The Sanctuary project at UCSD is building a secure infrastructure for mobile agents, and examining

This paper addresses the protection of mobile code against cheating and potentially malicious hosts. We point out that the recent approach based on computing with "encrypted functions" is limited to the case where only the code originator learns the result of the computation and the host running the code must not notice anything at all. We argue that if the host is to receive some output of the computation, then securing mobile code requires minimal trust in a third party. Tamper-proof hardware installed on each host has been proposed for this purpose. In this paper we introduce a new approach for securely executing (fragments of) mobile code that relies on a minimally trusted third party. This party is a generic independent entity, called the secure computation service, which performs some operations on behalf of the mobile application, but does not learn anything about the encrypted computation. Because it is universal, the secure computation service needs to be only minimally trusted and can serve many different applications. We present a protocol based on tools from theoretical cryptography that is quite practical for computing small functions.

To protect mobile agents from attacks by their execution environments, or hosts, one class of protection mechanisms uses "reference states" to detect modification attacks. Reference states are agent states that have been produced by non-attacking, or reference hosts. This paper examines this class of mechanisms and presents the bandwidth of the achieved protection. First, the notion of reference states is introduced. This notion allows to define a protection scheme that can be used to realize a whole class of mechanisms to protect mobile agents. To do so, after an initial analysis of already existing approaches, the abstract features of these approaches are extracted. A discussion examines the strengths and weaknesses of the general protection scheme, and a framework is presented that allows an agent programmer to choose an appropriate protection level using this scheme. An example illustrates the usage of the framework and its overhead. 1. Introduction Mobile agents are program inst...

Web services arein creasin gly bein g adopted as a viable mean s to access Web-based application . This has been en - abled by the tremen3 us stan3 rdization e#ort to describe, advertise, discover, an d in voke Web services. Digital government (DG) is a ma or application domain for Web services. It aims at improvin g govern men t-citizen in teraction s usin g in formation an commun cation techn logies. Govern5 n t agen cies collect, store, process,an d sharein formation about million s of citizen s who have di#eren t preferen ces regardin g their privacy. Thisn aturally raises an umber of legalan d techn ical issues that must be addressed to preserve citizen s' privacy through the con trol of the in formation flow amon gst di#eren ten tities (users, Web services, DBMSs). Solution s addressin g this issue are stillin their in fan cy. They con sist, essen tially, of en forcin g privacy by law or by self-regulation . In this paper, we propose a n w techn cal approach for preservin privacyin governPE t Web services. Our design is based d mobile privacy preserving agents. This work aims at establishin the feasibility an d provable reliability of techn ology-based privacy preservin solution for Web service in rastructures.

. The notion of trust is presented as an important component in a security infrastructure for mobile agents. A trust model that can be used in tackling the aspect of protecting mobile agents from hostile platforms is proposed. We dene several trust relationships in our model, and present a trust derivation algorithm that can be used to infer new relationships from existing ones. An example of how such a model can be utilized in a practical system is provided. 1

hkvt99r @ ecs.soton.ac.u k

. To protect mobile agents from attacks by their execution environments, or hosts, one class of protection mechanisms uses "reference states" to detect modification attacks. Reference states are agent states that have been produced by non-attacking, or reference hosts. This paper presents a new protocol using reference states by modifying an existing approach, called "traces". In contrast to the original approach, this new protocol offers a model, where the execution on one host is checked unconditionally and immediately on the next host, regardless of whether this host is trusted or untrusted. This modification preserves the qualitative advantages like asynchronous execution, but also introduces two new problems: input to the execution session on one host cannot be held secret to a second host, and collaboration attacks of two consecutive hosts are possible. The overhead needed for the protocol roughly doubles the cost of the mobile agent execution. 1 Introduction Mobile ag...

Over the past years, mobile agent technology has attracted considerable attention, and a significant body of literature has been published. To further develop mobile agent technology, reliability mechanisms such as fault tolerance and transaction support are required. This article aims at structuring the field of fault-tolerant and transactional mobile agent execution and thus at guiding the reader to understand the basic strengths and weaknesses of existing approaches. It starts with a discussion on providing fault tolerance in a system in which processes simply fail. For this purpose, we first identify two basic requirements for fault-tolerant mobile agent execution: (1) non-blocking (i.e., a single failure does not prevent progress of the mobile agent execution) and (2) exactly-once (i.e., multiple executions of the agent are prevented). This leads us to introduce the notion of a local transaction as the basic building block for fault-tolerant mobile agent execution and to classify existing approaches according to when and by whom the local transactions are committed. In a second part, we show that transactional mobile agent execution additionally ensures execution atomicity and present a survey of existing approaches. In the last part of the

This paper aims to examine the benefits the introduction of trusted computing can bring to the mobile agent paradigm, with a specific emphasis on mobile agent security. 1

Mobile Agent (MA) technology raises significant security concerns and requires a thorough security framework with a wide range of strategies and mechanisms for the protection of both agent platform and mobile agents against possibly malicious reciprocal behavior. The security infrastructure should have the ability to flexibly and dynamically offer different solutions to achieve different qualities of security service depending on application requirements. The chapter presents the security threats that typically arise in MA applications and describes the proposed currently available countermeasures to protect both nodes and mobile agents. In addition, the chapter surveys the state-of-the-art research activities about integrated security supports in MA systems and identifies open research issues and on-going research work. 1 Security: a Missing Link for Mobile Agents Acceptance The convergence of the Internet with wireless communications have raised new challenges in the support of user and terminal mobility, in facing heterogeneity, and in adapting to the dynamic changes in the network infrastructure [1]. The new scenario seems a suitable application area for computing paradigms that exploit the notion of code mobility, defined as the capability to