Transcript Mobile Agents - AJANTA - University of Minnesota
Mobile Agent Programming in Ajanta
Anand Tripathi Department of Computer Science University of Minnesota Minneapolis MN 55455 http://www.cs.umn.edu/Ajanta/ This work was supported by NSF grants ANIR 9813703 and EIA 9818338
Anand Tripathi, University of Minnesota 2
Outline
• • • • •
Mobile Agent Paradigm Benefits, Obstacles, and Potential Applications Evolution of the Mobile Agent Paradeigm Ajanta Mobile Agent Programming System Conclusions and Future Directions
Anand Tripathi, University of Minnesota 3
Contributors to Ajanta Project
Neeran Karnik (currently with IBM New Delhi) Manish Vora (currently with Fore Systems) Tanvir Ahmed Ram Singh (currently with Cisco) Arvind Prakash (currently with Microsoft) Shremattie Jaman
Anand Tripathi, University of Minnesota 4
Aspects of Mobile Agent Research
•
Distributed System Research
–
Focus on system architectures and protocols for managing executions of mobile agent objects.
–
Security, fault tolerance, naming, yellow pages
•
Programming Languages Research
–
Code mobility, safety, programming constructs
–
Agent communication languages
•
Artificial Intelligence Research
–
Focus on intelligence, learning, and cooperation
Anand Tripathi, University of Minnesota 5
What is an agent?
• •
An agent is a software component (object) which can perform one or more tasks in some predefined manner.
Properties of an agent:
–
Mobility
– –
Autonomy Deliberative vs. Reactive
– –
Learning Cooperation See: IEEE Spectrum April 1998 paper by Morreale
Anand Tripathi, University of Minnesota 6
Evolution
Remote Procedure Call:
parameters(data) Client Server results (data)
Code resides at the server
• • •
Courier at Xerox PARC in 1980 Sun RPC 1984 DCE, CORBA late 1980’s
Anand Tripathi, University of Minnesota 7
Evolution …
Process Migration
• • •
Process migration allows a partially executed process to be relocated to another node.
–
Execution state of the process is migrated.
•
Stack, memory, program counter, state of open files.
Mainly used for load balancing.
In the mid 1980s several mechanisms were investigated and supported in a local area network environments.
–
Locus (UCLA), Sprite (UC Berkeley), Condor (Wisconsin)
Anand Tripathi, University of Minnesota 8
Evolution …
Object Migration
• Object migration allows objects to be moved across address spaces at different nodes.
– Requires mobility of object’s code and data.
• Emerald supported object mobility under program control. (Univ. of Washington) (1986) • Chorus distributed system (1988) supported object mobility with autonomous control by the object.
• Most of these system supported migration in a homogeneous system.
Anand Tripathi, University of Minnesota 9
Evolution ...
Remote Programming and Code Mobility:
Client procedure code + data Server results (data )
Code transported to the server
• •
Remote Evaluation model by Stamos and Gifford (MIT) (1990).
Java Sun Microsystems (1995) allows code migration across heterogeneous platforms.
Anand Tripathi, University of Minnesota 10
Mobile Agents
A mobile agent is an object capable of autonomously migrating from one host to another in a distributed system to perform actions on behalf of its creator.
Client Server 1
agent (code+data) Mobile Agent
Server 3 Server 2 Anand Tripathi, University of Minnesota 11
Mobile Agents
A mobile agent is an object capable of autonomously migrating from one host to another in a distributed system to perform actions on behalf of its creator.
Client Server 1
agent (code+data) Mobile Agent
Server 3 Server 2 Anand Tripathi, University of Minnesota 12
Potential Benefits and Capabilities
• • • • •
Concurrency Reduced network usage (bandwidth + frequency)
– –
No need to maintain client-server connection Move processing closer to where needed Client-server asynchrony
–
Disconnected operations Installation of client-specific interfaces Dynamic interface upgrades
Anand Tripathi, University of Minnesota 13
Examples of Potential Applications
• • •
User-level applications
– –
Search and information filtering agents Personal assistants Middleware systems
–
Global file systems
–
Distributed collaboration and workflow systems System level tasks
– – –
Network status monitoring and control Intrusion detection Software distribution, installation, upgrades
Anand Tripathi, University of Minnesota 14
Basic Requirements
• •
A mobile agent system needs to support migration of a partially executed agent object from one node to another.
