A Pessimistic Approach to Trust in Mobile Agent Platforms

Mobile agent technologies such as Aglets 1 and Telescript2 are being deployed on the Internet to support new approaches to distributed computing. In the domain of electronic commerce, a scenario involving these technologies might consist of an agent program that searches a service for its owner by roaming the Internet and visiting the sites of various service (or product) providers. Such an agent is configured by its owner with all the relevant information to describe a desired service, the constraints on an acceptable offer, and a list of potential providers. The agent may also hold confidential information such as data for one or several payment methods to finalize a purchase. The agent should make this data available to a provider only in the event of a purchase. Even then, it should offer only data pertinent to the payment method used in the purchase. Because the agent is vulnerable while it is executing on the service provider’s execution platform, its owner must obtain some guarantees concerning the protection of the agent. Example threats from a malicious service provider include trying to obtain payment data without providing the service or trying to remove information about a better offer from the agent’s memory, thereby tricking it into accepting the malicious provider’s offer. The usual approach to protecting mobile agents is to assume that service providers are trusted principals that behave correctly.3 Although the importance of trust has long been recognized as paramount for the development of secure systems, the meaning associated with trust or a trusted principal is seldom clearly defined. In this article, we address the question of how to base trust on technical reasoning. We present a pessimistic approach to trust, which tries to prevent malicious behavior from occurring in the first place rather than correcting it after it has occurred. Our approach relies on a tamper-resistant hardware device that can be operated safely in an untrusted environment. The ideas presented here are purely conceptual and have yet to be implemented. Nevertheless, we believe that they can have important repercussions on the design of open mobile agent systems, whereby potentially everyone could become a service provider.