Post on 31-Mar-2015
transcript
Anand Tripathi, University of Minnesota 1
Mobile Agent Programming in AjantaMobile Agent Programming in Ajanta
Anand Tripathi
Department of Computer Science
University of Minnesota
Minneapolis MN 55455
http://www.cs.umn.edu/Ajanta/
This work was supported by NSF grants ANIR 9813703 and EIA 9818338
Anand Tripathi, University of Minnesota 2
Outline
• Mobile Agent Paradigm
• Benefits, Obstacles, and Potential Applications
• Evolution of the Mobile Agent Paradeigm
• Ajanta Mobile Agent Programming System
• Conclusions and Future Directions
Anand Tripathi, University of Minnesota 3
Contributors to Ajanta ProjectContributors to Ajanta Project
Neeran Karnik (currently with IBM New Delhi)
Manish Vora (currently with Fore Systems)
Tanvir Ahmed
Ram Singh (currently with Cisco)
Arvind Prakash (currently with Microsoft)
Shremattie Jaman
Anand Tripathi, University of Minnesota 4
Aspects of Mobile Agent Research
• Distributed System Research– Focus on system architectures and protocols for
managing executions of mobile agent objects.
– Security, fault tolerance, naming, yellow pages
• Programming Languages Research– Code mobility, safety, programming constructs
– Agent communication languages
• Artificial Intelligence Research– Focus on intelligence, learning, and cooperation
Anand Tripathi, University of Minnesota 5
What is an agent?
• An agent is a software component (object) which can perform one or more tasks in some predefined manner.
• Properties of an agent:
– Mobility
– Autonomy
– Deliberative vs. Reactive
– Learning
– Cooperation
See: IEEE Spectrum April 1998 paper by Morreale
Anand Tripathi, University of Minnesota 6
Evolution
parameters(data)Client Server
results (data)
Remote Procedure Call:
Code resides atthe server
• Courier at Xerox PARC in 1980• Sun RPC 1984• DCE, CORBA late 1980’s
Anand Tripathi, University of Minnesota 7
Evolution … Process Migration
• Process migration allows a partially executed process to be relocated to another node.– Execution state of the process is migrated.
• Stack, memory, program counter, state of open files.
• Mainly used for load balancing.• In the mid 1980s several mechanisms were
investigated and supported in a local area network environments.– Locus (UCLA), Sprite (UC Berkeley), Condor (Wisconsin)
Anand Tripathi, University of Minnesota 8
Evolution … Object Migration
• Object migration allows objects to be moved across address spaces at different nodes.– Requires mobility of object’s code and data.
• Emerald supported object mobility under program control. (Univ. of Washington) (1986)
• Chorus distributed system (1988) supported object mobility with autonomous control by the object.
• Most of these system supported migration in a homogeneous system.
Anand Tripathi, University of Minnesota 9
Evolution ...
Remote Programming and Code Mobility:
procedure code + data ServerClient
results (data)
Code transportedto the server
• Remote Evaluation model by Stamos and Gifford (MIT) (1990).• Java Sun Microsystems (1995) allows code migration across heterogeneous platforms.
Anand Tripathi, University of Minnesota 10
Mobile Agents
A mobile agent is an object capable of autonomously migrating from one host to another in a distributed system to perform actions on behalf of its creator.
Clientagent
(code+data)Mobile Agent
Server 1
Server 3 Server 2
Anand Tripathi, University of Minnesota 11
Mobile Agents
A mobile agent is an object capable of autonomously migrating from one host to another in a distributed system to perform actions on behalf of its creator.
