Security in Large-Scale Open Distributed Multi-Agent Systems 107 Security in Large-Scale Open Distributed Multi-Agent Systems 06 Security in Large-Scale Open M.A. Oey, M.Warnier and F.M.T. Brazier Distributed Multi-Agent Systems M.A.Oey,M.WarnierandF.M.T.Brazier DelftUniversityofTechnology TheNetherlands 1. Introduction Designing large-scale distributed multi-agent systems that operate in open environments, suchastheInternet,createsnewchallenges,especiallywithrespecttosecurityissues.Agents are autonomous, pro-active, communicative, goal-directed, often capable of learning, and sometimes mobile (8). Mobile agents traverse the network to access services and resources theyneedtoachievethegoalstheypursue. Thepotentialofmobileagenttechnologyinsec- torssuchasE-Commerce(17;18),E-Health(29)andE-Governance(10;52)iswellrecognized. Inthesesectors,securityissuessuchasauthentication,authorization,privacy,andcopyright areofutmostimportance.Dataaccesscontrolismandatory:bymovingagentstothelocation atwhichdataisstored,dataaccessandprocessingcanbedonelocallyandcontrolled. Manysecurityrequirementsneedtobeaddressedforlarge-scaledistributedmulti-agentsys- temsinopenenvironments. Thefocusofthischapterliesonsecurityrequirementsspecific foragentsystemsratherthansecurityrequirementsfordistributedcomputersystemsingen- eral. Section2identifiesthemostrelevantsecurityrequirementsforagentsystems. Thisset ofrequirementsisaminimumthatneedstobefulfilledforsecureagentsystemsinopenen- vironments. Sections3through7discussthesecurityrequirementsandpossiblesolutionsin detail. ThesolutionsareillustratedwithinthecontextoftheAgentScape(20)agentplatform. Thisplatformhasbeenchosenasithasbeenspeciallydesignedtobeusedinalarge-scale, distributed,openenvironment.However,similarimplementationsofthesesolutionsarepos- sibleinotheragentplatforms. The chapter closes with an overview of a number of well-known agent platforms, such as AgentScape (20), Ajanta (23), SeMoA (41), and JADE (5) with its security extensions JADE- S(34)andS-Agent(16).Thediscussionfocusesonwhattechniquestheseagentsystemshave usedtosolvesomeofthediscussedsecurityrequirements. 2. SecurityIssuesinAgentSystems Anagentsystem, aspecifictypeofdistributedcomputersystem, needstoaddressnotonly securityrequirementsrelatedtodistributedcomputersystems, butalsomulti-agentsystem specificsecurityrequirements.Thissectionidentifiesaminimumsetofsecurityrequirements specifictomulti-agentsystemsthatneedstobefulfilledforittooperatesecurelyinanopen environment. www.intechopen.com 108 Autonomous Agents 2.1 PrincipalsinanAgentSystem Conceptually, multi-agent systems are distributed, networked, computer systems in which agentownersruncommunicatingagentsthataccessresourcesonhosts,eachofwhichruns an agent platform (i.e., an instance of an agent middleware) that is under the control of a platformadministrator.1 Theboldtermsarethemajorprincipalsinamulti-agentsystem. Eachoftheseprincipalsfacessecuritythreats.Asecureagentsystemmustprotecttheseprin- cipalsandtheircommunicationwithotherprincipalsagainstsecuritythreats. Forexample, securecommunicationisneededtoprotectthecommunicationbetweentwoagents,butalso betweentwoplatformsandbetweenanagentandaplatformortheagent’sowner.Inalarge- scale,distributedsystem,suchastheInternet,communicationisusuallyoverlongdistances andcanbeinterceptedormonitored. Inaclosedenvironment,allprincipalsinanagentsys- temareknowninadvanceandusuallytrusted,therefore,securitymeasuresareoftenimplicit. However,inamoreopenenvironment,moreexplicitsecuritymeasuresareneededtoguard againstsecuritythreats. Traditionally, security threats are described using the terms confidentiality, integrity, and availability:theCIA-triad(46).Confidentialityreferstotheabilitytopreventaccessbythose thatarenotauthorized. Integrityreferstotheabilitytopreventanyunauthorizedmodifica- tion. Availabilityreferstokeepingresourcesaccessibleatalltimestoauthorizedparties. A prerequisiteforguardingconfidentiality,integrity,andavailabilityisidentitymanagement(9), which encompasses naming and authentication. Naming is the ability to identify each in- dividual principal in an agent system. Authentication is the ability to verify a principal’s identity. Forexample,reliableauthenticationisneededasmaliciouspartiesmaywanttoim- personatecertainprincipalsinordertogainaccesstothatprincipal’sprivileges. Thenextsectionslookatsecuritythreatsinanagentsystemfromtheviewpointofthetwo mostimportantstakeholdersinanagentsystem: theagentownerandtheagentplatform’s administrator. 