Things that Go Bump in the Net

This is a brief look at some of the more colorful characters in the
menagerie of network security threats, with an emphasis on how they relate
to agent-based systems. The Massively Distributed Systems group in IBM
Research conducts research into these and other emergent concerns in future
distributed systems.
----------------------------------------------------------------------------

Trojan horses

A Trojan horse is a program that does something that the programmer
intended, but the user would not approve of if he knew about it in advance.
Because most current security systems are based primarily on user-level
privilege rather than program-level privilege, any program that you run can
read any object you have read-access to, write to any object that you have
write-access to, and execute any program or command that you are authorized
to execute.

A Trojan horse concealed in a random game program downloaded from your
favorite newsgroup can read any file you have read access to, and mail it
anywhere in the world. It can erase, or just shuffle around a few bytes in,
any file you can write to. It can send obscene messages to the White House,
or post embarrassing things to random newsgroups.

And it can copy itself into any program that you have write access to (see
Viruses and Worms below).

In a mobile-agent system, it is critical to ensure that arriving agents
execute in a controlled environment, and are able to do only those things
that they are authorized to do. Agents should be trusted only as far as the
least-trusted entity that may have been able to alter the program or
internal state of the agent; secure authentication methods (such as digital
signatures) must be used carefully when it is necessary to establish the
real author or sender of an agent. See Itinerant Agents for Mobile Computing
for some related security considerations in these sorts of systems.
----------------------------------------------------------------------------

Viruses and Worms

A virus is a program (generally a Trojan horse) that spreads, by making
copies of itself in one way or another. In the microcomputer environment,
viruses generally spread by writing copies of themselves into other
programs, or into boot records of disks and diskettes. (For more information
on computer viruses in PC-compatible machines, see the IBM Computer Virus
Information Center.)

A worm in a networked environment is generally a self-sufficient program
that spreads by spawning copies of itself on other hosts in the network. One
famous worm caused great disruption on the Internet in 1988. There is no
hard line between viruses and worms; in general, if the spreading entity is
a self-sufficient program, it will be called a worm, whereas if it embeds
itself inside other programs or boot code, it will be called a virus.

Can a virus spread between agents in a mobile-agent system? So far, the
consensus seems to be that there is no particular reason to allow one agent
to alter the code of another already-existing agent. If the agent
infrastructure does not allow this, no virus will be able to spread from
agent to agent. On the other hand, if the infrastructure accidentally or
purposely does allow one agent to alter another, inter-agent viruses will be
possible.

Are worms possible in mobile-agent systems? If one agent can create another
agent, the possibility of runaway worm reproduction exists. Agent
reproduction must be controlled in one way or another to limit the
possibility; if agents can create other agents, they must be charged in some
scarce currency, or limited in how large their tree of descendants can get,
or otherwise kept from having children and grandchildren without bound.
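
The two controls named above (charging for each child in a scarce currency,
and capping the tree of descendants) can be sketched as follows. This is an
added example, not code from the original page or from any IBM agent system;
the Host class, the credit unit, SPAWN_COST and MAX_DEPTH are all assumptions
made for illustration.

```python
from dataclasses import dataclass, field

SPAWN_COST = 10   # assumed price the host charges for each child created
MAX_DEPTH = 3     # assumed cap on generations below an admitted agent

class SpawnDenied(Exception):
    """The host refused to create a child agent."""

@dataclass
class Agent:
    name: str
    credits: int
    depth: int = 0
    children: list = field(default_factory=list)

class Host:
    """Hypothetical host through which every agent creation must pass."""
    def __init__(self):
        self.collected = 0    # credits taken out of circulation by spawn fees

    def spawn(self, parent, name, endowment):
        # The child's credits are deducted from the parent; the host never
        # mints credits, so a lineage's total balance can only shrink.
        if endowment < 0 or parent.credits < SPAWN_COST + endowment:
            raise SpawnDenied("insufficient credits")
        if parent.depth + 1 > MAX_DEPTH:
            raise SpawnDenied("generation limit reached")
        parent.credits -= SPAWN_COST + endowment
        self.collected += SPAWN_COST
        child = Agent(name, endowment, parent.depth + 1)
        parent.children.append(child)
        return child

def total_credits(agent):
    """Credits still held anywhere in the tree rooted at this agent."""
    return agent.credits + sum(total_credits(c) for c in agent.children)

def runaway(host, agent):
    """Constructed worst case: each agent spawns until refused, handing every
    child half of its spare credits. Returns the number of agents created."""
    created = 0
    while True:
        endowment = max(0, (agent.credits - SPAWN_COST) // 2)
        try:
            child = host.spawn(agent, agent.name + ".c", endowment)
        except SpawnDenied:
            return created
        created += 1 + runaway(host, child)
```

Because every spawn removes SPAWN_COST credits from circulation and none are
ever minted, an agent admitted with B credits can never have more than
B // SPAWN_COST descendants, however it divides its balance among them.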
----------------------------------------------------------------------------

Flash Crowds

The term Flash Crowd was first used by Larry Niven, in a science fiction
short story. In the story, cheap local teleportation has become possible;
now, the sites of attractive news stories are instantly inundated with
rubberneckers teleporting in to watch.

As systems become more interconnected and more powerful, we have the
equivalent of cheap teleportation; if a Web site becomes known as
particularly interesting, its usage curve can go exponential, causing
network bottlenecks and server crashes. In networks of agents, a vast number
of similarly-programmed agents, like a horde of similarly-programmed trading
programs causing a market crash, can cause network congestion and server
overload. And if the agents all adopt similar fallback strategies in
response to overload, the flash crowd can migrate from server to server on
the net, leading to surging hard-to-remedy travelling overloads.
----------------------------------------------------------------------------

Weeds, Freeloaders and Flying Dutchmen

A weed is a program (or anything else in a system) that does no one any
good, but that uses such a small amount of resources that it's often not
cost-effective to do anything about it. Eventually, weeds start to
accumulate, and it's time to get out the clippers. Or the herbicide.

A freeloader is a program that uses some system or server resources to
survive and possibly benefit its creator, without paying for them. Servers
may provide some minimal service for free, in order to attract paying
customers, or unintentionally, as an unintended effect of complex cost
structures; there may be ways to arrange for some transaction charges,
especially small ones, to be lost in the shuffle. A freeloader exploits
these sorts of things to operate free of charge.

Named for the legendary ghost-ship, a Flying Dutchman is a freeloader that
manages to become effectively immortal, without paying for the resources
that it uses to survive. A Flying Dutchman may move from host to host, never
quite using enough resources to be killed; it may spawn a copy of itself on
another host just before it is terminated, ensuring an unending gene-line.

A Zombie is similar to a Flying Dutchman; it is a program that has been
terminated, but continues to consume some resources anyway, due to
(sometimes infinite) delays in cleaning up all the resources associated with
it. Zombies can sometimes get enough resources to do actual processing; more
often, they exist only as the undead owners of various kinds of space.

A single freeloading or immortal program will not in itself damage a
distributed system, and we anticipate that a typical agent-based system will
tolerate a low level of freeloading. An analogy is to physical stores, which
will tolerate a certain number of people coming in to get out of the rain
and using the restrooms, on the chance that they may eventually buy
something.

Uncontrolled, a large number of weeds can waste significant amounts of
system resources; distributed systems will need the ability to monitor this
sort of activity, and impose controls if it gets out of hand. Requests from
known freeloaders may be charged for, even in cases that are normally free.
Intelligent monitoring processes may be needed to identify and terminate
intentionally or accidentally immortal programs that are serving no useful
purpose. Other sorts of weeds will no doubt require other sorts of
solutions; the unexpected is likely.
----------------------------------------------------------------------------

The Usual Suspects

As well as these new and somewhat speculative threats, most of the
traditional computer-security worries, such as basic access control,
authentication, secure encryption, and so on, also apply to network and
agent security. IBM Research has various other security-related projects. Or
follow this link for some good leads on both traditional and non-traditional
computer security topics in the rest of the universe.
----------------------------------------------------------------------------
David Chess, [email protected]

Thanks to Gene Spafford at Purdue, whose talk "Viruses, Worms, and Things
that go Bump in the Net" may have inspired the title for this page; tricky
things, replicators!
----------------------------------------------------------------------------