1. The Field of the Invention
The present invention is generally related to distributed computing environments and in particular to secure operation of agents accessing services as components of the distributed computing environment.
2. The Prior State of the Art
Distributed computing environments allow for dispersal of tasks performed by an application. As distributed computing environments become more prevalent and well understood, many monolithic programming efforts are being replaced with modular computing efforts.
In a modular view of computing, modules have their own identities, which are separate from their descriptive attributes. A module can be a collection of programmable interfaces. Modules typically have well-defined programmable interfaces at both the source code level and the run-time executable code level. The interfaces are uniquely identified by name or by some unique key value, often called a globally unique identifier (GUID). The uniqueness of a module name makes the module's visibility within a containing process, application, archive, or another module unambiguous. For example, two spell checking processes may exist on a computing device; without a way to distinguish between the two, an application could end up using either one of the spell checkers, with unpredictable results.
One driving factor in modular-based development and run-time systems has been the need to control and reduce the increased technical complexity of software development. Goals of modular-based software development include producing software that is fully scalable to small or large computing environments and producing it faster than is possible with monolithic programming.
A typical application today using conventional monolithic programming might have an event-driven graphical user interface (GUI), network interfaces to both a local area network and the Internet, and include a multi-tiered architecture for use within client-server environments. In contrast, modules allow for a level of abstraction at design time when modeling applications and systems, so that systems can then be assembled at run-time with modules viewed as “black boxes” resulting in a known and understood behavior.
Modules that have been well tested and perform well can be used within an application with a level of trust that they will perform as expected. Modules that are buggy or do not perform well can be refactored and worked on in isolation from more stable modules. While not altogether eliminating the technical complexity of software development, applications and systems built using modules can be assembled more quickly and offer a level of trust that could not be realized in a monolithic architecture.
Several well-known frameworks support module-based computing, including Microsoft's COM, COM+, and .Net frameworks, Sun's JavaBeans framework, and OMG's CORBA environment. Using these frameworks, a developer can build modules that interact with other modules on local machines and across networks. The most common method of module interaction and communication in these environments is a remote procedure call (RPC) mechanism, in which a remote module's interface is made to look to the caller the same as a local module's internal interface. Although the level of interoperability that RPC mechanisms provide between heterogeneous modules is limited, current frameworks do offer a good way to build module-based applications and systems. The frameworks also do a fair job of hiding the complexity of using modules that are distributed across the network, particularly within a local, secured network, but they present more of a challenge on unsecured networks such as the Internet.
An agent is a modular software component that has a level of autonomous behavior and acts on behalf of an application or process often referred to as the agent's “client”. An agent is designed to carry out one or more specific functions for its client.
Mobile software agents are agents that can move from one environment to another environment, with their execution in the one environment able to continue in the other environment. Mobile agents can solve problems with network bandwidth utilization. If a computing process needs to sift through a large volume of remote data, having the computing process run on a local computer and access the data over a network would use considerable network bandwidth. A more bandwidth efficient method would be to have the computing process provide or invoke an agent to move near the data and perform its operations locally.
Mobile agents are also useful for overcoming problems of intermittent network connectivity. For example, if a local computer is executing a long-running process that requires processing data across the network and the local computer can become disconnected from the network, the process may fail. A better solution is to allow an agent to move near the data and perform its processing operations, then have the agent (or its data) return to the local computer when the local computer is ready to receive the results of the agent's operations.
Agents using complex programming logic can sometimes exhibit seemingly intelligent behavior. These agents are often referred to as “intelligent agents”. Some intelligent agents perform a directed sequence of actions to achieve a processing goal. Some use a knowledge base. Some use artificial intelligence (AI) methods, such as neural networks to provide problem solving processing.
IBM's recently open sourced Aglets framework allows for the building and deployment of Java-based mobile agents, but its uses are limited, and it does not provide the container control or interaction that might be needed.
JADE is a Java-based development environment that claims compliance with the Foundation for Intelligent Physical Agents (FIPA) specifications. FIPA is a non-profit organization that promotes and provides specifications for the interoperability of agents. JADE, and similar approaches, run without security by default. A security manager can be used to protect machine resources, but it must be applied consistently throughout a system to ensure full security.
A service, as used herein, is a software component that provides computer processing through a clearly defined interface. For example, an application using the information provided by the clearly defined interface could execute a “stock quote” service, and a “weather” service, possibly provided by different vendors, and combine the results into an application that provides a graphical user interface (GUI) to show how weather affects stocks. This application could provide, as an adjunct to the GUI, a service that would supply the results to other applications in a raw form as data.
A service-oriented architecture (SOA) describes applications and systems built primarily from services that are made available for use. An example of a service is a web service. Web services can interoperate with other services and applications using a wire-level standard protocol such as the Simple Object Access Protocol (SOAP), which encodes in Extensible Markup Language (XML) the data elements sent by the invoker of the web service; the service's interface itself is described in a companion XML document (a WSDL description). The results are returned in a SOAP message as well.
Unlike the more common Remote Procedure Call (RPC), web services communicate through a self-describing interface. The published interface description fully specifies how the service is accessed: its operations, the format of the messages each operation accepts and returns, and the endpoint at which it is reached. A SOAP message itself carries the XML-encoded operation name and data, structured as the interface description prescribes. By using self-describing interfaces and a wire-level protocol like SOAP, heterogeneous components can communicate. For example, a C++ based module can interoperate with a JavaScript web service.
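The SOAP exchange described above, as an added example that is not part of the original text: one side builds the request envelope, the other side reads the operation and its data out of the Body, and the client distinguishes a result from a SOAP Fault. The service namespace `urn:example:quotes`, the `GetStockQuote` operation and the sample responses are all constructed for this illustration; only the SOAP 1.1 envelope namespace is real.

```python
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"  # SOAP 1.1 envelope namespace (real)
SVC_NS = "urn:example:quotes"                            # assumed namespace of a hypothetical quote service

ET.register_namespace("soap", SOAP_NS)
ET.register_namespace("q", SVC_NS)


def _tag(ns: str, local: str) -> str:
    """Clark-notation tag name that ElementTree uses for namespaced elements."""
    return f"{{{ns}}}{local}"


def build_quote_request(symbol: str) -> bytes:
    """Client side: serialize a SOAP 1.1 request for the assumed GetStockQuote operation.

    Building the tree with ElementTree instead of string concatenation escapes the
    caller-supplied symbol, so a value such as 'A<B' cannot inject markup into the envelope.
    """
    envelope = ET.Element(_tag(SOAP_NS, "Envelope"))
    body = ET.SubElement(envelope, _tag(SOAP_NS, "Body"))
    operation = ET.SubElement(body, _tag(SVC_NS, "GetStockQuote"))
    ET.SubElement(operation, _tag(SVC_NS, "Symbol")).text = symbol
    return ET.tostring(envelope, encoding="utf-8", xml_declaration=True)


def _soap_body(xml_bytes: bytes) -> ET.Element:
    """Validate the outer envelope and return its Body element."""
    root = ET.fromstring(xml_bytes)
    if root.tag != _tag(SOAP_NS, "Envelope"):
        raise ValueError(f"not a SOAP 1.1 envelope: {root.tag}")
    body = root.find(_tag(SOAP_NS, "Body"))
    if body is None:
        raise ValueError("SOAP envelope has no Body")
    return body


def parse_quote_request(xml_bytes: bytes) -> str:
    """Server side: extract the requested symbol from an incoming GetStockQuote envelope."""
    body = _soap_body(xml_bytes)
    operation = body.find(_tag(SVC_NS, "GetStockQuote"))
    if operation is None:
        raise ValueError("Body does not contain a GetStockQuote operation")
    symbol = operation.findtext(_tag(SVC_NS, "Symbol"))
    if not symbol:
        raise ValueError("GetStockQuote request is missing Symbol")
    return symbol


def parse_quote_response(xml_bytes: bytes) -> dict:
    """Client side: read a GetStockQuoteResponse, or surface a SOAP Fault instead of data."""
    body = _soap_body(xml_bytes)
    fault = body.find(_tag(SOAP_NS, "Fault"))
    if fault is not None:
        # In SOAP 1.1 the faultcode/faultstring children are unqualified elements.
        return {"fault": fault.findtext("faultcode"), "reason": fault.findtext("faultstring")}
    response = body.find(_tag(SVC_NS, "GetStockQuoteResponse"))
    if response is None:
        raise ValueError("Body contains neither a Fault nor a GetStockQuoteResponse")
    return {
        "symbol": response.findtext(_tag(SVC_NS, "Symbol")),
        "price": float(response.findtext(_tag(SVC_NS, "Price"))),
    }


# Constructed sample messages standing in for what the hypothetical service would return.
RESPONSE_OK = b"""<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <q:GetStockQuoteResponse xmlns:q="urn:example:quotes">
      <q:Symbol>ACME</q:Symbol>
      <q:Price>12.34</q:Price>
    </q:GetStockQuoteResponse>
  </soap:Body>
</soap:Envelope>"""

RESPONSE_FAULT = b"""<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <soap:Fault>
      <faultcode>soap:Client</faultcode>
      <faultstring>Unknown symbol</faultstring>
    </soap:Fault>
  </soap:Body>
</soap:Envelope>"""

if __name__ == "__main__":
    request = build_quote_request("ACME")
    print(request.decode())
    print("server saw:", parse_quote_request(request))
    print("client got:", parse_quote_response(RESPONSE_OK))
    print("client got:", parse_quote_response(RESPONSE_FAULT))
```

The stdlib parser is used here because the input is constructed offline; a service that accepts SOAP envelopes from untrusted callers should parse them with DTD and entity expansion disabled (for example via a hardened wrapper such as defusedxml), since the XML layer is reachable before any of the interface logic above runs.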
The scripting of various service processes is called orchestration or workflow. Microsoft's BizTalk Server is a well-known product that provides for the orchestration of services and XML messages. There is also work being done to provide standard specifications for how web services are orchestrated. For example, Business Process Execution Language for Web Services (BPEL4WS) is one proposed standard. There are also proposed standards to address how a web service might provide support for transactional processing. Transactions are popular in database systems, where they provide a method to ensure that a set of operations applied to the database either succeeds in its entirety or fails in its entirety, leaving the database system in the same state as before the transaction started.
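The all-or-nothing property of a transaction, as an added example that is not from the original text: a transfer between two accounts performed as two UPDATE statements, once inside an explicit transaction and once without one. The schema, the account names and the balances are constructed for this illustration; the database is an in-memory SQLite instance from Python's standard library.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample ledger with a CHECK constraint that forbids overdrafts."""
    con = sqlite3.connect(":memory:", isolation_level=None)  # autocommit; BEGIN is issued explicitly below
    con.execute(
        "CREATE TABLE accounts (name TEXT PRIMARY KEY, balance INTEGER NOT NULL CHECK (balance >= 0))"
    )
    con.executemany("INSERT INTO accounts VALUES (?, ?)", [("alice", 100), ("bob", 20)])
    return con


def balances(con: sqlite3.Connection) -> dict:
    return dict(con.execute("SELECT name, balance FROM accounts ORDER BY name"))


def transfer(con: sqlite3.Connection, src: str, dst: str, amount: int) -> bool:
    """Credit dst, then debit src, as one transaction: both apply or neither does."""
    con.execute("BEGIN")
    try:
        con.execute("UPDATE accounts SET balance = balance + ? WHERE name = ?", (amount, dst))
        # The CHECK constraint raises IntegrityError if src would go negative.
        con.execute("UPDATE accounts SET balance = balance - ? WHERE name = ?", (amount, src))
        con.execute("COMMIT")
        return True
    except sqlite3.IntegrityError:
        con.execute("ROLLBACK")  # undo the credit that already succeeded
        return False


def transfer_without_transaction(con: sqlite3.Connection, src: str, dst: str, amount: int) -> bool:
    """Same two statements, each auto-committed on its own: a failed debit leaves the credit behind."""
    try:
        con.execute("UPDATE accounts SET balance = balance + ? WHERE name = ?", (amount, dst))
        con.execute("UPDATE accounts SET balance = balance - ? WHERE name = ?", (amount, src))
        return True
    except sqlite3.IntegrityError:
        return False


if __name__ == "__main__":
    con = make_db()
    print(transfer(con, "alice", "bob", 30), balances(con))
    print(transfer(con, "bob", "alice", 500), balances(con))                      # rolled back
    print(transfer_without_transaction(con, "bob", "alice", 500), balances(con))  # money created
```

The second call fails in both variants; only the transactional one leaves the ledger where it started, which is the guarantee the orchestration standards mentioned above try to extend across service boundaries.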
Some agent frameworks support services, such as web services (JADE is one example). The World Wide Web Consortium (W3C) is working on standards for agents to understand services and the functionality they offer, with Ontology Web Language for Services (OWL-S). While the generalized interaction of agents with services may make design of distributed computing environments easier, it comes at a price in terms of increased complexity and greater security concerns.
Some risks stem from the fact that untrusted (or only partially trusted) code is often allowed to execute on a machine without the machine owner's explicit knowledge, as is the case with mobile agents and downloaded services. The code that executes can have a cascade effect, modifying behavior or code that previously ran correctly so that it now runs poorly. An example is a software patch or update that seemingly installs acceptably but leaves the system operating poorly afterwards. Because the user is often unaware of the complex processing that takes place “under the covers” on the computing device, it can be extremely difficult to undo the changes caused by running mobile code.
Another security concern with the use of mobile code is access to sensitive information that could be used inadvertently, without the user's knowledge. The concerns described above are present even with non-malicious code, and they are greatly heightened if the mobile code has malicious intent.
One approach to maintaining security is the use of the “container” concept, wherein code runs on a platform that prevents the code from accessing other resources (software, hardware, etc.) of the platform other than through well-defined and controlled openings in the container. Examples are the Java Virtual Machine (JVM), the Java 2 Enterprise Edition (J2EE) Servlet Specification, and the Globus Toolkit. These typically require a developer to provide a significant amount of code to achieve the level of control and manageability required by automated applications.
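The “container” idea above, and the security manager mentioned for JADE earlier, both come down to the same mechanism: agent code receives nothing but a handle, and every access to a host resource passes through a mediator that checks a deny-by-default grant list and records the decision. The following is an added example of that mediation pattern in Python, not code from any of the frameworks named on this page; the `Container`/`AgentHandle` classes, the agent functions and the stub services are all constructed for the illustration.

```python
from typing import Callable, Dict, List, Set, Tuple


class ContainerPermissionError(PermissionError):
    """Raised when agent code reaches for an opening the host did not grant."""


class Container:
    """Host-side mediator: agents reach host resources only through invoke()."""

    def __init__(self, services: Dict[str, Callable[..., object]]) -> None:
        self._services = services                 # the host's real resources; never handed to agents
        self._grants: Dict[str, Set[str]] = {}    # agent id -> permitted service names (deny by default)
        self.audit: List[Tuple[str, str, str]] = []

    def admit(self, agent_id: str, permitted: Set[str]) -> "AgentHandle":
        """Register an agent with an explicit, least-privilege set of openings."""
        unknown = set(permitted) - set(self._services)
        if unknown:
            raise ValueError(f"cannot grant unregistered services: {sorted(unknown)}")
        self._grants[agent_id] = set(permitted)
        return AgentHandle(self, agent_id)

    def invoke(self, agent_id: str, service: str, *args: object) -> object:
        """The single controlled opening: check the grant, log the decision, then call."""
        if service not in self._grants.get(agent_id, set()):
            self.audit.append((agent_id, service, "denied"))
            raise ContainerPermissionError(f"{agent_id} may not call {service!r}")
        self.audit.append((agent_id, service, "allowed"))
        return self._services[service](*args)


class AgentHandle:
    """The only object given to agent code. It exposes call() and nothing else by design;
    note that Python provides no in-process isolation, so this mediates rather than isolates."""

    def __init__(self, container: Container, agent_id: str) -> None:
        self._container = container
        self._agent_id = agent_id

    def call(self, service: str, *args: object) -> object:
        return self._container.invoke(self._agent_id, service, *args)


# Constructed stub services standing in for real host resources.
HOST_SERVICES: Dict[str, Callable[..., object]] = {
    "weather": lambda city: {"city": city, "temp_c": 18},
    "read_file": lambda path: f"<contents of {path}>",
}


def weather_agent(handle: AgentHandle) -> object:
    """Well-behaved agent: uses only the opening it was granted."""
    return handle.call("weather", "Boston")


def snooping_agent(handle: AgentHandle) -> object:
    """Misbehaving agent: tries a resource outside its grant."""
    return handle.call("read_file", "/etc/passwd")


def run_agent(container: Container, agent_id: str, permitted: Set[str],
              agent: Callable[[AgentHandle], object]) -> Tuple[str, object]:
    """Admit the agent with its grant, run it, and turn a denied access into a result code."""
    handle = container.admit(agent_id, permitted)
    try:
        return ("ok", agent(handle))
    except ContainerPermissionError as exc:
        return ("denied", str(exc))


if __name__ == "__main__":
    container = Container(HOST_SERVICES)
    print(run_agent(container, "wx-1", {"weather"}, weather_agent))
    print(run_agent(container, "spy-1", {"weather"}, snooping_agent))
    for entry in container.audit:
        print(entry)
```

The grant check happens before the service table is consulted, so an agent that was never admitted, or that names a service outside its grant, is refused and the refusal is recorded. What this pattern does not do is stop agent code from reaching around the handle by other means; that is the job of the platform boundary (the JVM sandbox, the servlet container, a process or OS-level container), which is why the frameworks above still require the developer to wire the two together.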
What is needed is a system that can efficiently and securely manage service and agent interaction in a controlled environment.