Vehicles participating in the vehicular service infrastructure (Figure 1) are equipped with an embedded microprocessor with a display interface, a GPS receiver, a class 1 Bluetooth sensor node, and an onboard diagnostics (ODI) interface. Some vehicles may have alternative wireless network connectivity support based on an on-board cellular communication device. The ODI is used to acquire a small set of data

[Figure labels: King St., Workplace; legend: Traffic direction, Wireless station, Building, Bluetooth Connection, Vehicle]
B. Invisibility

One of the key motivators of pervasive environments advocated by Langheinrich [6] is the invisibility issue. Providing a high degree of invisibility is extremely important [5]. After all, the automation of daily activities is one of the aims of pervasive computing technology. Therefore it is ideal to provide entirely human-free interactions [7]. Complete disappearance of pervasive computing technology should be considered in access control applications. An access control mechanism [8] must work with minimal active participation from the user. Determining access rights correctly requires the consideration of a complex set of drivers representing relationships between entities and the current context governing those entities. Hence, to authorize access to a service, it is necessary to gather sufficient and different credentials of the user. The framework should hide the existence of real interactions, which will also result in less user distraction.

C. Critical Events

Most existing access control mechanisms do not take critical events [9] into consideration. Examples are Role-Based [10], Time-Based [11], Location-Based [12], Proximity-Based [13], Task-Based [14], Team-Based [15], Attribute-Based [16], Token-Based [17] and Context-Aware Role-Based [18]. In general, all systems have two modes: normal and abnormal. Critical events occur when a system is in an abnormal state, and service requirements may then change radically. In a pervasive environment covering, e.g., a small city, standard access control policies may prevent, e.g., fire brigades from accessing certain buildings which are on fire. For example, fire brigades brought in from neighboring cities in response to a fire disaster may not automatically be granted access to buildings in the smart city.

A pervasive computing system needs to be able to observe its environment continually and to take corrective measures in case of environmental changes which can cause the system to enter an abnormal state. Such an environmental change is known as a critical event. Once a critical event has been detected, the system should take immediate action (as soon as the criticality is detected) to control its effects.

D. Privacy/Anonymity/Client-side Restriction

The more a system knows about the users and the application environment, the more it can provide fine-grained access control to protected resources. But this also implies an increase in the risk of compromising the users' privacy. An example is location privacy [19]. Location information of users captured by sensors on an ongoing basis generates an enormous amount of potentially sensitive information. Privacy of location information is about controlling access to this information. This cannot be stopped because some applications use this information to provide useful services, but it should be kept under control. One way for an access control system to ensure privacy protection is by frequently changing pseudonyms or by generating multiple digital identities, so that users cannot be identified by the locations they visited but at the same time can fully enjoy a service that requires their location information.

E. Overall Performance

An access control system should be fast and consume a minimal amount of resources. The flow of data in the system must not be complex, and the overheads associated with it must be minimized. For example, if the access control system is able to collect sufficient credentials about its users without putting their privacy at stake, this will result in a reduction of the overheads associated with the repeated exchange of information at different authentication points.

F. Autonomous behaviour

The model needs to be able to monitor the users' interaction patterns to enable it to auto-correct future access control errors or enhance the services list, by using knowledge gained from previous interactions. That is, it should be self-healing.

TABLE I. ANALYZING ROLE AND IMPACT OF REQUIREMENTS

Requirements: Role and impact on an access control model

Flexibility in the definition of access policies:
- The model should define a basic/generic access control policy and later be able to customize it for specific scenarios.
- The model should be simple to ease the management of the different tasks and maintenance of the security specifications.
- It must be flexible enough to add new, remove and/or modify existing security constraints.
- Usage of contextual information to further enhance the flexibility of the model.

Invisibility:
- The model must be able to gather sufficient credentials to authenticate a user but at the same time hide the interactions between the user and the system.

Critical events:
- The model must have a component that will be responsible for continuously monitoring the system in case a critical event occurs.
- The model should be able to change policies in response to a critical event.
- Changes in policies should not affect the normal working of the system.

Privacy/Anonymity/Client-side restriction:
- Configuration of privacy access control policies.
- Management of privacy requirements of the owner of the information, that of the collector and possible privacy laws.
- Privacy rules must be attached to the data during their movement in the system among different parties.
- Consumers of the data must manage the data only by following the privacy rules.
- The model should allow users to specify their own restrictions when their information is accessed by a third party.

Overall performance:
- The system must not be resource greedy, must minimize overheads and must follow a simple design.

Autonomous behavior:
- The model needs to be able to monitor the users' interaction patterns to enable it to auto-correct errors by using knowledge gained from previous interactions, that is, it should be self-healing.

discussed in Section II. We proceed with the detailed description of the different components of the architecture.
the-middle attacks and at the same time can fully enjoy a service that requires their location information.

The Pattern Identifier (PI) identifies patterns in the users' interaction behavior so as to enhance the services retrieval list and reduce processing time. It uses information stored in the UI repository. This component ensures the autonomous characteristic of the access control model.

The Access Control Engine (ACE) uses location information, time, user information and policies to decide whether to grant or revoke access to services.

The Authorization Manager (AM) receives different access requests for different services. It passes the requests to the ACE. Based on the response obtained from the ACE and the Critical Unit (CU), the AM decides whether access should be granted or not.

In the case of critical events as described in Section II (C), the Critical Unit can largely influence the access control decision made by the AM, thus overriding policies if necessary.

5. Authorization: Firstly, the AM puts all service names and their corresponding ids, extracted from the accept stack list, in an authorized service list. Secondly, it will listen for input from the CU in case of critical events. If there are no critical events, the input parameter supplied by the CU to the AM is NULL. Otherwise, a critical list comprising serviceIDs is supplied and this is compared with the reject stack list. Each serviceID that matches is quickly added to the authorized service list together with the corresponding serviceName attribute. This process is looped until the critical list is empty. Once the latter is empty, the authorized service list is assumed to be complete and is thus sent to the concerned vehicle.

There is some additional processing that is performed. In stage 3, when a request is sent to the UM for additional information, the latter invokes the PI with userID as parameter to identify behavioural patterns of the concerned user. An example of a typical data set is shown in Figure 3 below.
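Stage 5 (Authorization) as described above, written out as an added Python sketch; it is not code from the paper. The function and field names, the sample services, and the `overrides`/`ignored` audit lists are assumptions made here: the paper only specifies that critical serviceIDs matching the reject stack list are added to the authorized service list.

```python
from dataclasses import dataclass, field

# Constructed sample data (not from the paper): (serviceID, serviceName) pairs.
ACCEPT_STACK = [(1, "traffic_info"), (2, "parking_lookup")]
REJECT_STACK = [(7, "emergency_lane_routing"), (9, "building_access")]


@dataclass
class AuthorizationResult:
    authorized: dict                                # serviceID -> serviceName
    overrides: list = field(default_factory=list)   # granted via critical event
    ignored: list = field(default_factory=list)     # critical IDs in neither list


def authorize(accept_stack, reject_stack, critical_list=None):
    """Stage 5: build the authorized service list for one request.

    critical_list is the CU input: None (NULL) in normal mode, otherwise
    the serviceIDs that the critical event requires.
    """
    # Firstly: every accepted service goes into the authorized service list.
    authorized = dict(accept_stack)
    rejected = dict(reject_stack)
    result = AuthorizationResult(authorized)

    # Secondly: consume the critical list until it is empty.
    pending = list(critical_list or [])
    while pending:
        sid = pending.pop(0)
        if sid in authorized:
            continue                         # duplicate or already granted
        if sid in rejected:
            authorized[sid] = rejected[sid]  # CU overrides the rejection
            result.overrides.append(sid)     # assumption: keep an audit trail
        else:
            result.ignored.append(sid)       # assumption: unknown ID, fail closed
    return result


if __name__ == "__main__":
    normal = authorize(ACCEPT_STACK, REJECT_STACK)
    critical = authorize(ACCEPT_STACK, REJECT_STACK, [9, 9, 42])
    print(sorted(normal.authorized), normal.overrides)
    print(sorted(critical.authorized), critical.overrides, critical.ignored)
```

Recording which grants came from the CU rather than from policy lets an operator review every override after the critical event has ended.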
reviewed propose access control for pervasive environments, but most of them do not take the extensive context requirements of the user and the system into account in a satisfying way, though this must be central in pervasive environments. These models do not address some pervasive-related issues. The originality of our analysis lies in the specification possibilities it offers to define access control requirements precisely and to easily secure policies useful in a vehicular mobile pervasive environment, thanks to a strong theoretical background. We then present an access control architecture that satisfies the requirements identified and furthermore describe the access control process. Currently, we are developing a low-cost prototype based on Bluetooth technology to finally proceed with testing in a real environment.

References

[1] Yeun C., Lua E., and Crowcroft J., Security for Emerging ubiquitous networks, IEEE International Conference one-Vehicular Technology, Volume 2, pp. 1242-1248, 25-28 September 2005.
[2] Wang J., Yang Y., and Yurcik W., Secure Smart Environments: Security Requirements, Challenges and Experiences in Pervasive Computing, NSF Infrastructure Experience 2005, NSF/CISE/CNS Pervasive Computing Infrastructure Experience Workshop, Siebel Center for Computing Science, University of Illinois at Urbana-Champaign, July 27, 2005.
[3] Iachello G., and Abowd G. D., A Token-based Access Control Mechanism for Automated Capture and Access Systems in Ubiquitous Computing, GIT Technical Report GIT-GVU-05-06, Georgia Institute of Technology, GVU Center, 2005.
[4] Damiani E., De Capitani di Vimercati S., and Samarati P., New Paradigms for Access Control in Open Environments, Proceedings of the Fifth IEEE International Symposium on Volume , Issue , 18-21 Dec. 2005, Page(s): 540-545.
[5] Javanmardi S., Hemmati H., and Jalili R., An Access Control Framework For Pervasive Computing Environments, presented at International Conference on Pervasive Systems & Computing PSC'06, Nevada, USA, 2006.
[6] Langheinrich M., Privacy by Design Principles of Privacy Aware Ubiquitous Systems, in UBICOMP 2001, LNCS 2201, pp 273-291, 2001.
[7] Garlan D., Siewiorek D.P., Smailagic A., and Steenkiste, Project Aura: toward distraction-free pervasive computing, Pervasive Computing IEEE, Volume 1, pp. 22-31, Issue 2, April-June 2002.
[8] Kottahachchi B., ACCESS: Access Controls for Cooperatively Enabled Smart Spaces, In MIT Student Oxygen Workshop, Ashland, MA, September, 2004.
[9] Gupta S. K. S., Mukherjee T., and Venkatasubramanian K., Criticality Aware Access Control Model for Pervasive Applications, In Proc of 4th IEEE Conf on Pervasive Computing, Pisa, Italy, March 2006.
[10] Sandhu R., Coyne E., Feinstein H., Youman C., Role-Based Access Control Models, IEEE Computer, vol. 29, num. 2, p. 38-47, 1996.
[11] Bertino A.E., Bonatti P.A., Ferrari E., TRBAC: A Temporal Role-based Access Control Model, ACM Transactions on Information and System Security, 4(3), August 2001, pages 191-233.
[12] Ray I., and Kumar M., Towards a Location-Based Mandatory Access Control Model, Computers & Security, 25(1), February 2006.
[13] Gupta S. K. S., Mukherjee T., Venkatasubramanian K. K. and Taylor T. B., Proximity Based Access Control in Smart-Emergency Departments, in PerCom Workshops 2006, pp 512-516.
[14] Zhang C-x., Hu Y-x., and Zhang G-b., Task-Role Based Dual System Access Control Model, IJCSNS International Journal of Computer Science and Network Security, VOL. 6 No. 7B, July 2006.
[15] Thomas R. K., Team-based Access Control (TMAC): A Primitive for Applying Role-based Access Controls in Collaborative Environments, in proceedings of the RBAC 97, Fairfax Va USA, 1997.
[16] Wang L., Wijesekera D., and Jajodia S., A Logic-based Framework for Attribute based Access Control, in proceedings of the CCS04, October, 2004.
[17] Iachello G., and Abowd G. D., A Token-based Access Control Mechanism for Automated Capture and Access Systems in Ubiquitous Computing, Georgia Institute of Technology GVU Center Technical Report GIT-GVU-05-06.
[18] Shen H. and Hong F., A Context-Aware Role-Based Access Control Model for Web Services, proceedings of the ICEBE 2005, pp 220-223.
[19] Beresford A. R., and Stajano F., Location Privacy in Pervasive Computing, Pervasive Computing Magazine, 2003.
[20] Syukur E., Loke S.W., and Stanski P., Methods for Policy Conflict Detection and Resolution in Pervasive Computing Environments, In Policy Management for Web workshop in conjunction with WWW2005 Conference, Chiba, Japan, 10-14 May 2005.
[21] Kamoda H., Yamaoka M., Matsuda S., Broda K., and Sloman M., Policy Conflict Analysis Using Free Variable Tableaux for Access Control in Web Services Environments, Policy Management for Web, A WWW2005 Workshop, 14th International World Wide Web Conference, 10 May 2005, Chiba, Japan, pp. 5-12, May, 2005.
[22] Srikant R. and Agrawal R., Mining sequential patterns: Generalizations and performance improvements, Technical Report, IBM Almaden Research Centre, 1999.
[23] U.S. Census Bureau. Topologically Integrated Geographic Encoding and Referencing system, http://www.census.gov/geo/www/tiger/ (accessed on 31st January 2008).
[24] T. Nadeem, S. Dashtinezhadd, C. Liao, and L. Iftode, Trafficview: Traffic data dissemination using car-to-car communication, ACM Sigmobile Mobile Computing and Communications Review, Special Issue on Mobile Data Management, vol. 8, no. 3, pp. 619, July 2004.