Srdjan Marinovic
Imperial College London
Publication
Featured research published by Srdjan Marinovic.
ieee international symposium on policies for distributed systems and networks | 2010
Ryan Wishart; Domenico Corapi; Srdjan Marinovic; Morris Sloman
Recent years have seen a significant increase in the popularity of social networking services. These online services enable users to construct groups of contacts, referred to as friends, with which they can share digital content and communicate. This sharing is actively encouraged by the social networking services, with users’ privacy often seen as a secondary concern. In this paper we first propose a privacy-aware social networking service and then introduce a collaborative approach to authoring privacy policies for the service. In addressing user privacy, our approach takes into account the needs of all parties affected by the disclosure of information and digital content.
runtime verification | 2012
David A. Basin; Felix Klaedtke; Srdjan Marinovic; Eugen Zălinescu
When monitoring system behavior to check compliance against a given policy, one is sometimes confronted with incomplete knowledge about system events. In IT systems, such incompleteness may arise from logging infrastructure failures and corrupted log files, or when the logs produced by different system components disagree on whether actions took place. In this paper, we present a policy language with a three-valued semantics that allows one to explicitly reason about incomplete knowledge and handle disagreements. Furthermore, we present a monitoring algorithm for an expressive fragment of our policy language. We illustrate through examples how our approach extends compliance monitoring to systems with logging failures and disagreements.

advanced information networking and applications | 2010
Leonardo Mostarda; Srdjan Marinovic; Naranker Dulay
Pervasive systems are increasingly being designed using a service-oriented approach where services are distributed across wireless devices of varying capabilities. Service orchestration is a simple and popular method to coordinate web-based services but introduces a single point of failure and lacks the flexibility to cope with the greater variability of pervasive environments. Choreography in contrast advocates explicitly modelling systems as interacting peers that conform to rules of interaction. Choreography offers greater reliability and flexibility but leads to systems that are much harder to validate. In this paper we describe a novel intermediate approach, where given a logically centralised service orchestration, we automatically generate a distributed implementation that correctly enforces the orchestration behaviour. Our system handles all the synchronisation and consensus issues and ensures correctness. The system also incorporates a number of abstractions for grouping pervasive peers and coordinating pervasive peer-to-peer interactions.
runtime verification | 2013
David A. Basin; Felix Klaedtke; Srdjan Marinovic; Eugen Zălinescu
Compliance policies often stipulate conditions on aggregated data. Current policy monitoring approaches are limited in the kind of aggregations that they can handle. We rectify this as follows. First, we extend metric first-order temporal logic with aggregation operators. This extension is inspired by the aggregation operators common in database query languages like SQL. Second, we provide a monitoring algorithm for this enriched policy specification language. Finally, we experimentally evaluate our monitor’s performance.
ACM Transactions on Information and System Security | 2014
Srdjan Marinovic; Naranker Dulay; Morris Sloman
Access control policies define what resources can be accessed by which subjects and under which conditions. It is, however, often not possible to anticipate all subjects that should be permitted access and the conditions under which they should be permitted. For example, predicting and correctly encoding all emergency and exceptional situations is impractical. Traditional access control models simply deny all requests that are not permitted, and in doing so may cause unpredictable and unacceptable consequences. To overcome this issue, break-glass access control models permit a subject to override an access control denial if he accepts a set of obligatory actions and certain override conditions are met. Existing break-glass models are limited in how the override decision is specified. They either grant overrides for a predefined set of exceptional situations, or they grant unlimited overrides to selected subjects, and as such, they suffer from the difficulty of correctly encoding and predicting all override situations and permissions. To address this, we develop Rumpole, a novel break-glass language that explicitly represents and infers knowledge gaps and knowledge conflicts about the subjects' attributes and the contextual conditions, such as emergencies. For example, a Rumpole policy can distinguish whether or not it is known that an emergency holds. This leads to a more informed decision for an override request, whereas current break-glass languages simply assume that there is no emergency if the evidence for it is missing. To formally define Rumpole, we construct a novel many-valued logic programming language called Beagle. It has a simple syntax similar to that of Datalog, and its semantics is an extension of Fitting's bilattice-based semantics for logic programs. Beagle is a knowledge non-monotonic language, and as such, is strictly more expressive than current many-valued logic programming languages.
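The following is an added illustration, not code from this paper or from the 2012 runtime verification paper above, of the point the two share: a policy evaluated over evidence that may be missing or contradictory. It uses Belnap's four truth values (true, false, unknown, conflict), the lattice that bilattice-based semantics builds on. The hospital policy, the log entries and the mapping from truth values to break-glass decisions are assumptions made for the example; they are not Rumpole or Beagle syntax and not the monitor language of the 2012 paper.

```python
"""Knowledge-aware policy evaluation over incomplete and conflicting logs.

Added example, not code from the papers listed on this page. A simple
break-glass policy is evaluated over evidence that may be missing or
contradictory, using Belnap's four truth values: T (known true), F (known
false), U (unknown: no evidence, a knowledge gap) and C (conflict:
contradictory evidence). Policy, facts and log entries are constructed.
"""
from enum import Enum


class V(Enum):
    T = "true"
    F = "false"
    U = "unknown"
    C = "conflict"


def neg(a):
    """Negation swaps T and F and leaves U and C fixed."""
    return {V.T: V.F, V.F: V.T, V.U: V.U, V.C: V.C}[a]


def and_(a, b):
    """Meet in the truth order F < U, C < T (U and C are incomparable)."""
    if V.F in (a, b):
        return V.F
    if a == V.T:
        return b
    if b == V.T:
        return a
    return a if a == b else V.F      # U together with C meets at F


def or_(a, b):
    """Join in the truth order."""
    if V.T in (a, b):
        return V.T
    if a == V.F:
        return b
    if b == V.F:
        return a
    return a if a == b else V.T      # U together with C joins at T


def lookup(evidence, fact):
    """Four-valued truth of `fact` from (fact, asserted) entries written by
    possibly disagreeing log sources. No entry at all is a gap (U), not F."""
    claims = [asserted for f, asserted in evidence if f == fact]
    if not claims:
        return V.U
    if all(claims):
        return V.T
    if not any(claims):
        return V.F
    return V.C


def access_value(evidence, doctor, patient, ward):
    """Constructed policy: a doctor may read a record if assigned to the
    patient, or if the ward is in an emergency and the doctor is on duty."""
    assigned = lookup(evidence, ("assigned", doctor, patient))
    emergency = lookup(evidence, ("emergency", ward))
    on_duty = lookup(evidence, ("on_duty", doctor))
    return or_(assigned, and_(emergency, on_duty))


def decide(value):
    """Knowledge-aware break-glass decision (an assumed mapping)."""
    return {
        V.T: "permit",
        V.F: "deny",
        V.U: "override-offered",   # gap: the subject may break glass under obligations
        V.C: "escalate",           # conflict: the logs disagree, do not decide silently
    }[value]


def decide_closed_world(value):
    """What a two-valued policy does: anything not known true counts as false."""
    return "permit" if value == V.T else "deny"


# Constructed evidence sets; each pair is one log entry (fact, asserted?).
ASSIGNED = [(("assigned", "alice", "p1"), True)]
GAP = [(("assigned", "bob", "p1"), False), (("on_duty", "bob"), True)]  # no emergency entry at all
CONFLICT = GAP + [(("emergency", "icu"), True), (("emergency", "icu"), False)]

if __name__ == "__main__":
    for name, ev, doc in [("assigned", ASSIGNED, "alice"), ("gap", GAP, "bob"), ("conflict", CONFLICT, "bob")]:
        v = access_value(ev, doc, "p1", "icu")
        print(f"{name:9s} value={v.name} knowledge-aware={decide(v)} closed-world={decide_closed_world(v)}")
```

With the `GAP` evidence there is no emergency entry at all: the four-valued evaluation yields unknown and offers an override, while the closed-world mapping denies, which is the behaviour the abstract criticises. `CONFLICT` adds two sources that disagree about the emergency; the result is a conflict value that is escalated rather than silently collapsed to true or false.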
formal methods | 2015
David A. Basin; Felix Klaedtke; Srdjan Marinovic; Eugen Zălinescu
In system monitoring, one is often interested in checking properties of aggregated data. Current policy monitoring approaches are limited in the kinds of aggregations they handle. To rectify this, we extend an expressive language, metric first-order temporal logic, with aggregation operators. Our extension is inspired by the aggregation operators common in database query languages like SQL. We provide a monitoring algorithm for this enriched policy specification language. We show that, in comparison to related data processing approaches, our language is better suited for expressing policies, and our monitoring algorithm has competitive performance.
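The following is an added example, not the monitoring algorithm or MFOTL implementation of this paper or of the 2013 runtime verification paper above; it shows the kind of policy both abstracts target, an aggregate over a sliding time window, checked incrementally over a stream. The event streams, the limits and the in-order timestamp assumption are constructed for the example.

```python
"""Sliding-window aggregation monitor.

Added example, not code from the papers on this page. It checks one policy
of the kind the abstracts describe: for every key, an aggregate (SUM, COUNT,
MAX, ...) over the events of the last `window` time units must not exceed a
limit. Streams are constructed; timestamps are assumed to be non-decreasing.
"""
from collections import defaultdict, deque


class WindowAggregateMonitor:
    """Roughly the policy
        ALWAYS FORALL k. [AGG v. ONCE[0,window] ev(k, v)](s) -> s <= limit
    evaluated incrementally over a timestamped stream of (ts, key, value)."""

    def __init__(self, window, limit, agg=sum):
        self.window = window
        self.limit = limit
        self.agg = agg                    # any function over a list of values
        self.state = defaultdict(deque)   # key -> deque of (ts, value) inside the window
        self.last_ts = None

    def step(self, ts, key, value):
        """Consume one event; return (ts, key, aggregate) on violation, else None."""
        if self.last_ts is not None and ts < self.last_ts:
            raise ValueError("out-of-order event: this monitor assumes in-order logs")
        self.last_ts = ts
        q = self.state[key]
        q.append((ts, value))
        while q and q[0][0] < ts - self.window:   # expire events older than the window
            q.popleft()
        aggregate = self.agg([v for _, v in q])
        return (ts, key, aggregate) if aggregate > self.limit else None

    def run(self, events):
        """All violations found in a stream of (ts, key, value) events."""
        return [r for r in (self.step(*e) for e in events) if r is not None]


# Constructed stream: (hour, account, amount transferred).
TRANSFERS = [
    (0, "alice", 400),
    (5, "bob", 900),
    (10, "alice", 500),   # alice: 900 in the last 24h, fine
    (20, "alice", 200),   # alice: 1100 in the last 24h, violation
    (30, "bob", 300),     # bob's 900 at t=5 has expired, 300 is fine
    (40, "alice", 100),   # window [16, 40]: 200 + 100 = 300, fine
]

# Constructed stream: (second, source address, one entry per failed login).
FAILED_LOGINS = [(1, "10.0.0.7", 1), (2, "10.0.0.7", 1), (3, "10.0.0.7", 1),
                 (4, "10.0.0.7", 1), (20, "10.0.0.7", 1)]


def sum_violations():
    """No account transfers more than 1000 within any 24 hour window."""
    return WindowAggregateMonitor(window=24, limit=1000, agg=sum).run(TRANSFERS)


def count_violations():
    """No source fails to log in more than 3 times within 10 seconds."""
    return WindowAggregateMonitor(window=10, limit=3, agg=len).run(FAILED_LOGINS)


if __name__ == "__main__":
    print("sum policy violations:  ", sum_violations())
    print("count policy violations:", count_violations())
```

The per-key deque keeps exactly the events that can still contribute to the aggregate, so each event is pushed and popped at most once and memory is bounded by the window, not by the log length. Swapping `agg` changes the policy from a sum to a count or a maximum without touching the monitor.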
principles of security and trust | 2014
Petar Tsankov; Srdjan Marinovic; Mohammad Torabi Dashti; David A. Basin
Formal foundations for access control policies with both authority delegation and policy composition operators are partial and limited. Correctness guarantees cannot therefore be formally stated and verified for decentralized composite access control systems, such as those based on XACML 3. To address this problem we develop a formal policy language BelLog that can express both delegation and composition operators. We illustrate, through examples, how BelLog can be used to specify practical policies. Moreover, we present an analysis framework for reasoning about BelLog policies and we give decidability and complexity results for policy entailment and policy containment in BelLog.
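The following is an added illustration, not BelLog or the paper's analysis framework, of the two ingredients the abstract names: composition operators over sub-policies and delegation of authority. Policies here are functions returning permit, deny or not-applicable, combined with XACML-style operators; delegation statements are closed transitively with a hop bound. The principals, resources and statements are constructed for the example.

```python
"""Policy composition and bounded delegation.

Added illustration, not BelLog or the paper's analysis framework. Policies
are functions from a request to PERMIT, DENY or NA (not applicable),
combined with XACML-style operators; delegation statements are closed
transitively with a hop bound before a policy consults them. Principals,
resources and statements are constructed.
"""
PERMIT, DENY, NA = "permit", "deny", "na"


def deny_overrides(*policies):
    def combined(req):
        results = [p(req) for p in policies]
        return DENY if DENY in results else PERMIT if PERMIT in results else NA
    return combined


def permit_overrides(*policies):
    def combined(req):
        results = [p(req) for p in policies]
        return PERMIT if PERMIT in results else DENY if DENY in results else NA
    return combined


def first_applicable(*policies):
    def combined(req):
        for p in policies:
            r = p(req)
            if r != NA:
                return r
        return NA
    return combined


def holders(owner, right, delegations, max_hops=3):
    """Who holds `right` by a delegation chain from `owner`, as {principal: hops}.
    Chains longer than `max_hops` are ignored so authority cannot spread unboundedly."""
    held = {owner: 0}
    frontier = [owner]
    while frontier:
        nxt = []
        for src in frontier:
            if held[src] >= max_hops:
                continue
            for frm, to, r in delegations:
                if frm == src and r == right and to not in held:
                    held[to] = held[src] + 1
                    nxt.append(to)
        frontier = nxt
    return held


# Constructed data.
OWNERS = {"report.pdf": "alice"}
DELEGATIONS = [("alice", "bob", "read"), ("bob", "carol", "read"),
               ("carol", "dave", "read"), ("dave", "erin", "read")]
REVOKED = {"carol"}   # e.g. an offboarded account


def delegation_policy(req):
    """Permit if the subject holds the requested right via delegation from the owner."""
    owner = OWNERS.get(req["resource"])
    if owner is None:
        return NA
    return PERMIT if req["subject"] in holders(owner, req["action"], DELEGATIONS) else NA


def revocation_policy(req):
    """Deny revoked subjects, say nothing about anyone else."""
    return DENY if req["subject"] in REVOKED else NA


def decide(composer, subject, action="read", resource="report.pdf"):
    return composer({"subject": subject, "action": action, "resource": resource})


if __name__ == "__main__":
    for name, comp in [("deny-overrides", deny_overrides(revocation_policy, delegation_policy)),
                       ("permit-overrides", permit_overrides(revocation_policy, delegation_policy)),
                       ("first-applicable", first_applicable(delegation_policy, revocation_policy))]:
        print(name, {s: decide(comp, s) for s in ["bob", "carol", "erin"]})
```

The same two sub-policies give three different answers for carol depending on the operator, which is the reason the abstract asks for composition to have a formal semantics: whether a revocation beats a delegated grant is a property of the combinator, not of either sub-policy. The hop bound in `holders` is what keeps erin, four delegations away from the owner, outside the set of holders.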
symposium on access control models and technologies | 2015
Claudio Soriente; Ghassan O. Karame; Hubert Ritzdorf; Srdjan Marinovic; Srdjan Capkun
Cloud storage platforms promise a convenient way for users to share files and engage in collaborations, yet they require all files to have a single owner who unilaterally makes access control decisions. Existing clouds are, thus, agnostic to shared ownership. This can be a significant limitation in many collaborations because, for example, one owner can delete files and revoke access without consulting the other collaborators. In this paper, we first formally define a notion of shared ownership within a file access control model. We then propose a solution, called Commune, to the problem of distributed enforcement of shared ownership in agnostic clouds, so that access grants require the support of an agreed threshold of owners. Commune can be used in existing clouds without modifications to the platforms. We analyze the security of our solution and evaluate its performance through an implementation integrated with Amazon S3.
pervasive computing and communications | 2010
Srdjan Marinovic; Kevin P. Twidle; Naranker Dulay
There is growing interest in using workflows to describe, monitor and direct a wide-range of medical procedures in hospitals. Unlike their well-established business counterparts, medical workflows require a high degree of execution flexibility since it is impossible to anticipate all the possible circumstances that might influence their execution and it is important that staff are permitted to respond to situations flexibly. Medical workflows also need to be unobtrusive, since requiring staff to continually acknowledge task execution or enter workflow data will get in the way of delivering medical healthcare. In this paper we present a new approach to workflow specification based on Teleo-Reactive programs, where a workflow is not defined as a set of discrete steps, but rather as a goal-driven process. Workflow tasks are modelled as continuous context conditions or durative actions. TR workflows offer a high degree of flexibility and an easier way to model human-centric tasks than the traditional graph-based workflow models. We illustrate the approach with a small pervasive healthcare example and show how we also apply the approach to managing workflow resources and security.
ieee international symposium on policies for distributed systems and networks | 2010
Kevin P. Twidle; Srdjan Marinovic; Naranker Dulay
Policies could potentially be an important and cost-effective technique for building and managing pervasive systems. Historically, policy-based systems have been built using a policy environment that supports the specification and enforcement of policies for a range of management concerns such as adaptation and security. In this short paper we describe our experiences with challenges in building human-centric pervasive systems. As a result of these experiences we introduce a novel management policy type based on teleo-reactive procedures that replace traditional ECA management policies.
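The following is an added example, not the TR workflow system of the 2010 pervasive computing paper above or the policy type described in this paper. It implements the teleo-reactive execution rule both abstracts rely on: an ordered list of condition-action rules, where on every tick the first rule whose condition holds selects the action, so a workflow regresses or skips stages as the context changes without any explicit error transitions. The workflow rules, the authorisation guard and the context snapshots are constructed for the example.

```python
"""Teleo-reactive (TR) workflow interpreter.

Added example, not the papers' TR workflow system or policy language. A TR
program is an ordered list of (condition, action) rules; on every tick the
first rule whose condition holds selects the action, which lasts as long as
that rule stays the first satisfied one. Rules and snapshots are constructed.
"""


class TRProgram:
    """Rules are ordered goal-first: earlier rules are closer to completion,
    later ones are fallbacks, and the last one should be a catch-all."""

    def __init__(self, rules):
        self.rules = rules   # list of (name, condition(ctx) -> bool, action)

    def select(self, ctx):
        """Index and action of the first rule whose condition holds."""
        for i, (_, cond, action) in enumerate(self.rules):
            if cond(ctx):
                return i, action
        raise RuntimeError("no rule applies: TR programs need a catch-all rule")

    def run(self, snapshots):
        """Action chosen at each tick for a sequence of context snapshots."""
        return [self.select(s)[1] for s in snapshots]

    def regressions(self, snapshots):
        """Ticks at which the workflow fell back to an earlier stage (a later
        rule fired than on the previous tick), with no error path modelled."""
        idx = [self.select(s)[0] for s in snapshots]
        return [t for t in range(1, len(idx)) if idx[t] > idx[t - 1]]


# Constructed: a blood-sample workflow guarded by an authorisation check.
SAMPLE_WORKFLOW = TRProgram([
    ("guard",  lambda c: not c.get("staff_authorised", False), "refuse_and_alert"),
    ("done",   lambda c: c.get("results_reviewed", False),     "complete"),
    ("review", lambda c: c.get("results_available", False),    "review_results"),
    ("wait",   lambda c: c.get("sample_taken", False),         "await_lab"),
    ("sample", lambda c: c.get("patient_present", False),      "take_sample"),
    ("fetch",  lambda c: True,                                 "call_patient"),
])

AUTH = {"staff_authorised": True}
SNAPSHOTS = [
    {**AUTH},
    {**AUTH, "patient_present": True},
    {**AUTH, "patient_present": True, "sample_taken": True},
    {**AUTH, "patient_present": True},                           # sample lost: stage regresses
    {**AUTH, "patient_present": True, "sample_taken": True, "results_available": True},
    {**AUTH, "patient_present": True, "sample_taken": True, "results_available": True,
     "results_reviewed": True},
    {"staff_authorised": False, "results_reviewed": True},       # guard beats progress
]

if __name__ == "__main__":
    for tick, action in enumerate(SAMPLE_WORKFLOW.run(SNAPSHOTS)):
        print(tick, action)
    print("regressed at ticks:", SAMPLE_WORKFLOW.regressions(SNAPSHOTS))
```

Because the goal rule comes first and each later rule only needs its own precondition, the lost sample at tick 3 simply makes a later rule fire again; nothing in the program spells out that transition. Putting the authorisation guard at the top is how a security constraint is layered over the workflow: it wins over every stage, including a completed one.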