Alvaro Arenas

Towards Modelling Obligations in Event-B

We propose a syntactic extension of Event-B incorporating a limited notion of obligation described by triggers. The trigger of an event is the dual of the guard: when a guard is not true, an event must not occur, whereas when a trigger is true, the event must occur. The obligation imposed by a trigger is interpreted as a constraint on when the other events are permitted. For example, the simplest trigger next, which states that the event must be the next one to be executed when the trigger becomes true, is modelled as an extra guard on each of the other events which prohibits their execution at this time. In this paper we describe the modelling of triggers in Event-B, and analyse refinement and abstract scheduling of triggered events.

Defeating Colluding Nodes in Desktop Grid Computing Platforms

Desktop Grid systems reached a preeminent place among the most powerful computing platforms in the planet. Unfortunately, they are extremely vulnerable to mischief, because computing projects exert no administrative or technical control on volunteers. These can very easily output bad results, due to software or hardware glitches (resulting from over-clocking for instance), to get unfair computational credit, or simply to ruin the project. To mitigate this problem, Desktop Grid servers replicate work units and apply majority voting, typically on 2 or 3 results. In this paper, we observe that simple majority voting is powerless against malicious volunteers that collude to attack the project. We argue that to identify this type of attack and to spot colluding nodes, each work unit needs at least 3 voters. In addition, we propose to post-process the voting pools in two steps. i) In the first step, we use a statistical approach to identify nodes that were not colluding, but submitted bad results; ii) then, we use a rather simple principle to go after malicious nodes which acted together: they might have won conflicting voting pools against nodes that were not identified in step i. We use simulation to show that our heuristic can be quite effective against colluding nodes, in scenarios where honest nodes form a majority.

Controlling Usage in Business Process Workflows through Fine-Grained Security Policies

We propose a language for expressing fine-grained security policies for controlling orchestrated business processes modelled as a BPEL workflow. Our policies are expressed as a process algebra that permits a BPEL activity, denies it or force-terminates it. The outcome is evaluates with compensation contexts. Finally, we give an example of these policies in a distributed map processing scenario such that the policies constrain service interactions in the workflow according to the security requirements of each entity participating in the workflow.

On trust management in grids

This paper presents an overview of the different concepts and technologies for managing trust in Grids. It examines the relation between trust and security, introducing the current technology for managing trust. The classical Virtual Organisation lifecycle is augmented with trust management actions.

Detecting Conflicts in ABAC Policies with Rule-Reduction and Binary-Search Techniques

Attribute-based access control (ABAC) policies are effective and flexible in governing the access to information and resources in open distributed computing environments. However, ABAC policy rules are often complex making them prone to conflicts. This paper proposes an optimized method to detect the conflicts between statistically conflicting rules in an ABAC policy. This method includes two optimization techniques: rule reduction and binary-search. The first technique reduces the rules into a set of compact, semantically equivalent rules through removing redundant information among the rules. The binary-search technique is then applied to discover the conflicts among them.

Bridging the Gap between Legal and Technical Contracts

Two or more parties typically establish a business relationship using a contract, but a large gap still exists between the provisions of contracts produced by lawyers and the details of computer security and performance addressed by technologists. Some contractual clauses address legal issues that technology can manage as well - the TrustCoM framework offers a paradigm for automating these clauses as technical operations. If a business relationship forms across a service-oriented architecture, the parties involved often manage their collaboration as a virtual organization (VO). In TrustCoM, agreements are the key means of steering VO collaborations and mitigating the risks inherent in integrating processes and resources across organizational boundaries.

Contracts as Trust Substitutes in Collaborative Business

The globalization of business through mergers and acquisitions requires the interoperation of established heterogeneous systems within the enterprise. Supply-chain management and collaboration between companies likewise necessitate interoperation between enterprise systems. Companies must break down system silos to increase utilization rates. Automated contract management can mitigate the risks of interoperating systems.

Toward Web Services Profiles for Trust and Security in Virtual Organisations

The rise in practical Virtual Organisations (VOs) requires secure access to data and interactions between their partners. Ad hoc solutions to meet these requirements are possible, but Web services hold out the potential for generic security solutions whose cost can be spread across several short lived dynamic VOs. This paper identifies trust and security requirements throughout the VO lifecycle and analyse current Web Services specifications to show their suitability to meet these requirements. Although they demonstrate the potential for generic security support, there are uncertainties concerning different level of interoperability and stability of implementation for different specifications, which may slow down their exploitation for security-critical business applications. However, research in Web services developments are well timed to avoid losing first adopter advantage when they become stable.

Defeating colluding nodes in Desktop Grid computing platforms

Desktop grid systems reached a preeminent place among the most powerful computing platforms in the planet. Unfortunately, they are extremely vulnerable to mischief because volunteers can output bad results, for reasons ranging from faulty hardware (like over-clocked CPUs) to intentional sabotage. To mitigate this problem, desktop grid projects replicate work units and apply majority voting, typically on 2 or 3 results. In this paper, we observe that this form of replication is powerless against malicious volunteers that have the intention and the (simple) means to ruin the project using some form of collusion. We argue that each work unit needs at least 3 voters and that voting pools with conflicts enable the master to spot colluding malicious nodes. Hence, we post- process the voting pools in two steps: i) we use a statistical approach to identify nodes that were not colluding, but submitted bad results; ii) we use a rather simple principle to go after malicious nodes which acted together: they might have won conflicting voting pools against nodes that were not identified in step i. We use simulation to show that our heuristic can be quite effective against colluding nodes, in scenarios where honest nodes form a majority.

Fine-Grained Continuous Usage Control of Service Based Grids --- The GridTrust Approach

Access control techniques designed for single domain infrastructures, where users are known by domain administrators, provide considerable liberty in the usage of resources. This paradigm is not suitable for highly scalable and decentralised systems such as Grids and service oriented architectures (SOA), where resources are shared between domains, and users come from remote domains. One approach is to provide policy-driven autonomic solutions that operate a continuous monitoring of the usage of resources by users. This paper presents the services and tools offered by the GridTrust Security Framework (GSF). GSF addresses three layers of the next generation of grid (NGG) architecture: the Grid application layer, the Grid service middleware layer, and the Grid foundation layer. The framework is composed of security and trust services and tools provided at the middleware and Grid foundation middleware layers. Various business case studies are being developed to validate the GridTrust results.