–
Code migration to the destination node
– – –
Agent state migration There are two approaches to state migration Strong mobility refers to transfer of system level execution state, such as execution stack, program counter, memory
–
Weak mobility refers to application level state transfer IEEE TSE May’98 paper by Fugetta, Picco, Vigna
Anand Tripathi, University of Minnesota 15
Obstacles --
Security Issues
• • •
Protection of host resources
–
Unauthorized access to host resources
•
files, processes, system programs
– – – –
privacy concerns Damage to resources Denial of service attack ‘annoyance’ attacks Privacy & integrity of agent data
–
Passive & active attacks Beyond applet security model
Anand Tripathi, University of Minnesota 16
Obstacles --
Robustness Issues
• •
Fault Tolerance Issues
– – –
Exceptions during agent’s remote execution Unavailability of server Loss of an agent during migration Status Monitoring and Control
– –
Support to monitor an agent’s status Support to recall or terminate an agent
Anand Tripathi, University of Minnesota 17
Obstacles -
Programming Support
• • • • • •
Programming model and APIs Programming infrastructure and services Naming scheme for servers, agents, resources Agent transfer protocol Inter-agent communication protocol Debugging facilities
Anand Tripathi, University of Minnesota 18
Mobile Agent Systems -
Approaches
Mobile Agent Systems Languages Telescript Oblique Middleware Systems OO Language Based Java based Script Language Based Tcl, Python, Perl
Anand Tripathi, University of Minnesota 19
Agent Programming Systems
• • • • • •
Telescript - A language developed by General Magic in the early 1990s. OO language for programming mobile agents.
Designed with security requirements.
It was used for email It was used in Sony’s Magic Link personal digital assistant linking to messaging and email services of AT&T and AOL Now discontinued in favor of Odyssey .
Anand Tripathi, University of Minnesota 20
Agent Programming Systems
•
Tacoma - Tcl based system developed at Cornell and Tromso University (1994-95)
•
Agent Tcl - Tcl based system developed at Dartmouth College. (1994-95) D’Agents
• •
Aglets - Java based system from IBM. (1996) Concordia - Java based system from Mitsubishi Research. (1997)
• •
Voyager - Java based system from ObjectSpace Odyssey - Java based system from General Magic See http://www.informatik.uni-stutgart.de/pvr/projekte/mole/mal/mal.html
Anand Tripathi, University of Minnesota 21
Ajanta Mobile Agent System
• • • • • • •
Ajanta System Architecture Agent Programming Primitives Agent Server Architecture and Security Agent Protection Patterns for Agent Migration Agent-Based Applications Conclusions and Future Directions
Anand Tripathi, University of Minnesota 22
Ajanta System Architecture
• • •
A mobile agent in Ajanta is a Java object Infrastructure for agent-based applications
–
The base
Agent
and
AgentServer
classes Infrastructure for hosting agents
–
Applications extend the generic agent server to define Name service
– –
Location information and public-key distribution Based on Uniform Resource Naming ( URN ) framework
Anand Tripathi, University of Minnesota 23
Mobile Agents in Ajanta
Object
serialize byte array deserialize
Object Host-A n e t w o r k Host-B
state mobility using Java object serialization
code mobility based on “on-demand” class loading
Agent transfer is lightweight (no code or thread state transfer) weak mobility
execution context - control flow by method chaining
Anand Tripathi, University of Minnesota 24
Agent Programming Support
• • • • •
Base Agent class defines basic functionality for creating and launching an agent.
Agent execution model
–
arrive and depart methods define entry and exit protocols at a host.
ItinAgent class defines itinerary based agents Migration patterns for itinerary composition Exception handling by guardians.
Anand Tripathi, University of Minnesota 25
Defining an Application Agent
• • •
An application specific agent is defined by inheriting from Ajanta’s base Agent class.
The base Agent class has empty definitions for run, arrive , and depart methods.
Application specific agent class must suitably redefine these methods.
Anand Tripathi, University of Minnesota 26
Agent Credentials
•
Credentials
– – – – – –
object includes: agent name (its own identity, in URN format) owner (URN of the human user it represents) creator (program/application that created it) guardian (its “home site”/exception handler) code base (class bytecode server) owner’s signature on the above
Anand Tripathi, University of Minnesota 27
Agent Migration Request
go(destination,methodName, parameter description) • •
If no method is specified, by default run method is executed at the destination server .
