Abstract
In an open Internet-of-Things (IoT) environment, the chance encounters of smart devices have made it difficult to articulate access control policies for complete strangers. Based on the metaphor of public sphere, the access control model SEPD is proposed to ease policy administration and facilitate trust inspiration for IoT devices. We articulate a system architecture for SEPD, and offer an in-depth study of its access control policies, known as presence policies. In particular, we characterize when presence policies are resilient against half-truth attacks, devise a policy language based on Temporal Constraint Networks, and empirically profile the efficiency of constructing proofs of compliance for presence policies.
Notes
1. Policy specification can be extensional (enumerating all possible authorizations, as in access control matrices [18]), or intensional (articulating the abstract condition of authorization, as in ABAC [21], ReBAC [15], and distributed trust management [9]). Intensional policy specifications are preferred in IoT applications, as intensional specifications offer better scalability than extensional ones.
References
1. Ahmadi, A., Safavi-Naini, R.: Directional distance-bounding identification. In: Mori, P., Furnell, S., Camp, O. (eds.) ICISSP 2017. CCIS, vol. 867, pp. 197–221. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-93354-2_10
2. Allen, J.F.: Maintaining knowledge about temporal intervals. Commun. ACM 26(11), 832–843 (1983)
3. Ardagna, C.A., Cremonini, M., Damiani, E., di Vimercati, S.D.C., Samarati, P.: Supporting location-based conditions in access control policies. In: Proceedings of ASIACCS 2006, pp. 212–222. ACM, Taipei (2006)
4. Bertin, E., Hussein, D., Sengul, C., Frey, V.: Access control in the internet of things: a survey of existing approaches and open research questions. Ann. Telecommun. J. 74(7–8), 375–388 (2019)
5. Bertino, E., Kirkpatrick, M.S.: Location-based access control systems for mobile users: concepts and research directions. In: Proceedings of ACM SIGSPATIAL SPRINGL 2011, pp. 49–52. ACM, Chicago (2011)
6. Bezawada, B., Haefner, K., Ray, I.: Securing home IoT environments with attribute-based access control. In: Proceedings of ABAC 2018, Tempe, AZ, USA, pp. 43–53 (2018)
7. Brands, S., Chaum, D.: Distance-bounding protocols. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 344–359. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48285-7_30
8. Bussard, L., Bagga, W.: Distance-bounding proof of knowledge to avoid real-time attacks. In: Sasaki, R., Qing, S., Okamoto, E., Yoshiura, H. (eds.) SEC 2005. IAICT, vol. 181, pp. 223–238. Springer, Boston, MA (2005). https://doi.org/10.1007/0-387-25660-1_15
9. Chapin, P.C., Skalka, C., Wang, X.S.: Authorization in trust management: features and foundations. ACM Comput. Surv. 40(3), 1–48 (2008). Article no. 9
10. v. Cleeff, A., Pieters, W., Wieringa, R.: Benefits of location-based access control: a literature study. In: Proceedings of IEEE/ACM CPSCom 2010, pp. 739–746. IEEE, Hangzhou, December 2010
11. Damiani, M.L., Bertino, E., Catania, B., Perlasca, P.: GEO-RBAC: a spatially aware RBAC. ACM Trans. Inf. Syst. Secur. 10(1), 1–42 (2007). Article no. 2
12. Decker, M.: Requirements for a location-based access control model. In: Proceedings of MoMM 2008, pp. 346–349. ACM, Linz (2008)
13. Fischlin, M., Onete, C.: Subtle kinks in distance-bounding: an analysis of prominent protocols. In: Proceedings of WiSec 2013, pp. 195–206. ACM, Budapest (2013)
14. Fong, P.W.L.: Access control by tracking shallow execution history. In: Proceedings of the 2004 IEEE Symposium on Security and Privacy (S&P 2004), Berkeley, CA, USA, pp. 43–55, May 2004
15. Fong, P.W.L.: Relationship-based access control: protection model and policy language. In: Proceedings of CODASPY 2011, pp. 191–202. ACM, San Antonio (2011)
16. Gambs, S., Killijian, M.O., