Eimear Gallery (2007) Authorisation Issues for Mobile Code in Mobile Systems.
Full text access: Open
This thesis is concerned with authorisation issues for mobile code in mobile systems. It is divided into three main parts. Part I covers the development of a policy-based framework for the authorisation of mobile code and agents by host systems. Part II addresses the secure download, storage and execution of a conditional access application, used in the secure distribution of digital video broadcast content. Part III explores the way in which trusted computing technology may be used in the robust implementation of OMA DRM version 2.
In Part I of this thesis, we construct a policy-based mobile code and agent authorisation framework, with the objective of providing both mobile devices and service providers with the ability to assign appropriate privileges to incoming executables. Whilst mobile code and agent authorisation mechanisms have previously been considered in a general context, this thesis focuses on the special requirements resulting from mobile code and agent authorisation in a mobile environment, which restrict the types of solutions that may be viable. Following the description and analysis of a number of architectural models upon which a policy-based framework for mobile code and agent authorisation may be constructed, we outline a list of features desirable in the definitive underlying architecture. Specific implementation requirements for the capabilities of the policy and attribute certificate specification languages and the associated policy engine are then extracted. Candidate policy specification languages, namely KeyNote (and Nereus), Ponder (and (D)TPL) and SAML are then examined, and conclusions drawn regarding their suitability for framework expression. Finally, the definitive policy-based framework for mobile code and agent authorisation is described.
In the second part of this thesis, a flexible approach that allows consumer products to support a wide range of proprietary content protection systems, or more specifically digital video broadcast conditional access systems, is proposed. Two protocols for the secure download of content protection software to mobile devices are described. The protocols apply concepts from trusted computing to demonstrate that a platform is in a sufficiently trustworthy state before any application or associated keys are securely downloaded. The protocols are designed to allow mobile devices to receive broadcast content protected by proprietary conditional access applications. Generic protocols are first described, followed by an analysis of how well the downloaded code is protected in transmission. How the generic protocols may be implemented using specific trusted computing technologies is then investigated. For each of the selected trusted computing technologies, an analysis of how the conditional access application is protected while in storage and while executing on the mobile host is also presented. We then examine two previously proposed download protocols, which assume a mobile receiver compliant with the XOM and AEGIS system architectures. Both protocols are then analysed against the security requirements defined for secure application download, storage and execution. We subsequently give a series of proposed enhancements to the protocols which are designed to address the identified shortcomings.
In the final section of this thesis, we examine OMA DRM version 2, which defines the messages, protocols and mechanisms necessary in order to control the use of digital content in a mobile environment. However, an organisation, such as the CMLA, must specify how robust implementations of the OMA DRM version 2 specification should be, so that content providers can be confident that their content will be safe on OMA DRM version 2 devices. We take the requirements extracted for the robust implementation of the OMA DRM version 2 specification and propose an implementation which meets these requirements using the TCG architecture and TPM/TSS version 1.2 commands.
This is a Published version. This version's date is: 18/05/2007. This item is peer reviewed.
https://repository.royalholloway.ac.uk/items/4ba714c3-6a31-9d31-8e1a-959bc6e96636/1/
Deposited on 28-Jun-2010 in Royal Holloway Research Online. Last modified on 14-Dec-2010.
[133] T. Sander and C.F. Tschudin. Protecting mobile agents against malicioushosts. In G. Vigna, editor, Mobile Agents and Security, volume 1419of Lecture Notes in Comptuer Science (LNCS), pages 44{60. Springer{Verlag, Berlin{Heidelberg, Germany, 1998.
[134] NHK Science and Technical Research Laboratories. Scrambling (condi-tional access system). NHK Science and Technical Research LaboratoriesBulletin 12, Tokyo, Japan, Autumn 2002.
[135] Software De¯ned Radio Forum (SDRF). Security considerations for opera-tional software for software de¯ned radio devices in a commercial wirelessdomain. SDRF Archived Approved Document 2004-A0010, 27 October2004.
