In an increasingly networked world, mobile code is a programming paradigm of growing importance. It provides a flexible way to structure cooperative computation in distributed systems. At present, the Internet is full of mobile code fragments, such as Java applets, which represent only a simple form of mobile code.
Mobile agents are mobile code that act autonomously on behalf of a user for continuous collecting, filtering, and processing of information. They combine the benefits of the agent paradigm, such as reacting to a changing environment and autonomous operation, with the features of remote code execution. They operate in computer networks and are capable of moving from server to server as necessary to fulfill their goals. Important applications include mobile computing, where bandwidth is limited, or users are disconnected, data retrieval from large repositories, and configuration management of software and networks. The vision of mobile agents roaming the Internet may soon become reality as the paradigm is incorporated in large-scale applications.
Mobile code is to be understood as a program that is produced by one entity, called the originator, and is subsequently transferred to another entity, the host, immediately before it is executed by the host. In other words, no manual intervention, such as performing an installation or running a setup routine, is required on behalf of the host; mobile code comes ready to run. Moreover, mobile agents are capable of continued, autonomous operation disconnected from the originator and migrate freely to other hosts during their lifetime. Such agents have also been called itinerant agents. Mobile code is exposed to various security threats: a malicious host may examine the code, try to learn the secrets carried by an agent, and exploit this knowledge in its interaction with the agent to gain an unfair advantage. A host might also try to manipulate the result of a computation.
There are at least two security problems that arise in the area of mobile code: (1) protecting the host from malicious code and (2) protecting the code from malicious hosts. The first problem has received considerable attention because of the imminent threat of computer viruses and Trojan horses. Current solutions are to run mobile code in a so-called sandbox with fine-grained access control and to apply code signing for exploiting a trust relation with the code producer.
Protecting mobile code was deemed impossible by some mobile code researchers until T. Sander and C. F. Tschudin realized that tools from theoretical cryptography could be used to execute mobile code in an encrypted form on an untrusted host, as described in their article “Protecting mobile agents against malicious hosts”, in Mobile Agents and Security (G. Vigna, ed.), Lecture Notes in Computer Science, vol. 1419, Springer, 1998. Most protocols for so-called secure computation require several rounds of interaction, however, and are therefore not applicable for achieving secrecy for mobile applications and integrity for their outputs. Sander and Tschudin concluded that only functions representable as polynomials can be computed securely in this non-interactive manner. Subsequent work of Sander et al. extends this to all functions computable by circuits of logarithmic depth, as disclosed by T. Sander, A. Young, and M. Yung in “Non-interactive CryptoComputing for NC1”, Proc. 40th IEEE Symposium on Foundations of Computer Science (FOCS), 1999.
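To make the Sander/Tschudin idea of non-interactive computation with an encrypted polynomial concrete, the following is an added illustration (not code from the patent or from their paper): the originator encrypts each polynomial coefficient with an additively homomorphic scheme (Paillier, with toy-sized primes chosen for readability), the host evaluates the polynomial on its own input using only ciphertext addition and plaintext-scalar multiplication, and only the originator can decrypt the returned result.

```python
# Added illustration of Sander/Tschudin-style encrypted polynomial evaluation
# (not the patent's or the paper's code). Paillier with toy-sized primes.
from math import gcd
import random

def keygen(p, q):
    """Paillier key pair from two primes (toy sizes here; use >= 1024-bit primes in practice)."""
    n = p * q
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)      # lcm(p-1, q-1)
    g = n + 1                                         # standard choice of generator
    mu = pow((pow(g, lam, n * n) - 1) // n, -1, n)    # mu = L(g^lam mod n^2)^-1 mod n
    return (n, g), (lam, mu)

def encrypt(pub, m):
    """E(m) = g^m * r^n mod n^2 with a fresh random r coprime to n."""
    n, g = pub
    r = random.randrange(1, n)
    while gcd(r, n) != 1:
        r = random.randrange(1, n)
    return (pow(g, m, n * n) * pow(r, n, n * n)) % (n * n)

def decrypt(pub, priv, c):
    n, _ = pub
    lam, mu = priv
    return (((pow(c, lam, n * n) - 1) // n) * mu) % n

def add(pub, c1, c2):
    """E(a) * E(b) mod n^2 = E(a + b): addition of two encrypted values."""
    return (c1 * c2) % (pub[0] ** 2)

def scale(pub, c, k):
    """E(a)^k mod n^2 = E(k * a): multiplication by a plaintext scalar known to the host."""
    return pow(c, k, pub[0] ** 2)

def host_evaluate(pub, enc_coeffs, x):
    """Host side: Horner evaluation of sum_i a_i x^i from encrypted a_i and its own plaintext x.
    The host never sees a coefficient and cannot read the encrypted result."""
    acc = enc_coeffs[-1]
    for c in reversed(enc_coeffs[:-1]):
        acc = add(pub, scale(pub, acc, x), c)
    return acc

def originator_roundtrip(coeffs, x, p=1009, q=1013):
    """Originator side: encrypt the polynomial, hand it to the host, decrypt the returned result.
    Coefficients and the result must be non-negative and smaller than n = p * q."""
    pub, priv = keygen(p, q)
    enc_coeffs = [encrypt(pub, a) for a in coeffs]    # travels with the mobile code
    enc_result = host_evaluate(pub, enc_coeffs, x)    # computed on the untrusted host
    return decrypt(pub, priv, enc_result)
```

This hides the coefficients and the output from the host, but it does not stop the host from evaluating the encrypted polynomial as often as it likes on inputs of its choosing, which is the limitation of active mobile code discussed next.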
A further form of code is active mobile code, which performs some immediate action on the host. In this setting, information about the encrypted computation is often leaked to the host, even though only the originator should receive any output.
A basic problem with active mobile code is that a malicious host can observe the output of the computation and simply run the code again with a different input. The only known existing defense for active mobile code against a malicious host uses trusted hardware. This approach entails running mobile code exclusively inside tamperproof hardware and encrypting it as soon as it leaves the trusted environment.
U.S. Pat. No. 6,026,374 relates to a system and method that use a trusted third party to provide a description of an information product to potential buyers without disclosing the entire contents of the information product, which might compromise the interests of the seller. The buyer trusts the third party to give an accurate description of the information that is for sale, while the seller trusts the third party not to reveal an excessive amount of the information product's content. The system can include a seller of information products, a buyer of such products, and a trusted third party summarizer, each operating as a node in a communications network such as the Internet. A disadvantage of this system and method is that the third party has to be trusted and that this third party receives and learns everything. This could be dangerous if said third party is compromised. Moreover, several messages are necessary to process the request of the buyer.