anand tripathi, university of minnesota2 mobile agent programming in ajanta anand tripathi...

Anand Tripathi, University of Minnesota 1

Mobile Agent Programming in AjantaMobile Agent Programming in Ajanta

Anand Tripathi

Department of Computer Science

University of Minnesota

Minneapolis MN 55455

http://www.cs.umn.edu/Ajanta/

This work was supported by NSF grants ANIR 9813703 and EIA 9818338


Outline

• Mobile Agent Paradigm

• Benefits, Obstacles, and Potential Applications

• Evolution of the Mobile Agent Paradeigm

• Ajanta Mobile Agent Programming System

• Conclusions and Future Directions


Contributors to Ajanta ProjectContributors to Ajanta Project

Neeran Karnik (currently with IBM New Delhi)

Manish Vora (currently with Fore Systems)

Tanvir Ahmed

Ram Singh (currently with Cisco)

Arvind Prakash (currently with Microsoft)

Shremattie Jaman


Aspects of Mobile Agent Research

• Distributed System Research– Focus on system architectures and protocols for

managing executions of mobile agent objects.

– Security, fault tolerance, naming, yellow pages

• Programming Languages Research– Code mobility, safety, programming constructs

– Agent communication languages

• Artificial Intelligence Research– Focus on intelligence, learning, and cooperation


What is an agent?

• An agent is a software component (object) which can perform one or more tasks in some predefined manner.

• Properties of an agent:

– Mobility

– Autonomy

– Deliberative vs. Reactive

– Learning

– Cooperation

See: IEEE Spectrum April 1998 paper by Morreale


Evolution

parameters(data)Client Server

results (data)

Remote Procedure Call:

Code resides atthe server

• Courier at Xerox PARC in 1980• Sun RPC 1984• DCE, CORBA late 1980’s


Evolution … Process Migration

• Process migration allows a partially executed process to be relocated to another node.– Execution state of the process is migrated.

• Stack, memory, program counter, state of open files.

• Mainly used for load balancing.• In the mid 1980s several mechanisms were

investigated and supported in a local area network environments.– Locus (UCLA), Sprite (UC Berkeley), Condor (Wisconsin)


Evolution … Object Migration

• Object migration allows objects to be moved across address spaces at different nodes.– Requires mobility of object’s code and data.

• Emerald supported object mobility under program control. (Univ. of Washington) (1986)

• Chorus distributed system (1988) supported object mobility with autonomous control by the object.

• Most of these system supported migration in a homogeneous system.


Evolution ...

Remote Programming and Code Mobility:

procedure code + data ServerClient

results (data)

Code transportedto the server

• Remote Evaluation model by Stamos and Gifford (MIT) (1990).• Java Sun Microsystems (1995) allows code migration across heterogeneous platforms.


Mobile Agents

A mobile agent is an object capable of autonomously migrating from one host to another in a distributed system to perform actions on behalf of its creator.

Clientagent

(code+data)Mobile Agent

Server 1

Server 3 Server 2


Potential Benefits and Capabilities

• Concurrency• Reduced network usage (bandwidth + frequency)

– No need to maintain client-server connection

– Move processing closer to where needed

• Client-server asynchrony– Disconnected operations

• Installation of client-specific interfaces• Dynamic interface upgrades


Examples of Potential Applications• User-level applications

– Search and information filtering agents

– Personal assistants

• Middleware systems– Global file systems

– Distributed collaboration and workflow systems

• System level tasks– Network status monitoring and control

– Intrusion detection

– Software distribution, installation, upgrades


Basic Requirements• A mobile agent system needs to support migration

of a partially executed agent object from one node to another.– Code migration to the destination node

– Agent state migration– There are two approaches to state migration

– Strong mobility refers to transfer of system level execution state, such as execution stack, program counter, memory

– Weak mobility refers to application level state transfer

• IEEE TSE May’98 paper by Fugetta, Picco, Vigna


Obstacles -- Security Issues

• Protection of host resources– Unauthorized access to host resources

• files, processes, system programs

– privacy concerns

– Damage to resources

– Denial of service attack

– ‘annoyance’ attacks

• Privacy & integrity of agent data– Passive & active attacks

• Beyond applet security model


Obstacles -- Robustness Issues

• Fault Tolerance Issues– Exceptions during agent’s remote execution

– Unavailability of server

– Loss of an agent during migration

• Status Monitoring and Control– Support to monitor an agent’s status

– Support to recall or terminate an agent


Obstacles - Programming Support

• Programming model and APIs • Programming infrastructure and services• Naming scheme for servers, agents, resources• Agent transfer protocol• Inter-agent communication protocol• Debugging facilities


Mobile Agent Systems - Approaches

Mobile Agent Systems

Languages Middleware Systems

OO Language Based Script Language Based

TelescriptOblique

Java based Tcl, Python, Perl


Agent Programming Systems• Telescript - A language developed by

General Magic in the early 1990s. • OO language for programming mobile agents.• Designed with security requirements.• It was used for email• It was used in Sony’s Magic Link personal

digital assistant linking to messaging and email services of AT&T and AOL

• Now discontinued in favor of Odyssey.


