Access Control in Ubiquitous Computing Environments : An analysis of the

Trust-Based approach

Roushdat Elaheebocus
School of Electronics and Computer Science
University of Southampton
re1e08@soton.ac.uk

Abstract technical report has constrained us to pick only one of

them and TBAC has been chosen due to its popularity.
In this report, we have identified the major
2. Analysis
challenges that systems dealing in ubiquitous access
control have to tackle. An in-depth analysis of six
A complete analysis of all the approaches with
trust-based access control models has then been
respect to how they tackle the different challenges
performed to find out the extent at which they
would have yielded a table as shown in Table 1.
overcome these challenges. Finally some of their
security vulnerabilities have been briefly described.
Usability Privacy Mobility Scalability Resource
Constraints
1. Introduction Trust-
Based
Ubiquitous Computing described by Mark Weisel Context-
[1] as the embedding of computing capabilities into our Based
everyday environment to users from the 'how' of doing Role-
things, allowing them to focus on the 'what' tasks to Based
perform thus creating a pervasive environment [2] Policy-
which can also be described as a smart or active Based
Space.“Access control policies and mechanisms are Table 1. access control approaches Vs challenges
necessary to ensure that users only use the resources
(both hardware and software) in an Active Space in
The full analysis for each approach would have
authorised ways, and to allow shared use of the space”
produced some results that could have been quantified
[3].
and compared. As mentioned earlier, in this report, we
In our literature search [4] we have found that there will analyse only for the Trust-Based approach (The
are at least five major challenges to overcome when highlighted row in Table 1.).
dealing with access control in ubiquitous computing Based on the literature search [4], six recent papers
environments. The researches done so far have adopted proposing solutions of Trust-Based nature for access
one or a combination of strategies out of four common control have been selected for the in-depth critical
ones which are : analysis. We will refer to them as:
i. Trust-Based Access Control (TBAC) • paper A [7]
ii. Context-Based Access Control (CBAC) • paper B [8]
iii. Role-Based Access Control (RBAC) • paper C [9]
iv. Policy-Based Access Control (PBAC) • paper D [10]
The most popular one among researchers, based on • paper E [11]
the number of papers published, seems to be Trust- • paper F [12]
Based. While it would have been very interesting to dig
deeper into all the approaches, space limitation in this
3.Trust-Based approach: In-Depth analysis
3.1. Usability
Assuming users will be accessing hundreds of
services from different devices simultaneously, access
control mechanisms should be appropriate for such
situations with the users' ease of use in mind [5].
While most of the trust models have avoided human-
involvement during the identification and
authentication phases through automated trust-
negotiation using trust evidence consisting of
credentials, context data and past interactions [7],
paper B has suggested asking for users' intervention in
cases where policies concerning the amount of private
data to be released have not been specified a-priori.
This avoids the system from taking an arbitrary action
in ambiguous situations which is good. But on the other
hand, this human-part can weaken the system in two
ways: from the usability point of view, users will have
to tackle policy-related problems which can be quite
technical and on the security side, humans will be the
system's weak point since they can be deceived.
Paper F proposes two possible ways of admitting a
new node; human-authentication of ID or trial-
admission to the network. While the first option is
feasible and simple to implement in a small sized
network, it is impracticable for larger ones, specially in
ubiquitous environments.
3.2.Privacy
There is always a compromise to be performed
between privacy and service personalisation but the
extent of this compromise varies depending on the
access control approach in use [6].
Paper A argues that in dealing with a node that is
neither known by the service provider nor by peers, the
trust negotiation will have to be performed from
scratch and can cause some privacy issues for the client
since the latter may not know whether it is safe to
disclose its credential for example. A solution for this
has been proposed as the disclosure of credentials
between the provider and the requester piece by piece
and in-turn. While it also mentions about protecting
privacy of information and securing data flow, no
suggestion is made about how to perform this. Probably
some kind of encryption was thought about but this will
add extra-computation load on the nodes.
