Securing Mobile Agents by Integrity-Based Encryption
of 6
Transcript of Securing Mobile Agents by Integrity-Based Encryption
-
8/11/2019 Securing Mobile Agents by Integrity-Based Encryption
1/6
Securing Mobile Agents by Integrity-Based
Encryption
Jaewon
Lee
t ,
Seong-Min
Hong
and
Hyunsoo
Yoon
Division of Computer Science
Department of Electrical Engineering and Computer Science
Korea Advanced Institute of Science and Technology,
373-1
Guseng-dong, Yuseong-gu, Daejeon
305-701,
Rep. of Korea
Email: [email protected]
. Abstract-The mobile agent parad igm
i s
an important and
prqmising technology to structure distributed applications.
Since
the mobile agent physically moves to a remote host that i s under
the
control
of
a different principal, it needs
to
be protected from
this environment which
is
responsible for
its
execution.
This
probIem constitutes the major dinculty for
using
the mobile
agent paradigm for privacy protection sad is explored in great
detail. In his paper, we provide the methodology of protecting the
mobile agents from unauthorized modification for the program
code or.data by malicious hosts. One important technique is
an integrity-based encryption, by which a mobile agent, while
running
on
the remote host, checks itself to verify that it has no t
been
modi6ed
and conceals some privacy sensitive parts
of the
mobile agent.
Keytuords-Integrity-based encryption, mobile agent protec-
tion malicious host problem
1 .
INTRODUCTION
Mobile agents
are
autonomous
software
entities that
are
able
to migrate across different execution environments. Mobility
and autonomy make permanent connections unnecessary; thus
mobile agents are
suitable for providing low-bandwidth
con-
nections and asynchronous communication [I]. Furthermore,
they provide better support for heterogeneous computing en-
vironments.
Although the mobile agent paradigm extends the capabilities
of traditional ways of remote communication and distributed
computing, i t also raises new
security
issues
[2]. These
are
generally divided into two broad areas: i) protecting the host
from malicious agents and ii) protecting the
agent
from hostile
hosts. The
first
problem has received considerable attention
because of the imm inent threat of comp uter viruses an d Trojan
horses. Current solutions are to
run
mobile code in a sandbox
with fine-grained access control and to apply code signing for
exploiting
a
trust relation with the code producer.
However, unfortunately, solutions for the second problem
are far
less
developed, but
th is
problem needs to be solved
for making the mobile agent metaphor
useful
in
many
con-
texts since the most crucial defect of mobile agent is its
vulnerability to several attacks, in particular, by malicious
hosts.
Until quite recently there was a general belief that the
vulnerability of the mobile agent cou ld be prevented only with
hardware solutions. This belief however
has
been shown
to
be misleading
and is
referred to
the Chess
paradox in the
literature from Sander and Tschudin [3]. They proposed the
use of
encrypted functions, named CBF (Computation with
Encrypted Function), in which
the
user encrypts a function
5,
which is then executed by the host, without the host having
access to s. Although
the
approach is very promising, no
secure implementation has been proposed as yet. In
[4], Volker
Roth summarized some rules and principles of good and
bad practice for designing cryptographic protocols to protect
mobile agents from malicious host. Th e conventional crypto-
graphic protocols
are
not followed thoroughly in the design of
some cryptographic protocols meant
to
protect mobile agents
againstcertain attacks
by
malicious hosts.
In this paper, we present the methodology of protecting
the mobile agents from the malicious hosts trying
to
reverse
engineer
and
to make unauthorized modification,
by
which a
mobile agent, while running, checks itself to verify that it has
not been
modified
and
conceals
some privacy sensitive parts
of
the program.
Our
goal
for
the
mobile
agents protection is
to defend up t o the level of dynam ic modification for program
as
shown in Fig.
1
and can be summarized as following
objectives:
(1) (Integrity)
The
dynamic modification by the malicious
hosts should be detected
by
the mobile agent itself, and
it
helps to cope with some proper reaction.
(2) (Con fiden tiality) The privacy sensitive algorithm which
has been implemented into the mobile agent should be
concealed from the analysis of malicious hosts.
To
fulfill these goals, we propose an integri ty-bused encryp-
fion
scheme, which is composed of self-decrypting and self-
integrity checking methods. It is a new concept of encryption
scheme, which uses
the
program code as
a
key
so
that the used
code fragment can preserve the integrity. In other words, the
encryption will work properly if and only if the integrity of
keyed code holds. The self-decryption makes a mobile agent
- 508
-
-
8/11/2019 Securing Mobile Agents by Integrity-Based Encryption
2/6
et L1:
f Ichecksum
1s
lnvalial
Da
some
countermeasures:
Exit;
Continue
a s n o r m a l c o n a l z ~ o n ;
L1:
Fig. 1.
