Annotated Bibliography on Mobile Agent Security


Wayne A. Jansen
National Institute of Standards and Technology


This annotated bibliography introduces many of the important papers on the security of mobile agent systems.  The intention is not to create a comprehensive catalogue of all the available papers on the subject, but to list those containing key ideas or interesting viewpoints.  The papers are organized beginning with overview or survey material, then those describing specific techniques that respectively protect an agent and its execution environment (i.e., the agent platform), and onto those describing security-oriented mobile agent systems.  For articles that do not fit easily into these categories, there are additional groupings on intrusion detection, protection mechanisms, and the catchall other.


Besides a short summary of each paper, wherever possible, a URL is provided to the web page from where the paper can be accessed, as well as one directly to the paper itself.  This is intended to facilitate browsing among collections of related papers that are not included here and increase the usefulness of this bibliography.  Because the dynamic nature of the Web, pages often change unexpectedly and with some frequency.  If one of the links provided below fails, try locating the desired paper through the ResearchIndex web service at


General Overview


Jonathan T. Moore
Mobile Code Security Techniques
University of Pennsylvania
Department of Computer and Information Science
Technical Report MS-CIS-98-28, May 1998


This paper looks at mobile code security from two perspectives: protecting host from malicious code and protecting mobile code from malicious hosts.  It provides a categorization and survey of the various techniques that have been employed to secure agents and agent platforms.  Countermeasures to malicious code include safe interpreters, fault isolation, and code verification, while countermeasures to malicious hosts include detecting tampering and preserving security.  Examples for each of the countermeasures are reviewed, but no attempt is made to combine or extend these techniques into a broader protection framework.


William Farmer, Joshua Guttman, and Vipin Swarup
Security for Mobile Agents: Issues and Requirements
Proceedings of the Nineteenth National Information Systems Security Conference
Baltimore, Md., pp. 591-597, October 1996


This paper provides a good overview of the threats associated with using mobile agents and the countermeasures that can be applied using conventional techniques employed in distributed systems.  The authors also identify extensions in two areas: safe agent development languages stripped of harmful operations, and applications specific appraisal functions used to test the validity of an agent’s state.


Michael S. Greenberg, Jennifer C. Byington, and David G. Harper
Mobile Agents and Security
IEEE Communications Magazine, pp. 76-85, July 1998


The paper provides an overview of mobile agent security.  It first categorizes the type of attacks on such systems according to the resulting outcome: damage, denial of service, breach of privacy, harassment and social engineering.  It then reviews the security techniques that have been proposed and/or used to protect hosts from agents: authenticating credentials, access mediation, code verification, audit, and limits on various computational resources, and then techniques to protect agents from hosts: replication and voting, persistence, redirection, sliding encryption, trail obscuring, code obfuscation, encrypted data manipulation, and state appraisal functions.  The authors conclude with the observations that the existing techniques are largely based on an information fortress model and therefore flawed since a clear security perimeter doesn’t exist in an agent environment.  Some suggestions for further development of agent security are also given.


David Chess, Benjamin Grosof, Colin Harrison, David Levine, Colin Parris, and Gene Tsudik
Itinerant Agents for Mobile Computing
IEEE Personal Communications
vol. 2, no.5, October 1995, pp.34-49

The paper provides a good overview of mobile computing with itinerant agents including the motivation behind them, typical applications for their use, a framework and functional structure, and associated security issues.  For the latter item, the paper summarizes different approaches for handling both stateful and stateless agents following fixed and loose itineraries vs. freely roaming.


A. Fuggetta, G.P. Picco, and G. Vigna
Understanding Code Mobility
IEEE Transactions on Software Engineering, 24(5), May 1998


The authors provide a comprehensive review of systems that support code mobility.  They provide a detailed classification of mobility mechanisms to improve understanding of the associated technology.  The notions of weak and strong mobility are introduced and elaborated upon with examples drawn from existing mobile code systems.  A conceptual framework is built up around three aspects: technology, design paradigm, and application.


Rolf Oppliger
Security Issues Related to Mobile Code & Agent-based Systems
NetSec’99 Conference, June 1999


The paper gives a recent summary of vulnerabilities and solutions to applying mobile code and mobile agent technology.  The discussion is organized along the dual lines of protecting the execution environment and protecting the mobile code.


Protecting Agents from Attack


Thomas Sander and Christian Tshudin
Protecting Mobile Agents Against Malicious Hosts
submitted to LNCS on Mobile Agent Security, November 11, 1997


The goal of Computing with Encrypting Functions is to determine a method whereby mobile code can safely compute cryptographic primitives, such as a digital signature, even though the code is executed in untrusted computing environments and operates autonomously without interactions with the home platform.  The approach is to have the agent platform execute a program embodying an enciphered function without being able to discern the original function; the approach requires differentiation between a function and a program that implements the function.