2.2 SecurityThreatsfortheAgent’sOwner Anagentperformsitsactionsonbehalfofitsowner,whichisusuallyalegalentity,suchasa humanoranorganization: theagentowner. Themainsecurityconcernsforanagentowner areconfidentialityandintegrityofhisagent,anydataitcarries,andanycommunicationto andfromtheagent. Confidentialityisdirectlyrelatedtoguardingtheprivacyofanagent’s owner. For example, in an e-health environment, agents acting on behalf of patients carry privacy-sensitiveinformationthatshouldnotberevealedtoothers. Agentmobilityintroducesextrasecurityrisks,asagentsrunonhoststhatareoutofthecon- troloftheagent’sowner. Forexample, maliciouspartiescanstartagentplatformswiththe intenttoeavesdropormanipulateagentsthattheyhost.Thismalicioushostproblemishard tosolve,asplatformsingeneralhavefullcontrolovertheagentsthatrunonthem. Themost effectivesolutionsinvolvetheuseoftrustedhardware. Unfortunately,thesesolutionsareusu- allyalsothemorecostlysolutionstoimplement. Software-onlysolutionsgivelessprotection but are more practical to implement. The malicious host problem exists foremost in open environments. It is reasonable to assume that in closed environments all hosts are trusted tobehavewellandthatadequateauthorizationmechanismshavebeeninstalledtoprevent unauthorizedusersoftheplatformtohaveaccesstoanagent’sprivatedata. 1Thetermagentplatformormiddlewarereferstosoftwarerunningonhoststosupportagents;agentsystem referstothewholesystemofagents,agentowners,agentplatforms,platformadministrators,etc. www.intechopen.com Security in Large-Scale Open Distributed Multi-Agent Systems 109 Availabilityofanagentisarequirementforanagentownerthatcanbeimplementedbyan agentownerhimself,possiblysupportedbyaplatform.Forexample,tomakeanagentmore fault tolerant, an agent owner can start two (or more) copies of an agent and send them to differentplatforms,sothatifoneagentdies,theothercancontinue,keepingtheagentavail- abletoitsowner. Alternatively,anagentownercantrustaplatformownertotakeadequate measurestoguaranteetheavailabilityofanagentplatform. 2.3 SecurityThreatsforthePlatform’sAdministrator Ahost’sadministratorcanrunanagentplatform(i.e.,aninstanceoftheagentmiddleware) onhishost. Anagentplatformenablesvisitingagentsto(paid)accesstoahost’sresources. Themainsecurityconcernsforanagentplatform’sadministrator(whoisnotnecessarilythe same as the host’s administrator) are confidentiality, integrity, and availability of the agent platform,itsresources,andanycommunicationfromandtotheagentplatform. Inopenenvironments,aplatformmustpreparefordeliberateattacks,fromoutside,aswell asinside.Mobilemaliciousagentscanfirstmigratetoaplatformandtrytoattackaplatform fromtheinside. Attackstypicallyincludegainingunauthorizedaccesstoahost’sresources or accessing the data of other agents running on that host. To protect against the threat of maliciousagentsaresourceaccesscontrolmechanismmustbeinstalledthatenforcesanau- thorizationmechanismthatdetermineswhoisallowedtoaccesswhichresourceandtowhat extent. A typical resource in an agent system that may be the target of availability threats is the lookupservice. Thelookupserviceisadatabasethatkeepstrackofthecurrentlocationsof allagentsinanagentsystem.Anagentsystemneedsthisinformation,forexample,todeliver messagestoagentssentfromotheragents. Inanopenenvironment,anattackercouldstart an agent platform, join the agent community and subsequently fill the lookup service with falseinformationaboutlocationsofagents. Thisattackrenderstheinformationinalookup serviceuselessandconsequentlyparalyzesanagentsystemasawhole. Thisspecificattack isaform ofaDenial-of-Serviceattackandillustrates thenecessityofasecurelookupser- vicewhichguaranteesthecorrectnessofitsinformation.Withoutit,aplatformadministrator cannotguaranteetheavailabilityoftheagentplatform. 