Trivial
attacks;
bold face denotes malicious modifications
enable to decrypt the own parts of a encrypted code. The
decryption key
is
computed by hashing
the
integrity sensitive
parts
of
a program,
so
it does not need to store
the
decryption
key in a secure container or database, Furthermore, we can
also preserve the integrity of those parts which are involved
as a decryption key as well as the encrypted fragm ents without
the notable routines.
We adopt the identity-based encryption ( B E ) scheme
S ]
to
build a decryption key from an
arbitrary
string which is the
result of hashing the integrity sensitive parts of the program.
The idea
of
identity-based cryptography was first formulated
by 'Shamir [ 6 ] in
1984.
However, .the most significant and
practical scheme in this field is probably the IBE cheme by
Boneh and Franklin [ 5 ]
171.
The typical difference between
IBE
and
our scheme
is the
usage
and
secrecy
for
the keys.
III BE
s well as the general public key encryption schemes,
the encryption key
is
publicly opened
to
the arbitrary parties
and the decryption key is privately secured within an owner's
environment.'
However, we focus he cryptographic primitives to guaran-
tee the program integrity while the confidentiality is subsidiary,
since the encrypted program codes should
be
exposed in de-
crypted form to computing environment due to the characteris-
tics of mod em general-purposed compu ter architecture.
So,
on
the contrary, we publicly throw
the
decryption key and conceal
the encryption key on the software manufacturer. Note that it
may seem to be similar to digital signature, but digital signa-
ture can provide only the
proof
of illegitimated modification.
As shown in Fig. I , the judgement and reaction, without the
preparation for holding an integrity, can be tampered, either.
In addition, by the inherent element of master-key which
is
generated from Key Generation Center
(KGC)
in
IBE we
utilize this property to distinguish the responsibility of security
management. With our scheme, neither specialized compiler
nor
hardware is needed and additional implementation in the
source code is minimal, so it makes efficient to use in practice.
The rest of,this paper is organized as follows. Several previ-
ous
researches in security of the mobile agents are discussed in
section 2. We describe
our
integrity-based encryption scheme
in section
3. In
section
4
we analyze the security of our
scheme. Finally, section 5 gives conclusions and some open
problems:
2 . RELATEDRESEARCHES
The security problems in the mobile agent system are
concerned with the protection of the
two
primary com ponents:
the mobile agent and the agent platform in which the mobile
agent
runs
its aims. In this section, w e consider the previous re-
searches
to
solve the
malicious
hosr
problem,
which addresses
the issues of protecting the mobile agents from malicious
hosts. The
most
researches to response the malicious host
problem can be classified as shown in Fig. 2. The first broad
class
is
the
tamper deleelion.
Tamper detection [8], [9]
can
be accomplished by means of the verification of computation
results and the tracing of execution logs. However, it may be
useless where the communication
is
blocked or there
is
no
way
of
returning. Hence, we focus
our
attention
on
tamper
prevention. Secondly, tomper prevenfion, furthermore can be
characterized into passive prevention and active prevention
according to the attitude o f prevention against tampering via
reverse engineering.
Reverse engineering i s the process
of
analyzing a subject
system
1)
to identify the system's components and their
interrelationships and 2)
to
create the representations of
a
system in another
form or
at a higher level of abstraction
[ IO] .
It is
usually accompanied with
a
static
or
dynamic analysis.
The static analysis
is
a
program
analysis without an execution
of a given program. Tools to carry out a static analysis are
the deco mpiler and deassembler. We can easily translate every
native code into assembly language with a deassembler, and
then carry out a static -anaIysis with the o utput co de from
a decompiler. The dynamic analysis
is
a program analysis
with
an
execution of a given program. Debuggers are useful
.enough to carry
out
a dynamic analysis since they enable an
adversary to execute the program in step-by-step manner. With
the
dynamic analysis,
a
perpetrator has complete control of
the platform
so
that he may substitute hardware or system
software and may .observe any communications channel that
he wishes. In
an
abso lute, sense, this kind
of
attacks
is
impossible to prevent on the current. computing a rchitecture
[I
I]. Furthermore, it
is
impractical to consider the attacks by a
malicious host acco mpa nyin g the surface attack , i.e., denial
o f service, random modifications of the program or its output
as well as replay attacks [3].