Although the idea is straightforward, the trick is to find appropriate encryption schemes that can transform arbitrary functions as intended.  The authors propose investigating algebraic homomorphic encryption schemes as one possible candidate.  Their initial results look promising, and hopefully will form the basis for discovering other classes of functions.  The technique, while very powerful, does not prevent denial of service, replay, experimental extraction, and other forms of attack against the agent.


Fritz Hohl
A Model of Attacks of Malicious Hosts Against Mobile Agents
Proceedings of the Fourth Workshop on Mobile Object Systems (MOS ’98):
Secure Internet Mobile Computations, June 1998


The author indicates that only two approaches currently exist to solve the agent vulnerability problem: mobile cryptography (see Sander and Tschudin) and time limited blackbox protection (reviewed here).  The problem with mobile code reduces essentially to one of ownership, whereby the owner of the agent platform is different from the owner of the agent.  A comprehensive list of attacks is identified.  The paper reviews blackbox protection whereby the agent code is converted via obfuscating functions into other agents that are difficult to analyze.  The obfuscating functions must be provably strong, sufficient for withstanding attacks during a specified time period.  Based on a set of requirements drawn from the attacks identified earlier, the paper develops a semi-formal attack model for mobile agents.  The model is based on a theoretical model of computation called Random Assess Stored Program (RASP) machines, which are equivalent to Turing machines.


Volker Roth
Secure Recording of Itineraries through Cooperating Agents
Proceedings of the ECOOP Workshop on Distributed Object Security and
Fourth Workshop on Mobile Object Systems: Secure Internet Mobile Computations
pp. 147-154, INRIA, France, 1998


A very simple protection scheme is proposed in this paper: when moving between agent platforms, an agent conveys the last platform, current platform, and next platform information to the cooperating peer through an authenticated channel.  The peer maintains a record of the itinerary and takes appropriate action when inconsistencies are noted.  Attention is paid so that an agent avoids platforms already visited by its peer.  The rationale behind this scheme is founded on the assumption that only a few agent platforms are malicious, and even if an agent encounters one, the platform is not likely to collaborate with another malicious platform being visited by the peer.  Therefore, by dividing up the operations of the application between two agents, certain malicious behavior of an agent platform can be detected.  The scheme can be generalized to more than two cooperating agents.  Some drawbacks mentioned include the cost of setting up the authenticated channel and the inability of the peer to determine which of the two platforms is responsible if the agent is killed.


Giovanni Vigna
Protecting Mobile Agents through Tracing
Proceedings of the Third  ECOOP Workshop on Mobile Object Systems
Jyvälskylä, Finland, June 1997


The focus of this paper is the protection of agents from the actions of a malicious host, through detection.  The goal is to be able to detect unauthorized modifications of an agent through the faithful recording of the agent's behavior during its execution on each agent platform.  The technique requires each platform involved to create and retain a non-repudiatable log or trace of the operations performed by the agent while resident there, and to submit a cryptographic hash of the trace upon conclusion as a trace summary or fingerprint. The technique also defines a secure protocol to convey agents and associated security related information among the various parties involved, which may include a trusted third party to retain the sequence of trace summaries for the agent's entire itinerary.  If any suspicious results occur, the appropriate traces and trace summaries can be obtained and verified, and a malicious host identified.


The approach has a number of drawbacks, the most obvious being the size and number of logs to be retained, and the fact that the detection process is triggered occasionally, based on suspicious results or other factors.  Other more subtle problems identified include the lack of accommodating multi-threaded agents and dynamic optimization techniques.  While the goal of the technique is to protect an agent, the technique does afford some protection for the agent platform, providing that the platform can also obtain the relevant trace summaries and traces from the various parties involved.


F.B. Schneider
Towards Fault-Tolerant and Secure Agentry
Proceedings Eleventh International Workshop on Distributed Algorithms
Saarbucken, Germany, September 1997


This paper has two distinct parts.  The first describes a technique for ensuring a mobile agent arrives safely at its destination by using replication and voting.  An agent replicates at each node, which also screens that arriving agents are intact (e.g., carry valid credentials).  Only a subset of the replica agents that are considered valid is propagated onto the next stage.  One of the protocols presented requires forwarded agents to convey the accumulated signature of all the forwarding nodes.  The technique is similar to itinerary recording, but extended with fault tolerant capabilities.  The approach seems appropriate for applications where agents can be duplicated without problems (e.g., message delivery).  One obvious drawback is the additional resources consumed by replicate agents.  The second part of the paper is more theoretical and focused on mechanisms to enforce a security policy at a node.  A class of recognizers, finite state automata that accept only secure transitions, are defined, and shown to support well know MAC and DAC security policies.  Comparisons with sandboxing and proof carying code techniques are also given.


A. Young and M. Yung
Sliding Encryption: A Cryptographic Tool for Mobile Agents
Proceedings Fourth International Workshop on Fast Software Encryption
FSE ’97, 1997


As an agent travels about and collects information, it must securely store that information within itself.  In addition, the agent may want to retain itinerary information with a secure audit record.  Typically, only small amounts of information need to be secured at each node visited.  The focus of the paper is on protecting accumulated information; other related security threats are not addressed.  The scenario envisioned is one in which the agent encrypts the information using a public key it carries and later, when it returns to it point of origination, the information is decrypted using the private key maintained there.  Unfortunately, the key size and resulting ciphertext may be far greater in size than the information collected.  The paper presents a scheme for enciphering small amounts of data that is storage efficient.  The authors also point out that multi-precision code for encryption needed by an agent can be made relatively small (less than five thousand bytes).


