03/27/22 ICPS 2006 1 Designing a Publish Subscribe Substrate for Privacy/Security in Pervasive Environments Lukasz Opyrchal Miami University, Oxford, OH Atul Prakash University of Michigan, Ann Arbor Amit Agrawal IIT, New Delhi, India

Post on 19-Dec-2015


TRANSCRIPT

Slide 1: Designing a Publish Subscribe Substrate for Privacy/Security in Pervasive Environments

Lukasz Opyrchal, Miami University, Oxford, OH
Atul Prakash, University of Michigan, Ann Arbor
Amit Agrawal, IIT, New Delhi, India

Slide 2: Miami University

- Oxford, Ohio (not Miami, Florida)
- Established in 1809: older than the state of Florida and older than the city of Miami

Slide 3: Two Themes

- Building a secure content-based publish subscribe system
- Creating a “privacy-aware” location tracking application

Slide 4: Publish Subscribe Systems

[Figure: publishers and subscribers attached to a network of brokers; only the node labels “publisher”, “subscriber” and “brokers” survive from the diagram]

Slide 5: Content-Based Publish Subscribe

- Systems: SIENA, Elvin, Hermes; IBM: Gryphon; Microsoft: Herald
- Event schema: [Issue, Price, Vol]
- Publishers emit events; subscribers register filters over the event attributes, for example:
  [Issue = "IBM", Price > 100]
  [Issue = *, Vol >= 1000]
  [Issue = "IBM", Price*Vol >= 1M]
- Only rudimentary security solutions exist

Slide 6: Dynamic Nature of Content-Based Systems

- Because subscriptions are predicates over event content, the set of interested subscribers cannot be determined before an event is published
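The matching step described on slides 5 and 6, as an added example (not code from the slides or from SIENA, Elvin, Hermes, Gryphon or Herald): a minimal content-based matching engine that evaluates every subscription's filter against an event at publish time. The three subscriptions and the sample events are constructed to mirror the filters on slide 5; the operator set and the `Price*Vol` product expression are assumptions about how such filters are encoded.

```python
"""Content-based subscription matching over the [Issue, Price, Vol] event schema.

Added example, not code from the ICPS 2006 slides or from any of the systems
they name. Filters are evaluated only when an event arrives, which is why the
set of interested subscribers is unknown until publication.
"""
import operator
from typing import Any, Callable, Dict, List, Tuple

# Event schema from the slide: every published event carries these attributes.
EVENT_SCHEMA = ("Issue", "Price", "Vol")

# Comparison operators a filter may use (assumed operator set).
OPS: Dict[str, Callable[[Any, Any], bool]] = {
    "=": operator.eq, "!=": operator.ne,
    ">": operator.gt, ">=": operator.ge, "<": operator.lt, "<=": operator.le,
}

# A predicate is (expression, operator, constant). The expression is an attribute
# name or "A*B", the product of two numeric attributes, so the slide's
# "Price*Vol >= 1M" can be expressed. The constant "*" is the wildcard: the
# attribute only has to be present.
Predicate = Tuple[str, str, Any]
Subscription = List[Predicate]      # a subscription is a conjunction of predicates


def _value(expr: str, event: Dict[str, Any]) -> Any:
    if "*" in expr:
        left, right = (s.strip() for s in expr.split("*", 1))
        return event[left] * event[right]
    return event[expr]


def predicate_holds(pred: Predicate, event: Dict[str, Any]) -> bool:
    expr, op, const = pred
    if const == "*":
        return expr in event
    return OPS[op](_value(expr, event), const)


def matches(subscription: Subscription, event: Dict[str, Any]) -> bool:
    """A filter accepts an event only if every one of its predicates holds."""
    return all(predicate_holds(p, event) for p in subscription)


def match_event(subscriptions: Dict[str, Subscription], event: Dict[str, Any]) -> List[str]:
    """Return the subscribers whose filters accept this event.

    Events that do not conform to the advertised schema are rejected before any
    filter sees them, so a malformed publication cannot trip a predicate on a
    missing or unexpected attribute.
    """
    missing = [a for a in EVENT_SCHEMA if a not in event]
    extra = [a for a in event if a not in EVENT_SCHEMA]
    if missing or extra:
        raise ValueError(f"event does not match schema: missing={missing} extra={extra}")
    return sorted(name for name, sub in subscriptions.items() if matches(sub, event))


# Constructed subscriptions that mirror the three filters on slide 5.
SUBSCRIPTIONS: Dict[str, Subscription] = {
    "sub1": [("Issue", "=", "IBM"), ("Price", ">", 100)],
    "sub2": [("Issue", "=", "*"), ("Vol", ">=", 1000)],
    "sub3": [("Issue", "=", "IBM"), ("Price*Vol", ">=", 1_000_000)],
}

if __name__ == "__main__":
    # Constructed events; each one reaches a different set of subscribers.
    for event in ({"Issue": "IBM", "Price": 120, "Vol": 5000},
                  {"Issue": "IBM", "Price": 90, "Vol": 20000},
                  {"Issue": "MSFT", "Price": 300, "Vol": 500}):
        print(event, "->", match_event(SUBSCRIPTIONS, event))
```

The schema check in `match_event` is the place where a secure broker would also hook its policy evaluation: once the matching subscribers are known, each delivery still has to pass the owner's RECEIVE policy, which is the part the slides add on top of plain matching.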

Slide 7: Content-Based Systems and Security?

- Only basic security solutions exist, and they are coarse grained
- Cambridge University Opera group: first attempt at a security model for content-based systems (RBAC model); little detail in the published paper

Slide 8: Policy Dimensions

- Authorization/Authentication: existing solutions (Kerberos, certificates, etc.)
- Access Control: conditions under which an action can be performed; historically coarse-grained
- Data Security: security guarantees (confidentiality, integrity, sender authenticity, etc.)
- Granularity of Security Guarantees: explained later

Slide 9: Entities

- Application: has an application administrator and consists of multiple event types (e.g. the LOC_APP application has the LOC_INFO and LOC_SERVICE event types)
- Event type: describes the event schema
- Owner: can authorize others to subscribe, receive and modify policy for its events; one or more owners per event type

Slide 10: Policy Language

- Based on KeyNote [RFC 2704]
- Fields: Authorizer, Licensees, Conditions, Signature

Slide 11: Sample Rules

Authorizer: “POLICY”
Licensees: admin
Conditions: (app_domain == “LOC_APP”) -> “true”;

Authorizer: admin
Licensees: joe
Conditions: (app_domain == “LOC_APP”) && (evtType == “LOC_INFO”) && (user == “joe”) && (owner == “joe”) -> “true”;

Slide 12: Policy Evaluation

- KeyNote Trust Management System: used in many applications; available implementation; clear API; slow
- CPOL: developed at the University of Michigan by Kevin Borders and Atul Prakash; high-performance policy evaluation; language expressiveness similar to KeyNote; direct support for delegation

Slide 13: Access Control

- Actions: authenticate, advertise, publish, subscribe, receive, change policy

Slide 14: System

- Implemented in Java
- Supports any number of applications and event types
- Advertisements read at start-up
- External attributes
- Event schema: a list of attributes, all of type String, e.g. [LOC_INFO: (user, building, room)]

Slide 15: Location-Tracking Application

Slide 16: Policies We Are Interested In

- Environment-dependent sharing: share info at certain times, in certain locations, during special events, etc.
- Privacy-protected access to services: location-based notification without revealing one's location

Slide 17: Location-Tracking Application

- Event schema: [LOC_INFO: (user, building, room)]
- Sensors: planned – RFID, 802.11; currently – an event generator
- Privacy policies: users own the events about them and allow others to receive those events based on event attributes and external attributes

Slide 18

location_admin is the administrator of the LOC_APP application:

Authorizer: POLICY
Licensee: location_admin
Conditions: (app_domain == “LOC_APP”) -> “true”;

Authorizer: location_admin
Conditions: (app_domain == “LOC_APP”) && (evtType == “LOC_INFO”) && (action == “SUBSCRIBE”) -> “true”;

Authorizer: location_admin
Licensee: location_publisher
Conditions: (app_domain == “LOC_APP”) && (evtType == “LOC_INFO”) && (action == “PUBLISH”) -> “true”;

Authorizer: location_admin
Licensee: owner
Conditions: (app_domain == “LOC_APP”) && (evtType == “LOC_INFO”) && ((action == “RECEIVE”) || (action == “CHANGE_POLICY”)) -> “true”;

Authorizer: Bob
Licensee: Alice || Eve || Nick
Conditions: (app_domain == “LOC_APP”) && (evtType == “LOC_INFO”) && (owner == “Bob”) && (action == “RECEIVE”) && ((extTime == “WORK_DAY”) || (extTime == “WORK_NIGHT”)) -> “true”;

Authorizer: Nick
Conditions: (app_domain == “LOC_APP”) && (evtType == “LOC_INFO”) && (owner == “Nick”) && (action == “RECEIVE”) && (extCollaborator == “true”) -> “true”;

Authorizer: Eve
Conditions: (app_domain == “LOC_APP”) && (evtType == “LOC_INFO”) && (owner == “Eve”) && (action == “RECEIVE”) && (building == extBuilding) && (room == extRoom) -> “true”;

Eve authorizes everybody to receive her events, but only when Eve and the subscriber are in the same room:

Authorizer: Eve
Conditions: (app_domain == “LOC_APP”) && (evtType == “LOC_INFO”) && (owner == “Eve”) && (action == “RECEIVE”) && (building == subBuilding) && (room == subRoom) -> “true”;
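A worked evaluator for the LOC_APP assertions above and for the sample rules on slide 11, added here as an example; it is not code from the slides, from KeyNote or from CPOL. Each assertion keeps the Authorizer / Licensees / Conditions fields of RFC 2704 (Signature is omitted), conditions are written as Python predicates instead of KeyNote syntax, and the compliance check is a monotone closure from the root POLICY over assertions whose conditions hold. Two readings of the slide are assumptions rather than stated facts: an assertion without a Licensees field grants everybody, and “Licensee: owner” names the principal in the environment's `owner` attribute (the `user` the event is about, per slide 17). All events and attribute values are constructed.

```python
"""KeyNote-style evaluation of the slides' access-control assertions.

Added example, not code from the ICPS 2006 slides, from KeyNote or from CPOL.
Conditions are Python predicates over the action environment; as in KeyNote,
an attribute that is not defined reads as the empty string.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional

Env = Dict[str, str]


@dataclass(frozen=True)
class Assertion:
    authorizer: str
    licensees: Optional[FrozenSet[str]]   # None: no Licensees field, read as "everybody" (assumption)
    conditions: Callable[[Env], bool]


def authorized(requester: str, action_env: Env, assertions: List[Assertion]) -> bool:
    """Compliance check: is there a chain of assertions, each with satisfied
    conditions, leading from the root POLICY to the requester?

    The trusted set only grows from {"POLICY"}, so the loop terminates, and an
    assertion counts only once its authorizer is trusted, which keeps every
    delegation step explicit.
    """
    env = defaultdict(str, action_env)   # undefined attribute -> "" (KeyNote semantics)
    trusted = {"POLICY"}
    changed = True
    while changed:
        changed = False
        for a in assertions:
            if a.authorizer not in trusted or not a.conditions(env):
                continue
            if a.licensees is None:          # the authorizer grants everybody
                return True
            # "owner" in a Licensees field stands for the owner of the event at hand (assumption).
            granted = {env["owner"] if n == "owner" else n for n in a.licensees}
            if not granted <= trusted:
                trusted |= granted
                changed = True
    return requester in trusted


def loc_info(e: Env) -> bool:
    return e["app_domain"] == "LOC_APP" and e["evtType"] == "LOC_INFO"


# Slide 11: POLICY trusts admin for LOC_APP; admin lets joe act on joe's own LOC_INFO events.
SAMPLE_RULES = [
    Assertion("POLICY", frozenset({"admin"}), lambda e: e["app_domain"] == "LOC_APP"),
    Assertion("admin", frozenset({"joe"}),
              lambda e: loc_info(e) and e["user"] == "joe" and e["owner"] == "joe"),
]

# Slide 18: the LOC_APP policy set, one Assertion per rule on the slide.
LOC_APP_POLICY = [
    # POLICY -> location_admin, the administrator of LOC_APP
    Assertion("POLICY", frozenset({"location_admin"}), lambda e: e["app_domain"] == "LOC_APP"),
    # location_admin lets everybody SUBSCRIBE to LOC_INFO events ...
    Assertion("location_admin", None, lambda e: loc_info(e) and e["action"] == "SUBSCRIBE"),
    # ... lets location_publisher PUBLISH them ...
    Assertion("location_admin", frozenset({"location_publisher"}),
              lambda e: loc_info(e) and e["action"] == "PUBLISH"),
    # ... and lets each event's owner RECEIVE it and CHANGE_POLICY for it.
    Assertion("location_admin", frozenset({"owner"}),
              lambda e: loc_info(e) and e["action"] in ("RECEIVE", "CHANGE_POLICY")),
    # Bob -> Alice || Eve || Nick, during work hours (external attribute extTime)
    Assertion("Bob", frozenset({"Alice", "Eve", "Nick"}),
              lambda e: loc_info(e) and e["owner"] == "Bob" and e["action"] == "RECEIVE"
              and e["extTime"] in ("WORK_DAY", "WORK_NIGHT")),
    # Nick -> everybody, while the external attribute extCollaborator is "true"
    Assertion("Nick", None,
              lambda e: loc_info(e) and e["owner"] == "Nick" and e["action"] == "RECEIVE"
              and e["extCollaborator"] == "true"),
    # Eve -> everybody who is in the same building and room as Eve
    Assertion("Eve", None,
              lambda e: loc_info(e) and e["owner"] == "Eve" and e["action"] == "RECEIVE"
              and e["building"] == e["subBuilding"] and e["room"] == e["subRoom"]),
]


def receive_env(event: Env, **external: str) -> Env:
    """Action environment for a RECEIVE decision on a LOC_INFO event: the event's
    attributes, its owner (the user the event is about), and the external
    attributes the broker supplies (extTime, subBuilding, ...)."""
    return {"app_domain": "LOC_APP", "evtType": "LOC_INFO", "action": "RECEIVE",
            "owner": event["user"], **event, **external}


if __name__ == "__main__":
    bob = {"user": "Bob", "building": "Benton", "room": "205"}   # constructed event
    for who, when in (("Alice", "WORK_DAY"), ("Alice", "WEEKEND"), ("Carol", "WORK_DAY")):
        print(who, when, authorized(who, receive_env(bob, extTime=when), LOC_APP_POLICY))
```

One caveat follows directly from the empty-string rule: Eve's assertion compares `building` with `subBuilding` and `room` with `subRoom`, so if the broker evaluates it without having filled in the subscriber's location, two undefined attributes compare equal and the rule fires. The broker therefore has to set `subBuilding` and `subRoom` from its own sensor data (the same source that produced the event), never from a value the subscriber supplies with the request.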

Slide 19: Conclusion and Future Work

- Flexible security framework for content-based systems
- Support for complex privacy policies
- Services (such as privacy filters)
- Event filter infrastructure (publisher/subscriber)

Slide 20: Future Work

- Restricting delegation: CPOL provides direct control over delegation
- Support for contract signing
- Support for archived events
- Extensions to the pub-sub system
- Broker trust
- Extensive performance experiments

Slide 21: Questions?

[email protected]

Slide 22: Privacy

- The ability of an individual to control the terms for acquisition and usage of their personal information*
- How to build applications and services while giving users the means to control the conditions under which their data is distributed

* M. J. Culnan, “Protecting Privacy Online: Is Self Regulation Working.”

Slide 23: Motivation

- Publish subscribe systems: information delivery; enterprise systems (supply chain, workflow, e-commerce); pervasive applications
- Content-based systems: emerging applications (wireless/location-aware apps, military apps, sensor networks, large-scale enterprise systems, web services); emerging commercial solutions (IBM Gryphon, Microsoft Herald, Mantara, Pre-Cache)

Slide 24: Architecture

[Figure: broker architecture diagram. Components shown: Client Handler, Authentication Handler, Security Manager, Protocol Handler, KeyNote System, Content-Based Matching Engine, Broker-to-Broker Handler, User Database, Security Policy, Extension Manager, Extension Class, Extension Class, ...]