Security in UbiComp: Protection through Commandments
Abstract
The increasing potential to combine devices with different capabilities and purposes leads to new security issues. Traditional security prescribes what has to be prohibited and is thus too inflexible to cope with a constantly changing context. In this paper, we propose an alternative approach to formulating security policies in UbiComp based on the notion of commandments. In essence, commandments formulate situations that should occur within an indefinite time span, thus being conceptually similar to, albeit qualitatively distinct from, the notion of obligation. Here, we focus on the characteristics of commandments and not on how they are realised. To this end, we demonstrate the shortcomings of the prohibition-based approach to security and argue in favour of commandments as an instrument to provide long-lasting security guarantees in UbiComp environments. We conclude with a description of the upcoming research issues involved in applying commandments.

1. A NEW SECURITY PERSPECTIVE

Ubiquitous computing arises from advances made in distinct aspects of computing, namely reachability [5], pervasiveness [11], and autonomy [1]. These features lay the technical foundation for dynamic environments and, thus, for a plethora of novel services. While security is an essential requisite in every system, the unprecedented combination of these characteristics raises a number of challenges for traditional security mechanisms. Indeed, security is no longer only protection against attacks: due to autonomy, for example, it also uses policies to decide whether parameters and configuration settings for self-management could threaten the system. Similarly, pervasiveness and reachability pave the way for heterogeneous contexts regarding devices' cryptographic capabilities. To address this security perspective, we propose a policy language based on the notion of commandments. Its goal is to provide long-lasting security guarantees in UbiComp environments.

UbiComp '05, Tokyo, Japan.

2. TOWARDS COMMANDMENTS

Traditionally, known security threats are remedied by devising security policies, which in essence describe threatening situations that should not occur. Security mechanisms then enforce these policies by prohibiting undesirable situations from happening. For example, AAA policies are prohibition-based [7]: authentication protocols prevent peers from committing transactions with wrong partners (in particular, with an adversary); authorisation techniques preclude illicit subjects from accessing objects to which they have no right; and accountability mechanisms prevent a peer from repudiating its actions. However, anticipating and describing each and every unwanted situation is an infeasible task in UbiComp, where emergent behaviour unforeseen at design time plays an essential role [4]. In this setting, one simply does not know what to forbid! We therefore argue that, although security policies based on prohibitions should not be disregarded, they are insufficient to provide a thorough account of security in highly dynamic systems such as UbiComp. A promising approach to this problem is based on the idea of commandments [2]. Instead of describing only threatening situations, security policies expressed by means of commandments also characterise situations that should eventually take place. Commandments make explicit statements about what is to be achieved, in contrast to prohibitions, which state how a situation is to be achieved. In the context of information security, these specifications are called extensional and intensional, respectively [10]. Conceptually, the commandment-based approach to specifying security properties allows for more flexible specifications, while allowing for long-lasting security policies.

3. SECURITY BY COMMANDMENTS

Current security policies refer to specific security mechanisms. As they work at a very low level of implementation, these policies need to be continuously adapted to a changing environment. For example, an ACL that tells a reference monitor who is allowed to access resources and who is not needs to be changed whenever a new component is introduced into the system. Similarly, for IPSec, the policy that configures the security parameters of the protocol for the setup of new communication connections needs to be adjusted if the group of communication partners changes. The primary goal of commandments is to endow highly dynamic systems based on UbiComp technologies with safer behaviour. As an effect thereof, the overall availability (and thereby dependability) of these systems improves considerably, as the occurrence of security incidents decreases. Observe, however, that this happens despite a continuously changing combination of components, services, and relationships between them. Commandments work at application level and improve its security, and as a result also that of the layers underneath. Take "use an up-to-date virus scanner" as a possible commandment. It neither gives instructions on which scanner to use, nor on which parameters need to be set: the use of an up-to-date scanner definitely protects the system as a whole. Which applications commandments should refer to, and which security benefits may result from them, is part of ongoing research. To realise this new security approach, we need a new form of policy that can continuously guide the system and hold at all times.

Commandments describe situations that should occur within an indefinite time span, or system properties that need to be preserved forever. Even though adherence to commandments is desired, it is not obligatory. Considering the virus scanner example, a monitor that observes the progress of fulfilment would never be able to determine a violation and trigger enforcement: a component can always update its scanner in the next minute and thus fulfil the commandment. However, to urge the component towards adherence, incentive systems need to be developed that reward it for the desired behaviour. In our setting, if a component does not adhere to a commandment, because it does not want to yet or simply is not able to, it is not automatically excluded from accessing a specific service. Hence, commandments weaken the binary "yes or no" decisions of access control mechanisms and realise a first step towards a flexible and durable approach to security. UbiComp environments in particular take advantage of this property, as commandments impose security rules that every device tries to satisfy according to its capabilities, without being too restrictive with devices incapable of adhering to them.
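An added illustration of the contrast drawn above, not code from the paper (which deliberately leaves the realisation of commandments open): a prohibition is evaluated as a hard deny, while the virus-scanner commandment yields a degree of fulfilment that earns an incentive but never excludes a device, and does not apply at all to a device that cannot run a scanner. The Device fields, the 30-day freshness window, the reward scale and the sample devices are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional
TODAY = date(2005, 9, 1)  # constructed "now" for the example

@dataclass
class Device:
    name: str
    authenticated: bool
    can_run_scanner: bool           # a constrained node may have no way to
    signature_date: Optional[date]  # None = no scanner installed at all
@dataclass
class Decision:
    allowed: bool
    adherence: float                # 0.0 .. 1.0, degree of commandment fulfilment
    reward: int                     # incentive credit for desired behaviour
    notes: list = field(default_factory=list)

# Prohibition: a situation that must not occur. A violation is a hard deny.
def no_unauthenticated_access(dev: Device) -> bool:
    return dev.authenticated
# Commandment "use an up-to-date virus scanner": a degree of fulfilment rather
# than a verdict, and None when the device cannot adhere at all.
def up_to_date_scanner(dev: Device) -> Optional[float]:
    if not dev.can_run_scanner:
        return None                 # incapable device: commandment does not apply
    if dev.signature_date is None:
        return 0.0
    age_days = (TODAY - dev.signature_date).days
    return max(0.0, 1.0 - age_days / 30)  # assumed 30-day freshness window

PROHIBITIONS = [no_unauthenticated_access]
COMMANDMENTS = [up_to_date_scanner]

def evaluate(dev: Device) -> Decision:
    for rule in PROHIBITIONS:
        if not rule(dev):
            return Decision(False, 0.0, 0, [f"{rule.__name__} violated: access denied"])
    scores = [s for s in (c(dev) for c in COMMANDMENTS) if s is not None]
    if not scores:
        return Decision(True, 1.0, 0, ["no commandment applies to this device"])
    score = sum(scores) / len(scores)
    reward = round(10 * score)      # incentive rather than enforcement
    note = "commandments fulfilled" if score >= 1.0 else "fulfilment pending, not a violation"
    return Decision(True, score, reward, [note])

# Constructed devices: only the prohibition violation is denied access.
DEVICES = [Device("laptop", True, True, TODAY), Device("stale", True, True, date(2005, 8, 17)),
           Device("sensor-node", True, False, None), Device("stranger", False, True, TODAY)]
```

Running `evaluate` over `DEVICES` shows the stale laptop (15-day-old signatures) still admitted with half the reward, the sensor node admitted without penalty, and only the unauthenticated device denied.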
Publication date: 2005