Security in Agent Systems

1.4 Programs to Strangers

If I've written an agent that embodies a clever stock-trading algorithm that I just invented, how willing should I be to send it off into the net to execute? System administrators need to protect their systems against malicious agents; can we also offer the writers and users of itinerant agents some protection against malicious servers? The obvious encryption techniques can prevent anyone but the intended recipient server from reading the agent. But what if the intended recipient itself is not completely trusted? What if I want to have my agent run on some server that I saw advertised in the personals column?

This is a difficult problem for a number of reasons. The server must be able to read the agent's code, and any data that it uses, in order for the agent to execute; so the agent will have a hard time guarding any secret data or algorithms. It can use public-key encryption to encrypt information found on one server, to protect that information from servers that it may run on in the future, but only at the cost of no longer being able to read that information itself. It can deliver it, and it can read it once it arrives at a place where the corresponding private key is available to it, but while it is travelling in untrusted places, all the secret information that it carries must be hidden from it.

If the agent is to be able to learn from experience, the server must also be able to change the agent's data before sending it on. While the author of a piece of agent code can digitally sign the code itself, the agent's data and process-state information cannot be signed in advance; if we knew what it was going to do in advance, there'd be no reason to send it out! The main entity that can sign an agent's state information is the server that the agent was on when it reached that state.
So an agent that has been roaming around a network through a number of hops may have a program signed by one principal, and a record of state changes signed by a number of intermediate servers. It may be a complex task to determine how much such an agent should be trusted, especially if some of the entities that have signed it are unknown. To make matters worse, since the agent itself cannot carry any secrets, such as private cryptographic keys, it cannot itself sign any messages it might want to send, or changes it might want to make in itself: any server that watched it execute would learn the key and could forge that signature on other objects. Research in this area of agent security is just starting [8], and it is likely to remain an interesting field for some time.
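The arrangement this section describes (author-signed code, per-hop state signed by the server that produced it, data sealed to a key the agent does not carry, and a home system left to decide how far to trust unknown signers) is concrete enough to run. The following is an added example written for this page, not code from the original paper or its authors. It picks Ed25519 for the signatures and RSA-OAEP for the sealing as stand-ins for the unspecified "digital signature" and "public-key encryption" of the text; the hop digest that chains each server's signature to the previous hop's signature is this example's own design; and the server names "alpha" and "beta", the trading-rule string and the quoted prices are constructed sample data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Hop: a server's finding sealed to the owner's RSA key, plus its signature over (code, previous hop's signature, sealed data).
type Hop struct {
	Server    string
	ServerPub ed25519.PublicKey
	Sealed    []byte
	Sig       []byte
}

// Agent carries only public keys: any server it runs on could read a private one.
type Agent struct {
	Code      []byte
	AuthorPub ed25519.PublicKey
	CodeSig   []byte // fixed by the author before departure
	OwnerPub  *rsa.PublicKey
	Hops      []Hop // state changes, each signed by the server that made them
}

// hopDigest hex-encodes and quotes each field so the concatenation is unambiguous.
func hopDigest(code, prevSig []byte, server string, sealed []byte) []byte {
	d := sha256.Sum256([]byte(fmt.Sprintf("%x|%x|%q|%x", code, prevSig, server, sealed)))
	return d[:]
}

// RunOn stands in for a hosting server: check the author's signature, run (here: produce one finding),
// seal it so later servers and the agent itself cannot read it, then sign the new state.
func (a *Agent) RunOn(server string, serverPriv ed25519.PrivateKey, finding string) error {
	if !ed25519.Verify(a.AuthorPub, a.Code, a.CodeSig) {
		return errors.New("refusing to run: code signature invalid")
	}
	sealed, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, a.OwnerPub, []byte(finding), nil)
	if err != nil {
		return err
	}
	var prev []byte
	if n := len(a.Hops); n > 0 {
		prev = a.Hops[n-1].Sig
	}
	a.Hops = append(a.Hops, Hop{Server: server, ServerPub: serverPriv.Public().(ed25519.PublicKey),
		Sealed: sealed, Sig: ed25519.Sign(serverPriv, hopDigest(a.Code, prev, server, sealed))})
	return nil
}

// Verify runs at home: check the author's signature, walk the hop chain and report which signers are
// not in the trusted set. The chain proves who vouched for what; how far to trust them is the caller's call.
func (a *Agent) Verify(trusted map[string]ed25519.PublicKey) (unknown []string, err error) {
	if !ed25519.Verify(a.AuthorPub, a.Code, a.CodeSig) {
		return nil, errors.New("code signature invalid")
	}
	var prev []byte
	for i, h := range a.Hops {
		if !ed25519.Verify(h.ServerPub, hopDigest(a.Code, prev, h.Server, h.Sealed), h.Sig) {
			return nil, fmt.Errorf("hop %d (%s): state signature invalid", i, h.Server)
		}
		if pub, ok := trusted[h.Server]; !ok || !pub.Equal(h.ServerPub) {
			unknown = append(unknown, h.Server)
		}
		prev = h.Sig
	}
	return unknown, nil
}

// Scenario (constructed data): trusted server "alpha", unknown server "beta", findings opened with the
// owner's key that stayed home, then beta rewriting alpha's hop.
func Scenario() (findings, unknown []string, tamperErr, err error) {
	authorPub, authorPriv, _ := ed25519.GenerateKey(rand.Reader)
	alphaPub, alphaPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, betaPriv, _ := ed25519.GenerateKey(rand.Reader)
	ownerPriv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, nil, err
	}
	code := []byte("if price(ACME) < 42: buy(100)")
	agent := &Agent{Code: code, AuthorPub: authorPub, CodeSig: ed25519.Sign(authorPriv, code), OwnerPub: &ownerPriv.PublicKey}
	errA := agent.RunOn("alpha", alphaPriv, "alpha: quote ACME 41.20")
	errB := agent.RunOn("beta", betaPriv, "beta: quote ACME 41.35")
	trusted := map[string]ed25519.PublicKey{"alpha": alphaPub}
	unknown, errs := agent.Verify(trusted)
	for _, h := range agent.Hops { // only the owner's private key can open what the servers sealed
		pt, e := rsa.DecryptOAEP(sha256.New(), rand.Reader, ownerPriv, h.Sealed, nil)
		findings, errs = append(findings, string(pt)), errors.Join(errs, e)
	}
	agent.Hops[0].Sealed[0] ^= 1 // beta edits alpha's hop in place; alpha's signature no longer matches
	_, tamperErr = agent.Verify(trusted)
	return findings, unknown, tamperErr, errors.Join(errA, errB, errs)
}

func main() {
	fmt.Println(Scenario())
}
```

Two caveats worth keeping in mind when reading the output. The chain catches a later server rewriting an earlier hop, because the earlier server's signature covers that hop and the next hop's signature covers the earlier signature; it does not catch a server simply dropping the most recent hops, and it says nothing about whether a server ran the code honestly or reported a true quote. What comes home is exactly what the section promises: a list of who vouched for which state, with "beta" flagged as a signer nobody at home has heard of, and the trust decision still to be made.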