2.4 Summary The next list summarizes the security requirements discussed in this section. Each require- mentiseitheraprerequisiteforsecurityorisassociatedwithathreattooneofthetwomain principalsinanagentsystem:agentownerorplatformadministrator. • Prerequisite: NamingandAuthentication–theabilitytoverifytheidentityofprinci- pals. • Prerequisite: Communication Security – confidentiality and integrity of data sent be- tweenagents,services,hosts,etc.mustbeguaranteed. • Agentowner:MaliciousHostprotectinganagent’sconfidentialityandintegrityevenif itrunsonamalicioushost. • Platform administrator: Malicious Agent – protecting a host’s confidentiality and in- tegrityfrommaliciousagents. • Platformadministrator:SecureLookupService–guardingtheinformationinthelookup service. www.intechopen.com 110 Autonomous Agents Thissetofsecurityrequirementsformsabareminimumforagentsystemsinopenenviron- ments. In addition to these security requirements other requirements common to all dis- tributedcomputersystemsneedtobeaddressed,suchasfaulttolerance,availability,backups, traceability, etc. For agent systems in specific domains more stricter security requirements may apply as well. For example, in privacy sensitive environments anonymity may be an importantrequirement. The remainder of this chapter focuses on the specific security requirements in order. Each requirement is discussed in more detail and one or more possible solutions are presented. Sections 3 and 4 discuss the prerequisites naming and authentication, and communication security. Next,Section5focusesonthemainsecuritythreattoanagentowner:themalicious host. Finally, Sections 6 and 7 look at threats to a platform administrator and discuss the maliciousagentandasecurelookupservice. 3. NamingandAuthentication Asmentionedabove,identitymanagementisanimportantsecurityrequirementinanopen, distributedagentsystem. Theabilitytonameprincipalsandauthenticatethemisanimpor- tantpartofidentitymanagement. 3.1 Naming Beforeauthenticationcanbedone, principalsinanagentsystemmustfirsthavea(unique) identifier: a name. This name does not have to be human-readable; it can be a meaning- lessstring,aslongasitismachine-readable. Inprinciple,namescanbestatic,whichmeans theydonotchangeoverthelifetimeofaprincipal, ordynamic. Forhumansandorganiza- tionsstaticnamesareamorelogicalchoice,howeverfor(mobile)agentsinanagentsystem, dynamic names have their use. For example, agent names could contain a reference to the location where an agent resides (location-dependent names, see also Section 7), which makes locatingtheagenttrivial.However,fortheremainderofthischapteritisassumedthatprinci- palshavegloballyuniqueidentifiers(GUIDs),whicharestaticnames.Thetermglobaldoes notnecessarilyhavetoimplythattheidentifierisuniqueintheuniverse,butitsufficesthat theidentifierisuniquewithinaninstanceofarunningagentsystem. Itcanbeassumedthat inanyagentsystem,somethingsimilartoGUIDsisusedtonameprincipals. Another property of naming is whether principals can have more than one name. For ex- ample, ifanagenthasmultiplenames, itcanusethesenamesaspseudonyms. Pseudonyms canbeusedtoimplementanonymity(51): anagentcanuseadifferentpseudonymforeach interactionwithanotheragent. Toillustrate,AgentScape(20)(seeSection8)actuallyhastwonamingschemes. First,agents areidentifiedinternallybyGUIDs,whicharekeptprivatetothemiddleware.Second,agents areexternallyvisiblethroughtheir(static)handles.Eachagentcanhavemorethanonehandle atatime,whichallowsthemtoimplementaformofanonymityaseachhandleisapseudonym. Notethatnamingisnotsufficientforauthenticationasthereisnomechanismtoverifythata namecorrespondstothecorrectprincipal.Authenticationisdiscussedinthenextsection. 