222 Chapter 6 Speciﬁcations of the Kalong Mobility Model
Besides the agent’s object state, agents also have an external state, which
is deﬁned as a set of ser ializable Java objects that are accessible by the
agent but are not part of the object state. Each element of the external
state must have a unique name to be stored and accessed by its owner.
A name must be codeable as a Java String object. Data items of the exter-
nal state must not be accessible to other agent instances. A single data item
should not be shared with another agent instance, because it is copied when it
Each data item has a status that can be defined or undefined. If a data
item is transferred to another agency, it is locally set to undefined and set
to defined at the destination agency. Thus, it is possible to let data items
remain at the home agency even if the agent has migrated to another agency.
The agent can request those data items from its home agency later. Kalong
must ensure that a data item currently set to undefined is never read or
written by the agent manager.
Another potential problem is that a data item could be uploaded to the
wrong agency. For example, data items could be overwritten accidentally at
a home agency, when the agent has already deﬁned a mirror agency. Addi-
tionally, we have to consider a security problem. A malicious agency might
send forged data-upload messages to a home or mirror agency and thereby
manipulate data items. The problem could also occur if a malicious agency
requests a data item from a home agency. If the state of this data item is set
to undefined at the home agency, the agent will not be able to download
the same data item later.
Unfortunately, we cannot solve this problem completely; we cannot pro-
tect the home agency against malicious access. However, we can provide a
two-step technique that will allow the agent to notice a malicious access and
be able to react.
1. Downloading and uploading data items always changes the state of
the data item. If a data item is downloaded, then its state is set to
undefined at the home agency. If the agent later tries to download this
data item again, it receives an error message.
2. If a malicious server loads a data item, modiﬁes it, and then uploads it
again, the state is set to defined at the home agency. The agent would
not notice the manipulation in this case. Therefore, we introduce a