To protect mobile agents from attacks by their execution
environments, or hosts, one class of protection mechanisms uses
"reference states" to detect modification attacks.
Reference states are agent states that have been produced by
non-attacking hosts, or reference hosts. This paper presents a new
protocol that uses reference states by modifying an existing approach
called "traces". In contrast to the original approach,
the new protocol offers a model in which the execution on one host is
checked unconditionally and immediately on the next host, regardless
of whether that host is trusted or untrusted. This modification
preserves the qualitative advantages, such as asynchronous execution,
but also introduces two new problems: input to the execution session
on one host cannot be kept secret from a second host, and
collaboration attacks by two consecutive hosts are possible. The
overhead of the protocol roughly doubles the cost of the
mobile agent execution.
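
The following Python sketch is an added illustration of the checking idea summarized above; it is not the paper's protocol or code. The agent logic (`agent_step`), the package layout, and the use of an HMAC with a constructed key in place of host signatures are all assumptions made for the example.

```python
import hashlib, hmac, json

# Constructed per-host MAC keys; a stand-in for host signatures (assumption).
KEYS = {"hostA": b"constructed-key-A"}

def canon(obj):
    return json.dumps(obj, sort_keys=True).encode()

def digest(state):
    return hashlib.sha256(canon(state)).hexdigest()

def agent_step(state, host_input):
    """Hypothetical deterministic agent: remember the cheapest offer seen."""
    new = {"best": state["best"], "hops": state["hops"] + 1}
    if new["best"] is None or host_input["price"] < new["best"]["price"]:
        new["best"] = dict(host_input)
    return new

def execute_session(host, state, host_input, tamper=None):
    """Executing host: run the agent and build the package for the next host."""
    result = agent_step(state, host_input)
    if tamper is not None:          # models a modification attack on the state
        result = tamper(result)
    claim = {"host": host, "initial": digest(state),
             "input": host_input, "result": digest(result)}
    tag = hmac.new(KEYS[host], canon(claim), hashlib.sha256).hexdigest()
    return {"initial_state": state, "result_state": result,
            "claim": claim, "tag": tag}

def check_previous_session(pkg):
    """Next host: re-execute the previous session and compare with the claim."""
    claim = pkg["claim"]
    tag = hmac.new(KEYS[claim["host"]], canon(claim), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, pkg["tag"]):
        return False
    if digest(pkg["initial_state"]) != claim["initial"]:
        return False
    # The checker needs the plaintext input, so it cannot be kept secret from it.
    reference = agent_step(pkg["initial_state"], claim["input"])
    return digest(reference) == claim["result"] == digest(pkg["result_state"])

# Constructed sample data.
START = {"best": None, "hops": 0}
OFFER = {"seller": "hostA", "price": 120}
honest = execute_session("hostA", START, OFFER)
forged = execute_session("hostA", START, OFFER,
                         tamper=lambda s: {**s, "best": {"seller": "hostA", "price": 1}})
print(check_previous_session(honest), check_previous_session(forged))
```

The check only helps if the next host actually performs it and reports the outcome honestly, which is why two consecutive colluding hosts remain a problem.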