Monotonicity and Partial Results Protection for Mobile Agents(cid:0) BennetYee† September20, 2002 Abstract Remotelyexecutingmobilecodeintroducesaplethoraofsecurityproblems. Thispaperexaminesthe“external agentreplay”attack,identifiesthenotionofone-wayprogramstatetransitions,describestheuseofmonotonicvari- ablesasapracticalmethodfordetectingtheseattacks,examinesthemoregeneralproblemstatemodificationattacks, andintroducestheuseof“resultsverificationvectors”toprotectagentsfromattack. 1 Introduction and Motivation Whiletheremoteexecutionofcodeeliminatesmostofthecommunicationslatencyduetomultiplemessageround- trips needed for repeated, possibly long distance/high latency RPCs, its attraction is greatly diminished by critical security needs: without knowing whether malicious servers have subverted the remote computation or have spied on the agent, howcan users trust the obtained results? Though recent theoretical advances [2, 8] show that remote execution can be efficiently verified in principle, the need for reductions via Cook’s theorem makes their practical infeasibilityobvious. Mobileagents—aformofmobilecode—arevulnerabletoattackfromtheserversuponwhichtheyrun.Adishon- estservercansubvertamobileagent’sexecutioninmanyways. Justasaservercanlietoclientprogramsinresponse toanRPCrequest,agentserversuponwhichmobileagentsruncanlietoagentsinresponsetoservicerequests.Agent serverscandomuchmorethansimplylietoagents,however,andthismakesthemobileagentsecurityproblemmuch moreinterestinganddifficult.1 Anagentserverisapowerfuladversary: itcanexaminetheinternalstateofamobile agent,itcanalterthatstate,itcanevensubverttheagent’sexecutiononaninstruction-by-instructionbasis. (Note,of (cid:1) ThisresearchwasfundedinpartbytheNationalScienceFoundation,CAREERAwardCCR-9734243; andtheOfficeofNavalResearch, AwardN00014-01-1-0981. †UniversityofCalifornia,[email protected] 1IftheagentmerelymigratedtoanagentserverlocatednearertheRPCservicetolowerlatencycosts,theRPCservermightbehonestbuthave itsmessagessubvertedbytheagentserver. 1 course,thatthestatemaybeencryptedorotherwiseprotected,sotheservermaynot“understand”theinternalstateor knowhowtomodifyitprofitably.)Indeed,theservercanchoosetonotruntheagentatall,butinsteadmakechanges totheagent’sstateinamannernotprescribedbytheagent’scode,orcreateanewstateoutofthinairandpassitto thenextserverasifitwerelegitimatelycomputed. When an agent migrates among the hosts in its itinerary, it may carry data—results derived while executing on earlier servers—into a dishonest server where that data is maliciously modified prior to being carried out to other normal,honestservers. Ofcourse,ingeneralwedonotknowwhichoftheserverswereactuallydishonest,andone armofamulti-prongedmobileagentsecuritydefenseistoenablethedetectionofsuchmodifications. In this paper, we examine the state modification de- tection problem introduced and addressed in earlier works Client [12, 32, 17, 33, 24], define two classes of agent replay at- Home Server tacks and describe how such replay attacks can invalidate cryptographicprotocolsdesignedforprotectingtheresultsof partialcomputations,examinethegeneralnotionofone-way (a)RPCsrequiremanyroundtrips state transitions and focus on how it can be used to protect autonomousmulti-hopagents,inparticular,againstagentre- Client Client play attacks. (We do not, however, address the question of Home Server serverslyingtoagents.) The next section describes the state modification attack. (b)Migrationhasonlyoneroundtrip Next, Section 3 explains the one-way state transition ap- Figure1: RPCversusmigration. proachforprotectingmulti-hopagentsandanalyzesitssecu- Whenanagentmigratestoaserver,theRPCsbecome rity properties. We discussthe use offorwardsecuresigna- localrequestsanddonotexperiencelargenetworkla- turestoprotectpartialresultsinSection4,andthenexamine tencies. an alternative means of protecting partial results—a results verification vector—which provides security even when there are multiple colluding hosts in an agent’s itinerary. Section 6 explains the earlier approaches to detecting state modifications, discusses their drawbacks when multiple maliciousserversareinvolved,andexaminesothersecuritytechniquesthatfitintotheone-waystatetransitionframe- work. Section7concludeswithasummaryandsomefuturedirections. 2 2 Agent Model and State Modificaton Attacks Mobileagentsautonomouslymigratetoremoteserversandperformsomecomputationsateachserver. Inourmodel, theprimaryreasonformigrationistoimprovecommunicationefficiencybyco-locatingthecomputationwithsomere- sourcethatisavailableateachofthetargetservers.Withoutmigration,repeatedremoteaccessestothatresourcewould haveresultedinmultipleRPCsandmultiplerequest/responseroundtrips—insteadofpayingforthecommunications latency many times, agent migration enables efficient, low latency accesses at the cost of a single communications roundtripdelay.Figure1showsthelong-distanceroundtripreductionofusingmigrationoverRPCs. We assume that distributed computation exhibit remote resource access locality—each of many remote resource is Server 2 Server 3 accessed repeatedly and in different phases of the computa- tion. This motivatesthe use of agentsthat have a migration Server 1 Server 4 itinerary,alistofserversthatitvisitsinturn. Figure2illus- tratesanagentthatvisitssixservers. Server 6 Server 5 When an autonomous agent migrates to a server, it car- Home ries with it the results of computation performed at earlier servers,andperformsqueriestosomeresourcecontrolledby Figure2:Migratingagentsvisitseveralserversinturn. theserverwhileitisthere. Wemodelthisasfollows.Lety i0 (cid:0) bethestatethatisinputtoserverS.Basedonthatstate,theagentcodegeneratesaqueryq (cid:1)y totheserverresource i i i0 (cid:0) (cid:2) R. Theserver’sresponseisx R (cid:1)q (cid:1)y . Theagentcodecomputesthenextstate,y f (cid:1)x y . Ifadditional i i1 i i i0 i1 i i1 i0 (cid:0) (cid:3) (cid:0) (cid:2)(cid:4)(cid:2) (cid:0) (cid:3) (cid:0) (cid:5) (cid:0) (cid:2) resource queries are desired, the agent generates q (cid:1)y , obtains response x R (cid:1)q (cid:1)y , and computes a next i i1 i2 i i i1 (cid:0) (cid:2) (cid:0) (cid:3) (cid:0) (cid:2)(cid:4)(cid:2) statey f (cid:1)x y ,andsoon. Afterk queries,theagentcodedecidesthatnofurtherqueriesareneeded(q (cid:1)y i2 i i2 i1 i i iki (cid:0) (cid:3) (cid:0) (cid:5) (cid:0) (cid:2) (cid:0) (cid:2) returns a special stop symbol “ ”) and f is applied one last time, and the resulting state y y f (cid:1) y is (cid:6) i i (cid:3) i(cid:0)ki(cid:7) 1 (cid:3) i (cid:6) (cid:5) i(cid:0)ki(cid:2) senttothenextserveraspartoftheagentmigration.2 (Notethatk 0ispossible,inwhichcasetheagentissimply i (cid:3) usingcomputecyclesontheserver.) Wedenotebyy y theagent’sinitialstate. Figure3showsthisprocessin 0 10 (cid:3) (cid:0) aschematicfashion. Wethinkofy astheagent’sstateaftervisitingserverS;itcontainsthe(partial)resultsderived i i therewhichmaybeusedasinputstolatercomputationsdoneatthenextorsubsequentservers.Iftheserverishostile, itmayreadorwritetheagent’smemoryarbitrarily—modifyy, orthefunctionsq,or f. Ofcourse, theservermay i i i notunderstandwhatitreadsorwrites,e.g.,ifthememorycontainsencryptedvalues,anditsmodificationsmightbe detectedlater. This would be thecase if thememoryvalues arecryptographicallyauthenticatedusing digitalsigna- 2Wecancollapsethemultipleroundsofqueriestooneifthequeriescanincludefunctionalvalues(orTuringmachineencodings)asquery parameters;thiswouldsimplifythenotationbyusingaformofmobilecode(!),butobscurestheprocess. 