2. I Passive Prevenfion
Pussive
prevenfion
is an effort to make an adversary avoid
tampering which
is
founded
'upon
the static analysis. Obhsca-
tion [12]-[14] is
a
major example of passive prevention, and
it attempts to thwart reverse engineering by making it hard to
understand the behavior
of
a program
through
static analysis.
Also, software watermark and fingerprint
[15], 1161
can be
introduced in the s o h a r e and rendered highly undetectable
through code obfuscation transformations to allow tracking of
misused program copies by providing an additional deterrent
to
tampering. However, i t may be effective for the cases that
decompilation of binary code produces
some
high level of
human recognition such
as
Java. Moreover, the overhead
of
obfuscation techniques can be significant both in terms of
-
509
-
-
8/11/2019 Securing Mobile Agents by Integrity-Based Encryption
3/6
Protecting
Mobile Agents
Tamper-Detection
Ta
mper-Prevention
Data Execution Active Passive
Verification
Tracing Prevention Prevention
Fig.
2. Category of
mobile
agent protection
code size increase and execution time overhead, and they
require specialized compiler and may result in degradation of
performance. While
our
approach does more than o bfuscation,
as
it prevents illegal copying of software, we argue that hiding
part of the software is an effective way to obfuscate the
software.
2.2 Active Preverdion
I) Encypied
compufution:
Sander and Tschudin
[3]
pro-
posed the concept
of
an encrypted fimction, named
CEF
(Computation with Encrypted Function). They used a homo-
morphic cryptosystem to protect the mobile code. This method
protects computations o f polynomials by en crypting constants
and
transforming code to produce output in
the
encrypted
form; In contrast,
our
approach
is
applicable to m ore general
computations such as non-polynom ial computations involving
complex control flow. Although
CEF
is very promising, no
secure and practical implementation
has
been proposed as yet.
2) Softwnre encryption: The
basic idea
is
to encrypt the
software or at least parts of it. The goals of encrypting the
s o h a r e a r e t wofo ld . T he first is to avoid the unauthorized
execution of the software without the key. The second
is
to
forbid access to the complied binary code, and it is more
useful
to avoid
any
reverse engineering and any illegitimated
modification in the code.
The decryption key coutd be different for each user. The
decryption could take place at the installation of the software
or at each run and in the mem ory only, The major problem of
software encryption is to h ide key in the software tself or the
secure device, i.e., hardw are dongle or smart card.
3) Mobile cvprography: In [4] Volker Roth summarized
some rules and principles o f good and bad practice for de-
signing cryptographic protocols to protect mo bile agents from
malicious host. T he conventional cryptographic protocols are
not followed thoroughly in the design of
some
cryptographic
protocols
meant to protect mobile agents against certain at-
tacks by
malicious
hosts.
The current restrictions of the mobile cryptography ap-
proach are: t ) random programs cannot be used as the input
specification; currently only polynomial and rational functions
can be used for this purpose
2)
the interaction model
of
the
agent suffers the restriction that cleartext data can be sent only
to trusted hosts.
2.3 Data Protection
It
is
imperative that a data collecting and encrypting m obile
agent co nceals its decryption capability, thus the most
re-
searches for data security in the mobile agent paradigm imply
the use of public key cryptography [17] . The gathered data is
made accessible exclusively to the ow ner
who
dispatches the
mobile agent to perform a certain task when the gathered data
is
retumed to him. The corresponding private decryption key
is not contained within the m obile agent,,and is kept,secret by
the owner.
3 . O U R INTEGRITY-BASEDNCRYPTION
S C HE M E S
3 . Basic
Idea
In this paper, we propose an integrity-based encryption
scheme to protect the mobile agents against malicious hosts.
It is a variant class of an asymmetric key encryption scheme
in which the private encryption key is kept by the mobile
agent owner and the public decryption key
is
so computed
from the program code string
as
to preserve the integrity of
both the p articipated
code
fragments
as
a
key
and
an
encrypted
code segments. The scheme adjusts
the
Boneh-Franklin
IBE
scheme in a natural way and the reasons of adopting the
IBE scheme for ours are twofold. First, we take advantage
of the characteristic that the
TEiE
makes
an arbitrary
string
as
the encryption key. Our integrity-based encryption scheme
uses some ffaction
of
program code strings
as
corresponding
decryption key for other encrypted parts of the program code,
which
is
the implementation
of
confidential algorithm. In this
way, we can preserve the integrity of both,keyed and encrypted
parts of a program code. Second, by the inherent element of
master-key
which
is
generated from
KGC
in IBE we utilize
this property to improve the resiliency against several attacks.
