Threats, Risk Assessment, and Policy Management in UbiComp Workshop on Security in UbiComp UBICOMP 2002, 29th Sept. Göteborg, Sweden Philip Robinson, SAP Corporate Research & Telecooperation Office

Page 1:

Threats, Risk Assessment, and Policy Management in UbiComp

Workshop on Security in UbiComp

UBICOMP 2002, 29th Sept. Göteborg, Sweden

Philip Robinson, SAP Corporate Research & Telecooperation Office

Page 2:

Management & Access Scope of UbiComp Environments and Applications

• Closed/Embedded
• Personal
• Static Groups
• Public
• Ad Hoc Groups

Page 3:

Point of Alert

• Static Threat = Unsolicited interactive access to system by non-group member
• Ad Hoc Threat = Unsolicited use of special services – access beyond role and rights
• Public Threat = “unsolicited” modification/misuse of system
• Personal Threat = Unsolicited possession of system (tangible access)
• Closed Threat = Unsolicited access to system location

“Access to a system or its resources/ information is the first line of attack”

Page 4:

Risk – all about Context

• Information and Resources have no value without a particular Context.

• Context information changes the awareness and evaluation of risks

• Awareness of risks changes the utility of and contribution to the Context information

Credit Card #: 4999 910 876 1234

Sensor node components (figure):

• Photodiode (light intensity sensor)
• Accelerometer (movement sensor)
• Thermometer (temperature sensor)
• Barometer (pressure sensor)
• (other sensor...)
• Analog/Digital Converter
• Microcontroller
• Communications

Page 5:

When is the risk pending?

• Data
• Sensor/Low-level Context Information (cues): temperature, acceleration, location
• Computed/Partial Context Information: Movement, Office, Occupied
• Elicited/Meta-level Context Information: Meeting and Discussion in Session, and topic is…

Page 6:

Attack Profile

RESOURCES / CONTEXT

• Communicational (Reception & Transmission)
• Interactive (Stimuli & Response)
• Perceptive (Sensors & Actuators)
• Computational (Memory, Power & Processing)

ATTACK

• Attacker listens in on communications channel. Attacks on confidentiality & privacy!
• Attack by abusing lack or excess of computational capacity – denial of service or malicious code attacks
• Attack by embedding false sensor and actuator devices into environment – attack on context derivation integrity
• Attack by falsifying the physical environment’s signals – attack on context reading integrity

Page 7:

Policy Management

Administrative Distribution

• Definition: Document encoded, Application encoded, Entity encoded
• Enforcement: Security Mechanism selection, Physical vs. Logical
• Modification & Dissolution: Static vs. Dynamic, Consistency & notification
• Auditing: Centralized vs. Distributed

Behavioral policy, relational policy

Figure labels: data, Analog signal, A/D, transmission, Computation, Digital signal, Interpretation, emission, Physical environment

• Signal integrity policy
• Context-based policies
• Computational policies
• Communication policies
• Authorization policies

Page 8:

Summary

• Identify access scope of UbiComp application
• Determine point-of-alert based on access scope
• Determine when the context creates a manageable risk
• Perform a Threat Analysis
• Define policy model to circumvent threats
• Implement mechanisms to enforce policy
• Establish methodology for managing policy information

Page 9:

Policy Enforcement

Page 10:

Policy Dissolution

Page 11:

Policy Modification