3.2 Authentication:aPublicKeyInfrastructure Manywaysofauthenticationareknownandusedintheworld. Onewell-knownmethodis the use of username and password combinations. Only if the correct password issupplied istheuserauthenticated. AmoreelaborateschemerequiresaPKI,aPublicKeyInfrastruc- ture,thatusesasymmetrickeyencryptionalsoknownaspublic-keycryptography(27).Every www.intechopen.com Security in Large-Scale Open Distributed Multi-Agent Systems 111 principal(agent,user,host,etc.) thatneedstobeabletobeauthenticatedcreatesakey-pair, consistingofapublicandaprivatekey.Thesekeyshavethepropertythatdataencryptedwith onekeycanbedecryptedbytheother,andgivenonekeyitiscomputationallyinfeasibleto derivetheotherkey. Everyprincipalpublishesitspublickeytotheworld,butkeepsitsown privatekeyprivate. Theidentityofaprincipalcannowbeverifiedbycheckingwhetherthe principalcancorrectlydecryptamessageencryptedwiththeprincipal’spublickey.Onlythe realownerofthatpublic-privatekeypaircandecryptthemessageassumingtheprivatekey hasbeenkeptprivate.Whetherthepublickeyisindeedthepublickeyofthecorrectprincipal andnotofanimposterimpersonatingthatprincipalusingitsowngeneratedkeypairisthe taskofthePKI. Thepublickeyinfrastructureisusedtosecurelypublishpublickeysofprincipals. Apublic key is published together with the corresponding principal’s personalia. This combination iscalledacertificate. Thiscertificateisalso(digitally)signed(25)byaCertificateAuthority (CA),afterithasverifiedthatthepublickeyandprincipalareindeedlegitimate,which,for example, involves showing a passport to an official of the CA. All principals publish their publickeyintheformofsignedcertificates. AnyonewhotruststhesigningCAcanusethat certificateandbeconfidentthatthepublickeyandtheprincipalbothstatedinthecertificate arevalidandbelongtoeachother.Inshort,anagentsystemisabletosolvetheauthentication problembyusingaPKI,whereallprincipalscreateapublic/privatekeypairandatrustedCA signsallcorrespondingcertificates. Forcompleteness,signingacertificateisdonebyaddinganencryptedversionofthecertificate (actually, ahashofit)tothecertificate. EncryptionisdonewiththeprivatekeyoftheCA, whichmeansthateveryonecanverifythesignaturewiththepublickeyoftheCA,butnobody canforgethesignature.ThepublickeyoftheCAisassumedtohavebeendistributedsecurely toallparticipants. NotethatsafelydistributingthecertificatesofahandfulofCAsismore feasiblethandistributingthecertificatesofallparticipants. In AgentScape, a public key infrastructure is installed. Agent owners, locations, and hosts havepublicandprivatekeypairs.Thisensuresthatlocationsandhostscanmutuallyauthen- ticateandsetupsecurecommunicationchannels,usingSSL(seeSection4). 3.3 LinkinganAgentanditsOwner In many situations, an agent must be uniquely and undeniably linked to its owner (e.g., a humanororganization). Thislinkispartofauthenticatinganagentandisnecessary,forex- ample,tochargetheownerifagentsmakepurchasesonthewebortohelpdetermineliability whenever agents misbehave. This section discusses, in the context of agent based systems, howagentscanbe‘bound’totheirowner. Asmentionedbefore,itisassumedthatanagentcanbeidentifiedbyaGUID.Conceptually, an agent consists of meta-data, (executable) code, and data that an agent has ‘found’ on a particularhost. Themeta-dataofanagentcontainsatleastthefollowing: theGUIDofthis agent,thenameofthisagent’sowner,andasigned(bytheowner)hashofthisagent’scode. Thesignatureensuresthatagentandownerareboundtoeachother. Forauthenticationto succeed,itisimportantthatthepublickeyofanagentownerisstoredinaPKI. Forexample,inAgentScape,whenanagentisinjected,theagentplatformchecksiftheagent codeisindeedsigned. IfverificationissuccessfultheagentobtainsaGUIDandahandleis returned to the agent owner. Assuming the owner keeps this handle secret, it can be used to communicate between agent and owner. Next, the injected agent is started by the agent platform. If the agent misbehaves in some way, the owner can be contacted and be held www.intechopen.com 112 Autonomous Agents responsible for the agent’s actions. The agent injection procedure is similar in other agent systems. 