3.2 An Integrity-Bused Encryption Scheme
We begin by giving mme definitions similar to those given
in
171,
[lS].
In
our
scheme,
a
mobile agent code is classified
into two classes, i.e., an algorithm private and an integrity
sensitive class o f code, denoted by
M
and
1
espectively.
A plaincode
M , E M
is encrypted into a
ciphercode
C,
C
using the owners secret encryption key
d i .
Note that two code
sets
of
M
and
C
are semantically identical. The hash value
Q , of 1;
E
1 s used to compute a corresponding decryption
key for dectypting C;.
Di
is a decryption routine
for
Ci and
we separate each decryption routine in order to strengthen the
security even though the code size is slightly increased.
The typical differences between
IBE
and our scheme are
the
usage
and secrecy
for
the key pair. In the
IBE as
well
as
the general public key encryption schemes, the encryption key
is publicly opened to the arbitrary parties and the decryption
key
is
privately
secured within
owners
environment. However,
on the contrary, we publicly throw the decryption key and
conceal the encryption key on the owner side. T h e reason
is that the encrypted program codes should be exposed in
decrypted
form
to foreign hosts due to the characteristics
of
modem general-purposed computer architecture. The mobile
agent owner encrypts some part of a program code with his
-
510 -
-
8/11/2019 Securing Mobile Agents by Integrity-Based Encryption
4/6
(a
Unprotected
mobile
agent
(d)
Executable
state
System :
Memory
replacement
.....
2
b)
Ready-@launch
mobile agent
(c) Self-integrity cbcck
and
rclf.dnryption
Fig.
3.
Procedural Row
and
basic memory layout
secret encryption key
and
then, in foreign hosts, the agent
itself decrypts the encrypted cod e with decryption key which is
compu ted from the integrity-protected fragment of the mobile
agent code. In this manner, if a malicious host tries to modify
the protected code, the mobile agent
will
malhnction and he
cannot achieve his intention.
Hashing: Set MAC; = Y f I ~ l ~ ~ ~ ~ ~ ~ ~ I ~ j )here I E 2, 1 1
denotes the concatenation of two strings and H
:
{O, l}* + ' { O , l } n is
the one-way and collision-
resistant
hash
function.
Admissible
pairings: Let GI nd
Gz
be two groups
of
order
q
for some large prime
q.
We
will call
6
an
admis-
sible pairing if C :
6 1
x GI
U is
a map with
the following properties:
(1) Bilinear:
t? aP,bQ
? P , ) O b for all P, Q E
(2)
Non-degenerate: Th e map d oes not send all
(3)
Computable: There
is an
efficient
algorithm to
S o u r c e s e tu p : The mobile agent code
i s
classified and delim-
ited into two categories
M
and
1.
Encryption
setup:
Given
a security parameter
k E
f
and
G
be
a
3ilinear Diffie-Hellman
(BDH) [7]
parameter
generator,
KGC
runs the algorithm as
follows:
( I )
Run
Q
on
input
k to
generate a prime
q
two
groups
GI ,&
of order q and an admissible
bilinear map C : G 1 x G I + 62. hoose a
random generator P E
6 1 .
GI and all a , b
E
Z.
pairs in GI C
to
the identity in Gz.
compute
@(
, ) for any P, E C
(2) Pick a random s E Z; and set pUb= sp.
(3)
Choose a cryptographic hash function
HI
(0 , l ) ' -+
G;.
Choose a cryptographic hash
function
H2
:
@ 2 4 (0,1)
for
some
n.
The
security analysis will view HI,
2
as random
oracles.
The plaincode space is
M
E
(0,
I} . The cipher-
code space
isC =
G ;
x (0,l) .
The system parame-
t e r s
are params
=
( 4 ,
G I ,
Gz
6,
R. ,
P,
Ppuar 1 , H a ) .
The
master-key
is
s E Z
E x t r a c t :
For a
given string MAC;
E (0,l) '
the algo-
rithm
does: (1)
computes a decryption key
Q, =
H I MAC;)
E
Gy,
and
(2)
sets an encryption key
d;
to
be d; =
sQ
here
s
s the master-key.
Encrypt:
As shown in Fig.
