Self-Protecting Mobile Agents
Lee Badger
Brian Matt
Larry Spector
Doug Kilpatrick
Funded by both OASIS and Active Networks Programs
NAI Labs
14 Feb. 2001

Malicious Hosts Problem
• Mobile agents will need to execute on unfriendly hosts, but a host may:
  – modify an agent’s behavior
  – steal an agent’s secrets (if any)
  – deny execution
  – execute improperly
    • crash the agent
  – lie to an agent

Technical Objectives
• Protect software agents from tampering while allowing:
  – High mobility.
  – Detached operation.
  – Extended deployment periods.
  – Realistic infrastructure requirements.

Existing Practice
• Limit Mobility to Trusted Places
  – hardware peripherals, trusted hosts
• Detect Malicious Execution After it Happens
  – state appraisal (Farmer), detection objects (Meadows), cryptographic traces (Vigna), partial result authentication codes (Yee), fault-tolerance techniques (Schneider)
• Prevent Malicious Execution
  – encrypted functions (Sander, Bazzi), code/data obfuscation (Collberg, Low, Hohl, Wang)

Time-limited Black Box
Hohl, Fritz, “An Approach to Solve the Problem of Malicious Hosts”
• A host can deny execution, or lie, but it can’t disrupt the programs’ internal consistency for n seconds.
• Can this temporary protection be leveraged into ongoing protection?
[Figure labels: Source Code; Policy; A; Obfuscation Transform; Obfuscated Source code; Run for n seconds; Stop.]

Technical Approach (in a nutshell)
[Figure: Traditional Agent (one agent on one Host) beside Self-Protecting Agent (agentlet 1, agentlet 2, agentlet 3, ..., agentlet N, each on its own Host)]
• Distribution: replicate agents across multiple, unrelated hosts.
  – Present a moving target
• Monitoring/Recovery: regenerate corrupted “agentlets.”
• Code/data Obfuscation: prevent host-based analysis
  – Refresh obfuscation before analysis can be completed

Strategy
• New features and policy for existing agents.
• No source code required.
• Goal: no manual per-agent work required.
[Figure labels: Original (binary) agent; Obfuscating transform policy; Distribution Functions; Monitor/Recovery Functions; transform tool; new binary agent (self-protecting)]

Bird’s Eye View
[Figure: migration over time. Agentlets a, b, c, d are dispatched from the Originator Host (S) to the First Host Set and then to the Second Host Set. Labels: Useful work; Agentlets re-obfuscate each other; Agentlets dispatched; Migration; time; Protected period 1; Protected period 2]

Applications of Obfuscation
• “Security through obscurity.” NOT!
• Long-lived resistance to analysis. NOT!
  – But can increase cost of stealing.
    • DashO-Pro (www.preemptive.com)
    • Jcloak (www.force5.com)
    • Elixir (www.elixirtech.com)
    • RetroGuard (www.retrologic.com)
• Temporary resistance to analysis.

Obfuscation (trivial to not-so-trivial)
Kinds of Obfuscation
• Layout Obfuscation
• Data Obfuscation
• Control Obfuscation
• Preventive Obfuscation
• Language-Breaking Obfuscation

Opaque Predicates
• Opaque predicate: A fact about a program’s state known at obfuscation time that is hard to determine from the code.
• Two basic manufacture techniques
  – Exploit difficulty in alias analysis (proven NP-complete).
    • E.g., embed graph operations
  – Exploit difficulty in concurrency.
    • E.g., embed threading
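An added example, not from the original slides or the NAI Labs toolkit: a Java sketch of the alias-analysis technique, where embedded graph operations maintain an invariant that only the obfuscator knows. The class and method names (OpaquePredicateDemo, churn, opaquelyFalse, guardedSum), the seed and the sample data are all assumptions made for illustration.

```java
import java.util.Random;

// Added illustration (not NAI Labs code): an alias-based opaque predicate.
public class OpaquePredicateDemo {
    static final class Node { Node next; }

    private final Random rnd;
    private Node f, g;   // invariant: f and g live on two disjoint rings

    OpaquePredicateDemo(long seed) {
        rnd = new Random(seed);
        f = ring(3 + rnd.nextInt(5));
        g = ring(3 + rnd.nextInt(5));
    }

    // Build a circular singly linked list of n freshly allocated nodes.
    private static Node ring(int n) {
        Node head = new Node(), cur = head;
        for (int i = 1; i < n; i++) { cur.next = new Node(); cur = cur.next; }
        cur.next = head;              // close the cycle
        return head;
    }

    // Heap churn that keeps the invariant: each pointer only moves along its
    // own ring, and a new node is spliced into one ring, never linked across.
    private void churn() {
        for (int i = rnd.nextInt(4); i > 0; i--) f = f.next;
        for (int i = rnd.nextInt(4); i > 0; i--) g = g.next;
        Node fresh = new Node();
        Node at = rnd.nextBoolean() ? f : g;
        fresh.next = at.next;
        at.next = fresh;
    }

    // Opaquely false: f != g holds by construction, but proving it from the
    // code alone means answering a may-alias query over a mutating heap.
    boolean opaquelyFalse() { churn(); return f == g; }

    // Real logic (a plain sum) guarded by the predicate; the "true" arm is a
    // decoy branch that never executes.
    int guardedSum(int[] data) {
        int sum = 0;
        for (int v : data) {
            if (opaquelyFalse()) sum ^= v << 3; else sum += v;
        }
        return sum;
    }

    public static void main(String[] args) {
        int[] data = {4, 8, 15, 16, 23, 42};   // constructed sample input
        System.out.println(new OpaquePredicateDemo(2001L).guardedSum(data));
    }
}
```

Because the decoy arm is unreachable, guardedSum returns the same value as an unguarded loop for any seed; the graph operations only add analysis cost, which is the potency/cost trade-off the deck goes on to discuss.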

Obfuscation “Strength”
• Potency: Difficulty for a human to reverse engineer. !(software engineering practices)
• Resilience: Difficulty of writing a tool to reverse the obfuscation.
• Cost: Space/time costs.
• Stealth: Ease of spotting obfuscation mechanisms. Ease of spying out the policy.
From Douglas Low’s thesis.

What We’ve Done So Far
• Surveyed obfuscation tools.
• Chose base technologies: Java, IBM Aglets, ANTLR.
• Developed an initial toolkit/testbed.
• Formulated a strategy to transfer technology.
• Developed initial tools:
  – spi and spmod
• First incremental step in agent transformation.

Aglet System Architecture
[Figure: Aglet Architecture]
• Aglets Runtime Layer
  – Security Manager
  – Cache Manager
  – Persistence Manager
• Communications Layer
  – ATP, CORBA, RMI, etc.

Aglet System Security Model
• Sandbox aglets to protect hosts.
• Server-server authentication.
• Signed aglets.
• Express agent preferences, to be honored by servers.
  – Don’t run too long here.
  – Restrict me (from calling specific methods, or accessing resources)!

Aglet Life Cycle
[Figure: two Aglets on Server A and Server B, with Classes and a Secondary Store. Transitions: Create, Clone, Dispatch, Retract, Dispose]

| Aglet Events | Methods: as the event occurs | Methods: after the event occurs |
|--------------|------------------------------|---------------------------------|
| Creation     |                              | onCreation                      |
| Cloning      |                              | onClone                         |
| Dispatching  | onDispatching                | onArrival                       |
| Retraction   | onReverting                  | onArrival                       |
| Disposal     | onDisposing                  |                                 |
| Deactivation | onDeactivating               |                                 |
| Activation   |                              | onActivation                    |
| Messaging    | handleMessage                |                                 |

Tool-based Approach
• Transformation plugs into life-cycle events.
  – Therefore, transformation can be generic.
• No source code required.
• Often, no manual per-agent work required.
[Figure labels: Original (binary) agent; spma commands (policy); “doner” functions, and variables (and maybe policy); Spmod tool; new binary agent (self-protecting)]

Demo

What “Policy” Means Here
• Obfuscation potency, resilience, stealth, cost.
• Self-monitoring granularity.
• Replication level.
• Non-collusion itinerary rules.
• Obfuscation refresh rate.
• Distribution of sensitive state.
• Phone-home flee-home thresholds.
• And more...

Administrative Info (Milestones)
• March 14, 2000: Start Date
• Feb. 28, 2001: Policy Specification and Architecture Report
• April 30, 2001: Prototype Distributed Agent Generation Tool
• Nov. 15, 2001: Obfuscation Techniques Evaluation Report
• March 15, 2002: Obfuscated Agentlet Prototype
• Dec. 15, 2002: Distributed, Self-Healing Obfuscated Agentlet Prototype
• Jan. 15, 2003: Final Report
• March 15, 2003: End Date

Technology Transfer
• DARPA programs: Active Networks, systems such as Ultra Log.
• Open Source distribution.
• Java.
• Tool-based approach on binary files: no source needed!
• Explore application to NAI products that employ agents.

The End!