This paper explores the design of a secure content-based publish-subscribe system that prioritizes privacy and security in pervasive environments. It discusses the limitations of existing systems and proposes a policy-based approach for access control and data security. The paper also presents a location-tracking application as a case study.
Designing a Publish Subscribe Substrate for Privacy/Security in Pervasive Environments
Lukasz Opyrchal, Miami University, Oxford, OH
Atul Prakash, University of Michigan, Ann Arbor
Amit Agrawal, IIT, New Delhi, India
ICPS 2006

Miami University
• Oxford, Ohio
• Not Miami, Florida
• Established in 1809
  • Older than the state of Florida
  • Older than the city of Miami

Two Themes
• Building a secure content-based publish subscribe system
• Create a “privacy-aware” location tracking application

Publish Subscribe Systems
(Diagram: publishers and subscribers connected through a network of brokers.)

Content-Based Publish Subscribe
• SIENA, Elvin, Hermes
• IBM: Gryphon
• Microsoft: Herald
• Only rudimentary security solutions exist

Dynamic Nature of Content-Based Systems
• Cannot determine the set of interested subscribers before an event is published
Content-Based Systems and Security?
• Only basic security solutions
  • Coarse grained
• Cambridge University Opera group
  • First attempt at a security model for content-based systems
  • RBAC model
  • Little detail in the published paper

Policy Dimensions
• Authorization/Authentication
  • existing solutions (Kerberos, certificates, etc.)
• Access Control
  • conditions under which an action can be performed
  • historically coarse-grained
• Data Security
  • security guarantees (confidentiality, integrity, sender authenticity, etc.)
• Granularity of Security Guarantees
  • explained later

Entities
• Application
  • application administrator
  • consists of multiple event types
  • LOC_APP application: LOC_INFO and LOC_SERVICE event types
• Event type
  • describes event schema
• Owner
  • can authorize others to subscribe, receive and modify policy for its events
  • one or more owners per event type

Policy Language
• Based on KeyNote [RFC 2704]
• Fields:
  • Authorizer
  • Licensees
  • Conditions
  • Signature

Sample Rules
  Authorizer: “POLICY”
  Licensees: admin
  Conditions: (app_domain == “LOC_APP”) -> “true”;

  Authorizer: admin
  Licensees: joe
  Conditions: (app_domain == “LOC_APP”) && (evtType == “LOC_INFO”) && (user == “joe”) && (owner == “joe”) -> “true”;
Policy Evaluation
• KeyNote Trust Management System
  • Used in many applications
  • Available implementation
  • Clear API
  • Slow
• CPOL
  • Developed at the University of Michigan by Kevin Borders and Atul Prakash
  • High-performance policy evaluation
  • Language expressiveness similar to KeyNote
  • Direct support for delegation

Access Control
• Actions
  • authenticate
  • advertise
  • publish
  • subscribe
  • receive
  • change policy

System
• Implemented in Java
• Supports any number of applications and event types
• Advertisements read at start-up
• External attributes
• Event schema
  • List of attributes
  • All attributes are Strings [LOC_INFO: (user, building, room)]

Location-Tracking Application
(Section title slide.)

Policies We Are Interested In
• Environment-dependent sharing
  • Share info at certain times
  • Share info in certain locations
  • Share info during special events, etc.
• Privacy-protected access to services
  • Location-based notification
  • Without revealing one's location

Location-Tracking Application
• Event schema: [LOC_INFO: (user, building, room)]
• Sensors
  • planned: RFID, 802.11
  • currently: event generator
• Privacy policies
  • users own events about them
  • allow others to receive your events
  • based on event attributes and external attributes

Eve authorizes everybody to receive her events, but only when Eve and the subscriber are in the same room:
  Authorizer: Eve
  Conditions: (app_domain == “LOC_APP”) && (evtType == “LOC_INFO”) && (owner == “Eve”) && (action == “RECEIVE”) && (building == subBuilding) && (room == subRoom) -> “true”;

location_admin is the administrator of the LOC_APP application:
  Authorizer: POLICY
  Licensee: location_admin
  Conditions: (app_domain == “LOC_APP”) -> “true”;
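The following Python program is an added example, not code from the paper or from the authors' Java system. It parses the KeyNote-style rules shown on the Sample Rules slide and on this slide with a small recursive-descent parser for the condition language the slides use (`==`, `&&`, parentheses, string literals, attribute-to-attribute comparisons such as `building == subBuilding`), and then evaluates a request by searching for a delegation chain from the requesting principal back to `POLICY` in which every assertion's conditions hold on the action environment. Everything beyond the four rules quoted from the slides is an assumption: the simplified evaluator semantics (no signatures, no KeyNote compliance values other than "true"), the fifth rule in which `location_admin` makes Eve the owner of events about Eve (needed so that Eve's own delegation can reach `POLICY`), and the constructed event and subscriber data. The `deliver` helper illustrates the point made on the Dynamic Nature slide: the RECEIVE check can only be made per event and per subscriber once the event exists.

```python
import re
from collections import namedtuple
from typing import Callable, Dict, List

Env = Dict[str, str]              # action environment: event attributes plus external attributes
Pred = Callable[[Env], bool]
_TOKEN = re.compile(r'\s*(?:(==|&&|->|\(|\))|"([^"]*)"|([A-Za-z_]\w*))')   # ops, "literals", identifiers
_plain = lambda t: t.replace("\u201c", '"').replace("\u201d", '"')        # undo curly quotes from the slides

def tokenize(src: str) -> list:
    src, pos, out = _plain(src).strip(), 0, []
    while pos < len(src):
        m = _TOKEN.match(src, pos)
        if not m:
            raise ValueError(f"bad token near {src[pos:pos + 10]!r}")
        pos = m.end()
        kind = "op" if m.group(1) else "id" if m.group(3) else "str"
        out.append((kind, m.group(1) or m.group(3) or m.group(2)))
    return out

class _Parser:
    """Recursive descent: expr := term ('&&' term)*; term := '(' expr ')' | id '==' (str | id)."""
    def __init__(self, toks):
        self.toks, self.i = toks, 0
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else ("eof", None)
    def take(self, kind=None, val=None):
        tok = self.peek()
        if (kind and tok[0] != kind) or (val and tok[1] != val):
            raise ValueError(f"expected {val or kind}, got {tok}")
        self.i += 1
        return tok
    def rule(self) -> Pred:                      # whole Conditions field: expr -> "true"
        cond = self.expr()
        self.take("op", "->"); self.take("str", "true"); self.take("eof")
        return cond
    def expr(self) -> Pred:
        pred = self.term()
        while self.peek() == ("op", "&&"):
            self.take()
            pred = (lambda l, r: lambda env: l(env) and r(env))(pred, self.term())
        return pred
    def term(self) -> Pred:
        if self.peek() == ("op", "("):
            self.take(); inner = self.expr(); self.take("op", ")")
            return inner
        name = self.take("id")[1]; self.take("op", "==")
        kind, val = self.take()
        if kind == "str":                        # attribute == literal
            return lambda env: env.get(name) == val
        if kind != "id":
            raise ValueError(f"unexpected {kind}")
        return lambda env: name in env and val in env and env[name] == env[val]   # e.g. room == subRoom

# licensees is None when the rule has no Licensees field, i.e. anyone (Eve's rule on the slide)
Assertion = namedtuple("Assertion", "authorizer licensees conditions")
_FIELD = re.compile(r'(Authorizer|Licensees?|Conditions):\s*(.*?)\s*(?=(?:Authorizer|Licensees?|Conditions):|\Z)', re.S)

def parse_assertion(text: str) -> Assertion:
    f = {k.rstrip("s"): v for k, v in _FIELD.findall(_plain(text))}   # keys: Authorizer/Licensee/Condition
    lic = f.get("Licensee")
    return Assertion(f["Authorizer"].strip('"'),
                     None if lic is None else [x.strip('"') for x in re.split(r"[,\s]+", lic) if x],
                     _Parser(tokenize(f["Condition"].rstrip(";"))).rule())

def is_authorized(principal: str, env: Env, policy: List[Assertion], _seen=frozenset()) -> bool:
    """True if a delegation chain of assertions, each satisfied by env, links principal back to POLICY."""
    if principal == "POLICY":
        return True
    if principal in _seen:                       # break delegation cycles
        return False
    return any((a.licensees is None or principal in a.licensees) and a.conditions(env)
               and is_authorized(a.authorizer, env, policy, _seen | {principal}) for a in policy)

SLIDE_RULES = [   # the four rules as written on the slides, plus one constructed rule (see comment)
    'Authorizer: "POLICY" Licensees: admin Conditions: (app_domain == "LOC_APP") -> "true";',
    'Authorizer: admin Licensees: joe Conditions: (app_domain == "LOC_APP")&& (evtType == "LOC_INFO") '
    '&& (user == "joe") && (owner == "joe") -> "true";',
    'Authorizer: POLICY Licensee: location_admin Conditions: (app_domain == "LOC_APP") -> "true";',
    'Authorizer: Eve Conditions: (app_domain == "LOC_APP") && (evtType == "LOC_INFO") && (owner == "Eve") '
    '&& (action == "RECEIVE") && (building == subBuilding) && (room == subRoom) -> "true";',
    # Constructed assumption, not on the slides: the LOC_APP administrator makes Eve owner of events about Eve
    'Authorizer: location_admin Licensees: Eve Conditions: (app_domain == "LOC_APP") && (owner == "Eve") -> "true";',
]
POLICY = [parse_assertion(r) for r in SLIDE_RULES]

def deliver(event: Env, subscribers: Dict[str, Env]) -> List[str]:
    """Broker-side RECEIVE check, made per event and per subscriber only once the event exists (constructed)."""
    return [s for s, ext in subscribers.items()
            if is_authorized(s, {**event, **ext, "action": "RECEIVE"}, POLICY)]

def who_gets_eves_event() -> List[str]:
    event = {"app_domain": "LOC_APP", "evtType": "LOC_INFO", "owner": "Eve",
             "user": "Eve", "building": "B1", "room": "101"}           # constructed LOC_INFO event
    subscribers = {"Alice": {"subBuilding": "B1", "subRoom": "101"},   # same room as Eve
                   "Bob": {"subBuilding": "B1", "subRoom": "102"},     # different room
                   "joe": {"subBuilding": "B2", "subRoom": "7"}}
    return deliver(event, subscribers)

def joe_may_subscribe(owner: str) -> bool:
    env = {"app_domain": "LOC_APP", "evtType": "LOC_INFO", "user": "joe", "owner": owner, "action": "SUBSCRIBE"}
    return is_authorized("joe", env, POLICY)
```

`who_gets_eves_event()` returns only Alice: Bob fails the `room == subRoom` condition and joe is licensed only for his own events by the `admin` rule, whose `user == "joe"` and `owner == "joe"` conditions do not hold for Eve's event. The same evaluator answers `joe_may_subscribe("joe")` with the chain POLICY → admin → joe and rejects `joe_may_subscribe("Eve")`. Note that the external attributes `subBuilding` and `subRoom` come from the broker's knowledge of the subscriber, not from the event, which is what lets the receive decision stay private to the broker.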
Conclusion and Future Work
• Flexible security framework for content-based systems
• Support for complex privacy policies
• Services (such as privacy filters)
  • Event filter infrastructure
  • Publisher/subscriber

Future Work
• Restricting delegation
  • CPOL provides direct control over delegation
• Support for contract signing
• Support for archived events
• Extensions to the pub-sub system
  • Broker trust
• Extensive performance experiments

Questions?
opyrchal@muohio.edu

Privacy
• The ability of an individual to control the terms for acquisition and usage of their personal information*
• How to build applications and services while giving users control over the conditions under which their data is distributed
* M. J. Culnan, “Protecting Privacy Online: Is Self Regulation Working.”

Motivation
• Publish subscribe systems
  • information delivery
  • enterprise systems: supply chain, workflow, e-commerce
  • pervasive applications
• Content-based systems
  • emerging applications: wireless/location-aware apps, military apps, sensor networks, large-scale enterprise systems, web services
  • emerging commercial solutions: IBM (Gryphon), Microsoft (Herald), Mantara, Pre-Cache

Architecture
(Diagram slide.)