A Middleware Secure by Design for the Pervasive Computing

Home , Secure by design

Sheikh I Ahamed, Munirul M Haque, and K M Ibrahim Asif MSCS Dept., Marquette University, Milwaukee, Wisconsin, USA {iq, mhaque, kasif}@mscs.mu.edu

Abstract hoc nature of the environment, connections between Portable devices have become day-to-day devices may not remain for a long span of time. necessities in our lives. These devices have several Additionally, more than one device may critical constraints due to their small size and simultaneously request the same service from the environment, relying on the importance of middleware same device. Moreover, security has a significant role in the pervasive computing environment. The in resource discovery [3, 4, 5]. Trust is also related to significance of security is well-known in this field and security concerns in the service sharing environment it is long overdue to have middleware in the pervasive of pervasive computing [6, 7, 8]. Modeling trust computing environment that deals with security. In relationship among devices is important. Trust will this paper, we present S-MARKS, middleware that is help devices to decide whether to share the service secure by design. Features of S-MARKS include (from both the requester’s and provider’s points of validating devices, discovering resources, modeling view) after discovering it. Furthermore, handling a trust, handling malicious recommendations, and malicious recommendation is also a key factor which avoiding privacy violation. needs to be addressed. Privacy is another important issue related to security of a handheld device in 1. Introduction pervasive computing environment [8-12]. What is the point of sharing resources even to a valid trusted Today’s technology enables users to be connected device if one’s privacy is violated while doing that? by carrying portable devices. Pervasive computing [1] No one will risk their privacy in order to share has started to establish its viability in education, resources. There may be a situation when healthcare, industry, and elsewhere. These portable unintentionally some sensitive information is revealed devices have limitations that lead to dependency to an unwanted party; this may be termed information among devices through mutual co-operation. This is leakage and normally leads to a privacy violation. enormously significant in a pervasive computing These aspects of security concerns demand a environment. Middleware can play a vital role to cope middleware that is secure by design for the pervasive with the ever growing requirements. A few types of computing environment. The present middleware [13- middleware have been designed to deal with these 24] for this environment does not provide secure challenges but none can be considered as the ultimate solutions in areas of validating devices, modeling solution. trust, handling malicious recommendation, and In a pervasive computing environment, devices avoiding privacy violation. Therefore, a novel can join and leave arbitrarily since the users are very approach is required to provide such middleware. In mobile. In these situations, security is a very critical this paper, we present “S-MARKS”, a middleware issue. Therefore, very important for a device is the which is secure by design. S-MARKS provides the knowledge of current valid neighbors, because any above mentioned functionalities. malicious device acting like a valid one can lead to the The rest of the paper is structured in the following collapse of security and privacy. As a result, having a manner. In Section 2, we discuss the requirements protocol to validate devices before communicating is needed for a middleware to be secure by design. We very important. present our approach and the architecture of S- Resource discovery is another integral part of MARKS in Section 3. We also demonstrate every device present in this environment [2]. The implementation of our approach in Section 4. Section resource discovery feature explores devices in the 5 contains a brief discussion about related middleware vicinity those are capable of offering resources. design in pervasive computing environment. Finally Portable devices present in the pervasive computing we conclude by providing our future works and environment typically have resource limitations. Each acknowledgement in Sections 6 and 7 respectively. device is dependent on others in the environment. But due to lack of a fixed infrastructure support and the ad

2.2. Trust Based Resource Discovery After the validation of devices, the question arises of trust in resource discovery and sharing. Though all the devices that are interacting with one another at this Operating System phase have passed the aforementioned validation phase, the trust level of devices are not the same. The trust level of each device is built up through its interactive behavior and should be updated dynamically through the passage of time. Before acquiring a service, the service requester has to prove that it has the required level of trust.