Agent Programming Systems• Tacoma - Tcl based system developed at Cornell and

Tromso University (1994-95)

• Agent Tcl - Tcl based system developed at Dartmouth College. (1994-95) D’Agents

• Aglets - Java based system from IBM. (1996)

• Concordia - Java based system from Mitsubishi Research. (1997)

• Voyager - Java based system from ObjectSpace

• Odyssey - Java based system from General MagicSee http://www.informatik.uni-stutgart.de/pvr/projekte/mole/mal/mal.html


Ajanta Mobile Agent System

• Ajanta System Architecture

• Agent Programming Primitives

• Agent Server Architecture and Security

• Agent Protection

• Patterns for Agent Migration

• Agent-Based Applications

• Conclusions and Future Directions


Ajanta System ArchitectureA mobile agent in Ajanta is a Java object• Infrastructure for agent-based applications

– The base Agent and AgentServer classes

• Infrastructure for hosting agents– Applications extend the generic agent server to define

• Name service – Location information and public-key distribution

– Based on Uniform Resource Naming (URN) framework


Mobile Agents in Ajanta

Host-A Host-B

Object Objectbyte array

serialize deserialize

n e t w o r k

state mobility using Java object serialization

code mobility based on “on-demand” class loading

Agent transfer is lightweight (no code or thread state transfer) weak mobility

execution context - control flow by method chaining


Agent Programming Support

• Base Agent class defines basic functionality for creating and launching an agent.

• Agent execution model– arrive and depart methods define entry and exit

protocols at a host.

• ItinAgent class defines itinerary based agents• Migration patterns for itinerary composition• Exception handling by guardians.


Defining an Application Agent

• An application specific agent is defined by inheriting from Ajanta’s base Agent class.

• The base Agent class has empty definitions for run, arrive, and depart methods.

• Application specific agent class must suitably redefine these methods.


Agent Credentials

• Credentials object includes:– agent name (its own identity, in URN format)

– owner (URN of the human user it represents)

– creator (program/application that created it)

– guardian (its “home site”/exception handler)

– code base (class bytecode server)

– owner’s signature on the above


Agent Migration Request

go(destination,methodName, parameter description)

• If no method is specified, by default run method is executed at the destination server.

• Absolute vs Relative migration (co-location with other agents/resources)


Agent Execution at a Server

When an agent arrives at a server:• Its credentials are verified.• A thread is created for its execution.• This thread first executes the arrive method of

the agent.• It then executes the requested method.• Finally it executes the depart method.


Exception Handling -- Guardian

Agent CreatorAgent Server

Guardian

Agent transfer on exception

Agent

Agent

Exception

Agent colocates with theGuardian’s and callsits Report method

Agent launch

Code Base Server


Protection of Server Resources

• Agents should be granted controlled access to host resources based on their credentials.– Access to files, network, application resources

• Agents should be prevented from bringing impostor code for security sensitive classes.

• Agents should be prevented from transferring a resource to a remote site.


Protection of Server Resources• Based on JDK 1.1 security model• Protection domains for agents

– Thread groups in Java

– Using the thread-group ID to identify the agent

– The Domain Registry

– Class loading in Java [Lindholm & Yellin 1996]

– Class loader-based namespace isolation

– One class loader per agent (domain)

• On-demand, secure code transfer


Agent and Server - Interactions

Agent Environment

ResourceRegistry

AgentTransfer

DomainRegistry

host

StateCode

M1 M2 M3

currentItinerary

AGENT

AGENT SERVER

ServerInterface

ATP

Resource

AccessProtocol

Proxy1

Proxy2

Unprotected DataAppendOnly Data

Targeted DataReadOnly Data

Credentials

RMI


Proxy Based Resource Access

• Agents aren’t given references to resource objects

• Proxy interposition [Shapiro 1986]

• Proxy as identity-based capability [Gong 1989]– access control

– dynamic revocation

– usage metering

• Assumption: agent server is not malicious

Agent2

Resource

Proxy2

Agent1Proxy1


AccessProtocol

Proxy2Proxy1

Resource binding protocol

Agent

Resource

Agent Environment

ResourceRegistry

DomainRegistry

1

ServerInterface

AgentTransfer

6

2

3

4 5

1. Resource registers its URN2. Agent requests a resource3. Server locates resource in registry

4. getProxy method is invoked5. New proxy object is returned to agent6. Agent accesses resource via proxy


Security against potential attacks

• Indirect access to the embedded resource: prevented using Java encapsulation (private).