[136] K. Seamons, M. Winslett, T. Yu, B. Smith, E. Child, J. Jacobson, H. Mills,and L. Yu. Requirements for policy languages for trust negotiation. InProceedings of the 3rd International Workshop on Policies for DistributedSystems and Networks (POLICY 2002), pages 68{79, Monterey, Califor-nia, USA, 5{7 June 2002. IEEE Computer Society, Washington, Districtof Columbia, USA.
[137] K.E. Seamons and W. Winborough. Internet credential acceptance poli-cies. In M. Falaschi, M. Navarro, and A. Policriti, editors, Joint Confer-ence on Declarative Programming (APPIA-GULP-PRODE 1997), pages415{432, Grado, Italy, 16{19 June 1997.
[138] R. Sekar, C.R. Ranalrishnan, I.V. Ramakrishnan, and S.A. Smolka. ModelCarrying Code (MCC): A new paradigm for mobile code security. In NewSecurity Paradigms Workshop (NSPW'01), pages 23{30, Cloudcroft, NewMexico, USA, 10{13 September 2001. ACM Press, New York, USA.
[139] Bilal Siddiqui. Web services security. XML.com, 4 March 2003.
[140] M. Sihvonen. CC/PP negotiation of a mobile station in mexe service envi-ronment. In International Conference on Information Systems Technologyand its Applications (ISTA 2001), pages 185{198, St. Augustin, Germany,2001. Gesellschaft fuer Mathematik und Datenverarbeitung.
[141] D. Singel¶ee and B. Preneel. Secure e-commerce using mobile agents onuntrusted hosts. COSIC internal report, Computer Security and Indus-trial Cryptography (COSIC), Katholieke Universiteit Leuven, Leuven{Heverlee, Belgium, 2004.
[142] W. Stallings. Cryptography and Network Security, Principles and Prac-tices. Prentice Hall, Upper Saddle River, New Jersey, 2nd edition, 1999.
[143] E. Suh, D. Clarke, B. Gassend, M. van Dyke, and S. Devadas. TheAEGIS processor architecture for tamper{evident and tamper-resistantprocessing. In 17th Annual ACM International Conference on Supercom-puting (ICS'03), pages 160{171, San Francisco, California, USA, 23{26June 2003. ACM Press, New York, USA.
[144] E. Suh, C.W. 'O Donnell, I. Sachdev, and S. Devadas. Design and imple-mentation of the AEGIS secure processor using physical random functions.ACM SIGARCH Computer Architecture News, 33(2):25{36, 2005.
[145] J. Tardo and L. Valente. Mobile agent security and telescript. In 41st In-ternational IEEE Computer Society International Conference: Technolo-gies for the Information Superhighway (COMPCON 1996), pages 58{63,Santa Clara, California, USA, 25{28 February 1996. IEEE Computer So-ciety Press.
[146] TCG. TCPA Main Speci¯cation. TCG Speci¯cation Version 1.1b, TheTrusted Computing Group (TCG), Portland, Oregon, USA, February2002.
[147] TCG. Main speci¯cation changes. TCG Speci¯cation Version 1.2, TheTrusted Computing Group (TCG), Portland, Oregon, USA, October 2003.
[148] TCG. TCG Software Stack (TSS) Speci¯cation. TCG Speci¯cation Ver-sion 1.1, The Trusted Computing Group (TCG), Portland, Oregon, USA,August 2003.
[149] TCG. TCG Speci¯cation Architecture Overview. TCG Speci¯cation Ver-sion 1.2, The Trusted Computing Group (TCG), Portland, Oregon, USA,April 2003.
[150] TCG. TPM Main, Part 1 Design Principles. TCG Speci¯cation Version1.2 Revision 62, The Trusted Computing Group (TCG), Portland, Oregon,USA, October 2003.
[151] TCG. TPM Main, Part 2 TPM Data Structures. TCG Speci¯cationVersion 1.2 Revision 62, The Trusted Computing Group (TCG), Portland,Oregon, USA, October 2003.