4. CommunicationSecurity Indistributedagentsystemscommunicationismanifold. The(distributed)componentsthat makeuptheagentsystem’smiddlewareneedtocommunicatewitheachothertomaintaina runningagentplatform, andtheagentsthemselvescommunicatewitheachother, with(ex- ternal) services, and with the platform. Confidentiality of communication between agents, services,hosts,etc. mustbeguaranteed. Threatscanbeexternalorinternal. Externaleaves- droppersmaywanttolisteninonagentstofindoutprivacy-relatedinformation,maywant todisrupttheagentplatform,ormaywanttoimpersonateotheragentsorservices,etc. 4.1 CommonSecurityAttacks Many types of attacks are known that target communication channels. Two very common attacksareman-in-the-middleattacksandreplayattacks. Thissectionbrieflyexplainsthese twoattackstoillustratethekindofattackspossibleoncommunicationchannels. Forclarity, thenamesAlice, Bob, andMallory, whicharecommonlyusedincryptography, areusedto explainthesesecurityattacks. With a man-in-the-middle attack, an attacker (Mallory) tries to put himself in between the communicationpathoftwoothers(BobandAlice). WhenBobtriestocontactAlice,Mallory stepsinposingasAlice,andforwardstherequesttoAlice,butnowpretendingtobeBob.As aresult,BobandAliceboththinktheyaretalkingprivatelytoeachother,whileinfactMallory is able to intercept all data that is sent by them. This form of attack succeeds if Mallory is abletoimpersonateBobandAlicesuccessfully. Areplayattackisathreatwhereanattacker deliberatelyresendsordelaysmessagesthatweresentpreviously.Sincetheattackerdoesnot alter messages, the receiving party does not have any reason to refuse incoming messages, unlessithastheabilitytodetectthatamessageisaresentcopyoranolddelayedmessage. To see the effect of a replay attack, consider the consequences of a message that contains a money-transferorderforanonlinebankapplication. 4.2 Encryption Acommontechniquetoguaranteeconfidentialityandintegrityofcommunicationisencryp- tion. Twowell-knowntechniquesareSSL-basedcommunication(32)andIPsec(26). SSLis widelyusedtoprovidesecureconnectionstowebservers(e.g., thehttpsprotocol). Alldata sent over a connection between two parties is encrypted with a shared-key. The key is ex- changedinahand-shakephaseduringthesetupoftheconnection. Authentication, thatis, the method to ensure that a party actually is who he/she claims to be, usually involves a certificatesignedbyatrustedthirdparty(i.e.,acertificateauthority)whombothcommuni- catingpartiestrust. Afterthehand-shakesuccessfullycompletes,bothpartiescanbeassured thattheircommunicationremainsconfidential. Inagentsystems,thesetupoftheencrypted SSL-connectionisusuallydonebytheagentmiddleware. Asaconsequence,theagentmid- dleware’sinternalcommunicationisalsosecure. Inaddition,allagent-to-agentcommunica- tion is automatically encrypted transparently, under the assumption that communication is supportedbytheagentmiddleware,whichisalmostalwaysthecase. TheothertechniqueisIPsec. ThisprotocolusesencryptionatamuchlowerlevelthanSSL does. SSLusesencryptionattheapplicationlevel,whichmeanstheencryptionisperformed www.intechopen.com Security in Large-Scale Open Distributed Multi-Agent Systems 113 bytheapplication,anagentplatform.Incontrast,IPsecisperformedbytheunderlyingoper- atingsystem. Theadvantageofthistechniqueisthatbothagentapplicationdevelopersand agentsystemdevelopershavesecurecommunicationavailabletothemautomatically. How- ever,mostagentplatformsprovidetheirownsecurecommunication(usuallyviaSSL)asitis relativelysimpletoimplementandtheythendonothavetorelyontheunderlyingoperating systemtosupportIPsec. For example, AgentScape currently supports SSL-based communication between hosts and locations. This provides the basis for hosts/locations to authenticate each other. Further- more, allmessagestransmittedbetweenhosts/locations, includingmigrationofagents, are encryptedtoensureconfidentiality.ThePKIisusedtolinkhost/locationidentitiesinasecure manner. 