Spheres of Influence: Secure organization and coordination of diverse device communities. Kevin Eustice, Ph.D. Oral Qualifying Examination, UCLA Computer Science, April 20th, 2005

1

Spheres of Influence: Secure organization and coordination of diverse device communities

Kevin Eustice
Ph.D. Oral Qualifying Examination
UCLA Computer Science
April 20th, 2005

2

Statement of Purpose

• Design and implement a device community management framework supporting ubiquitous computing scenarios.

• Contributions of this work:
  – Generalized concept of structured device communities applied to ubiquitous computing.
  – Framework prototype: Spheres of Influence.
  – Sample applications illustrating value and generality of framework

3

Roadmap

• Managing Ubiquitous Computing
• Our approach: Spheres of Influence
• Preliminary Work
• Design and Implementation
• Related Work
• Dissertation Plan

4

What is ubiquitous computing?

Transparent Computing

Tangible Computing

Pervasive Computing

Invisible Computing

Smart Spaces

Augmented Reality

Context-Aware Computing

5

What is ubiquitous computing?

“…the third wave in computing…” —Mark Weiser

“Third Paradigm computing”—Alan Kay

Common elements of ubiquitous computing visions:
  – Large number of devices in the environment
  – Pervasive communications infrastructure
  – Interactions support human activities

6

Ubiquitous Computing deconstructed

Interacting devices grouped by context

Device Communities are:
  – Related by some common attribute
  – Dynamic with changing membership
  – Reactive responding to context changes

7

Thesis

Approach:
• Divide world into self-managed, physically and logically grouped device communities.
• Manage group transitions and interactions.
• Provide common interface for group interaction.

Benefits:
• Simplifies high-level management through encapsulation.
• Community takes on responsibility for coordinating members.

8

Applications benefiting from coordination

• Mobile cluster management
  – At multiple levels

• Policy driven applications
  – Ensure consistent policy across applications

• Automatic proxy deployment

• Multi-device applications
  – E.g., multimedia applications

9

Necessary Components

• Membership Services
  – Secure Device Enrollment
  – Community Discovery
  – Relationship Management & Maintenance

• Communication & Event Services
  – Secure communication channels
  – Interest management
  – Event processing and dissemination
  – Community-aware event semantics

• Policy Engine
• Application Support


11

Roadmap

• Managing Ubiquitous Computing
• Our approach: Spheres of Influence
• Preliminary Work
• Design and Implementation
• Related Work
• Dissertation Plan

12

Approach: Spheres of Influence

Sphere: a networked software container representing a device or a device community. The sphere serves as an interaction nexus for a community. [1]

[1] Eustice et al. "Enabling Secure Ubiquitous Interactions," Proceedings of the First International Workshop on Middleware for Pervasive and Ad-hoc Computing (MPAC2003).

13

Spheres of Influence are recursive

Spheres can join with others to form larger, structured spheres
  – Coordinator of a sphere is the Sphere Leader

Represents complex structures:
  – Locations
  – Organizations
  – Device Clusters

14

Kevin’s Personal Sphere

My Personal Sphere

15

Boelter Hall

Boelter 3rd Floor

Boelter 3564

Physical Sphere

Personal Sphere

Location Sphere Hierarchy

16

Boelter Hall

Physical Sphere

Personal Sphere

Location Sphere Hierarchy

1st Floor

2nd Floor

3rd Floor

4th Floor

5th Floor

6th Floor

… Floor

17

Spheres of Influence

Spheres serve as a scoping mechanism for:

• Policy

• Privilege

• Event flow

• Communication

18

Spheres of Influence: Operational Vision

• Relationships adjust with behavior

• Spheres negotiate for service

• Applications leverage community context to customize user experience

19

Ackerman

Kevin

Sphere authenticates, negotiates for access to Ackerman

20

Ackerman

Kevin

Kevin’s Friends

Accesses local services & Ackerman scoped events

Negotiate access to “Friends” sphere, update location, check for new relevant events.

21

Ackerman

Boelter Hall

Boelter 3564

Kevin

LASR

Kevin

To receive LASR-specific services in 3564, Kevin must be able to show active membership in the LASR social sphere.

22

Anticipated Benefits

• Community Coordination

• Improved Security

• Structured, Common Community Model

• Vehicle for Application Innovation

23

Community Coordination

• Group members are group-aware
• Preferences and policy exposed to group
• Group members can interact as peers
• Structure serves to improve scalability of communities

Example: Group Mobility Optimization

24

Museum

Example: Mobile Tour Group

Network Impact for Group of size N
• Startup: 0
• Transition: N*(Associate + DHCP + Resource Acquisition)
• Maintenance: depends

Drawbacks:
• Consistent behavior requires multiple consistent configurations!
• Hosting network is flooded at every network transition!
  – Congestion degrades performance of DHCP

Other WLAN

A BC ED

25

Museum

Example: Mobile Tour Sphere

Network Impact for Sphere of size N
• Startup: (N-1)*(Associate + DHCP + Sphere Join)
• Transition: Associate + DHCP + Resource Acquisition
• Maintenance: 1 (Broadcast, Multicast), N-1 (Unicast)

Advantages:
• Consistent behavior due to common policy
• Configuration overhead spread over time
• Spatial reuse possibilities
  – Museum sphere can provide information on underutilized frequency space

Drawbacks:
• Sphere Bottleneck (can be optimized)

Other WLAN

A BC ED

26

Security Benefits

• Security boundary
  – Sphere members protected from outside
  – Sphere join can include integrity analysis [1]

• Membership services
  – Sphere access control
  – Wireless enrollment mechanisms

[1] K. Eustice et al. "Securing WiFi Nomads: The Case for Quarantine, Examination, and Decontamination," Proceedings of the New Security Paradigms Workshop (NSPW) 2003.

27

Applications Innovation

• Spheres as collaboration nexus

• Relationships used to customize behavior

• Group as User
  – Semantics
  – Interfaces

Example: Interactive Media

28

Example: Interactive Media

Multimedia application, using sphere behavior as input:
• Transitions
• Membership
• Interactions

Possible applications:
• Campus-wide game
• LACMA tour group application

[Diagram labels: Social Sphere; Location Sphere; Social Sphere]

29

Structured Common Community Model

• Multiple fidelity community membership

• Shared structure scopes relevance

• Simple standardized interface
  – Cross-community references
  – Diverse relations (Boelter 3564 and LASR)

30

Roadmap

• Managing Ubiquitous Computing
• Our approach: Spheres of Influence
• Preliminary Work
• Design and Implementation
• Related Work
• Dissertation Plan

31

Bob’s Office

QED

Bob

Worker

Worker

Worker

Worker

Quarantine device upon entry into network, and authenticate.

Examine device for vulnerabilities or undesirable services.

Decontaminate: Work with device to repair vulnerabilities!

32

Results from QED

• Evaluated in LASR testbed over 802.11b

• Vulnerable machines required additional time
  – Variable based on package size, average file size
  – E.g., perl required ~91 sec. for 34 Mbyte update

[Figure: bar chart of Time (s), axis from 0 to 8, for each of the QED Components: DHCP, Ipsec, Exam, Total]

Fig 1. Measured overhead in each component of QED session with up-to-date machine; 99% confidence intervals.

[Eustice05] K. Eustice, L. Kleinrock, M. Lukac, V. Ramakrishna and P. Reiher, “QED: Securing the Mobile Masses,” UCLA Technical Report TR-ID pending. 2005.

33

Roadmap

• Managing Ubiquitous Computing
• Our approach: Spheres of Influence
• Preliminary Work
• Design and Implementation
• Related Work
• Dissertation Plan

34

Major Systems Issues

• Placement of Management Logic

• Sphere Discovery

• Relationship Management

• Fault Tolerance and Reliability

• Events and Event Semantics

• Application Primitives

35

Sphere Discovery

• How do I find any sphere?
  – Broadcast & multicast
  – Reference-based maps

• How do I find a specific sphere?
  – Lookup Server
  – DNS-based approach

36

Relationship Management

• Sphere Bindings
  – Which sphere is the right sphere for me?
  – Different devices will bind to different spheres

• Approach
  • User/Application Preferences
  • Leverage existing relationships
  • Negotiation – resource/requirement matching

37

Events and Event Semantics

• Handling dynamic membership
  – Queuing events for inactive members
  – Interest registration

• Event Semantics
  – Scoping events
  – Closest spheres may be most relevant
  – Event Ordering

38

Spheres of Influence Components

• Doorman: handles external interactions

• Sphere Manager: handles internal interactions

• Policy Manager: mediates interactions

• Applications Interface

[Diagram labels: Sphere Manager; Policy Manager; Sphere State (Member table, Access Rights, Event Registration, …); Doorman; Int. Event Iface; Ext. Event Iface; Applications; Connection to any related Spheres]

39

A Sphere of Influence Node

[Diagram labels: Network (802.11, Bluetooth, Ethernet); Operating System; Ext. Sphere Interface; Event Coordinator; Security Services; Connection Manager; Discovery Module; Advert. Module; Join Module; Sphere API; Policy Engine; Applications; Int. Sphere Interface; Sphere Manager; Policy Manager; Doorman; External components]

40

Roadmap

• Managing Ubiquitous Computing
• Our approach: Spheres of Influence
• Preliminary Work
• Design and Implementation
• Related Work
• Dissertation Plan

41

Related Work

Location-based Infrastructure [Roman’01, Undercoffer’02, Al-Muhtadi’04 …]

Personal Cluster Management [Chetan’04]

Social Group Applications [Wang’04]

?

Spheres of Influence

Service Groups?

Others?

42

Related Work

• Ubiquitous Computing Infrastructure
  – Intelligent Room/Project Oxygen, Gaia, Centaurus2, one.world

• Ubiquitous Group Management
  – Ephemeral Social Groups, Mobile Gaia, Super Spaces

• Cluster Management
  – Open Cluster Framework, Mobile ad hoc clustering

• Content Distribution/Pub-Sub Event Distribution
  – SIENA, REBECA

• Secure Enrollment and Network Configuration
  – Resurrecting Duckling, Network-in-a-Box

43

Roadmap

• Managing Ubiquitous Computing
• Our approach: Spheres of Influence
• Preliminary Work
• Design and Implementation
• Related Work
• Dissertation Plan

44

Planned Activities

• Complete Implementation

• Measure of Utility

• Evaluation

• Measure of Applicability

45

Complete Implementation

• The Spheres of Influence prototype will be completed as detailed in the prospectus.

• Iterative development model for fast feedback.

• Implementation will be made publicly available via Sourceforge.

46

Measure of Utility

Implementation and demonstration of two sample applications
  – A “coordinate and optimize” application
  – An application to show novelty, using community transitions and interactions as application input

47

System Evaluation

• Framework Overhead

• Application Performance

• Methodology
  – Basic overhead measurements will be gathered in LASR testbed
  – Application results will also be gathered and analyzed

48

Measure of Applicability

My assumption: devices will interact in different types of organized groups.

• Provide a model to characterize ubiquitous applications in terms of group interactions.

• Analysis of common applications.

49

Examples

• Community Geo-annotation
  – mapping of social sphere[s] onto location spheres

• Friend-finder
  – mapping of location sphere[s] onto social spheres

• Access-control applications
  – mapping of social spheres onto physical spheres

• Location-aware Wireless Device Configuration
  – mapping of physical spheres from location sphere onto elemental device spheres

50

Implementation Status

Completed:
  – Communications framework
  – Sphere join protocol
  – Event registration and processing
  – Network configuration modules
  – Reference map-based discovery

51

Statement of Purpose

• Design and implement a device community management framework supporting ubiquitous computing scenarios.

• Contributions of this work:
  – Generalized concept of structured device communities applied to ubiquitous computing.
  – Framework prototype: Spheres of Influence.
  – Sample applications illustrating value and generality of framework

52

Spheres of Influence: Secure organization and coordination of diverse device communities

Kevin Eustice

April 20th, 2005

53

Extra Slides

55

Formal Foundations of Spheres of Influence

{ , , , , }S SphereID State History L

SphereID is a globally unique identifier.

L is the language that describes all valid system events.

History is a set of past States.

State is the current sphere state and is defined as:

{ , , , }State C P R

where,
C is the set of spheres that are S’s children
P is the set of spheres that are S’s parents
R is the set of resources that are available in S.
 is a set of policy rules that constrain interactions within the sphere.

56

Formal Foundations of Spheres of Influence

1 1

1 1

( , , )

( , ,{( { }) ( )})

where ,

i i

i i

i i i i

State History e L

State History C P S E L

C C C P P P

is the time-step function that updates the sphere based on current state and incoming events. A basic time-step function is given as:

57

Sphere Join Protocol

[Diagram labels: ISI, SM, PM, State, DM, ESI, COM; Members of S; Candidates of S]

58

Group Coordination through Sphere Events

• Interest-based Event Management

• Sphere structure scopes event flow
  – Event processing influenced by current connections
  – Different possible semantics

• Policy regulates interactions

59

Home

Living Room

Physical Sphere

Personal Sphere

Elemental Device Sphere

MediaPC

Registers interest in “MediaControl” events

Kevin

60

Home

Living Room

Physical Sphere

Personal Sphere

Elemental Device Sphere

MediaPC

Laptop generates a “MediaControl” event

Kevin

61

Interconnection Topology

• What device configuration?
  – Hierarchical
  – Acyclic Peer-Peer
  – General Peer-Peer

• Hybrid model
  – Many communities tend to be hierarchical
  – Multiple community memberships require peer-to-peer

62

Doorman (External Agent)

• Advertisement

• Discovery

• Enrollment

• Connection management

[Diagram labels: Sphere Manager; Policy Manager; Sphere State (Member table, Access Rights, Event Registration, …); Doorman; Int. Event Iface; Ext. Event Iface; Applications; Connection to any related Spheres]

63

Discovery/Advertisement Modes

• Broadcast & Multicast
  – Most feasible for physical spheres
  – Technical issues regarding visibility of advertisements

• Lookup Server
  – DNS-based approach
  – Most appropriate for abstract spheres

• Static mappings
  – Most appropriate for locations
  – Staleness and Size
  – Dissemination modes?

64

Planned Enrollment Techniques

• USB/RFID location-limited sideband (Balfanz et al.)
  – OOB exchange of hashed public keys
  – Tie identity to locality

• Network Vouchers
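The out-of-band exchange of hashed public keys listed above, as an added example (not code from the Spheres of Influence prototype or the slides): each side learns a digest of the other's key over the physical sideband, and a key later presented over the wireless link is accepted only if it matches. The `Party` class, the function names and the random byte strings standing in for public keys are assumptions; proof that the peer holds the matching private key is left to the key exchange that follows and is not modelled.

```python
import hashlib
import hmac
import secrets


def commitment(public_key: bytes) -> bytes:
    """Digest of a public key, small enough for a USB/RFID sideband."""
    return hashlib.sha256(public_key).digest()


class Party:
    """One side of enrollment (hypothetical model, not the Spheres API)."""

    def __init__(self, name: str):
        self.name = name
        # Constructed stand-in for an encoded public key.
        self.public_key = secrets.token_bytes(32)
        self.trusted = {}  # peer name -> digest learned over the sideband

    def sideband_exchange(self, peer: "Party") -> None:
        """Physical-contact step: swap key digests in both directions."""
        self.trusted[peer.name] = commitment(peer.public_key)
        peer.trusted[self.name] = commitment(self.public_key)

    def accept_key(self, peer_name: str, presented_key: bytes) -> bool:
        """Wireless step: accept a key only if it matches the sideband digest."""
        expected = self.trusted.get(peer_name)
        if expected is None:
            return False  # never met over the sideband: not tied to this locality
        return hmac.compare_digest(expected, commitment(presented_key))


def enroll(device: Party, sphere: Party,
           key_seen_by_sphere: bytes, key_seen_by_device: bytes) -> bool:
    """Both directions must verify before the sphere join proceeds."""
    return (sphere.accept_key(device.name, key_seen_by_sphere)
            and device.accept_key(sphere.name, key_seen_by_device))


if __name__ == "__main__":
    laptop, room = Party("laptop"), Party("room")
    laptop.sideband_exchange(room)
    print("honest exchange:", enroll(laptop, room, laptop.public_key, room.public_key))
    print("substituted key:", enroll(laptop, room, secrets.token_bytes(32), room.public_key))
```
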

65

Connection Manager

• Initiates Sphere Joins

• Handles incoming supplicants
  – Eligible supplicants handed to Sphere Manager
  – Else, reject connection

• Eligibility is determined by policy manager

66

Sphere Manager

• Manages existing relationships

• Manages events
  – Registration
  – Processing
  – Delivery

• Network interface manager

• Sphere state container

[Diagram labels: Sphere Manager; Policy Manager; Sphere State (Member table, Access Rights, Event Registration, …); Doorman; Int. Event Iface; Ext. Event Iface; Applications; Connection to any related Spheres]

67

Policy Manager

• Policy Manager:
  – Policy database contains local policy rules
  – Policy engine answers questions regarding state changing interactions and local policy

• Policy Language
  – Describes valid interactions in terms of relational, deontic, and temporal constraints
  – Logic-based

• Policy resolution, conflict handling
• Focus of V. Ramakrishna’s Dissertation

68

Applications Interface

• Access local sphere via loopback interface

• Device sphere maintains a per-application channel to allow event dissemination
  – Send/Receive Events
  – Query Sphere Status


70

Measure of Success

• Effectiveness
  – Construct examples similar to those presented here

• Low Overhead
  – Measure added complexity of sphere abstraction as a function of sphere size
  – Measure time-to-join compared to legacy network modes
  – Measure generation and evaluation time of relationship attestations.

71

Measure of Success

• Complete Implementation
  – Dynamic demo: automatically manage device community interactions in face of changing external context, cope with failure

• Usability
  – Daily use by laboratory inhabitants

• Task Management
  – LACMA application
  – UCLA Campus-based Multimedia Application

72

Contributions

• Model for a consistent representation of device membership spanning heterogeneous communities

• Secure, active management of community memberships

• Secure, cryptographic membership attestation

• Intra- and Inter-community event registration and delivery

• Evaluation of model with applications

73

Placement of Management Logic

• Where is sphere management located?
  – Centralized
  – Distributed
  – Partially Distributed

• Security tradeoff
  – Centralized leadership simpler to secure
  – Distribute components based on trust

74

Fault Tolerance and Reliability

• Determining failure
  – Did the sphere fail or did I change contexts?
  – Analyze external state and see what’s changed

• Approaches
  – Distribute management based on trust
  – Failover based on trust
  – Rediscover, rebind to sphere and coalesce

75

Application Primitives

• Access to Relational Data
  – Membership information
  – Peer information
  – Request & verify attestations

• Coordination Primitives
  – Gossiping
  – Consensus Gathering
  – Transaction Management

76

Previous Work

QED: mobile integrity management
  – Quarantine incoming mobile devices
  – Examine them for vulnerabilities
  – Decontaminate them, with repairs/updates

• Deployed in LASR to secure laptops
  – RPM package examination
  – Package update as needed via secure tunnel

• Measured overhead in QED phases
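The Examine step described above, sketched as an added example (not code from QED or the original slides): a quarantined device's installed package versions are compared against a baseline, and anything out of date or banned becomes a repair for the Decontaminate step. The package names, version strings, function names and the simplified version comparison are constructed for illustration; real RPM version ordering has more rules.

```python
import re

# Constructed sample data: package names and versions are illustrative only.
SAMPLE_INSTALLED = {"perl": "5.8.0-88", "openssh": "3.9p1-8", "telnet-server": "0.17-30"}
SAMPLE_BASELINE = {"perl": "5.8.5-12", "openssh": "3.9p1-8"}  # minimum acceptable
SAMPLE_BANNED = {"telnet-server"}  # undesirable services, by package name


def _segments(version):
    """Split a version string into runs of digits or letters."""
    return re.findall(r"\d+|[A-Za-z]+", version)


def compare_versions(a, b):
    """Return -1, 0 or 1. Simplified segment comparison, not full RPM ordering."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)            # compare numerically: 10 > 9
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # numeric segment outranks letters
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def examine(installed, baseline, banned):
    """Examine a quarantined device; return (verdict, repairs)."""
    repairs = []
    for name, minimum in sorted(baseline.items()):
        have = installed.get(name)
        if have is not None and compare_versions(have, minimum) < 0:
            repairs.append(("update", name, minimum))
    for name in sorted(installed.keys() & banned):
        repairs.append(("remove", name, None))
    # Any outstanding repair keeps the device in quarantine for decontamination.
    return ("admit" if not repairs else "decontaminate"), repairs


if __name__ == "__main__":
    print(examine(SAMPLE_INSTALLED, SAMPLE_BASELINE, SAMPLE_BANNED))
```
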

77

Related Work

Columns: Structured Social Groups | Structured Location Groups | Structured Service Groups | Structured Comm. Groups

Gaia [Roman’02]: Users Only; Single Location; Registry
Centaurus2 [Undercoffer’03]: Users Only; X; X
Super Spaces [AlMuhtadi’04]: Users Only; X; Distributed Registry
Mobile Gaia [Chetan’04]: Registry; Personal Device Cluster
Ephemeral Social Spheres [Wang’04]: X; X

78

Other Approaches

• Infrastructure projects (Gaia, Centaurus, AIRE/Project Oxygen)
  – Typical focus is centralized management of services within a physical space
  – Database, CORBA ORB, or local registry
  – Single administrative domain
  – Limited bootstrapping support

79

Other Approaches

• Gaia SuperSpaces [Al-Muhtadi’04]
  – Meta structure applied recursively to multiple Gaia spaces

• Mobile Gaia [Chetan’04]
  – Personal device cluster management

• Ephemeral Social Groups [Wang’04]

• Major Differences:
  – Multiple administrative domains.
  – Common representation model of different groups.

80

Related Work

• Cluster formation work [OCF]
  – Mobile ad hoc clustering protocols [many]

• Content distribution/pub-sub systems
  – SIENA [Carzaniga et al. ‘01]
  – REBECA [Mühl ‘02]

81

Examples of emerging communities

• Personal Device Communities
  Set of devices with a common owner

• Location-based Device Communities
  Devices related by proximity

• Social Device Communities
  Devices connected by user organization

• And others (Interest, Task, Function, ….)

82

Boelter Hall

Boelter 3564

Kevin

Network Connections to Social Sphere through Phys. Sphere

Kevin

Network Connection to Physical Sphere

LASR

Kevin