Access Control in Ubiquitous Computing Environments: An Analysis of the Trust-Based Approach


Roushdat Elaheebocus
School of Electronics and Computer Science
University of Southampton
[email protected]

Abstract

In this report, we have identified the major challenges that systems dealing in ubiquitous access control have to tackle. An in-depth analysis of six trust-based access control models has then been performed to find out the extent to which they overcome these challenges. Finally, some of their security vulnerabilities have been briefly described.

1. Introduction

Ubiquitous Computing is described by Mark Weiser [1] as the embedding of computing capabilities into our everyday environment, freeing users from the 'how' of doing things and allowing them to focus on the 'what' tasks to perform, thus creating a pervasive environment [2], which can also be described as a smart or Active Space. Access control policies and mechanisms are necessary to ensure that users only use the resources (both hardware and software) in an Active Space in authorised ways, and to allow shared use of the space [3].

In our literature search [4] we have found that there are at least five major challenges to overcome when dealing with access control in ubiquitous computing environments. The research done so far has adopted one or a combination of strategies out of four common ones, which are:

i. Trust-Based Access Control (TBAC)
ii. Context-Based Access Control (CBAC)
iii. Role-Based Access Control (RBAC)
iv. Policy-Based Access Control (PBAC)

The most popular one among researchers, based on the number of papers published, seems to be Trust-Based. While it would have been very interesting to dig deeper into all the approaches, space limitation in this technical report has constrained us to pick only one of them, and TBAC has been chosen due to its popularity.

2. Analysis

A complete analysis of all the approaches with respect to how they tackle the different challenges would have yielded a table as shown in Table 1.

                  Usability   Privacy   Mobility   Scalability   Resource Constraints
  Trust-Based
  Context-Based
  Role-Based
  Policy-Based

Table 1. Access control approaches vs. challenges

The full analysis for each approach would have produced some results that could have been quantified and compared. As mentioned earlier, in this report we will analyse only the Trust-Based approach (the highlighted row in Table 1).

Based on the literature search [4], six recent papers proposing solutions of a Trust-Based nature for access control have been selected for the in-depth critical analysis. We will refer to them as:

paper A [7]
paper B [8]
paper C [9]
paper D [10]
paper E [11]
paper F [12]


3. Trust-Based approach: In-Depth analysis

3.1. Usability

Assuming users will be accessing hundreds of services from different devices simultaneously, access control mechanisms should be appropriate for such situations, with the users' ease of use in mind [5].

While most of the trust models have avoided human involvement during the identification and authentication phases through automated trust negotiation using trust evidence consisting of credentials, context data and past interactions [7], paper B has suggested asking for users' intervention in cases where policies concerning the amount of private data to be released have not been specified a priori. This prevents the system from taking an arbitrary action in ambiguous situations, which is good. But on the other hand, this human part can weaken the system in two ways: from the usability point of view, users will have to tackle policy-related problems which can be quite technical, and on the security side, humans will be the system's weak point since they can be deceived.

Paper F proposes two possible ways of admitting a new node: human authentication of its ID, or trial admission to the network. While the first option is feasible and simple to implement in a small-sized network, it is impracticable for larger ones, especially in ubiquitous environments.

3.2. Privacy

There is always a compromise to be made between privacy and service personalisation, but the extent of this compromise varies depending on the access control approach in use [6].

Paper A argues that in dealing with a node that is neither known by the service provider nor by peers, the trust negotiation will have to be performed from scratch, which can cause privacy issues for the client since the latter may not know whether it is safe to disclose its credentials, for example. The solution proposed for this is the disclosure of credentials between the provider and the requester piece by piece and in turn. While the paper also mentions protecting the privacy of information and securing data flow, no suggestion is made about how to perform this. Probably some kind of encryption was thought of, but this will add extra computation load on the nodes.

Paper B exclusively investigates and proposes a way of protecting privacy by varying the amount of data disclosed depending on the requesters' identities. Having evaluated the trust value of a requester, a device can then categorise it into either the trusted, public or distrusted group. Depending on the group and the privacy policies in place, the amount of data to be disclosed is decided. Furthermore, the system goes a step further by proposing to shield all data from requesters by default and to disclose only chosen parts. Unfortunately, this idea simply transfers one more burden to users, whose devices must be capable of such a task.

Paper C adopts a different strategy compared to conventional routing algorithms: choosing the most trustworthy nodes to route messages instead of the shortest and quickest route. While this will increase communication latency, privacy protection is greatly enhanced. But the way trust is evaluated puts private-data protection into question: past-activity records of nodes are stored, so if the node storing the data becomes compromised, all those records get compromised as well. Perhaps encrypting the records for storage can be a way out.

Papers D, E and F do not tackle the issue of privacy directly, although inevitably, during trust establishment, private data is at stake.

3.3. Mobility

When securing access to services in pervasive environments, the volatile nature of such environments, where devices joining and leaving the network is normal, has to be considered.

For paper A, the context is set such that the service provider is static and only the client nodes are mobile. As a result, all new nodes have to go through the same access control mechanisms when they join the network, resulting in additional processing. This drawback is solved by paper B, which uses peer recommendation for new nodes, but then the assumption is that there should be enough trusted peers within range which know about the new node. Similarly, paper D mentions, among several characteristics of trust, a transitivity assumption, that is, if X trusts Y and Y trusts Z, X can trust Z. While this is a fairly simple assumption allowing for an increased range between cooperating nodes, it is risky: in cases where Y has been compromised or the trust evaluation for Y was wrongly performed, there will be a cascading effect. A solution for this would be to rely on more than one intermediary in parallel at a given time.
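To make the cascading effect concrete, here is a small added simulation (not code from the report or from paper D) of the transitivity assumption beside the parallel-intermediary mitigation suggested above. The node names, trust values, the product rule for chaining trust, the median aggregation and the admission threshold are all constructed assumptions.

```python
from statistics import median

TRUST_THRESHOLD = 0.6  # constructed admission threshold

# Constructed direct-trust table: DIRECT[a][b] is how far a trusts b (0..1).
# Y1 is a compromised intermediary vouching strongly for a malicious Z,
# while Y2 and Y3 have evaluated Z honestly; Z in turn vouches for W.
DIRECT = {
    "X":  {"Y1": 0.9, "Y2": 0.85, "Y3": 0.8},
    "Y1": {"Z": 0.95},
    "Y2": {"Z": 0.2},
    "Y3": {"Z": 0.25},
    "Z":  {"W": 0.95},
}


def chain_trust(trust, path):
    """Transitive trust along one chain, modelled as the product of the
    direct trust of each hop (a missing edge counts as zero trust)."""
    value = 1.0
    for a, b in zip(path, path[1:]):
        value *= trust.get(a, {}).get(b, 0.0)
    return value


def single_intermediary_admissions(trust, chain):
    """Transitivity applied hop by hop along one chain: each node is admitted
    if the chained trust from the origin reaches the threshold. Once a
    compromised hop is admitted, everything it vouches for follows (cascade)."""
    admitted = []
    for end in range(2, len(chain) + 1):
        if chain_trust(trust, chain[:end]) < TRUST_THRESHOLD:
            break  # trust stops propagating at the first failing hop
        admitted.append(chain[end - 1])
    return admitted


def multi_path_trust(trust, origin, target, intermediaries):
    """The report's mitigation: consult several intermediaries in parallel and
    take the median of the chained values, so that one compromised or
    mis-evaluated intermediary cannot decide the outcome on its own."""
    values = [chain_trust(trust, [origin, y, target]) for y in intermediaries]
    return median(values) if values else 0.0


if __name__ == "__main__":
    print("via Y1 only:", single_intermediary_admissions(DIRECT, ["X", "Y1", "Z", "W"]))
    print("via Y2 only:", single_intermediary_admissions(DIRECT, ["X", "Y2", "Z", "W"]))
    print("median over Y1..Y3 for Z:", multi_path_trust(DIRECT, "X", "Z", ["Y1", "Y2", "Y3"]))
```

With a single chain through the compromised Y1, both Z and W are admitted; with the median over three intermediaries, Z's value falls to 0.2 and nothing it vouches for is reached.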

As for papers C and F, the adoption of smaller sub-networks referred to as 'communities', consisting of a small group of nodes (neighbours) having a 1-hop distance between them, makes the model highly mobile. One or more nodes in one community can be part of another one as well, thus effectively interlinking the sub-networks into a large mobile and ubiquitous network. It is to be noted that F's system found that increasing the ability of a node to migrate from one location to another also heightens the risk of attacks by malicious nodes that can keep moving to avoid detection.

Although paper E deals with a small organisation for its ubiquitous scenario, it suggests a way of dealing with node migration: that of having a shared delegation policy among the various sub-groups in the network. While this is practical in an organisation where a central authority governs, it will be challenging to implement in other cases.

3.4. Scalability

In pervasive environments, it is expected that one user may be in control of hundreds of computing devices [6]. Scale this to a small group of people and we very quickly exceed thousands of devices accessing the network. As a result, for an access control mechanism to perform appropriately, it should scale well.

Paper A used a modular approach for implementing the model's components, consisting mainly of different trust-evaluation strategy modules. This paved the way for allowing the system to be of a distributed nature, which we believe will enhance its scalability.

Consisting of small sub-networks cooperating to form the larger ubiquitous network, paper C's and F's models scale very well since there is no central control and each sub-network can operate independently.

Paper E uses delegation to 'lease' trust to a new node by a group of other nodes already trusted in the network. As it is, this approach will be appropriate in small private networks where even 'new' nodes can be known by some older ones, but not in large public networks. Along with paper E, papers B and D do not take scalability issues into consideration for their model of trust-based access control.

3.5. Resource constraints

In addition to the four main constraints identified in the literature search [4], we have found that resource availability is also very important to consider for access control. Mobile devices tend to be physically very small, with lower processing power. As a result, they have constraints such as a shorter battery life and a smaller screen compared to non-mobile devices. Wireless networking also means reduced bandwidth and frequent data packet loss or corruption. All these have to be taken care of while designing an access control mechanism.

Paper A to some extent sacrifices computing power for the sake of having a more generalised and dynamic model. This is due to the fact that, by combining several trust strategies for trust evaluation, the processing load will increase considerably, given that a large number of clients are expected to go through the access control mechanism. While the paper aims at achieving concurrency during the trust evaluation phase, the claim is doubtful since there will be so many nodes to control at a given time. However, some parallelism may be achieved through distributed computing.

Paper B assumes that each ubiquitous client node is able to evaluate and categorise neighbours on its own. This will require more processing power and bandwidth, and also consume more of the limited battery life. While this may be possible for some devices, not all of them will match these capabilities.

Paper C makes a similar assumption by requiring each node to host a TOMS (Trust cOmputation and Management System) locally, and paper F requires each node to monitor its neighbours' activities to detect misbehaving nodes. However, by doing so, nodes will use less bandwidth since they will be able to interact directly with peers 1 hop away from them.

Concerning the system proposed by paper E, the best guess is that it will need a lot of computing resources, based on the fact that tests were run using Pentium IV processors.

One way of preserving resources, according to paper D, is through the use of resource-constrained trust negotiation (RCTN), which can alleviate the consumption of resources such as processing and bandwidth during the trust negotiation phase by altering credentials.

4. Possible Vulnerabilities uncovered

During the analysis of the different trust models proposed, we have found several vulnerabilities in them, mostly related to denial of service.

In paper A, if a client node willing to gain access to the network provides more than one type of trust evidence, the system may choose to evaluate them concurrently. Considering the situation where a group of malicious nodes feeds the system with a high number of pieces of trust evidence, this can degrade performance.

Paper B's system relies on peers to obtain the trust value of a new node. No mention is made about how new peers are added to the peer list, and also, if the network is not dense enough, situations may arise where there is no peer within range at a given time. Another important point is that in order to inquire about the new node's trust, a broadcast message is sent over the network. If a group of malicious nodes try to gain access from different locations, this may trigger broadcasts from all peers and risk flooding the network.

Paper C mentions the fact that neighbouring nodes having the same trust value will share the same key. However, it also says that the trust value of a node may change and that the node's key can then be revoked. But since there is the possibility that it was initially sharing that same key with other nodes, their keys will be revoked too and they will have to be re-issued new keys. If this situation occurs frequently, system performance will degrade considerably.
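An added cost model (not code from the report or from paper C) of the shared-key revocation described above, together with a simple confirmation rule a defender could add so that a node whose trust value flaps does not force its whole group to be re-keyed on every evaluation. The neighbourhood, the integer trust levels and the k-consecutive-observations rule are constructed assumptions.

```python
from typing import Dict, List, Tuple

# Constructed neighbourhood: node -> current trust value (discrete levels).
NEIGHBOURHOOD: Dict[str, int] = {
    "n1": 3, "n2": 3, "n3": 3, "n4": 3,
    "n5": 2, "n6": 2,
    "n7": 1, "n8": 1,
}


def shared_key_rekeys(trust: Dict[str, int],
                      changes: List[Tuple[str, int]]) -> Tuple[int, List[int]]:
    """Cost of the scheme as the report describes it: all neighbours with the
    same trust value share one key. When a node's value changes, the key of its
    old group is revoked, so every holder of that key (the mover included) has
    to be issued a new one. Returns (total re-issues, re-issues per change)."""
    trust = dict(trust)
    per_change = []
    for node, new in changes:
        old = trust[node]
        per_change.append(sum(1 for v in trust.values() if v == old))
        trust[node] = new
    return sum(per_change), per_change


def confirm_changes(trust: Dict[str, int],
                    observations: List[Tuple[str, int]], k: int) -> List[Tuple[str, int]]:
    """Mitigation (constructed): only re-group a node once its new trust value
    has been observed k times in a row; k=1 reproduces reacting to every
    evaluation. A flapping node then cannot keep triggering group re-keys."""
    current = dict(trust)
    pending: Dict[str, Tuple[int, int]] = {}  # node -> (candidate value, streak)
    changes = []
    for node, value in observations:
        if value == current.get(node):
            pending.pop(node, None)  # back to the confirmed value: reset streak
            continue
        cand, count = pending.get(node, (value, 0))
        count = count + 1 if cand == value else 1
        if count >= k:
            current[node] = value
            changes.append((node, value))
            pending.pop(node, None)
        else:
            pending[node] = (value, count)
    return changes


FLAPPING = [("n1", v) for v in (2, 3, 2, 3, 2, 3)]  # constructed: n1 oscillates
SUSTAINED = [("n5", 1), ("n5", 1)]                   # constructed: n5 genuinely drops

if __name__ == "__main__":
    naive = confirm_changes(NEIGHBOURHOOD, FLAPPING, 1)
    print("react to every evaluation:", shared_key_rekeys(NEIGHBOURHOOD, naive))
    print("require 2 confirmations:", shared_key_rekeys(NEIGHBOURHOOD, confirm_changes(NEIGHBOURHOOD, FLAPPING, 2)))
    print("sustained drop of n5:", shared_key_rekeys(NEIGHBOURHOOD, confirm_changes(NEIGHBOURHOOD, SUSTAINED, 2)))
```

Six oscillations of one node in a group of four cost 21 key issues when every evaluation is acted on, and none once two consecutive confirmations are required, while a genuine sustained change still goes through.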

Most of the models, except that of paper F, do not give enough importance to dealing with attacks from trusted nodes that can be compromised at a given time while already being inside the system. Ubiquitous botnets [13], whereby trusted devices are remotely manipulated and coordinated to perform attacks over ubiquitous networks, can be a major threat to such systems in the near future. While most access control systems are able to detect single malicious nodes, a coalition of cooperating malicious nodes will be more challenging to detect and isolate. We also think about the possibility of sleeper malicious nodes that gather and record information silently and act maliciously only for short periods, short enough to avoid detection.

5. Conclusion

Having analysed some trust-based access control models with respect to how they tackle the major challenges, we have found that most of these models take into consideration very few of the challenges. They focus mainly on how to evaluate the trust value, and have been tested either through simulations, proofs or in closed environments. While trust evaluation is an important aspect of trust-based access control, the models will not perform appropriately in real-life situations since the major challenges have not been properly addressed. Finally, the trust-based access control models have been found to be vulnerable to a variety of denial of service attacks, possibly becoming victims of ubiquitous botnets.

6. References

[1] M. Weiser, "The Computer for the 21st Century", Scientific American, Sept. 1991.
[2] M. Satyanarayanan, "Pervasive computing: vision and challenges", IEEE Personal Communications, vol. 8, 2001, pp. 10-17.
[3] G. Sampemane, P. Naldurg, and R. Campbell, "Access control for active spaces", Department of Computer Science, University of Illinois at Urbana-Champaign, Sept. 2002.
[4] R. Elaheebocus, "Access Control in Ubiquitous Environments: A Literature Search", School of Electronics and Computer Science, University of Southampton, Nov. 2008.
[5] J. Bardram, "The trouble with login: on usability and computer security in ubiquitous computing", Personal and Ubiquitous Computing, vol. 9, Nov. 2005, pp. 357-367.
[6] R. Thomas and R. Sandhu, "Models, protocols, and architectures for secure pervasive computing: challenges and research directions", Proceedings of the Second IEEE Annual Conference on Pervasive Computing and Communications Workshops, 2004, pp. 164-168.
[7] Daoxi Xiu and Z. Liu, "A Dynamic Trust Model for Pervasive Computing Environments", Fourth Annual Security Conference, Las Vegas, NV, 2005.
[8] P.D. Giang, L.X. Hung, R.A. Shaikh, Y. Zhung, S. Lee, Y. Lee, and H. Lee, "A Trust-Based Approach to Control Privacy Exposure in Ubiquitous Computing Environment", IEEE International Conference on Pervasive Services, Istanbul, Turkey, 2007.
[9] A. Boukerche and Y. Ren, "A trust-based security system for ubiquitous and pervasive computing environments", Computer Communications, in press (corrected proof).
[10] Guo Ya-Jun, Hong Fan, Zhang Qing-Guo, and Li Rong, "An Access Control Model for Ubiquitous Computing Application", 2nd International Conference on Mobile Technology, Applications and Systems, 2005, pp. 1-6.
[11] J. Yang and K.H. Rhee, "Securing Admission Control in Ubiquitous Computing Environment", Networking - ICN 2005, 2005, pp. 972-979.
[12] Haiyun Luo, Jiejun Kong, P. Zerfos, Songwu Lu, and Lixia Zhang, "URSA: ubiquitous and robust access control for mobile ad hoc networks", IEEE/ACM Transactions on Networking, vol. 12, 2004, pp. 1049-1063.
[13] Kwang-Hyun Baek, Sergey Bratus, Sara Sinclair, and Sean W. Smith, "Dumbots: Unexpected Botnets through Networked Embedded Devices", Dartmouth College Computer Science, Technical Report TR2007-591.

7. Bibliography

[14] Computer Science Essays - Ubiquitous Computing: Authentication techniques in ubiquitous computing, http://www.ukessays.com/essays/computer-science/ubiquitous-computing.php. Accessed 24 November 2008.
[15] Varuna Godara, Handbook of Research on Assessment and Management in Pervasive Computing, 2008. ISBN: 1605662208, 9781605662206. Repository: Google Books.
[16] Tim Kindberg, Abigail Sellen, and Erik Geelhoed, "Security and Trust in Mobile Interactions: A Study of Users' Perceptions and Reasoning", in UbiComp 2004: Ubiquitous Computing, 2004, pp. 196-213, http://www.springerlink.com/content/elj3jeqknr7ffbpb.
[17] Anupam Joshi et al., "Security policies and trust in ubiquitous computing", Philosophical Transactions of the Royal Society A: Mathematical, Physical and Engineering Sciences 366, no. 1881 (October 28, 2008): 3769-3780, doi:10.1098/rsta.2008.0142.
[18] C.A. Patterson, R.R. Muntz, and C.M. Pancake, "Challenges in location-aware computing", IEEE Pervasive Computing 2, no. 2 (2003): 80-89.