1 / 51

Application Security Models for Mobile Agent Systems

Application Security Models for Mobile Agent Systems. The 1 st International Workshop on Security and Trust Management (STM’05) Sept 15, 2005 Milan, Italy. Department of Computer Science Florida State University. J. Todd McDonald Alec Yasinsac. Overview. Motivation

grady
Télécharger la présentation

Application Security Models for Mobile Agent Systems

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Application Security Models for Mobile Agent Systems The 1st International Workshop on Security and Trust Management (STM’05) Sept 15, 2005 Milan, Italy Department of Computer Science Florida State University • J. Todd McDonald • Alec Yasinsac

  2. Overview • Motivation • Defining mobile agent trust • Defining trust-enhanced security • Defining application security models • Military model • Trade model • Neutral-services model • Questions

  3. Motivation • Defining Security • Requirements = Confidentiality, integrity, authentication… • Mechanisms = Enforce security requirements • Defining Trust • Subjective non-Boolean expectation of behavior • Non-reflexive, changing, context-driven • Acquired or delegated • Using Trust with Mobile Agent Security • Consider all mobile agent principals • Link requirements to mechanisms • Reason about trust for generic mechanisms • Initialize trust model based on context

  4. Overview • Motivation • Defining mobile agent trust • Defining trust-enhanced security • Defining application security models • Military model • Trade model • Neutral-services model • Questions

  5. The Big Picture

  6. Agent Host Code developer Application owner Host manager PRINCIPALS TRUST RELATIONSHIPS Defining Mobile Agent Trust

  7. Defining Mobile Agent Trust

  8. Defining Mobile Agent Trust • Hosts and Agents • ax→ EH[i] • EH[i] → ax • ax→ TH[i] • TH[i] → ax • DH → ax • ax → DH • ax→ ay • People to Hosts/Agents • AO → CD • AO → DH • AO → EH[i] • CD → AO • CD → DH • CD → EH[i] • DH → CD • DH → AO • EH[i]→ CD • EH[i]→ AO • Dispatching/ Execution Hosts • DH → EH[i] • EH[i] → DH • EH[i]→ EH[j] • Trusted Hosts • DH → TH[i] • TH[i] → DH • EH[i] → TH[j] • TH[j] → EH[i] • TH[i]→ TH[j]

  9. Defining Mobile Agent Trust • Simplifying Assumptions • A ≈ CD • Agents are UNIQUE INSTANCES of agent code • Code developers write agent code • DH ≈ AO • Applications owners use agent code • The host that dispatches an agent • The user that owns the application • HM ≈ Host owner, systems manager, user • All aspects of physical execution environment

  10. Overview • Motivation • Defining mobile agent trust • Defining trust-enhanced security • Defining application security models • Military model • Trade model • Neutral-services model • Questions

  11. Security Requirements + Mechanisms • Idea: • use stronger mechanisms for less trusted/unknown principals • weaker mechanisms for more trusted/known principals • Corollary: • application environment determines trust levels • trust levels dictate initial security requirements DETECTION PREVENTION Detection of violations alter trust Weaker/less reliable Easier to deploy/implement Trust remains constant Stronger/most reliable Harder to deploy/implement

  12. Execution Tracing (Vigna/Tan-Moreau) Security Requirements + Mechanisms Agent Non-repudiation Host Non-repudiation Agent Execution Integrity Agent State Integrity Agent Code Integrity DETECTION PREVENTION Detection of violations alter trust Weaker/less reliable Easier to deploy/implement Stronger/most reliable Harder to deploy/implement

  13. Execution Tracing (Tan-Moreau) Security Requirements + Mechanisms Agent Availability Host Availability DETECTION PREVENTION Detection of violations alter trust Weaker/less reliable Easier to deploy/implement Stronger/most reliable Harder to deploy/implement

  14. Formalizing Trust Relationships EHO EH AO A CD DH DHO EH EHO What does knowing the true identity of DH do for you?

  15. Defining Trust-Enhanced Security A • Actions decrease trust • Trust affects • Allowed security mechanisms • Itinerary • Policy • Code distribution EH A ? TH DH EH