Clientagent
(code+data)Mobile Agent
Server 1
Server 3 Server 2
Anand Tripathi, University of Minnesota 12
Potential Benefits and Capabilities
• Concurrency• Reduced network usage (bandwidth + frequency)
– No need to maintain client-server connection
– Move processing closer to where needed
• Client-server asynchrony– Disconnected operations
• Installation of client-specific interfaces• Dynamic interface upgrades
Anand Tripathi, University of Minnesota 13
Examples of Potential Applications• User-level applications
– Search and information filtering agents
– Personal assistants
• Middleware systems– Global file systems
– Distributed collaboration and workflow systems
• System level tasks– Network status monitoring and control
– Intrusion detection
– Software distribution, installation, upgrades
Anand Tripathi, University of Minnesota 14
Basic Requirements• A mobile agent system needs to support migration
of a partially executed agent object from one node to another.– Code migration to the destination node
– Agent state migration– There are two approaches to state migration
– Strong mobility refers to transfer of system level execution state, such as execution stack, program counter, memory
– Weak mobility refers to application level state transfer
• IEEE TSE May’98 paper by Fugetta, Picco, Vigna
Anand Tripathi, University of Minnesota 15
Obstacles -- Security Issues
• Protection of host resources– Unauthorized access to host resources
• files, processes, system programs
– privacy concerns
– Damage to resources
– Denial of service attack
– ‘annoyance’ attacks
• Privacy & integrity of agent data– Passive & active attacks
• Beyond applet security model
Anand Tripathi, University of Minnesota 16
Obstacles -- Robustness Issues
• Fault Tolerance Issues– Exceptions during agent’s remote execution
– Unavailability of server
– Loss of an agent during migration
• Status Monitoring and Control– Support to monitor an agent’s status
– Support to recall or terminate an agent
Anand Tripathi, University of Minnesota 17
Obstacles - Programming Support
• Programming model and APIs • Programming infrastructure and services• Naming scheme for servers, agents, resources• Agent transfer protocol• Inter-agent communication protocol• Debugging facilities
Anand Tripathi, University of Minnesota 18
Mobile Agent Systems - Approaches
Mobile Agent Systems
Languages Middleware Systems
OO Language Based Script Language Based
TelescriptOblique
Java based Tcl, Python, Perl
Anand Tripathi, University of Minnesota 19
Agent Programming Systems• Telescript - A language developed by
General Magic in the early 1990s. • OO language for programming mobile agents.• Designed with security requirements.• It was used for email• It was used in Sony’s Magic Link personal
digital assistant linking to messaging and email services of AT&T and AOL
• Now discontinued in favor of Odyssey.
Anand Tripathi, University of Minnesota 20
Agent Programming Systems• Tacoma - Tcl based system developed at Cornell and
Tromso University (1994-95)
• Agent Tcl - Tcl based system developed at Dartmouth College. (1994-95) D’Agents
• Aglets - Java based system from IBM. (1996)
• Concordia - Java based system from Mitsubishi Research. (1997)
• Voyager - Java based system from ObjectSpace
• Odyssey - Java based system from General MagicSee http://www.informatik.uni-stutgart.de/pvr/projekte/mole/mal/mal.html
Anand Tripathi, University of Minnesota 21
Ajanta Mobile Agent System
• Ajanta System Architecture
• Agent Programming Primitives
• Agent Server Architecture and Security
• Agent Protection
• Patterns for Agent Migration
• Agent-Based Applications
• Conclusions and Future Directions
Anand Tripathi, University of Minnesota 22
Ajanta System ArchitectureA mobile agent in Ajanta is a Java object• Infrastructure for agent-based applications
– The base Agent and AgentServer classes
• Infrastructure for hosting agents– Applications extend the generic agent server to define
• Name service – Location information and public-key distribution
– Based on Uniform Resource Naming (URN) framework
Anand Tripathi, University of Minnesota 23
Mobile Agents in Ajanta
Host-A Host-B
Object Objectbyte array
serialize deserialize
n e t w o r k
state mobility using Java object serialization
code mobility based on “on-demand” class loading
Agent transfer is lightweight (no code or thread state transfer) weak mobility
execution context - control flow by method chaining
Anand Tripathi, University of Minnesota 24
Agent Programming Support
• Base Agent class defines basic functionality for creating and launching an agent.
• Agent execution model– arrive and depart methods define entry and exit
protocols at a host.
• ItinAgent class defines itinerary based agents• Migration patterns for itinerary composition• Exception handling by guardians.
Anand Tripathi, University of Minnesota 25
Defining an Application Agent
• An application specific agent is defined by inheriting from Ajanta’s base Agent class.
• The base Agent class has empty definitions for run, arrive, and depart methods.
• Application specific agent class must suitably redefine these methods.
Anand Tripathi, University of Minnesota 26
Agent Credentials
• Credentials object includes:– agent name (its own identity, in URN format)
– owner (URN of the human user it represents)
– creator (program/application that created it)
– guardian (its “home site”/exception handler)
– code base (class bytecode server)
– owner’s signature on the above
Anand Tripathi, University of Minnesota 27
Agent Migration Request
go(destination,methodName, parameter description)
• If no method is specified, by default run method is executed at the destination server.
