Brian Shand
Public Health England
Publication
Featured research published by Brian Shand.
IEEE Pervasive Computing | 2003
Vinny Cahill; Elizabeth Gray; Jean-Marc Seigneur; Christian Damsgaard Jensen; Yong Chen; Brian Shand; Nathan Dimmock; Andrew Twigg; Jean Bacon; Colin English; Waleed Wagealla; Sotirios Terzis; Paddy Nixon; G. Di Marzo Serugendo; Ciarán Bryce; M. Carbone; Karl Krukow; M. Nielson
The SECURE project investigates the design of security mechanisms for pervasive computing based on trust. It addresses how entities in unfamiliar pervasive computing environments can overcome initial suspicion to provide secure collaboration.
IEEE Network | 2004
Peter R. Pietzuch; Brian Shand; Jean Bacon
Event-based communication provides a flexible and robust approach to monitoring and managing large-scale distributed systems. Composite event detection extends the scope and flexibility of these systems by allowing application components to express interest in complex patterns of events. This makes it possible to handle the large numbers of events generated in Internet-wide systems, and in network monitoring and pervasive computing applications. In this article, we introduce a novel generic composite event detection framework that can be added on top of existing middleware architectures, as demonstrated in our implementation over JMS. We argue that the framework is flexible, expressive and easy to implement. Based on finite state automata extended with a rich time model and parameterization support, it provides a decomposable core language for specifying composite events. This allows detection to be distributed automatically throughout the system, guided by distribution policies that control the quality of service. Finally, tests show that using our composite event system over JMS can reduce bandwidth consumption while maintaining low notification delay for composite events.
ACM/IFIP/USENIX International Conference on Middleware | 2003
Peter R. Pietzuch; Brian Shand; Jean Bacon
For large-scale distributed applications such as internet-wide or ubiquitous systems, event-based communication is an effective messaging mechanism between components. In order to handle the large volume of events in such systems, composite event detection enables application components to express interest in the occurrence of complex patterns of events. In this paper, we introduce a general composite event detection framework that can be added on top of existing middleware architectures -- as demonstrated in our implementation over JMS. We argue that the framework is flexible, expressive, and easy to implement. Based on finite state automata extended with a rich time model and support for parameterisation, it provides a decomposable core language for composite event specification, so that composite event detection can be distributed throughout the system. We discuss the issues associated with automatic distribution of composite event expressions. Finally, tests of our composite event system over JMS show reduced bandwidth consumption and a low notification delay for composite events.
Distributed Event-Based Systems | 2007
Peter R. Pietzuch; David M. Eyers; Samuel Kounev; Brian Shand
Over the last decade a wide range of publish/subscribe (pub/sub) systems have come out of the research community. However, there is little consensus on a common pub/sub API, which would facilitate innovation, encourage application building, and simplify the evaluation of existing prototypes. Industry pub/sub standards tend to be overly complex, technology-centric, and hard to extend, thus limiting their applicability in research systems. In this paper we propose a common API for pub/sub that is tailored towards research requirements. The API supports three levels of compliance (with optional extensions): the lowest level specifies abstract operations without prescribing an implementation or data model; medium compliance describes interactions using a light-weight XML-RPC mechanism; finally, the highest level of compliance enforces an XML-RPC data model, enabling systems to understand each other's event and subscription semantics. We show that, by following this flexible approach with emphasis on extensibility, our API can be supported by many prototype systems with little effort.
ACM/IFIP/USENIX International Conference on Distributed Systems Platforms and Open Distributed Processing | 2010
Jean Bacon; David Evans; David M. Eyers; Matteo Migliavacca; Peter R. Pietzuch; Brian Shand
Security engineering must be integrated with all stages of application specification and development to be effective. Doing this properly is increasingly critical as organisations rush to offload their software services to cloud providers. Service-level agreements (SLAs) with these providers currently focus on performance-oriented parameters, which runs the risk of exacerbating an impedance mismatch with the security middleware. Not only do we want cloud providers to isolate each of their clients from others, we also want to have means to isolate components and users within each client’s application.
Policies for Distributed Systems and Networks | 2002
Brian Shand; Jean Bacon
In this paper, accounting policies explicitly control resource usage within a contract architecture. Combined with a virtual resource economy, this allows efficient exchange of high-level computer services between untrustworthy participants. These services are specified as contracts, which must be signed by the participants to take effect. Each contract expresses its accounting policy using a limited language, with high expressiveness but predictable execution times. This is evaluated within a novel resource economy, in which physical resources, trust and money are treated homogeneously. A second-order trust model continually updates trustworthiness opinions, based on contract performance; trust delegation certificates support flexible, distributed extension of these trust relationships. The introspectible contracts, resource and trust models together provide accountability and resilience, which are particularly important for large-scale distributed computation initiatives such as the Grid. Thus participants can take calculated risks, based on expressed policies and trust, and rationally choose which contracts to perform.
