Dynamic Data Protection for Mobile Agents: XACML/ABAC Policies

Abstract

A mobile agent can move from one platform to another during runtime to access data or resources. He moves with his own code and data. Agents take on two roles in the runtime environment. First, agents are treated as subjects, because agents access the different resources of a platform. Second, they are considered as active resources in the execution environment. The protection of platform resources against the attack of malicious mobile agents is already addressed in the literature. However, the protection of code and agent data is an open and difficult issue due to the fact that the execution environment has full control over the mobile agent. A malicious platform may attempt to attack a mobile agent in order to analyze or modify the data collected (Dynamic Data) by this agent while it is running on another platform. To solve this problem, we have developed a security mechanism to manage access to the agent’s dynamic data between the platforms visited by this agent. This mechanism is implemented by the SAS (Security Adaptation System) which allows defining the access control rules to the dynamic data of the mobile agent. The SAS estimates the security level of each agent component (agent code in the form of software components) and the degree of confidence of the platforms visited by this agent. It then uses the multi-level model to define these rules. We adapt the ABAC model and the XACML language to create and publish access control policies for dynamic mobile agent data based on these rules.