Over the years, computer systems have evolved from centralized monolithic computing devices supporting static applications into client-server environments that allow complex forms of distributed computing. Throughout this evolution, limited forms of code mobility have existed. The explosion in the use of the World Wide Web, coupled with the rapid evolution of platform-independent programming languages, has promoted the use of mobile code and at the same time raised some important security issues. This chapter introduces mobile code technology and discusses the related security issues. The first part of the chapter deals with the need for mobile code and the various methods of categorizing it. One method of categorizing mobile code is based on code mobility. Different forms of code mobility, such as code on demand, remote evaluation and mobile agents, are explained in detail. The other method is based on the type of code distributed. Various types of code, such as source code, intermediate code, platform-dependent binary code and just-in-time compilation, are explained. Mobile agents, as autonomously migrating software entities, present great challenges to the design and implementation of security mechanisms. The second part of this chapter deals with the security issues. These issues are broadly divided into code-related issues and host-related issues. Techniques such as sandboxing, code signing and proof-carrying code are widely applied to protect the hosts. Execution tracing, mobile cryptography, obfuscated code and co-operating agents are used to protect the code from harmful agents. Security mechanisms such as language support for safety, OS-level security and safety policies are discussed in the last section. In order to make the mobile code approach practical, it is essential to understand mobile code technology.
Advanced and innovative solutions need to be developed to restrict the operations that mobile code can perform without unduly restricting its functionality. It is also necessary to develop formal, extremely easy-to-use safety measures.
Mobile code consists of small pieces of software, obtained from remote systems outside the enclave boundary, transferred across a network, and then downloaded and executed on a local system without explicit installation or execution by the recipient.
The mobile code paradigm encompasses programs that can be executed on one or several hosts other than the one that they originate from. Mobility of such programs implies some built-in capability for each piece of code to travel smoothly from one host to another. Mobile code is associated with at least two parties: its producer and its consumer – the consumer being the host that runs the code.
Examples of mobile code include JavaScript embedded within an HTML page, a Visual Basic script contained in a Word document, an HTML Help file, an ActiveX control, a Java applet, a transparent browser plug-in or DLL, a new document viewer installed on demand, an explicitly downloaded executable binary, etc. Since mobile code runs in the execution context of the user who downloads the code, it can issue any system calls that the user is allowed to make, including deleting files, modifying configurations or registry entries, sending emails, or installing back-door programs in the home directory. The most common type of malicious mobile code is an email attachment.
Mobile code systems range from simple applets to intelligent software agents. These systems offer several advantages over the more traditional distributed computing approaches, such as flexibility in software design beyond the well-established object-oriented paradigm and bandwidth optimization. As usual, increased flexibility comes at a cost: increased vulnerability in the face of malicious intrusion scenarios akin to those of the Internet. Possible vulnerabilities with mobile code fall into one of two categories: attacks performed by a mobile program against the remote host on which the program is executed, as with malicious applets or ActiveX programs, and the less classical category of attacks due to the subversion of the mobile code and its data by the remote execution environment.
Advantages of Mobile Code
Here are some possible advantages of mobile code:
Eliminates configuration and installation problems and reduces software distribution costs of desktop applications
The code is potentially portable to many platforms
Enhances the scalability of client/server applications
Achieves performance advantages
Achieves interoperability of distributed applications