3 turesorpartialresultsauthenticationcodes(PRACs)[32,6,25]associatedwiththem.InSections4and5,wewillsee severalproposedcryptographictechniquesthataimtoprotectthesepartialresults. ... yi,j fi yi,j+1 fi ... yi,ki fi qi Ri qi Ri qi yi+1,0 fi+1 yi+1,1 fi+1 ... q R q R i+1 i+1 i+1 i+1 Figure3: Multi-hopAgentComputationModel Inadditiontobeingmulti-hop,theagentmakesmultipleroundsofqueriestotheserver-sideresourcesoneachserver. Hereeachrowofcomputationisperformedonadifferentserver. (cid:1)(cid:0) Notethat in thismodel, anagentserverdoes nothaveto compromisetheresource (R(cid:1) )in order tosubvertthe (cid:2) agent’s computation. Indeed, the agent server and the resource may be embodied in machines that are physically locatedneareachother(andsolowlatencyRPCsarepossiblebetweenthem)butindifferentadministrativedomains andtheRPCservicemayverywellbehonest.ToobtaintheeffectoftheRPCservicelyingtotheagent,theagentserver (cid:2)(cid:0) (cid:3) (cid:3) cansubvertthequeryinput,i.e.,subvertingq(cid:1) sothattheobtainedansweristoadifferentquery:x R (cid:1)q (cid:1)y , i j i i i j(cid:4) 1 (cid:2) (cid:0) (cid:3) (cid:0) (cid:2)(cid:4)(cid:2) (cid:3) orsubvertthecomputationofthenextstatey f (cid:1)x y fromthecorrectresourceresponsex R (cid:1)q (cid:1)y . i j i i j i j(cid:4) 1 i j i i i j(cid:4) 1 (cid:0) (cid:3) (cid:0) (cid:5) (cid:0) (cid:2) (cid:0) (cid:3) (cid:0) (cid:2)(cid:4)(cid:2) Generallywewillassumethattheimplementationsofq and f areimmutablecodethatiscryptographicallysigned i i bytheagent’sauthororowner,sowhiletheirexecutionmaybesubvertedonadishonestserver,anycodesubversion cannotpersisttohonestservers—butthemutablestatey issubjecttoattack.IntheSanctuarysecuritymodel[14],an i agent’scodeandtheinitialconfigurationy arecryptographicallysignedbytheagent’sowner,andchangestoeither 0 would be detectedwhenthe agentarrivesatan honestserver. The signedconfigurationistypically carried with the agent to later servers, where the agentcode will use the configuration to guide—and limit—its actions. We are not concernedwiththeconfigurationinthispaper,sowewillleaveitembeddediny alongwithwhateverauthenticators i areused. 4 2.1 Agent ReplayAttacks 2.1.1 AgentMigrationModels Mobileagentsystemsmayimplement“strongmigration”or“weakmigration”. Inessence,strongmigrationsystems allow agents to migrate mid-computation—the “place” of the computation (see Section 3.1) is changed as a side- effectofsomesystemrequest,andtheentireagentinternalstate(possiblyexcludingexternalreferences)ismovedto thenewmachine. Inweakmigrationsystems,the agentsarerestartedfromscratchonthenewserverwithdifferent initializationmessages;theagentprogrammersmusttakecaretocreatetheappropriateinitializationmessagessothe nextincarnationoftheagentwillcontinuefromwherethepreviousincarnationleftoff. Witheitherformofmigration,theagentsystemimplementsmigrationbytransmittingtheagents’executionstate. Instrongmigrationsystemsthisstateisautomaticallyextractedbythesystem;inweakmigrationsystemstheexplicit state extraction is the duty of the agent programmer. The extracted state is then sent to the destination host as a parameterofthemigrationrequest. 