Proceedings of the 13th International Conference on Modularity | 2014
Thomas F. J.-M. Pasquier; Jean Bacon; Brian Shand
This paper reports on our experience with providing Information Flow Control (IFC) as a library. Our aim was to support the use of an unmodified Platform as a Service (PaaS) cloud infrastructure by IFC-aware web applications. We discuss how Aspect Oriented Programming (AOP) overcomes the limitations of RubyTrack, our first approach. Although use of AOP has been mentioned as a possibility in past IFC literature we believe this paper to be the first illustration of how such an implementation can be attempted. We discuss how we built FlowR (Information Flow Control for Ruby), a library extending Ruby to provide IFC primitives using AOP via the Aquarium open source library. Previous attempts at providing IFC as a language extension required either modification of an interpreter or significant code rewriting. FlowR provides a strong separation between functional implementation and security constraints which supports easier development and maintenance; we illustrate with practical examples. In addition, we provide new primitives to describe IFC constraints on objects, classes and methods that, to our knowledge, are not present in related work and take full advantage of an object oriented language (OO language). The experience reported here makes us confident that the techniques we use for Ruby can be applied to provide IFC for any Object Oriented Program (OOP) whose implementation language has an AOP library.
Computer and Communications Security | 2015
Divya Muthukumaran; Dan O'Keeffe; Christian Priebe; David M. Eyers; Brian Shand; Peter R. Pietzuch
Bugs in the authorisation logic of web applications can expose the data of one user to another. Such data disclosure vulnerabilities are common -- they can be caused by a single omitted access control check in the application. We make the observation that, while the implementation of the authorisation logic is complex and therefore error-prone, most web applications only use simple access control models, in which each piece of data is accessible by a user or a group of users. This makes it possible to validate the correct operation of the authorisation logic externally, based on the observed data in HTTP traffic to and from an application. We describe FlowWatcher, an HTTP proxy that mitigates data disclosure vulnerabilities in unmodified web applications. FlowWatcher monitors HTTP traffic and shadows part of an application's access control state based on a rule-based specification of the user-data-access (UDA) policy. The UDA policy states the intended data ownership and how it changes based on observed HTTP requests. FlowWatcher detects violations of the UDA policy by tracking data items that are likely to be unique across HTTP requests and responses of different users. We evaluate a prototype implementation of FlowWatcher as a plug-in for the Nginx reverse proxy and show that, with short UDA policies, it can mitigate CVE bugs in six popular web applications.
Information Technology | 2009
Jean Bacon; David M. Eyers; Jatinder Singh; Brian Shand; Matteo Migliavacca; Peter R. Pietzuch
Event-based systems give the potential for active information sharing. The event-based paradigm, if used for event transport, provides loose coupling between components, many-to-many communication and mutual anonymity of event producers and event consumers. This communication style has been adopted enthusiastically for convenience of programming; particularly for financial processing, healthcare applications and sensor-based systems. But some data is sensitive, and its visibility must be controlled carefully for personal and legal reasons. Our research projects have explored this space for some time, investigating application domains in which the event-based paradigm is appropriate yet where security is an issue. We discuss security issues for multi-domain, event-based systems, considering the requirements of applications and the risk associated with failure. We provide an overview of the state-of-the-art in secure event-based systems: research already carried out, work in progress and issues still to be addressed. This is of relevance to emerging large-scale systems required by government and public bodies for domains such as healthcare, police, transport and environmental monitoring.
ACM/IFIP/USENIX International Conference on Middleware | 2010
Matteo Migliavacca; Ioannis Papagiannis; David M. Eyers; Brian Shand; Jean Bacon; Peter R. Pietzuch
Distributed, event-driven applications that process sensitive user data and involve multiple organisational domains must comply with complex security requirements. Ideally, developers want to express security policy for such applications in data-centric terms, controlling the flow of information throughout the system. Current middleware does not support the specification of such end-to-end security policy and lacks uniform mechanisms for enforcement. We describe DEFCon-Policy, a middleware that enforces security policy in multi-domain, event-driven applications. Event flow policy is expressed in a high-level language that specifies permitted flows between distributed software components. The middleware limits the interaction of components based on the policy and the data that components have observed. It achieves this by labelling data and assigning privileges to components. We evaluate DEFCon-Policy in a realistic medical scenario and demonstrate that it can provide global security guarantees without burdening application developers.