Survivability of Mobile Code

Land Warfare Requirements for IMPACT Agent Systems
IMPACT Symposium -12 August 1999
University of Maryland at College Park
LTC Paul Walczak
U.S. Army Research Lab
(301) 394-3862 DSN 290
pwalczak@arl.mil
Outline
• Our definitions...
• Why ARL is pursuing agent technology
• INFOSURV perspective
• Agent system survivability/security
• Insight for resolving security concerns
• Agent-based security/survivability
• Mobile code is a program that traverses a network during its lifetime and executes at the destination machine(s).
• IMPACT: a software agent is a program that can:
– specify what services it provides
– specify the input it requires from customers
– specify its service customers and the terms/conditions of use
– specify when and how it uses services from other agents
– understand specifications provided by other agents
• A mobile software agent is a program that can specify its services, service inputs and conditions, and accepted customers, and can negotiate services provided by other agents, while executing on target hosts across a network.
Global Perspective / Impetus
• As processes become increasingly distributed, yet interdependent, mobile code will play an increasingly important role in coordinating and controlling events that lead to desired outcomes.
Warfare Systems
• Control of disparate systems and devices
• Data manipulation
• Composed Trustworthiness
– Security (policy, IDR, prevent agents)*
– Reliability
– Performance
Hierarchy of Survivability Requirements
[Figure: tree diagram of the survivability requirements hierarchy; only the node labels and legend survive extraction.]
• Survivability: an overarching requirement, a collection of emergent properties
• Major subrequirements: Security, Reliability, Performance
• Subtended requirements: Integrity, Confidentiality, Availability; FT (fault tolerance), failure modes, Availability; RT (real-time), NRT (non-real-time), Priorities
• More detailed requirements: MLI, No change, MLS, Discretionary, MLA, No change, Unified availability requirements (Sys, Data)
• Legend: X = shared components of MLX; * = reconvergence of availability; # = reconvergence of data integrity
Survivability Relationships Implicit in Mobile Software Systems
• Survivability of the Host
– Protection of hosts from foreign code
– Protection of hosts from malicious agents
• Survivability of the Agent
– Protection of agents from malicious hosts
– Protection against malicious agentization
– Protection of agents from other agents
– Agent privacy
• Survivability of the Network
– Agent termination
– Protection of a group of hosts from malicious agents
– Agent-based countermeasures to security risks
Violated Security Assumptions
*CHESS
• Identity assumption
• Identifiable and generally trusted sources
• "Do no harm": use with the intent of accomplishing authorized results
• One security domain corresponding to each user
• Administrative boundaries
• Program runs entirely on one machine
*Chess, David M., "Security in Mobile Code Systems," in G. Vigna (Ed.), Mobile Agents and Security, Springer, 1998.
Challenges for Mobile Code Security
*CHESS
• Determining the originator of incoming code
• Deciding the trustworthiness of the code's originator
• Deciding how much to trust the originator if it is foreign
• Protecting systems x-scale against malicious programs
• Preventing uncontrolled replication of mobile code objects
• Protecting mobile programs themselves
• Authentication in mobile code systems
*Chess, David M., "Security in Mobile Code Systems," in G. Vigna (Ed.), Mobile Agents and Security, Springer, 1998.
Meeting Security Challenges for Mobile Code Systems
*Neumann
• controls to prevent unanticipated effects
• repeated re-authentication, validation
• revocation or cache deletion as needed
*Neumann, Peter G., "Practical Architectures for Survivable Systems and Networks," Army Research Lab Contract DAKF11-97-C0200, 1999.
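The host-side admission gate implied by Chess's challenges (identify the originator, decide how far to trust a foreign one, cap replication) and by Neumann's controls (re-authentication at every hop, revocation), as an added Python example that is not part of the original presentation or of the IMPACT system. The originator registry, keys, host names and manifest layout are constructed for illustration, and HMAC over shared keys stands in for the public-key signatures a deployment would use.

```python
import hashlib
import hmac
import json

# Constructed registry of known originators: id -> (MAC key, trust class).
# Names and keys are hypothetical; a real deployment would hold per-originator
# public keys from a PKI rather than shared secrets.
ORIGINATORS = {
    "arl-ops": (b"constructed-key-arl", "trusted"),
    "coalition-x": (b"constructed-key-coalition", "foreign"),
}


def sign_agent(originator: str, code: bytes, max_hops: int) -> dict:
    """Originator binds its identity, the code hash and a hop budget into a MAC'd manifest."""
    key, _ = ORIGINATORS[originator]
    manifest = {"originator": originator,
                "code_hash": hashlib.sha256(code).hexdigest(),
                "max_hops": max_hops}
    body = json.dumps(manifest, sort_keys=True).encode()
    manifest["mac"] = hmac.new(key, body, hashlib.sha256).hexdigest()
    manifest["itinerary"] = []  # hosts visited so far, appended (unsigned) at each hop
    return manifest


def admit_agent(host: str, manifest: dict, code: bytes, revoked: set) -> str:
    """Host-side gate run at every hop: identify the originator, re-authenticate the manifest,
    confirm the code is intact, honour revocation, cap replication, then grant privileges
    according to the originator's trust class."""
    originator = manifest.get("originator")
    if originator not in ORIGINATORS:
        return "reject: unknown originator"
    key, trust = ORIGINATORS[originator]
    # Re-authenticate on arrival instead of trusting the previous host's verdict.
    signed = {k: manifest.get(k) for k in ("originator", "code_hash", "max_hops")}
    expected = hmac.new(key, json.dumps(signed, sort_keys=True).encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest.get("mac", "")):
        return "reject: manifest fails authentication"
    if hashlib.sha256(code).hexdigest() != manifest["code_hash"]:
        return "reject: code differs from manifest"
    if originator in revoked:
        return "reject: originator revoked"
    # The itinerary is outside the MAC, so this is a brake on runaway or buggy replication,
    # not a defence against a host that forges it; countersigning each hop would close that gap.
    itinerary = manifest.setdefault("itinerary", [])
    if len(itinerary) >= manifest["max_hops"]:
        return "reject: hop budget exhausted"
    itinerary.append(host)
    # A foreign originator is admitted only with restricted privileges.
    return "admit: full" if trust == "trusted" else "admit: sandboxed"
```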
Requisite Agent System Security Services
*IMPACT
• Authentication of agents
• Network security services to secure agent communications
• Agent Privacy
*Data-Security in Heterogeneous Agent Systems, VS et al, 14 Feb 1998
Current Agent-based Approaches for IA
• Vulnerability Assessment (ARL)
• Intrusion Detection (many)
• Active, Intelligent Networks (NSA, DARPA, Telcordia...)
Conclusion
• composable architectures
• configuration management
• middleware
• practical education
• DC Agent SIG