2.1.2 AgentMigrationandReplay Serversreceivethe stateofthe migratingagent—abstractlya closureinthe strong migrationmodel—performsome computation, and that computation generates the “next state”—another closure—to be passed to the next server in the agent’s itinerary. The message containing the agent state, whether a closure or a hand-crafted representation of the agent’s state, exists in some I/O buffer. Servers are free to copy its value, in essence checkpointing the agent. Becausetheabilitytocheckpointandrestoreagentstateisinherentinmobileagentsystems,maliciousservershave theabilitytorerunanagentanarbitrarynumberoftimes. Whilewewouldliketobeabletoprovideagentswith“at most once” execution semantics for executing on servers occuring only once in the agents’ itinerary, the ease with whichcheckpointsareusedwouldseemtomakethisimpossible. Thererunningofagentsisanalogoustomessagereplayattacksthatoccurinthecommunicationssecuritycontext. Replaycanoccurevenifthemaliciousserverperformsnocodeanalysis,justasanattackerinthenetworkcanreplay interceptedmessagesevenifthemessagesareencrypted. Innetworking,“timetolive”fields, sequencenumbers,or noncesareusedtodetectandeliminateduplicatemessages. Wewillseebelow(Section3)asecureagentduplication detectionmechanismthatexpandsontheseconcepts. Wedivideagentreplayattacksintotwoclasses: internalagentreplayattacksandexternalagentreplayattacks. 2.1.3 InternalAgentReplayAttack 5 Wedefineaninternalagentreplayattacktooccurwhenadis- Replay! honestserverS repeatedlyrunsanagentwithdifferentquery i Server 2 Server 3 (cid:3) requests qi(cid:1)yi j(cid:4) 1 0 (cid:0) j (cid:0) ki to obtain favorable responses (cid:0) (cid:2) (cid:5) (cid:3) (cid:3) x R (cid:1)q (cid:1)y orwithmodificationstotheagent’snext- i j i i i j(cid:4) 1 (cid:0) (cid:3) (cid:0) (cid:2) (cid:3) Server 1 Server 4 state computation y f (cid:1)x y until the output state i j i i j i j(cid:4) 1 (cid:0) (cid:3) (cid:0) (cid:5) (cid:0) (cid:2) variable yi j 0 (cid:0) j ki satisfies some desirability predicate (cid:0) (cid:5) (cid:1) Server 6 Server 5 d(cid:1)y ,i.e.,theservercanevolveitsattackuntilasatisfactory i j (cid:0) (cid:2) Home outputstatey isobtained. Runsoftheagentwithunsatis- iki (cid:0) factoryoutputstatesaresimplydiscarded.Figure4illustrates Figure4: InternalAgentReplayAttack this attack. Note that only onedishonest server is involved, andtherearenoexternallyobservableeventsthatoccurwhichwouldmakeinternalreplaysobservable. Agentscannot “remember” having ranbefore on the dishonestserver: in resettingthe agent to its earlierarrival statetheserveralsowipesoutallmemoryofpreviousruns. Whatevermemoryisusedtoholdthisstateinformation mustthereforebeexternaltotheagent,andindeedexternaltothedishonestserver. Onemightimaginethatanagent canprevent—ordetect—internalagentreplayattacksbystoringinsomesecureexternalmemorythatexecutionhas commencedandabortingifthisisnotthefirstandonlytimethatthishasoccurred.Withoutobfuscatedcode,however, the dishonest server can alter the execution of agent—e.g., by temporarily modifying the agent’s code—so that the checksoftheexternalmemoryvaluesarebypassed. (cid:1)(cid:0) (cid:1)(cid:0) Note that S does not need to “understand” q (cid:1) or f (cid:1) ; it merely needs to be able to compute the desirability i i i (cid:2) (cid:2) (cid:2)(cid:0) predicate d(cid:1) to mount thisattack. Generally, code obfuscation is impossible[4], though perhaps obfuscating very (cid:2) restrictedyetusefulclassesoffunctionsisstillpossible.Currentlyonlyverylimitedclassesoffunctionsareknownto work[27]. Internal agentreplay attacks only makessense for the dishonestserver if the servercan compute its desirability predicate. Thismeansthatiftheresultofthecomputationisencryptedsomehow(e.g.,[8]),serverswouldbeunable (cid:2)(cid:0) to computed(cid:1) onthe agentstateto gain(probabilistic) advantageoverhonestly runningthe agent. The encrypted (cid:2) function schemes proposed thus far, however, impose heavy performance penalties and are impractical. Practically speaking,then,internalreplayattacksseemimpossibletopreventordetect. 