Big ideas paper: Policy-driven middleware for a legally-compliant Internet of Things

Internet of Things (IoT) applications, systems and services are subject to law. We argue that for the IoT to develop lawfully, there must be technical mechanisms that allow the enforcement of specified policy, such that systems align with legal realities. The audit of policy enforcement must assist the apportionment of liability, demonstrate compliance with regulation, and indicate whether policy correctly captures legal responsibilities. As both systems and obligations evolve dynamically, this cycle must be continuously maintained. This poses a huge challenge given the global scale of the IoT vision. The IoT entails dynamically creating new services through managed and flexible data exchange. Data management is complex in this dynamic environment, given the need to both control and share information, often across federated domains of administration. We see middleware playing a key role in managing the IoT. Our vision is for a middleware-enforced, unified policy model that applies end-to-end, throughout the IoT. This is because policy cannot be bound to things, applications, or administrative domains, since functionality is the result of composition, with dynamically formed chains of data flows. We have investigated the use of Information Flow Control (IFC) to manage and audit data flows in cloud computing; a domain where trust can be well-founded, regulations are more mature and associated responsibilities clearer. We feel that IFC has great potential in the broader IoT context. However, the sheer scale and the dynamic, federated nature of the IoT pose a number of significant research challenges.
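The abstract's central mechanism, tag-based Information Flow Control applied end-to-end across a chain of data flows, can be made concrete with a small model. The code below is an added example and is not from the paper or from CamFlow; the entity names, tags and labels are constructed for illustration, and it assumes the usual lattice rule that secrecy tags may only be gained along a flow while integrity tags may only be lost.

```python
# Added example (not the paper's code): decentralised, tag-based IFC over a
# chain of IoT data flows, with every decision recorded for later audit.
from dataclasses import dataclass


@dataclass(frozen=True)
class Label:
    secrecy: frozenset    # whose data this is; tags may only accumulate
    integrity: frozenset  # assurances about origin; tags may only be lost


def check_flow(src: Label, dst: Label):
    """Return (allowed, reason). A flow src->dst is permitted only if every
    secrecy tag on src is also on dst, and every integrity tag dst requires
    is held by src (a Denning-style lattice ordering on both dimensions)."""
    leaked = src.secrecy - dst.secrecy
    unmet = dst.integrity - src.integrity
    if leaked:
        return False, f"would leak secrecy tags {sorted(leaked)}"
    if unmet:
        return False, f"destination requires integrity tags {sorted(unmet)}"
    return True, "labels compatible"


def run_chain(chain):
    """Push data along [(entity_name, label), ...] one hop at a time.
    Every hop is logged; the chain stops at the first denied hop."""
    audit = []
    for (a, la), (b, lb) in zip(chain, chain[1:]):
        allowed, reason = check_flow(la, lb)
        audit.append({"from": a, "to": b, "allowed": allowed, "reason": reason})
        if not allowed:
            break
    return audit


# Constructed entities: a certified medical sensor, the middleware broker,
# a hospital service, an advertising service, an untrusted web form, an actuator.
SENSOR = Label(frozenset({"patient-42"}), frozenset({"sensor-certified"}))
BROKER = Label(frozenset({"patient-42"}), frozenset({"sensor-certified"}))
HOSPITAL = Label(frozenset({"patient-42", "medical"}), frozenset())
ADVERTS = Label(frozenset({"adverts"}), frozenset())
WEB_FORM = Label(frozenset(), frozenset())
ACTUATOR = Label(frozenset(), frozenset({"sensor-certified"}))


def lawful_chain():      # sensor data reaching the hospital: every hop allowed
    return run_chain([("sensor", SENSOR), ("broker", BROKER), ("hospital", HOSPITAL)])


def unlawful_chain():    # same data routed on to advertising: denied at the last hop
    return run_chain([("sensor", SENSOR), ("broker", BROKER), ("adverts", ADVERTS)])


def untrusted_actuation():  # uncertified input driving an actuator: denied
    return run_chain([("web-form", WEB_FORM), ("actuator", ACTUATOR)])
```

The audit records returned by `run_chain` are the material the abstract says must support apportioning liability and checking that policy captures legal obligations: each denied hop names the entity and the exact tags that caused the refusal.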
