Models for Privacy in Ubiquitous Computing Environments

This thesis addresses the discretionary privacy demands of users in heterogeneous distributed systems such as ubiquitous computing environments. Because of the physical proximity and pervasiveness of personal devices, sensors, actuators, and other devices and services, ubiquitous computing environments need a powerful infrastructure for coordinating accesses to these resources. However, this infrastructure makes it easy for malicious administrators to gain access to private information of users. We present models for privacy of a user's communication, unlinkability of a user's accesses, and authorized policy feedback that is both useful and privacy preserving. Our models expose the potential threats to a user's privacy, and allow users to express their individual and differing privacy demands based on these threats. We show how a user's privacy policies can be efficiently satisfied under our models. For secure and private communication, we present a model for trustworthy routing, with a policy specification language that is computationally efficient to enforce. We show how quantitative trust models can be used to find trustworthy paths of communication and explore various semantic models of trust. For the unlinkability of a user's accesses to services in a ubiquitous computing environment, we present a model based on access control and decentralized enforcement of policy constraints. We prove that our solution is secure, and show how security can be maintained by trading off precision for evolving protection state. Lastly, we present a model called Know for providing feedback regarding access control decisions to users. This model aims to make ubiquitous computing environments more usable and secure, while honoring the privacy of other users in the system. Administrators can specify meta-policies to tailor feedback to individual users based on perceived threat to the policy's contents.
To my parents
Who valued my education
Above all else

Acknowledgments

I would like to thank the many people who have helped me during my career as a "professional student." My advisor, Roy H. Campbell, for taking me under his wing while I was a young undergraduate student and stimulating my interest in research. For countless hours of memorable and thought-provoking discussions, and for his never-ending flow of ideas. And lastly, for always giving me the freedom to explore new and exciting research directions of my choosing. Laboratories. This fellowship funded my work on several interesting research projects and I am truly grateful for their support. My committee members. Mahesh Viswanathan, who helped me …
