Survivability of Mobile Code
Land Warfare Requirements for IMPACT Agent Systems

IMPACT Symposium - 12 August 1999
University of Maryland at College Park

LTC Paul Walczak
U.S. Army Research Lab
(301) 394-3862 DSN 290
pwalczak@arl.mil

Outline
• Our definitions...
• Why ARL is pursuing agent technology
• INFOSURV perspective
• Agent system survivability/security
• Insight for resolving security concerns
• Agent-based security/survivability

• Mobile code is a program that traverses a network during its lifetime and executes at the destination machine(s).
• IMPACT: a software agent is a program that can:
  – specify what services it provides
  – specify required input from customers
  – specify service customers and use terms/conditions
  – specify when and how it uses services from other agents
  – understand specifications provided by other agents
• A mobile software agent is a program that can specify its services, service inputs and conditions, and accepted customers, and can negotiate services provided by other agents, while executing on target hosts across a network.

Global Perspective / Impetus
• As processes become increasingly distributed, yet interdependent, mobile code will play an increasingly important role in coordinating and controlling events that lead to desired outcomes.

Warfare Systems
• Control of disparate systems and devices
• Data manipulation
• Composed Trustworthiness
  – Security (policy, IDR, prevent agents)*
  – Reliability
  – Performance

[Figure: Hierarchy of Survivability Requirements. Tree diagram with Survivability at the root (an overarching requirement: a collection of emergent properties). Major subrequirements: Security, Reliability, Performance. Subtended requirements: integrity, confidentiality, availability, FT, fail modes, RT, NRT, priorities. More detailed requirements: MLI, MLS, MLA, discretionary, no change, Sys, Data, unified availability requirements. Legend: FT = fault tolerance; RT = real-time; NRT = non-real-time; X = shared components of MLX; * = reconvergence of availability; # = reconvergence of data integrity.]

Survivability Relationships Implicit in Mobile Software Systems
• Survivability of the Host
  – Protection for hosts from foreign code
  – Protection of hosts from malicious agents
• Survivability of the Agent
  – Protection of agents from malicious hosts
  – Protection against malicious agentization
  – Protection of agents from other agents
  – Agent privacy
• Survivability of the Network
  – Agent termination
  – Protection of a group of hosts from malicious agents
  – Agent based countermeasures to security risks

Violated Security Assumptions *CHESS
• Identity Assumption
• Identifiable and generally trusted sources
• “do no harm” - use with the intent of accomplishing authorized results
• one security domain corresponding to each user
• administrative boundaries
• program runs entirely on one machine

*Chess, David M., "Security in Mobile Code Systems," in G. Vigna (Ed.), Mobile Agents and Security, Springer, 1998.

Challenges for Mobile Code Security *CHESS
• Determining originator of incoming code
• Deciding trustworthiness of code’s originator
• Deciding how much to trust originator if it is foreign
• Protecting systems x-scale against malicious programs
• Preventing uncontrolled replication of mobile code objects
• Protecting mobile programs themselves
• Authentication in mobile code systems

*Chess, David M., "Security in Mobile Code Systems," in G. Vigna (Ed.), Mobile Agents and Security, Springer, 1998.

Meeting Security Challenges for Mobile Code Systems *Neumann
• controls to prevent unanticipated effects
• repeated re-authentication, validation
• revocation or cache deletion as needed

*Neumann, Peter G., "Practical Architectures for Survivable Systems and Networks," Army Research Lab Contract DAKF11-97-C0200, 1999.

Requisite Agent System Security Services *IMPACT
• Authentication of agents
• Network security services to ensure agent communications
• Agent Privacy

*Data-Security in Heterogeneous Agent Systems, VS et al, 14 Feb 1998

Current Agent-based Approaches for IA
• Vulnerability Assessment (ARL)
• Intrusion Detection (many)
• Active, Intelligent Networks (NSA, DARPA, Telcordia...)

Conclusion
• composable architectures
• configuration management
• middleware
• practical education
• DC Agent SIG