Access control for mobile agents

Michele Bugliesi, Giuseppe Castagna, Silvia Crafa
2004 ACM Transactions on Programming Languages and Systems  
Boxed Ambients are a variant of Mobile Ambients that result from dropping the open capability, and introducing new primitives for ambient communication. The new model of communication is faithful to the principles of distribution and location-awareness of Mobile Ambients, and complements the constructs in and out for mobility with finer-grained mechanisms for ambient interaction. We introduce the new calculus, study the impact of the new mechanisms for communication on typing and mobility, and show that they yield an effective framework for resource protection and access control in distributed systems.

ity, communication by shared location, and authorization to move based on acquisition of names and capabilities. The ability or inability to cross boundaries, which is conferred by the capabilities in and out, is at the core of the security model underlying MA. Permission to cross ambient boundaries is given by making the name available to the clients requesting access. Names are thus viewed as passwords, or cryptokeys: when embedded in a capability, an ambient name provides the pass that enables the access to, or else the cryptokey that discloses the contents of, that ambient. While MA's model of security is suggestive, and powerful for its simplicity, it does not appear to be fully adequate for modeling realistic access control policies. Security in MA entirely depends on the ability of the naming-based authorization mechanism to filter out unwanted clients: an authorization breach could grant malicious agents full access to all the resources located inside the ambient boundary. An assessment of security and access control in ambient-based calculi is the main motivation for the present paper. The focus of our analysis is on mandatory (i.e., system-wide) access control policies (MAC) within a multilevel security system. In particular, the emphasis is on the specific aspects of MAC policies related to confidentiality, and their different implementations as military security (no read-up, no write-down) and commercial security (no read-up, no write-up). For other calculi of mobility in the literature, notably for Dπ [Riely and Hennessy 1998] and KLAIM [De Nicola et al. 1998], an in-depth study of these aspects has already been conducted [Hennessy and Riely 2002b; 2002a]. Instead, to our knowledge, no attempt in this direction has been made for MA-based calculi.
Our analysis, detailed in the first part of the paper, points out the shortcomings of MA as a formal basis for reasoning about these concepts. In fact, the main difficulties come far ahead of any formal reasoning, because the very meaning of basic notions such as "read access" and "write access" by subjects to objects is difficult to grasp and characterize when looked at from within MA. To overcome these difficulties, we introduce a variant of Mobile Ambients, named Boxed Ambients (BA). Boxed Ambients inherit from MA the primitives in and out for mobility, but not open, and introduce direct primitives for communication across ambient boundaries, between parent and child. This new form of communication fits the design principles of MA, and complements the existing constructs for ambient mobility, and local exchanges, with finer-grained, and more effective, mechanisms for ambient interaction. The resulting calculus retains the computational flavor of MA and the elegance of its formal presentation. On the other hand, the new communication model preserves the flexibility of typed communications from MA, while providing more effective means for reasoning about access control policies. We study two versions of the calculus, based on synchronous and asynchronous communication, respectively. Interestingly, the new model of communication sheds new insight into the relationship between the two forms of interaction. In particular, we show that classical encodings of the asynchronous model in terms of the synchronous one do not carry over to calculi that combine non-local exchanges and dynamic system reconfiguration based on mobility. We complement the definition of the calculus with a study of different type systems. A first type system provides standard safety guarantees for communication. 
A second type system enhances the typing of mobility and develops a new typing technique, based on different typing "modes" for processes, in which processes and their continuations may have different types while still preserving subject reduction. A last type system combines the new technique with a richer class of types to provide for the static detection of violations of MAC policies in a multilevel security environment. All the type systems, and in particular the access control type system, are designed, and proved sound, for both the synchronous and the asynchronous versions of the calculus. Remarkably, the moded typing system is initially motivated by the synchronous semantics but then proves equally effective for the asynchronous calculus that we eventually adopt in our discussion of access control.

Plan. Section 2 presents our analysis of security and access control in MA. Section 3 introduces the calculus of Boxed Ambients. Section 4 details encodings of additional primitives for communication on named channels (BA relies on anonymous channels). Section 5 introduces the basic type system for the calculus. Section 6 compares the typing systems of BA and MA with respect to mobility and communication. Section 7 develops an enhanced type system based on the technique named "moded typing". Section 8 studies the asynchronous version of the calculus. Section 9 develops a sound typing system for static access control, and illustrates its use with several BA programs. Section 10 studies a more extensive example: in particular, it shows that the access control typing system can effectively be employed to specify (and statically enforce) diverse and powerful security policies for a simple, but non-trivial, distributed language. Section 11 compares our approach with related work, and Section 12 concludes with final remarks. Two separate appendices collect the typing rules and the proofs of subject reduction and type soundness.
The paper integrates and extends the results reported in [Bugliesi et al. 2001a] and [Bugliesi et al. 2001b].

MOTIVATIONS FOR BEING BOXED

Mobile Ambients are named processes of the form a[P], where a is a name and P a process. Processes can be composed in parallel, as in P | Q, be replicated, as in !P, exercise a capability, as in M.P, declare local names, as in (νa)P, or simply do nothing, as in 0. Ambients may be nested to form a tree structure that can be dynamically reconfigured by exercising the capabilities in, out and open. In addition, ambients and processes may communicate. Communication is anonymous, and happens inside ambients. The configuration (x)P | ⟨M⟩ represents the parallel composition of two processes: the output process ⟨M⟩ that "drops" the message M, and the input process (x)P that reads the message M and continues as P{x := M}, that is, P where every free occurrence of x has been substituted with M. The open capability has a fundamental interplay with communication: in fact, communication results from a combination of mobility and opening control. To exemplify, the synchronization between the input process (x)P and the output ⟨M⟩ in the system enabled by exercising the capability open b to unleash the message M. While fundamental in MA to enable communication across ambient boundaries, the open capability appears to bring about serious security concerns in distributed applications. Consider a scenario in which a process P running on host h downloads an application program Q from some other host over the network. This situation can be represented by the configuration a[in h.Q] | h[P], where Q is included in the pilot ambient a, which is routed to h in response to the download request from P. As a result of a exercising the capability in h, the system evolves into the new configuration h[a[Q] | P], where the download is completed.
The application program Q may be running and computing within a, but as long as it is encapsulated into a, there is no way that P and Q can effectively interact. To enable these interactions, P will need to dissolve the transport ambient a. Dissolving a produces the new configuration h[P | Q], where now P and Q are granted free access to each other's resources, with the obvious problem that there is no way to tell what Q may do with them. An alternative solution to the above scenario is to treat a as a sandbox and take the Java approach to security: P clones itself and enters the sandbox to interact with Q. Again, however, the kind of interaction between P and Q is not fully satisfactory: either they interact freely within a, or they are isolated from each other.

Here, m is the name of the resource manager and R is the associated process. To access, say, r_i, the agent a needs to know the name m to be able to move inside the resource manager: Looking at this configuration, we notice that the process R does not have an active role in the system, as the interaction between a[P] and r_i may only result from autonomous actions by either the agent or the resource (the same would be true with Levi and Sangiorgi's Safe Ambients [Levi and Sangiorgi 2000]: only the use of a co-action could predicate the move of a into m on the presence of the co-capability in m in R). The role of the ambient m is therefore reduced to the role of its name: it is simply the first password required for the access. Rather, it is each of the r_i's that needs to include its own manager. We can thus formulate the problem in simpler terms, and look directly at the case below: R is the manager for r, and M is the content; for the purpose of the example we assume that the content is a value the agent wants to read.
Having defined the problem, we now look at different ways to attack it in MA and discuss their implications in terms of the security models introduced above.

First solution: agent dissolution.

A first solution is based on the following protocol, proposed in [Cardelli and Gordon 1998]. In order to access r, a first enters r: Now, the idea of the protocol is that the manager R should be the process !open p, which unleashes authorized clients that entered the resource within a pilot ambient named p. In other words, the protocol requires the client to know the name of the resource, as well as the name of the "port" p used for the access. Thus, the agent would first rename itself to p to comply with the rules of the protocol, and then enter: if the access to r is a read, the agent will contain a reading process. Thus, after renaming, the new configuration would be as follows: Finally, the resource manager enables the read, by opening p: The protocol is elegant and robust: there are two passwords the agent needs to know, the resource name r and the name of the port p. There are, however, a number of unsatisfactory aspects to it. A first reason for being unsatisfied with the protocol is that it is hardly realistic to assume that agents willing to read a value should be prepared to be dissolved. A second problem is that opening p[P] may be upsetting to the resource manager, or else to the resource itself, because there is no telling what P might do once unleashed. For all we know, the contents of p could very well be the process N.P, with N a path of in or out capabilities. Unleashing this process inside r could thus result in r being carried away to possibly hostile locations, or otherwise being made unavailable to forthcoming clients. Further problems arise when we try to classify the protocol according to the MAC security principles.
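The two configurations discussed above, the download a[in h.Q] | h[P] and the first-solution protocol in which the manager opens the incoming pilot, can be replayed with the small reducer below. It is an added example, not code from the paper: it implements only the in and open reduction rules of MA (out, communication and replication are left out, so the manager's !open p is approximated by a single open p), and the names hostile, download and pilot_abduction are constructed for the illustration.

```python
# Added example, not code from the paper: a reducer for the Mobile Ambients fragment that
# the two scenarios above use (in and open; out, communication and replication are omitted).
# Terms: ("amb", n, [P..]) is n[P1|..|Pk]; ("in"|"open", n, [P..]) is cap n.(P1|..|Pk);
# ("proc", x) is an inert process named x. A configuration is a list of parallel terms.
def amb(n, *ps): return ("amb", n, list(ps))
def cap(kind, n, *ps): return (kind, n, list(ps))
def proc(x): return ("proc", x)

def show(ps):  # render a configuration in the paper's notation, e.g. "h[a[Q] | open a.P]"
    cont = lambda qs: "0" if not qs else show(qs) if len(qs) == 1 else "(" + show(qs) + ")"
    return " | ".join(p[1] if p[0] == "proc" else p[1] + "[" + show(p[2]) + "]" if p[0] == "amb"
                      else p[0] + " " + p[1] + "." + cont(p[2]) for p in ps)

def find(procs, n):  # index of the first sibling ambient named n, or -1 if there is none
    return next((i for i, p in enumerate(procs) if p[0] == "amb" and p[1] == n), -1)

def step(procs):
    """Fire the first enabled reduction; return (new_config, rule) or (procs, None)."""
    others = lambda *idx: [q for t, q in enumerate(procs) if t not in idx]
    for i, p in enumerate(procs):
        if p[0] == "open" and find(procs, p[1]) >= 0:           # open n.P | n[Q]  ->  P | Q
            j = find(procs, p[1])
            return others(i, j) + p[2] + procs[j][2], "open " + p[1]
        if p[0] == "amb":
            for k, c in enumerate(p[2]):                           # n[in m.P | Q] | m[R]  ->  m[n[P | Q] | R]
                if c[0] == "in" and find(procs, c[1]) not in (-1, i):
                    j, rest = find(procs, c[1]), p[2][:k] + p[2][k + 1:]
                    return others(i, j) + [amb(c[1], amb(p[1], *c[2], *rest), *procs[j][2])], "in " + c[1]
    for i, p in enumerate(procs):                                  # no redex at this level: try inside an ambient
        if p[0] == "amb":
            body, rule = step(p[2])
            if rule:
                return procs[:i] + [amb(p[1], *body)] + procs[i + 1:], rule
    return procs, None

def run(procs):  # reduce to normal form; return (final_config, rules fired in order)
    trace = []
    procs, rule = step(procs)
    while rule:
        trace.append(rule)
        procs, rule = step(procs)
    return procs, trace

# Download scenario a[in h.Q] | h[open a.P]: P opens a to interact with Q; nothing then separates them in h.
def download():
    return run([amb("a", cap("in", "h", proc("Q"))), amb("h", cap("open", "a", proc("P")))])

# First solution misused: the pilot p carries a path, not a reader; once the manager opens p, "in hostile"
# runs inside r itself and moves the whole resource (and its content M) into hostile[].
def pilot_abduction():
    return run([amb("p", cap("in", "r", cap("in", "hostile"))),
                amb("r", cap("open", "p"), proc("M")), amb("hostile")])
```

Running download() yields h[P | Q] after "in h" and "open a", while pilot_abduction() ends in hostile[r[M]]: the resource r, and not merely its content, has been carried away by the process it unleashed.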
As we noted, the action in the protocol that eventually enables the read is taken by the resource manager, which opens the incoming agent. In other words, it is the last step of the protocol that effectively determines the access to the resource, and since the process enclosed in p is an input process, it is classified as a read access (had p contained an output, this would have been a write access). In multilevel security, it would then be possible to further classify the access according to the security levels associated with r and p, and use that definition to enforce either the military or the commercial security policy. However, while this form of classification fits the protocol, it becomes rather artificial when applied to the primitives of the calculus. Indeed, saying that open p | p[P] is a read (or write) by P is rather counter-intuitive, as p[P] undergoes the action rather than actively participating in it. The problem is that the protocol is entirely dependent on the effects of open, but when exercised to enable a read/write request, open exchanges the roles of the two participants in the request, as it is the subject, rather than the object, that is accessed (in fact, opened). As a result, the notion of read/write access becomes rather artificial.

2.1.2 Second solution: resource dissolution.

An alternative solution can be obtained by a change of perspective. One could devise a different protocol where the active role of the subject is rendered by a combination of open and input/output. Thus, for instance, the process open r.(x)P could be interpreted, in the protocol, as a read request on r. This might work reasonably for read requests, even though the interpretation is still weak, as the access also has the side-effect of dissolving the resource. Even weaker would be the interpretation of open r.⟨M⟩ as a write: after dissolving r, the output ⟨M⟩ really has nothing to do with a write on r.
2.1.3 Third solution: agents and messengers.

To avoid indiscriminate dissolution upon read and write, Cardelli and Gordon [Cardelli and Gordon 1998] suggest a different approach, based on a protocol in which agents use special ambients acting as messengers to communicate. The idea is to envisage two classes of messengers:

would be only one remaining problem, which can be observed by examining the protocol structure and evolution. From the initial configuration

a[open o.(x)P | i[N.(x)o[N^-1.⟨x⟩]]] | r[!open i | ⟨M⟩]

via a sequence of reductions the input messenger reaches its destination, it is opened there, and consumes M. At this stage, the structure of the system is: This is the encoding of a write by r to a. In other words, a read by a includes a write by r: if the former is, say, a read-up, then the latter is a write-down. In other words, the protocol somehow has the effect of merging read-ups and write-downs, and dually, write-ups and read-downs. Therefore, military security could still be accounted for with this approach, while commercial security could not.

Summary and Assessment
doi:10.1145/963778.963781