  16. AO (DH) → EH Code privacy Code integrity State integrity State privacy Agent availability Agent anonymity Host authenticity Host non-repudiation EH → EH State integrity State privacy Host authenticity Host non-repudiation Host anonymity EH → AO (DH) Host data privacy Host anonymity Agent state authenticity Agent non-repudiation EH → A (CD) Agent code safety Host availability Host integrity Agent code authenticity Agent code integrity Requirements Among Principals

  17. Defining Trust-Enhanced Security • Trust in the Agent Life Cycle • Creation/Development: Binding trust to code developer • Ownership: Binding trust to application owner • Dispatching: Binding trust to dispatching host • Execution: Binding trust to prior hosts + dispatcher • Migration: Binding trust to next host • Termination: Binding trust of application result to entire set of execution hosts + network

  18. Defining Trust-Enhanced SecurityApplication Owners Acquire Trust Regarding Executing HostsExecutingHosts Acquire Trust Regarding Application Owners [DH] { PAST EH } [ CURRENT EH ] { FUTURE EH} [DH] Application 1 INITIAL TRUST TRUST ACQUISITION → FINAL TRUST [DH] { PAST EH } [ CURRENT EH ] { FUTURE EH} [DH] Application 2 INITIAL TRUST TRUST ACQUISITION → FINAL TRUST

  19. Defining Trust-Enhanced Security • Trust decisions for agent • Which security mechanism do I require? • Which hosts can I migrate too? • Which code parts can I distribute? • Trust decisions for host • Which security mechanism do I use? • Do I allow agent access to resource X? • Do I authorize agent to do Y? • Do I share my policy information?

  20. Defining Trust-Enhanced Security AO AO EH EH A A CD CD F = K L = ND T = S F = UK L = ND T = E Before migration? Decision is whether or not to MIGRATE to the host At host? Decision is whether or not to EXECUTE on host

  21. Defining Trust-Enhanced Security • Trusted Third Parties (Trusted Hosts) • Increase/decrease trust among one or more principles • Based on their services: • Allow hosts to trust agents more/less • Allow agents to trust hosts more/less • Allow hosts to trust other hosts more/less • May provide implementation or PART of a particular security mechanism

  22. Overview • Motivation • Defining mobile agent trust • Defining trust-enhanced security • Defining application security models • Military model • Trade model • Neutral-services model • Questions

  23. Defining Application Security Models • Essence of Military Model • “Maginot” line • Dispatching Hosts  Executing Hosts • Trusted Hosts ≠  • Only “known” principles allowed • Static (ordered/unordered) itineraries • “Centralized” management domain • Overarching management of code • Members of C (codebase) known a priori • Safety of C (codebase) evaluated a priori • Single and multiple agent applications

  24. Defining Application Security Models Military Model • HT = Highly trusted • T = Trusted • ND = Non-determined • U = Untrusted • HU = Highly untrusted • k = Known • uk = Unknown

  25. Defining Application Security Models • Variance of StrongMilitary Model • ALL execution hosts are equipped with tamper-proof hardware • Have equivalent trust levels as that of trusted host (highly trusted)

  26. Defining Application Security Models • Essence of Trade Model • E-commerce: buyers/sellers • Dispatching Hosts ∩Executing Hosts =  • Trusted Hosts =  • Unknown principles • Dynamic and static itineraries • Single agent applications • No infrastructure for code management • Members and safety of C (codebase) not known a priori

  27. Defining Application Security Models Trade Model • HT = Highly trusted • T = Trusted • ND = Non-determined • U = Untrusted • HU = Highly untrusted • k = Known • uk = Unknown

  28. Questions

  29. Defining Application Security Models • Essence of Neutral Services Model • Databases: One-of-many service providers • Dispatching Hosts ∩Executing Hosts =  • Trusted Hosts ≠ OR Trusted Hosts = • Communities of “unknown” principles with common trust levels • Static or dynamic itineraries • Single and multiple agent applications

  30. Defining Application Security Models Neutral Services Model • HT = Highly trusted • T = Trusted • ND = Non-determined • U = Untrusted • HU = Highly untrusted • k = Known • uk = Unknown

  31. Related Works • Trust: Distributed, Decentralized, Ad-hoc • Gambetta (1990) • Yahalom, Klein, Beth (1993) • Rasmusson and Jansson (1996) • Blaze, Feigenbaum, Lacy (1996) • Grandison and Sloman (2000) – Survey • Kagal et al. (2001) • Cahill et al. (2003) • Capra (2004) • Burmester and Yasinsac (2004)