James Riordan and Bruce Schneier
Environmental Key Generation Towards Clueless Agents
G. Vinga (Ed.), Mobile Agents and Security
Springer-Verlag, Lecture Notes in Computer Science No.1419, 1998


Environmental Key Generation describes a scheme for allowing an agent to take predefined action when some environmental condition is true.  The approach centers on constructing agents in such a way that upon encountering an environmental condition (e.g., string match in search), a key is generated, which is used to unlock some executable code.  The environmental condition is hidden through either a one way hash or public key encryption of the environmental trigger.  That way a platform or an observer of the agent cannot discover anything by viewing its code.


The technique is akin to the way in which passwords are maintained in modern operating systems (e.g., the hash of a password is stored) and used to determine whether login attempts are valid.  One weakness of this approach is that a platform that completely controls the agent could simply modify the agent to print out the executable code instead of executing it.  Another drawback is that an agent platform typically limits the capability of an agent to execute code created dynamically, since it is considered an unsafe operation.


Fritz Hohl
Time Limited Blackbox Security: Protecting Mobile Agents from Malicious Hosts
G. Vinga (Ed.), Mobile Agents and Security, pp. 92-113
Springer-Verlag, Lecture Notes in Computer Science No.1419, 1998


The author gives a detailed overview of the threats stemming from an agent encountering a malicious host as motivation for Blackbox Security.  The strategy behind this technique is simple -- scramble the code in such a way that no one is able to gain a complete understanding of its function (i.e., specification and data), or to modify the resulting code without detection.  A serious problem with the general technique is that there is no known algorithm or approach for providing Blackbox protection.  However, the paper cites Computing with Encrypted Functions as an example of an approach that falls into the Blackbox category, with certain reservations concerning the limited range of input specifications that apply.


A time limited variation of Blackbox protection is introduced as a reasonable alternative, whereby the strength of the scrambling does not necessarily imply encryption as with the unqualified one, but relies mainly on obfuscation algorithms.  Since an agent can become invalid before completing its computation, obfuscated code is suitable for applications that do not convey information intended for long-lived concealment.  The examples given for pure obfuscation algorithms seem rather trivial and potentially ineffective.  One promising method relies on a trusted host to trigger the execution of an agent’s code segment.  It is not strictly speaking a pure obfuscation algorithm, however, since code is redistributed to a trusted host, which is not part of the originally proposed scheme.  The method does, however, indicate a possible relationship between Environmentally Generated Keys and Obfuscated Code techniques.  One serious drawback to this technique is the lack of an approach for quantifying the protection interval provided by the obfuscation algorithm, thus making it difficult to apply in practice.


Bennet S. Yee
A Sanctuary for Mobile Agents
Technical Report CS97-537
University of California in San Deigo, April 28, 1997


This paper provides some interesting scenarios as motivation or explanation of techniques for securing the agent system.  The categories covered include fault tolerant and cryptographic approaches.  One intriguing technique presented to detect tampering by malicious hosts is to use partial result authentication codes (PRAC) applied by the agent at each platform visited.  The technique requires the agent and its owner to maintain or incrementally generate a list of secret keys used in the PRAC computation.  When a key is applied, the agent destroys it before moving onto the next platform, guaranteeing forward integrity.  The forward integrity property ensures that if one of the servers visited is malicious, the previous set of partial results remains valid.


The authentication of the results can be made a publicly verifiable process through use of public key cryptography and digital signatures, while maintaining forward integrity.  The author notes that perfect forward integrity could also be achieved using a trusted third party that performs digital timestamping.  This technique is similar to others that require each host sign partial results along the way.  Neither approach prevents malicious behavior by the platform.  One difference, with PRACs, however, is that this technique is platform independent and can be applied in the design of an appropriate agent application.  The paper also contains a theoretical approach to summarizing the results of execution traces maintained at a server, for transmission to a verifier.


G. Karjoth, N. Asokan, and C. Gülcü
Protecting the Computation Results of Free-Roaming Agents
Second International Workshop on Mobile Agents
Stuttgart, Germany, September 1998


Karjoth and his associates devised a platform-oriented technique for encapsulating partial results, which reformulates and improves upon the PRAC technique proposed by Yee.  The approach is to construct a chain of encapsulated results that binds each result entry to all previous entries and to the identity of the subsequent platform to be visited.  Each platform digitally signs its entry using its private key, and uses a secure hash function to link results and identities within an entry.  Besides forward integrity, the encapsulation technique also provides confidentiality by encrypting each piece of accumulated information with the public key of the originator of the agent.  Moreover, the forward integrity is stronger than that achieved with PRAC, since a platform is unable to modify its entry in the chain, should it be revisited by the agent, or to collude with another platform to modify entries, without invalidating the chain.  A variant of this technique, which uses message authentication codes in lieu of digital signature, is also described.