2.3. Dealing Malicious Recommendation The trust mechanism works by obtaining recommendation from others directly and indirectly. In this process, a device may provide a false recommendation about the service requester. A Figure 1: Architecture of S-MARKS mechanism is needed to handle these kinds of incidents. The malicious recommendation should not 3.1. Valid Device Discovery have any effect on the overall trust related to the In order to restrict the interaction to only valid service requester. devices, we developed a device discovery mechanism named ILDD (Impregnable Lightweight Device 2.4. Avoiding Privacy Violation Discovery). The model has two units: Challenge Privacy violation is the most sensitive issue Response Unit and Validation Unit. Figure 2 shows regarding service sharing. After all the required the architecture of ILDD. Every device needs to functionalities are in place, people still may not want maintain a list of authenticated devices to ensure to share if they think their privacy will be authenticity of information. This list is updated compromised. Thus, a middleware needs to have a dynamically in a periodic manner. Our method works mechanism to avoid privacy violation in terms of on a modified version of the well-known LPN providing full fledged security in a pervasive (Learning Parity with Noise) algorithm [27, 28]. Here, computing environment. all the authenticated devices will carry a secret x of a specific length. A leader node will be chosen based on 3. Our Approach battery power and trust level. Whenever a new node tries to join the network, every other node present in Our middleware S-MARKS, as shown in Figure the network will send a challenge to this new node. 1, is composed of both core components and other The requesting node will calculate the result based on components (or services). Core components include the challenge and the secret x, and reply to the ILDD (Impregnable Lightweight Device Discovery), challengers. Each challenger node will check the SSRD (Simple and Secure Resource Discovery) with answer for validity and send to the leader node its Trust Management [25, 26], and ORB (Object recommendation (true or false) about the requesting

helps S-MARKS to handle a false recommendation. It Figure 2: Architecture of ILDD consists of two functional units: alpha and beta. Both the units check all the recommendations, identify the 3.2. Trust Based Resource Discovery malicious one and try to handle the overall Resource discovery is a core component in a recommendation with the least effect from the middleware. We developed a trust based resource malicious recommendations. Alpha unit works when discovery model named SSRD (Simple and Secure there are few numbers of recommendations. Beta unit Resource Discovery) [26]. Our model has two comes into action when the model has to deal with a functional units: security management unit and trust large number of recommendations. Figure 4 shows the management unit. The security management unit architecture of MaRcHer. decides the mode of communication based on the situation and need for a specific service. The trust µ ~ recommendation management unit maintains the trust relationship with others. Figure 3 shows the architecture of SSRD.

alpha unit beta unit

Figure 4: Architecture of MaRcHer

We fit the control chart method [29] in the alpha unit since the number of recommendations is small and we can easily find the standard deviation. But for the beta unit, we utilize the statistical distribution Figure 3: Architecture of SSRD named Student’s t-Distribution [30, 31]. This approach is used when the standard deviation is not In our trust model, 0 represents complete distrust known which is true for virtually almost all real life whereas 1 represents complete trust. A device that has scenario. In both cases, we get some interval region. just passed the validation phase (ILDD) and has no We discard any recommendation value that is outside prior interaction records will have a trust value of 0.5. of this region since those values differ from the The trust model has the characteristics of reflexivity majority of the recommendations. and partial transitivity (if γ denotes the trust value by A on B and δ denotes that of B on C then the trust 3.4. Avoiding Privacy Violation value of A on C is a function of γ and δ). This model is service and context specific. Here each device To handle any privacy violation issues while maintains a table of available services and sharing services, we developed a model named PriVA corresponding security level that ranges from 1 to 10. (Privacy Violation Avoider). This helps our

