Towards the Safe Use of Dynamically Transformed Itinerant Software

Mike Jochen, Anteneh Addis Anteneh, and Lori L. Pollock
University of Delaware
Newark, DE 19716, USA
Email: {jochen,anteneh,pollock}@cis.udel.edu

Lisa M. Marvel
U.S. Army Research Laboratory
Aberdeen Proving Ground, MD 21001, USA
Email: marvel@arl.army.mil

ABSTRACT

Mobile code and agent-based technology is being actively investigated for use within military systems. The use of mobile code in these systems could greatly benefit future defense capabilities; however, one must first establish confidence in the secure deployment and use of mobile code before widespread acceptance of this technology occurs. This is particularly true when a mobile code is permitted to evolve or modify as it moves through a network. Dynamic program transformation or evolution can enable more efficient computation of long running programs on constrained resource hosts by optimizing the computation for the current runtime input, state, and environment. This technology can also potentially provide dynamically updated or modified program functionality. Traditional mobile code validation methods such as checksums and digital signatures will be unable to efficiently meet the security needs of this itinerant, evolving software. New validation methods must be constructed in order to allow future mobile codes to avail themselves of the advantages dynamic program modification may provide while mitigating potential security risks.

We are developing a framework and prototype system to validate mobile, dynamically-transforming code in a manner which enables the system to restrict how the code can transform as it passes through the network. This system will permit modifications to the code based on a user-defined program transformation policy. In this paper, we present the details for our framework to control dynamic program transformation.
This framework is the first step towards making dynamically-transforming software a viable technology for future defense systems.

Index Terms— Mobile code, Dynamic program transformation, Integrity, Program analysis, Computer security

This material is based upon work supported by the National Science Foundation under Grant No. CCR-0219559. Prepared through collaborative participation in the Communications and Networks Consortium sponsored by the U.S. Army Research Laboratory under the Collaborative Technology Alliance Program, Cooperative Agreement DAAD19-01-2-0011. The U.S. Government is authorized to reproduce and distribute reprints for Government purposes notwithstanding any copyright notation thereon.

INTRODUCTION AND MOTIVATION

Mobile code and mobile agent systems can potentially provide a wealth of new functionality, services, and benefits to future defense systems [1]–[3]. The adaptability and functionality of such systems can be increased by utilizing code or agents which evolve or modify during their execution lifetime within a network of computation nodes. Some examples of such capabilities include active networks, intelligent/autonomous agents, automated worm/virus recovery, and intelligent sensor networks [4], [5].

Before mobile code/mobile agent use is considered, one must first establish confidence in the secure deployment and use of such technology [6]–[9]. Failure to do so could result in catastrophic loss or damage to system resources, assets, or capabilities.

Traditional mobile code validation methods such as checksums and digital signatures [10]–[12] will be unable to efficiently meet the security needs of itinerant, dynamically-evolving software; the original signature or checksum becomes invalid immediately after this software evolves or is modified.
New methods for validation must be developed in order to allow mobile codes to avail themselves of the advantages dynamic program modification may provide while mitigating potential security risks in an efficient manner.

This paper explores the kinds of changes that can occur in a mobile code. Changes are classified according to the nature of the change, and the potential ability to detect or to restrict that class of program change. We have used these classifications to guide the design of a framework and prototype system to validate mobile, dynamically-evolving code in a manner which enables the system to restrict how the code can transform as it passes through the network. Our framework will permit modifications to the code based on a user defined security