Ciarán Bryce

Using trust for secure collaboration in uncertain environments

The SECURE project investigates the design of security mechanisms for pervasive computing based on trust. It addresses how entities in unfamiliar pervasive computing environments can overcome initial suspicion to provide secure collaboration.

Compile-Time Detection of Information Flow in Sequential Programs

We give a formal definition of the notion of information flow for a simple guarded command language. We propose an axiomatisation of security properties based on this notion of information flow and we prove its soundness with respect to the operational semantics of the language. We then identify the sources of non determinism in proofs and we derive in successive steps an inference algorithm which is both sound and complete with respect to the inference system.

Coordinating processes with secure spaces

The Linda shared space model and its derivatives provide great flexibility for building parallel and distributed applications composed of independent processes. However, the shared space model does not provide protection against untrustworthy processes. Linda processes communicate by reading and writing messages in a globally visible data space, so a malicious process can launch any number of security attacks. This paper presents the design of a new coordination model which extends Linda with fine-grained access control. The semantics of the model is presented in the context of a process calculus. A prototype of our model, called SECOS, has been implemented in JAVA.

A Coordination Model Agents Based on Secure Spaces

Shared space coordination models such as Linda are ill-suited for structuring applications composed of erroneous or insecure components. This paper presents the Secure Object Space model. In this model, a data element can be locked with a key and is only visible to a process that presents a matching key to unlock the element. We give a precise semantics for Secure Object Space operations and discuss an implementation in JAVA for a mobile agent system. An implementation of the semantics that employs encryption is also outlined for use in untrusted environments.

An approach to safe object sharing

It is essential for security to be able to isolate mistrusting programs from one another, and to protect the host platform from programs. Isolation is difficult in object-oriented systems because objects can easily become aliased. Aliases that cross program boundaries can allow programs to exchange information without using a system provided interface that could control information exchange. In Java, mistrusting programs are placed in distinct loader spaces but uncontrolled sharing of system classes can still lead to aliases between programs. This paper presents the object spaces protection model for an object-oriented system. The model decomposes an application into a set of spaces, and each object is assigned to one space. All method calls between objects in different spaces are mediated by a security policy. An implementation of the model in Java is presented.

Resource management for clusters of virtual machines

Enterprise applications are increasingly being built using type-safe programming platforms and deployed over horizontally scalable systems. Horizontal scalability depends crucially on the ability to monitor resource usage and to define and enforce resource management policies capable of guaranteeing a desired service level. However, current safe language platforms have very limited support for resource management, and their cluster-enabled versions reflect this deficiency. We describe an architecture of federated Java/spl trade/ virtual machines. Its distinguishing feature is an integrated resource management interface that addresses the above issues. It offers programmatic control over monitoring and controlling the allocation of resources to applications and their components. The scope of each policy can span multiple nodes, realizing finegrained control. New resource types can be defined and integrated into the framework. Remote management of local resources and the notion of cluster-global resources form a powerful combination capable of expressing policies that achieve effective performance isolation for cluster applications.

Mobile Object Systems

The ECOOP workshop on Mobile Object Systems was first organized in 1995 and has been held every year since. The first two episodes in the series – entitled “Objects and Agents” (1995) and “Agents on the Move” (1996) – were exploratory in nature, reflecting a growing awareness and interest in the possibilities of mobile code and mobile objects for Internet programming. Towards the end of the 1990s, Interest in the domain began to mature and several mobile object systems appeared in the research community. As a consequence, further editions of the Mobile Object Systems workshop concentrated on specific aspects of mobile objects. For instance, the title of the 1997 workshop was “Operating System Support”, the theme of the 1998 workshop was “Security”, and the theme of the 1999 installment was “Programming Language Support”. With the workshop entering into its second half-decade, the themes of the workshop became more broad in scope. On the other hand, we decided to place more emphasis on discussions in the workshops and on invited presentations. The theme of the workshop in 2000 was “Operating System Support, Security and Programming Languages”, and the theme of the 2001 edition was “Application Support and Dependability”. For the 2002 edition, the theme chosen was “Experience”, even though we accepted papers from all areas of the mobile object domain. There were 11 papers accepted for this year’s workshop, of which 9 were presented, as well as 4 invited talks. The invited talks were from Doug Lea of SUNY OSWEGO, Jan Vitek of Purdue University, Luc Moreau of Southampton University and Chrislain Razafimahefa of Geneva Univesity. The program committee was composed of experts from all areas of the mobile object systems domain, many of whom had already participated in previous editions of the workshop in some form. The committee was: Walter Binder, (CoCo Software, Vienna, Austria), Eric Jul (CopenHagen University, Denmark), Doug Lea (OSWEGO, USA), Giovanna di Marzo Serugendo (Geneva University, Switzerland), Luc Moreau (Southampton, UK), Peter Sewell (Cambridge University, UK), Jan Vitek (Purdue University, USA), and Jarle Hulaas (Geneva University, Switzerland). I am very grateful to these researchers for reviewing papers, and for contributing to the workshop over the years. The workshop was held on Monday, June 10th just prior to the ECOOP conference at the Computer Science institute of Málaga University. There were

Coordination and security on the Internet

This chapter examines the impact of security on the design of coordination models for agent-based systems deployed over the Internet. A reference architecture for secure coordination in shared space models is presented. In this context, we argue that the interaction of agents and system components throughout a shared space should be governed by policies that satisfy both coordination and security requirements. A distributed scenario, composed of multiple independent shared spaces, is then considered. The integration of cryptographic primitives into tuple-based communication is necessary, but this has subtleties that system designers must be aware of. Some examples of these subtleties are discussed. Finally, existing coordination models and systems are analyzed with respect to the general security framework presented.

A Security Framework for a Mobile Agent System

This paper describes a distributed security infrastructure for mobile agents. The first property of the infrastructure is believability ; this means that mechanisms are provided for authenticating information furnished by an agent. A second security property is survivability . This means that an agent computation can be programmed to survive attacks by malicious hosts on individual agents; this is achieved through encryption as well as agent replication and voting. The main feature of the infrastructure is that mobile agents are themselves used to enforce the security properties.

Towards an evaluation methodology for computational trust systems

Trust-based security frameworks are increasingly popular, yet few evaluations have been conducted. As a result, no guidelines or evaluation methodology have emerged that define the measure of security of such models. This paper discusses the issues involved in evaluating these models, using the SECURE trust-based framework as a case study.