Sergio Loureiro, Refik Molova and Alain Pannetrat
Secure Data Collection with Updates
Proceedings of the Workshop on Agents on Electronic Commerce – First Asia Pacific Conference on Intelligent Agent Technology
December 1999, pp. 121-130


This paper extends the earlier work in encapsulating partial results collected by agents through an authentication code mechanism, by allowing hosts to update their previous submitted data.  The approach may be more suitable for applications where a host is revisited by an agent and given an opportunity to revise an earlier input, such as in a distributed auction or a stock market application.


Protecting Agent Platforms from Attack


William Farmer, Joshua Guttman, and Vipin Swarup
Security for Mobile Agents: Authentication and State Appraisal
Proceedings of the Fourth European Symposium on Research in Computer Security (ESORICS ’96), September 1996, pp.118-130


This paper focuses on a mechanism to protect against attacks launched through modifications of an agent’s state information.  The mechanism, called state appraisal, can serve a multitude of purposes: to protect a host from attack, to protect misuse of an agent, to maintain critical state invariants, and to control privileges of an agent.  The authors categorize the main principals associated with mobile agents: the authors who create them, the senders who launch them to work on their behalf, and interpreters who execute them.  The general idea is that authors and senders of agents each prepare state appraisal functions for the agents they respectively create and launch, such that the function calculates the maximum permissions to be accorded an agent based on its current state.  By signing the agent, an author and sender each signify that the agent essentially speaks for them.  While appraisal functions for obvious attacks may be easily formulated, more subtle attacks may be significantly harder to foresee and detect.  The developers of the technique indicate that in practice it may not always be possible to distinguish normal results from deceptive alternatives.


Joann J. Ordille
When Agents Roam, Who Can You Trust?
Proceedings of the First Conference on Emerging Technologies and Applications in Communications
Portland, Oregon, May 1996


The paper provides good overview of the multi-hop problem, working upwards from one-hop and two-hop boomerang agents.  The paper also outlines a method of reducing risk by maintaining with an agent, a path history the platforms visited.  Computing a path history requires each agent platform to add a signed entry to the path, indicating its identity and the identity of the next platform to be visited, and to supply the complete path history to the next platform.  The next platform can then determine whether it trusts the previous agent platforms that the agent visited, either by simply reviewing the list of identities provided or by individually authenticating the signatures of each entry in the path history.  While the technique does not prevent a platform from behaving maliciously, it serves as strong deterrent, since the platform's signed path entry is non-repudiatable.  One drawback is that path verification becomes more costly as the path history increases.  The paper also points out that in some practical situations the agent, once its code is authenticated, can be completely trusted regardless of where it has been (e.g., agent does not acquire state, is signed, and delivers a service to each platform visited).


Volker Roth and Mehrdad Jalali-Sohi
Access Control and Key Management for Mobile Agents
Special Issue Data Security in Image Communication and Networks, 22(3)
Computers & Graphics, 1998


After a brief overview of the various techniques that have been proposed for mobile agent security, the paper delves into an area that has received little attention: a general scheme for protecting both the static and dynamic components of a mobile software agent.  The scheme centers on a logical hierarchical structure of information that comprises an agent.  The main division is among immutable elements such as class files, policy, and related public key certificates, and mutable elements such as class instances, heap storage, and related public key certificates.  The idea is to allow initially an owner or developer to protect the immutable elements of the agent, and subsequently the agent platforms to protect the mutable elements associated with any incremental computation that occurs.  The approach allows portions of the hierarchy to be protected by through public key encryption and digital signature, in a flexible manner that is capable of supporting a wide variety of protection policies.  The authors give a general policy various parties involved in the implementation and use of agents would need to follow, and suggest a way of realizing the implementation through extensions to the Java Archive (JAR) format.


George C. Necula.
Proof-Carrying Code
Proceedings of the Twenty-fourth Annual ACM Symposium on Principles of Programming Languages (POPL ’97)
Paris, France, January 1997


The approach taken by Proof Carrying Code, obligates the code producer (e.g., the author of an agent) to prove formally that the program possess safety properties previously stipulated by the code consumer (e.g., security policy of the agent platform).  The code and proof are sent together to the code consumer where the safety properties can be verified.  A safety predicate, representing the semantics of the program, is generated directly from the native code to ensure that the companion proof does in fact correspond to the code.  The proof is structured in a way that makes it straightforward to verify without using cryptographic techniques or external assistance.  Once verified, the code can run without further checking.  Any attempts to tamper with either the code or the safety proof result in either a verification error or, if the verification succeeds, a safe code transformation.  The theoretical underpinnings of Proof Carrying Code are based on well-established principles from logic, type theory, and formal verification.  There are, however, some potentially difficult problems to solve before the approach is considered practical.  They include a standard formalism for establishing security policy, automated assistance for the generation of proofs, and techniques for limiting the potentially large size of proofs that in theory can arise.  In addition, the technique is tied to the hardware and operating environment of the code consumer, which may limit its applicability.


