Trust Management for Mobile Agents


William M. Farmer, Joshua D. Guttman, and Vipin Swarup
Affiliation: MITRE
Abstract: Currently, distributed systems employ models in which processes are statically attached to hosts. Threats, vulnerabilities, and countermeasures for these systems have been studied extensively and sophisticated security architectures have been designed. Mobile agent technology extends this model by including mobile processes, i.e., processes which can autonomously migrate to new hosts. Although numerous benefits are expected, this extension results in new security threats from malicious agents and hosts [1]. A primary added complication is this: As an agent traverses multiple machines that are trusted to different degrees, its state can change in ways that adversely impact its functionality.

We are developing a mobile agent security architecture [2] that extends an existing distributed system security architecture with special mechanisms that provide security in the presence of migrating stateful agents. The basic principals of this architecture are authors of programs, the programs themselves, senders of agents, the agents themselves, and interpreters that execute agents. Crucial events in an agent's life are the creation of the underlying program, creation of the agent, migration of the agent to a new execution site, remote procedure calls, and termination of the agent. These events cause complex trust relationships between principals, e.g., the trust placed by authors and senders in agents, the trust placed by an agent in the interpreters that execute it, and the trust placed by an interpreter in the agents it is executing. When an agent requests an operation on a resource, the interpreter uses its access rules and these trust relationships to derive authorization for the request.

We have used the theory of authentication of Lampson et al. [3] to formalize the trust relationships in a generic mobile agent system and are designing our security architecture based on this work. For instance, a fundamental invariant in our system is that an interpreter "speaks for" the agents it is executing. Thus an agent must trust the interpreters that execute it. Trust is managed by controlling the principals under which the agent executes as it migrates between interpreters. Agent creation and migration can use either handoff or delegation semantics, and the protocols ensure that the above invariant is maintained.

A novel aspect of our architecture is a "state appraisal" mechanism that protects against attacks via agent state modification and that enables an agent's privilege to be dependent on its current state. Checking the integrity of an agent's state is difficult since the state can change during execution and hence cannot be signed. Our agents carry a state appraisal function that checks whether the agent's state meets expected state invariants; the function returns a set of permits based on the agent's current state.
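The following toy model illustrates the state appraisal idea from the paragraph above and the authorization derivation sketched earlier (access rules combined with trust in the program's author). It is example code written for this page, not the authors' implementation: the signature is simulated with an HMAC under a constructed key, the "cybercop" appraisal function and its two invariants (hop counter consistent with the itinerary, no host visited twice) are invented for the illustration, and the state fields and access rules are assumptions. The immutable part of the agent (program identity plus appraisal function) is signed; the mutable state is not, so the interpreter re-runs the appraisal over the current state to learn which permits that state justifies.

```python
"""Toy model of state appraisal for mobile agents (constructed example)."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable

# Constructed key standing in for the author's signing key (HMAC stands in
# for a real public-key signature in this illustration).
AUTHOR_KEY = b"constructed-author-key-for-alice"

Permits = frozenset[str]


def sign(message: bytes) -> str:
    return hmac.new(AUTHOR_KEY, message, hashlib.sha256).hexdigest()


def verify(message: bytes, signature: str) -> bool:
    return hmac.compare_digest(sign(message), signature)


@dataclass(frozen=True)
class Program:
    """Immutable part of an agent: signed once by its author."""
    author: str
    code_id: str
    appraise: Callable[[dict], Permits]   # the state appraisal function travels with the program
    signature: str


def static_bytes(author: str, code_id: str, appraise: Callable) -> bytes:
    # In a real system the signature would cover the code itself; here it covers
    # the author, the program id and the appraisal function's name (assumption).
    return f"{author}|{code_id}|{appraise.__name__}".encode()


def make_program(author: str, code_id: str, appraise: Callable[[dict], Permits]) -> Program:
    return Program(author, code_id, appraise, sign(static_bytes(author, code_id, appraise)))


@dataclass
class Agent:
    program: Program
    sender: str
    state: dict          # mutable: changes at every host, so it cannot be signed


MAX_HOPS = 5   # hypothetical policy parameter baked into the appraisal function


def appraise_cybercop(state: dict) -> Permits:
    """Hypothetical appraisal function: permits are a function of the current state."""
    itinerary = state.get("itinerary", [])
    # Invariant 1: the hop counter must agree with the recorded itinerary.
    if state.get("hops") != len(itinerary):
        return frozenset()            # inconsistent state: grant nothing at all
    # Invariant 2: no host appears twice (a replayed or looped agent is suspect).
    if len(set(itinerary)) != len(itinerary):
        return frozenset()
    permits = {"read_logs"}
    if state["hops"] < MAX_HOPS:      # still within its travel budget
        permits.add("migrate")
    if state.get("alerts", 0) > 0:    # only an agent that found something may report
        permits.add("write_report")
    return frozenset(permits)


@dataclass
class Interpreter:
    host: str
    trusted_authors: frozenset
    access_rules: dict                # operation -> permit the interpreter requires for it

    def authorize(self, agent: Agent, operation: str) -> bool:
        prog = agent.program
        if prog.author not in self.trusted_authors:
            return False              # trust relationship: author must be known
        if not verify(static_bytes(prog.author, prog.code_id, prog.appraise), prog.signature):
            return False              # immutable part was altered in transit
        needed = self.access_rules.get(operation)
        if needed is None:
            return False              # no access rule: deny by default
        return needed in prog.appraise(agent.state)   # permits derived from current state


def run_scenarios() -> dict:
    """Constructed scenarios; returns operation -> authorization decision."""
    program = make_program("alice", "cybercop-v1", appraise_cybercop)
    interp = Interpreter("host-b", frozenset({"alice"}),
                         {"logs:read": "read_logs", "agent:migrate": "migrate",
                          "report:write": "write_report"})
    healthy = Agent(program, "bob", {"hops": 2, "itinerary": ["host-a", "host-b"], "alerts": 1})
    # A malicious host reset the hop counter but could not rewrite the itinerary consistently.
    tampered = Agent(program, "bob", {"hops": 0, "itinerary": ["host-a", "host-b"], "alerts": 1})
    exhausted = Agent(program, "bob", {"hops": 5, "itinerary": [f"host-{i}" for i in range(5)], "alerts": 0})
    # Same signature but a different program id: the immutable part no longer verifies.
    altered = Agent(Program("alice", "cybercop-v2", appraise_cybercop, program.signature), "bob", healthy.state)
    return {
        "healthy_reads_logs": interp.authorize(healthy, "logs:read"),
        "healthy_migrates": interp.authorize(healthy, "agent:migrate"),
        "tampered_reads_logs": interp.authorize(tampered, "logs:read"),
        "exhausted_reads_logs": interp.authorize(exhausted, "logs:read"),
        "exhausted_migrates": interp.authorize(exhausted, "agent:migrate"),
        "altered_program_reads_logs": interp.authorize(altered, "logs:read"),
    }


if __name__ == "__main__":
    for name, decision in run_scenarios().items():
        print(f"{name}: {'allow' if decision else 'deny'}")
```

The point the scenarios make is the one the paragraph above states: the signature protects only the static part, while the permits an agent actually holds are recomputed from its current state at each interpreter, so a state modification that breaks an invariant costs the agent its privileges rather than going unnoticed.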

Our emphasis is on agents written by known software developers and our architecture seeks to protect mobile agent applications, their users, and the hosts that support them. As a concrete application of our techniques, we are securing an intrusion protection system that we are implementing using mobile agents ("cybercops").

[1] "Security for Mobile Agents: Issues and Requirements", William M. Farmer, Joshua D. Guttman, and Vipin Swarup; To appear in the Proceedings of the National Information Systems Security Conference (NISSC), October 1996.

[2] "Security for Mobile Agents: Authentication and State Appraisal", William M. Farmer, Joshua D. Guttman, and Vipin Swarup; To appear in the Proceedings of the European Symposium on Research in Computer Security (ESORICS), September 1996.

[3] "Authentication in Distributed Systems: Theory and Practice", Butler Lampson, Martin Abadi, Michael Burrows, and Edward Wobber; ACM Transactions on Computer Systems, 10(4), pp. 265-310, Nov 1992.

For more information, contact swarup@mitre.org.