• Absolute vs Relative migration (co-location with other agents/resources)
Anand Tripathi, University of Minnesota 28
Agent Execution at a Server
When an agent arrives at a server:• Its credentials are verified.• A thread is created for its execution.• This thread first executes the arrive method of
the agent.• It then executes the requested method.• Finally it executes the depart method.
Anand Tripathi, University of Minnesota 29
Exception Handling -- Guardian
Agent CreatorAgent Server
Guardian
Agent transfer on exception
Agent
Agent
Exception
Agent colocates with theGuardian’s and callsits Report method
Agent launch
Code Base Server
Anand Tripathi, University of Minnesota 30
Protection of Server Resources
• Agents should be granted controlled access to host resources based on their credentials.– Access to files, network, application resources
• Agents should be prevented from bringing impostor code for security sensitive classes.
• Agents should be prevented from transferring a resource to a remote site.
Anand Tripathi, University of Minnesota 31
Protection of Server Resources• Based on JDK 1.1 security model• Protection domains for agents
– Thread groups in Java
– Using the thread-group ID to identify the agent
– The Domain Registry
– Class loading in Java [Lindholm & Yellin 1996]
– Class loader-based namespace isolation
– One class loader per agent (domain)
• On-demand, secure code transfer
Anand Tripathi, University of Minnesota 32
Agent and Server - Interactions
Agent Environment
ResourceRegistry
AgentTransfer
DomainRegistry
host
StateCode
M1 M2 M3
currentItinerary
AGENT
AGENT SERVER
ServerInterface
ATP
Resource
AccessProtocol
Proxy1
Proxy2
Unprotected DataAppendOnly Data
Targeted DataReadOnly Data
Credentials
RMI
Anand Tripathi, University of Minnesota 33
Proxy Based Resource Access
• Agents aren’t given references to resource objects
• Proxy interposition [Shapiro 1986]
• Proxy as identity-based capability [Gong 1989]– access control
– dynamic revocation
– usage metering
• Assumption: agent server is not malicious
Agent2
Resource
Proxy2
Agent1Proxy1
Anand Tripathi, University of Minnesota 34
AccessProtocol
Proxy2Proxy1
Resource binding protocol
Agent
Resource
Agent Environment
ResourceRegistry
DomainRegistry
1
ServerInterface
AgentTransfer
6
2
3
4 5
1. Resource registers its URN2. Agent requests a resource3. Server locates resource in registry
4. getProxy method is invoked5. New proxy object is returned to agent6. Agent accesses resource via proxy
Anand Tripathi, University of Minnesota 35
Security against potential attacks
• Indirect access to the embedded resource: prevented using Java encapsulation (private).
• Copying of embedded resource via serialization: prevented using Java’s transient keyword.
• Use of proxy class that compromises embedded resource: Ajanta class loader only loads trusted proxy classes.
• Typecasting of proxy: not possible, since proxy class has no ancestors (other than the base Java class Object).
• Cloning of proxy: not allowed, since proxy class does not implement Cloneable interface.
Anand Tripathi, University of Minnesota 36
Inter-agent Communication
• Inter-agent communication for co-located agents: using proxy-based binding
• Remote communication with agent using RMI:– leakage of sensitive data via remote invocation
– proxy interposition between remote caller and agent
– the createRMIProxy primitive
– proxy screens (authenticates) incoming RMI calls
– security manager screens outgoing connections
Anand Tripathi, University of Minnesota 37
Protection of Agent State
• On the network: ATP uses encryption• Types of objects contained in an agent
– read-only (constants)
– append-only (logs, write-once data)
– targeted (private, for specific servers)
Anand Tripathi, University of Minnesota 38
Agent Control Primitives
• Remote agents can be terminated or recalled home:
– public void terminate (URN agent,...);– public void recall (URN agent,...);– public void retract (URN agent,...);
• Authentication necessary for these primitives
– public Ticket authenticate (URN caller, int nonce);
Anand Tripathi, University of Minnesota 39
Agents and Itineraries
Host A, action M
Host B, action M
Host C, action M
Host D, action M
Host E, action M
Host F, action M
Current
next
An example of a simple itinerary
Anand Tripathi, University of Minnesota 40
Migrations PatternsAn itinerary is a sequence of patterns.
A pattern is a collection of patterns. (Recursive)
ItinEntry - primitive pattern host, action
Sequence of patterns: execute the patterns in a sequential order.
