Unfortunately, as in most applications, performance is sacrificed for increased security. It would, however, be valuable to have applications that are both secure and perform well. For this reason, much research is concerned with resolving the conflict between these two goals.
Conclusion
The purpose of this chapter is to raise readers' awareness of mobile code and of the various approaches to addressing the security of mobile code and agents. All of the techniques discussed in this chapter offer different approaches to combating malicious mobile code. However, the best approach is probably a combination of security mechanisms. The sandbox and code signing approaches are already hybridized. Combining these with firewalling techniques, such as the playground, gives an extra layer of security. PCC is still very much in the research and development phase at present.
In order to make the mobile code approach practical, it is essential to develop advanced and innovative solutions that restrict the operations mobile code can perform without unduly restricting its functionality. It is also necessary to develop formal, extremely easy-to-use safety languages for specifying safety policy.
Organizations relying on the Internet face significant challenges in ensuring that their networks operate safely and that their systems continue to provide critical services, even in the face of attack. Even the strictest of security policies will not be able to prevent security breaches. Educating users about social-engineering attacks based around mobile code is also necessary.