A Secure Mobile Agents Platform

Leila Ismail
College of IT, United Arab Emirates University
P.O.Box 17551, Al-Ain, United Arab Emirates
Email: leila@uaeu.ac.ae

Abstract—Mobile agents are a new paradigm for distributed computing, in which security is essential to the acceptance of the paradigm in a large-scale distributed environment. In this paper, we propose protection mechanisms for mobile agents. In these mechanisms, the authentication of mobile agents and the access control to the system resources are controlled by the mobile-agents platform. Each agent defines its own access control policy with regard to other agents using an Interface Definition Language (IDL), thus enforcing modularity and easing the programming task. An evaluation of these mechanisms has been conducted. The measurements give the overhead that the proposed protection mechanisms add to the performance of mobile agents. Important advantages of our protection mechanisms are their transparency to agents and the portability of non-secure applications onto a secure environment. A mobile agent system and the protection mechanisms have been implemented. Our experiments have shown the feasibility and the advantages of our mechanisms.

Index Terms—Mobile agents, security, authentication, access control

I. INTRODUCTION

Mobile-agents technology has emerged to build distributed computing over the Internet [1]. A mobile agent is a process with its own code and data that can migrate in the network from one node (called an agent server) to another to perform a specific task on behalf of its user. Mobile agents representing different users on a global network can meet and interact with other agents while migrating in the network. A mobile-agents platform is a distributed middleware that is responsible for creating, executing, migrating, sending, receiving and destroying mobile agents. It also provides communication facilities between mobile agents ([2], [3]).

As mobile agents are intended to be used over large-scale distributed systems [4], security becomes an essential issue to resolve. When received over the network by host servers, a mobile agent must not access resources that it is not authorized to access. Receiving hosts need the assurance that a received mobile agent is not malicious. Also, other mobile agents running on the host servers need the assurance of whom they are communicating with, so that they can give appropriate access rights. Once received by host servers, a mobile agent can invoke objects exported either by the servers or by other agents running on these servers. In this context, protection has become an extremely important issue: nobody will use the mobile-agent paradigm if there are no protection mechanisms which assure the host server and the other agents running on this server that the mobile agent will not damage information of the server and of the other agents.

Java [5] is probably the best known runtime environment which provides facilities for implementing mobile-code based applications and protection mechanisms. The Java compiler generates bytecode which is interpreted by the Java virtual machine, thus enabling code transfer between heterogeneous hosts. From a protection perspective, the main advantage of Java is the implementation of a sandbox [6] which limits the instructions and consequently the resources used by mobile code. The Java sandbox is responsible for protecting a number of resources at a number of levels: memory, file system and disk. The memory is protected because the Java language is type-safe, which means that the Java language does not allow the use of virtual addresses. The file system and the disk are protected through the use of an access control mechanism based on a policy file.
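
An illustration of the kind of policy file referred to above, added here as an example and not taken from the paper. All paths, host names and the keystore alias are constructed placeholders; each grant entry is keyed on where the code was loaded from (codeBase) and, optionally, on who signed it (signedBy).

```conf
// Constructed example of a Java sandbox policy file (not from the paper).
// Every path, URL and alias below is a placeholder.

// Keystore holding the certificates referenced by "signedBy" aliases.
keystore "file:/opt/agentserver/server.jks", "JKS";

// The agent server's own classes are fully trusted.
grant codeBase "file:/opt/agentserver/lib/-" {
    permission java.security.AllPermission;
};

// Code downloaded from this site may only read its inbox directory
// and open outgoing connections back to the site it came from.
grant codeBase "http://agents.example.org/classes/-" {
    permission java.io.FilePermission "/var/agents/inbox/-", "read";
    permission java.net.SocketPermission "agents.example.org:1024-", "connect";
};

// Code from a partner site that is also signed by the key stored under
// the alias "partnerCA" gets read/write access to a shared directory.
grant signedBy "partnerCA", codeBase "http://partner.example.net/agents/-" {
    permission java.io.FilePermission "/var/agents/shared/-", "read,write";
    permission java.util.PropertyPermission "user.name", "read";
};

// Code matching none of the entries above receives no file or
// network permissions at all: the sandbox default is to deny.
```

The Security Manager that enforces such policy files was deprecated for removal in Java 17 (JEP 411) and is permanently disabled as of JDK 24 (JEP 486), so the file shows the mechanism as it existed when the paper was written.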

However, the language does not provide mechanisms for mobile agents and servers to define different rights for different mobile agents based on authentication, to allow these rights to evolve dynamically during communication and execution, and to move with agents during migration.

To allow dynamic exchange of access rights in a flexible way between cooperating agents, we have proposed that agents use capabilities for access control ([7], [9]). In this initial proposal of protection, the mobility characteristic of an agent was not considered. In particular, when moving from one server host to another, an agent needs to carry its capabilities with it and to export them for other agents running on the destination server. An evaluation of feasibility and advantages in a real mobile-agents system was not done. Furthermore, to exchange initial capabilities, mobile agents must authenticate each other. An initial capability could include the minimum access rights to be given to the agent. More capabilities can be granted dynamically while agents are communicating. Our recent work on network authentication for a mobile-agents system [10] authenticates the sender network node of the mobile agent and does not include fine-grained authentication of mobile agents, so that different capabilities can be granted to different authenticated agents coming from the same network node.

In this paper, we propose protection mechanisms, where mobile agents can define and grant different access

JOURNAL OF COMMUNICATIONS, VOL. 3, NO. 2, APRIL 2008
© 2008 ACADEMY PUBLISHER