To evaluate the effectiveness of our middleware

Figure 5: Architecture of PriVA S-MARKS, we will use prototype implementation, cognitive walkthrough, and performance PriVA has three functional units: service measurement. classifying unit, analyzing privacy unit, and avoiding We are currently implementing the S-MARKS. information leakage unit. PriVA communicates with Our test bed includes several Dell Axim X50 pocket the resource manager to handle any privacy issue in PCs (Intel PXA270@624 MHz). We use C# on .NET resource sharing. Figure 5 shows the architecture of compact framework. This makes our prototypes PriVA. All three units are interrelated and work in compatible with different portable devices supported close agreement to avoid privacy violation. The by the framework. We use IEEE 802.11b for wireless Service Classifying Unit deals with classifying the connectivity. services and resources present in a device. It has two By adopting the cognitive walkthrough strategy, modules named TagR and ClsR. TagR acquires the we will collect valuable feedback to measure the list of resources from the resource manager and tags performance of our middleware. Subsequently, we each service as sharable or non-sharable. In ClsR, all will improve our prototype based on the feedback. the resources and services are classified in different We are also planning to measure the performance default groups. For example, all text documents, of our middleware S-MARKS using some criteria spreadsheets, and presentations can be classified as such as battery power consumption, processor and documents. memory usage, size of ad hoc network etc. The ClsR module is also used in the analyzing the privacy unit. The other two modules present in this 5. Existing Middleware Solutions unit are CustomP and ComputeP. We used the concept of policies (also known as access-rights) to analyze Researchers are involved in middleware design services in terms of privacy. Each group, classified in [13-24] for portable devices running in pervasive the ClsR module, will have a set of default policies. computing environments. But they are not yet close to Default policies may not always serve the purpose; in providing an optimum solution that is secure by some cases of resource sharing, additional customized design. policies are desirable. The module CustomP deals In Reflective middleware [13], the concept of user with custom policies to be used in addition to the profile was introduced but not utilized to its full default policies. CustomP works together with ClsR to capacity. A simple yet powerful algorithm, to unearth provide functionality to the analyzing privacy unit. available resources, has not yet been devised. Most of We articulate these policies for a service using the approaches follow the resource announcement Ordered Binary Decision Diagram (OBDD) [32, 33]. policy. The module ComputeP takes an OBDD representation Reconfigurable Context Sensitive Middleware of policies for a given resource and lists the possible (RCSM+) [22] mainly deals with situation-awareness, ways to satisfy them. ephemeral group management, and autonomous To minimize the computational overhead at the coordination for information dissemination. Gaia [21] time of the service request, all resources listed in the tries to solve the problem of ubiquitous computing by TagR module are previously computed and introducing a general operating system middleware, maintained in the PlcT module which is part of the which exports and coordinates the resources contained Avoiding Information Leakage Unit (AILU). Privacy in a physical space. They introduce the idea of active is correlated with information leakage from the space that converts a physical space and its ubiquitous technological point of view. Information leakage can computing devices into a programmable computing