1 2 3 4
Set of patterns: execute in anyarbitrary order
3 1 4 3
Selection of one patternamong a set of patterns
1
Anand Tripathi, University of Minnesota 41
Applications of mobile agents• A Calendar Management System
– a ‘calendar server’ maintaining users’ calendars
– agents for scheduling meetings using patterns:
• Global File Access System– agent-based remote file access system
• Web Index Search Service – built above the file access system. Agents are used
for searching a user’s web-page directory.
• Distributed Collaboration
Anand Tripathi, University of Minnesota 42
Distributed Calendar System
• Each person in a group maintains a calendar and runs a calendar server.
• Calendar is a collection of events, organized by days.
• An event has: start time, duration, description
• To schedule a meeting of a set of people, an agent is sent to check each participant’s calendar server with proposed meeting times.
Anand Tripathi, University of Minnesota 43
Calendar Agent and ServersCal Server of User A
Calendar
Calendar
Calendar
Calendar
Cal Server of User C Cal Server of User D
Cal Server of User B
Agent
Agent Agent
Agent
Anand Tripathi, University of Minnesota 44
Files withACL
Global File Access System
User A’s File Access Server
User A’s File Access Server
Files withACL
User A’s File Access Server
Files with ACL
Client
Agent Migration
Agent to fetch/deposit files
Anand Tripathi, University of Minnesota 45
Global File Access System
• File load, store, transfer, ‘stat’, keyword search• Interface primitives:
– fetchFile (URN fileName);– transferFile (URN fileName, URL dest);– depositFile (byte[] data, URN fileName);– getFileStat (URN fileName);– search (String keywords);
• ‘root’ directory, and access control list
Anand Tripathi, University of Minnesota 46
Web Index Search Service
• A user can run a Web-Index Server for his/her web directory.
• This server stores an index for the user’s web directory.
• This index is prepared using Glimpse, an indexing and search tool from the University of Arizona.
• A client can send an agent to one or more web-index servers to search for files containing some given set of words.
Anand Tripathi, University of Minnesota 47
Agent Based Web Search
Server Client
Launch Agent
Search/Filter
Glimpse index of the .www
File Server Thread
ResultsView
Processing Browser
Anand Tripathi, University of Minnesota 48
Global File System
• Requirements
- open, read and write a remote file - support for different consistency model (AFS, Sprite, NFS etc)
- dynamically configurable cache module (block size, cache size etc)
- centralized as well as distributed caching policy
Anand Tripathi, University of Minnesota 49
File System Initialization and Open Command
Agent
AjfsFile
open
File ServerAgent
File Client Agent
File Client Agent
12
3
Client Agent Environment File Server
4
Agent Transfer
5 getProxy
6
Data and Control channel
Anand Tripathi, University of Minnesota 50
Agent-based Distributed Collaboration
• Agent can be used as workflow objects.
• Agents can be installed or transported to different user’s nodes for executing coordination protocols.
• Specify workflow constraints for a dynamic collaboration
• Role based access-control
Anand Tripathi, University of Minnesota 51
Approach
• Define a collaboration environment• in terms of user roles, shared objects, security and
coordination requirements using XML DTD
• A written contract between Ajanta Collaborative System and a convener.
• Specify a collaboration plan in XML• This plan conforms to the DTD and shared
• Role are assigned to people
• Execute the Ajanta Collaborative System
Anand Tripathi, University of Minnesota 52
Steps in Building a Collaboration
CollaborativeEnvironmentin XML DTD
XML Specification of a
CollaborativePlan
Agent based Distributed
Collaborative System
using Ajanta
Anand Tripathi, University of Minnesota 53
Agent-based Collaborative System
a b dc
User Interface
Shared Replicated Objects (Object Space)
Agent-based Coordination Facility
User A
a b dc
User Interface
Shared Replicated Objects(Object Space)
Agent-based Coordination Facility
User B
CommunicationNetwork
Dispatching of a Coordination Agent
Anand Tripathi, University of Minnesota 54
Agent Environment
Collaborative Authoring System
AccessProtocol
AGENT from a remote
user’s UCI
User Interface
Document Manager
Proxy
Objects created from XML plan
Anand Tripathi, University of Minnesota 55
Future Directions
• Further investigations into agent security issues, and analysis of integrity and security of the Ajanta mechanisms
• Scale of operations with a number of different kinds of applications involving a significant number of agents.– Robustness and fault-tolerance
• Agent group coordination and management
• Support for debugging agent applications
• High level language for agent programming
Anand Tripathi, University of Minnesota 56
Resource ImplementationResource
ResourceImpl
CalendarImpl CalendarProxy
Calendar AccessProtocol
= provided by Ajanta
= written by resource provider
= implementation inheritance
= interface inheritance
Anand Tripathi, University of Minnesota 57
Access control in the proxyThe Calendar proxy:
private transient Calendar ref; // the hidden resourceprivate Method[] enabledMethods;
boolean isFree (TimeRange t){ // Use Java reflection to find the isFree Method object thisMethod = myClass.getMethod (“isFree”,……);
if (isEnabled(thisMethod)) return ref.isFree(t); // pass it through to ref else // throw security violation exception}
Anand Tripathi, University of Minnesota 58
Server and Agent: Interactions
OS File System
Access Control List
Agent
File Server
Agent Thread
File SystemThread
File System Resource
Job bufferFile System
Proxy
Anand Tripathi, University of Minnesota 59
Team Members• Anand Tripathi
– Associate Professor, Computer Science– B.Tech (Elect. Eng.), 1972, IIT Bombay– Ph.D. 1980, University of Texas at Austin– 1981-84, Senior Principal Research Scientist,
Honeywell Inc. Minneapolis– 1995-97 Program Director for Operating
Systems and Systems Software program at the National Science Foundation.