G. Necula and P.Lee
Safe Kernel Extensions Without Run-Time Checking
Proceedings of the Second Symposium on Operating System Design and Implementation (OSDI '96)
Seattle, Washington, October 1996, pp.229-243


This paper describes a mechanism called Proof Carrying Code, which allows safe execution of a binary supplied by an untrusted source.  It also discusses how the technique was used to implement traffic filters that are guaranteed to be safe.  The resulting implementations are also shown to be faster than counterparts develop using other techniques, including software fault isolation and safe languages.


Matt Blaze, Joan Feigenbaum, and Jack Lacy
Decentralized Trust Management
Proceedings of the 1996 IEEE Symposium on Security and Privacy
IEEE Computer Society Press, pp. 164-173, Oakland, CA, May 1996


The authors define trust management as a multifaceted problem that includes the formulation of security policies, generation of security credentials, validation of credentials with regard to particular sets of policies, and establishing trusted third parties.  The paper attempts to use this perspective in developing a comprehensive approach to resolving trust issues.


David Chess, Benjamin Grosof, Colin Harrison, David Levine, Colin Paris, and Gene Tsudik.
Itinerant Agents for Mobile Computing
IBM Research Report RC 20010, IBM, March 1995


This is an early version of the IEEE Personal Communications paper described earlier in the overview section.


Colin Harrison, David Chess and Aaron Kershenbaum
Mobile Agents: Are They a Good Idea?
IBM Research Report, March 1995, T.J. Watson Research Center


The paper weighs the advantages and disadvantages of mobile agents when compared with client-server and other forms of distributed computing.  It points out that although in nearly all applications satisfactory alternatives to mobile agents can be devised, a mobile agent framework address all situations in a unified manner.  The one notably exception is remote real-time control of processes to avoid delays in network latency.


Mobile Agent Systems


Joseph Tardo and Luis Valenta
Mobile Agent Security and Telescript
Proceedings of IEEE COMPCON '96
Santa Clara, California, February 1996


Telescript is one of the earliest examples of a mobile agent system that incorporates significant security features.  The authors describe the security model at several levels: object runtime safety, process safety and security, system safety, and network security.  Most security features of Telescript are discretionary.  Agents are written in a safe scripting language whose interpreter serves as a reference monitor, mediating all access to objects.  The language includes public and private modifiers for encapsulating operations and data.  Upon creation and a various point in its life cycle, an agent can be issued a permit, which encodes its access rights, resource consumption quotas, etc.  Agents travel between regions using a secure authenticated channel.  A place can check an incoming agent's authority and deny entry to the agent or restrict its access rights.  The system can terminate agents that exceed their quotas, and raise exceptions if they attempt unauthorized operations.


Robert SGray
Agent Tcl: A Flexible and Secure Mobile-Agent System
Proceedings of the Fourth Annual Tcl/Tk Workshop (TCL 96)
pp. 9-23, July 1996


The paper describes Agent Tcl an agent system designed to support agents written in various languages, but at the time focused on mainly on the Tcl scripting language.  Agent Tcl relies on Safe Tcl’s padded cell mechanism to provide a secure execution environment (i.e., reference monitor) for the agent, by limiting its access to only “safe” commands.  This approach is advanced as an improvement over more the ad hoc approach taken in Telescript.  In addition, Agent Tcl relies on PGP for source authentication, and confidentiality during transfers.  Before departing, agents are signed with the private key of the sending platform and encrypted with the public key of the receiving platform.  Eventually, static parts of the agent could also be encrypted with the owner’s private key upon creation of the agent.


Robert S. Gray and David Kotz and George Cybenko and Daniela Rus
D'Agents: Security in a Multiple-Language, Mobile-Agent System
Giovanni Vigna, editor, Mobile Agent Security
Lecture Notes in Computer Science, Springer-Verlag, 1998


This paper provides a more up-to-date look at the Agent Tcl system, now known as D’Agents.  Besides Tcl, D’Agents also supports agents written in Java and Scheme; hence, the change in name.  The original security features, described by Gray in an earlier paper, appear to largely in place with only some minor refinements.  The paper does go into significant detail and provides numerous examples.


Ghnter Karjoth, Danny B. Lange, and Mitsuru Oshima
A Security Model for Aglets
IEEE Internet Computing, August 1997, pp. 68-77


The paper gives a short introduction to the Aglets agent system and security issues surrounding agent systems.  The Aglets system is implemented on top of Java and relies heavily on the security features offered by that programming system.  Agents are serialized Java objects that move among aglet-enabled hosts in a computer network where they execute.  When an agent moves, it takes along its program code as well as its data, relying on an event-based scheme to suspend and resume execution at predetermined points. 


