|
Things that Go Bump in the Net This is a brief look at some of the more colorful characters in the menagerie of network security threats, with an emphasis on how they relate to agent-based systems. The Massively Distributed Systems group in IBM Research conducts research into these and other emergent concerns in future distributed systems. ---------------------------------------------------------------------------- Trojan horses A Trojan horse is a program that does something that the programmer intended, but the user would not approve of if he knew about it in advance. Because most current security systems are based primarily on user-level privilege rather than program-level privilege, any program that you run can read any object you have read-access to, write to any object that you have write-access to, and execute any program or command that you are authorized to execute. A Trojan horse concealed in a random game program downloaded from your favorite newsgroup can read any file you have read access to, and mail it anywhere in the world. It can erase, or just shuffle around a few bytes in, any file you can write to. It can send obscene messages to the White House, or post embarassing things to random newsgroups. And it can copy itself into any program that you have write access to (see Viruses and Worms below). In a mobile-agent system, it is critical to ensure that arriving agents execute in a controlled environment, and are able to do only those things that they are authorized to do. Agents should be trusted only as far as the least-trusted entity that may have been able to alter the program or internal state of the agent; secure authentication methods (such as digital signatures) must be used carefully when it is necessary to establish the real author or sender of an agent. See Itinerant Agents for Mobile Computing for some related security considerations in these sorts of systems. ---------------------------------------------------------------------------- Viruses and Worms A virus is a program (generally a Trojan horse) that spreads, by making copies of iteslf in one way or another. In the microcomputer environment, viruses generally spread by writing copies of themselves into other programs, or into boot records of disks and diskettes. (For more information on computer viruses in PC-compatible machines, see the IBM Computer Virus Information Center.) A worm in a networked environment is generally a self-sufficient program that spreads by spawning copies of itself on other hosts in the network. One famous worm caused great disruption on the Internet in 1988. There is no hard line between viruses and worms; in general, if the spreading entity is a self-sufficient program, it will be called a worm, whereas if it embeds itself inside other programs or boot code, it will be called a virus. Can a virus spread between agents in a mobile-agent system? So far, the consensus seems to be that there is no particular reason to allow one agent to alter the code of another already-existing agent. If the agent infrastructure does not allow this, no virus will be able to spread from agent to agent. On the other hand, if the infrastructure accidentally or purposely does allow one agent to alter another, inter-agent viruses will be possible. Are worms possible in mobile-agent systems? If one agent can create another agent, the possibility of runaway worm reproduction exists. Agent reproduction must be controlled in one way or another to limit the possibility; if agents can create other agents, they must be charged in some scarce currency, or limited in how large their tree of descendants can get, or otherwise kept from having children and grandchildren without bound. ---------------------------------------------------------------------------- Flash Crowds The term Flash Crowd was first used by Larry Niven, in a science fiction short story. In the story, cheap local teleportation has become possible; now, the sites of attractive news stories are instantly innundated with rubberneckers teleporting in to watch. As systems become more interconnected and more powerful, we have the equivalent of cheap teleportation; if a Web site becomes known as particularly interesting, its usage curve can go exponential, causing network bottlenecks and server crashes. In networks of agents, a vast number of similarly-programmed agents, like a horde of similarly-programmed trading programs causing a market crash, can cause network congestion and server overload. And if the agents all adopt similar fallback strategies in response to overload, the flash crowd can migrate from server to server on the net, leading to surging hard-to-remedy travelling overloads. ---------------------------------------------------------------------------- Weeds, Freeloaders and Flying Dutchmen A weed is a program (or anything else in a system) that does no one any good, but that uses such a small amount of resources that it's often not cost-effective to do anything about it. Eventually, weeds start to accumulate, and it's time to get out the clippers. Or the herbicide. A freeloader is a program that uses some system or server resources to survive and possibly benefit its creator, without paying for them. Servers may provide some minimal service for free, in order to attract paying customers, or unintentionally, as an unintended effect of complex cost structures; there may be ways to arrange for some transaction charges, especially small ones, to be lost in the shuffle. A freeloader exploits these sorts of things to operate free of charge. Named for the legendary ghost-ship, a Flying Dutchman is a freeloader that manages to become effectively immortal, without paying for the resources that it uses to survive. A Flying Dutchman may move from host to host, never quite using enough resources to be killed; it may spawn a copy of itself on another host just before it is terminated, ensuring an unending gene-line. A Zombie is similar to a Flying Dutchman; it is a program that has been terminated, but continues to consume some resources anyway, due to (sometimes infinite) delays in cleaning up all the resources associated with it. Zombies can sometimes get enough resources to do actual processing; more often, they exist only as the undead owners of various kinds of space. A single freeloading or immortal program will not in itself damage a distributed system, and we anticipate that a typical agent-based system will tolerate a low level of freeloading. An analogy is to physical stores, which will tolerate a certain number of people coming in to get out of the rain and using the restrooms, on the chance that they may eventually buy something. Uncontrolled, a large number of weeds can waste significant amounts of system resources; distributed systems will need the ability to monitor this sort of activity, and impose controls if it gets out of hand. Requests from known freeloaders may be charged for, even in cases that are normally free. Intelligent monitoring processes may be needed to identify and terminate intentionally or accidentally immortal programs that are serving no useful purpose. Other sorts of weeds will no doubt require other sorts of solutions; the unexpected is likely. ---------------------------------------------------------------------------- The Usual Suspects As well as these new and somewhat speculative threats, most of the traditional computer-security worries, such as basic access control, authentication, secure encryption, and so on, also apply to network and agent security. IBM Research has various other security-related projects. Or follow this link for some good leads on both traditional and non-traditional computer security topics in the rest of the universe. ---------------------------------------------------------------------------- David Chess, chess@watson.ibm.com Thanks to Gene Spafford at Purdue, whose talk "Viruses, Worms, and Things that go Bump in the Net" may have inspired the title for this page; tricky things, replicators! ----------------------------------------------------------------------------