Sheikh I Ahamed, Munirul Haque, and KM Asif, S-MARKS: A Middleware Secure by Design for the Pervasive Computing Environment, Proceedings of the Fourth International Conference on Information Technology : New Generations (ITNG 2007), IEEE CS Press, April, 2007, Las Vegas, Nevada, USA, pp. 303-308. system. Gaia’s activities, however, are confined only incorporated them in S-MARKS, a middleware that is within the active space. MIT’s Oxygen project [16] secure by design. In our first prototype, we fully turns the inactive environment into an empowered one implemented the device validation and trust based to facilitate the users. This project focuses on new resource discovery. We are working on adaptive mobile devices, new embedded distributed implementation to handle malicious recommendations computing devices, intelligent knowledge access and avoid privacy violations while sharing services. technology, automation technology etc. At present S-MARKS can have an influential effect on systems can divert a user in many explicit and implicit people’s lives through addressing security concerns ways, which may reduce his/her effectiveness. Project when sharing services among portable devices. This Aura [18] rethinks system design to address this may encourage people to utilize portable devices on a problem. Aura tries to provide each user computing larger scale. and information services at every level regardless of location. Gaia, Oxygen, and Aura show splendid 7. Acknowledgement performance inside the smart space. But their focus is different, as they try to accommodate all the facilities The authors appreciate the help of Paula Stroud they mentioned inside a particular smart space. for her valuable comments to improve the paper. Consequently, these are not the ultimate solution for mobile devices running in a pervasive computing References environment. Other noteworthy middleware for mobile devices [1] M. Weiser, “Some computer science issues in ubiquitous are MARKS [14], Mobiware [15], TSpaces [17], computing,” Communications of the ACM, vol. 36(7), 1993, pp.75-84. LIME [19], XMIDDLE [20], PICO [23] and ALICE [24]. MARKS supports knowledge usability, resource [2] T. Kindberg, and A. Fox, “System Software for discovery and self-healing aspects in the pervasive Ubiquitous Computing,” IEEE Pervasive Computing, January-March, 2002, pp. 70-81. computing environment. LIME, supporting scarce context-awareness and inadequate ad hoc [3] K. Matsumiya, S. Tamaru, G. Suzuki, J. Nakazawa, K. communication, is the result of a development process Takashio, H. Tokuda, “Improving security for ubiquitous assimilating formal modeling integration and campus applications,” Symposium on Applications and the application development. TSpaces provides a common Internet Workshops (SAINT 2004), January 2004, pp. 417- 422. platform to facilitate the linkage of all systems and application services. Server software containing data [4] F. Stajano, and R. Anderson, “The Resurrecting are stored on fixed and powerful machines; this is Duckling: Security Issues for Ubiquitous Computing,” inappropriate in an ad-hoc communication Computer, vol. 35(4), Part Supplement, April 2002, pp. 22- 26. environment. Xmiddle uses a tree-structure for storing data. Here, the unit of replication can be adjusted to [5] F. Stajano, “Security for Ubiquitous Computing,” Wiley, accommodate both device and application needs. It is February 2002, pp.110-111. appropriate for mobile computing since it targets ad- [6] L. Kagal, T. Finin, A. Joshi, "Trust-based Security in hoc networks. However, it is implemented using Pervasive Computing Environments," Computer, vol. Extensible Markup Language (XML) that increases 34(12), December 2001, pp.154-157. the communication overhead. [7] D. Quercia, S. Hailes, L. Capra, “TATA: Towards The middleware designs discussed above and Anonymous Trusted Authentication,” Proceedings of the other existing ones did not provide security solutions Fourth International Conference on Trust Management from the perspective of validating devices, (iTrust’06), Pisa, Italy, 2006. discovering resources, modeling trust, handling [8] M. Satyanarayanan, "Pervasive Computing: Vision and malicious recommendations, and avoiding Challenges," IEEE Wireless Communications, vol. 8(4), August 2001, pp.10-17. privacy violation. S-MARKS provides these features in a middleware. [9] A.R. Beresford, F. Stajano, "Location Privacy in pervasive Computing," Pervasive Computing, IEEE , vol. 2(1), Jan-Mar 2003, pp. 46-55. 6. Conclusion [10] R. Campbell, J. Al-Muhtadi, P. Naldurg, G. In this paper, we have addressed the issues of Sampemane1, and M. D. Mickunas, “Towards security and device validation, trust based resource discovery, privacy for pervasive computing,” In Proceedings of malicious recommendation, and privacy violation. International Symposium on Software Security, Tokyo, Japan, 2002. These are all related to security concerns in the pervasive computing environment. We have