Any entity whose identity can be authenticated is referred to as a principal.  Principals can be human or machine entities, and include an agent, the manufacturer of an agent, the owner of an agent, a context, a context manufacturer, a context master, a domain, a domain authority.  A security policy is enforced through authenticated principals.  Any principal can specify policy for an agent.  A strict hierarchy of security policies, which does not include some principals, is mandated: Manufacturer < Owner < Context Master < Domain Authority.  Policy is specified using permissions, which are used to control access to resources and constrain their consumption.   Permissions are both positive and negative, and generally follow the policy file definitions of JDK 1.2.


Neeran Karnik
Security in Mobile Agent Systems
Ph.D.  Dissertation, Department of Computer Science
University of Minnesota, October 1998


The dissertation describes a secure agent system, Ajanta and the approach used to make the system secure.  The document also provides a good overview of other agent systems.   The design of Ajanta relies on the security of the platform and employs the full gamut of conventional security techniques within the runtime system to achieve its security: platforms perform mutually authentication, agents are isolated into protection domains, and an agent’s code is transferred securely among platforms and trusted code servers.  The design also allows for fine grain control over resources consumed by an agent.  An interesting approach was devised to protect agents from tampering by allow agents to maintain read only, append only, and targeted (only-for-eyes-of) categories of state information, whose modification can be detected.  Ajanta is implemented using Java and the design of its security mechanisms are based on the Java security model.


Srilekha Mudumbai, Abdeliah Essiari, William Johnston
Anchor Toolkit: A Secure Mobile Agent System
Submitted to the Mobile Agents 99 Conference, October 1999


The paper describes a mobile agent system called the Anchor Toolkit, which provides for the secure transmission and management of mobile agents.  The toolkit provides agent protection by dispatching agents between hosts through encrypted channels.  The mobile agent hosts are required to sign the agent's persistent state before dispatching them to the next platform.  The signed persistent state can be used later to detect potential problems with the agent's state.  The toolkit uses another security tool developed by the authors, called Akenti, to provide access control to a mobile agent hosts' resources.  Akenti uses public/private key signed certificates to express user identity, resource use-conditions, and user attributes.  Akenti makes access control decisions for each trusted agent and allows execution only after it authenticates the agents, the server that dispatched the agent, and all the hosts the agents visited on it way to attain its current state.  This scheme relies on a level of trust between mobile agent platforms to make access control decisions in order to mitigate the risk associated with accepting mobile agents.


Holger Peine
Security Concepts and Implementation in the Ara Mobile Agent System
Proceedings of the Seventh IEEE Workshop on Enabling Technologies: Infrastructure for Collaborative Enterprises
Stanford University, June 1998


Ara is an agent platform supporting the development of agents written various interpreted languages.  The key element of the design is the Ara core interface, which allows various language interpreters to be incorporated into the system. The Ara runtime system together with the agents and their interpreters execute as a single application process on a host operating system.  The core system maintains independent execution and isolation of any interpreter that runs on top of it.  The interpreter is in turn expected to maintain safe execution and memory access.


Ara recognizes three security-related principals: the user of an agent, the agent manufacturer, and the host system, each capable of signing the immutable part of an agent (e.g., code and passport).  Agents themselves are not considered security relevant principals within Ara.  All relevant information regarding an agent’s identity, user, and manufacturer is contained in a passport.  A passport travels with an agent and remains constant over the lifetime of an agent.  The passport also contains the maximum global resource amounts that an agent can consume.  Besides the passport, an agent also conveys with it a number of security attributes, such as that for maintaining a history of the hosts visited by the agent.  Secure connections via SSL provide for peer authentication, integrity (including replay), and confidentiality.


Mobile Agents in Intrusion Detection


Karima Boudaoud, Houda Labiod
MA-NID: a Multi-Agent System for Network Intrusion Detection
Proceedings of ICIS-99 – Eight International Conference on Intelligent Agents
Denver, Colorado, June 1999


The paper outlines an architecture, called Multi Agent Network Intrusion Detection (MA-NID), that provides a flexible means of integrating intelligent agents into a network environment.  It explores the application of Distributed Artificial Intelligence to intrusion detection in the form of a multi-agent system.  Rather than a centralized decision manager approach, MA-NID agents, located in specific network entities, work autonomously and cooperatively to perform intrusion detection.  Agents, having both knowledge-based cognitive abilities for reasoning and stimulus-response reactive capacities for rapid reaction, are envisaged.


Jai Balasubramaniyan, Jose Omar Garcia-Fernandez, David Isacoff, E. H. Spafford, and Diego Zamboni
An Architecture for Intrusion Detection using Autonomous Agents
 Department of Computer Sciences, Purdue University
Coast TR 98-05, 1998


The Autonomous Agents for Intrusion Detection (AAFID) effort employs a hierarchical architecture of agents. At the root of the hierarchy are monitors, which provide global command and control and perform analysis of information flowing from lower level nodes. At the leaves are agents which collection event information. The agents reside on special purpose agent platforms, called transceivers.  Transceivers perform command and control of locally running agents and the analysis or reduction processing of the information received from the agents.  Transceivers feed processed information onto monitors.  Agents appear to be static once they are deployed to a transceiver, but also replaceable through reconfiguration.  AAFID is in many ways a classical IDS hierarchy with agents used mainly as a means for structuring the intrusion detection collection component into a set of lightweight software components, which can be easily reconfigured.


