An Agent-based Architecture for Supporting Application Aware Security

1. Introduction

Conventional networking technology and the Internet make information access and wide-area communication much easier than ever before. Emerging software-intensive network architectures such as active networking use processor power to implement flexibility and extensibility. Traditional security systems lack dynamic security policies and enforcement mechanisms that could make them more flexible and appealing to users. Further, the lack of a flexible and customizable network security architecture inhibits the growth of many new applications such as mobile computing and wide-area collaboration. Dynamic security architectures are required for mobile computing, to allow the frequent migration of computers in and out of security enclaves, and for wide-area collaboration, to create dynamic sessions that stretch across organizational boundaries. Existing security systems, such as firewall-based ones, cannot provide a satisfactory solution to the dynamic adaptation required by these new Internet applications. Our approach employs a secure node architecture built within an active network using mobile agents, active capabilities, and configurable auditing and security policies. The agent-based security architecture enables both static and run-time application-aware reconfiguration. Adaptation allows the security provisions of the network to meet specific individual security requirements within different application scenarios. It also permits run-time adaptation in the face of unexpected security attacks, a property vital to mission-critical environments such as military systems.

2. Agent-based Architecture

Our mobile agent security research includes agent schemes to solve node-related security problems and mechanisms for the secure transfer of agents between nodes.
It exploits the unique flexibility and expressiveness of the agent-based paradigm to provide security solutions for wide-area dynamic distributed applications. In essence, we embed security functions in "smart security packets" in active networks. These smart packets implement user-level policy or capabilities as scripts, using inherited or parameterized polymorphic security behaviors made safe through typing. Static security behaviors bound to reference monitors are inherited, or passed as arguments to mobile security agents, to bootstrap basic auditing provisions or to enforce mandatory security provisions. The centerpieces of our architecture are meta-level components that define the process of verifying the authority and validity of new security services and policies, and that enforce the restriction of system resource access by these services and policies. These components provide an orderly yet flexible way of injecting new security services and policies into the base system. We assume that the architecture has a preconfigured core security service. It provides basic public-key encryption, authentication, and basic auditing facilities upon which the meta-level structure is built. This core security service, along with a set of default meta-level components, forms a security manager with basic facilities supporting dynamic security agents. Hence our architecture supports reflection and permits run-time modification of policy, access, and auditing mechanisms. Such modification is the basis for adaptive security schemes that react to security attacks. To ensure the integrity of reconfigured systems and their conformity to high-level security policies and system designs, we advocate auditing and analysis using a recently developed technology called architecture-aware instrumentation and visualization.
This technology allows developers to guide and monitor the process of system modification and reconfiguration by comparing the running system against desired or previously observed behaviors.

3. Dynamic Security Services and Policies

The frameworks for dynamic security services and policies provide building blocks for active-capability-based authorization, active-auditing-based detection and response, and active policies. Together they provide a descriptive and flexible means of supporting fine-grained dynamic access control and active auditing. The function of an active capability is to determine whether a subject has the right to invoke an operation. The active capability authorization framework supports a spectrum of authorization protocols, from centralized access control lists to decentralized capabilities. It also facilitates user-oriented revocation schemes such as validation time, used-once semantics, and negative access control lists. Our auditing framework is integrated with an architecture-aware visualization system in the manner of our prior work on architecture-aware instrumentation. This provides a novel baseline for monitoring internal system structures and their run-time behaviors. In our architecture, active policies are specified as a framework of classes that represent security policy statements as data structures. The data structures are sets and mappings at the low level; access control lists, labels, and rules at a higher level; and, at the highest level, classes representing a variety of complete policy forms, including (but not limited to) types of discretionary and non-discretionary access control.

4. Reflective Security Structures

The meta-level structure of the architecture permits reflection; that is, it permits the semantics of the operations of the security model to be changed dynamically.
Thus, the architecture allows system security personnel to easily change the default behaviors of security agents using a well-defined meta-level protocol. Applications of reflection in a security architecture include improved control of the system; countering security attacks by increasing surveillance, auditing, and security measures; isolating, monitoring, and spoofing compromised remote nodes; providing fault tolerance by reconfiguring a security system as nodes fail; and replacing compromised encryption or security algorithms. To achieve these goals, we extend the IDL language to support hidden security features, build customizable binding mechanisms for method dispatching and interface-class mapping, and use architecture-aware visualization for monitoring and refinement.

5. Analysis and Performance

Although building a reflective security architecture is attractive from an object-oriented programming perspective, it also raises practical analysis and performance concerns. We are seeking to utilize Java's inheritance/subclassing mechanisms to ensure the safety of dynamic security policies by applying the results of various type theories. Well-founded type theories offer a wealth of machinery for reasoning about the operation of security agents; in particular, type theories offer the prospect of proving certain properties about the security model. On the other hand, since our approach makes heavy use of Java to perform security authentication and access control, we are investigating whether it is possible to identify certain libraries of code that can be optimized so that security tasks are performed very efficiently. Moreover, compiler-based techniques can be used to optimize this security-related code and make the verification of security agents more efficient.
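As an added illustration (not the paper's own code, and written in Python rather than the Java implementation the paper describes), the following models the active-capability check of section 3 with its three revocation schemes (validation time, used-once semantics, negative ACL), records an audit trail, and exposes the decision procedure as a run-time-replaceable hook in the spirit of the meta-level protocol of section 4. All class, function, and field names are assumptions chosen for this example.

```python
import time
from dataclasses import dataclass
from typing import Callable, List, Optional, Set, Tuple

# Constructed illustration: names below are assumptions, not the paper's API.

@dataclass
class ActiveCapability:
    """A capability granting `subject` the right to invoke `operation`."""
    subject: str
    operation: str
    valid_until: Optional[float] = None  # validation-time revocation
    use_once: bool = False               # used-once semantics
    consumed: bool = False

Decision = Tuple[bool, str]
Policy = Callable[["ReferenceMonitor", ActiveCapability, str, str, float], Decision]

def default_policy(mon, cap, subject, operation, now) -> Decision:
    """Baseline check: capability match, negative ACL, expiry, used-once."""
    if (cap.subject, cap.operation) != (subject, operation):
        return False, "capability does not cover this request"
    if (subject, operation) in mon.negative_acl:
        return False, "revoked by negative ACL"
    if cap.valid_until is not None and now > cap.valid_until:
        return False, "capability expired"
    if cap.use_once:
        if cap.consumed:
            return False, "capability already consumed"
        cap.consumed = True  # consume on first successful use
    return True, "granted"

class ReferenceMonitor:
    """Decides requests, keeps an audit log, and allows policy replacement."""
    def __init__(self, policy: Policy = default_policy):
        self.negative_acl: Set[Tuple[str, str]] = set()
        self.audit: List[Tuple[float, str, str, str]] = []
        self.policy = policy  # meta-level hook: swappable at run time

    def revoke(self, subject: str, operation: str) -> None:
        self.negative_acl.add((subject, operation))

    def set_policy(self, policy: Policy) -> None:
        # e.g. install a stricter policy when auditing detects an attack
        self.policy = policy

    def authorize(self, cap, subject, operation, now=None) -> Decision:
        now = time.time() if now is None else now
        ok, reason = self.policy(self, cap, subject, operation, now)
        self.audit.append((now, subject, operation, reason))  # active auditing
        return ok, reason
```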