Deutsches Forschungszentrum für Künstliche Intelligenz GmbH
Research Report RR-02-02
Secure Mobile Multiagent Systems In Virtual Marketplaces: A Case Study on Comparison Shopping
Ina Schaefer
March 2002
Deutsches Forschungszentrum für Künstliche Intelligenz GmbH, Postfach 20 80, 67608 Kaiserslautern, FRG. Tel.: +49 (631) 205-3211, Fax: +49 (631) 205-3210, E-Mail: info@dfki.uni-kl.de, WWW: http://www.dfki.de
Stuhlsatzenhausweg 3, 66123 Saarbrücken, FRG. Tel.: +49 (681) 302-5252, Fax: +49 (681) 302-5341, E-Mail: info@dfki.de
Deutsches Forschungszentrum für Künstliche Intelligenz DFKI GmbH (German Research Center for Artificial Intelligence)

Founded in 1988, DFKI today is one of the largest nonprofit contract research institutes in the field of innovative software technology based on Artificial Intelligence (AI) methods. DFKI is focusing on the complete cycle of innovation from world-class basic research and technology development through leading-edge demonstrators and prototypes to product functions and commercialization. Based in Kaiserslautern and Saarbrücken, the German Research Center for Artificial Intelligence ranks among the important Centers of Excellence worldwide. An important element of DFKI's mission is to move innovations as quickly as possible from the lab into the marketplace. Only by maintaining research projects at the forefront of science can DFKI have the strength to meet its technology transfer goals. DFKI has about 165 full-time employees, including 141 research scientists with advanced degrees. There are also around 95 part-time research assistants. Revenues for DFKI were about 30 million DM in 2000, half from government contract work and half from commercial clients. The annual increase in contracts from commercial clients was greater than 20% during the last three years. At DFKI, all work is organized in the form of clearly focused research or development projects with planned deliverables, various milestones, and a duration from several months up to three years. DFKI benefits from interaction with the faculty of the Universities of Saarbrücken and Kaiserslautern and in turn provides opportunities for research and Ph.D. thesis supervision to students from these universities, which have an outstanding reputation in Computer Science. The key directors of DFKI are Prof. Wolfgang Wahlster (CEO) and Dr. Walter Olthoff (CFO). DFKI's five research departments are directed by internationally recognized research scientists: Knowledge Management (Director: Prof. A. Dengel), Intelligent Visualization and Simulation Systems (Director: Prof. H. Hagen), Deduction and Multiagent Systems (Director: Prof. J. Siekmann), Language Technology (Director: Prof. H. Uszkoreit), Intelligent User Interfaces (Director: Prof. W. Wahlster). In this series, DFKI publishes research reports, technical memos, documents (e.g. workshop proceedings), and final project reports. The aim is to make new results, ideas, and software available as quickly as possible.

Prof. Wolfgang Wahlster, Director
This work has been supported by a grant from The Federal Ministry of Education, Science, Research, and Technology (FKZ ITW-01 IWA 01).

© Deutsches Forschungszentrum für Künstliche Intelligenz 2002. This work may not be copied or reproduced in whole or part for any commercial purpose. Permission to copy in whole or part without payment of fee is granted for nonprofit educational and research purposes provided that all such whole or partial copies include the following: a notice that such copying is by permission of the Deutsche Forschungszentrum für Künstliche Intelligenz, Kaiserslautern, Federal Republic of Germany; an acknowledgement of the authors and individual contributors to the work; all applicable portions of this copyright notice. Copying, reproducing, or republishing for any other purpose shall require a licence with payment of fee to Deutsches Forschungszentrum für Künstliche Intelligenz. ISSN 0946-008X
Abstract

The growth of the Internet has deeply influenced our daily lives as well as our commercial structures. Agents and multiagent systems will play a major role in the further development of internet-based applications like virtual marketplaces. However, there is an increasing awareness of the security problems involved. These systems will not be successful until their problems are solved. This report examines comparison shopping, a virtual marketplace scenario and an application domain for a mobile multiagent system, with respect to its security issues. The interests of the participants in the scenario, merchant and clients, are investigated. Potential security threats are identified and security objectives counteracting those threats are established. These objectives are refined into building blocks a secure multiagent system should provide. The building blocks are transformed into features of agents and executing platforms. Originating from this analysis, solutions for the actual implementation of these building blocks are suggested. It is pointed out under which assumptions it is possible to achieve the security goals, if at all.
Contents

1 Introduction 3
2 Related work 4
2.1 Related work: Comparison Shopping 4
2.1.1 Construction and Working Principles of Comparison Shopping Agents 4
2.1.2 Virtual Marketplace Systems 5
2.1.3 The Economic Perspective 6
2.1.4 Comparison Shopping in the Security Literature 6
2.2 Related work: Security Mechanisms for Mobile Agents 7
2.2.1 Protection of Hosts from Malicious Agents 7
2.2.2 Protection of Agents against Malicious Hosts 8
2.2.3 Protection in Both Directions 9
3 Comparison Shopping: A Case Study 10
3.1 The Scenario 10
3.2 Security Analysis 13
3.2.1 Roles and their Interests 13
3.2.2 Different Instances of the Scenario 15
3.3 Overall Security Threats and Security Objectives 16
3.4 Remarks on the Security Threats and Objectives 19
4 Towards a Secure System 20
4.1 A Technical Realisation of the Multiagent System 20
4.2 Building Blocks 21
4.3 Features of the Agents and Platforms 23
4.4 Towards a Technical Realisation 24
4.4.1 General Remarks on the Achievability of Security Objectives 24
4.4.2 Aspects of Technical Realisations for the Proposed Building Blocks 25
5 Conclusion and Future work 31
References 32
1 Introduction

The success of the Internet and the World Wide Web has deeply influenced our everyday lives as well as our commercial structures. Agent technologies and multiagent systems will play a major part in the further development of WWW-based applications: virtual marketplaces with customer and seller agents, chat rooms and avatars, personal assistant agents as well as non-benevolent agents designed to attack a site, are just some of many applications. While there is still a considerable hype concerning agent technologies, there is also an increasing awareness of the problems involved. The growth of internet-based commerce is tempered by legitimate concerns on the security of such systems. In particular, these applications will not be successful unless security issues can be adequately handled. One of the major concerns for both customers and merchants participating in e-commerce is the potential loss of assets and privacy due to the breaches in the security of corporate computer systems. Although there is a large body of work on cryptographic techniques that provide basic building blocks to solve specific security problems, relatively little work has been done in investigating security in a multiagent system context. The introduction of mobile software agents significantly increases the risks involved in Internet and Web-based applications.

Mobile agents have several advantages in a system like the Internet. Mobile agents travel to a platform to be executed and go where the required data is stored. So the overall communication traffic over low-bandwidth, high-latency and high-cost access networks is reduced. Also if the connection to the agent owner is interrupted, the agent can still go on working. It returns the results when the connection is re-established. The owner does not have to be online all the time for his agent to perform his task. This is particularly useful in case the connection is made via mobile phone. Therefore, the trade-off between performance and security issues has to be considered.
The research presented in this report was done as a part of the SEMAS (Security in Mobile Multiagent Systems) project funded by the German Ministry for Education and Research. It investigates the fundamental security threats in the design of mobile multiagent systems within virtual marketplaces. These threats can be classified according to whether they are inherent to the application scenario to be implemented, inherent to the multiagent system level design, a consequence of the design of the individual agent or a result of using mobile computing. SEMAS therefore investigates how the design of the application, the design of the agent society and the selection of the computational paradigm influence the characteristics of the security threats and how security measures can be combined to an all-embracing security infrastructure. Accordingly, the SEMAS methodology and also the research work is organised into three layers: firstly the application layer, secondly the system architecture and thirdly the computational architecture. The aim of the SEMAS project is to come up with a methodology for the design and implementation of secure mobile multiagent systems, particularly for virtual marketplaces. Since SEMAS covers the application oriented design phase as well, there is a need to focus on a family of scenarios. Guided by the economical importance and scientific significance, SEMAS explores concrete instances of virtual marketplaces based on auctions and free negotiation. The cases considered in SEMAS are auctions and comparison shopping as important applications for mobile agents in virtual marketplaces. They are also important instances of negotiation on markets from an economic perspective.
This report focuses on the comparison shopping scenario, one of the SEMAS cases on the application layer. It investigates security requirements and possible solutions for this concrete scenario. In [DEW96], the comparison shopping problem is described as follows: given are a domain description with useful attributes to differentiate between different products, a set of URLs for the homepages of possible vendors, an attribute A by which the user wants to compare the vendors (e.g. the price) and finally a specification of the desired product in terms of desired values for the product's attributes. The task of a comparison shopping agent is to determine the set of stores where the desired product is available sorted by the attribute A.

In this report, a detailed model for the comparison shopping scenario will be established. With respect to its different phases and instances, it will be explored which interests and expectations the participants have. The interests and possibilities of an attacker and the resulting security threats for the application will be considered. From that analysis, the overall security objectives counteracting those threats are identified. The security objectives specify the requirements the
system has to satisfy for considering it as secure. Having sketched a potential mobile multiagent system to realise the scenario, the objectives are broken down into more detailed features of the system to be constructed, i.e. building blocks or interfaces the system architecture has to provide at the application level. The building blocks are further refined into features of single agents roaming in the system and of executing platforms. Finally, concrete technical means are proposed to implement the building blocks on the level of the system architecture.

Furthermore, this report gives an overview of research on comparison shopping from different points of view, i.e. the construction of shopbots, virtual marketplaces, economic impact and security issues. Additionally, an overview of existing security mechanisms for mobile agents and platforms is presented. It is shown which of those are applicable in this case study.

The remainder of this report is structured as follows: In section 2, we discuss related work with respect to comparison shopping and security of mobile agents. In section 3, a detailed model of the comparison shopping scenario is established and its different phases and instances are analysed. In section 4, we move towards a secure system and show which building blocks are needed to construct a secure mobile multiagent system for this application scenario and how they can be realised technically. Section 5 finishes the report with a brief summary of the main results and an outlook to future work.

2 Related work

2.1 Related work: Comparison Shopping

Research on comparison shopping can be divided into different areas according to its focus. The first main area of research is concerned with the functionality and construction of comparison shopping agents or so-called shopbots. It is investigated how a comparison shopping agent has to work, how wrappers for the retrieved information are constructed and how the findings will be ranked. A second focus are virtual marketplaces, most of which contain a comparison shopping phase. A third area of research is the economic perspective on comparison shopping.
Researchers investigate which impact shopbots have on the economy and develop methods to analyse economies with comparison shopping agents. Finally, comparison shopping is often used as an example in literature considering security of mobile agents. Many authors use comparison shopping to illustrate the security issues linked to mobile agents. In the following, we have a closer look at these four areas of comparison shopping research.

2.1.1 Construction and Working Principles of Comparison Shopping Agents

The first area of comparison shopping research is concerned with the construction of comparison shopping agents that are sent out to find the best match for a given product description. Andersen Consulting's BargainFinder [Kru96] is the first ever model of a merchant brokering shopping agent or comparison shopping agent. Given a specific music CD name, BargainFinder requests its price (including delivery) from each of nine different online music catalogs using the same requests as a web browser. It presents its results to the consumer that makes the final decision where to buy from. Several merchants decided not to participate or blocked BargainFinder. BargainFinder works in a hard-wired way and is hand-coded for the specific product domain. It employs manual rule extraction and does not construct wrappers itself. This means that it is explicitly encoded in the BargainFinder agent how the information from a specific visited website is extracted. Excite's Jango was another merchant brokering shopping assistant similar to BargainFinder, but with more product features and shopping categories to search across.
Shopbot [DEW96] is comparable to BargainFinder and Jango. It is inspired by BargainFinder's feasibility demonstration and popularity. However, Shopbot is product independent and takes a description of a product domain as an input. All information it needs about a shop is its URL. Shopbot learns how to extract information from the store and relies on AI techniques like heuristic search, pattern matching, or inductive learning in contrast to the hand-coded BargainFinder. Shopbot suggests an automatic rule extraction technique by analysing and learning in shopping malls. In order to integrate specific product information, Shopbot removes irrelevant information such as advertisements by using inductive learning mechanisms and then
extracts necessary product information. However, Shopbot uses strong assumptions about the structure of HTML files and the display format of products for learning. More about the technical details can be found in [PDEW95].

[JCK+00] proposes a more scalable comparison shopping agent as an improvement to Shopbot. They present a robust and automatic shopping mall learning algorithm and an ontology generation method. The main idea of the proposed algorithm is to determine the position of a product description unit from the HTML source of a search result page by recognizing a repeated pattern of logical line information. The positional information is converted into an extraction rule that becomes the main part of the wrapper. This algorithm is simple, but robust because no strong biases are assumed. Consequently, the success rate is higher for constructing a correct wrapper. Furthermore, a mechanism is suggested that generates the ontology from the well-structured outputs. The existing ontology is automatically extended by applying it to unstructured search results. More details on the construction of these wrappers can be found in [YLC00].

In [BG99], Brody et al. introduce the Pocket BargainFinder device. A customer enters a bookshop and finds an interesting book. He takes the Pocket BargainFinder and scans the book's barcode. Pocket BargainFinder connects to the internet and evaluates the book's price at different online retailers. The customer sees whether he could order the book on the internet for better conditions taking delivery costs and delivery time into account. The used hardware is a PDA and a barcode reader as well as wireless communication. Pocket BargainFinder is proposed for use in augmented commerce, i.e. commerce in the real world enhanced with electronic commerce components.

[GM98] stresses the necessity of including multiple attributes in the product ranking done by agents during comparison shopping. An online-merchant would, as in the physical world, prefer his customers only to shop at his site because cross-merchant comparison is seen as a threat to his own profitability. However, consumers want to compare product offerings across merchants.
Cross-merchant comparison is a characteristic of retail marketplaces. Thus, merchants enhance their products with product-added values like extended warranties, superior customer service and so on to distinguish themselves from other merchants. Cross-merchant comparison is much easier and less costly if it is done by comparison shopping agents. The first generation of comparison shopping agents makes their recommendations only on the price of the product ignoring other product-added values. That results in inappropriately competitive markets. That may mislead customers since the cheapest product is not always the best to buy. Comparison shopping agents have to be improved insofar as they should employ integrative negotiation techniques, i.e. they try to resolve a conflict over multiple, but not mutually exclusive goals [GM98]. This decision process involving multiple attributes can be described and analysed using multi-attribute decision theory.

2.1.2 Virtual Marketplace Systems

Many of the existing virtual marketplace systems implement a stage similar to comparison shopping. Kasbah [CM96] is a web-based multi-agent classified ad system where users create buying and selling agents helping to transact goods. These agents automate comparison shopping and negotiation between buyers and sellers. A user wanting to buy or sell a good creates an agent and sends it to a centralised marketplace. An agent's goal is to complete an acceptable deal satisfying its owner's preferences. However, there are other more sophisticated markets which implement more market mechanisms and more advanced negotiation.

MAGMA [TMGW97] is such a more sophisticated virtual marketplace system which comprises all stages from the product brokering to the actual purchase. MAGMA, as a real virtual marketplace, comprises banking, communication infrastructure, mechanisms for transportation and storage of goods, facilities for advertising, economic mechanisms and transaction protocols. MAGMA also contains a comparison shopping stage. Another virtual marketplace system of this kind including comparison shopping, called Tete-a-Tete, was developed at the MIT.
In [GMM98] a survey of existing virtual and agent-based marketplace systems is given. The classification of such virtual marketplaces is made according to which stages of the Consumer Buying Behaviour (CBB) model are implemented. The CBB model divides a purchase process into different phases. In the product brokering stage, a customer decides what he wants to buy.
In the following merchant brokering or comparison shopping stage the customer evaluates the offers for this product of different merchants to find out whom to buy from. This includes the evaluation of merchant alternatives, based on customer provided criteria (e.g. price, warranty, availability, delivery time, reputation). After the merchant brokering stage, the negotiation phase follows. The process ends with purchase and delivery of a product. In this survey, it can be seen which existing systems implement a comparison shopping stage and which do not.

2.1.3 The Economic Perspective

Kephart and Greenwald in [KG99, GK99] explore the potential impact of shopbots on market dynamics by proposing, analysing and simulating a model of shopbot economics which incorporates software agent representations of buyers and sellers. They state that the reduction of economic friction due to the decreased search costs could dramatically alter market behaviour in the future as shopbots become more frequently used. Their main objective is to understand the dynamics of the future information economy in which software agents, rather than humans, play the key role and to design utility maximisation algorithms for economically motivated software agents. In the latter paper, they also examine the impact of pricebots, i.e. software agents that set prices according to supply and demand.

In [MU01], the authors focus on the impact of software agent-based shopbots and pricebots on electronic markets. Shopbots and pricebots change the capabilities available to buyers and sellers on the market. A shopbot is attached to a single buyer and able to query several sellers about a desired product. In this sense, shopbots are similar to comparison shopping agents. A pricebot is attached to a single seller and has the ability to change the price of a service dynamically to maximize the seller's profit. The paper proposes a model in which different situations, e.g. no pricebot and no shopbot, only shopbots or both of them, are analysed. One main result of this investigation is that sellers are always better off colluding with shopbots by fixing prices and permitting them to evaluate those. A second result is that the use of pricebots may result in a price war which in the long run leads to profit decline.
2.1.4 Comparison Shopping in the Security Literature

Also in the security-related literature comparison shopping is widely spread as a motivating example. [Yee97] proposes means to protect the computation results of free-roaming mobile agents. This is motivated by the following example of comparison shopping. A software agent is sent out to find the least expensive fare for a flight from San Diego to Washington D.C. taking into account various trip timing, seat preference and routing constraints. One of the queried airlines, Fly-By-Night.com, runs a web server www.flybynight.com, where the agent's code is automatically recognized and brainwashed. The agent's memory about collected offers of other airlines is modified such that it ends up recommending a flight by Fly-By-Night airlines although a less expensive daytime flight has been offered by another airline. This example is also quoted by other authors, e.g. [FGS96b], [Mea97], [KAG98].

In [CMS01], a framework for a secure marketplace on the Internet is proposed. A comparison shopping agent, dispatched to find the most convenient offer for a flight ticket among several air travel agencies, is facing the following security risks: the shopping agent could try to access privileged information, reduce resource availability of the current hosting site or perform a coordinated attack with other agents. The other way round, a malicious host could disclose the agent's private information, tamper with the agent's code or modify or delete previously collected prices, thereby gaining economic advantage.

[Hoh97] uses a comparison shopping example as illustration of the code mess up mechanism proposed to protect agents from direct manipulation of their code. The code of the comparison shopping agent is altered such that the semantics of the agent cannot be found out easily.

In [Vig98], Vigna proposes the concept of cryptographic traces where execution traces of the mobile agents are used to check whether agents have been executed correctly. At the end of his paper he illustrates his concept at a comparison shopping scenario. He shows that using his approach it is possible to find out that previously collected offers were modified.

More details about the proposed mechanisms can be found in the next section.
2.2 Related work: Security Mechanisms for Mobile Agents

Research on the security of mobile agents is divided into two different categories, firstly the protection of hosts from malicious agents, the easier part, and secondly the protection of agents from malicious hosts which is much harder. Some approaches, however, have components which can be used for protection in both directions. In the following, we will illustrate some techniques which we may use later in our system.

2.2.1 Protection of Hosts from Malicious Agents

In this section, we focus on the protection of hosts from malicious operations performed by agents. We order the techniques according to increasing strictness. The final approach in this part concentrates on resource control at hosts.

Signed Code. The main idea of signing the code digitally is to create an unforgeable link between the author and his code. The author or the dispatcher of a mobile object signs it with his secret key and certifies that this is his object. The signature can be verified with the signer's public key assuming a PKI exists. If there exists a trust model the trust in the author can so be transferred to the mobile object that works on his behalf. A platform that trusts the author of the code assumes that the code is not malicious and executes it. This approach is portable to almost any system where a public key infrastructure exists. This however restricts the openness of the system since participants have to register their keys with a central authority. A drawback could be that an author can also sign malicious code and harm someone that trusts him.

Safe Interpreters [Moo98]. Running already compiled executables is a severe security risk. It can be addressed by shifting to the interpretation of some intermediary code on a virtual machine. The security problem is reduced to the security policy implemented by the interpreter. Examples for this approach are Safe-Tcl and Java.

1. Safe-Tcl: In Safe-Tcl, the agent is executed inside a padded cell, which operates in a different name space. The control over the environment belongs to a master interpreter which prevents the call of unsafe functions. The problem is that it has to be determined whether a function is unsafe or not. So functions that are essential for the agent may not be executed. In addition to that, an access control list is maintained for the system resources. This uses cryptographic authentication, configurable security policies and the intersection of access rights to get the least common access.

2. Java: In Java, the Java Virtual Machine has several components to ensure security. The security manager approves the access to unsafe operations. The Byte Code Verifier checks the Java Byte Code for violations in the name space restrictions, for stack overflow or underflow and for illegal type casts. The class loader keeps separate name spaces for local trusted classes and for downloaded, untrusted classes. A problem is that the security manager and the class loader can be cheated. Additionally, there is only one security manager per browser, which makes it impossible to have different rights for applets in the same browser.

Fault Isolation/Sandboxing [Moo98]. Sandboxing is another mechanism to monitor the execution of agents and to restrict safety critical operations. The untrusted code runs in a separate domain or sandbox, the so-called fault domain. Each load, store or jump command is only permitted inside the fault domain. This is implemented by conditional address checks or by overwriting upper address bits such that each address falls into the fault domain. Sandboxing has a better performance than interpreters and is cheaper in terms of code overhead. However, the downloaded code is no longer platform-independent, because the addresses have to be mapped into the fault domain.
Code Verification/Proof Carrying Code (PCC) [Moo98, Nec97]. In this approach, the author of the code compiles a proof that his code satisfies a security policy given in some logical framework by the host. This proof is sent with the agent. At the arrival of the agent, the host verifies the proof to guarantee that the code has indeed the desired properties. However, the question remains in which logical framework the security properties should be formulated to have the necessary expressiveness. Furthermore, the code is no longer platform independent and porting is not straightforward.

Market-based Resource Control [BKR98]. This approach is concerned with the restriction of resources an agent can allocate at a host. If agents use too many resources for too long a time they can prevent the server from being available to other users. The main idea is that agents have a restricted amount of e-cash to pay a resource manager for the allocation of resources. Because of the restricted amount of e-cash, agents can only allocate a limited number of resources at a time. This enables agents to use the server's resources in an equal proportion. Also it prevents denial of service attacks caused by a small number of agents blocking all available resources. Additionally, the price for resources can be set dynamically depending on the demand for resources to reduce bottlenecks. However, agents can try to cheat during payment, e.g. acquire resources without paying for them. This could be prevented by introducing an arbiter agent where a deposit is left that is lost if an agent misbehaves.

2.2.2 Protection of Agents against Malicious Hosts

Protection in this direction is more difficult since the host or platform certainly needs access to the agent's code and control state in order to execute it. Therefore, it can read and alter the agent's data in plain text. Important questions here are how sensitive data can be kept secret and how the honest execution of the agent can be guaranteed. The following two approaches focus on the protection of data the agent collects or computes on its way, whereas the last three techniques concentrate on ensuring a correct execution. The approaches are ordered according to their strictness.
Detection Objects [Mea97]. Detection objects are a way to detect intentional modifications of the data an agent carries with itself. Therefore, detection objects, which are dummy data items not used by the agent, are added. These detection objects will not be modified during a correct execution of the agent. But if the agent comes back to its owner and the detection objects are modified, it is clear that the agent has been tampered with. For instance, an incredibly low offer for a product is added as a detection object if the agent is looking for cheap offers for this product. If the agent comes to a malicious merchant, who changes all offers the agent collected before to make his offer look the best, the detection object will be modified as well. However, detection objects are only applicable for detection and do not offer protection against tampering. They have to be chosen application specific and are not usable in all scenarios. Another problem in constructing fictional data for the detection objects is that it has to be plausible enough to fool hosts, but may not influence the final results. Furthermore, it might be necessary to modify the detection objects from time to time such that it is not possible for a host to discover them by comparing several agents.

Partial Result Authentication Codes (PRAC) [Yee97]. Partial result authentication as proposed by Yee in [Yee97] is a method that tries to protect the privacy and integrity of an agent's computation results. This is done by authenticating the agent's partial results before it is sent to the next host. The results are authenticated with digital signatures created with a key from a sequence of public keys the agent carries. A used key is destroyed to avoid that a host is able to change the result later. An alternative to a sequence of keys is to compute a new public key from an old one using a one-way function. Additionally, [Yee97] proposes a mechanism to publicly verify the correctness of the partial results on the agent's journey by providing it with verification predicates. However, it is not made explicit how these predicates are constructed. A drawback of this approach is that the number of hosts that will be visited has to be known beforehand to provide the correct number of keys. This problem is addressed in [KAG98] where the ideas of Yee are extended and improved. In [KAG98] the partial results
and the identities of the hosts are linked together by a hash chain which prevents that results can later be modified or exchanged. This method does not need a sequence of keys anymore, but assumes the existence of a PKI. However, only the state after the agent execution can be checked and verified with these approaches. Tampering in the interaction with the agent while still on the host cannot be detected or prevented.

Code Mess Up and Limited Lifetime [Hoh97]. To protect agents against manipulation of code, data or control flow and to ensure the correct execution of an agent, [Hoh97] proposes the method of code mess up. The agent's code is translated into an unreadable and hardly analysable format, such that it takes the host a disproportionate amount of time to find out what the code is supposed to do. The lifetime of the code is restricted by an expiry time such that it is impossible to analyse the code before it expires. This mechanism does not try to detect modifications, but tries to prevent them. However, undirected modifications are always possible just by randomly altering certain bits. Another problem is to determine a reasonable expiry time for the code, i.e. the time in which it is possible to figure out the meaning of the code. Additionally, rules for the code mess up have to be fixed. Code mess up offers no protection against black-box tests, sabotage or denial of execution.
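The PRAC idea above (a per-hop key that is destroyed after use, with the next key derived by a one-way function) combined with the [KAG98] hash chain over results and host identities, as an added illustration that is not code from the report or from [Yee97]/[KAG98]. Assumed simplifications: HMAC-SHA256 stands in for the per-hop digital signature, SHA-256 is the one-way key-derivation step, host identities are plain strings, and the offers and seed are constructed sample values.

```python
"""PRAC-style partial result authentication with a one-way key chain,
hash-chained with host identities in the spirit of [KAG98].
Added illustration; HMAC stands in for the signatures of the original
scheme, and all sample values below are constructed."""
import hashlib
import hmac

GENESIS = b"\x00" * 32   # chain value before the first hop (assumed convention)

def next_key(key: bytes) -> bytes:
    """One-way key step. The agent keeps only the new key, so a host visited
    later holds no key with which an earlier record could be re-authenticated."""
    return hashlib.sha256(b"prac-next-key|" + key).digest()

def chain_link(prev: bytes, host_id: str, result: str) -> bytes:
    """Hash-chain link binding this hop's result to the host that produced it
    and to every earlier link, so records cannot be swapped or dropped unnoticed."""
    return hashlib.sha256(prev + host_id.encode() + b"|" + result.encode()).digest()

class ShoppingAgent:
    """Mutable state the agent carries from host to host."""
    def __init__(self, owner_seed: bytes):
        self.key = owner_seed       # current PRAC key; replaced after each use
        self.prev = GENESIS
        self.records = []           # list of (host_id, result, link, mac)

    def record(self, host_id: str, result: str) -> None:
        """Run by the agent at host `host_id` once it has obtained `result`."""
        link = chain_link(self.prev, host_id, result)
        mac = hmac.new(self.key, link, hashlib.sha256).digest()
        self.records.append((host_id, result, link, mac))
        self.prev = link
        self.key = next_key(self.key)   # the used key is destroyed

def run_journey(owner_seed: bytes, offers):
    """Simulate the itinerary: `offers` is a list of (host_id, result) pairs."""
    agent = ShoppingAgent(owner_seed)
    for host_id, result in offers:
        agent.record(host_id, result)
    return agent.records

def verify(owner_seed: bytes, records) -> list:
    """Owner side: regenerate the key chain from the seed and the hash chain
    from the carried data. Returns the indexes of records that fail. Later
    links are recomputed from the reconstructed chain, so once one record
    fails, every record after it fails as well and is not trusted."""
    key, prev, bad = owner_seed, GENESIS, []
    for i, (host_id, result, link, mac) in enumerate(records):
        expected_link = chain_link(prev, host_id, result)
        expected_mac = hmac.new(key, expected_link, hashlib.sha256).digest()
        if link != expected_link or not hmac.compare_digest(mac, expected_mac):
            bad.append(i)
        prev, key = expected_link, next_key(key)
    return bad

def rewrite_with_current_key(records, current_key: bytes, index: int, new_result: str):
    """Model of the threat described in the text: the host at the end of the
    itinerary rewrites an earlier offer and re-authenticates it with the only
    key it holds (the current one). verify() flags the result, because the
    key that authenticated hop `index` no longer exists anywhere."""
    records = list(records)
    host_id = records[index][0]
    prev = GENESIS if index == 0 else records[index - 1][2]
    link = chain_link(prev, host_id, new_result)
    mac = hmac.new(current_key, link, hashlib.sha256).digest()
    records[index] = (host_id, new_result, link, mac)
    return records

if __name__ == "__main__":
    seed = b"owner-secret-seed"      # constructed sample value
    offers = [("shop-a.example", "price=120"),
              ("shop-b.example", "price=95"),
              ("fly-by-night.example", "price=110")]
    recs = run_journey(seed, offers)
    print("honest journey, bad records:", verify(seed, recs))        # []
    key_seen_by_last_host = next_key(next_key(seed))
    forged = rewrite_with_current_key(recs, key_seen_by_last_host, 1, "price=150")
    print("rewritten offer, bad records:", verify(seed, forged))     # [1, 2]
```

As the text notes, this only detects tampering after the agent returns; it says nothing about what the host did while the agent was still executing there.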
Cryptographic Traces [Vig98]. Since mobile agents cannot be entirely protected from damage done to them, mechanisms have to be developed which detect potential tampering. One of those mechanisms is execution tracing as proposed by Vigna in [Vig98]. The executing host produces an execution protocol or an execution trace for the agent. The trace consists of pairs (n, s) where n is the identifier of a code statement and s is the input from outside. If there is no input, s is empty. After the execution, a hash of this trace and a hash of the agent's state is created. These hashes are signed by the host and transmitted with the agent. The trace is stored at the host in case the agent owner doubts the correct execution of his agent. Then he requests the trace from the host to compare it with the hash. If necessary, the trace is re-executed and so a cheating host can be identified. If the initial state of an agent is signed before it is sent to some host, it can be prevented that hosts lie about the initial state of a received agent. However, this method has some serious drawbacks. It cannot be detected if a host lies about input from the outside. Also the applicability might be restricted because of the huge overhead produced by the storage of traces. A general problem of detection is that it is only possible a posteriori. Participants have to be made liable after the detection of cheating.

Encrypted Functions [ST98]. Encrypted functions are the only mechanism that hides the semantics of the agent. The host executes the agent and computes some function. But it does not know about the semantics of the program because both the function and its result are encrypted. The mechanism works like this: firstly the agent owner encrypts the function f to E(f) and creates a program P(E(f)). Then the agent is sent to a host dispatched with P(E(f)).
AtthehostP((E(f))(x)executedandE(f)(x)iscomputed.Backhome,theownerdecrypts E(f)(x)andobtainstheresultf(x).Theevaluationofthefunctionf(x)iscompletelysecret anddoesnotrevealanythingaboutitssemantics.sincethehostdoesnotknowaboutthe semanticsofthecomputation,itcannotdirectlymodifyitsresult.thismechanismtriesto preventintensionalattackstothefunctionalityofagents.however,notallfunctionscanbe expressedasencryptedfunctions.[st98]showsthatpolynomialsareexpressibleasencrypted functions.in[acck01],resultsarepresentedthatextendthistologarithmicandpolynomial sizecircuits.butresearchhasnotgonesofaryetthatencryptedfunctionscanbeusedinabroad rangeofapplications.thismethodcannotbeusedifinteractionwiththehostisdependanton thecomputedresultssincethehostwillnotunderstandthose.indirectedattacks,likerandomly alteringcertainbits,arestillpossibleandundetectable. 2.2.3ProtectioninBothDirections Theapproachestobepresentedinthissectionprotectagentsandhostslikewise.Therst methodpresentedmakesuseoffault-tolerancetechniques,whilethesecondchecksthestateof theagenttodetectmodicationsandtoprotectthehost. 9
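The execution tracing mechanism of [Vig98] described above, as an added illustration that is not part of the report or of Vigna's implementation: a toy agent of five statements runs on a host, the host records the trace of (n, s) pairs, signs the hashes of trace and final state, and the owner later verifies the signature and re-executes the agent from the signed initial state with the trace's inputs. The agent language, the sample inputs and the use of HMAC-SHA256 with a per-host key as a stand-in for the host's PKI signature are all assumptions made for this example.

```python
import hashlib
import hmac
import json

# Constructed sample agent: statements are (n, op, args); "input" reads a value from outside.
AGENT_CODE = [
    (1, "set", ("total", 0)),
    (2, "input", ("price",)),        # outside input: the merchant's price
    (3, "add", ("total", "price")),
    (4, "input", ("shipping",)),     # outside input: delivery costs
    (5, "add", ("total", "shipping")),
]


def canonical(obj):
    return json.dumps(obj, sort_keys=True, separators=(",", ":"))


def digest(obj):
    return hashlib.sha256(canonical(obj).encode()).hexdigest()


def run_agent(code, state, inputs=None, trace=None):
    """Execute the agent. Without a trace, outside inputs come from `inputs` and a trace of
    (n, s) pairs is recorded (s empty when the statement takes no input). With a trace, the
    recorded inputs are replayed instead: this is the owner's re-execution."""
    state = dict(state)
    out = []
    replay = iter(trace) if trace is not None else None
    for n, op, args in code:
        s = ""
        if replay is not None:
            rn, s = next(replay)
            if rn != n:
                raise ValueError("trace does not match agent code")
        elif op == "input":
            s = inputs[args[0]]
        if op == "input":
            state[args[0]] = s
        elif op == "set":
            state[args[0]] = args[1]
        elif op == "add":
            state[args[0]] += state[args[1]]
        out.append((n, s))
    return state, out


def host_execute(host_key, code, initial_state, inputs, report_state=None):
    """Host side: run the agent, hash trace and (claimed) final state, sign both hashes.
    The trace stays at the host; the claimed state and the receipt travel with the agent.
    `report_state` lets a dishonest host sign a state other than the one it computed."""
    final_state, trace = run_agent(code, initial_state, inputs)
    claimed = final_state if report_state is None else report_state
    h_trace, h_state = digest(trace), digest(claimed)
    sig = hmac.new(host_key, (h_trace + h_state).encode(), "sha256").hexdigest()
    return claimed, {"h_trace": h_trace, "h_state": h_state, "sig": sig}, trace


def owner_verify(host_key, code, initial_state, claimed_state, receipt, trace):
    """Owner side: check the signature, check that the trace handed over later matches the
    signed hash, and re-execute from the signed initial state to confirm the claimed state."""
    mac = hmac.new(host_key, (receipt["h_trace"] + receipt["h_state"]).encode(), "sha256").hexdigest()
    if not hmac.compare_digest(mac, receipt["sig"]):
        return False
    if digest(trace) != receipt["h_trace"] or digest(claimed_state) != receipt["h_state"]:
        return False
    reexecuted, _ = run_agent(code, initial_state, trace=trace)
    return reexecuted == claimed_state


def demo():
    key = b"host-A-signing-key"          # constructed stand-in for host A's private key
    initial = {"total": 0}               # assumed to be signed by the owner before dispatch
    inputs = {"price": 100, "shipping": 5}
    state, receipt, trace = host_execute(key, AGENT_CODE, initial, inputs)
    honest_ok = owner_verify(key, AGENT_CODE, initial, state, receipt, trace)
    # A cheating host executes correctly but signs a false final state: re-execution exposes it.
    false_state = dict(state, total=1)
    c_state, c_receipt, c_trace = host_execute(key, AGENT_CODE, initial, inputs, report_state=false_state)
    cheat_ok = owner_verify(key, AGENT_CODE, initial, c_state, c_receipt, c_trace)
    # A host that lies about outside input (price 50 instead of 100) stays consistent with
    # its own trace, so this drawback of the method cannot be detected here.
    l_state, l_receipt, l_trace = host_execute(key, AGENT_CODE, initial, {"price": 50, "shipping": 5})
    lie_ok = owner_verify(key, AGENT_CODE, initial, l_state, l_receipt, l_trace)
    return honest_ok, cheat_ok, lie_ok   # (True, False, True)
```

The third case in demo() is the drawback the report names: the trace is only as trustworthy as the inputs the host chose to record in it, so verification establishes that the host ran the code faithfully on those inputs, not that the inputs were genuine.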
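The structure of an encrypted function for a polynomial, as an added example rather than the construction of [ST98]: the owner encrypts the coefficients of f, the host computes E(f)(x) from its own input x without learning f or f(x), and the owner decrypts. The use of an additively homomorphic Paillier cryptosystem with toy-sized primes is an assumption for this illustration only; the report does not say which scheme [ST98] uses, and the key sizes here offer no real security.

```python
import math
import random


def keygen(p, q):
    """Toy Paillier key pair (p and q are far too small for real use)."""
    n = p * q
    n2 = n * n
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)   # lcm(p-1, q-1)
    g = n + 1
    mu = pow((pow(g, lam, n2) - 1) // n, -1, n)          # inverse of L(g^lambda mod n^2)
    return (n, g), (lam, mu)


def encrypt(pub, m, rng):
    n, g = pub
    n2 = n * n
    while True:                                          # random r coprime to n
        r = rng.randrange(1, n)
        if math.gcd(r, n) == 1:
            break
    return (pow(g, m, n2) * pow(r, n, n2)) % n2


def decrypt(pub, priv, c):
    n, _ = pub
    lam, mu = priv
    return ((pow(c, lam, n * n) - 1) // n * mu) % n


def encrypt_function(pub, coeffs, rng):
    """Owner side: E(f) for f(x) = a_0 + a_1 x + ... + a_d x^d is the coefficient-wise encryption."""
    return [encrypt(pub, a, rng) for a in coeffs]


def evaluate_encrypted(pub, enc_coeffs, x):
    """Host side, P(E(f))(x): with only the public key and its input x the host forms
    prod_i E(a_i)^(x^i) = E(sum_i a_i x^i) = E(f(x)); it learns neither the a_i nor f(x)."""
    n, _ = pub
    n2 = n * n
    acc = 1
    for i, c in enumerate(enc_coeffs):
        acc = (acc * pow(c, x ** i, n2)) % n2
    return acc


def demo():
    rng = random.Random(2002)                    # fixed seed so the run is reproducible
    pub, priv = keygen(10007, 10009)
    secret_coeffs = [5, 2, 3]                    # constructed f(x) = 5 + 2x + 3x^2, known only to the owner
    ef = encrypt_function(pub, secret_coeffs, rng)
    enc_result = evaluate_encrypted(pub, ef, 7)  # host evaluates at its own input x = 7
    f_of_x = decrypt(pub, priv, enc_result)      # owner decrypts E(f)(7) -> 166
    # An undirected modification (one flipped bit of E(f)(x)) goes unnoticed: the host cannot
    # tell what it changed, and the owner simply decrypts to an unrelated value.
    garbled = decrypt(pub, priv, enc_result ^ 1)
    return f_of_x, garbled
```

The host never branches on the result, which is exactly the restriction the report mentions: anything the agent would have to decide on the host using f(x) cannot be expressed this way, because the host only ever holds E(f(x)).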
Fault-Tolerance Approaches
Approaches used to ensure the availability of a system can be transferred to the area of mobile code security. For instance, server replication, a fault-tolerance method, can be combined with cryptography to enhance the confidence in computed results. The servers or hosts in the system are replicated. An agent visits some of these replicated servers and uses voting and secret sharing or re-splitting to find out what the most likely result of a correct execution is. It simply compares the results it got from all servers and decides to accept the result that has been computed in most cases. However, this approach relies on the assumption that servers fail or cheat independently. But this is contradicted by the fact that they are all under the same control.

Another approach works with agent replication. Agents are replicated and sent along different paths with the aim to detect malicious hosts. Supposing two agents are sent on the same path, but in reverse order, a modification by a malicious host can be detected by comparing the results of those two agents if only one host cheats. However, [Yee97] only shows for a special case that this approach is a solution of the malicious host problem.

Authentication and State Appraisal [FGS96a]
[FGS96a] proposes a technique which checks agents arriving at the host before starting the execution, to protect hosts from executing malicious agents and to detect modifications of agents. This can also be used to prevent agents from gaining dangerous access to the host's data and resources. At the arrival of an agent at a host, after successful authentication, a state appraisal function determines the permits that the agent requests from the host, i.e. the resources it will need. An authorisation mechanism establishes which permissions will be granted. The state appraisal function depends on the agent's current state, which allows checking this state at arrival, e.g. for some invariant conditions. Assuming that a host would only accept agents whose states satisfy certain conditions, malicious, modified or corrupted agents can be refused at this point. So misuse of agents can be prevented. However, not all state alterations, and not even all dangerous modifications, can be detected, since detection depends on the checked conditions.
3 Comparison Shopping - A Case Study

In this section, we present the security analysis of the comparison shopping scenario, which is done in the following way. Firstly, the concrete scenario to be considered is clarified. Secondly, the acting entities are identified and their interests and expectations in the single phases of the scenario are analysed. Thirdly, it is investigated which possibilities and incentives an attacker would have.

3.1 The Scenario

The electronic marketplace or virtual mall considered for comparison shopping consists of a set of merchants that offer their products, a set of matchmakers that provide a directory service about the merchants at the portal of the mall, and a set of customers that are willing to shop at the merchant that matches their preferences best. Customers send their agents to a matchmaker and then to merchants in order to collect the required information. Afterwards, they decide where to buy from. Customers, matchmakers and merchants are connected via a network in which the agents roam.

The comparison shopping problem consists of the following parts as described in [DEW96]:

- A domain description, including information about product attributes useful for discriminating between different products and between variants of the same product (e.g. name, manufacturers, price ...)
- A set of addresses of potential merchants
- An attribute A by which the user wants to compare the vendors
- A specification of the desired product in terms of values of selected attributes

Determine:

- The set of vendors where the desired product is available, sorted by the given attribute A.
Suppose we would like to find the cheapest price for a specific software program or to find a certain book with the shortest time of delivery. This problem can be solved with a mobile customer agent in the following way:

1. The customer dispatches an agent with a description of the desired product and the attributes to compare different offers.
2. The agent visits a matchmaker to obtain information about merchants in the virtual mall. The matchmaker is situated at the portal of the virtual mall and simplifies the search for relevant merchants.
3. The customer agent visits all merchants advertised by the matchmaker and enquires about the desired product. The merchant submits an offer, specifying price, delivery costs, delivery time etc.
4. After having visited all relevant merchants, the agent returns to its owner and reports its findings, ranked according to its owner's preferences.

The comparison shopping scenario can be refined into different phases in order to get a deeper understanding for evolving security requirements. This refinement is done with respect to existing consumer buying behaviour models in the literature. There are many different models that try to characterize the process in which a consumer is buying something, from the first recognition that he might need something to the final purchase or even beyond. The Nicosia model (Francesco Nicosia, 1966), the Howard-Sheth model (1969), the Engel-Kollat-Blackwell (EKB) model or the Consumer Decision Process Model (CDP) by Blackwell, Miniard and Engel (2001) are models of consumer buying behaviour, to name only a few.
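Steps 1 to 4 of the mobile customer agent above, combined with the hash-chain protection of collected partial results from Section 2.2.2, as an added example that is not part of the report: the agent is dispatched with a product and a comparison attribute, obtains the merchant list from the matchmaker, collects one signed chain link per merchant visit, and on return the owner verifies the chain before ranking the vendors. The virtual mall, the offers, the merchant names and the per-merchant HMAC-SHA256 keys standing in for PKI signatures are all constructed for this illustration.

```python
import copy
import hashlib
import hmac
import json

# Constructed virtual mall: one product, a matchmaker directory listing the merchants that
# stock it, and each merchant's offer.
PRODUCT = "book:isbn-0000"
MATCHMAKER_DIRECTORY = {PRODUCT: ["BookBarn", "PageTurner", "ShelfLife"]}
MERCHANT_OFFERS = {
    "BookBarn":   {"price": 25.0, "delivery_days": 3},
    "PageTurner": {"price": 22.5, "delivery_days": 5},
    "ShelfLife":  {"price": 27.0, "delivery_days": 1},
}
# Stand-in for the PKI the hash-chain scheme assumes: one signing key per merchant whose
# signatures (HMAC-SHA256 here) the owner can check.
MERCHANT_KEYS = {m: ("signing-key-" + m).encode() for m in MERCHANT_OFFERS}


def canonical(obj):
    return json.dumps(obj, sort_keys=True, separators=(",", ":"))


def link_digest(prev_digest, merchant, offer):
    """Hash chain link: binds this offer and merchant identity to everything collected before."""
    payload = prev_digest + canonical({"merchant": merchant, "offer": offer})
    return hashlib.sha256(payload.encode()).hexdigest()


def dispatch(product, attribute):
    """Step 1: the customer dispatches an agent with the product and the comparison attribute."""
    return {"agent_id": "customer-agent-1", "product": product, "attribute": attribute, "chain": []}


def merchant_visit(merchant, agent):
    """Step 3: the merchant submits its offer as a new, signed link of the agent's chain."""
    offer = MERCHANT_OFFERS[merchant]
    prev = agent["chain"][-1]["digest"] if agent["chain"] else agent["agent_id"]
    digest = link_digest(prev, merchant, offer)
    sig = hmac.new(MERCHANT_KEYS[merchant], digest.encode(), "sha256").hexdigest()
    agent["chain"].append({"merchant": merchant, "offer": offer, "digest": digest, "sig": sig})


def roam(agent):
    """Step 2 and 3: ask the matchmaker for the relevant merchants, then visit each of them."""
    for merchant in MATCHMAKER_DIRECTORY[agent["product"]]:
        merchant_visit(merchant, agent)
    return agent


def verify_chain(agent, keys):
    """Owner-side check: every link hashes correctly onto its predecessor and carries a valid
    signature, so no collected offer was altered, reordered or attributed to another merchant."""
    prev = agent["agent_id"]
    for link in agent["chain"]:
        if link_digest(prev, link["merchant"], link["offer"]) != link["digest"]:
            return False
        expected = hmac.new(keys[link["merchant"]], link["digest"].encode(), "sha256").hexdigest()
        if not hmac.compare_digest(expected, link["sig"]):
            return False
        prev = link["digest"]
    return True


def report(agent):
    """Step 4: back home, accept the findings only if the chain verifies, then rank by attribute."""
    if not verify_chain(agent, MERCHANT_KEYS):
        return None
    ranked = sorted(agent["chain"], key=lambda link: link["offer"][agent["attribute"]])
    return [link["merchant"] for link in ranked]


def demo():
    agent = roam(dispatch(PRODUCT, "price"))
    honest = report(agent)                  # ['PageTurner', 'BookBarn', 'ShelfLife']
    # The last merchant visited tries to look best by raising an earlier merchant's price;
    # the altered link no longer matches its digest, so the owner rejects the findings.
    tampered = copy.deepcopy(agent)
    tampered["chain"][1]["offer"]["price"] = 99.0
    return honest, report(tampered)         # (..., None)
```

One limitation worth keeping in mind: the chain detects modification and reordering of earlier links, but the merchant visited last can still drop links from the end of the chain. The owner can only notice that by comparing the merchants present in the chain with the list the matchmaker returned.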
The Consumer Decision Process Model (CDP) [Sch01] splits the consumer buying process into seven fundamental stages. It starts with the need recognition phase, where the consumer realises that he has got some need or problem. In phase 2, search for information, the consumer starts to look for information on how he can satisfy the unmet need. Phase 3 is called pre-purchase evaluation of alternatives, where the customer knows how he wants to satisfy his unmet need and investigates options where to buy. In phase 4, the purchase phase, the customer finalises his choice what to buy and where to buy. The phase is subdivided into two subphases, where firstly the choice for the product is made and secondly the in-store choices are finalised. Phase 5 is called the consumption phase, in which the customer has got the product in his possession. In phase 6, the customer evaluates the experiences he has had with the product. The last phase is the divestment phase, in which the customer decides whether to dispose of, sell or recycle the product. Overview of the Consumer Decision Process (CDP) model:

1. Need Recognition
2. Search for Information
3. Pre-Purchase Evaluation of Alternatives
4. Purchase
   (a) Customer finalises choice of retailer from options investigated.
   (b) In-store choices (specific salesperson, payment method)
5. Consumption
6. Post-Consumption Evaluation Behaviour
7. Divestment

The second model that was considered in order to identify the phases for the comparison shopping scenario is the Consumer Buying Behaviour Model [GM98]. The CBB model comprises six fundamental stages of many other buying behaviour models.
Its first phase is the problem recognition, where the customer finds out that he might need something. Then he starts to investigate which alternatives might satisfy his need in the information search or product brokering stage. After that, he evaluates these alternatives by looking around shops and tries to decide where to buy. The fourth stage comprises the actual buying decision. Purchase, including payment, and post-purchase evaluation are the last phases in the model. Overview of the Consumer Buying Behaviour (CBB) model:

1. Problem Recognition
2. Information Search
3. Evaluation of Alternatives
4. Purchase Decision
5. Purchase
6. Post-Purchase Evaluation

Based on the models of consumer behaviour, the comparison shopping scenario can be divided into four different phases:

Phase 1 - Information Search / Product Brokering
Phase 1 covers comparison shopping without the customer's intention to buy anything. The customer just walks around the mall and tries to find out what products are on offer and what he might like to buy. His interest is to get to know what a possible price range for a product might be like. He evaluates the attributes for his preferences without wanting to buy something. He does not want to enter any liabilities and does not need any provably true information.

Phase 2 - The 'real' Comparison Shopping
This phase is the actual comparison shopping stage. The consumer compares what he knows about the different products and brands with what he considers important before deciding what to buy. He monitors the different attributes of the product and the features of the store visited. For many customers, it is essential to the buying decision to trust in a merchant. A prerequisite for this stage is that the consumer knows the need or the problem he has. In this phase, it is definitely the customer's intention to buy something, but he has not yet decided where to buy. Therefore, his requirements for security, here particularly regarding the trustworthiness of the merchant, are higher than in the preceding phase.

The phases 1 and 2 correspond to phase 3 in the consumer buying behaviour models described above. In both, the customer dispatches his agent with a product description and his preferences. The agent contacts the matchmaker at the portal of the mall to find out about appropriate merchants. It visits the advertised merchants and evaluates the values for attributes of the desired product. The products are ranked according to a given attribute, e.g. the price. Finally, the agent returns to its owner and reports its findings.

Phase 3 - Commitment / Purchase Decision
In phase 3, the customer finalises his decision. The choice among the possible alternatives is based on the 4 Ps, namely product, price, place and promotion [TMP+97]. The consumer confirms with the merchant what he wants to buy and for which conditions. Then he orders the product by making a legally liable contract. After that, the conditions of purchase are fixed and cannot be changed without mutual agreement. The customer can no longer remain anonymous since he has to enter liabilities. Therefore, it is essential that his identity is known undeniably and verifiably, although the content of the contract can be kept secret. In general, there are two ways in which the decision to buy something somewhere can be made. Either the agent itself makes the decision based on its findings in phase 2, or the agent makes the decision in interaction with its owner. In our approach, the second possibility is adopted. This purchase or commitment phase corresponds to phase 4 in the CDP and CBB model.

Phase 4 - Purchase and Payment
The fourth and last phase considered is the payment phase. Note that the physical delivery is not modelled, since this would involve threats that are not computer specific and are caused by transport companies and the like. This phase is similar to parts of phase 5 in both models. According to the contract made in phase 3, the customer pays for the desired product in this stage. In general, there are different ways available to pay in e-commerce which all have their strengths and weaknesses. Possibilities are payment by bill, bank draft or credit card, to mention the more conventional ways. Other possibilities are paybox [pay] or other forms of e-cash.

3.2 Security Analysis

In the following, the comparison shopping scenario is analysed focussing on the interests and expectations of its participants regarding security. The potential actions of an attacker threatening the system are considered. In addition to the phases, different instances of a comparison shopping scenario are investigated using the example of high price and low price goods.

The participants in the scenario are customers, merchants situated inside the virtual mall and matchmakers at the portal of the mall. Matchmakers provide customers with information about the merchants inside the mall. Furthermore, the network owner is considered in order to analyse the security requirements with respect to the network. In this analysis, it is omitted that agents are able to contact other customer agents inside the mall to obtain information about merchants. That would introduce new security aspects, for instance, whether an agent can trust such information or not.
3.2.1 Roles and their Interests

Interests of Customers
In a first information search phase, the customer wants to find out what a merchant has on offer for which price. He expects to be informed about all interesting products and the attached conditions. He does not want to enter any liabilities just by looking around and does not want to be forced or required to buy anything. It is his main objective to get the desired product for the best possible conditions. In the second stage, where the customer actually intends to buy something, he wants to get exhaustive information about products and their attributes matching his preferences. He requires this information, on which he wants to base his commitment, to be correct.

When the customer wants to commit himself, he wants to make a legally binding contract with the merchant that also holds as legal evidence in case of litigation. The product has to be available and has to be delivered for the conditions the customer was told. The content of the contract can be kept confidential if both parties agree on that. The customer does not want to be deceived by the merchant. He wants to be sure that the merchant he is contacting is exactly the one he thinks he is negotiating with. He wants to provide his personal data only for agreed purposes and wants to prevent that the merchant misuses his data for unintended purposes such as profiling or advertisement. When it comes to paying, the customer wants to use a secure, but convenient method of payment. He does not want to be deceived by the merchant by being billed more than was actually agreed on. Additionally, he wants his payment information to be protected against misuse, e.g. the merchant should not forward his credit card number to any other merchant. He wants the merchant to behave trustworthily, for instance not to sell products he cannot supply and to deliver the product after payment. Furthermore, a customer expects that the merchant sticks to the conditions fixed in the contract.

Regarding the matchmaker, the customer wants to get all relevant information about appropriate merchants. The list provided by the matchmaker should be exhaustive and contain no irrelevant information. With respect to other customers, he expects them to behave in a competitive, but fair manner.

The customer wants the merchant and the matchmaker to be available and to provide a service of sufficient quality, and also that they behave reliably and trustworthily. It is important for him that his data (like partial results) and his code are not manipulated by some external attacker or platform. Furthermore, he wants to stay anonymous and maintain his privacy. The customer expects that his agent is executed as it was programmed and that it can migrate as intended.

Interests of Merchants
It is the main interest of the merchant that customers buy at his store in order to make the best possible profit. A merchant wants to attract a customer's attention, for instance by offering good products and prices, granting attractive conditions of purchase and having a good reputation. Furthermore, the merchant wants his store to be available such that customers can visit it. Additionally, the integrity of his data and working principles should be guaranteed. Possibly, the merchant wants to issue some confidential offers which should indeed be kept private by the customer. Phase 1 and 2 do not make any difference for the merchant, since he cannot distinguish whether a customer intends to buy something or not.

When a customer commits himself, the merchant wants to make a legally binding contract with him. The contract should hold as evidence in court in order to prevent that the customer refuses to pay for a delivered product, for instance. The merchant wants the customer to provide him with correct information about his person to make a correct contract. This contract can be kept secret by both parties. Additionally, he wants the customer to authenticate himself such that he can be sure whom he is communicating with.

At the payment stage, the merchant's main interest is to get the agreed amount of money from the customer as fixed in the contract, in a convenient manner. The merchant expects the customer to be reliable and trustworthy in that he gives correct information, sticks to the contract and fulfils his obligations. This includes the payment of the product.
Regarding his fellow merchants, a merchant expects them to behave competitively, but fairly. They should not perform any illegal actions. The matchmaker, in the merchant's view, should inform the customers about himself and his products, and be available and trustworthy.

Interests of Matchmakers and Network Owner
The network owner wants his network to be reliable and secure in all phases in order to attract users and to maintain the infrastructure. Furthermore, he wants to keep out criminal actions like sabotage or manipulation. The users of the network expect it to be reliable and secure. They want their communication over the network to be confidential, i.e. that communication cannot be disclosed, monitored or manipulated.

The matchmaker is more a means to an end and not an end in himself. Therefore, he is not assumed to have any interests of his own. He simply offers a service to all entities that contact him. However, his clients expect him to provide a sufficient quality of service, i.e. that he provides exhaustive and relevant information, is available and non-manipulated.

Interests of an Attacker
In this scenario, an attacker can either come as a malicious merchant, matchmaker or customer, as a malicious platform or as someone unknown from the outside. The attacker's interest is to perform legal as well as illegal actions to maximize his utility. An attacker can use legal working principles of the system for unintended purposes, such as denial of service attacks by making too many requests. A major interest of an attacker is to remain undiscovered.

One objective of the attacker can be to gain useful information for himself. He can try to compromise customer privacy and anonymity to find out what products the customer looks for. He can achieve information gain by pretending to be a platform, merchant or matchmaker which the agent trusts in. Furthermore, he can try to disclose secret offers and contracts. Another way to obtain information is by disclosing the network communication.

An attacker can sabotage platforms and restrict their availability in order to have more customers visiting his site and to pretend to be a better choice for customers. Manipulation of data or working principles, sabotage or denial of service attacks can restrict the availability, reliability and quality of service of merchants, matchmakers and platforms. So the competition in the market can be influenced.

A malicious merchant can provide wrong conditions of purchase. He can misuse the information he got from the customer for unwanted purposes such as profiling, reselling or advertising. He can cash more than he was actually entitled to, or he can refuse to deliver the product after payment. A malicious matchmaker can distribute incomplete, irrelevant or incorrect information about merchants, favouring particular merchants. A malicious customer can provide false personal information or refuse to pay for a received product. A malicious host can refuse to execute a customer agent as it was programmed. Also, he can refuse to send an agent where it wants to go to.

In the first and second phase, an attacker can manipulate the customer's already collected offers. The reason for that can be that the attacker wants to have the best offer himself, or that he collaborates with other merchants which he wants to look best. In the payment stage, the incentive for attacks is even greater because real money can be gained. So payment information, e.g. the credit card number of a customer, can be obtained to get money off the customer's account or to resell it.
3.2.2 Different Instances of the Scenario

The analysis of different instances of comparison shopping gives an impression of how security requirements evolve. One example for different instances is the purchase of high price goods in contrast to low price goods. High price goods are, for instance, cars, houses or something which is not usually bought every day or every month. Low price goods, however, are things that are bought more often, like CDs, books or the like. It seems natural that the interests of customers and merchants differ in these cases, since the risks increase with the higher price of the product. Consequently, there are differences in the security requirements people have in both instances.

With low price goods, it seems to be less serious for the customer if something goes wrong because the financial damage is smaller. In the high price case, fraud, deception and other attacks are more severe since the amount of money involved is higher. Additionally, fraud and deception seem more likely, since the expected gain is higher if the manipulation remains undetected. Because of the higher risks with high price goods, people require greater reliability and trustworthiness of the system.

Looking at the phases we have identified previously, differences between the high and the low price case can be observed. In phase 2, the comparison shopping phase with the intention to buy, the customer wanting to buy something more expensive definitely requires correct information about the product, because false information can lead to serious financial harm. In some cases, it is not easy to determine the actual value of a product. In case of a car or a house, a trusted third party or an assessor is needed to estimate the actual value of the object. For phase 3, the contract that is eventually made has to be indeed legally binding, since in case of litigation this contract has to be valid evidence in court. Also the payment method used in phase 3 must be more secure for high price goods because of the higher financial risks.
To sum up, the difference between high and low price goods is that the security requirements for high price goods are higher. Whereas the technical threats remain more or less the same, the application-oriented threats, i.e. the opportunities for fraud, increase. In order to counter fraud, the trust a customer has in a retailer before commitment should be higher.
3.3 Overall Security Threats and Security Objectives

In the previous analysis, we illustrated occurring security problems and the requirements of users on a secure system. From that, we set up an overall view of the threats to the mobile multiagent system in the virtual marketplace. We will identify security objectives to counter those threats and to satisfy the security requirements of the system users. The threats will be grouped into different threat scenarios.

Threat Scenario 1 - Data Security
The first threat scenario comprises all threats that are concerned with the misuse of data, or more precisely, the unauthorised disclosure, copying or modification of data. All data that occur in this scenario can be used in an unintended manner if they are unprotected. The data of an agent comprises its code and the data it carries, like collected offers, identity information, contracts made with merchants, or payment information. This data can be copied, disclosed or modified. An interesting instance is the case in which an agent has collected several offers from other merchants and visits another merchant. This merchant can modify all other previously collected offers such that his offer seems to be the best. Another critical point with respect to confidential data is the leak of data without permission of the owner. In addition to that, the inter-agent communication can be disclosed and modified by a malicious platform. Malicious agents and other attackers can try to disclose, copy or modify the data that is stored at the platform and also the platform's code and working principles. For instance, a trojan horse can be inserted into the platform's code such that someone else gains control over the platform.
T1 Unauthorised Disclosure, Copying and Modification of Data or Code
T1.1 Disclosure of identity
T1.2 Disclosure of secret offers
T1.3 Disclosure or manipulation of contracts
T1.4 Modification of already collected offers
T1.5 Disclosure and modification of payment information
T1.6 Modification of agent's code
T1.7 Modification of agent's data
T1.8 Modification of host's code
T1.9 Modification of host's data
T1.10 Disclosure of submitted messages between agents
T1.11 Modification of inter-agent communication
T1.12 Unauthorised passing on of confidential information

Security Objective 1 - Protection of Data
The resulting security objectives are that the agents and platforms can protect their data and code from unauthorised copying, disclosure and modification. It should be possible to detect and to prevent that confidential information is passed on without permission. Additionally, the customers should be able to stay anonymous as long as possible before eventual commitment.

SO1 No Unauthorised Disclosure, Copying or Modification of Data
SO1.1 Only authorised access to agent's data and code
SO1.2 Only authorised access to host's data and code
SO1.3 No unwanted disclosure of identity
SO1.4 Only authorised access to special offers
SO1.5 Only authorised access to contract information
SO1.6 Only authorised access to payment information, no unauthorised modification of payment information
SO1.7 Confidential and integrity-protected inter-agent communication
SO1.8 Detection and prevention of the unauthorised passing on of confidential information

Threat Scenario 2 - Interception of Network Communication
This threat scenario deals with the security of the network communication. Here, the network that connects the platforms with each other is considered. Some malicious attacker from the