Security in the Sanctuary System

The Sanctuary mobile code system includes security mechanisms for protecting mobile agents from malicious servers as well as mechanisms for protecting mobile agent servers from malicious mobile code. To protect remotely executed mobile code, we integrate several key approaches: (1) security attributes certification to enable mobile code to avoid nodes in the agent-server network that are untrustworthy, as determined by user-centric security policies; (2) forward secure cryptography to improve detection of malicious tampering by servers; and (3) defining separate roles for agent author and agent owner, which justifies restricted delegation and external reference monitors with owner-provided agents to limit potential damage caused by buggy or compromised agent code. Simply put, we enable mobile code to avoid trouble when possible, and to detect trouble when it is unavoidable. We examine security-aware itinerary planning as a means to supplement these approaches, and describe our analysis of this problem. Our server uses well known approaches to defend itself from malicious code, and custom extensions that address the security needs of the mobile code itself. This paper describes our mechanisms and how they are integrated into the Sanctuary mobile code system.