2.1.4 ExternalAgentReplayAttack We define an external agent replay attack to occur when two or more dishonest servers repeatedly run an agent— throughoneormorehonestserversbetweenthem—untiltheoutputstatevariablesatisfiessomedesirabilityproperty. 6 Figure5illustratesthisprocess.Notethatthecaseoftwoormoreadjacentcolludingdishonestservers—e.g.,withno honestserversbetweenthemintheagentsitinerary—maybeanalyzedbyessentiallycollapsingthedishonestserver nodesintoone,i.e.,treatingtherunofdishonestserversasasingledishonestserver. Thiskindofattackisessentially aninternalreplayattackandisthusimpossibletodetect. Forexternalreplaysthatinvolveoneormoreintermediate honest server, the situation is not as bleak. We will see in Server 2 Server 3 Section 3 solutions where the bracketedhonestserver helps indetectingexternalagentreplayattacks. Server 1 Server 4 Replay! 2.2 State Modification Server 6 Server 5 Supposetheattackerunderstandstheagent’scodeordatalay- Home out. Suchanattackermay,inprinciple,bemerelyintercept- ingandmodifyingmessagesinthenetwork,orshemaybea Figure5: ExternalAgentReplayAttack maliciousserver that is in an agent’sitinerary. Here, know- ing the agent’scodeor data layout is analogousto knowing partialinformationabouttheplaintextthatcorrespondtoencryptedmessages,andtheabilitytochangethatstatecorre- spondstothe“malleability”oftheencryptedmessage[11]. Securemobileagentsystemstransfertheagentstateover encryptedandauthenticatedchannels[26,32],soanattackerwithonlynetworkaccessshouldbeunabletomodifya migratingagent’sstate. Theremainingthreatiscompromisedordishonestagentservers. Sincecodeobfuscationis,ingeneral,impossi- ble[4]andsecureremotecomputationbyreductiontocircuits[8]appearstobetooexpensive,wewouldliketofind alternativepracticalmethodsforprotectingamulti-hopagent’sexecution. First,letusdescribeasimpleprototypical attackscenario. Figure6sketchesthecodeofanagentwhichobtainsacommandwhileononeserverforittoperform oneoftwoactionswhenatalaterserver. WhiletheagentisrunningonServer,itobtainsadditionalconfigurationinstructions,perhapsinteractivelyfrom 1 itsuser,onwhatto dolaterwhenonServer. Thedecision(orthedatarequiredtomakethedecision)isembedded k in the statey1,y2, ... etc carried to later servers, but to highlight it we separate it out as an extra boolean variable searchOrDelete. The threat, of course, is that an intermediate server betweenServer andServer is untrustworthy, 1 k andcanalterthebooleanflagsearchOrDelete. Notethatsanitychecksondatastructuressuchasstateappraisal[12] cannot possibly detect if data values—e.g., thesearchOrDeleteflag—has been changed. Furthermore, those partial resultsauthenticationcodeswhichrequireencryptingtheresults[25]wouldmakesearchOrDeleteunavailableforuse 7 Agent(Statey ) in migrate(Server1); x=R(query(y ));//Server istrusted in 1 searchOrDelete=predicate(x); y =f(x,y ); 1 in migrate(Server2); ... /*booleansearchOrDeletemodified? */ migrate(Serverk); if(searchOrDelete) result=findAllFilesContaining(g(y )); in else result=deleteAllFilesContaining(g(y )); in Figure6: Agentflag: Place-Of-SetversusPlace-Of-Usevulnerability SpaceofpossiblefutureexecutionshouldbeconstrainedwhentheflagsearchOrDeleteisset. Sincetheflagissetat adifferentserverfromwhentheflagisused,intermediatedishonestservershavetheopportunitytochangeitsvalue inappropriately.Declaringvariablefinaldoesnothelp. atalaterserver.Wewillrevisitthisscenariowhenwediscussourproposedsolutions. 