Paper B exclusively investigates and proposes a way
of protecting privacy by varying the amount of data
depending on the requesters' identities. Having
evaluated the trust value of a requester, a device can
then categorise him into either the trusted, public or
distrusted group. Depending on the group and privacy
policies in place, the amount of data to be disclosed is
decided. Furthermore the system goes to an extra step
by proposing to shield all data from requesters by
default and disclosing only chosen parts. Unfortunately
this idea simply transfers one more burden to users
whose devices should be capable of such a task.
Paper C adopts a different strategy compared to
conventional routing algorithms; choosing the most
trustworthy nodes to route messages instead of the
shortest and quickest route. While this will increase
communication latency, privacy-protection is greatly
enhanced. But the way trust is evaluated put into
question private-data protection: past-activity records
of nodes are stored, which in case the node storing the
data becomes compromised, all their records get
compromised as well. Perhaps encrypting the records
for storage can be a way out.
Paper D , E and F do not tackle the issue of privacy
directly although inevitably during trust establishment,
private data is at stake.
3.3. Mobility
Securing access to the services in pervasive
environments, the volatile nature of pervasive
environments where devices joining and parting the
networks is normal has to be considered.
For paper A, the context is set such that a service
provider is static and only the client nodes are mobile.
As a result, all new nodes have to go through the same
access control mechanisms when they join the network
resulting in additional processing. This drawback is
solved by paper B that uses peer recommendation for
new nodes but then the assumption is that there should
be enough trusted peers which are within range and
know about the new node. Similarly, paper D mentions
among several characteristics of trust: a transitivity
assumption, that is, if X trusts Y and Y trusts Z, X can
trust Z. While this can be a fairly simple assumption
allowing for an increased range between cooperating
nodes, it is risky in cases that Y may have been
compromised or if the trust evaluation for Y was
wrongly performed, there will be a cascading effect. A
solution for this will be to rely on more than one
intermediary in parallel at a given time.
As for papers C and F, the adoption of smaller sub-
networks referred to as 'communities' consisting of a
small group of nodes (neighbours) having a 1-hop
distance between them makes the model highly mobile.
One or more nodes in one community can be part of
another one as well, thus effectively interlinking the
sub-networks into a large mobile and ubiquitous
network. It is to be noted that it was found by F's
system, increasing the ability for a node to migrate
from one location to another also heightens the risk of
attacks by malicious nodes that can keep moving to
avoid detection.
Although paper E deals with a small organisation for
its ubiquitous scenario, it suggests a way of dealing
with node migration: That of having a shared
delegation policy among the various sub-groups in the
networks. While this is practical in an organisation
where a central authority governs, it will be challenging
to implement in other cases.
3.4. Scalability
In pervasive environments, it is expected that one
user may be in control of hundreds of computing
devices [6]. Scale this to a small group of people and
we very quickly reach a peak exceeding thousands of
devices accessing the network. As a result, for an
access control mechanism to perform appropriately, it
should scale well.
Paper A used a modular approach for implementing
the model's components consisting mainly of different
trust-evaluation strategy modules. This paved the way
for allowing the system to be of a distributed nature
which we believe will enhance its scalability capability.
Consisting of small sub-networks cooperating to
form the larger ubiquitous network, paper C's and F's
models allow themselves to scale very well since there
is no central control and each sub-network can operate
independently.
Paper E uses delegation to 'lease' trust to a new node
by a group of other nodes already trusted in the
network. As it is, this approach will be appropriate in
small private networks where even 'new' nodes can be
known by some older ones but not in large public
networks. Along with paper E, B and D do not take
into consideration the scalability issues for their model
of trust-based access control.
3.5. Resource constraints
In addition to the four main constraints identified in
the literature search [4], we have found that resource
availability is also very important to consider for access
control. Devices being mobile have a tendency to be
very small in size physically with lower processing
power. As a result, they have constraints such as a
shorter power-life and smaller screen compared to non-
mobile devices. Wireless networking also means
reduced bandwidth and frequent data packet loss or
corruption. All these have to be taken care of while
designing an access control mechanism.
