Naranker Dulay

The Ponder Policy Specification Language

The Ponder language provides a common means of specifying security policies that map onto various access control implementation mechanisms for firewalls, operating systems, databases and Java. It supports obligation policies that are event triggered condition-action rules for policy based management of networks and distributed systems. Ponder can also be used for security management activities such as registration of users or logging and auditing events for dealing with access to critical resources or security violations. Key concepts of the language include roles to group policies relating to a position in an organisation, relationships to define interactions between roles and management structures to define a configuration of roles and relationships pertaining to an organisational unit such as a department. These reusable composite policy specifications cater for the complexity of large enterprise information systems. Ponder is declarative, strongly-typed and object-oriented which makes the language flexible, extensible and adaptable to a wide range of management requirements.

Specifying Distributed Software Architectures

There is a real need for clear and sound design specifications of distributed systems at the architectural level. This is the level of the design which deals with the high-level organisation of computational elements and the interactions between those elements. The paper presents the Darwin notation for specifying this high-level organisation. Darwin is in essence a declarative binding language which can be used to define hierarchic compositions of interconnected components. Distribution is dealt with orthogonally to system structuring. The language supports the specification of both static structures and dynamic structures which may evolve during execution. The central abstractions managed by Darwin are components and services. Services are the means by which components interact.

Shared and searchable encrypted data for untrusted servers

Current security mechanisms are not suitable for organisations that outsource their data management to untrusted servers. Encrypting and decrypting sensitive data at the client side is the normal approach in this situation but has high communication and computation overheads if only a subset of the data is required, for example, selecting records in a database table based on a keyword search. New cryptographic schemes have been proposed that support encrypted queries over encrypted data. But they all depend on a single set of secret keys, which implies single user access or sharing keys among multiple users, with key revocation requiring costly data re-encryption. In this paper, we propose an encryption scheme where each authorised user in the system has his own keys to encrypt and decrypt data. The scheme supports keyword search which enables the server to return only the encrypted data that satisfies an encrypted query without decrypting it. We provide a concrete construction of the scheme and give formal proofs of its security. We also report on the results of our implementation.

A policy deployment model for the Ponder language

Policies are rules that govern the choices in behaviour of a system. Security policies define what actions are permitted or not permitted, for what or for whom, and under what conditions. Management policies define what actions need to be carried out when specific events occur within a system or what resources must be allocated under specific conditions. There is considerable interest in the use of policies for the security and management of large-scale networks and distributed services. Existing policy work has focussed on specification, information models and application-specific policy enforcement. We address the important goal of providing a general-purpose deployment model for policies that is independent of the underlying policy enforcement mechanisms and can be employed in mixed policy environments. In this paper, we present a deployment model that is object-oriented and addresses the instantiation, distribution and enabling of policies as well as the disabling, unloading and deletion of policies. The model defines objects for policies, for domains, and for the policy enforcement agent and outlines the interactions needed between them. The model also caters for changes in the memberships of domains since such changes also effect policy enforcement. The model forms part of the run-time support for Ponder; a new policy language that combines structuring ideas from object-oriented languages with a common set of policy basic types.

Structuring parallel and distributed programs

Darwin is a configuration language which allows distributed and parallel programs to be structured in terms of groups of process instances which communicate by message passing. In addition to expressing static structure, Darwin can be used to express structures which change dynamically as execution progresses. The authors present a set of examples illustrating the use of Darwin in constructing parallel programs. Since processes can be considered to be an abstraction of physical processors, Darwin can also be used to describe the hardware structure of distributed memory multicomputers in terms of processors and their interconnection. The authors illustrate this for a multicomputer constructed from transputers and show its use in the process of mapping the logical structure of a parallel program to the physical hardware.

A constructive development environment for parallel and distributed programs

Regis is a programming environment aimed at supporting the development and execution of parallel and distributed programs. It embodies a constructive approach to the development of programs based on separating program structure from communication and computation. The emphasis is on constructing programs from multiple parallel computational components which cooperate to achieve the overall goal. The environment is designed to easily accommodate multiple communication mechanisms and primitives. Both the computational and communication elements of Regis programs are programmed in the object oriented programming language C++. The elements are combined into parallel and distributed programs using the configuration language Darwin. The paper describes programming in Regis through a set of small example programs.<<ETX>>

Regis: a constructive development environment for distributed programs

Regis is a programming environment aimed at supporting the development and execution of distributed programs. It embodies a constructive approach to the development of programs based on separating program structure from communication and computation, The emphasis is on constructing programs from multiple parallel computational components which cooperate to achieve the overall goal. The environment is designed to easily accommodate multiple communication mechanisms and primitives. Both the computational and communication elements of Regis programs are programmed in the object oriented programming language C++. The elements are combined into distributed programs using the configuration language Darwin. The paper describes programming in Regis through a set of small example programs drawn from the implementation of an Active Badge system.

Ponder2: A Policy System for Autonomous Pervasive Environments

Policies form an important part of management and can be an effective means of implementing self-adaptation in pervasive systems. Most policy-based systems focus on large-scale networks and distributed systems. Consequently, they are often fragmented, dependent on infrastructure and lacking ¿exibility and extensibility. This paper presents Pon- der2, a novel policy system that is suitable for a wide range of environments and applications. The design and implementation of Ponder2 emphasises simplicity, ¿exibil- ity and extensibility and provides users with the ability to interact easily with the managed system. Ponder2 can interact with other software and hardware components and is being used in environments ranging from single devices, to personal area networks, ad-hoc networks and distributed systems. We also describe PonderTalk, a high-level object orientated language inspired by Smalltalk for con¿guring and controlling Ponder2 systems.large scale systems. It advocates a similar de-centralised model of autonomous agents co-operating with each other and composing into more complex con¿gurations. However, many existing policy-based frameworks have not been conceived for such environments. Their design is dependent on centralised infrastructure support such as LDAP directories and CIM repositories. Their deploy- ment model is often based on centralised provisioning and decision-making that does not offer the means for policy execution components to interact with each other, collabo- rate or federate into larger structure. Policy speci¿cation is seen as an off-line activity, and policy frameworks do not easily interact with the managed system. Consequently such frameworks are dif¿cult to install, run and experiment with. Additionally, they usually do not scale to smaller devices omnipresent in pervasive systems.

Ponder2 - A Policy Environment for Autonomous Pervasive Systems

Policies form an important part of management activities and are an effective means of implementing self-adaptation in pervasive systems. Many policy- based systems designed to date focus on large-scale networks and distributed systems. Consequently, they are often fragmented, dependent on infrastructure and lacking flexibility and extensibility. This demonstration presents Ponder2, a self-contained, stand-alone policy environment that is suitable for a wide range of applications in environments ranging from single devices, to personal area networks, ad-hoc networks and distributed systems. Ponder2 environments can be federated giving a consistent view of the name spaces within the environments and the ability to propagate events in a transparent manner.

Configuring object-based distributed programs in REXX

The popularity of the object-oriented programming paradigm has stimulated research into its use for parallel and distributed programming. The major issues that affect such use are concurrency control, object interfaces, binding and inheritance. In this paper, we discuss the relative merits of current solutions to these issues and describe an approach based on the use of active objects with essentially explicit interfaces and bindings, and composition as a pragmatic alternative to inheritance. The key feature of our approach is the use of a configuration language to define program structure as a set of objects and their bindings. The configuration language includes facilities for hierarchic definition of composite objects, parameterisation of objects, conditional configurations and recursive definition of objects. This separate and explicit description of program structure complements object-oriented programming. The approach is illustrated by examples from the REX environment for the development of parallel and distributed software.