3 One-Way State Transitions and Monotonicity One way to look at the agent replay attacks is that we wish to enforce state transition—and time—monotonicity. This isa diametricallyoppositegoal tothat usuallyencounteredin distributedsystemswherethe abilityto rollback computationisoftendesirable[16]. Withexternalagentreplayattacks,wedetectwhenadishonestserverrollsback anagentandgenerateanappropriateerror. Thekeyobservationinpreventingthereplayofmobileagentsovertheiritinerarybymaliciousserversisthatagents cannotdependonstatethattheycarry.Agentstateissubjecttothecontrolofmaliciousservers:thereplayingmalicious servercanobviouslyresettheagentstatetoanearlierobservedone,evenifovertstatetamperingisimpossibledueto carefulsanitychecking,stateappraisal,orhavingtheagentcomputewithencryptedvalues. Ifanagentcannotrelyonitsownrecordofwhathasoccurred,whatcanitrelyon? Someexternallymaintained state is needed. We can rely on an outside party accessed via the network (when the agent is running on an honest server, at least; see Section 6.1.2), or we can rely on the honest servers on the replayed itinerary to maintain state. The former case uses a model similar to that in the cooperating agents idea [22, 23], but uses it to solve a slightly different problem: we detect inconsistent agent internal state transitions, rather than just deviations from the agent itinerary or inconsistent final results after computing in disjoint sets of possibly dishonest host. Furthermore, it is immaterial whether we use a trusted server rather than another agent. In a distributed system where high speed 8 systemsmakecommunicationscostadominantfactorinthejob’stimetocompletion,schemessuchasthelatterone avoidsadditionalcommunicationsstepsandthusismoredesirable. Beforewediscussthesetwoapproachesinmore detail,wefirstdefinewhatwemeanbyaone-waystatetransition. 3.1 Notation InordertoanalyzewhathappensinmobileprogramssuchasthatinFigure6,wemustuseaslightlymoreconcrete (cid:1)(cid:0) (cid:0) abstractionofanagentprogram’sexecution. Insteadofconsistingofmonolithicnextstatefunctions f (cid:1) ,wemust i (cid:5) (cid:2) useamodelthatcanincorporatenotionsofregisters,programcounters,andmemorycontentswrappedtogetherina statevariable. Whileweonlyinformallydescribetheagent’scomputationbelow,howtodescribeitinformalmodels suchasTuringmachinesortheRAMmodelshouldbeclear. Theagent—executingmobile program—consistsofaninternal stateanda placeorlocationwhereitisrunning. Weassumethatthemigrationprocessmerelychangestheplace;theinternalstateispreserved. Wethinkoftheplace asrepresentingpropertiesofwheretheagentisrunning,includingthenamespacesinwhichexternalresourcenames are resolved. The internal stateconsists ofvalues—memorycontents—soall externalresources are manipulatedby name. Thestatetransitionsthatweareconcernedwitharethosethatinvolvechangestothemobileagent’sinternalstate. First,wedefinethestatetransitiongraph. Definition1 AstatetransitiongraphisagraphG (cid:1)V E whereV s:sisaprogramstate and(cid:1)s t E V V, (cid:3) (cid:5) (cid:2) (cid:3)(cid:1)(cid:0) (cid:2) (cid:5) (cid:2)(cid:4)(cid:3) (cid:5) (cid:6) andthereisatransitionfromstatestot insomeexecutionoftheprogram. A state transition (cid:1)s t E occurs whenever there is a state change, e.g., control flow transfer, an ALU