Paper A to some extent sacrifices computing power
for the sake of having a more generalised and dynamic
model. This is due to the fact that by combining several
trust strategies for trust evaluation, the processing load
will increase considerably given the fact that a large
number of clients are expected to go through the access
control mechanism. While the paper aims at achieving
concurrency during the trust evaluation phase, the
claim is doubtful since there will be so many nodes to
control at a given time. However some parallelism may
be achieved through distributed computing.
Paper B assumes that each ubiquitous client node is
able to evaluate and categorise neighbours on its own.
This will require more processing power, bandwidth
and also consume more of the limited battery life.
While this may be possible for some devices, not all of
them will match these capabilities.
Similarly paper C makes a rather similar assumption
by requiring each node to host a TOMS (Trust
cOmputation and Management System) system locally
and paper F requires each node to monitor their
neighbours' activities to detect misbehaving nodes.
However by doing so, nodes will use less bandwidth
since they will be able to interact directly with peers 1-
hop away from them.
Concerning the system proposed by paper E, the best
guess is that it will need a lot of computing resources
based on the fact that tests were run using Pentium IV
processors.
One way of preserving resources according to paper
D is through the use of resource-constrained trust
negotiation (RCTN) that can alleviate the consumption
of resources such as processing and bandwidth during
the trust negotiation phase by altering credentials.
4. Possible Vulnerabilities uncovered
During the analysis of the different trust models
proposed, we have found several vulnerabilities mostly
related to denial of service in them.
In paper A, if a client node willing to gain access to
the network provides more than one type of trust
evidence, the system may choose to evaluate them
concurrently. Considering the situation when a group of
malicious nodes feeds the system with a high number
of trust evidence, this can degrade performance.
Paper B's system relies on peers to obtain the trust
value of a new node. No mention is made about how
new peers are added to the peer list and also if the
network is not dense enough, situations may arise
where there is no peer within range at a given time.
Another important point is that in order to inquire
about the new node's trust, a broadcast message is sent
over the network. If a group of malicious nodes try to
gain access from different locations, this may trigger
broadcasts from all peers and risk flooding the
network.
Paper C mentions the fact that neighbouring nodes
having the same trust value will share the same key.
However it also says that trust value of a node may
change and that node's key can be revoked. But since
there is the possibility that it was initially sharing that
same key with other nodes, their keys will be revoked
too and will have to be re-issued new keys. If this
situation occurs frequently, system performance will
degrade considerably.
Most of the models, except that of paper F do not
give enough importance about dealing with attacks
from trusted nodes that can be compromised at a given
time while already being inside the system.
Ubiquitous botnets [13], whereby trusted devices are
remotely manipulated and coordinated to perform
attacks over ubiquitous networks can be a major threat
to such system in the near future. While most access
control systems are able to detect single malicious
nodes, a coalition of cooperating malicious nodes will
be more challenging to detect and isolate. We also
think about the possibility of sleeper-malicious-nodes
that gather record information silently and act
maliciously for short periods, shot enough to avoid
detection.
5. Conclusion
Having analysed some trust-based access control
models with respect to how they tackle the major
challenges, we have found that most of these models
take into consideration very few of the challenges.
They focus mainly on how to evaluate trust value and
experimented either through simulations, proofs or in
closed environments. While trust-evaluation is an
important aspect of trust-based access control, the
models will not perform appropriately in real-life
situations since the major challenges have not been
properly addressed. Finally, the trust-based access
control models have been found to be vulnerable to a
variety of denial of service attacks possibly becoming
victims to ubiquitous botnets.
6. References
[1] M. Weiser, “The Computer for the 21st Century,” Sci.
Amer., Sept., 1991.
