extend the trusted environment of an agent’s home
host to other hosts. The user may digitally sign an
agent on its home host before it moves onto a second
platform, but this resembles a limited protection.
The next host receiving the agent can rely on this
signature to verify the source and integrity of the
agent’s code, data, and state information provided
that the private key of the user has not been
compromised. For some applications, such minimal
protection may be adequate through which agents do
not accumulate state. For other applications, these
simple schemes may prove inadequate. For example;
the Jumping Beans agent system addresses some
security issues by implementing a client- server
architecture, whereby an agent always returns to a
secure central host first before moving to any other
platform (Ad Astra 1998, Negm 2003, and Negm
2004).
Some other category of attacks on the agent
involves tampering by its executing visited hosts.
As such, if that server is corrupted or becomes
malicious, the agent's state is vulnerable to
modification (Farmer 1996). Although a lot of
research has been done in this area, one of the
remaining problems is the presence of a nontrusted
malicious host that attacks mobile agents, for
example; a travel agency’s agent system might
modify the best offer the agent has collected, so that
its own offer appears to be the cheapest one. Also,
the travel agency might change the list of travel
agencies that the agent is going to visit to increase
its chances to propose a better offer and/or get the
prices of other travel agencies before making its
offer to the agent. All of these attacks involve
eavesdropping and tampering and yet all the
published schemes represent a simple mechanism of
protection that can not guarantee secure transactions
for the agents.
3 PROTECTION MECHANISM
AND ITS IMPLEMENTATION
Several In the current research we implement a
mechanism by which tampering of sensitive parts of
the state can be detected, stopped, and reported to
the Master Agent (MA). The framework is
composed of different modules.
First the initialization module, this module
includes two coordinating entities MA and Slave
Agents (SAs). The user resides on its own platform
and/or on a server to create the MA acquiring only
that MA must exclusively reside on a secure trusted
host. Then the MA creates SAs on another host (or
the same MA host) in which being created on a
secure host is not a must. Next MA defines tasks
and subtasks to the SAs to achieve based on the user
preferences. Then the SAs move from host to host
to finish the tasks (and/or subtasks) given from the
MA (that includes a central knowledge-base and a
central management components.).
The second module is the Constraints Module
that contains conditions and rules for each agent to
follow. This module presents the first line of
defense in which the characteristic details and
operational parameters of the visited host are listed.
The third Module is the Encryption Module,
presenting the second line of defense to afford the
security for the agents’ states. The encryption
module contains two parts. The startup part, allows
the user to declare which part of the agent as a read-
only in which any tampering with the read-only
objects can be detected. The second part is a secure
storage container, that allows the agent to create an
append-only container by which the agent can check
in data (when executed) and store it in the container,
so no one can delete or modify it without detection.
3.1 The Initialization Module
The concept of MA-SA was first introduced by
Buschmann in 1996 to support fault tolerance,
parallel computation and computational accuracy
(Buschmann 1996). Also Lange demonstrated in
1997 that it is also applicable to support tasks at
remote destinations and extended it to fit mobile
agents (White 1997). The MA-SA concept is
interacting as follows: the MA creates SAs, then the
master delegates the subtasks to the SAs, and finally
after the slaves have returned the results, the master
combines the results. The master can assign more
than one task at a time and the slaves can execute
them concurrently. A major benefit of this
abstraction is the exchangeability and the
extensibility in which decoupling the SA from the
MA and creating an abstract slave class allows to
exchange the slaves’ implementation without
changes in the master’s code.
Depending on the MA-SA concept, we built up a
system to facilitate a solution to the mobile agent
security problem. To achieve this, confidential data
is contained in a secure place that is the MA host (or
heavily protected if carried by the SAs). Then the
SA must carry essential data to fulfill the task
assigned by the MA (Tripathi 1999).
Tables 1 and 2 present the two listings of the
pseudo code implementation of MA and SA. First,
the doTask() method is called so the MA moves to
the first host where it uses its strategies to split the
tasks into subtasks. Then the MA assigns subtasks
to the SAs. Afterwards it waits for the results which
will be returned by the SAs.
WEBIST 2005 - WEB SECURITY
390