5. MaliciousHosts Toanagentowner,protectinganagent’scodeandthedataithasacquiredwhiletraversinga networkishismainsecurityconcern.Especially,whenagentsareusedinopenenvironments such as the Internet, where agents execute outside the control of the agent’s owner. Hosts on which an agent resides may be malicious, yet temporarily have complete control of the agent’sruntimeenvironment. Itisofteninfeasibletodeterminethetrustworthinessofhosts inadvanceinopenenvironments. Unfortunately, in practice, it is almost impossible to protect a migrating agent if it runs on hoststhatareoutsidethecontrolofanagent’sowner. Suchamalicioushostcanviewand alteranagent’s(internal)state,orevendeletetheagentaltogether.However,somehardware and software solutions exist that try to provide security guarantees or at least allow others to detect that an agent has been tampered with by a malicious host. Below some of these solutionsarediscussed. Inprinciple,protectingagentsfrommalicioushostsrequires(39): 1. Protectingtheintegrityofthemigrationpathofanagent 2. Protectingtheintegrityoftheagent’sdataand(binary)code 3. Ensuringconfidentialityoftheagent’sdata 4. Ensuringintegrityoftheagent’scontrolflow Themigrationofanagentfromonehosttoanotheriscalledamigrationstep. Amigration pathisasequenceofmultiplemigrationstepsthatidentifiesallthehosts,inorder,anagent hasvisited. Inprinciple, theintegrityofthemigrationpath(item1, above)formsthebasis fordetectingmalicioushostsand/orpreventingthemfromdoinganyharm. Forexample,a numberoftechniques(6;22;39;43)haveintegrityofagentmigrationpathsasapremise,and canbeusedtodetecttamperingwiththeagent(items2&4). Solutionstoprotectanagent’s migration paths are discussed in more detail at the end of this section (Section 5.5). Before that,somesolutionstoprotectanagent’sintegrity,confidentiality,andcontrolflowarebriefly presented. 5.1 TrustedHardware Atechniquethatinprinciplecanofferthemostprotectionisusingtrustedhardware(Trusted Computing(49)). Trustedhardware, suchastheTrustedPlatformModule(TPM),provides guaranteesofthehardware’sbehavior.ATPMisapieceofhardwarewithinacomputerthat cannot be tampered with. It can perform cryptographic functions and store cryptographic www.intechopen.com 114 Autonomous Agents keyssecurely. SoftwaremanufacturerscanuseaTPMtoguaranteeusersthattheirsoftware running on a host has not been tampered with. A TPM can create a hash of the hardware andsoftwareofacomputerandcheckwhetheranythinghasbeenmodified. Agentscanuse thisinformationtodetectwhethertotrustahostornot,dependingonwhethertheytrustthe softwaremanufacturerwhocreatedtheagentmiddlewarerunningonthehost. AnotheruseofaTPMisforanagenttoletcertaincriticaloperationsbeperformedbyaTPM. An agent sends any input encrypted to the TPM, the TPM then operates on the data and sendstheresultbacktotheagent. Theresultisencryptedinsuchawaythatonlytheagent’s ownercandecryptitaftertheagentreturnstoitsowner.Unfortunately,bothusesoftheTPM requirespecializedhardware.Requiringallcomputerstohavespecializedhardwarerestricts theuseofitforagentsystemsinanopenenvironment.Therefore,theremainderofthissection focusesonsoftware-onlytechniques. 5.2 ProtectinganAgent’sIntegrity Anagentneedstoprotectbothit’sagentcodeaswellasanydataitcarries. Asmentioned before,withouttrustedhardware,anagentcannotprotectthisdatafrombeingmodifiedbya malicioushost. However,itispossibleforanagenttodetect,afteramigrationfromapoten- tiallymalicioushost,whetherthathosthasmadeanyunwantedmodificationstotheagent’s codeand/oranydatathattheagentcarried.Thesolutionistheuseofdigitalsignatures. To protect an agent’s code, the agent carries a signature from the agent owner over a hash of the agent’s code. After migration, an agent platform checks whether the agent owner is authorized(trusted)torunagentsandwhetherthesignedhashintheagentmatchestheactual hashoftheagent’scodeitreceived. Ifnot, thentheagenthasbeenmodifiedandtheagent platform can notify the agent’s owner and refuse to start the agent. Since only the agent ownercangeneratethissignature,amalicioushostcannotmodifytheagent’scodewithout beingdetected. Thedatathatanagentcarriescanbeprotectedasfollows.Ahashiscalculatedofeachpieceof datathatneedstobeprotected.Thenallthesehashesarestoredinatabletogetherwithsome meta-dataoneachpieceofdata,suchasitslocationwithinanagent.Thistableisthensigned