Absolute vs Relative migration (co-location with other agents/resources)
Anand Tripathi, University of Minnesota 28
Agent Execution at a Server
• • • • •
When an agent arrives at a server: Its credentials are verified.
A thread is created for its execution.
This thread first executes the the agent.
arrive method of It then executes the requested method .
Finally it executes the depart method.
Anand Tripathi, University of Minnesota 29
Exception Handling -- Guardian
Agent Creator Code Base Server Agent Server Agent launch Agent Exception Agent transfer on exception Agent Guardian Agent colocates with the Guardian’s and calls its Report method
Anand Tripathi, University of Minnesota 30
Protection of Server Resources
• Agents should be granted controlled access to host resources based on their credentials.
– Access to files, network, application resources • Agents should be prevented from bringing impostor code for security sensitive classes.
• Agents should be prevented from transferring a resource to a remote site. Anand Tripathi, University of Minnesota 31
Protection of Server Resources
• • •
Based on JDK 1.1 security model Protection domains for agents
– – – – – –
Thread groups in Java Using the thread-group ID to identify the agent The Domain Registry Class loading in Java [Lindholm & Yellin 1996] Class loader-based namespace isolation One class loader per agent (domain) On-demand, secure code transfer
Anand Tripathi, University of Minnesota 32
Agent and Server - Interactions
AGENT current Itinerary AGENT SERVER Resource Proxy1 Proxy2 AccessProtocol Code
M1 M2 M3
State Unprotected Data AppendOnly Data Targeted Data ReadOnly Data Credentials host RMI Server Interface Agent Environment Resource Registry Domain Registry Agent Transfer ATP
Anand Tripathi, University of Minnesota 33
Proxy Based Resource Access
• • •
Agents aren’t given references to resource objects Proxy interposition [Shapiro 1986] Proxy as identity-based capability [Gong 1989]
– – –
access control dynamic revocation usage metering
Resource Proxy1 Proxy2 Agent1 Agent2 •
Assumption: agent server is not malicious
Anand Tripathi, University of Minnesota 34
Resource binding protocol
Resource Proxy2 Proxy1 6 Agent 1 AccessProtocol 4 Agent Environment 5 Resource Registry 3 Domain Registry Server Interface
1. Resource registers its URN 2. Agent requests a resource 3. Server locates resource in registry
2 Agent Transfer 4
. getProxy method is invoked 5. New proxy object is returned to agent 6. Agent accesses resource via proxy
Anand Tripathi, University of Minnesota 35
Security against potential attacks
• • • • •
Indirect access to the embedded resource: prevented using Java encapsulation ( private ).
Copying of embedded resource via serialization: prevented using Java’s transient keyword.
Use of proxy class that compromises embedded resource: Ajanta class loader only loads trusted proxy classes.
Typecasting of proxy: not possible, since proxy class has no ancestors (other than the base Java class Object ).
Cloning of proxy: not allowed, since proxy class does not implement Cloneable interface.
Anand Tripathi, University of Minnesota 36
Inter-agent Communication
• •
Inter-agent communication for co-located agents: using proxy-based binding Remote communication with agent using RMI :
– – –
leakage of sensitive data via remote invocation proxy interposition between remote caller and agent the createRMIProxy primitive
– –
proxy screens (authenticates) incoming RMI calls security manager screens outgoing connections
Anand Tripathi, University of Minnesota 37
Protection of Agent State
• •
On the network: ATP uses encryption Types of objects contained in an agent
– – –
read-only (constants) append-only (logs, write-once data) targeted (private, for specific servers )
Anand Tripathi, University of Minnesota 38
Agent Control Primitives
• •
Remote agents can be terminated or recalled home:
– public void terminate (URN agent,...); – public void recall (URN agent,...); – public void retract (URN agent,...);
Authentication necessary for these primitives
– public Ticket authenticate (URN caller, int nonce); Anand Tripathi, University of Minnesota 39
Agents and Itineraries
An example of a simple itinerary next Current Host A, action M Host B, action M Host C, action M Host D, action M Host E, action M Host F, action M
Anand Tripathi, University of Minnesota 40
Migrations Patterns
An itinerary is a sequence of patterns. A pattern is a collection of patterns. (Recursive) ItinEntry primitive pattern host, action Sequence of patterns: execute the patterns in a sequential order.
