The Mobile Code Paradigm and Its Security Issues
Anthony Chan, September 13, 1999

Presentation Outline
  • Drawbacks of client/server paradigm
  • Classification of mobile code paradigm
  • Mobile code applications and technologies
  • Security concerns of mobile code paradigm
  • Attack model of malicious hosts against mobile agents
  • Conclusion
Client/Server Paradigm
  • The most common paradigm used for distributed application design
  • Two problems:
    • high network bandwidth requirement (a large number of message transfers)
    • requirement for user/computer interactivity (the client must stay connected and engaged for the whole exchange)
  • Mobile code emerges as a more efficient alternative
Classification of Mobile Code

Ghezzi and Vigna’s classification of mobile code paradigms (table not reproduced in the transcript): the paradigms are distinguished by where the know-how (code), the resources (data) and the computational component sit before and after the interaction, giving client/server, remote evaluation (REV), code on demand (COD) and mobile agents.

Mobile Code Applications
  • Examples of mobile code systems:
    • remote evaluation: rsh utility, SQL queries
    • code on demand: Java applets
    • mobile agents:
      • not common yet, but many mobile agent platforms are being developed worldwide (e.g., Aglets from IBM, Concordia from Mitsubishi)
  • Hurdle: SECURITY
Security Concerns of Mobile Code
  • A basic requirement:
    • an application developed using the mobile code paradigm must be able to be made as secure as the same application developed using the client/server paradigm
    • otherwise mobile code could not be used for security-critical applications, which are very common
Security Attacks
  • Actions that compromise the security requirements of an application
  • Attacks on client/server: masquerading, forging, etc.
  • Additional attacks on remote evaluation/code on demand: Trojan horses (downloaded code that does more than what it is presented as doing)
  • Additional attacks on mobile agents: agent tampering (data/execution)
Security Mechanisms
  • Mechanisms designed to prevent, detect or recover from security attacks
  • Security mechanisms for client/server:
    • Kerberos, Secure Sockets Layer (SSL), etc.
    • very well established
  • Security mechanisms for REV/COD:
    • sandboxing and code verification (check the code before it runs, then run it with restricted access)
  • Security mechanisms for mobile agents:
    • not established at all
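As an added illustration of the two REV/COD mechanisms named above (code verification and sandboxing) and of the Trojan-horse attack they are meant to stop, the following Python model is not from the presentation. It assumes a publisher key shared with the loader (an HMAC stands in for the publisher's public-key signature), an allowlist of host functions the downloaded code may call, and constructed sample code; the AST walk models a verifier's static check and the restricted exec namespace models the sandbox, and neither is a hardened isolation boundary.

```python
import ast
import hashlib
import hmac

# Added example (not the presentation's code). Models a code-on-demand loader:
# 1. code verification: check the code's origin and statically check it against
#    a policy before it is ever executed;
# 2. sandboxing: execute it with only an allowlisted host API in scope.
# PUBLISHER_KEY, ALLOWED_CALLS and the sample code below are constructed assumptions.

PUBLISHER_KEY = b"constructed-demo-key"   # assumption: HMAC stands in for a publisher signature
ALLOWED_CALLS = {"len", "sum", "min", "max", "sorted", "lookup"}   # host API the code may use


def sign(code: bytes) -> str:
    """Publisher side: sign the SHA-256 digest of the code that is shipped."""
    return hmac.new(PUBLISHER_KEY, hashlib.sha256(code).digest(), "sha256").hexdigest()


def verify_origin(code: bytes, signature: str) -> bool:
    """Loader side: reject code whose signature does not match (constant-time compare)."""
    return hmac.compare_digest(sign(code), signature)


def verify_code(src: str) -> list:
    """Static policy check in the spirit of a bytecode verifier: return the violations found."""
    violations = []
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, (ast.Import, ast.ImportFrom)):
            violations.append("import statement")
        elif isinstance(node, ast.Attribute) and node.attr.startswith("__"):
            violations.append("dunder attribute " + node.attr)   # blocks __class__/__subclasses__ walks
        elif isinstance(node, ast.Call) and isinstance(node.func, ast.Name) \
                and node.func.id not in ALLOWED_CALLS:
            violations.append("call to " + node.func.id)
    return violations


def run_mobile_code(code: bytes, signature: str, records: dict):
    """Verify origin and policy, then run the code in a namespace exposing only the host API."""
    if not verify_origin(code, signature):
        raise PermissionError("origin check failed: bad signature")
    src = code.decode()
    violations = verify_code(src)
    if violations:
        raise PermissionError("verification failed: " + ", ".join(violations))
    sandbox = {"__builtins__": {}, "lookup": records.get,
               "len": len, "sum": sum, "min": min, "max": max, "sorted": sorted}
    exec(src, sandbox)            # the code must leave its answer in `result`
    return sandbox["result"]


# Constructed sample: a host database and two pieces of downloaded code.
RECORDS = {"flights": [750, 690, 810]}
GOOD_CODE = b"result = min(lookup('flights'))"
# A Trojan horse: does the same lookup but also tries to read a local file.
TROJAN_CODE = b"result = min(lookup('flights'))\nopen('/etc/passwd').read()"


def demo() -> dict:
    out = {"good": run_mobile_code(GOOD_CODE, sign(GOOD_CODE), RECORDS)}
    try:
        run_mobile_code(TROJAN_CODE, sign(TROJAN_CODE), RECORDS)
    except PermissionError as e:
        out["trojan"] = str(e)
    try:  # code that differs from what the publisher actually signed
        run_mobile_code(TROJAN_CODE, sign(GOOD_CODE), RECORDS)
    except PermissionError as e:
        out["forged"] = str(e)
    return out


if __name__ == "__main__":
    print(demo())
```

The signed code runs and returns 690; the Trojan is rejected by the static check before a single statement executes, and code whose signature does not match is rejected even earlier. The order matters: origin first (so an attacker cannot feed the verifier attacker-chosen input), policy second, execution last. A CPython exec namespace is not an isolation boundary (string-formatting and similar tricks reach interpreter internals through allowed objects), which is why real code-on-demand systems rely on a verifier and runtime designed for the purpose, such as the JVM bytecode verifier behind the applets named on the slide.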
Attack model of malicious hosts against mobile agents

Model proposed by Fritz Hohl:

  • Attack scenarios that can be described:
    • spy out and modify the whole data part of an agent
    • spy out and modify the code part of an agent
    • manipulate the code execution sequence of an agent
    • manipulate the execution environment of an agent

[Figure: the malicious host reads and manipulates the agent's environment (including other agents on the host), reads and manipulates the agent's properties, and controls its execution; the agent can only reach the host through system calls.]

A mobile agent application

[Figure: A Traveling Information Agent system]
  • CLIENT: Handheld PC (running Windows CE). The system analyzes the user's request and asks the server for data.
  • Proxy Server: gets the request from the client and sends agents over the network to the database servers.
  • SERVER: Databases (Oracle server). The agents get the appropriate data there and bring it back over the network to the proxy server.


Attacks on the sample agents
  • Possible attacks on the system described:
    • a malicious host may spy out and modify the data collected by the agent, so that false information is reported to the user
    • a malicious host may spy out the code of the agent, and thereby learn what information this particular user is interested in
    • a malicious host may manipulate the execution sequence of the agent, and make the agent request information on the host's behalf illegitimately
    • a malicious host may manipulate the information obtained from the databases, and report false information to the agent
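To make Hohl's four attack scenarios and the four attacks on the sample agents concrete, here is an added Python model (not the presentation's code) of the Traveling Information Agent traversing two database hosts, one of which is malicious. The host names, the itinerary and the database records are constructed; the agent carries a SHA-256 digest of its data part as the kind of self-check one might be tempted to add, and the example shows why it does not help: the host executes the agent, so it reads the agent's code and recomputes the check after tampering.

```python
import hashlib
import json

# Added example (not the presentation's code). A toy Traveling Information Agent
# visiting database hosts; one host mounts the four attacks from the slides.
# Host names, itinerary and database contents are constructed sample data.


def digest(agent: dict) -> str:
    """Integrity check the agent carries over its own data part.
    Every host runs the agent, so every host can read this code and recompute it."""
    return hashlib.sha256(json.dumps(agent["data"], sort_keys=True).encode()).hexdigest()


def new_agent(interest: str, itinerary: list) -> dict:
    # code part: what the agent wants and how much it may ask; data part: what it collected
    agent = {"code": {"interest": interest, "max_requests": 1},
             "itinerary": itinerary, "data": [], "digest": ""}
    agent["digest"] = digest(agent)
    return agent


# Constructed database contents of two sample hosts: (item, price).
DATABASES = {
    "db1.example": {"flights": [("HKG-SFO", 750)], "hotels": [("Bay Inn", 120)]},
    "db2.example": {"flights": [("HKG-SFO", 690)], "hotels": [("Harbor Hotel", 95)]},
}


def run_on_host(agent: dict, host: str, database: dict) -> dict:
    """Honest host: executes the agent's code as written, one lookup per allowed request."""
    for _ in range(agent["code"]["max_requests"]):
        agent["data"].append({"host": host,
                              "records": list(database[agent["code"]["interest"]])})
    agent["digest"] = digest(agent)
    return agent


def run_on_malicious_host(agent: dict, host: str, database: dict, spy_log: list) -> dict:
    """Malicious host: the agent is just data in its memory, so it can do all of the following."""
    # (2) spy out the code part: learn what this user is interested in
    spy_log.append(("interest", agent["code"]["interest"]))
    # (1) spy out and modify the data part: inflate the prices collected on earlier hosts
    for entry in agent["data"]:
        entry["records"] = [(name, price + 500) for name, price in entry["records"]]
    # (3) manipulate the execution sequence: make the agent request more than its code allows
    agent["code"]["max_requests"] = 2
    # (4) feed the agent false information in place of the real database contents
    false_db = {table: [(name, 9999) for name, _ in rows] for table, rows in database.items()}
    agent = run_on_host(agent, host, false_db)   # recomputes the digest over the tampered data
    spy_log.append(("requests served", agent["code"]["max_requests"]))
    return agent


def travel(interest: str, itinerary: list, malicious=(), spy_log=None) -> dict:
    """Send the agent from the proxy along its itinerary and return it."""
    spy_log = [] if spy_log is None else spy_log
    agent = new_agent(interest, itinerary)
    for host in itinerary:
        if host in malicious:
            agent = run_on_malicious_host(agent, host, DATABASES[host], spy_log)
        else:
            agent = run_on_host(agent, host, DATABASES[host])
    return agent


def proxy_verify(agent: dict) -> bool:
    """Proxy's check when the agent returns: does the carried digest match its data part?"""
    return agent["digest"] == digest(agent)


def cheapest(agent: dict) -> int:
    """What the user is told: the lowest price the agent brought back."""
    return min(price for entry in agent["data"] for _, price in entry["records"])


if __name__ == "__main__":
    honest = travel("flights", ["db1.example", "db2.example"])
    log = []
    attacked = travel("flights", ["db1.example", "db2.example"],
                      malicious={"db2.example"}, spy_log=log)
    print("honest  :", cheapest(honest), proxy_verify(honest))
    print("attacked:", cheapest(attacked), proxy_verify(attacked), log)
```

With both hosts honest the user is told 690 and the proxy's check passes. With db2.example malicious the user is told 1250 (db1's real 690 offer never reaches them, db1's 750 has been inflated, and db2's own answer is a fabricated 9999 served twice), the host has learned the user's interest, and the proxy's check still passes because the host recomputed the digest. That is Hohl's point: any check the agent carries is computable by the host that runs it, so detection needs something the host does not control, and even per-host signing of partial results only catches later hosts altering earlier results, not a host lying about its own data.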
Conclusion
  • Mobile code is an alternative to client/server for distributed applications
  • Security is the major hurdle to mobile code
  • Mobile code (especially mobile agents) faces more attacks than client/server does, while the corresponding security mechanisms are not well established
  • A sample application illustrates the attacks on agents
  • Effort should be devoted to securing agents