Guy Helmer, Johnny S. K. Wong, Vasant Honavar, and Les Miller
Intelligent Agents for Intrusion Detection
Proceedings of the IEEE Information Technology Conference
Syracuse, NY, pp. 121-124, September 1998


The paper describes how mobile agent technology is used to allow various types of intelligent agents that employ classifier algorithms to travel among collection points, referred to as data cleaners, and uncover suspicious activities.  The architecture is hierarchical, with a data warehouse at the root, data cleaners at the leaves, and classifier agents in between.  A classifier agent specializes on a specific category of intrusion and is capable of collaborating with agents of another category to determine cooperatively the severity level of an activity deemed suspicious.  By moving the computational analysis to each collection point, the costly movement of information to an aggregation unit is avoided.  The resulting arrangement is also less likely to be vulnerable to attack, since static aggregation units are avoided.


M.Asaka, S.Okazawa, A.Taguchi, and S.Goto
A Method of Tracing Intruders by Use of Mobile Agents
Proceedings of the Ninth Annual Internet Society Conference
INET'99, San Jose, California, June 1999


The Intrusion Detection Agent (IDA) system relies on mobile agents to trace intruders among the various host involved in an intrusion.  The architecture can be viewed as a hierarchical structure, with a central manager at the root and a variety of agents at the leaves.  A sensor is a static agent that resides at a node in search of events that may relate to an intrusion.  Upon discovery of such information, the sensor notifies the manager who dispatches a tracing agent to the host.  The tracing agent initiates a information-gathering agent to collect related information at the host, before moving onto any site identified as a suspected point of origination.  The information-gathering agent returns to the manager with its results and logs the information on a bulletin board used for integrating the information collected about the intrusion from various agents.  The tracing agent eventually returns to the manager when it exhausts all routes or ends up at the final point of origination.  Possible duplication caused by multiple sensors detecting the same intrusion is resolved through a message board at each monitored host.  The developers indicate that the resulting system is an efficient and effective way for detecting intrusions.


Frincke, D., Don Tobin, Jesse McConnell, Jamie Marconi, Dean Polla
A Framework for Cooperative Intrusion Detection
National Information Systems Security Conference, pp. 361-373, October 5-8, 1998


The paper describes a prototype intrusion detection system, Hummingbird, which is designed as a distributed system for managing misuse data.  So called Hummer agents are assigned to a single host or set of hosts and interact with one another using various structured relationships (i.e., manager, subordinate, and peer).  The prototype emphasizes collaboration among agents and the use of local policy to govern interactions among agents within different domains.


W. Lee, S.J. Stolfo, and K. Mok
A Data Mining Framework for Building Intrusion Detection Models
IEEE Symposium on Security and Privacy, May 1999


The Java Agents for Meta-Learning (JAM) project applies meta-learning to distributed data mining, using intelligent agents.  The design has two key components: local fraud detection agents that learn how to detect fraud and provide intrusion detection services within a single corporate information system, and a secure, integrated meta-learning system that combines the collective knowledge acquired by individual local agents.  Data mining, like neural network and other single-point learning applications, does not engender knowledge sharing among agents.  The meta-learning approach attempts to overcome this limitation by integrating a number of separately learned classifiers embodied as remote agents.


Michael Conner, Chirag Patel, Mike Little
Genetic Algorithm/Artificial Life Evolution of Security Vulnerability Agents
Army Research Laboratory (ARL) Federal Laboratory 3rd Annual Symposium on Advanced Telecommunications & Information Distribution Research Program (ATIRP)
February 1999


Work being done by the Army on the Advanced Telecommunications/Information distribution Research Program (ATIRP) addresses computer vulnerability assessment, not intrusion detection.  However, intrusion detection modules could easily be substituted for vulnerability assessment modules to create a rudimentary IDS.  A central dispatcher launches agents to one or more target nodes to test for known vulnerabilities and report back results.  Agents are composed dynamically using a genetic algorithm, which continually attempts to maximize the likelihood of discovering existing vulnerabilities.  The gene pool from which agents evolve consists of Java code fragments that correspond to a detection technique and have been designed for composition with other fragments.  The architecture also has significant security capabilities, based on cryptographic signatures and public key certificates.


Gregory B. White, Eric A. Fisch and Udo W. Pooch
Cooperating Security Managers: A Peer Based Intrusion Detection System
IEEE Network, pp. 20-23, January/February 1996


Cooperating Security Managers is an IDS with a fully distributed design, where information flows from any node to any other intrusion detection node.  This is accomplished by consolidating all IDS functions, collection, aggregation, and command and control, into a single security management component residing on every monitored system.  Any significant events occurring at one system that stem from a connection originating from another are reported back to the system manager of the originating system by the security manager at the system where the event occurred.  In situations where the originating system of the connection is an intermediate node in a communication chain, the system manager is obliged to report onward to the next system manager in the chain.  Because of the potential for unconstrained communication flow, network structures, in general, tend to suffer from communications inefficiency when taken to the extreme (i.e., everyone directly communicating with everyone else).  However, they compensate for this inefficiency with flexibility in function.