Set of patterns: execute in any arbitrary order 3 1 2 1 4 3 Selection of one pattern among a set of patterns 1
Anand Tripathi, University of Minnesota
3 4
41
Applications of mobile agents
• • • •
A Calendar Management System
– –
a ‘calendar server’ maintaining users’ calendars agents for scheduling meetings using patterns: Global File Access System
–
agent-based remote file access system Web Index Search Service
–
built above the file access system. Agents are used for searching a user’s web-page directory. Distributed Collaboration
Anand Tripathi, University of Minnesota 42
Distributed Calendar System
• • • •
Each person in a group maintains a calendar and runs a calendar server.
Calendar is a collection of events, organized by days.
An event has: start time, duration, description To schedule a meeting of a set of people, an agent is sent to check each participant’s calendar server with proposed meeting times .
Anand Tripathi, University of Minnesota 43
Calendar Agent and Servers
Cal Server of User A Agent Calendar Cal Server of User B Agent Calendar Cal Server of User C Agent Calendar Cal Server of User D Agent Calendar
Anand Tripathi, University of Minnesota 44
Global File Access System
Client Agent Migration User A’s File Access Server Agent to fetch/deposit files Files with ACL Files with ACL User A’s File Access Server User A’s File Access Server Files with ACL
Anand Tripathi, University of Minnesota 45
Global File Access System
• File load, store, transfer, ‘stat’, keyword search • Interface primitives: – fetchFile (URN fileName); – transferFile (URN fileName, URL dest); – depositFile – getFileStat (byte[] data, URN fileName); (URN fileName); – search (String keywords); • ‘root’ directory, and access control list Anand Tripathi, University of Minnesota 46
Web Index Search Service
• • • •
A user can run a Web-Index Server for his/her web directory.
This server stores an index for the user’s web directory. This index is prepared using Glimpse, an indexing and search tool from the University of Arizona.
A client can send an agent to one or more web index servers to search for files containing some given set of words.
Anand Tripathi, University of Minnesota 47
Agent Based Web Search
Server Agent File Server Thread Client Launch Results View Processing Browser Search/Filter Glimpse index of the .www
Anand Tripathi, University of Minnesota 48
Global File System
•
Requirements
-
open, read and write a remote file - support for different consistency model (AFS, Sprite, NFS etc) - dynamically configurable cache module (block size, cache size etc) - centralized as well as distributed caching policy
Anand Tripathi, University of Minnesota 49
File System Initialization and Open Command
Client Agent Environment File Server
Agent AjfsFile 5 getProxy File Client Agent 1 6 Data and Control channel open 2 File Server Agent 3 File Client Agent 4 Agent Transfer Anand Tripathi, University of Minnesota 50
Agent-based Distributed Collaboration
• Agent can be used as workflow objects.
• Agents can be installed or transported to different user’s nodes for executing coordination protocols.
• Specify workflow constraints for a dynamic collaboration • Role based access-control Anand Tripathi, University of Minnesota 51
Approach
• Define a collaboration environment • in terms of user roles, shared objects, security and coordination requirements using XML DTD • A written contract between Ajanta Collaborative System and a convener.
• Specify a collaboration plan in XML • This plan conforms to the DTD and shared • Role are assigned to people • Execute the Ajanta Collaborative System Anand Tripathi, University of Minnesota 52
Steps in Building a Collaboration
Collaborative Environment in XML DTD XML Specification of a Collaborative Plan Agent based Distributed Collaborative System using Ajanta
Anand Tripathi, University of Minnesota 53
Agent-based Collaborative System
User A User Interface User B User Interface a b c d
Shared Replicated Objects (Object Space) Agent-based Coordination Facility
Communication Network
Dispatching of a Coordination Agent
a b c d
Shared Replicated Objects(Object Space) Agent-based Coordination Facility
Anand Tripathi, University of Minnesota 54
Collaborative Authoring System
User Interface Document Manager
Proxy
AGENT
from a remote user’s UCI
Objects created from XML plan AccessProtocol
Agent Environment Anand Tripathi, University of Minnesota 55
Future Directions
• • • • •
Further investigations into agent security issues, and analysis of integrity and security of the Ajanta mechanisms Scale of operations with a number of different kinds of applications involving a significant number of agents.
