Christian F. Tschudin

Protecting Mobile Agents Against Malicious Hosts

A key element of any mobile code based distributed system are the security mechanisms available to protect (a) the host against potentially hostile actions of a code fragment under execution and (b) the mobile code against tampering attempts by the executing host. Many techniques for the first problem (a) have been developed. The second problem (b) seems to be much harder: It is the general belief that computation privacy for mobile code cannot be provided without tamper resistant hardware. Furthermore it is doubted that an agent can keep a secret (e.g., a secret key to generate digital signatures). There is an error in reasoning in the arguments supporting these beliefs which we are going to point out. n nIn this paper we describe software-only approaches for providing computation privacy for mobile code in the important case that the mobile code fragment computes an algebraic circuit (a polynomial). We further describe an approach how a mobile agent can digitally sign his output securely.

Towards mobile cryptography

Mobile code technology has become a driving force for recent advances in distributed systems. The concept of the mobility of executable code raises major security problems. In this paper, we deal with the protection of mobile code from possibly malicious hosts. We conceptualize the specific cryptographic problems posed by mobile code, and we are able to provide a solution for some of these problems. We present techniques to achieve non-interactive evaluation with encrypted functions in certain cases and give a complete solution for this problem in important instances. We further present a way in which an agent might securely perform a cryptographic primitive-digital signing-in an untrusted execution environment. Our results are based on the use of homomorphic encryption schemes and function composition techniques.

On software protection via function hiding

Software piracy is a major economic problem: it leads to revenue losses, it favors big software houses that are less hurt by these losses and it prevents new software economy models where small enterprises can sell software on a per-usage basis. Proprietary algorithms are currently hard to protect, both at the technical as well as the legal level. In this paper we show how encrypted programs can be used to achieve protection of algorithms against disclosure. Moreover, using this approach we describe a protocol that ensures - under reasonable conditions - that only licensed users are able to obtain the cleartext output of the program. This protocol also allows to charge clients on a per-usage basis.

Mobile Agent Security

Let’s get mobile! This is the Zeitgeist at the end of this century. The cold war is over and with it disappeared the literally frozen constellation of opposing power blocks. Money is flowing almost freely through a increasingly global economy, data is even more mobile, computer networks at the lowest sea levels as well as in space provide global connectivity to stationary as well as mobile end devices. But mobility is also on a triumphant march into the very core of computers: The JAVA programming language has demonstrated to everybody that software can be mobile too. Today, software mobility is studied at the application layer (Mobile Software Agents) as well as network layer (Active Networks). Indeed, we only see the beginning of a new technology. Consequently, code mobility is subject to intense research. In this chapter we look at one of these research topics that, as everybody agrees, is critical for the success of mobile agent technology: security.

A survey of theories for mobile agents

This paper presents a comparative survey of formalisms related to mobile agents. It describes the π-calculus and its extensions, the Ambient calculus, Petri nets, Actors, and the family of generative communication languages. Each of these formalisms defines a mathematical framework that can be used to reason about mobile code; they vary greatly in their expressiveness, in the mechanisms they provide to specify mobile code based applications and in their practical usefulness for the validation and the verification of such applications. In this paper we show how these formalisms can be used to represent the mobility and communication aspects of two mobile code environments: Obliq and Messengers. We compare and classify the different formalisms with respect to mobility and discuss some shortcomings and desirable extensions. We also point to other emerging concepts in formalisms for mobile code systems.

Active routing for ad hoc networks

Ad hoc networks are wireless multihop networks whose highly volatile topology makes the design and operation of a standard routing protocol hard. With an active networking approach, one can define and deploy routing logic at runtime in order to adapt to special circumstances and requirements. We have implemented several active ad hoc routing protocols that configure the forwarding behavior of mobile nodes, allowing data packets to be efficiently routed between any two nodes of the wireless network. Isolating a simple forwarding layer in terms of both implementation and performance enables us to stream delay-sensitive audio data over the ad hoc network. In the control plane, active packets permanently monitor the connectivity and setup, and modify the routing state.

Open Resource Allocation for Mobile Code

Mobile code technology leads to a new type of “open systems”: instead of applying openness to a standardization process we now require the running systems to become open for foreign code. The question then is how far this technical openness can go for mobile code. The less constraints we impose on hosts running mobile code, the more can the benefits of mobile code be exploited. However, there must necessarily be basic constraints regarding the utilization of resources which are always finite and most of the time will be operated near the saturation point. In this paper we argue in favor of openness even at the level of resource allocation. We link this topic to (open) market models, describe the mechanisms we developed so far for communication messengers and show how they are used to allocate resources in an open way. Finally we present experimental results of validation runs which help us testing these mechanisms.

Apoptosis — the programmed death of distributed services

Active networks enable to deploy new services at run-time by using mobile code. While considerable effort is under way to build active network infrastructures and to understand how to create corresponding services, less is known about how to end them. A particular problem is the coordinated steering of mobile code based services, especially in the case of strong active networks where each data packet is replaced by a mobile program and where a distributed service can consists of a myriad of anonymous active packets. In this paper we introduce the concept of apoptosis for mobile code based services. This term is borrowed from cell biology and designates the programmed cell death. We discuss the need for a self-destruction mechanism inside a distributed mobile service and address the problem of securing such a mechanism against malicious activation, for which a simple solution is shown.

An Active Networks Overlay Network (ANON)

In this paper we report on an overlay network for the Internet that was built to ease the interconnection of active nodes at a global scale. A simple “Active Networks Overlay Network” (ANON) protocol was defined and implemented that enables to create virtual network segments. This overlay abstraction was complemented by simple tools for the automated management of a distributed ANON-based testbed. The HTTP protocol, enhanced with a CGI-script based security protocol (ASD2), is used for code distribution, log file inspection and steering of the active network execution environments. We have set up a global ANON-based ABONE consisting of multiple segments in Europe, the USA, and Japan, enabling the first active packet ever to physically circumnavigate the globe.

A Self-Deploying Election Service for Active Networks

Active networking aims at minimizing the functionality that is built into a data network: Programmable nodes inside the network enable the deployment of new services at run-time. In a bottom-up approach we presume a network void from any functionality and study the problem of deploying and providing a basic, externally defined and non-trivial distributed service. As a test case we use the robust election of a coordinator. Based on the bully algorithm, we implemented an election service that is fully based on active packets. It deploys itself to every reachable active network segment, continuously scans for newly attached nodes and networks and provides a segment wide election service for all attached nodes. The implementation was carried out in the M0 messenger environment and tested in a worldwide active networks testbed. The complete and self-contained initial election service germ fits in less than 1200 Bytes and asserts the ubiquitous presence of this service.