Policy-Guided Interactions in Ubiquitous Computing Systems A Dissertation Prospectus V. Ramakrishna Advisor: Dr. Peter Reiher Laboratory for Advanced Systems Research Department of Computer Science, UCLA



Proposal

Problem

Safe spontaneous interoperation in ubiquitous computing without pre-established trust relationships or rigid protocols

Solution

A generic and flexible negotiation protocol guided by local policy


Outline

• Problem Introduction
• Proposed Solution
• System Research Issues
• Design Approach
• Research Plan
• Related and Complementary Research


Problem Introduction


Scenario – Web Service

(Diagram: a Web Client sends a Membership Request to a News Service.)

News Service: Your Name, Date of Birth, School, Email? My Privacy Policy: Blah…blah…blah….

Web Client: Why do I need to give up all this info? I have NO TIME to read this list of policies, and I don’t know what they mean!

Web Client (hands over everything): Here’s all my info → Access GRANTED

Web Client (hands over selected info only): Selected info → Access REFUSED

Web Client: Come to think of it, I don’t really need all this stuff he is promising!

Introduction – Solution – Research Issues – System Design – Research Plan – Related Work


Scenario – Conference Room

Visitor’s device (PDA / cell phone):
• Require: Web access, Projector display, Printer.
• Ring during emergency!

Conference room (Internet, projector display, printer), local policy:
• Allow display access only to attendees.
• Allow access to printer only to journal subscribers.
• Privileged access for committee members.
• No sound during presentations!
• Advertise journal!



Scenario – Car on Freeway

Car (Internet, GPS):
• High bandwidth connection for streaming video
• Identity info, credit card

WiMAX base station:
• Provide Internet Connection service.
• Monitor traffic for the city.



Motivations

• Scenarios support limited ways of interaction
• Ubicomp scenarios will have more variations
• Rigid policies not desirable
• Cannot guarantee pre-established security relationships
• Cannot enforce uniform interaction protocols



The Ubiquitous Computing Vision


Computing services everywhere and at any time

– Mark Weiser, 1991


Ubicomp Goals and Characteristics

(Diagram: a Home Network, a Coffee Shop and a Personal Network with location (GPS) and video, all linked through the Internet; sample notifications “No Milk!” and “Grocery Time!”)

Goals
• Physical integration
• Spontaneous interoperation

Characteristics
• Decentralized control
• Heterogeneity
• Ad hoc interactions



Ubicomp Research

Mature research areas
• Seamless mobile networking
• Open systems and interfaces
• Smart space projects; e.g. Intelligent Room, GAIA

Not enough consideration given to
• Bottom-up growth of infrastructure
• Security and privacy issues



Ubicomp Interoperation

(Diagram: Alice’s Home Network and a Coffee Shop device network where Bob’s devices sit, plus a Personal Network with GPS and video, all linked through the Internet; sample interactions “No Milk! Tell Alice.”, “Grocery Time!”, “Connectivity? Location? Where is Bob?”, “Display Device?”)

Nature and Purpose
• Discovery of external services
• Resource usage and access
• Intertwined processes of discovery and access control


Barriers to Interoperation

Concerns
• Security and privacy
• Dynamism and context changes

Roadblocks
• Middleware and security frameworks do not scale
• Cannot force particular architectures or security preferences as standards
• Cannot guarantee pre-established security relationships


Problems and Challenges

Hard problems
• Match service demands to local resources within policy constraints and context
• Reach flexible agreements in an automated fashion

Challenges in a ubicomp environment
• Heterogeneous devices and communication features
• Diversity in resources possessed and exported
• Diversity in capabilities, desires and security policies
• Huge number of contexts and context-sensitive constraints that cannot be anticipated in advance



In Ubicomp Environments …

• Every device and every domain will not support every service or protocol
• All pairs of computing entities will not be compatible



Drawbacks in Existing Approaches

Based on rigid and static policies
• Cannot resolve all conflicts
• Falls short of autonomic computing

Inadequate security and access control models
• Scalability and flexibility issues
• Lack of support for non-identity based trust relationships



Proposed Solution


Service or application layer agreements
• Based on policy
• Through a process of negotiation



Platform and Assumptions

(Layer diagram: every device runs a PHYSICAL, MAC and TCP/IP stack; on top of the Internet / World Wide Web sits the Semantic Web (RDF/XML), and the NEGOTIATION layer sits between the Semantic Web and the APPLICATIONS.)


Policy-Based Management

• Policy describes state and desired behavior
• Governs all actions within bounded domains
• Wide expressive power
• Guides the following system aspects
  • Resource management
  • Security and access control
  • Context awareness

Interactions between domains
• Discovery and access are the constants
• Policy is the only domain dependent variable



Thesis Summary

Enable negotiation-driven interaction without:
• Pre-established trust relationships
• Common set of service access protocols

The negotiation protocol:
• Guided by local policy that constrains use and export of services
• Relies on common resource semantics



Why Policy?

Minimum necessary for interaction and agreement

Why not specialized applications?
• Difficult to make changes and to control
• Cannot anticipate all requirements and contexts
• Inter-modular dependencies difficult to handle



Interaction through Negotiation

• Bidirectional stateful protocol
• Strategic messaging
• Constant re-evaluation of goals
• Meta-policies and heuristics designed to reach an agreement or compromise

A decentralized process of policy resolution and conflict management



Negotiation model

(Diagram: two domains D1 and D2, each with its own resources (R1, R2), applications (S1, S2) and policies (P1, P2); query Q1 from D1 asks for R2, and query Q2 from D2 asks for R1. Legend: Resources, Applications, Policies.)


Scenario – Conference Room (with negotiation)

Visitor’s device (PDA / cell phone):
• Require: Web access, Projector display, Printer.
• Ring during emergency!

Conference room (Internet, projector display, printer), local policy:
• Allow display access only to attendees.
• Allow access to printer only to journal subscribers.
• Privileged access for committee members.
• No sound during presentations!
• Advertise journal!

Negotiation exchange (message order as read from the diagram):
1. Device: REQUEST: Display; Web Access; Printer
2. Room: PROOF: Committee Member (proof required for privileged access)
3. Device: Sorry! I am just a Student Attendee
4. Room: PERMISSION: Projector display, web access. OFFER: Journal membership for privileged access. POLICY: No sounds permitted!
5. Device: OK. I have ACM membership, as a UCLA student
6. Room: OFFER: Privileged access


Research Contributions

• Interoperation approached top-down
• General purpose negotiation framework
• Context-sensitive access control
• Verification of security properties
• Non-intrusive and autonomic
• Enhances Panoply ubicomp middleware



System Research Issues


Protocol Structure

Flexibility
• Independent of application and domain characteristics
• Identify a tight set of common objects and operations
• Only task for users – write high level policies

Extensibility

Strike a useful balance by experimenting with characteristic applications



Policy Language and Reasoning Engine

An expressive policy language
• Must be based on logic
  • Support declarative cross-domain semantics
  • Supports formal reasoning
• Must manage conflicts and maintain consistency
• Support efficient indexing and retrieval



Candidate Logical Framework

First order logic
• Ontology includes objects and relationships
• Augment with deontic concepts
• Can be augmented (or restricted) to deal with contextual and trust parameters
• Reasoning framework and querying algorithms



Security Aspects

Key research aspects
• Security benefits to ubicomp
• Secure negotiation protocol from compromise

Security benefits
• Concerns proper use of security mechanisms rather than proposing new ones
• Promotes a paradigm that ensures safety is taken into consideration before interaction
• Allows static and dynamic detection of security conflicts

Protocol security
• Cryptographic mechanisms, SSL, TLS
• Can the nature of the protocol itself be used to compromise security?



Trust and Access Control

Access control framework targets
• Scalability and flexibility
• Based on a general notion of trust

Trust model
• Based on identity, provable relationships, properties and actions
• Domain and application independent
• Provides heuristics to compare among choices and make negotiation decisions

Negotiation is a way of doing fine-grained, dynamic and context-sensitive access control

Can be used to build webs of trust



Negotiation Strategies and Heuristics

Negotiation protocol
• Series of messaging rounds
• Directed towards a perceived goal
• Strategies to choose among various options
  • Eager and lazy: two extreme ends

Heuristics as decision-making aid
• Compute and re-evaluate goals
• Must work within policy constraints extrapolated to the current context
• Use trust and utility functions



Theoretical Aspects

• Correctness
• Completeness
• Optimality



System Design Issues

• Resource management, interfaces and access mechanisms
• Context awareness
• Performance
• Fault tolerance and reliability
• Working with low capability devices and networks
• Negotiation with legacy devices and software



Design, Implementation and Evaluation


Panoply Ubicomp Infrastructure

• Middleware for ubiquitous computing
• Building and management of device communities (spheres of influence)

Spheres of influence
• Boundaries around sets of devices and resources
• Criteria could be geography (physical location, common LAN), tasks, social group
• Scopes policy, which guides interactions
• Communication based on an event model



Panoply Architecture

(Block diagram: APPLICATIONS run on top of the PANOPLY MIDDLEWARE, which contains the SPHERE MANAGER and the POLICY MANAGER, above the OPERATING SYSTEM and the NETWORK. The legend marks each block as My Research, Associated Research or External Components.)



Policy Manager - Functional View

(Block diagram of the policy manager’s components, as labelled on the slide:)
• Messaging Interface (to other system components and remote computers): Message Multiplexer/De-multiplexer, Event Listener
• FRONT END: Protocol State Machine, Semantic Interpretation of Messages
• CONTROLLER: Heuristics/Metrics, Security/Trust Model
• POLICY ENGINE: Knowledge engineering mechanisms (Forward Chaining, Backward Chaining, Conflict Resolution, etc.), backed by the Policy Database



Negotiation Protocol

Minimal number of message types
• Requests
• Offers
• Policies

Protocol state machine
• Based on message types
• Independent of message content
• Content interpreted by lower layers



Policy Model

Prolog used for writing policies
• Subset of first order logic
• Declarative syntax
• Fast algorithms for logical reasoning

State information and rules written as predicates
• Designated predicates for high-level understanding
• External functions (Java) for non-logical tasks

Develop richer ontology



Current Negotiation Model

Security model
• Permit actions or accesses in a conservative manner

Negotiation goals and strategies
• Fixed goals and alternatives
• Fixed strategy, based on satisfaction of relevant policies
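As an added illustration (not code from the deck or from Panoply), the Python sketch below plays out the conference-room negotiation using only the three message types of the Negotiation Protocol slide, a state machine that keys on message kind alone, the predicate-style policy rules of the Policy Model slide, and the conservative grant-only-what-policy-permits rule of the Current Negotiation Model. The room’s policy rules, the credential names and the device’s eager acceptance strategy are assumed values chosen to match the scenario.

```python
"""Toy policy-guided negotiation for the deck's conference-room scenario (constructed
example, not Panoply code): predicate-like policy rules stand in for Prolog, the protocol
carries only REQUEST/OFFER/POLICY messages, and the state machine keys on message kind."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Message:
    kind: str       # "REQUEST" | "OFFER" | "POLICY"
    payload: tuple  # content: opaque to the state machine, interpreted by the policy side

# Protocol state machine: (state, message kind) -> next state; anything else aborts.
TRANSITIONS = {("IDLE", "REQUEST"): "OPEN", ("OPEN", "REQUEST"): "OPEN",
               ("OPEN", "OFFER"): "OPEN", ("OPEN", "POLICY"): "OPEN"}

def step(state, msg):
    """Advance the protocol state; a kind not allowed in this state fails the session."""
    return TRANSITIONS.get((state, msg.kind), "FAILED")

# Room-side policy (assumed values): resource -> credentials, any one of which suffices.
ROOM_POLICY = {"display": {"attendee"}, "web_access": {"attendee"},
               "printer": {"journal_subscriber"},
               "privileged_access": {"committee_member", "journal_subscriber"}}
# Alternatives the room may offer: credential it can grant -> credentials it wants (all of them).
ROOM_ALTERNATIVES = {"journal_subscriber": {"acm_member", "ucla_student"}}
ROOM_CONSTRAINTS = ("no_sound_during_presentations",)

def permits(policy, resource, credentials):
    """Conservative check: grant only if some rule for the resource is satisfied; unknown -> deny."""
    return bool(policy.get(resource, set()) & credentials)

class Room:
    """Sphere side: answers a REQUEST with an OFFER (permitted resources plus alternatives) and its POLICY."""
    def __init__(self, policy, alternatives, constraints):
        self.policy, self.alternatives, self.constraints = policy, alternatives, constraints

    def respond(self, msg):
        resources, creds = msg.payload
        creds = set(creds)
        granted = tuple(r for r in resources if permits(self.policy, r, creds))
        offers = set()
        for r in resources:
            if r not in granted:  # denied: offer a credential that unlocks it, if the requester qualifies
                for needed in self.policy.get(r, ()):
                    if needed in self.alternatives and self.alternatives[needed] <= creds:
                        offers.add(needed)
        return [Message("OFFER", (granted, tuple(sorted(offers)))), Message("POLICY", self.constraints)]

class Device:
    """Visitor side: fixed goals, eager strategy (accept any alternative that advances a goal)."""
    def __init__(self, goals, credentials):
        self.goals, self.credentials = tuple(goals), set(credentials)
        self.have, self.accepted_constraints = set(), set()

    def opening_request(self):
        return Message("REQUEST", (self.goals, tuple(sorted(self.credentials))))

    def handle(self, msg):
        """Absorb an OFFER or POLICY; return a follow-up REQUEST only if new credentials were gained."""
        if msg.kind == "POLICY":
            self.accepted_constraints |= set(msg.payload)
            return None
        granted, offered_creds = msg.payload
        self.have |= set(granted)
        new_creds = set(offered_creds) - self.credentials
        missing = tuple(g for g in self.goals if g not in self.have)
        if not new_creds or not missing:
            return None
        self.credentials |= new_creds
        return Message("REQUEST", (missing, tuple(sorted(self.credentials))))

def negotiate(device, room, max_rounds=4):
    """Run request/offer rounds; returns (final state, resources obtained, transcript)."""
    state, transcript, pending = "IDLE", [], device.opening_request()
    for _ in range(max_rounds):
        if pending is None or state == "FAILED":
            break
        transcript.append(("device", pending))
        state, pending = step(state, pending), None
        for reply in room.respond(transcript[-1][1]):
            transcript.append(("room", reply))
            state = step(state, reply)
            pending = device.handle(reply) or pending
    if state == "OPEN":
        state = "AGREED" if pending is None else "FAILED"
    return state, frozenset(device.have), transcript

def run_scenario(credentials, goals=("display", "web_access", "printer")):
    """One visitor device against the room defined above."""
    return negotiate(Device(goals, credentials), Room(ROOM_POLICY, ROOM_ALTERNATIVES, ROOM_CONSTRAINTS))
```

A plain student attendee ends with display and web access but no printer (a compromise, not a failure); a student who also holds ACM membership is offered the journal subscription in round one and obtains the printer in round two.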



Future Models

Trust model
• Use advanced RBAC mechanisms
• Trust levels for comparison of alternatives

Negotiation strategy
• Heuristics that allow risk-benefit analysis
• Use game-theoretic notions
• Utility model that can infer and compare utilities of objects and actions



Implementation

Policy Manager
• Implemented in Java
• Policy Engine based on SWI-Prolog

Description of entities, resources and properties
• XML and RDF

Security mechanisms
• X.509 certificates
• Panoply vouchers



Current Status

Basic policy manager implemented
• Front end
  • Implements protocol state machine
  • Supports multiple threads
• Policy engine
  • Query the policy database
  • Add, remove and replace statements
• Controller
  • Adopts simple, cautious negotiation strategy
  • Requests, offers and checks for alternatives

Integrated within a Panoply sphere
• Uses events for negotiation and to obtain and update state information

Principal task performed: Negotiate for membership within a sphere



Research Plan


Basic Policy Manager and Evaluation

Experiment with policy manager within the Panoply context
• Performance evaluations
  • Overhead measurements
  • Scalability
• Explore benefits through applications
  • Location sensitive interactive fiction
  • LACMA gallery experience



Modeling Issues

• Policy Language and Reasoning Engine
• Trust Model
• Resource Utility Model
• Negotiation Strategy and Heuristics



Complete Policy Manager

Incorporate models into negotiation heuristics
• Enhance controller with strategic decision making capability

Augment spheres by adding
• Resources and services
• Context sensors



Analysis and evaluation

Generate real ubicomp scenarios

Theoretical Analysis
• Correctness and completeness
• Efficacy of strategies

Performance Evaluations
• Overhead measurements
• Scalability with respect to
  • Policy database size
  • Multi-session load



Evaluation of Success

Success of strategies and heuristics
• Compare initial set of requirements or desires with the final result
• Compare final result with optimal result

Security benefits
• Amount of risk taken, or compromises made



Dissertation Timeline

Milestone                                   Completion Date
Basic Policy Manager                        July 2005
Evaluation of Basic Policy Manager          November 2005
Policy Language Enhancements                December 2005
Security, Trust and Utility Models          March 2006
Generalized Policy Manager                  May 2006
Evaluation of Generalized Policy Manager    August 2006
Optimizations                               October 2006
Writing Dissertation                        March 2007



Related and Complementary Research


Research Areas

• Negotiation Protocols
• Policy Languages
• Ubiquitous Interoperation Middleware
• Access Control and Trust



Protocols and Languages

Negotiation protocols
• Automated trust negotiation
  • Goal: client-server transactions on the web
  • Conflicts result in failure
  • TrustBuilder [BYU, UIUC], PeerTrust
• Service level negotiations in grid computing
  • SNAP [ISI]

Policy languages
• Rei pervasive computing language
  • Cross-application semantics
  • Deontic concepts
• Trust negotiation languages – PSPL, Keynote
• XML-based web access control – XACML, TPL [IBM]
• Semantic web ontology – DAML+OIL, OWL, SOUPA



Service Discovery and Access Control Frameworks

Middleware for open systems
• Ubicomp active space middleware – Hyperglue [MIT], Cerberus [UIUC]
• Service discovery – JINI, UPnP
  • Limited security features

Access Control
• Advanced Role-Based Access Control Models
  • Generalized RBAC
  • Dynamic RBAC

Trust frameworks
• SECURE project
  • Dynamic notion of trust
  • Trust evolution based on interaction history
• Reputation frameworks



Conclusion

• Existing means of interoperation are too rigid and unsuitable for ubicomp
• Identify flexible policy as the minimum requirement
• Negotiation can be automated using logic-based policy, trust and utility models
• Applications can rely on the underlying system to discover and access external resources with minimal risk and adjusting with context
• Promote a security-oriented approach towards the design of intelligent spaces


Thank You

Relevant publications:

Kevin Eustice, Leonard Kleinrock, Shane Markstrum, Gerald Popek, V. Ramakrishna and Peter Reiher, “Enabling Secure Ubiquitous Interactions,” In the proceedings of the 1st International Workshop on Middleware for Pervasive and Ad-Hoc Computing (in conjunction with Middleware 2003), 17th June 2003 in Rio de Janeiro, Brazil.

K. Eustice, L. Kleinrock, S. Markstrum, G. Popek, V. Ramakrishna and P. Reiher, "Securing WiFi Nomads: The Case for Quarantine, Examination, and Decontamination," Proceedings of the New Security Paradigms Workshop (NSPW), 2003.



Security Aspects

Key research aspects
• What security benefits does a negotiation protocol provide to a system offering ubiquitous services?
• How do we secure the negotiation protocol itself from being compromised?

Security benefits
• Concerns proper use of security mechanisms rather than proposing new ones
• Promotes a paradigm that ensures safety is taken into consideration before interaction
• Allows static and dynamic detection of security conflicts

Protocol security
• Cryptographic mechanisms, SSL, TLS
• Can the nature of the protocol itself be used to compromise security?



Research Issues

• Policy Expression and Reasoning
• Security and Trust Model
• Negotiation Heuristics and Strategies
• Theoretical Issues
• Systems Issues
  • Protocol flexibility and extensibility
  • Performance
  • Fault tolerance and reliability



Thesis Proposal

A generic and flexible negotiation protocol guided by local policy through which devices and domains in ubicomp can interoperate spontaneously


Outline

First slide – one-line summary of the problem I am tackling
Ubicomp vision
• What has been done
• How it has been done
• What is missing, or what needs to be seriously improved; i.e., motivation
My approach at a very high level, with the assumptions I make about the world
Everything about policy
• How policy is useful in ubicomp situations
• Domain-oriented view of the world
• Different categories of policies
• Potential for conflicts with a large number of policies, and the need for expressiveness, domain-independence, well-defined semantics and reasoning mechanisms
Negotiation as a model for interactions
Examples:
• Starbucks: current (simple model); then, with negotiation
• Another example: maybe the home video example
List of benefits/research contributions
Research issues
Current design and implementation status
Research plan and timeline
Conclusion

Page 64

Scenario (figure): Bob's PDA, DHCP protocol


Page 65

Scenario (figure)

Bob's PDA → Network
• REQUEST: Join network
• REQUEST: High-bandwidth connection
• REQUEST: Printer access

Network → Bob's PDA
• DEMAND: Email address
• DEMAND: Accept pop-ups

Outcome
• (YES): Join network, get requested services
• (NO): No connectivity


Page 66

Ubicomp Interoperation

Nature and purpose of interoperation
• Discovery of external services
• Access and usage of resources and data
• Service discovery and access control are intertwined

Typical interactions
• Mobile devices and wireless networks
• Direct communication between two devices


Page 67

Assumptions

Common networking capability
Common understanding of objects at the application layer
• Leverage Semantic Web research
• Common syntax, or annotations, using XML


Page 68

Negotiation Model

Initial state
• Each entity has a set of resources, policies and initial requirements

Communication protocol
• Exchange of messages that results in maximal satisfaction of requirements, as constrained by the policies
• Messages include requests, offers and policy rules
• Bi-directional protocol (after the initial message)
• Stateful protocol

Page 69

Scenario (figure)

Bob's PDA → Network: Join network, need 'x' bandwidth
Network → Bob's PDA: Offer 'y' < 'x', OR ask for private info (email)
Bob's PDA → Network: Certificates? Privacy policy?
Network → Bob's PDA: Certificates, privacy policy, Preferred Member incentive
Bob's PDA → Network: Private info
Network → Bob's PDA: Join permission (network configuration info), proxy info, Preferred Member voucher


Page 70

My Research (figure): positioned among Programming Languages, Artificial Intelligence and Operating Systems


Page 71

More Issues

Systems issues
• Performance (fast retrieval, fast path)

• Resource description and management

• Fault tolerance and reliability

• Scale to multi-party negotiation

• Context awareness

Page 72

Beyond 2-party Negotiation

Multi-session negotiation
• 1-to-n negotiation
• Handle dependencies among multiple sessions
• Scalability issues

Multi-party negotiation
• n-to-n negotiation
• Similar dependency issues
• Additional distributed systems problems

Page 73

Negotiation Protocol State Machine (figure)

States: START, INITIATE, EXPECT, PROCESS, SERVICE, STOP

Transition labels:
• Trigger/event to start negotiation
• Send REQUEST(S)
• Receive REQUEST(S)
• Send REQUEST(S) / OFFER(S) / POLICIES
• Receive OFFER(S) / POLICIES
• Receive TERMINATE signal / TIMEOUT
• Send TERMINATE signal
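The negotiation model, the Bob's-PDA scenario and the state machine above can be exercised end to end. What follows is an added example, not code from the prospectus or its Java/SWI-Prolog prototype, and written in Python. The resource names (join, bandwidth_x, printer, email, certificate, privacy_policy), the encoding of each party's policy as a map from resource to the preconditions the peer must supply first, the fixed round limit, and treating a resource absent from the policy as never released are all assumptions made for illustration. The alternative offer ('y' < 'x') from the scenario is not modelled. A session ends in SUCCESS, in NO_PROGRESS when a full round changes nothing on either side, or in TIMEOUT at the round limit, after which a TERMINATE signal moves both machines to STOP.

```python
# Added example, not the prospectus's code: Python stands in for the Java/SWI-Prolog
# prototype; resource names, policy rules and the round limit are assumptions.
from dataclasses import dataclass, field

REQUEST, OFFER, POLICY, TERMINATE = "REQUEST", "OFFER", "POLICY", "TERMINATE"

@dataclass
class Message:
    kind: str
    items: tuple = ()   # resource names, or (resource, precondition) rule pairs for POLICY

@dataclass
class Party:
    name: str
    policy: dict   # resource -> preconditions the peer must supply first; absent = never released
    wants: set                                  # initial requirements
    received: set = field(default_factory=set)  # offered to me by the peer
    granted: set = field(default_factory=set)   # released by me to the peer
    demands: set = field(default_factory=set)   # asked of me by the peer
    state: str = "START"

    def needed(self) -> set:
        """Wants plus what my own policy requires before releasing what the peer demanded."""
        return self.wants | {p for r in self.demands if r in self.policy for p in self.policy[r]}

    def releasable(self) -> set:
        """Demanded resources whose preconditions the peer has now met."""
        return {r for r in self.demands
                if r in self.policy and self.policy[r] <= self.received} - self.granted

    def satisfied(self) -> bool:
        return self.wants <= self.received

    def handle(self, inbox: list) -> list:
        """One PROCESS step: absorb the peer's messages, emit offers, counter-requests, rules."""
        out = []
        for m in inbox:
            if m.kind == TERMINATE:
                self.state = "STOP"
                return out
            if m.kind == REQUEST:
                self.demands |= set(m.items)
            elif m.kind == OFFER:
                self.received |= set(m.items)
            elif m.kind == POLICY:   # peer rule "res needs pre": pre becomes a demand if I want res
                self.demands |= {pre for res, pre in m.items if res in self.needed()}
        self.state = "PROCESS"
        grant = self.releasable()
        if grant:
            self.granted |= grant
            out.append(Message(OFFER, tuple(sorted(grant))))
        missing = self.needed() - self.received
        if missing:
            out.append(Message(REQUEST, tuple(sorted(missing))))
        # disclose only the rules for items the peer asked for and I cannot release yet
        blocked = {r for r in self.demands if r in self.policy} - self.granted
        rules = tuple(sorted((r, p) for r in blocked for p in self.policy[r] - self.received))
        if rules:
            out.append(Message(POLICY, rules))
        return out

def snapshot(*parties) -> tuple:
    return tuple((frozenset(p.received), frozenset(p.demands), frozenset(p.granted)) for p in parties)

def negotiate(initiator: Party, responder: Party, max_rounds: int = 8) -> tuple:
    """Drive both state machines until SUCCESS, NO_PROGRESS or TIMEOUT; returns (outcome, log)."""
    initiator.state, responder.state = "INITIATE", "EXPECT"
    to_resp = [Message(REQUEST, tuple(sorted(initiator.wants)))]   # trigger: send REQUEST(S)
    log = [(initiator.name, m) for m in to_resp]
    outcome = "TIMEOUT"   # the round limit is the state machine's TIMEOUT
    for _ in range(max_rounds):
        before = snapshot(initiator, responder)
        to_init = responder.handle(to_resp)
        log += [(responder.name, m) for m in to_init]
        to_resp = initiator.handle(to_init)
        log += [(initiator.name, m) for m in to_resp]
        if initiator.satisfied() and responder.satisfied():
            outcome = "SUCCESS"
            break
        if snapshot(initiator, responder) == before:   # nobody moved: no progress possible
            outcome = "NO_PROGRESS"
            break
    for p in (initiator, responder):   # TERMINATE moves both machines to STOP
        p.handle([Message(TERMINATE)])
    return outcome, log

def run_scenario(release_private_info: bool = True) -> tuple:
    """Constructed scenario: Bob's PDA wants to join, get high bandwidth and use the printer."""
    pda = Party("Bob's PDA", wants={"join", "bandwidth_x", "printer"},
                # Bob hands over his e-mail only after seeing a certificate and a privacy policy
                policy={"email": {"certificate", "privacy_policy"}} if release_private_info else {})
    net = Party("Network", wants=set(),
                # joining, certificate and privacy policy are free; bandwidth and printer cost an e-mail
                policy={"join": set(), "certificate": set(), "privacy_policy": set(),
                        "bandwidth_x": {"email"}, "printer": {"email"}})
    outcome, log = negotiate(pda, net)
    return outcome, pda, net, log

if __name__ == "__main__":
    outcome, pda, net, log = run_scenario()
    for sender, m in log:
        print(f"{sender:>9} {m.kind:<9} {m.items}")
    print(outcome, sorted(pda.received))
```

Run as a script it prints the transcript: the network releases join at once and discloses that bandwidth and the printer require an e-mail; Bob answers with a counter-demand for a certificate and privacy policy; the network supplies them, receives the e-mail and releases the rest, so the session succeeds in three rounds. With release_private_info=False Bob's policy has no rule for email, the second round changes nothing on either side and the outcome is NO_PROGRESS with only the unconditional join granted. Two points bear on whether the protocol itself can be turned against a party: a POLICY message carries only the rules for items the peer has actually requested, so a peer learns a rule only by asking for the resource it governs, and the round limit bounds a peer that keeps answering with fresh demands.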

Page 74

Implementation

Policy manager implemented in Java
Prolog used for writing policies
• Subset of first-order logic
• Declarative syntax
• Fast algorithms for logical reasoning
Policy engine based on SWI-Prolog
• Java-Prolog and Prolog-Java APIs
• Open source
• Meta-predicates


Page 75

Implementation (continued)

Description of entities, resources, properties
• XML and RDF
Trust and access control models
• Advanced RBAC models
Negotiation goals and strategies
• Fixed goals and alternatives
• Fixed strategy, based on satisfaction of relevant policies


Page 76

Current Status

Minimal policy manager almost done
• Negotiation protocol state machine
• Policy engine mechanisms to run queries and return state and policy info
• Controller negotiates by sending requests and counter-requests until success, or until no progress is possible

Next step – testing with Panoply spheres

Page 77

System Optimizations and Enhancements

Design modifications and enhancements based on observed performance
• Fast path for quick decision making
• Emphasis on a strategy that guarantees results in real time

Multi-session negotiation
• Investigate inter-thread dependencies
• Investigate scaling properties of the reasoning algorithms currently used

Page 78

Related Work

Automated trust negotiation
• Sequence of credential exchanges that results in access being granted or rejected for a resource
• Meant for web transactions, not for dynamic environments like ubicomp

Policy languages
• Mostly application-specific
• Rei – targeted at pervasive computing

Access control models
• Certificates/delegations
• Generalized RBAC

Page 79

Negotiation Protocols

Automated trust negotiation
• Goal: client-server transactions on the web
• Builds up a proof of access through progressive exchange of credentials
• Conflicts result in failure
• Examples: TrustBuilder [BYU, UIUC], PeerTrust

Service negotiation in grid computing
• A decentralized framework for dynamic resource allocation
• Typically neglects security concerns
• Example: SNAP [ISI]


Page 80

Policy Languages

Rei policy language
• Specially targeted at pervasive computing and the semantic web
• Defined cross-application semantics
• Incorporates deontic concepts like obligations and permissions

Trust negotiation languages
• Portfolio and Service Protection Language (PSPL)
• KeyNote

Languages for access control on the web (XML-based)
• Limited in expressiveness and support for negotiation
• Examples: XACML, IBM's TPL

Ontologies for the semantic web
• DAML+OIL, OWL, SOUPA


Page 81

Ubiquitous Middleware

Active space projects
• Examples: Hyperglue, Cerberus, Centaurus 2
• Generally manage resources and are context-sensitive
• Limited security and access control features

Service discovery frameworks
• Examples: Jini, UPnP
• Emphasis on open interfaces and easy interoperation rather than security


Page 82

Access Control and Trust

ACLs and capabilities
• Not scalable or usable in dynamic conditions

Role-based access control
• Not very flexible
• Generalized RBAC (GRBAC)
• Dynamic RBAC (dRBAC)

Trust
• Fairly well-accepted concept in ubicomp
• PolicyMaker: credentials tied to permissions rather than identity
• SECURE project: dynamic notion of trust; trust evolution based on interaction history
• Reputation frameworks


Page 83

Conclusion

Spontaneous ubiquitous interoperation poses many challenges
• Mechanisms exist, but no frameworks

Flexible process of reaching agreements through negotiation
• Policy management is the core
• Trust and utility models

Existing research
• Fails to address the problem in its entirety, or
• Produces domain-specific solutions