–
Robustness and fault-tolerance Agent group coordination and management Support for debugging agent applications High level language for agent programming
Anand Tripathi, University of Minnesota 56
Resource Implementation
Resource AccessProtocol ResourceImpl Calendar CalendarImpl CalendarProxy
= provided by Ajanta = written by resource provider = = implementation inheritance interface
inheritance Anand Tripathi, University of Minnesota 57
Access control in the proxy
The Calendar proxy: private transient Calendar ref; private Method[] enabledMethods; // the hidden resource boolean isFree (TimeRange t) { // Use Java reflection to find the isFree Method object thisMethod = myClass.getMethod (“isFree”,……); if (isEnabled(thisMethod)) return ref.isFree(t); // pass it through to ref } else // throw security violation exception
Anand Tripathi, University of Minnesota 58
Server and Agent: Interactions
File System Resource Job buffer File System Proxy File System Thread Access Control List File Server OS File System Agent Thread Agent Anand Tripathi, University of Minnesota 59
Team Members
•
Anand Tripathi
–
Associate Professor, Computer Science
–
B.Tech (Elect. Eng.), 1972, IIT Bombay
–
Ph.D. 1980, University of Texas at Austin
–
1981-84, Senior Principal Research Scientist, Honeywell Inc. Minneapolis
–
1995-97 Program Director for Operating Systems and Systems Software program at the National Science Foundation.
Anand Tripathi, University of Minnesota 60
Team Members
Anand Tripathi
( Principal Investigator) • • •
Current Team Members Tanvir Ahmed Ram Singh
(M.S. student) (M.S. student)
Arvind Prakash
(M.S. student) • •
Graduated Team Members : Neeran Karnik
(Ph.D.)
Manish Vora
(M.S.) Anand Tripathi, University of Minnesota 61
RESEARCH GOALS
The primary goal of the Ajanta project is to investigate and build an agent programming infrastructure for programming secure, high-confidence agent-based applications.
Anand Tripathi, University of Minnesota 62
Current Research Activities
1
The Ajanta infrastructure
– – – –
agent execution, migration & binding agent programming primitives secure, remote control of agents Location-independent naming based on the URN framework
2
Secure Agent Transfer
3
Mechanisms for server resource protection
Anand Tripathi, University of Minnesota 63
Current Research Activities
4
Secure inter-agent communication using RMI
5
Authentication protocol for client-server interactions
6
Mechanisms to protect agent state
– –
Read-only state, Append-only state, Targeted state the ElGamal cryptosystem in Java
Anand Tripathi, University of Minnesota 64
Client
Evolution
parameters(data) results (data
) Server
procedure (code)
Client
results (data)
Server
RPC REV
Anand Tripathi, University of Minnesota 65
Applications of mobile agents
• •
A Global File System
–
Agents to act as client-side protocol managers with dynamic policies for caching and synchronization.
– –
Agents as mobile shared objects Server should be able to control the client-side protocol manager’s behavior dynamically Active Mail System
– –
Agents as multimedia mail carriers On-demand retrieval of multimedia
Anand Tripathi, University of Minnesota 66
Patterns for Itinerary Composition
• • •
Itinerary = sequence of ‘patterns’ A pattern is a collection of patterns. (Recursive) Pattern types:
– ItinEntry
(server + method specification)
– Sequence
(ordered list of patterns)
– Set
(unordered list of patterns)
– Selection
(any one from a list of patterns)
– Loop
(iterate over a sequence of patterns)
– Split
(create one child agent per pattern in list)
– SplitJoin
(wait for child agents to return)
Anand Tripathi, University of Minnesota 67
Secure Agent Transfer
• •
Requirements:
– –
Code and state transfer Security requirements (secrecy, integrity, authentication)
– – – – –
Failure/exception handling Name service updates Audit trails Garbage collection Thread allocation Absolute vs Relative migration (co-location with other agents/resources)
Anand Tripathi, University of Minnesota 68
Applications of mobile agents
• •
Global File Access System
–
Currently we have a simple agent-based remote file access system
–
An agent can be used to fetch/deposit files at remote user’s node.
Web Index Search Service
–
This is built on the file access system. Agents are used for searching a user’s web-page directory.
–
User runs a web-index server
Anand Tripathi, University of Minnesota 69
Web Index Sever and Agent
• • • •
The server uses Glimpse to search the index and get the list of files satisfying the given search query. The agent is given the URLs of these files .
Agent can bring back some initial parts of files.
The agent returns home and creates an HTML document with these URLs as hypertext links.
The result document also shows the frequency of occurrence of the search string in each document.
Anand Tripathi, University of Minnesota 70