Miscellaneous Protection Mechanisms


R. Wahbe, S. Lucco, T. Anderson
Efficient Software-Based Fault Isolation
Proceedings of the Fourteenth ACM Symposium on Operating Systems Principles
ACM SIGOPS Operating Systems Review, pp. 203-216, December 1993


This paper gives an overview of a method of isolating application modules into distinct fault domains enforced by software.  Security is enforced by transforming untrusted modules so they cannot escape their fault domain.  The technique, called sandboxing, is highly efficient compared with using hardware page tables to maintain separate address spaces for modules, when modules are communicating frequently among fault domains.  It is also ideally suited for situations where most of the code falls into one domain that is trusted, since modules in trusted domains incur no execution overhead.


Dan S. Wallach and Edward W. Felten
Understanding Java Stack Inspection
Proceedings of 1998 IEEE Symposium on Security and Privacy,

Oakland, California, May 1998


The authors demonstrate a correspondence between access control decisions based on stack inspections corresponds to the construction of a proof in a particular logic system, a belief logic designed to reason about access control.  Type safety ensures, for example, that pointers are not treated as integers and vice-versa.  In Java, the non-bypassablity of the virtual machine is achieved by restricting only the virtual machine to system calls.


Dan S. Wallach, Dirk Balfanz, Drew Dean, and Edward W. Felten
Extensible Security Architectures for Java
Proceedings of the Sixteenth Symposium on Operating Systems Principles
Saint-Malo, France, pp. 116-128, October 1997


The paper looks at a number of software based protection schemes for protection mobile code.  Three different extensible security models involving capabilities, extended stack introspection, and name space management are described in detail and evaluated against a common set of criteria.  The relative strengths and weakness of each approach result in no clear winner.  Nevertheless the paper is a very good overview of how such extensions may eventually be incorporated into Java.


Leebdert van Doorn et ali
Secure Network Objects
Symposium on Security and Privacy
IEEE Computer Society, pp. 211-221, 1996


The authors describe a method and implementation of providing security for objects distributed across a network.  The technique relies on the security of the runtime systems involved and adds conventional identity based security encapsulation mechanisms to the client and server runtime systems.  The implementation illustrates a rather seamless extension of security capabilities into an object model.


John K. Ousterhout, Jacob Y. Levy, and Brent B. Welch
The Safe-Tcl Security Model
Technical Report SMLI TR-97-60, Sun Microsystems, 1997


Probably the best known of the safe interpreters for script-based languages is Safe Tcl, which was used in the early development of the Agent Tcl system.  Safe Tcl employs a padded cell concept, whereby a second “safe” interpreter pre-screens any harmful commands from being executed by the main Tcl interpreter.  The term padded cell refers to this isolation and access control technique, which provides the foundation for implementing of the reference monitor concept.  More than one safe interpreter can be used to implement different security policies, if needed.  However, constructing policy-based interpreters requires skill to avoid overly restrictive or unduly protected computing environments.


Pekka Niklander, and Jonna Partanen,
Distributed Policy Management for JDK 1.2
Proceedings of the 1999 Network and Distributed Systems Security Symposium
pp. 91-102, February 1999


The authors describe a method for enhancing the Java language environment with policy expression and processing via Simple Public Key Infrastructure (SPKI) certificates.  SPKI certificates are a proposed alternative to using X.509 certificates, emphasizing key, rather than individual, identities.  The motivation for the enhancement was to make it possible to distribute Java security policy management fully in a way that does not affect the local configuration.  They accomplished this by assigning permissions to class files bundled within a JAR file, using SPKI certificates as the container for issued permissions.  The approach relies completely on the contents of validated certificate chains for determining the permissions for a protection domain of a given class.  While the focus is on client-server type applications, because of the method’s flexibility and grounding in Java, it could be extended for use in Java-based agent systems.


Other Related Papers


B.Steensgaard and E. Jul
Object and Native Code Thread Mobility Among Heterogeneous Computers
Proceedings of the Fifteenth ACM Symposium on Principles of Operating Systems
pp. 68-78, December 1995


The authors discuss their prototype implementation of full object and thread mobility among heterogeneous computers, whereby threads execute at the native code level.  The approach relies on the ability to transform machine independent code to a machine dependent representation at specific points in the program.


J.M. Smith
A Survey of Process Migration Mechanisms
Operating Systems Review, 22(3), ACM Special Interest Group on Operating Systems, pp. 28-40, July 1988


The paper contains an overview of mechanisms for process migration, providing insight on their motivation, design, and implementation.  It provides a good historical overview of the work conducted on this subject during the early ‘80s.



 Updated February 2001