3
(a) and (b), encryption
is
proceeded by external utility, which
is
operated by
the agent owner. To encrypt
Mi
E
M
under the
encryption key d do the following: (1) compute
Q, = H (MAC,)
E
C;, (2) choose a random
T f E; , and
(3)
set the ciphercode
to
be
c;=
( T P p y b ,
Mi
69
H z ( g : ) )
where
g;
= i (d , ,P) E G.;
After finishing the encryption, a mobile agent is
ready to launch
on
network.
Decrypt:
After a mobile ag ent is launched toward the foreign
hosts, the protection
is
kept by itself. Likewise, C;
which is encrypted by an external utility should be
decrypted by the self-decryption as
folIows.
In the
beginning of execution
Ci,
it has to be decrypted
into plaincode
M ;
by agent code itself, as shown in
Fig.
3
(c) and (d). Decryption of
C, is
performed
by
decrypting routine D; mbedded in
a
mobile agent
program. Let
C;
=
{V;,Vi)
E
C
be
a
ciphercode
encrypted using the encryption key
d i .
To decrypt
C, sing the decryption key Qi E S ; compute:
K
a3
H Z i Q i , l l i ) )
=
Ma
This produces
the
original ex ecutable code M ; since
; ( Q i 7
VI
= ? ( i ) r p p u b ) i( i? sp)
= e( ,
P)
= C(d,,P) =
g;
3.3
SeJf-InntegrityCheck
We provide an integrity checking method, which ca n be
o p
erated without the: extemal
help. The
key
point of our integrity
checking method is that the checking is not explicitly formed
within the program,
so
an ad versary will have difficulty in
analyzing the protected
program.
It
is
indeed
the
side effect of
an integrity-based encryption schem e since decrypting
C,
with
the decryption key which
is
extracted from
I i will
naturally
help
to
protect the integrity
of
1;
y causing malfunction in
case of tampering
1,.
Before the execution
of
C;, it should be decrypted into
the executable plaincode M, within the memory by self-
decryption explained above, since the general-purposed CPU
cannot dispatch and e xecute the encrypted instruction. Due to
- 5 1 1 -
-
8/11/2019 Securing Mobile Agents by Integrity-Based Encryption
5/6
- ecrypi
Usdaskey
Fig.
4.
Memory layout
of
the
protected
code
computing the decryption
keys
from the hash values which
are.
calculated with the collision-resistant and one-way hash
function
N(),
t is hard to find I;, uch that X ( 1 : )
=
N ( 1 ; ) .
Therefore, if 1; as been tampered into 1;by a malicious host,
decryption
key
will be
Q:
=
H l ( X ( I i ) )
Q i
so
Ci cannot
be properly decrypted into
M i
and the program execu tion will
be terminated. It will spontaneously disturb an adversary
in
his
attack and herefore, preserve the integrity of 1i.
The decrypting routine Di
is
also critical component in
the security of our scheme., An attacker may discover the
important information like the boundary of
1 r
the integrity
dependency of each fragment. Furthermore, after he tam pers I
into I : , he may modify Di to decrypt Ci with saved image of
I instead
of
the fresh
I : :
The integrity of Di can be protected
by encryption or keying with other fragments
of
a program,
i.e., D;
C, r
D; I,,i
j
s an example of Dz which
is included in CJ
in
Fig. 4.
3 .4 Da a Profecrion
It is
important
to
preserve the confidentiality and integrity
of the data acquired and carried
by
free-roaming agents aswell
as securing the mobile code. The most common approach to
protect data is applying the public key encryption scheme with
the agent owner's pu blic key and the digital signature with the
private signing key of the remote hosts
[43,
[19], [ZO]
or its
variations [21].
In
the model in which a mobile agent program
T proceeds the computation autonomously and independently
of the mobile agent owner
0
he message
m,
that
is
the
computation result in the remote host H , for
i
= 1,. ..
I
i s
encrypted as mi)^^ with the owner's public key KO and
signed
as {WL~}~,- I
with the private signing key
St-
of the
host Hi.
However, without the code analysis and modification, it is
feasible for the nlalicious
host
H ,
to
forge the encfyption key
by simple substitution
KO
ith K , in order that the other hosts
may encrypt secret data with his public key since a public key
is embedded in the,mobile code as an individual data object
which is easily revealed. The following hosts H, 1,.
. , ,H I ,
will naively encrypt their results as
{ m j } ~ .
or
z
+
I
5 j5
k
