¶ … Security
Mobile Code
Mobile code creates a required programming device to provide adaptability to form distributed systems for the Internet viz. Java Applets. (Mobile Code Security) Mobile code may be defined as small bits of software, which can without a user initiating action or even without his knowledge, be automatically downloaded into the workstation and executed. Without suitable controls appropriately positioned, there is the possibility of security risks, as these executable programs are downloaded from a server. Though mobile code meets the demand for functionality, it is necessary to protect any organization's system and networks from malicious mobile code, by writing a suitable security policy. (Writing Mobile Code Policies) Every initiator has the capability to generate independent mobile agents that can remit to unrestricted number of hosts and thereafter come back to the initiator. (Mobile Code Security)
A user was to be allowed to download a small piece of software, which enabled the user to increase their online experience. In the beginning this software could be used by Program Developers for several functions, without putting a load on the server. These functions include customising pages, doing data validation on forms, and doing some basic processing. The release of Java language and Java Virtual Machine environment by Sun created unlimited possibilities and was expected to change the whole picture of the Internet. It now became possible for a Programmer to create a single program and run it anywhere where Java Virtual Machine environment was available. The availibility of Java Virtual Machine in most browsers led to the birth of the mobile code.(Writing Mobile Code Policies)
Types of Mobile Code:
Let us examine some of the frequently and commonly seen forms of mobile code. The Internet Explorer has Embedded Script -JScript / VBScript, embedded within web pages and forms the first set of common forms of mobile code. These scripts enable the objects on a web page to be manipulated. These languages also enable the loading of objects like ActiveX controls and Java applets. The Windows Script Host allows the running of VBScript and JScript on any Windows platform. They run in the user's security context, as they are not under restrictions that are placed on code run in the browser. So if downloaded it allows the user any action including the manipulation of registry and file system by using objects present or calling upon other installed applications with the help of Component Object Model COM interfaces. COM forms the architecture of Microsoft to make programming objects that van be used again and again and give services to other programs. (Managing Mobile Code with Microsoft Technologies)
An ActiveX control is nothing but a COM and is another common form of mobile code. The ActiveX control has been designed so that it can be downloaded and made use of in web pages. On installing it, it runs in the security context of the web browser and is capable of doing any operation a user can. So ActiveX controls are a powerful tool for browser-based applications. Yet, it can pose a security check if normal safeguards are not taken. Similar to ActiveX controls are Java Applets and another common form of mobile code. Java applets consist of reusable code modules. They can be downloaded and installed on any client machine. The downloaded applet gets loaded into the Java Virtual Machine that controls the running of the applet. So the control restricts the functionality imposed by the Java Virtual Machine. Yet it offers better security by this. "Built-in" Objects is yet another form of mobile code and Internet Explorer uses these objects to perform scripting functions. They can be accessed from VBScriptor JScript. (Managing Mobile Code with Microsoft Technologies)
Quite a few of the Microsoft and other applications permit the Visual Basic Applications to be manipulated within other applications. Visual Basic Applications allows similar types of services as VBScript, being another form of it. These scripts get embedded within application documents and can be activated by the opening of certain application actions, like a document being opened. (Managing Mobile Code with Microsoft Technologies) Mobile code applications, like Java applets, ActiveX controls, JavaScript, and other auto-executable applications, are powerful applications in the distribution of information. The increasing power also creates an increased potential for unscrupulous individuals to exploit these applications for towards their goals. (Mobile code applications are the latest online-security threat)
Security Considerations With Respect to allowing Mobile Code into internal network:
Network oriented technologies possess extensively diverse security models and has varied ranges and advantages while...
As more and more computers get networked along with data mobility and code this has considerably augmented the susceptibility to infected code and holes in network security. A lot of network oriented technologies have become available lately that have extensively different security models and hand out immensely varied threats and advantages while being used in the networked settings. Active X executes a model that has a feature of code signing wherein the entity signs the executable content. Depending on the intensity of confidence in the person who signs, the user has the option of either accepting the code or rejecting it. Code that arrives from a dependable source executes with all the rights of the user, and can subsequently execute malevolent as also favorable actions.
Whereas the signing will facilitate in tracing the initiator of the malevolent or defective code, as also guaranteeing that any alterations is not made to the code while it is midway in its transmission, the Active X model is an "everything or nothing" model. The Java 2 security model uses cryptographic validation in association with safety domains to give a precision based approval and access control system that is considerably stronger compared to other mobile code methods. This model permits the granting on a class by class basis, allowing for instance, classes signed by a specific entity to have permission to use up to a level of a particular directory and to log into specific web sites. This characterizes a cautious, precise respite of the initial, much protected Java "sandbox" in order to permit Java classes to be increasingly functional as also keeping strong management on exactly what the code might act in specific settings. JavaScript does not possess any major safety policy. (Overview of Security in Mobile Code Technologies)
Mobile Code Friend or Foe:
There are a number of advantages in the use of mobile code and mobile agent computing paradigms. Some of these are overcoming network latency, reducing network load, executing asynchronously and autonomously, adapting dynamically to the environment, and operating in different environments, and possessing a tough and fault-tolerant behavior. (Mobile Agent Systems) Employing mobile agents does have advantages over agents. This does not suggest that other technologies including remote objects cannot be used. This is because anything a mobile agent can do, so too will a stationary object. Yet the stationery object may be more difficult to deploy, less efficient or even awkward. (Mobile Agents for Network Management)
However, the biggest constraint to the larger use of mobile agents is the real security concerns of all concerned, ranging from systems developers and network managers to information officers. Moreover, one of the main obstacles to the widespread adoption of mobile agents is the legitimate security concerns of system developers, network administrators, and information officers. There have been many security mechanisms suggested to lessen the impact of malicious code on agent-to-agent, agent-to-platform, and platform-to-agent security risks. These security mechanisms by themselves do put constraints on the performance, which could have an impact on design decisions or simply cancel out the advantages of using mobile code in some applications. (Intrusion Detection)
Corrupt elements lie in waiting to take advantage of the security holes in any software irrespective it is new or old, in case the developer of the code is not prepared with any answer against the danger. The anticipation by the specialist in this realm is that a lot of worms and other malicious activities will be rife that are unleashed for attacking the computer systems of big businesses from 2002. The latest spheres of broadband, wireless and instant messaging will also be put to danger. (Mobile code applications are the latest online-security threat)
Conclusion:
Current trends lead one to the conclusion that mobile code mobile agents will be an important part of the Internet. This is not because new applications will be made possible with mobile codes or because mobile enhance performance over traditional techniques. It would be because mobile agents provide a single and general framework for the easy implementation of distributed and information-oriented applications. It will also evenly spread the programming burden between the information, middleware and client providers. In short providers will find that mobile code enables them to their users with more useful applications having more useful features. (Mobile Agents and the Future of the Internet) No doubt that security will be a topic of severe debate, yet it will gradually go away as mobile code technologies advance and make the users more comfortable with it. Mobile agents will still be extremely useful in the…