• Copying of embedded resource via serialization: prevented using Java’s transient keyword.

• Use of proxy class that compromises embedded resource: Ajanta class loader only loads trusted proxy classes.

• Typecasting of proxy: not possible, since proxy class has no ancestors (other than the base Java class Object).

• Cloning of proxy: not allowed, since proxy class does not implement Cloneable interface.


Inter-agent Communication

• Inter-agent communication for co-located agents: using proxy-based binding

• Remote communication with agent using RMI:– leakage of sensitive data via remote invocation

– proxy interposition between remote caller and agent

– the createRMIProxy primitive

– proxy screens (authenticates) incoming RMI calls

– security manager screens outgoing connections


Protection of Agent State

• On the network: ATP uses encryption• Types of objects contained in an agent

– read-only (constants)

– append-only (logs, write-once data)

– targeted (private, for specific servers)


Agent Control Primitives

• Remote agents can be terminated or recalled home:

– public void terminate (URN agent,...);– public void recall (URN agent,...);– public void retract (URN agent,...);

• Authentication necessary for these primitives

– public Ticket authenticate (URN caller, int nonce);


Agents and Itineraries

Host A, action M

Host B, action M

Host C, action M

Host D, action M

Host E, action M

Host F, action M

Current

next

An example of a simple itinerary


Migrations PatternsAn itinerary is a sequence of patterns.

A pattern is a collection of patterns. (Recursive)

ItinEntry - primitive pattern host, action

Sequence of patterns: execute the patterns in a sequential order.

1 2 3 4

Set of patterns: execute in anyarbitrary order

3 1 4 3

Selection of one patternamong a set of patterns

1


Applications of mobile agents• A Calendar Management System

– a ‘calendar server’ maintaining users’ calendars

– agents for scheduling meetings using patterns:

• Global File Access System– agent-based remote file access system

• Web Index Search Service – built above the file access system. Agents are used

for searching a user’s web-page directory.

• Distributed Collaboration


Distributed Calendar System

• Each person in a group maintains a calendar and runs a calendar server.

• Calendar is a collection of events, organized by days.

• An event has: start time, duration, description

• To schedule a meeting of a set of people, an agent is sent to check each participant’s calendar server with proposed meeting times.


Calendar Agent and ServersCal Server of User A

Calendar

Calendar

Calendar

Calendar

Cal Server of User C Cal Server of User D

Cal Server of User B

Agent

Agent Agent

Agent


Files withACL

Global File Access System

User A’s File Access Server


Files withACL


Files with ACL

Client

Agent Migration

Agent to fetch/deposit files


Global File Access System

• File load, store, transfer, ‘stat’, keyword search• Interface primitives:

– fetchFile (URN fileName);– transferFile (URN fileName, URL dest);– depositFile (byte[] data, URN fileName);– getFileStat (URN fileName);– search (String keywords);

• ‘root’ directory, and access control list


Web Index Search Service

• A user can run a Web-Index Server for his/her web directory.

• This server stores an index for the user’s web directory.

• This index is prepared using Glimpse, an indexing and search tool from the University of Arizona.

• A client can send an agent to one or more web-index servers to search for files containing some given set of words.


Agent Based Web Search

Server Client

Launch Agent

Search/Filter

Glimpse index of the .www

File Server Thread

ResultsView

Processing Browser


Global File System

• Requirements

- open, read and write a remote file - support for different consistency model (AFS, Sprite, NFS etc)

- dynamically configurable cache module (block size, cache size etc)

- centralized as well as distributed caching policy


File System Initialization and Open Command

Agent

AjfsFile

open

File ServerAgent

File Client Agent

File Client Agent

12

3

Client Agent Environment File Server

4

Agent Transfer

5 getProxy

6

Data and Control channel


Agent-based Distributed Collaboration

• Agent can be used as workflow objects.

• Agents can be installed or transported to different user’s nodes for executing coordination protocols.

• Specify workflow constraints for a dynamic collaboration

• Role based access-control


Approach

• Define a collaboration environment• in terms of user roles, shared objects, security and

coordination requirements using XML DTD

• A written contract between Ajanta Collaborative System and a convener.

