The Sanctuary mobile code system includes security mechanisms for
protecting mobile agents from malicious servers as well as mechanisms for
protecting mobile agent servers from malicious mobile code. To protect remotely
executed mobile code, we integrate several key approaches: (1) security
attributes certification to enable mobile code to avoid nodes in the
agent-server network that are untrustworthy, as determined by user-centric
security policies; (2) forward secure cryptography to improve detection of
malicious tampering by servers; and (3) defining separate roles for agent
author and agent owner, which justifies restricted delegation and external
reference monitors with owner-provided agents to limit potential damage caused
by buggy or compromised agent code. Simply put, we enable mobile code to avoid
trouble when possible, and to detect trouble when it is unavoidable. We
examine security-aware itinerary planning as a means to supplement these
approaches, and describe our analysis of this problem. Our server uses well-known
approaches to defend itself from malicious code, and custom extensions
that address the security needs of the mobile code itself. This paper
describes our mechanisms and how they are integrated into the Sanctuary mobile
code system.
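The forward-secure tamper detection mentioned in point (2) can be illustrated with a small key-evolution scheme. The following is an added example written for this page, not code from the Sanctuary system or the paper's authors; the hop-indexed HMAC, the SHA-256 key update, the `Agent` class and the constructed `quote=...` results are all assumptions made for illustration. The owner keeps the initial key K_0, the agent MACs each hop's result with the current key and then replaces that key with a one-way hash of itself, so a server compromised at hop i holds K_i onward but cannot recompute earlier keys and therefore cannot rewrite earlier entries without detection.

```python
import hashlib
import hmac
import os

# Added example, not Sanctuary's own code: a forward-secure MAC chain over the
# results an agent collects at each server. The key used at hop i is erased
# after use and replaced by H(K_i); a server compromised at hop i therefore
# learns K_i onward but cannot recompute K_0..K_{i-1}, so edits to earlier
# entries are detected when the owner (who keeps K_0) verifies the log.

DOMAIN = b"sanctuary-example-key-evolution|"   # constructed domain separator


def evolve_key(key: bytes) -> bytes:
    """One-way key update: K_{i+1} = H(domain || K_i)."""
    return hashlib.sha256(DOMAIN + key).digest()


def mac(key: bytes, hop: int, result: bytes) -> bytes:
    """HMAC over (hop index, result) so entries cannot be reordered."""
    return hmac.new(key, hop.to_bytes(4, "big") + result, hashlib.sha256).digest()


class Agent:
    """State carried by the agent: the current key, hop counter and result log."""

    def __init__(self, initial_key: bytes):
        self.key = initial_key
        self.hop = 0
        self.log = []  # entries of (hop, result, tag)

    def record(self, result: bytes) -> None:
        """Authenticate this hop's result, then erase the key used for it."""
        self.log.append((self.hop, result, mac(self.key, self.hop, result)))
        self.key = evolve_key(self.key)
        self.hop += 1


def verify_log(initial_key: bytes, log, expected_hops: int) -> str:
    """Owner-side check. Returns 'ok' or a short description of the first problem."""
    if len(log) != expected_hops:
        return f"truncated: expected {expected_hops} entries, got {len(log)}"
    key = initial_key
    for i, (hop, result, tag) in enumerate(log):
        if hop != i or not hmac.compare_digest(tag, mac(key, hop, result)):
            return f"bad entry at hop {i}"
        key = evolve_key(key)
    return "ok"


def run_scenario() -> dict:
    """Honest run, a compromised server rewriting an earlier hop, and a truncated log."""
    k0 = os.urandom(32)
    agent = Agent(k0)
    for result in [b"quote=10", b"quote=12", b"quote=9"]:   # constructed results
        agent.record(result)
    honest = verify_log(k0, agent.log, expected_hops=3)

    # Server at hop 2 is malicious. It legitimately received K_2 and can derive
    # later keys, but not K_0, so its best effort at forging hop 0 uses K_2.
    k2 = evolve_key(evolve_key(k0))
    forged = list(agent.log)
    forged[0] = (0, b"quote=99", mac(k2, 0, b"quote=99"))
    tampered = verify_log(k0, forged, expected_hops=3)

    # Forward security does not by itself stop a server from dropping the most
    # recent entries; the owner's expected hop count is what catches that.
    truncated = verify_log(k0, agent.log[:-1], expected_hops=3)
    return {"honest": honest, "tampered": tampered, "truncated": truncated}


if __name__ == "__main__":
    print(run_scenario())
```

The truncation case is the caveat a practitioner should keep in mind: key evolution protects the integrity of entries already written, but a server that simply discards the tail of the log leaves nothing for the MAC chain to reject, so the owner needs an independent expectation of the itinerary length (or a final hop signature) to notice it.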
Pre-2018 CSE ID: CS2002-0731