Safe Tcl

A sandboxing mechanism for Tcl that splits execution into a trusted master interpreter and one or more untrusted slave interpreters, with dangerous commands hidden from slaves and selectively re-exposed via aliases (link substitution) controlled by policy. Used in both Agent Tcl and D’Agents for mobile-code isolation.

In this vault

Summary

This chapter describes the security architecture of D’Agents (formerly Agent Tcl), a mobile-agent system whose agents can be written in Tcl, Java, or Scheme. The authors frame mobile-agent security as four interrelated problems: protecting the host machine from malicious agents, protecting agents from each other, protecting an agent from a malicious machine, and limiting aggregate resource consumption across groups of machines.

For machine and inter-agent protection, D’Agents relies on PGP-based cryptographic authentication of owners, identity-based resource managers that enforce access-control policies, and secure execution environments (Safe Tcl, Java security managers, Scheme 48 modules) separated cleanly from policy. For group-of-machine protection they plan an electronic-cash market approach; for agent-from-host attacks they survey partial techniques (detection via audit trails, encrypted computation, trusted reference machines) since full prevention requires hardware support they do not assume.

Key Ideas

Four interrelated mobile-agent security problems.

Separation of enforcement mechanism from policy.

Multi-language support with a uniform C/C++ server library.

Cryptographic authentication + per-identity resource managers.

Open problem: protecting agents from malicious hosts without trusted hardware.

Conceptual Contribution

Claim: Mobile-agent security comprises four distinct but interrelated problems (protecting machine, protecting other agents, protecting agent from host, protecting group of machines); solving them requires layered mechanisms that cleanly separate enforcement from policy and span multiple execution languages.

Mechanism: Architectural description of D’Agents’ four-level stack (transport, server, interpreter, agents); PGP-based owner authentication; language-specific enforcement modules (Safe Tcl, Java security manager, Scheme 48) routed through a language-independent resource manager; planned e-cash market approach for aggregate-resource protection; survey of partial techniques (audit trails, encrypted computation) for the agent-from-host problem.

Concepts introduced/used: Mobile Agent, Four Security Problems, Mechanism vs Policy, Safe Tcl, Resource Manager Agent, PGP Authentication, Audit Trail, Encrypted Computation

Stance: engineering / survey

Relates to: Extends the earlier Agent Tcl Flexible Secure Mobile Agents with a mature security story; shares threat concerns with AI Agents Under Threat and Distributed Security; policy/mechanism separation echoes the sandboxing principles of Extensible Distributed Coordination and Agents Secure Interaction in Data Driven Languages.

Summary

Gray introduces Agent Tcl, a mobile-agent system built on the Tcl scripting language plus Safe Tcl that supports migration with a single agent_jump instruction, transparent inter-agent communication, and pluggable transport mechanisms. The paper argues that Tcl’s simplicity and ease of embedding make it more accessible than Telescript’s object-oriented language while the Safe Tcl extension provides the sandboxing needed for secure execution — a better balance than the ARA, Tacoma, or SodaBot alternatives.

The architecture has four layers (transport, server, interpreter, agents) and supports PGP-signed agents, resource-manager-based authorization, direct-connection and message-passing communication, and a flat namespace of named agents. Gray details how the Tcl core was modified to capture complete interpreter state (stack, procedure frames, variables) for transparent migration at arbitrary points, and outlines a plan to add Java and Scheme as additional agent languages.

Key Ideas

Single-instruction migration (agent_jump) that transparently captures/restores state.

Safe Tcl for sandboxed execution with policy decoupled from mechanism.

Layered architecture supporting multiple languages and transports.

Security approach: PGP-signed code + resource managers + Safe Tcl.

Explicit interpreter stack rewrite to enable mid-execution migration.

Conceptual Contribution

Claim: A mobile-agent system can be both simple and secure by building on an interpreted scripting language (Tcl) augmented with Safe Tcl sandboxing, exposing migration as a single instruction that transparently captures/restores complete interpreter state.

Mechanism: Modifies the Tcl core to use an explicit command stack (replacing recursive Tcl_Eval) so full execution state is capturable; primitives agent_begin/submit/jump/send/receive/meet/accept provide uniform mobility and messaging; security via PGP-signed agents + per-identity resource managers + Safe Tcl trusted/untrusted dual interpreters with link substitution.

Concepts introduced/used: Mobile Agent, agent_jump, State Capture, Safe Tcl, Sandboxing, Explicit Command Stack, Flat Namespace, Resource Managers

Stance: engineering

Relates to: Precursor to DAgents Security Book Chapter which formalises the security model; contemporary alternative to Telescript/ARA/Tacoma (discussed in the D’Agents chapter); shares interpreter-level security philosophy with Agents Secure Interaction in Data Driven Languages.

Safe Tcl

In this vault

Backlinks