[12] V. Bellotti and A. Sellen, “Design for Privacy in [25] M. Sharmin, S. Ahmed, S. I. Ahamed, "SAFE-RD Ubiquitous Computing Environments,” Proceedings of third (Secure, Adaptive, Fault Tolerant, and Efficient Resource European Conference on Computer Supported Cooperative Discovery) in Pervasive Computing Environments," Work (ECSCW 93), 1993, pp. 77-92. International Conference on Information Technology: Coding and Computing (ITCC'05) vol (II), 2005, pp. 271- [13] L. Capra, W. Emmerich, and C. Mascolo, “Reflective 276. Middleware Solutions for Context-Aware Applications,” In Proceedings of the Third international Conference on [26] M. Sharmin, S. Ahmed, S. I. Ahamed, "An adaptive Metalevel Architectures and Separation of Crosscutting lightweight trust reliant secure resource discovery for Concerns, September 25 - 28, 2001. pervasive computing environments," Fourth Annual IEEE International Conference on Pervasive Computing and [14] M. Sharmin, S. Ahmed, S. I. Ahamed, "MARKS Communications (PerCom 2006), March 2006, pp. 13-17. (Middleware Adaptability for Resource Discovery, Knowledge Usability and Self-healing) for Mobile Devices [27] N. Hopper and M. Blum, “A Secure Human Computer of Pervasive Computing Environments," Third International Authentication Scheme,” Technical Report CMU-CS-00- Conference on Information Technology: New Generations 139, Carnegie Mellon University, 2000. (ITNG'06), 2006. pp. 306-313. [28] N. J. Hopper and M. Blum, “Secure Human [15] A. T. Campbell, “Mobiware: QOS-aware middleware Identification Protocols,” In Advances in Cryptology - for mobile multimedia communications”, Proceedings of the ASIACRYPT, vol. 2248, 2001, pp. 52-66. IFIP TC6 seventh international conference on High [29] R. E. Zultner, “What Do Our Metrics Mean?,” Cutter performance networking VII, White Plains, New York, IT Journal, vol. 12(4), April 1999, pp. 11-19. United States, 1997, pp. 166-183. [30] M. Abramowitz and I. A. Stegun, eds. (1972) [16] M. Dertouzos, “The Oxygen Project,” Scientific Handbook of Mathematical Functions with Formulas, American, vol. 281(2), August 1999, pp. 52-63. Graphs, and Mathematical Tables. New York: Dover. (See [17] P. Wyckoff, S. W. McLaughry, T. J. Lehman, and D. Section 26.7 A. Ford, “T Spaces,” IBM Systems Journal, vol. 37(3) 1998, [31] W.S. Gossett, “The probable error of a mean,” pp. 454-474. Biometrika, vol. 6(1), 1908, pp. 1-25. [18] J. P. Sousa, and D. Garlan "Aura: an Architectural [32] S. B. Akers, "Binary Decision Diagrams," IEEE Framework for User Mobility in Ubiquitous Computing Transactions on Computers, C-27(6), June 1978, pp. 509- Environments," Proceedings of the 3rd Working IEEE/IFIP 516. Conference on Software Architecture, August, 2002. pp. 29- 43. [33] R. E. Bryant, “Graph-based Algorithms for Boolean Function Manipulation,” IEEE Transactions on Computers, [19] A. L. Murphy, G. P. Picco, and G. C. Roman, “Lime: A C-35(8), 1986, pp. 677-691. Middleware for Physical and Logical Mobility,”

Proceedings of the 21st International Conference on Distributed Computing Systems (ICDCS-21), May2001.

[20] C. Mascolo, L. Capra, S. Zachariadis, W. Emmerich, “XMIDDLE: A Data-Sharing Middleware for Mobile Computing,” J. Wireless Personal Communications, vol. 21(1), April 2002, pp. 77-103.

[21] R. Cerqueira, C. K. Hess, M. Roman, and R. H. Campbell, “Gaia: A Development Infrastructure for Active Spaces,” In Workshop on Application Models and Programming Tools for Ubiquitous Computing (held in conjunction with the UBICOMP 2001), Sept. 2001.

[22] S.S. Yau, W. Yu, and F. Karim, "Development of situation-aware application software for ubiquitous computing environments," Computer Software and Applications Conference (COMPSAC 2002), 2002, pp. 233- 238.

[23] M. Kumar, B. A. Shirazi, S. K. Das, B.Y. Sung, D. Levine, and M. Singhal, "PICO: a middleware framework for pervasive computing," Pervasive Computing, IEEE, vol. 2(3), July-September 2003, pp. 72-79.