The JavaSeal Mobile Agent Kernel

Mobile agents show promise as a new distributed programming paradigm in which locality plays a central role: programs that are able to move closer to their data can overcome limitations of connectivity, latency or bandwidth. Mobility also enables distributed systems to evolve; for instance, the deployment of a new service over a network can be programmed as part of the service itself. Of course, moving programs introduces new challenges. One of these is related to program structure: How much of a computation should be moved? Where are the boundaries between mobile and immobile entities drawn? A second challenge is to provide security guarantees: How can the actions of mobile agents be controlled? And what kinds of security properties can we realistically expect to enforce? We answer these questions within the framework of the JavaSeal mobile agent system kernel. JavaSeal provides several abstractions for constructing agent systems in Java. Our basic building block is the seal, which is a nested, encapsulated computation fragment with sharply delineated boundaries. Strands are sequential threads of computation bound to a seal. Capsules transfer passive seals and objects over communication channels; traffic over channels is regulated by portals. We argue that these abstractions are sufficient to program secure mobile agent systems. An electronic commerce application built over our kernel is used as a demonstrator.
