
they provide limited protection to agents for the time being. Agent protection is still in its early stage,
compared with the maturity of protection for hosts and client/servers, and efforts should be spent on
improving the already-proposed mechanisms, or developing new protection mechanisms.
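The following added example (not from the original text) sketches how an agent's owner might apply three of the detection approaches named above when an agent returns home: range verification, dummy data items, and timing information. The agent layout, field names, thresholds and the exact form of each check are assumptions made for illustration.

```python
# Added illustration: owner-side tamper detection for a returned mobile agent.
# Every name, field and value below is constructed for this example.

def check_returned_agent(state, ranges, dummies, max_seconds):
    """Return a list of tamper indicators found in a returned agent's state."""
    findings = []
    # Range verification: results must be numeric and inside bounds fixed at dispatch.
    for field, (low, high) in ranges.items():
        value = state.get("data", {}).get(field)
        if not isinstance(value, (int, float)) or not low <= value <= high:
            findings.append("range:" + field)
    # Dummy data items: the agent's real code never touches them, so a changed
    # or missing dummy means some host modified the carried data.
    for name, expected in dummies.items():
        if state.get("dummies", {}).get(name) != expected:
            findings.append("dummy:" + name)
    # Timing information: a host that held the agent far longer than the task
    # needs may have been inspecting or altering it.
    for host, seconds in state.get("timing", {}).items():
        if seconds > max_seconds:
            findings.append("timing:" + host)
    return findings

# Owner-side records kept at dispatch time (never carried by the agent).
RANGES = {"best_price": (50, 500), "quotes": (1, 3)}
DUMMIES = {"decoy_budget": 9999, "decoy_route": "hostX,hostY"}
MAX_SECONDS = 5.0

# Constructed sample: an agent that came back untouched.
CLEAN = {
    "data": {"best_price": 120, "quotes": 3},
    "dummies": {"decoy_budget": 9999, "decoy_route": "hostX,hostY"},
    "timing": {"hostA": 1.2, "hostB": 0.9, "hostC": 2.0},
}
# Constructed sample: implausible price, altered dummy item, slow host.
TAMPERED = {
    "data": {"best_price": 5, "quotes": 3},
    "dummies": {"decoy_budget": 1, "decoy_route": "hostX,hostY"},
    "timing": {"hostA": 1.2, "hostB": 42.0, "hostC": 2.0},
}

if __name__ == "__main__":
    print(check_returned_agent(CLEAN, RANGES, DUMMIES, MAX_SECONDS))
    print(check_returned_agent(TAMPERED, RANGES, DUMMIES, MAX_SECONDS))
```

These checks only detect tampering after the fact, and a host that keeps its changes within the expected ranges and leaves the dummy items alone passes them, which matches the text's point that such mechanisms give limited protection.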