next up previous
Next:  Security Architecture Up: Security Requirements for Management Previous:  Relation Attacks

 Security Requirements

For each of the various attacks it is possible to develop a specific defense strategy. But this approach has the drawback that every new attack requires a new defense strategy, so the security system always "lags behind" the attacker. The more promising approach is to develop a security architecture which implements a more abstract view on attacks. The OSI security architecture [ISO 10181-1, ISO 7498-2] may be regarded as a basis, but it must be adapted to the particular characteristics of agent systems. The first step towards such an architecture is to deduce a conceptual view on countermeasures against classes of attacks: security requirements. In order to satisfy these requirements several components and services have to be identified and integrated in a security architecture for a mobile agent based management system. Such an architecture is able to prevent complete classes of attacks, including future attacks belonging to one of these classes.

The organizational model together with the threat analysis gives a view onto entities. It is essential for a secure management system to be able to identify the subjects and objects representing the participating entities. The security requirement is authentication. Mobile agents are a new kind of access to systems and need closer attention. Some available access control devices, such as fingerprint scanners, may improve access control for humans, but they will not work for mobile agents. Authentication is fundamental, because most of the following security requirements presuppose the ability to identify subjects and objects unambiguously.

Authorization is necessary to bind rights to subjects. For that purpose rights and permissions must be described. Access control must then enforce rights and restrictions at run-time. Each object in the system offers interfaces which can be used by subjects; access control prevents illegal access to objects. Certain management tasks require that a mobile agent is able to delegate rights and permissions to other entities, so a concept for the delegation of these rights is necessary. Security management with the aid of mobile agents can be carried out if such a concept is available.
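The two preceding paragraphs (authentication, then authorization with delegation and run-time access control) are illustrated by the following added example. It is not code from the paper or from the Munich Network Management Team; the subject names, secrets, the managed object "router-1" and its operations are constructed, and challenge-response over a shared secret stands in for whatever key management a real agent system would use. Delegation is bounded: an agent can pass on only rights it holds itself, and only after it has been authenticated.

```python
"""Added example (not from the paper): challenge-response authentication,
authorization with bounded delegation, and run-time access control on the
interface of a managed object. Subjects, secrets and objects are constructed."""
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class Right:
    obj: str   # managed object, e.g. "router-1"
    op: str    # operation on its interface, e.g. "read-config"


class Authenticator:
    """Identifies subjects by a challenge-response over a per-subject secret.
    A fresh nonce per login keeps a captured response from being replayed."""

    def __init__(self, secrets):
        self._secrets = secrets          # subject name -> shared secret (constructed)
        self._pending = {}               # subject name -> outstanding nonce

    def challenge(self, subject):
        nonce = os.urandom(16)
        self._pending[subject] = nonce
        return nonce

    @staticmethod
    def respond(secret, nonce):
        return hmac.new(secret, nonce, hashlib.sha256).hexdigest()

    def verify(self, subject, response):
        nonce = self._pending.pop(subject, None)
        secret = self._secrets.get(subject)
        if nonce is None or secret is None:
            return False
        return hmac.compare_digest(self.respond(secret, nonce), response)


class AccessControl:
    """Binds rights to authenticated subjects and enforces them on every call."""

    def __init__(self, authenticator):
        self._auth = authenticator
        self._rights = {}                # subject -> set of Right
        self._authenticated = set()

    def login(self, subject, response):
        ok = self._auth.verify(subject, response)
        if ok:
            self._authenticated.add(subject)
        return ok

    def grant(self, subject, *rights):
        # Authorization: the administrator binds rights to a subject.
        self._rights.setdefault(subject, set()).update(rights)

    def permits(self, subject, obj, op):
        return subject in self._authenticated and Right(obj, op) in self._rights.get(subject, set())

    def delegate(self, delegator, delegatee, *rights):
        """An agent may pass on only rights it holds itself, and only once authenticated."""
        if delegator not in self._authenticated or not set(rights) <= self._rights.get(delegator, set()):
            return False
        self.grant(delegatee, *rights)
        return True


class ManagedObject:
    """Every interface operation is guarded by the access control check."""

    def __init__(self, name, ac):
        self.name, self._ac = name, ac
        self.config = {"snmp-community": "public"}   # constructed sample state

    def read_config(self, subject):
        if not self._ac.permits(subject, self.name, "read-config"):
            raise PermissionError(f"{subject} may not read {self.name}")
        return dict(self.config)


def demo():
    secrets = {"agent-A": b"secret-A", "agent-B": b"secret-B"}
    auth = Authenticator(secrets)
    ac = AccessControl(auth)
    router = ManagedObject("router-1", ac)
    ac.grant("agent-A", Right("router-1", "read-config"))
    # Masquerade attempt: B answers A's challenge with B's secret and is rejected.
    masquerade = ac.login("agent-A", Authenticator.respond(secrets["agent-B"], auth.challenge("agent-A")))
    ac.login("agent-A", Authenticator.respond(secrets["agent-A"], auth.challenge("agent-A")))
    ac.login("agent-B", Authenticator.respond(secrets["agent-B"], auth.challenge("agent-B")))
    return {
        "masquerade_rejected": not masquerade,
        "a_reads": router.read_config("agent-A"),
        "delegated_read": ac.delegate("agent-A", "agent-B", Right("router-1", "read-config")),
        "delegated_write": ac.delegate("agent-A", "agent-B", Right("router-1", "write-config")),
        "b_reads": router.read_config("agent-B"),
        "b_write_denied": not ac.permits("agent-B", "router-1", "write-config"),
    }
```

Because `permits` requires both an authenticated identity and a bound right, a subject that skips authentication is refused even if rights were granted to its name; this is the dependency of authorization on authentication that the text points out.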

Each information channel representing a relation between entities may need protection. The security requirement confidentiality is satisfied if such a channel is only accessible by authorized participants.

Many attacks aim to alter code, data or messages, or to replay or replicate messages or MAs. Detecting such alterations, manipulations, replays and misordering assures the integrity of objects. Being able to establish and enforce resource constraints can prevent another big group of attacks: resource abuse and denial-of-service. The security requirement non-repudiation means that it can be proven that a certain subject has performed a critical or sensitive action; even a third party can prove who caused this action.
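The following added example (not code from the paper) shows how alteration, replay and misordering of messages between management entities can be detected, as the integrity requirement above demands. A sender binds its name, a sequence number, a fresh nonce and the payload with an HMAC under a channel key; the receiver keeps the highest accepted sequence number per sender and the nonces it has already seen. The channel key, sender names and SNMP-like payloads are constructed for illustration, and a keyed MAC is used because the verification stays within the standard library; it provides integrity for the two communicating parties but not non-repudiation towards a third party, which would need a signature.

```python
"""Added example (not from the paper): integrity protection and detection of
alteration, replay and misordering for messages between management entities.
The channel key, sender names and payloads are constructed for illustration."""
import hashlib
import hmac
import json
import os

CHANNEL_KEY = b"constructed-channel-key"   # assumed to be provided by key management


def _canonical(fields):
    # Deterministic serialization so sender and receiver MAC the same bytes.
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def protect(key, sender, seq, payload):
    """Bind sender, sequence number, a fresh nonce and the payload with an HMAC."""
    msg = {"sender": sender, "seq": seq, "nonce": os.urandom(8).hex(), "payload": payload}
    msg["mac"] = hmac.new(key, _canonical(msg), hashlib.sha256).hexdigest()
    return msg


class IntegrityChecker:
    """Receiver-side state: highest accepted sequence number per sender and the
    nonces already seen, so that alterations, replays and out-of-order (delayed)
    messages are each reported distinctly."""

    def __init__(self, key):
        self._key = key
        self._last_seq = {}
        self._seen_nonces = set()

    def verify(self, msg):
        fields = {k: v for k, v in msg.items() if k != "mac"}
        expected = hmac.new(self._key, _canonical(fields), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg.get("mac", "")):
            return "altered"        # payload or header changed, or wrong key
        if msg["nonce"] in self._seen_nonces:
            return "replay"         # exact copy of an already accepted message
        if msg["seq"] <= self._last_seq.get(msg["sender"], -1):
            return "misordered"     # older than the last accepted message (delayed or reordered)
        self._seen_nonces.add(msg["nonce"])
        self._last_seq[msg["sender"]] = msg["seq"]
        return "ok"


def demo():
    checker = IntegrityChecker(CHANNEL_KEY)
    m1 = protect(CHANNEL_KEY, "agent-A", 1, {"cmd": "get", "oid": "sysUpTime"})
    m2 = protect(CHANNEL_KEY, "agent-A", 2, {"cmd": "set", "oid": "ifAdminStatus", "value": 2})
    m3 = protect(CHANNEL_KEY, "agent-A", 3, {"cmd": "get", "oid": "ifOperStatus"})
    tampered = dict(m2)
    tampered["payload"] = {**m2["payload"], "value": 1}   # manipulated in transit
    return {
        "first": checker.verify(m1),                       # ok
        "replayed": checker.verify(m1),                    # replay
        "tampered": checker.verify(tampered),              # altered
        "third": checker.verify(m3),                       # ok
        "delayed": checker.verify(m2),                     # misordered
        "foreign_key": checker.verify(protect(b"other-key", "agent-A", 4, {})),  # altered
    }
```

The nonce check fires before the sequence check so that an exact replay is reported as such rather than as a misordered message; a delayed genuine message (m2 arriving after m3) still fails the sequence check, which is the conservative choice for management commands whose effect depends on order.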

To prevent the circumvention of legal interfaces and to restrict rights, the sandboxing concept is used. A sandbox is a very restricted environment for code execution which can only be left in a controlled manner.

Some attacks (e.g. manipulation of an MA by an AS) seem very hard or even impossible to prevent. If it is not possible to restrain these attacks technically, an organizational solution is necessary, e.g. a trust relation between two entities that a particular kind of attack will not happen.

The following list summarizes the security requirements and the attacks which can be prevented by services implementing these requirements. Some attacks are listed several times: either more than one requirement covers the attack, or several services implementing the requirements are necessary to prevent a single attack.

Authentication: Masquerade, theft of rights, repudiation, replication, replay, redirection, denial-of-execution, denial-of-service, resource misuse

Authorization and Access: Theft of rights, denial-of-service, resource misuse

Confidentiality: Eavesdropping, theft of rights

Integrity: Theft of rights, replication, delay, replay, redirection, alteration, execution trace manipulation

Non-Repudiation: Repudiation

Resource-Constraints: Denial-of-service, resource misuse

Sandboxing: Circumvention attack

Copyright Munich Network Management Team