• Specify a collaboration plan in XML• This plan conforms to the DTD and shared

• Role are assigned to people

• Execute the Ajanta Collaborative System


Steps in Building a Collaboration

CollaborativeEnvironmentin XML DTD

XML Specification of a

CollaborativePlan

Agent based Distributed

Collaborative System

using Ajanta


Agent-based Collaborative System

a b dc

User Interface

Shared Replicated Objects (Object Space)

Agent-based Coordination Facility

User A

a b dc

User Interface

Shared Replicated Objects(Object Space)

Agent-based Coordination Facility

User B

CommunicationNetwork

Dispatching of a Coordination Agent


Agent Environment

Collaborative Authoring System

AccessProtocol

AGENT from a remote

user’s UCI

User Interface

Document Manager

Proxy

Objects created from XML plan


Future Directions

• Further investigations into agent security issues, and analysis of integrity and security of the Ajanta mechanisms

• Scale of operations with a number of different kinds of applications involving a significant number of agents.– Robustness and fault-tolerance

• Agent group coordination and management

• Support for debugging agent applications

• High level language for agent programming


Resource ImplementationResource

ResourceImpl

CalendarImpl CalendarProxy

Calendar AccessProtocol

= provided by Ajanta

= written by resource provider

= implementation inheritance

= interface inheritance


Access control in the proxyThe Calendar proxy:

private transient Calendar ref; // the hidden resourceprivate Method[] enabledMethods;

boolean isFree (TimeRange t){ // Use Java reflection to find the isFree Method object thisMethod = myClass.getMethod (“isFree”,……);

if (isEnabled(thisMethod)) return ref.isFree(t); // pass it through to ref else // throw security violation exception}


Server and Agent: Interactions

OS File System

Access Control List

Agent

File Server

Agent Thread

File SystemThread

File System Resource

Job bufferFile System

Proxy


Team Members• Anand Tripathi

– Associate Professor, Computer Science– B.Tech (Elect. Eng.), 1972, IIT Bombay– Ph.D. 1980, University of Texas at Austin– 1981-84, Senior Principal Research Scientist,

Honeywell Inc. Minneapolis– 1995-97 Program Director for Operating

Systems and Systems Software program at the National Science Foundation.


Team Members

Anand Tripathi ( Principal Investigator)

Current Team Members

• Tanvir Ahmed (M.S. student)

• Ram Singh (M.S. student)

• Arvind Prakash (M.S. student)

Graduated Team Members :

• Neeran Karnik (Ph.D.)

• Manish Vora (M.S.)


RESEARCH GOALS

The primary goal of the Ajanta project is to investigate and build an agent programming infrastructure for programming secure, high-confidence agent-based applications.


Current Research Activities

1 The Ajanta infrastructure– agent execution, migration & binding

– agent programming primitives

– secure, remote control of agents

– Location-independent naming based on the URN framework

2 Secure Agent Transfer3 Mechanisms for server resource protection


Current Research Activities

4 Secure inter-agent communication using RMI5 Authentication protocol for client-server

interactions6 Mechanisms to protect agent state

– Read-only state, Append-only state, Targeted state

– the ElGamal cryptosystem in Java


Evolution

Client Server

ServerClient

parameters(data)

results (data)

procedure (code)

results (data)

RPC

REV


Applications of mobile agents

• A Global File System– Agents to act as client-side protocol managers with

dynamic policies for caching and synchronization.

– Agents as mobile shared objects

– Server should be able to control the client-side protocol manager’s behavior dynamically

• Active Mail System– Agents as multimedia mail carriers

– On-demand retrieval of multimedia


Patterns for Itinerary Composition• Itinerary = sequence of ‘patterns’

• A pattern is a collection of patterns. (Recursive)

• Pattern types:– ItinEntry (server + method specification)– Sequence (ordered list of patterns)– Set (unordered list of patterns)– Selection (any one from a list of patterns)– Loop (iterate over a sequence of patterns)– Split (create one child agent per pattern in list)– SplitJoin (wait for child agents to return)


Secure Agent Transfer

• Requirements:– Code and state transfer

– Security requirements (secrecy, integrity, authentication)

– Failure/exception handling

– Name service updates

– Audit trails

– Garbage collection

– Thread allocation

• Absolute vs Relative migration (co-location with other agents/resources)


Applications of mobile agents• Global File Access System

– Currently we have a simple agent-based remote file access system

– An agent can be used to fetch/deposit files at remote user’s node.

• Web Index Search Service– This is built on the file access system. Agents are

used for searching a user’s web-page directory.

– User runs a web-index server


Web Index Sever and Agent• The server uses Glimpse to search the index and

get the list of files satisfying the given search query. The agent is given the URLs of these files.

• Agent can bring back some initial parts of files.• The agent returns home and creates an HTML

document with these URLs as hypertext links.• The result document also shows the frequency of

occurrence of the search string in each document.

anand tripathi, university of minnesota2 mobile agent programming in ajanta anand tripathi...

Documents

mobile agent system

data mobile agent server

client agent code

executed agent object

code migration

cooperation slide

s slide

mobile agent paradigm