I presently lead an effort of the Parallel and Distributed Systems Group (PDSG) to investigate the security needs of mobile agents deployed into dynamic environments that span a large number of administrative domains. The PDSG is led by Vijay Karamcheti, with whom I collaborate closely.
The deployment of and communication between mobile agents requires the establishment of sustained authorizing trust relationships between agents and systems that host them, and other agents with whom they interact. Existing component-based frameworks (e.g. J2EE and grid) do not offer appropriate security guarantees for coalition systems that span multiple mutually-distrustful administrative domains. In order to address these challenges, we developed a deployment substrate for mobile agents called DisCo and a decentralized role-based access control system called dRBAC. I am also investigating mechanisms for quantified trust management that provide a rational representation of trust aggregation and increase the expressiveness and scalability of access control systems.
Distributed Role-Based Access Control: We discovered several shortcomings in available systems for decentralized trust management and authorization for large and decentralized systems. Trust relationships between mobile agents and hosts are likely to be indirect, and, while transitive authorization should be weaker than direct trust, commonly used trust management systems do not provide scalable abstractions for representing partial trust. Furthermore, deployment in such environments can require the collection of authorizing credentials from multiple administrative authorities; however, no appropriate mechanism for this is integrated into available trust management systems. Finally, while mobile agents will engage in sustained relationships with hosts and other agents, authorization systems are typically oriented towards transactions that occur only at some instant in time.
In response to these challenges, we developed dRBAC, a decentralized trust management system that provides mechanisms to
The availability of these features within dRBAC significantly reduced the complexity of DisCo and several security-sensitive applications.
DisCo: DisCo is an integrated runtime system with support for the secure and automated deployment of mobile agents. DisCo provides mechanisms for remote agent instantiation, inter-agent communication, locality-aware service discovery, code distribution, and dynamic modulation of runtime permissions, all conditioned by a common abstraction that directly represents sustained authorization relationships implemented using dRBAC. The applications we investigated for DisCo included the secure and dynamic installation of proxies and client programs.
Quantified Stochastic Trust Management: A common weakness in current trust management systems (including dRBAC) is their awkward and non-scalable representation of aggregated trust when multiple agents co-endorse restricted operations. Such aggregated trust is needed to mitigate risk to organizations from malfeasance or error by individual employees or automated systems who, in essence, are only partially trusted. In such systems, where trust is aggregated, authorization should be granted if the trust conferred to and by a set of co-endorsing agents exceeds some minimum threshold bound.
To address this need, I am investigating Quantified Stochastic Trust Management (QTM), an extension to dRBAC's partial trust model. QTM represents each partial trust relationship in a system as a credential indicating the issuer's appraisal of the probability that the trusted party will act in a trustworthy manner. Each such credential is modeled as a distinct stochastic process.
Corresponding to the nature of trust and authorization by a network of partially trusted agents in the real world, the degree of trust conferred by a QTM credential is attenuated when transitively chained, and strengthened when multiple independently trusted agents effectively co-endorse an authorization relationship.
Exact evaluation of a QTM problem reduces to bounded stochastic satisfiability (SSAT), which is PSPACE-hard. Fortunately, it appears that many practical problems are sufficiently small to be directly evaluated, and that approximation techniques result in tractable solutions for larger problems. Much of my current work, which is funded as a DARPA seedling effort, is directed towards the construction and evaluation of mechanisms to efficiently evaluate and enforce authorization based on QTM credentials.
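The following is an added illustration of the evaluation problem described in the two preceding passages (attenuation along chains, strengthening under co-endorsement, threshold-based authorization, and direct evaluation of a small instance); it is not QTM's or dRBAC's own code. It assumes a simplified model in which each credential is an independent Bernoulli event with the issuer's appraised probability, and in which a subject is trusted in an outcome exactly when some chain of trustworthy credentials links the authority to it; the credential names and values are constructed.

```python
from itertools import product

# Constructed sample credentials (issuer, subject, p), where p is the issuer's
# appraisal of the probability that the subject acts trustworthily. The names
# are hypothetical. Two independent brokers both vouch for "Agent".
CREDENTIALS = [
    ("OrgA", "Broker1", 0.9),
    ("OrgA", "Broker2", 0.8),
    ("Broker1", "Agent", 0.9),
    ("Broker2", "Agent", 0.7),
]


def reachable(edges, src, dst):
    """Is there a chain of (issuer, subject) edges from src to dst?"""
    seen, stack = {src}, [src]
    while stack:
        node = stack.pop()
        if node == dst:
            return True
        for issuer, subject in edges:
            if issuer == node and subject not in seen:
                seen.add(subject)
                stack.append(subject)
    return False


def trust_probability(credentials, root, subject):
    """Exact evaluation: enumerate every joint outcome of the independent
    credentials (2^n of them) and sum the probability of those outcomes in
    which a chain of trustworthy credentials links root to subject.  Chains
    attenuate (all links must hold) and disjoint co-endorsing chains
    strengthen (any one of them suffices) without hard-coding either rule."""
    total = 0.0
    for outcome in product((False, True), repeat=len(credentials)):
        prob, alive = 1.0, []
        for (issuer, sub, p), holds in zip(credentials, outcome):
            prob *= p if holds else 1.0 - p
            if holds:
                alive.append((issuer, sub))
        if reachable(alive, root, subject):
            total += prob
    return total


def authorize(credentials, root, subject, threshold):
    """Grant only if the aggregated trust meets the minimum threshold bound."""
    return trust_probability(credentials, root, subject) >= threshold


if __name__ == "__main__":
    chain_only = [CREDENTIALS[0], CREDENTIALS[2]]   # OrgA -> Broker1 -> Agent
    print(trust_probability(chain_only, "OrgA", "Agent"))   # 0.81 (attenuated)
    print(trust_probability(CREDENTIALS, "OrgA", "Agent"))  # 0.9164 (co-endorsed)
    print(authorize(CREDENTIALS, "OrgA", "Agent", 0.9))     # True
```

With a threshold of 0.9, neither broker's chain alone is sufficient (0.81 and 0.56), but the two co-endorsing chains together clear it, since 1 - (1 - 0.81)(1 - 0.56) = 0.9164.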