andstoredwithintheagent. Ifamalicioushostmodifiesorremovesapartoftheprotected dataorthetable,thesignaturewillnotmatchandthemodificationwillbedetectablebythe agentortheagentowner. Unfortunately, an agent cannot carry its own private key to sign data, because a malicious hostwouldthenalsohaveaccesstoitandbeabletofakesignatures. Consequently,anagent cannot sign its own data. Instead, an agent owner or a trusted third party should sign the table. Theagenthastomigratetotheagentowner’shostortothetrustedthirdparty’shost firsttogetthesignature. Migrationtoatrustedhostmakesthisschemealittlecumbersome. If,however,themigrationpathofanagentcanbesecurelytracked(migrationpathintegrity), othersolutionsbecomepossible(6;22;39;43). 5.3 ProtectinganAgent’sConfidentiality Toprotectamalicioushostfromreadingconfidentialdatathatanagentcarries,itissufficient to encrypt that data with the public key of the agent’s owner, which ensures that only the agent’sownercanreadthedataaftertheagenthasreturnedtotheowner. Encryptioncanbe donebyanagentitselfonthe(trusted)hostwhereithasacquiredthedata. Unfortunately, afterencryptionanagentitselfdoesnothaveaccesstothedataeither. Ifitneedsaccessto www.intechopen.com Security in Large-Scale Open Distributed Multi-Agent Systems 115 encrypteddataandittruststhehostitison,itcansetupasecureconnectiontotheagent’s ownerandaskittodecryptthedata. 5.4 ProtectinganAgent’sControlFlow Unfortunately,protectinganagent’scontrolflowonamalicioushostisvirtuallyimpossible without dedicated trusted hardware. Basically, an agent would need to control (or at least monitor) the runtime environment of the host on which it runs, which is impossible as the hostcontrolsit. Forexample,amalicioushostcoulddenyorlimitaccesstoresourcesthatan agenthaspreviouslynegotiatedfor.Iftheagentdoesnotcheckforthis,itwouldnevernotice thefraud.Evenworse,evenifanagentchecksforfraud,areallymalicioushostcouldchange thecontrol-flowoftheagenttoskipthischeck. Thebestanagentcandoistousethetechniquesdescribedabovetoprotecttheconfidentiality andintegrityofthedataitcarries,toatleastdetectwhethertheagenthasbeentamperedwith. Theagentcanthencanredoitsoperationagainatamoretrustedhostaftermigration. 5.5 ProtectinganAgent’sMigrationPath Onefundamental(andunsolvable)problemforagentmigrationisthatamalicioushostcan alwaysdeleteanagentinitsentirety. Thiscanneverbeprevented. However,itispossibleto detectwhichhostdeletedanagent. Theonlythingthatisneededforthisisthepreservation oftheintegrityofthemigrationpathofanagent.Anagentownercanthensimplyfollowthe migrationpathofanagentandconcludewhichhostdeletedtheagent. Ofcourseforthisto work,amalicioushostshouldnotbeabletoforgethemigrationhistoryofanagent. Oncea malicioushostisidentifiedassuch,thehostcanbeputonablacklist,therebypreventingfur- thermaliciousbehaviorofthehostinquestion. Themainfocusofthissectionisthedetection ofbreachesofintegrityinmigrationpathsofmobileagents. Thehostonwhichanagentisinitialized,isassumedtobetrustedbytheagent’sowner. This hostcanbetracedbyallotherhostsatanyarbitrarymomentintime. Hostsareassumedto havefullcontrolovertheagentstheyrun. Theconsequenceofthisassumptionisthathosts areabletoreadandalterinformationstoredinsideagents.Althoughagentscandecidetoonly migratetotrustedhosts,thatis,hoststhathaveavalid(signed)certificate,atrustrelationship doesnotgivefullguaranteeswithrespecttoahost’sbehaviorandintentions. Anumberofsolutionsexisttoprotecttheintegrityofanagent’smigrationpath. Apossible solutionusesacentralizedtrustedthirdparty(TTP)(15)toauthorizeandkeeptrackofmi- grationpathsofagents.Thetrustedthirdpartycanbephysicallylocatedelsewhereanddoes nothavetobepartoftheagentsystemitself.However,allusersofanagentsystemmusttrust thatthetrustedthirdpartyisnotmaliciousandcannotbecompromised. Securecommuni- cation channels (see Section 4) to the TTP and digital signatures (25) (see also 5.2) are used to secure the migration protocol against fraud. Unfortunately, malicious hosts can simply migrateanagentbetweenthemwithoutinformingtheTTP.Furthermore,acentralizedTTP