[152] TCG. TPM Main, Part 3 Commands. TCG Speci¯cation Version 1.2Revision 62, The Trusted Computing Group (TCG), Portland, Oregon,USA, October 2003.
[153] TCG. TCG PC client speci¯c implementation speci¯cation for conven-tional BIOS. TCG speci¯cation Version 1.2 Final, The Trusted ComputingGroup (TCG), Portland, Oregon, USA, July 2005.
[154] TCG. TCG Software Stack (TSS) Speci¯cation. TCG Speci¯cation Ver-sion 1.2, The Trusted Computing Group (TCG), Portland, Oregon, USA,2005.
[155] TCG. TCG Work Group Charter Summary. TCG Speci¯cation, TheTrusted Computing Group, Portland, OR, USA, 2005.
[156] TCG. TPM Main, Part 1 Design Principles. TCG Speci¯cation Version1.2 Level 2 Revision 85, The Trusted Computing Group (TCG), Portland,Oregon, USA, February 2005.
[157] TCG. TPM Main, Part 2 TPM Data Structures. TCG Speci¯cationVersion 1.2 Level 2 Revision 85, The Trusted Computing Group (TCG),Portland, Oregon, USA, February 2005.
[158] TCG. TPM Main, Part 3 Commands. TCG Speci¯cation Version 1.2Level 2 Revision 85, The Trusted Computing Group (TCG), Portland,Oregon, USA, February 2005.
[159] TCG MPWG. Use Case Scenarios. TCG Speci¯cation Version 2.7, TheTrusted Computing Group, Mobile Phone Working Group, Portland, Ore-gon, USA, September 2005.
[160] W. Tuttlebee, D. Babb, J. Irvine, G. Martinez, and K. Worrall. Broad-casting and mobile telecommunications: Interworking | not convergence.European Broadcasting Union (EBU) Technical Review, 293:1{11, January2003.
[161] J. Tygar and B. Yee. Dyad: A system for using physically secure copro-cessors. Technical Report CMU-CS-91-140R, Carnigie Mellon University,Pittsburgh, Pennsylvania, USA, May 1991.
[162] G. Vigna. Cryptographic traces for mobile agents. In G. Vigna, editor,Mobile Agents and Security, volume 1419 of Lecture notes in computerscience (LNCS), pages 137{153. Springer-Verlag, Berlin Heidelberg, Ger-many, 1998.
[163] D. Volpano and G. Smith. Language issues in mobile program security.In G. Vigna, editor, Mobile Agents and Security, volume 1419 of Lec-ture Motes in Computer Science (LNCS), pages 25{43. Springer{Verlag,Berlin{Heidelberg, Germany, 1998.
[164] G.H. von Wright. Deontic logic. Mind, 60:1{15, 1951.
[165] D. Wagner, J.S. Foster, E.A. Brewer, and A. Aiken. A ¯rst step towardsautomated detection of bu®er overrun vulnerabilities. In The 7th An-nual Symposium on Network and Distributed System Security Symposium(NDSS 2000), pages 2{4, San Diego, California, USA, February 2000. TheInternet Society.
[166] R. Walsh. Q&A: Microsoft seeks industry wide collaboration for `Palla-dium' initiative. Press pass { information for journalists, Microsoft, 1 July2002.
[167] M. Weber, V. Shah, and C. Ren. A case study in detecting softwaresecurity vulnerabilities using constraint optimization. In IEEE Inter-national Workshop on Source Code Analysis and Manipulation (SCAM2001), pages 3{13, Florence, Italy, 10 November 2001. IEEE ComputerSociety.
[168] J. Wilander. Modeling and visualizing security properties of code using de-pendence graphs. In L. Blankers, editor, The 5th Conference on SoftwareEngineering Research and Practice in Sweden (SERPS 2005), pages 65{74, VÄasterºas, Sweden, 20{21 October 2005. Malardalen University Press.
[169] Philip R. Zimmermann. The O±cial PGP User's Guide. MIT Press,Boston, Massachusetts, USA, 1995.