Monotonicity and Partial Results Protection for Mobile Agents*
Bennet Yee†
September 20, 2002
Abstract
Remotely executing mobile code introduces a plethora of security problems. This paper examines the “external agent replay” attack, identifies the notion of one-way program state transitions, describes the use of monotonic variables as a practical method for detecting these attacks, examines the more general problem of state modification attacks, and introduces the use of “results verification vectors” to protect agents from attack.
1 Introduction and Motivation
While the remote execution of code eliminates most of the communications latency due to multiple message round-trips needed for repeated, possibly long distance/high latency RPCs, its attraction is greatly diminished by critical security needs: without knowing whether malicious servers have subverted the remote computation or have spied on the agent, how can users trust the obtained results? Though recent theoretical advances [2, 8] show that remote execution can be efficiently verified in principle, the need for reductions via Cook’s theorem makes their practical infeasibility obvious.
Mobile agents—a form of mobile code—are vulnerable to attack from the servers upon which they run. A dishonest server can subvert a mobile agent’s execution in many ways. Just as a server can lie to client programs in response to an RPC request, agent servers upon which mobile agents run can lie to agents in response to service requests. Agent servers can do much more than simply lie to agents, however, and this makes the mobile agent security problem much more interesting and difficult.¹ An agent server is a powerful adversary: it can examine the internal state of a mobile agent, it can alter that state, it can even subvert the agent’s execution on an instruction-by-instruction basis. (Note, of course, that the state may be encrypted or otherwise protected, so the server may not “understand” the internal state or know how to modify it profitably.) Indeed, the server can choose to not run the agent at all, but instead make changes to the agent’s state in a manner not prescribed by the agent’s code, or create a new state out of thin air and pass it to the next server as if it were legitimately computed.
* This research was funded in part by the National Science Foundation, CAREER Award CCR-9734243; and the Office of Naval Research, Award N00014-01-1-0981.
† University of California, [email protected]
¹ If the agent merely migrated to an agent server located nearer the RPC service to lower latency costs, the RPC server might be honest but have its messages subverted by the agent server.
When an agent migrates among the hosts in its itinerary, it may carry data—results derived while executing on earlier servers—into a dishonest server where that data is maliciously modified prior to being carried out to other normal, honest servers. Of course, in general we do not know which of the servers were actually dishonest, and one arm of a multi-pronged mobile agent security defense is to enable the detection of such modifications.
In this paper, we examine the state modification detection problem introduced and addressed in earlier works [12, 32, 17, 33, 24], define two classes of agent replay attacks and describe how such replay attacks can invalidate cryptographic protocols designed for protecting the results of partial computations, examine the general notion of one-way state transitions and focus on how it can be used to protect autonomous multi-hop agents, in particular, against agent replay attacks. (We do not, however, address the question of servers lying to agents.)
Figure 1: RPC versus migration. (a) RPCs require many round trips. (b) Migration has only one round trip. When an agent migrates to a server, the RPCs become local requests and do not experience large network latencies.
The next section describes the state modification attack. Next, Section 3 explains the one-way state transition approach for protecting multi-hop agents and analyzes its security properties. We discuss the use of forward secure signatures to protect partial results in Section 4, and then examine an alternative means of protecting partial results—a results verification vector—which provides security even when there are multiple colluding hosts in an agent’s itinerary. Section 6 explains the earlier approaches to detecting state modifications, discusses their drawbacks when multiple malicious servers are involved, and examines other security techniques that fit into the one-way state transition framework. Section 7 concludes with a summary and some future directions.
2 Agent Model and State Modification Attacks
Mobile agents autonomously migrate to remote servers and perform some computations at each server. In our model, the primary reason for migration is to improve communication efficiency by co-locating the computation with some resource that is available at each of the target servers. Without migration, repeated remote accesses to that resource would have resulted in multiple RPCs and multiple request/response round trips—instead of paying for the communications latency many times, agent migration enables efficient, low latency accesses at the cost of a single communications round trip delay. Figure 1 shows the long-distance round trip reduction of using migration over RPCs.
We assume that distributed computations exhibit remote resource access locality—each of many remote resources is accessed repeatedly and in different phases of the computation. This motivates the use of agents that have a migration itinerary, a list of servers that the agent visits in turn. Figure 2 illustrates an agent that visits six servers.
Figure 2: Migrating agents visit several servers in turn.
When an autonomous agent migrates to a server, it carries with it the results of computation performed at earlier servers, and performs queries to some resource controlled by the server while it is there. We model this as follows. Let $y_{i,0}$ be the state that is input to server $S_i$. Based on that state, the agent code generates a query $q_i(y_{i,0})$ to the server resource $R_i$. The server’s response is $x_{i,1} = R_i(q_i(y_{i,0}))$. The agent code computes the next state, $y_{i,1} = f_i(x_{i,1}, y_{i,0})$. If additional resource queries are desired, the agent generates $q_i(y_{i,1})$, obtains response $x_{i,2} = R_i(q_i(y_{i,1}))$, and computes a next state $y_{i,2} = f_i(x_{i,2}, y_{i,1})$, and so on. After $k_i$ queries, the agent code decides that no further queries are needed ($q_i(y_{i,k_i})$ returns a special stop symbol “$\bot$”) and $f_i$ is applied one last time, and the resulting state $y_i = y_{i,k_i+1} = f_i(\bot, y_{i,k_i})$ is sent to the next server as part of the agent migration.² (Note that $k_i = 0$ is possible, in which case the agent is simply using compute cycles on the server.) We denote by $y_0 = y_{1,0}$ the agent’s initial state. Figure 3 shows this process in a schematic fashion. We think of $y_i$ as the agent’s state after visiting server $S_i$; it contains the (partial) results derived there which may be used as inputs to later computations done at the next or subsequent servers. If the server is hostile, it may read or write the agent’s memory arbitrarily—modify $y_i$, or the functions $q_i$, or $f_i$. Of course, the server may not understand what it reads or writes, e.g., if the memory contains encrypted values, and its modifications might be detected later. This would be the case if the memory values are cryptographically authenticated using digital signatures or partial results authentication codes (PRACs) [32, 6, 25] associated with them. In Sections 4 and 5, we will see several proposed cryptographic techniques that aim to protect these partial results.
² We can collapse the multiple rounds of queries to one if the queries can include functional values (or Turing machine encodings) as query parameters; this would simplify the notation by using a form of mobile code (!), but obscures the process.
Figure 3: Multi-hop Agent Computation Model. In addition to being multi-hop, the agent makes multiple rounds of queries to the server-side resources on each server. Here each row of computation is performed on a different server.
Note that in this model, an agent server does not have to compromise the resource ($R(\cdot)$) in order to subvert the agent’s computation. Indeed, the agent server and the resource may be embodied in machines that are physically located near each other (and so low latency RPCs are possible between them) but in different administrative domains and the RPC service may very well be honest. To obtain the effect of the RPC service lying to the agent, the agent server can subvert the query input, i.e., subverting $q(\cdot)$ so that the obtained answer is to a different query: $x'_{i,j} = R_i(q'_i(y_{i,j-1}))$, or subvert the computation of the next state $y_{i,j} = f'_i(x_{i,j}, y_{i,j-1})$ from the correct resource response $x_{i,j} = R_i(q_i(y_{i,j-1}))$. Generally we will assume that the implementations of $q_i$ and $f_i$ are immutable code that is cryptographically signed by the agent’s author or owner, so while their execution may be subverted on a dishonest server, any code subversion cannot persist to honest servers—but the mutable state $y_i$ is subject to attack. In the Sanctuary security model [14], an agent’s code and the initial configuration $y_0$ are cryptographically signed by the agent’s owner, and changes to either would be detected when the agent arrives at an honest server. The signed configuration is typically carried with the agent to later servers, where the agent code will use the configuration to guide—and limit—its actions. We are not concerned with the configuration in this paper, so we will leave it embedded in $y_i$ along with whatever authenticators are used.
2.1 Agent Replay Attacks
2.1.1 Agent Migration Models
Mobile agent systems may implement “strong migration” or “weak migration”. In essence, strong migration systems allow agents to migrate mid-computation—the “place” of the computation (see Section 3.1) is changed as a side-effect of some system request, and the entire agent internal state (possibly excluding external references) is moved to the new machine. In weak migration systems, the agents are restarted from scratch on the new server with different initialization messages; the agent programmers must take care to create the appropriate initialization messages so the next incarnation of the agent will continue from where the previous incarnation left off.
With either form of migration, the agent system implements migration by transmitting the agents’ execution state. In strong migration systems this state is automatically extracted by the system; in weak migration systems the explicit state extraction is the duty of the agent programmer. The extracted state is then sent to the destination host as a parameter of the migration request.
2.1.2 Agent Migration and Replay
Servers receive the state of the migrating agent—abstractly a closure in the strong migration model—perform some computation, and that computation generates the “next state”—another closure—to be passed to the next server in the agent’s itinerary. The message containing the agent state, whether a closure or a hand-crafted representation of the agent’s state, exists in some I/O buffer. Servers are free to copy its value, in essence checkpointing the agent. Because the ability to checkpoint and restore agent state is inherent in mobile agent systems, malicious servers have the ability to rerun an agent an arbitrary number of times. While we would like to be able to provide agents with “at most once” execution semantics for executing on servers occurring only once in the agents’ itinerary, the ease with which checkpoints are used would seem to make this impossible.
The rerunning of agents is analogous to message replay attacks that occur in the communications security context. Replay can occur even if the malicious server performs no code analysis, just as an attacker in the network can replay intercepted messages even if the messages are encrypted. In networking, “time to live” fields, sequence numbers, or nonces are used to detect and eliminate duplicate messages. We will see below (Section 3) a secure agent duplication detection mechanism that expands on these concepts.
We divide agent replay attacks into two classes: internal agent replay attacks and external agent replay attacks.
2.1.3 Internal Agent Replay Attack
We define an internal agent replay attack to occur when a dishonest server $S_i$ repeatedly runs an agent with different query requests $q'_i(y_{i,j-1})$, $0 < j \le k_i$, to obtain favorable responses $x'_{i,j} = R_i(q'_i(y_{i,j-1}))$ or with modifications to the agent’s next-state computation $y_{i,j} = f'_i(x_{i,j}, y_{i,j-1})$ until the output state variable $y_{i,j}$, $0 < j \le k_i$, satisfies some desirability predicate $d(y_{i,j})$, i.e., the server can evolve its attack until a satisfactory output state $y_{i,k_i}$ is obtained. Runs of the agent with unsatisfactory output states are simply discarded. Figure 4 illustrates this attack. Note that only one dishonest server is involved, and there are no externally observable events that occur which would make internal replays observable.
Figure 4: Internal Agent Replay Attack
Agents cannot “remember” having run before on the dishonest server: in resetting the agent to its earlier arrival state the server also wipes out all memory of previous runs. Whatever memory is used to hold this state information must therefore be external to the agent, and indeed external to the dishonest server. One might imagine that an agent can prevent—or detect—internal agent replay attacks by storing in some secure external memory that execution has commenced and aborting if this is not the first and only time that this has occurred. Without obfuscated code, however, the dishonest server can alter the execution of the agent—e.g., by temporarily modifying the agent’s code—so that the checks of the external memory values are bypassed.
Note that $S_i$ does not need to “understand” $q_i(\cdot)$ or $f_i(\cdot)$; it merely needs to be able to compute the desirability predicate $d(\cdot)$ to mount this attack. Generally, code obfuscation is impossible [4], though perhaps obfuscating very restricted yet useful classes of functions is still possible. Currently only very limited classes of functions are known to work [27].
Internal agent replay attacks only make sense for the dishonest server if the server can compute its desirability predicate. This means that if the result of the computation is encrypted somehow (e.g., [8]), servers would be unable to compute $d(\cdot)$ on the agent state to gain (probabilistic) advantage over honestly running the agent. The encrypted function schemes proposed thus far, however, impose heavy performance penalties and are impractical. Practically speaking, then, internal replay attacks seem impossible to prevent or detect.
2.1.4 External Agent Replay Attack
We define an external agent replay attack to occur when two or more dishonest servers repeatedly run an agent—through one or more honest servers between them—until the output state variable satisfies some desirability property. Figure 5 illustrates this process. Note that the case of two or more adjacent colluding dishonest servers—e.g., with no honest servers between them in the agent’s itinerary—may be analyzed by essentially collapsing the dishonest server nodes into one, i.e., treating the run of dishonest servers as a single dishonest server. This kind of attack is essentially an internal replay attack and is thus impossible to detect.
For external replays that involve one or more intermediate honest servers, the situation is not as bleak. We will see in Section 3 solutions where the bracketed honest server helps in detecting external agent replay attacks.
2.2 State Modification
Suppose the attacker understands the agent’s code or data layout. Such an attacker may, in principle, be merely intercepting and modifying messages in the network, or she may be a malicious server that is in an agent’s itinerary. Here, knowing the agent’s code or data layout is analogous to knowing partial information about the plaintext that corresponds to encrypted messages, and the ability to change that state corresponds to the “malleability” of the encrypted message [11]. Secure mobile agent systems transfer the agent state over encrypted and authenticated channels [26, 32], so an attacker with only network access should be unable to modify a migrating agent’s state.
Figure 5: External Agent Replay Attack
The remaining threat is compromised or dishonest agent servers. Since code obfuscation is, in general, impossible [4] and secure remote computation by reduction to circuits [8] appears to be too expensive, we would like to find alternative practical methods for protecting a multi-hop agent’s execution. First, let us describe a simple prototypical attack scenario. Figure 6 sketches the code of an agent which obtains a command while on one server for it to perform one of two actions when at a later server.
While the agent is running on Server$_1$, it obtains additional configuration instructions, perhaps interactively from its user, on what to do later when on Server$_k$. The decision (or the data required to make the decision) is embedded in the state $y_1$, $y_2$, ... etc carried to later servers, but to highlight it we separate it out as an extra boolean variable searchOrDelete. The threat, of course, is that an intermediate server between Server$_1$ and Server$_k$ is untrustworthy, and can alter the boolean flag searchOrDelete. Note that sanity checks on data structures such as state appraisal [12] cannot possibly detect if data values—e.g., the searchOrDelete flag—have been changed. Furthermore, those partial results authentication codes which require encrypting the results [25] would make searchOrDelete unavailable for use at a later server. We will revisit this scenario when we discuss our proposed solutions.
    Agent(State y_in)
        migrate(Server_1);
        x = R(query(y_in));  // Server_1 is trusted
        searchOrDelete = predicate(x);
        y_1 = f(x, y_in);
        migrate(Server_2);
        ...  /* boolean searchOrDelete modified? */
        migrate(Server_k);
        if (searchOrDelete)
            result = findAllFilesContaining(g(y_in));
        else
            result = deleteAllFilesContaining(g(y_in));
Figure 6: Agent flag: Place-Of-Set versus Place-Of-Use vulnerability. Space of possible future execution should be constrained when the flag searchOrDelete is set. Since the flag is set at a different server from when the flag is used, intermediate dishonest servers have the opportunity to change its value inappropriately. Declaring variable final does not help.
3 One-Way State Transitions and Monotonicity
One way to look at the agent replay attacks is that we wish to enforce state transition—and time—monotonicity. This is a diametrically opposite goal to that usually encountered in distributed systems where the ability to roll back computation is often desirable [16]. With external agent replay attacks, we detect when a dishonest server rolls back an agent and generate an appropriate error.
The key observation in preventing the replay of mobile agents over their itinerary by malicious servers is that agents cannot depend on state that they carry. Agent state is subject to the control of malicious servers: the replaying malicious server can obviously reset the agent state to an earlier observed one, even if overt state tampering is impossible due to careful sanity checking, state appraisal, or having the agent compute with encrypted values.
If an agent cannot rely on its own record of what has occurred, what can it rely on? Some externally maintained state is needed. We can rely on an outside party accessed via the network (when the agent is running on an honest server, at least; see Section 6.1.2), or we can rely on the honest servers on the replayed itinerary to maintain state. The former case uses a model similar to that in the cooperating agents idea [22, 23], but uses it to solve a slightly different problem: we detect inconsistent agent internal state transitions, rather than just deviations from the agent itinerary or inconsistent final results after computing in disjoint sets of possibly dishonest hosts. Furthermore, it is immaterial whether we use a trusted server rather than another agent. In a distributed system where high speed systems make communications cost a dominant factor in the job’s time to completion, schemes such as the latter one avoid additional communications steps and thus are more desirable. Before we discuss these two approaches in more detail, we first define what we mean by a one-way state transition.
3.1 Notation
In order to analyze what happens in mobile programs such as that in Figure 6, we must use a slightly more concrete abstraction of an agent program’s execution. Instead of consisting of monolithic next state functions $f_i(\cdot, \cdot)$, we must use a model that can incorporate notions of registers, program counters, and memory contents wrapped together in a state variable. While we only informally describe the agent’s computation below, how to describe it in formal models such as Turing machines or the RAM model should be clear.
The agent—executing mobile program—consists of an internal state and a place or location where it is running. We assume that the migration process merely changes the place; the internal state is preserved. We think of the place as representing properties of where the agent is running, including the name spaces in which external resource names are resolved. The internal state consists of values—memory contents—so all external resources are manipulated by name.
The state transitions that we are concerned with are those that involve changes to the mobile agent’s internal state. First, we define the state transition graph.
Definition 1 A state transition graph is a graph $G = (V, E)$ where $V = \{s : s \text{ is a program state}\}$ and $(s, t) \in E \subseteq V \times V$, and there is a transition from state $s$ to $t$ in some execution of the program.
A state transition $(s, t) \in E$ occurs whenever there is a state change, e.g., control flow transfer, an ALU operation, or memory modification, that occurs from $s$ to $t$ due to the execution of a single instruction in some execution of the mobile agent’s code. At a fine enough granularity, even a noop causes a state transition, since the program counter value changes. We are deliberately imprecise about the granularity of the states in this model, since it will be convenient to use this notation at different levels of abstraction of the mobile agent execution.
Definition 2 A path exists from $s$ to $t$, denoted $s \leadsto t$, when there exist $s_j$, $j = 0, \ldots, n$, where $s_0 = s$, $s_n = t$, and $\forall i = 0, \ldots, n-1 : (s_i, s_{i+1}) \in E$.
When $s \leadsto t$, we also say that $t$ is reachable from $s$. When no path exists (or $s \not\leadsto t$), we say that $t$ is unreachable from $s$.
Definition 3 A one-way state transition exists from $s$ to $t$ if $(s, t) \in E$ and $t \not\leadsto s$. We denote this by $s \Rightarrow t$.
One-way state transitions are interesting to us because their occurrence implies an irreversible state change in the (mobile) program—the agent enters a portion of the state space from which it should never escape. In the example of Figure 6, once searchOrDelete is set by evaluating predicate($x$), its value does not change and what the agent will do on Server$_k$ should be fixed.
Definition 4 A state $x$ is inconsistent with a one-way state transition $s \Rightarrow t$ if $t \not\leadsto x$.
Definition 5 A one-way state transition $s \Rightarrow t$ is inconsistent with a second one-way state transition $s' \Rightarrow t'$ if $t \not\leadsto t'$.
Definition 6 Two one-way state transitions $s \Rightarrow t$ and $s' \Rightarrow t'$ are mutually inconsistent if $t \not\leadsto t'$ and $t' \not\leadsto t$.
3.2 External State Transition Verification
By using a program running on an external machine or a secure coprocessor [31] to monitor the execution state transitions, we can detect external agent replay and some state modification attacks. This external program may be a standard service available at many (or all) servers or another (cooperating/monitoring) agent.
The idea here is that the remote service implements a state transition inconsistency detection (STID) algorithm, which records and monitors one-way state transitions that occur during the execution of the agent. As the agent program makes state transitions, messages are sent to the monitor, which then can raise an alarm if any inconsistencies are detected.
For each agent instance (id), the detector maintains a monotonic bit $b_{s,t} \in \{0, 1\}$ associated with every one-way state transition $s \Rightarrow t$ in the agent’s code:
• When the agent starts, all the bits are created and cleared.
• When the agent reports that $s \Rightarrow t$ has occurred, we look for state transition inconsistencies:
  – Examine $b_{s,t}$. If it is already set then an agent replay attack has been detected.
  – Examine all bits $b_{s',t'}$ where $s' \Rightarrow t'$ is inconsistent with $s \Rightarrow t$. If any are set, then a state modification attack has been detected.
• If no attack is detected, set $b_{s,t}$.
The salient property is that these one-way state transition monitoring bits are monotonic: once set, they can never be cleared. The monotonicity of their value mirrors the one-way nature of the state transition.
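The following added example (not code from the paper) implements the STID bookkeeping above together with the reachability and one-way transition definitions of Section 3.1, and runs it on a constructed abstraction of the Figure 6 agent. The state names, class names and return strings are assumptions made for illustration, and the agent id is assumed to be authenticated before `report` is called.

```python
class TransitionGraph:
    """State transition graph G = (V, E) of Definition 1."""

    def __init__(self, edges):
        self.succ = {}
        for s, t in edges:
            self.succ.setdefault(s, set()).add(t)
            self.succ.setdefault(t, set())

    def reachable(self, s, t):
        """Definition 2: a path from s to t exists (n = 0 gives s to s)."""
        seen, stack = {s}, [s]
        while stack:
            u = stack.pop()
            if u == t:
                return True
            for v in self.succ.get(u, ()):
                if v not in seen:
                    seen.add(v)
                    stack.append(v)
        return False

    def one_way(self):
        """Definition 3: edges (s, t) with no path back from t to s."""
        return {(s, t) for s, ts in self.succ.items() for t in ts
                if not self.reachable(t, s)}


class STIDMonitor:
    """Keeps one monotonic bit per (agent id, one-way transition)."""

    def __init__(self, graph):
        self.graph = graph
        self.one_way = graph.one_way()
        self.bits = {}  # agent id -> transitions whose bit is set; never cleared

    def report(self, agent_id, s, t):
        # Assumption: agent_id has already been authenticated by the caller.
        if (s, t) not in self.one_way:
            raise ValueError("not a one-way transition in the agent's code")
        bits = self.bits.setdefault(agent_id, set())
        if (s, t) in bits:
            return "replay"
        # Definition 5: an earlier transition ending in t_prev is inconsistent
        # with the reported one when t_prev cannot reach t.
        if any(not self.graph.reachable(t_prev, t) for _, t_prev in bits):
            return "state-modification"
        bits.add((s, t))
        return "ok"


# Constructed abstraction of the Figure 6 agent; state names are hypothetical.
FIGURE6_EDGES = [
    ("at_s1", "querying"), ("querying", "at_s1"),        # query loop: reversible
    ("at_s1", "search_set"), ("at_s1", "delete_set"),    # searchOrDelete assigned
    ("search_set", "search_at_s2"), ("delete_set", "delete_at_s2"),
    ("search_at_s2", "search_at_sk"), ("delete_at_s2", "delete_at_sk"),
]


def demo():
    mon = STIDMonitor(TransitionGraph(FIGURE6_EDGES))
    return [
        # A1: honest run, then rolled back to a checkpoint and re-sent to server 2.
        mon.report("A1", "at_s1", "search_set"),
        mon.report("A1", "search_set", "search_at_s2"),
        mon.report("A1", "search_set", "search_at_s2"),
        # A2: flag set to "search" on server 1, flipped before server k reports.
        mon.report("A2", "at_s1", "search_set"),
        mon.report("A2", "delete_at_s2", "delete_at_sk"),
    ]


if __name__ == "__main__":
    print(demo())
```

The third report is the external replay (the same one-way transition seen twice for A1), and the last is the flipped searchOrDelete flag: the state reached when the flag was set cannot reach the delete branch.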
In order for STID to correctly detect inconsistencies, the agent must be properly authenticated. Since agents cannot efficiently use cryptographic keys on a server without that server also gaining unfettered access to those keys, note that