Security and Privacy in Mobile Agent Systems

Agents are autonomous programs that try to reach their goals in changing environments. Mobile agents open new dimensions to software design and extend traditional agent technology. They are considered to have great potential for Internet-based electronic markets. The owner of an agent can instruct it to visit many hosts in a network and carry out tasks on the owner's behalf. When the instructions have been carried out, the agent returns to its home and delivers the results it collected during its journey to its owner.

However, mobility raises new security threats for all parties involved. Both the visited hosts and the agents are exposed to serious dangers from the opposite side: the mobile agent can attack the host, and the host can attack the mobile agent. A visit from an agent is a security risk for the visited host: e.g. a malicious agent can have some undesired functionality such as a Trojan and try to obtain unauthorized access to resources, such as reading private information or even altering or deleting it. It can also disrupt operations of the host platform and execute a denial-of-service attack against the host. There are also various possibilities for malicious hosts to attack agents and the agent owners. These attacks can focus on extracting private information, stealing digital goods, modifying agent data, or even destroying the agent.

In recent years we have analyzed many of the security threats and proposed some solutions, especially for protecting agents against malicious hosts. But protecting a host against a malicious agent is also quite a demanding task: the main problem with mobile agents from a host’s point of view is that one can never know what mobile agents are going to do within the host computer. Some host-protection techniques have been proposed in the literature, but none of them provides enough protection with regard to preventing attacks from malicious agents. Most of them are a posteriori signature-based detection methods, i.e. hosts only accept agents signed by their owner, and if something illegal happens, the source of “evil” can be identified.

However, the permanent use of digital signatures opens tracing possibilities for agents and compromises the privacy of their originating host. Integrating strong security mechanisms in a mobile agent system usually implies the possibility to trace the actions of an agent belonging to some owner and to build a profile of its actions. Therefore, designing practical privacy mechanisms in a mobile agent application whilst simultaneously maintaining some security goals is a challenging task.

We have developed some techniques to protect the privacy of the agents and their originating hosts by providing some kind of anonymity. However, it is more important that these techniques also allow the revocation of anonymity should something illegal occur, thereby ensuring that accountability is also guaranteed. We call this kind of privacy “accountable privacy” or “fair privacy”. To achieve these goals, the cryptographic primitives of digital pseudonyms, group signatures, and ring signatures can be used.

The proposed solutions for accountability mentioned above have some advantages and disadvantages with regard to the security and efficiency of the scheme, so that a specific technique can be chosen according to the given mobile agent application.