formsasinglepointoffailureandcanbecomeaperformancebottleneckforlarge-scaleagent systems. MultipleTTPscanbeusedtoimprovescalability. Forexample,inthehomebased approach,eachagentusesitsowninitial(trusted)hostasitsTTP.Alternatively,Roth(39)uses co-operatingagentsthatuseeachotherasTTP. Adecentralizedsolutiontosecurethemigrationpathofanagentissignaturechaining(45), whichstoresanagent’smigrationpathinanagentitself,togetherwithanagent’scodeand data. Digitalsignaturesareusedtoprotectthemigrationpathagainsttamperingbyamali- cioushost. Inthismethod,eachhostaddsthenextmigrationsteptothemigrationpaththat www.intechopen.com 116 Autonomous Agents wasalreadystoredintheagentandsignstheentirepath,includingthesignaturesofprevi- ous hosts inthe migration paths. By signing the entire migration path the signatures ofall participating hosts are chained together. Each new migration step adds another connected linktothesignaturechain.Unfortunately,verifyinglongsignaturechainsiscomputationally intensive,andamalicioushostcanremovearbitrarycyclesfromamigrationpathifanagent (accidentally)visitsthesamemalicioushostforasecondtime(45). Anotherscalablesolutionthatusesthenotionofdistributedtrusttosecuremigrationpaths isdescribedin(53). Inthissolution, otherhostsinthemigrationpathauthorizeandcheck eachfollowingmigrationstep.Increasingthenumberofhostsrequiredtoauthorizeamigra- tionmakesthemigrationprotocolmoreresistanttoco-operatingmalicioushosts. Spreading trustovermultiplehostsinanagentsystemclearlyhasbenefitsintermsofscalabilityandit strengthensthesecuritymechanism,asa‘singlepointoffailure’nolongerexists. Orthogo- nally,adedicatedtrustmodelthatcandistinguishthe–relative–trustworthinessofhostsin multipleagentsystemscanbeofmuchadditionalvalue.Reputationandtrustmodels(1)have beenstudiedinthecontextofagentsystemsby,forexample,(19;36). 6. MaliciousAgents Theprevioussectiondiscussesthemalicioushostproblem. Thissectionfocusesonthecom- plementary problem: malicious agents. Just as agent owners want to protect their agents againstpotentiallymalicioushosts,sodoplatformadministratorswanttoprotecttheirhosts againstpotentiallymaliciousmigratingagents.Maliciousagentstypicallyattempttogainac- cesstoresourcesonahosttheyarenotauthorizedtouse. Suchaccessincludesattemptsto accessprivatedataofthehost,privatedataofotheragents,ortouseadditionalcomputational resourcesthathavenotbeennegotiated. Fortunately,thereareanumberoftechniquesthat aplatformadministratorcanapplytoreducethethreatofmaliciousagentsandcontroltheir accesstoahost’sresources.Thissectiondiscussesafewofthesetechniquesandsubsequently focusesonthesubjectonhowtoconfigureandmanageaccesstoresourcesforagents. 6.1 SandboxingAgents Mostsolutionstosecuringhostsfrommaliciousagentsentailmonitoringeveryactionthatan agentattemptsonahost. WheneveranagentmakesacalltothemiddlewareAPI,itisinter- ceptedbyasecuritymanager.Thesecuritymanagerchecksthesystempolicytodetermineif anaction,suchasmigrationandresourceaccess,shouldbeallowedordenied.Forexample,a hostcoulddecidethatitdoesnotallowagentstouseremoteweb-services(i.e.,notrunningon thelocalhost). Everyattempttocontactaremoteweb-servicewillbeblockedbythesecurity manager. ManyagentplatformsareJava-based(14),andinJavaoneoftheprimarysolutionstowards securing mobile code is to execute any remote code in a protection domain or sandbox. A sandboxlimitsthesetofoperationsthattheremotecodemaycall. Forexample,sandboxing typicallyrestrictsnetworkaccessaswellasaccesstothelocalfilesystem.Javaprovidesagent systemprogrammersthetoolstodefinesandboxesbyusingasecuritymanagerand/orcustom classloaders.InJavatheactualsandboxisenforcedandimplementedbytheunderlyingJVM, forinterpretedscriptinglanguagessuchasPythonandSafe-Tclthesandboxisimplemented bytheinterpreter.ForCorC++(binarycode)agentsare‘jailed’(50). Sandboxing and jailing are examples of solutions with which agents are run in contained environments limiting the amount of damage they can cause to the systems on which they run. Analternativesolutionistoonlyrunagentsoftrustedowners. Whomtotrustisupto www.intechopen.com