[2] M. Satyanarayanan, “Pervasive computing: vision and
challenges,” Personal Communications, IEEE [see also IEEE
Wireless Communications], vol. 8, 2001, pp. 10-17.
[3] G. Sampemane, P. Naldurg, and R. Campbell, “Access
control for active spaces.”, Department of Computer Science,
University of Illinois at Urbana-Champaign, Sept., 2002
[4] R.Elaheebocus, “Acess Control in Ubiquitous
Environments: A Literature Search,” School of Electronics
and Computer Science, University of Southampton, Nov.,
2008.
[5] J. Bardram, “The trouble with login: on usability and
computer security in ubiquitous computing,” Personal and
Ubiquitous Computing, vol. 9, Nov. 2005, pp. 357-367.
[6] R. Thomas and R. Sandhu, “Models, protocols, and
architectures for secure pervasive computing: challenges and
research directions,” Pervasive Computing and
Communications Workshops, 2004. Proceedings of the
Second IEEE Annual Conference on, 2004, pp. 164-168.
[7] Daoxi Xiu and Z. Liu, “A Dynamic Trust Model for
Pervasive Computing Environments,”. Fourth annual
security conference, Las Vegas , NV: 2005.
[8] P.D. Giang, L.X. Hung, R.A. Shaikh, Y. Zhung, S. Lee,
Y. Lee, and H. Lee, “A Trust-Based Approach to Control
Privacy Exposure in Ubiquitous Computing Environment,”.
IEEE International Conference on Pervasive Services,
Istanbul, Turkey: 2007.
[9] A. Boukerche and Y. Ren, “A trust-based security system
for ubiquitous and pervasive computing environments,”
Computer Communications, vol. In Press, Corrected Proof.
[10] Guo Ya-Jun, Hong Fan, Zhang Qing-Guo, and Li Rong,
“An Access Control Model for Ubiquitous Computing
Application,” Mobile Technology, Applications and
Systems, 2005 2nd International Conference on, 2005, pp. 1-
6.
[11] J. Yang and K.H. Rhee, “Securing Admission Control in
Ubiquitous Computing Environment,” Networking - ICN
2005, 2005, pp. 972-979.
[12] Haiyun Luo, Jiejun Kong, P. Zerfos, Songwu Lu, and
Lixia Zhang, “URSA: ubiquitous and robust access control
for mobile ad hoc networks,” Networking, IEEE/ACM
Transactions on, vol. 12, 2004, pp. 1049-1063.
[13] Kwang-Hyun Baek, Sergey Bratus, Sara Sinclair, Sean
W. Smith, “Dumbots: Unexpected Botnets through
Networked Embedded Devices”, Dartmouth College
Computer Science,Technical Report TR2007-591
7. Bibliography
[14] “Computer Science Essays - Ubiquitous Computing:
Authentication techniques in ubiquitous computing,”
http://www.ukessays.com/essays/computer-
science/ubiquitous-computing.php. Accessed 24 November
2008
[15] Varuna Godara, Handbook of Research on Assessment
and Management in Pervasive Computing, 2008.
ISBN:1605662208, 9781605662206. Repository: Google
Books
[16] Tim Kindberg, Abigail Sellen, and Erik Geelhoed,
“Security and Trust in Mobile Interactions: A Study of
Users’ Perceptions and Reasoning,” in UbiComp 2004:
Ubiquitous Computing, 2004, 196-213,
http://www.springerlink.com/content/elj3jeqknr7ffbpb.
[17] Anupam Joshi et al., “Security policies and trust in
ubiquitous computing,” Philosophical Transactions of the
Royal Society A: Mathematical, Physical and Engineering
Sciences 366, no. 1881 (October 28, 2008): 3769-3780,
doi:10.1098/rsta.2008.0142.
[18] C.A. Patterson, R.R. Muntz, and C.M. Pancake,
“Challenges in location-aware computing,” Pervasive
Computing, IEEE 2, no. 2 (2003): 80-89.