  32. Related Works • General mobile agent security • McDonald, Yasinsac, Thompson (2005) • Claessens, Preneel, Vandewalle (2003) • Bierman and Cloete (2002) • Jansen & Karygiannis (2000) • Chess (1998) • Mobile agent security and trust • Tripathi, Ahmed, Karnik (2001) • Tan and Moreau (2001) • Robles & Borrell (2002) • Patrick (2002) • Lin et al. (2004)

  33. Formalizing Trust Relationships • Trust notions: • peer / collaborative / trusted / honest • competitive / malicious / adversarial • neutral • not trusted • but not dishonest

  34. Formalizing Trust Levels • Trust notions • Unidirectional: The trust one way is not necessarily the corresponding trust the other way • Limited: Specific only to a given security objective (you could be trustworthy in one respect but not another) • Specific: Trust can encompass entire sets of agents/hosts or deal with specific hosts and specific agents and specific people • Goal: Given initial trust relationships, derive new ones according to rules

  35. Formalizing Trust Relationships • Initial Assumptions for Principles • 1..* Agents (A) ≈ Code Developer (CD) • 1 Dispatching Host (DH) ≈ Application Owner (AO) • Servers ≈ Server Owner/Manager • Agents are uniquely identifiable

  36. The Trust Algorithm AO A Before migration? Decision is whether or not to migrate TO the host At host? Decision is whether or not to execute ON host EH EH F = K L = ND T = S

  37. The Trust Algorithm A Before migration? Decision is whether or not to migrate TO the host At host? Decision is whether or not to execute ON host EH DH F = K L = ND T = S TRUST TUPLES

  38. The Trust Algorithm A Before migration? Decision is whether or not to migrate TO the host At host? Decision is whether or not to execute ON host DH TH TRUST TUPLES

  39. The Trust Algorithm A Before migration? Decision is whether or not to migrate TO the host At host? Decision is whether or not to execute ON host TH TH TRUST TUPLES

  40. The Trust Algorithm A Before migration? Decision is whether or not to migrate TO the host At host? Decision is whether or not to execute ON host TH EH TRUST TUPLES

  41. The Trust Algorithm A Before migration? Decision is whether or not to migrate TO the host At host? Decision is whether or not to execute ON host EH TH TRUST TUPLES

  42. The Trust Algorithm A Before migration? Decision is whether or not to migrate TO the host At host? Decision is whether or not to execute ON host EH DH TRUST TUPLES

  43. Formalizing Trust Relationships [Principle] [Trust Level] → [Foreknowledge] [Principle] [Timeliness] with (O) • P = { p1, p2 }: p1, p2  { DH | EH | TH | A } • F = { K | UK } • K = known, UK = unknown • Associate? Acquaintance? Third-hand? • TL = { HT | T | UK | U | HU } • HT = Highly trusted • T = Trusted • UK = Unknown • U = Untrusted • HU = highly untrusted • O: Security Objective • Set of 1 or more?

  44. Defining Mobile Agent Trust • Trustworthiness of the agent code might be expressed in terms of three requirements: • Authentication of the code’s designer and the code’s identity • Integrity verification that code received is the same as code transmitted by an application owner • Probabilistic proofs that code meets some predefined security policy or safety requirements

  45. Defining Mobile Agent Trust EHO EH AO A CD DH DHO EH EHO

  46. Requirements Among Principals • EH → AO (DH) • Host data privacy • Host anonymity • Agent state authenticity • Agent non-repudiation

  47. Requirements Among Principals • EH → A (CD) • Agent code safety • Host availability • Host integrity • Agent code authenticity • Agent code integrity

  48. Requirements Among Principals • EH → EH • State integrity • State privacy • Host authenticity • Host non-repudiation • Host anonymity

  49. Defining Mobile Agent Trust • Hosts and Agents • ax→ EH[i] • EH[i] → ax • ax→ TH[i] • TH[i] → ax • DH → ax • ax → DH • ax→ ay

  50. Defining Mobile Agent Trust • People to Hosts/Agents • AO → CD • AO → DH • AO → EH[i] • CD → AO • CD → DH • CD → EH[i] • DH → CD • DH → AO • EH[i]→ CD • EH[i]→ AO Application Owner = AO; Code Developer = CD

More Related