Post on 12-Jan-2016
Threats, Risk Assessment, and Policy Management in UbiComp
Workshop on Security in UbiComp
UBICOMP 2002, 29th Sept. Göteborg, Sweden
Philip Robinson, SAP Corporate Research & Telecooperation Office
Management & Access Scope of UbiComp Environments and Applications
• Closed/ Embedded
• Personal
• Static Groups
• Public
• Ad Hoc Groups
Point of Alert
• Static Threat = Unsolicited interactive access to system by non-group member
• Ad Hoc Threat = Unsolicited use of special services – access beyond role and rights
• Public Threat = “unsolicited modification/ misuse of system”
• Personal Threat = Unsolicited possession of system (tangible access)
• Closed Threat = Unsolicited access to system location
“Access to a system or its resources/ information is the first line of attack”
Risk – all about Context
• Information and Resources have no value without a particular Context.
• Context information changes the awareness and evaluation of risks
• Awareness of risks changes the utility of and contribution to the Context information
[Figure: example of information whose value depends on context – Credit Card #: 4999 910 876 1234]
[Figure, shown twice on the slide: sensor node – Photodiode (light intensity sensor), Accelerometer (movement sensor), Thermometer (temperature sensor), Barometer (pressure sensor), other sensors → Analog/ Digital Converter → Microcontroller → Communications]
When is the risk pending?
• Data
• Sensor/ Low-level Context Information (cues): temperature, acceleration, location
• Computed/ Partial Context Information: Movement, Office, Occupied
• Elicited/ Meta-level Context Information: Meeting and Discussion in Session, and topic is…
Attack Profile
[Figure: RESOURCES and CONTEXT, with an ATTACK arrow at each of the four resource classes]
• Communicational (Reception & Transmission)
• Interactive (Stimuli & Response)
• Perceptive (Sensors & Actuators)
• Computational (Memory, Power & Processing)
Attacks:
• Attacker listens in on communications channel – attacks on confidentiality & privacy!
• Attack by abusing lack or excess of computational capacity – denial of service or malicious code attacks
• Attack by embedding false sensor and actuator devices into environment – attack on context derivation integrity
• Attack by falsifying the physical environment’s signals – attack on context reading integrity
Policy Management
[Figure: policy lifecycle, labelled Administrative Distribution and data]
• Definition: Document encoded, Application encoded, Entity encoded
• Enforcement: Security Mechanism selection, Physical vs. Logical
• Modification & Dissolution: Static vs. Dynamic, Consistency & notification
• Auditing: Centralized vs. Distributed
Behavioral policy, relational policy
[Figure: signal path – Physical environment → Analog signal → A/D → Digital signal → transmission → Computation → Interpretation → emission; policies applied along the path: Signal integrity policy, Context-based policies, Computational policies, Communication policies, Authorization policies]
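As an added illustration (not code from the talk), the Python sketch below models the three context layers of the “When is the risk pending?” slide and applies a signal integrity policy against the two perceptive attacks of the attack profile: cues from unregistered devices are rejected (context derivation integrity), and disagreeing readings from registered sensors block elicitation of the meta-level context instead of letting it be guessed (context reading integrity). Sensor ids, cue kinds and thresholds are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cue:
    sensor: str   # id of the device that reported the cue
    kind: str     # "acceleration" or "occupancy" (further kinds could be added)
    value: float

# Constructed registry of sensors installed in the room (an assumption that
# stands in for whatever device registration the deployment actually uses).
KNOWN_SENSORS = frozenset({"accel-1", "pir-1", "badge-1"})
THRESHOLD = {"acceleration": 0.5, "occupancy": 0.5}  # assumed cut-offs per kind

def assess(cues, trusted=KNOWN_SENSORS):
    """Derive meta-level context from low-level cues; returns (context, alerts).

    Layer 1 (derivation integrity): cues from unregistered devices are dropped.
    Layer 2 (reading integrity): each cue votes on its kind; disagreement between
        registered sensors marks the kind disputed, so no partial context is computed.
    Layer 3 (point of alert): meta-level context is elicited only from undisputed
        partial context; otherwise "unknown" is returned rather than a guess.
    """
    alerts, votes = [], {}
    for c in cues:
        if c.sensor not in trusted:
            alerts.append(f"rejected cue from unregistered sensor {c.sensor}")
            continue
        votes.setdefault(c.kind, []).append(c.value > THRESHOLD[c.kind])
    partial = {}
    for kind, vs in votes.items():
        if len(set(vs)) > 1:
            alerts.append(f"{kind}: registered sensors disagree, reading integrity in doubt")
        else:
            partial[kind] = vs[0]
    if "occupancy" not in partial:
        return "unknown", alerts            # disputed or missing: do not guess
    if not partial["occupancy"]:
        return "room empty", alerts
    if partial.get("acceleration", False):
        return "room occupied, people moving", alerts
    return "meeting in session", alerts

if __name__ == "__main__":
    # Constructed sample: an honest reading, then one where the PIR signal is falsified
    honest = [Cue("accel-1", "acceleration", 0.1), Cue("pir-1", "occupancy", 1.0),
              Cue("badge-1", "occupancy", 1.0)]
    spoofed = honest[:2] + [Cue("badge-1", "occupancy", 0.0)]
    print(assess(honest))   # ('meeting in session', [])
    print(assess(spoofed))  # ('unknown', ['occupancy: registered sensors disagree, ...'])
```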
Summary
• Identify access scope of UbiComp application
• Determine point-of-alert based on access scope
• Determine when the context creates a manageable risk
• Perform a Threat Analysis
• Define policy model to circumvent threats
• Implement mechanisms to enforce policy
• Establish methodology for managing policy information
[Figure labels: Policy Enforcement, Policy Dissolution, Policy Modification]