The multi-agent-systems paradigm is becoming more and more popular as a basis for realizing net-based solutions. This development is accompanied by an increasing relevance of security issues. For instance, the potential loss of privacy and other assets is a major concern for, both merchants and customers, in Internet-based commerce and, without being properly addressed, such very legitimate concerns hamper the growth of e-commerce.
This article uses a comparison-shopping scenario to introduce a general methodology for formally verifying the security of multi-agent systems. Following the approach of possibilistic information flow security, the flow of information between and within agents is restricted in order to ensure that secrets will not be disclosed to unauthorized meddlers. The security requirements for the overall system are then decomposed into requirements for the individual agents that can be verified independently from each other. Exploiting the modular structure of a multi-agent system considerably reduces the complexity of the overall security analysis. The techniques for decomposing security requirements, for verifying individual agents, and for deriving global security guarantees for the entire system from locally verified properties are all generic in the sense that they apply also to many other systems and security requirements than the ones that appear in the example scenario.
