ERCIM News No.49, April 2002


Security for Distributed and Mobile Active Objects with the ProActive Library

by Isabelle Attali, Denis Caromel and Arnaud Contes

In the domain of distributed applications, networks, and mobile agents, this research - started in spring 2001 in the Oasis Team at INRIA Sophia Antipolis - aims to develop mechanisms for specifying a security policy at a high level of abstraction for a given application.

The classical approach in information systems security requires a partitioning from the point of view of the organisation, geography and structure of information, in terms of their level of sensitivity and their domain. With the development of telecommunications however, a system can be distributed all over the world: data and code can be distributed and shared. This tremendous evolution prevents the classical approach from being used.

Existing security techniques (PGP, C-SET, SSL, X509, etc) are standards, each addressing a particular aspect of security and risk. We propose a complementary approach at the application level, possibly built on the cited standard techniques.

Besides existing system-level and network-level mechanisms, we believe that it is necessary to provide application-specific configurable techniques. Further, information transfer in object systems is enriched and more typed, compared with non-object systems (requests, replies, mobility of agents, remote object creation). These exchanges often require the definition of security attributes (authentication, integrity, confidentiality). Finally, in the setting of a given distributed application, some computers will play a specific role, and as a consequence, require specific rights and protections (eg, two secured servers versus access to a portable computer).

It seems of interest to organise in a hierarchical manner the different computers participating in a given distributed application, and to associate specific rights with these hierarchies. Our work can be seen as the creation of a Virtual Private Network at the application level. Another issue is secured meta-computing: how to use a federation of computing resources in a secure manner. A security policy for an application is specified in a declarative manner. An example of a security policy file is given in Figure 1.

INRIA = *;
ETCA = *;

INRIA <-> ETCA: Q,R # [+A,+I,?C];
ETCA -> INRIA: M # [+A,+I,+C];

Figure 1: Example of a security policy file for an application.

A user defines in this policy two abstract domains (INRIA, ETCA) and expresses that communications - Queries and Replies - have to be authenticated between all computers of INRIA and ETCA (+A).

Moreover, mobile agents (M) are allowed only from ETCA to INRIA, and must be in mode authentication, confidentiality, and integrity (+A, +I, +C).
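As an added illustration, and not code from the ProActive prototype, the following Python snippet parses the Figure 1 notation and checks a proposed communication against it with a default-deny rule. Two readings are our assumptions: '?C' means confidentiality is optional, and a communication with no matching rule is refused.

```python
import re

# Constructed sample policy in the article's Figure 1 notation (not a real deployment file).
POLICY_TEXT = """
INRIA = *;
ETCA = *;
INRIA <-> ETCA: Q,R # [+A,+I,?C];
ETCA -> INRIA: M # [+A,+I,+C];
"""

DOMAIN_RE = re.compile(r"^(\w+)\s*=\s*(.+?)\s*;$")
RULE_RE = re.compile(r"^(\w+)\s*(<->|->)\s*(\w+)\s*:\s*([\w,\s]+?)\s*#\s*\[([^\]]*)\]\s*;$")

def parse_policy(text):
    """Parse domain definitions and communication rules into (domains, rules).
    A rule is (src, dst, kinds, required, optional): kinds are the communication
    types Q/R/M, '+' attributes are required, '?' attributes optional (our reading);
    a '<->' rule is stored once per direction."""
    domains, rules = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line: continue
        if m := DOMAIN_RE.match(line):
            domains[m.group(1)] = m.group(2)
            continue
        m = RULE_RE.match(line)
        if not m: raise ValueError(f"unparsable policy line: {line!r}")
        src, arrow, dst, kinds, flags = m.groups()
        kinds = frozenset(k.strip() for k in kinds.split(","))
        required, optional = set(), set()
        for flag in (f.strip() for f in flags.split(",")):
            mode, attr = flag[0], flag[1:]
            if mode == "+": required.add(attr)
            elif mode == "?": optional.add(attr)
            else: raise ValueError(f"unknown attribute mode in {flag!r}")
        pairs = [(src, dst), (dst, src)] if arrow == "<->" else [(src, dst)]
        for s, d in pairs:
            rules.append((s, d, kinds, frozenset(required), frozenset(optional)))
    return domains, rules

def check(rules, src, dst, kind, offered):
    """Default deny (our assumption): refuse a (src, dst, kind) with no matching
    rule, and refuse one that lacks any required attribute. Returns (allowed, reason)."""
    for s, d, kinds, required, optional in rules:
        if (s, d) == (src, dst) and kind in kinds:
            missing = required - set(offered)
            if missing:
                return False, f"missing required attributes {sorted(missing)}"
            return True, f"allowed (optional attributes: {sorted(optional)})"
    return False, f"no rule authorises {kind} from {src} to {dst}"
```

With this policy, a query from INRIA to ETCA offering only authentication is refused because integrity is required, and a mobile agent from INRIA to ETCA is refused because migration is only authorised in the opposite direction.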

Figure 2: Deploying and monitoring a ProActive application using a graphical interface (IC2D) that makes it possible to ‘drag and drop objects over the world’.


A prototype has been implemented in Java with the ProActive library (over the standard RMI layer). This prototype is made of two parts:

  • interpretation and verification of the consistency between different security policies, and policy negotiation between hosts
  • handling of these policies using public, private and symmetric keys; we are using the SPKI public key infrastructure for encoding communications.

Examples have already been specified and executed and early performance measures have shown that this approach is viable. For instance, only 25ms were required for the full treatment of a secured message including encryption, transfer, decryption, and the checking of the sender certificate and digital signature.

Our approach proposes security features at the application level, especially in the setting of distributed objects with mobility.

Compared to related work, the ProActive security can be characterised by four main advantages:

  • we use standard (non-modified) tools (eg, standard JVM, standard SPKI infrastructure); this gives a wide portability to our applications
  • the declarative language allows easy definition and composition of security policies, potentially in a decentralised manner
  • object and activity mobility is now possible in distributed applications and opens up new solutions for information protection
  • security can be finely tuned with respect to information sensitivity and threat levels by treating each application separately. This would allow the high cost of cryptographic mechanisms in a local network to be avoided.

Future work will include a better control of security policies in the presence of mobile code and mobile agents. We will also study the composition of security policies (hierarchy, compatibility, static verification, etc). Another issue is to study the centralisation of all (or part) of a security policy. Lastly, we wish to formally model our approach in order to prove that policies are respected, in the presence of migration and variable placements of objects on machines.


Please contact:
Isabelle Attali, INRIA
Tel: +33 4 92 38 79 10