Anand Tripathi, University of Minnesota 60
Team Members
Anand Tripathi ( Principal Investigator)
Current Team Members
• Tanvir Ahmed (M.S. student)
• Ram Singh (M.S. student)
• Arvind Prakash (M.S. student)
Graduated Team Members :
• Neeran Karnik (Ph.D.)
• Manish Vora (M.S.)
Anand Tripathi, University of Minnesota 61
RESEARCH GOALS
The primary goal of the Ajanta project is to investigate and build an agent programming infrastructure for programming secure, high-confidence agent-based applications.
Anand Tripathi, University of Minnesota 62
Current Research Activities
1 The Ajanta infrastructure– agent execution, migration & binding
– agent programming primitives
– secure, remote control of agents
– Location-independent naming based on the URN framework
2 Secure Agent Transfer3 Mechanisms for server resource protection
Anand Tripathi, University of Minnesota 63
Current Research Activities
4 Secure inter-agent communication using RMI5 Authentication protocol for client-server
interactions6 Mechanisms to protect agent state
– Read-only state, Append-only state, Targeted state
– the ElGamal cryptosystem in Java
Anand Tripathi, University of Minnesota 64
Evolution
Client Server
ServerClient
parameters(data)
results (data)
procedure (code)
results (data)
RPC
REV
Anand Tripathi, University of Minnesota 65
Applications of mobile agents
• A Global File System– Agents to act as client-side protocol managers with
dynamic policies for caching and synchronization.
– Agents as mobile shared objects
– Server should be able to control the client-side protocol manager’s behavior dynamically
• Active Mail System– Agents as multimedia mail carriers
– On-demand retrieval of multimedia
Anand Tripathi, University of Minnesota 66
Patterns for Itinerary Composition• Itinerary = sequence of ‘patterns’
• A pattern is a collection of patterns. (Recursive)
• Pattern types:– ItinEntry (server + method specification)– Sequence (ordered list of patterns)– Set (unordered list of patterns)– Selection (any one from a list of patterns)– Loop (iterate over a sequence of patterns)– Split (create one child agent per pattern in list)– SplitJoin (wait for child agents to return)
Anand Tripathi, University of Minnesota 67
Secure Agent Transfer
• Requirements:– Code and state transfer
– Security requirements (secrecy, integrity, authentication)
– Failure/exception handling
– Name service updates
– Audit trails
– Garbage collection
– Thread allocation
• Absolute vs Relative migration (co-location with other agents/resources)
Anand Tripathi, University of Minnesota 68
Applications of mobile agents• Global File Access System
– Currently we have a simple agent-based remote file access system
– An agent can be used to fetch/deposit files at remote user’s node.
• Web Index Search Service– This is built on the file access system. Agents are
used for searching a user’s web-page directory.
– User runs a web-index server
Anand Tripathi, University of Minnesota 69
Web Index Sever and Agent• The server uses Glimpse to search the index and
get the list of files satisfying the given search query. The agent is given the URLs of these files.
• Agent can bring back some initial parts of files.• The agent returns home and creates an HTML
document with these URLs as hypertext links.• The result document also shows the frequency of
occurrence of the search string in each document.