operation, (cid:5) (cid:2)(cid:7)(cid:3) or memory modification, that occurs from s to t due to the execution of a single instruction in some execution of the mobile agent’s code. At a fine enough granularity, even a noop causes a state transition, since the program countervaluechanges. Wearedeliberatelyimpreciseaboutthegranularityofthestatesinthismodel,sinceitwillbe convenienttousethisnotationatdifferentlevelsofabstractionofthemobileagentexecution. Definition2 A path exists from s tot, denoted s t, when there exists j 0 n where s s, s t, and i 0 n (cid:8) (cid:3) (cid:5)(cid:10)(cid:9)(cid:10)(cid:9)(cid:11)(cid:9)(cid:4)(cid:5) (cid:3) (cid:3) (cid:12) (cid:3) 0 n 1: (cid:1)s s E. i i 1 (cid:5)(cid:11)(cid:9)(cid:10)(cid:9)(cid:11)(cid:9)(cid:4)(cid:5) (cid:13) (cid:5) (cid:7) (cid:2)(cid:14)(cid:3) Whens t,wealsosaythatt isreachablefroms. Whennopathexists(ors t),wesaythatt isunreachablefrom (cid:8) (cid:8)(cid:15) s. Definition3 Aone-waystatetransitionexistsfromstot if (cid:1)s t E andt s. Wedenotethisbys t. (cid:5) (cid:2)(cid:14)(cid:3) (cid:8)(cid:15) (cid:16) 9 One-way state transitions are interesting to us because their occurence implies an irreversable state change in the (mobile)program—theagententersaportionofthestatespacefromwhichitshouldneverescape. Intheexampleof Figure6,oncesearchOrDeleteissetbyevaluatingpredicate(cid:1)x ,itsvaluedoesnotchangeandwhattheagentwilldo (cid:2) onServer shouldbefixed. k Definition4 Astatexisinconsistentwithaone-waystatetransitions t ift x. (cid:16) (cid:8)(cid:15) (cid:3) (cid:3) (cid:3) Definition5 Aone-waystatetransitions t isinconsistentwithasecondone-waystatetransitions t ift t . (cid:16) (cid:16) (cid:8)(cid:15) (cid:3) (cid:3) (cid:3) (cid:3) Definition6 Twoone-waystatetransitionss t ands t aremutuallyinconsistentift t andt t. (cid:16) (cid:16) (cid:8)(cid:15) (cid:8)(cid:15) 3.2 ExternalState TransitionVerification By using a program running on an external machine or a secure coprocessor [31] to monitor the execution state transitions,wecandetectexternalagentreplayandsomestatemodificationattacks. Thisexternalprogrammaybea standardserviceavailableatmany(orall)serversoranother(cooperating/monitoring)agent. The idea here is that the remote service implements a state transition inconsistency detection (STID) algorithm, which records and monitors one-way state transitions that occur during the execution of the agent. As the agent programmakesstatetransitions,messagesaresenttothemonitor,whichthencanraiseanalarmifanyinconsistencies aredetected. Foreachagentinstance(id),thedetectormaintainsamonotonicbitbs t 0 1 associatedwitheveryone-way (cid:0) (cid:3) (cid:0) (cid:5) (cid:2) statetransitions t intheagent’scode: (cid:16) Whentheagentstarts,allthebitsarecreatedandcleared. (cid:1) Whentheagentreportsthats t hasoccurred,welookforstatetransitioninconsistencies: (cid:1) (cid:16) – Examineb . Ifitisalreadysetthenanagentreplayattackhasbeendetected. s t (cid:0) (cid:3) (cid:3) – Examine allbits b wheres t isinconsistent with s t . If anyare set, thena statemodification s(cid:2) t(cid:2) (cid:0) (cid:16) (cid:16) attackhasbeendetected. Ifnoattackisdetected,setb . (cid:1) s t (cid:0) Thesalientpropertyisthattheseone-waystatetransitionmonitoringbitsaremonotonic: onceset,theycanneverbe cleared. Themonotonicityoftheirvaluemirrortheone-waynatureofthestatetransition. InorderforSTIDtocorrectlydetectinconsistencies,theagentmustbeproperlyauthenticated.Sinceagentscannot efficientlyusecryptographickeysonaserverwithoutthatserveralsogainingunfetteredaccesstothosekeys,notethat 10
Description: