This invention relates to a distributed system, an access control process and apparatus, and an access control program product. More particularly, it relates to a distributed system in which a mobile code migrates for execution on plural computers interconnected over a network, an access control process and apparatus, and an access control program product.
Recently, as personal computers have improved in performance and fallen in cost, and as global-scale networks typified by the Internet have grown, it has become commonplace for plural computers to be interconnected over a network, rather than used stand-alone, so that a computer can exploit the resources of other remote computers through the network. With the increase in the number of computers interconnected over the network, distributed systems furnishing a variety of services on the network are becoming popular.
In this sort of distributed system, a technique has been developed in which a program code prepared on a certain computer is downloaded to different computers through the network so that the program can be executed on those computers. For example, a mobile agent system has a function of receiving and executing a program sent from other computers.
By exploiting this technique, it becomes possible to execute programs between heterogeneous computers interconnected over a network, without dependency on the computer types or the type of the operating system.
On the other hand, the possibility that the resources of a computer, such as crucial files, will be accessed by an untrustable or malicious program code is also increasing.
For this reason, such a distributed system needs to be equipped with a method and apparatus by which a trustable program code can be distinguished from an untrustable program code insofar as security is concerned.
As an example of this sort of conventional distributed system, reference is made to the description of a publication entitled "Java Security Architecture (JDK1.2)" issued by SUN MICROSYSTEMS INC. FIG. 23 shows schematics of this conventional access control system.
Referring to FIG. 23, the code base (URL, uniform resource locator) held by a program code 1004 and the signatory of the program code 1004 are collated against a security policy 1003 of an own computer 1000, so that only a program authorized to have access is allowed to operate on a virtual machine (Java virtual machine) 1001 on the own computer 1000. This holds no matter whether the code is a local code, that is a code prepared on the own computer 1000, or a remote code, that is a code prepared on another computer and downloaded to the own computer 1000.
By way of a specified example, if a policy:
grant {
permission java.io.FilePermission "tmp_file", "read";
}
is written in the security policy 1003, all program codes are given the authorization to "read" a file having the filename "tmp_file".
On the other hand, if a policy:
grant codeBase "http://java.sun.com", signedBy "Li" {
permission java.io.FilePermission "/tmp/file*", "read";
permission java.io.SocketPermission "nec.co.jp", "connect";
}
is stated, a program code signed by "Li" and downloaded from the URL "http://java.sun.com" is accorded an authorization to read ("read") all files directly below "/tmp" and an authorization to access ("connect") the network through a socket to "nec.co.jp".
In this manner, access control is realized with, as the "subject", the URL of the computer from which the program code has been downloaded and the information on the signatory.
As another system, there is known "A Security Model for Aglets", stated on pages 68 to 77 of a publication (IEEE Internet Computing, July/August 1997). This system is called the Aglets system. In the Aglets system, the subject of security is extended beyond the information on the signatory of the program code to the execution environment of the program code (called the "Context" or "Aglet Context" in the Aglets system), and to the producer and the manager of that execution environment.
This enables execution of a program code prepared by a subject not recognized by the security policy of a given computer, and fine access control, on the condition that the authorization for execution is prescribed in detail in the security policy.
However, the aforementioned access control device suffers from the following problems:
The first problem is that access control in a multi-agent system in which plural agents can have communication with one another is insufficient for the following reasons:
In a system in which agents can communicate with one another, such as the Internet, an indefinite number of agents transmit and receive communications. In such a case, communication with one agent may cause communication with other agents to be produced, that is, the communication becomes multi-stage, passing through a large number of agents or agent environments.
The more frequent the communication among agents, the higher the possibility that an untrustable agent with malicious intent participates in the communication, or that the communication must pass through evil agent environments. In such a case, the contents of the communication tend to be modified. If the modified program code is received and executed, the agent environment tends to be affected adversely.
However, in the conventional access control device, no attention is paid to access control in the case where the communication becomes multi-stage and the number of relays increases.
The second problem is that access control in a multiple agent system, in which agents are migrated frequently, is insufficient, for the following reason:
In certain recent agent systems, the program code is migrated from a computer environment on a network to a different computer environment.
In certain implementations of the agent system, not only is the data held by an agent migrated, but its execution is interrupted, its state information, such as the information as to which program code in the sequence of program codes has been executed so far, is saved, and migration is made to a different computer environment, where execution is re-started from this state.
In a system enabling such agent migration, the probability is high that an indefinite number of agents are migrated over the network to different computer environments. Even if an agent is formulated by a trustable organization and started by a trustable person, the agent environment tends to be affected adversely in a case where the agent is migrated to an evil agent environment and modified there, and the agent thus modified is migrated to a different agent environment to re-initiate its execution.
In a conventional access control device, no attention is paid to the route information of the agent, so that access by an agent which has visited an evil agent environment cannot be controlled appropriately.
The third problem is that access control for protecting an agent on a computer is insufficient.
The reason is that, as discussed in connection with the first and second problems, if the route information as to the route traversed by the communication or the agent is lacking, and thus the access control is insufficient, an agent which should inherently be access-controlled cannot be, so that other agents tend to be affected by the execution of agents for which access control is not possible.
The fourth problem is that fine access control cannot be performed because the route information on the agent or the thread is not used as the access control subject.
The fifth problem is that, if, in a multi-agent system, access control of the agent cannot be performed sufficiently, trustability in security cannot be said to be sufficient.
It is therefore an object of the present invention to provide, in a multi-agent system in which plural agents operate simultaneously or concurrently, an access control device and process whereby it is possible to control execution of individual agents.
It is another object of the present invention to provide, in a multi-agent system in which plural agents operate concurrently and can have communication with one another, an access control device and process whereby execution of individual agents can be controlled even when the communication is a multi-stage communication.
It is a further object of the present invention to provide, in a multi-agent system in which agents can migrate in a computer environment on a network to furnish variegated services on the network, an access control device and method which are highly trustable.
It is a further object of the present invention to provide an access control device and process which can protect both the agent environment and the agent.
It is a still further object of the present invention to provide an access control device and process which can perform fine, flexible access control adapted to the policy of each agent environment.
It is a yet further object of the present invention to provide a multi-agent system which is highly trustable in security. Other objects of the present invention will become readily apparent from the following description and the claims.
According to an aspect of the present invention, there is provided an access control process in which a method and/or an agent are sent from one computer to another computer over a network for execution, comprising:
holding and transmitting visit history information on agent environments of computers traversed by a method and/or an agent,
collating, in an agent environment of a destined computer, the visit history information with a security policy which defines the security information, and
performing control so as not to permit execution of a method and/or an agent which has traversed an agent environment not permitted under a security policy of an own agent environment.
According to a second aspect of the present invention, there is provided an access control process for an agent system in which a plurality of computers are interconnected over a network and in which a method disclosed by an agent of a computer is requested to be executed by an agent of another computer, comprising:
storing and holding a security policy which defines security information from one agent environment to another by each computer;
updating and holding, in a method request message, not only information on an agent of a method execution requestor but also information on an agent environment traversed by the method and visit history (or tracing) information on a thread of the method to transmit the resulting message to an agent environment of the method execution requester, and
performing control in an agent environment of an addressee of the method execution request so as not to permit execution of a thread which has traversed an agent environment not permitted under a security policy on an own agent environment, by collating the visit history information of the thread of the received method request message with the security policy.
According to a third aspect of the present invention, there is provided an access control process in a mobile agent system in which an agent is migrated between agent environments of a plurality of computers interconnected over a network, comprising:
storing and holding a security policy which defines security information from one agent environment to another by each computer;
updating and holding agent environment information and agent visit history (or tracing) information in an agent migration message every time an agent traverses an agent environment; and
collating, in an agent environment of a destination of agent movement, the agent visit history information of a received agent migration message with a security policy to perform control so as not to permit execution of an agent which has traversed an agent environment not permitted by the security policy of an own agent environment.
According to a fourth aspect of the present invention, there is provided a distributed system in which a plurality of computers are interconnected over a network and in which a method disclosed by an agent of a computer is requested by an agent of another computer to be executed,
wherein
(a) each computer includes storage means for holding a security policy which defines security information from one agent environment to another; and
(b) the system comprises:
(b1) in an agent environment of a method execution requester, means for storing, in a method request message, not only agent information and agent environment information but also visit (or tracing) history information on a method thread;
(b2) in an agent environment which the method has traversed, means for holding agent environment information added to the thread visit history information of the method request message;
(b3) in an agent environment of an addressee of the method execution request, means for managing control by collating the visit history information of the thread of the received method request message with a security policy of an own agent environment so as not to permit execution of a thread which has traversed a non-permitted agent environment.
According to a fifth aspect of the present invention, there is provided a distributed system in which a plurality of computers are interconnected over a network and in which an agent is migrated between agent environments of the computers for execution,
wherein:
(a) each computer includes storage means for holding a security policy defining security information from one agent environment to another; and
(b) the system comprises:
(b1) means for adding agent visit (or tracing) history information with an agent environment to update an agent migration message each time an agent traverses the agent environment; and
(b2) means for collating the agent visit history information of a received agent migration message with a security policy of an own agent environment to check the migration authorization of the agent, thereby managing control so as not to permit execution of an agent which has traversed an agent environment not permitted by the security policy.
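The following is an added illustration, not code from the patent, of the visit-history collation described in the second through fifth aspects: each agent environment a method request or agent migration message traverses appends itself to the message, and the receiving environment refuses execution if any traversed environment is not permitted by its own policy. The representation of the policy as an allow-list of environment names, the message fields and the environment names envA, envB, envC and envX are all assumptions made for this example.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class SecurityPolicy:
    """Policy held by one agent environment (storage means (a) in the text).
    Assumption: an allow-list of environments; anything else is non-permitted."""
    own_env: str
    permitted_envs: frozenset

    def permits(self, env):
        return env == self.own_env or env in self.permitted_envs


@dataclass
class Message:
    """Method request or agent migration message carrying visit history."""
    kind: str        # "method_request" or "agent_migration"
    subject: str     # requesting agent or migrating agent
    visit_history: list = field(default_factory=list)

    def traverse(self, env):
        """Each agent environment the message passes through appends itself."""
        self.visit_history.append(env)
        return self


def collate(policy, msg):
    """Collate the visit history with the receiving environment's policy.
    Returns (allowed, reason); refuses on the first non-permitted environment."""
    for env in msg.visit_history:
        if not policy.permits(env):
            return False, f"{msg.kind} by {msg.subject} traversed non-permitted environment {env}"
    return True, f"{msg.kind} by {msg.subject}: all {len(msg.visit_history)} traversed environments permitted"


def run_scenario():
    """Constructed scenario: environment envC trusts envA and envB but not envX."""
    policy_c = SecurityPolicy(own_env="envC", permitted_envs=frozenset({"envA", "envB"}))
    # Method request originating in envA, relayed through envB to envC.
    direct = Message("method_request", "agent1").traverse("envA").traverse("envB")
    # Same request, but one relay hop passed through an environment envC does not trust.
    relayed_via_x = Message("method_request", "agent1").traverse("envA").traverse("envX").traverse("envB")
    # Agent that migrated to envX earlier in its life before arriving at envC.
    migrating = Message("agent_migration", "agent2").traverse("envA").traverse("envX")
    return {
        "direct": collate(policy_c, direct),
        "relayed_via_x": collate(policy_c, relayed_via_x),
        "migrating": collate(policy_c, migrating),
    }
```

Note that the check is on the whole history, not only the last hop, which is what distinguishes it from the code-base-and-signatory check of FIG. 23.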
Further aspects of the present invention are the features of the claims, particularly of claim 6 et seq., the entire disclosure thereof being incorporated herein by reference thereto.
Also, the entire disclosure of the original Japanese patent application No. 11-157214, the priority thereof being claimed herein, is incorporated by reference thereto.