Post on 29-Dec-2015
Self-Protecting Mobile Agents
Lee Badger
Brian Matt
Larry Spector
Doug Kilpatrick
Funded by both OASIS and Active Networks Programs
NAI Labs
14 Feb. 2001
Malicious Hosts Problem
• Mobile agents will need to execute on unfriendly hosts, but a host may:
– modify an agent’s behavior
– steal an agent’s secrets (if any)
– deny execution
– execute improperly
  • crash the agent
– lie to an agent
Technical Objectives
• Protect software agents from tampering while allowing:
– High mobility.
– Detached operation.
– Extended deployment periods.
– Realistic infrastructure requirements.
Existing Practice
• Limit Mobility to Trusted Places
– hardware peripherals, trusted hosts
• Detect Malicious Execution After it Happens
– state appraisal (Farmer), detection objects (Meadows), cryptographic traces (Vigna), partial result authentication codes (Yee), fault-tolerance techniques (Schneider)
• Prevent Malicious Execution
– encrypted functions (Sander, Bazzi), code/data obfuscation (Collberg, Low, Hohl, Wang)
Time-limited Black Box
Hohl, Fritz, “An Approach to Solve the Problem of Malicious Hosts”
• A host can deny execution, or lie, but it can’t disrupt the program’s internal consistency for n seconds.
• Can this temporary protection be leveraged into ongoing protection?
[Figure: Source code + Policy A → Obfuscation transform → Obfuscated source code; run for n seconds, then stop.]
Technical Approach (in a nutshell)
[Figure: a traditional agent runs as one unit on a single host; a self-protecting agent is split into agentlets 1, 2, 3, ..., N, each running on a separate host.]
• Distribution: replicate agents across multiple, unrelated hosts.
– Present a moving target
• Monitoring/Recovery: regenerate corrupted “agentlets.”
• Code/data Obfuscation: prevent host-based analysis
– Refresh obfuscation before analysis can be completed
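As an added illustration of the distribution and monitoring/recovery idea (constructed for this transcript, not code from the NAI Labs toolkit), the following Python simulation replicates an agent’s state across hosts as agentlets that carry a keyed digest, cross-checks them each monitoring round, regenerates a corrupted peer from the majority, and re-keys all replicas when obfuscation is refreshed. The Agentlet class, the host names and the keyed digest are assumptions that stand in for the real obfuscated code image.

```python
import hashlib
import hmac
import os
from collections import Counter


def digest(key: bytes, state: bytes) -> bytes:
    """Keyed digest of an agentlet's state (stand-in for the obfuscated code image)."""
    return hmac.new(key, state, hashlib.sha256).digest()


class Agentlet:
    """One replica of the agent, running on an (assumed) named host."""

    def __init__(self, host: str, state: bytes, key: bytes):
        self.host, self.state, self.key = host, state, key
        self.mac = digest(key, state)

    def self_consistent(self) -> bool:
        # A host that modified the state without knowing the key breaks this check.
        return hmac.compare_digest(self.mac, digest(self.key, self.state))


def monitor_and_recover(agentlets):
    """One monitoring round: agentlets cross-check each other and regenerate
    any corrupted peer from the majority state. Returns the repaired hosts."""
    good = [a for a in agentlets if a.self_consistent()]
    if not good:
        raise RuntimeError("every replica is corrupted; nothing to recover from")
    # A host that already extracted the key can forge the digest, so the
    # replicas also vote on the state: one lying host is outvoted by the
    # copies running on unrelated hosts.
    majority, _ = Counter(a.state for a in good).most_common(1)[0]
    repaired = []
    for a in agentlets:
        if not a.self_consistent() or a.state != majority:
            a.state, a.mac = majority, digest(a.key, majority)
            repaired.append(a.host)
    return repaired


def refresh_obfuscation(agentlets, new_key: bytes = b"") -> bytes:
    """Start the next protected period: re-key every replica so analysis a host
    completed on the old copies no longer applies (models re-obfuscation)."""
    new_key = new_key or os.urandom(16)
    for a in agentlets:
        a.key, a.mac = new_key, digest(new_key, a.state)
    return new_key
```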
Strategy
• New features and policy for existing agents.
• No source code required.
• Goal: no manual per-agent work required.
[Figure: Original (binary) agent + Obfuscating transform policy → transform tool → new binary agent (self-protecting), with Distribution Functions and Monitor/Recovery Functions added.]
Bird’s Eye View
[Figure: agentlets a, b, c, d are dispatched from the Originator Host (S) to a First Host Set, where they do useful work and re-obfuscate each other during Protected period 1; they then migrate to a Second Host Set for Protected period 2, and so on. Time runs downward.]
Applications of Obfuscation
• “Security through obscurity.” NOT!
• Long-lived resistance to analysis. NOT!
– But can increase cost of stealing.
  • DashO-Pro (www.preemptive.com)
  • Jcloak (www.force5.com)
  • Elixir (www.elixirtech.com)
  • RetroGuard (www.retrologic.com)
• Temporary resistance to analysis.
Obfuscation (trivial to not-so-trivial)
Kinds of Obfuscation:
– Layout Obfuscation
– Data Obfuscation
– Control Obfuscation
– Preventive Obfuscation
– Language-Breaking Obfuscation
Opaque Predicates
• Opaque predicate: A fact about a program’s state known at obfuscation time that is hard to determine from the code.
• Two basic manufacture techniques
– Exploit difficulty in alias analysis (proven NP-complete).
  • E.g., embed graph operations
– Exploit difficulty in concurrency.
  • E.g., embed threading
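An added illustration of the alias-analysis technique above (constructed here, not from the slides or the NAI Labs tools): two disjoint cyclic pointer structures G and H are built at obfuscation time, pointers walk through them at run time, and the predicate “g is not h” is therefore always true, yet a static analyser must prove the two heaps never share a node to know that. The Node class, make_ring, opaque_true and guarded_compute are names chosen for this example.

```python
import random


class Node:
    """Heap node of a pointer structure used only to manufacture the predicate."""
    __slots__ = ("label", "next")

    def __init__(self, label: str):
        self.label, self.next = label, None


def make_ring(prefix: str, n: int) -> Node:
    """Build a cyclic singly linked ring of n nodes and return its head."""
    nodes = [Node(f"{prefix}{i}") for i in range(n)]
    for i, node in enumerate(nodes):
        node.next = nodes[(i + 1) % n]  # cyclic, so a walk never runs off the end
    return nodes[0]


# Known at obfuscation time: G and H share no node. Nothing in the code says so.
G, H = make_ring("g", 5), make_ring("h", 7)


def opaque_true(steps=None) -> bool:
    """Opaque predicate P^T: true for every input, because G and H are disjoint;
    deciding that from the code alone requires precise alias analysis."""
    g, h = G, H
    for _ in range(steps if steps is not None else random.randrange(20)):
        g, h = g.next, h.next.next  # arbitrary walks that stay inside each ring
    return g is not h


def guarded_compute(x: int) -> int:
    """Original function was 'return x * 2'. The branch under the false arm
    is dead, but looks live to a reader or to naive data-flow analysis."""
    if opaque_true():
        return x * 2
    return x ^ 0x5A5A  # bogus code: never executed, present only to mislead


def check_opaqueness(trials: int = 1000) -> bool:
    """Obfuscation-time sanity check: the predicate must be invariant."""
    return all(opaque_true(random.randrange(100)) for _ in range(trials))
```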
Obfuscation “Strength”
• Potency: Difficulty for a human to reverse engineer. !(software engineering practices)
• Resilience: Difficulty of writing a tool to reverse the obfuscation.
• Cost: Space/time costs.
• Stealth: Ease of spotting obfuscation mechanisms. Ease of spying out the policy.
From Douglas Low’s thesis.
What We’ve Done So Far
• Surveyed obfuscation tools.
• Chose base technologies: Java, IBM Aglets, ANTLR.
• Developed an initial toolkit/testbed.
• Formulated a strategy to transfer technology.
• Developed initial tools:
– spi and spmod
• First incremental step in agent transformation.
Aglet System Architecture
• Aglets Runtime Layer
– Security Manager
– Cache Manager
– Persistence Manager
• Communications Layer – ATP, CORBA RMI etc.
[Figure: Aglet Architecture]
Aglet System Security Model
• Sandbox aglets to protect hosts.
• Server-server authentication.
• Signed aglets.
• Express agent preferences, to be honored by servers.
– Don’t run too long here.
– Restrict me (from calling specific methods, or accessing resources)!
Aglet Events     Methods (as the event occurs / after the event occurs)
Creation         onCreation
Cloning          onClone
Dispatching      onDispatching / onArrival
Retraction       onReverting / onArrival
Disposal         onDisposing
Deactivation     onDeactivating
Activation       onActivation
Messaging        handleMessage
Aglet Life Cycle
[Figure: Aglet life cycle, showing Create, Clone, Dispose, Dispatch (from Server A to Server B) and Retract, together with the Classes and Secondary Store an aglet depends on.]
Tool-based Approach
• Transformation plugs into life-cycle events.
– Therefore, transformation can be generic.
• No source code required.
• Often, no manual per-agent work required.
[Figure: Original (binary) agent + “donor” functions and variables (and maybe policy) + spma commands (policy) → Spmod tool → new binary agent (self-protecting).]
Demo
What “Policy” Means Here
• Obfuscation potency, resilience, stealth, cost.
• Self-monitoring granularity.
• Replication level.
• Non-collusion itinerary rules.
• Obfuscation refresh rate.
• Distribution of sensitive state.
• Phone-home / flee-home thresholds.
• And more...
Administrative Info (Milestones)
March 14, 2000   Start Date
Feb. 28, 2001    Policy Specification and Architecture Report
April 30, 2001   Prototype Distributed Agent Generation Tool
Nov. 15, 2001    Obfuscation Techniques Evaluation Report
March 15, 2002   Obfuscated Agentlet Prototype
Dec. 15, 2002    Distributed, Self-Healing Obfuscated Agentlet Prototype
Jan. 15, 2003    Final Report
March 15, 2003   End Date
Technology Transfer
• DARPA programs: Active Networks, systems such as Ultra Log.
• Open Source distribution.
• Java.
• Tool-based approach on binary files: no source needed!
• Explore application to NAI products that employ agents.
The End!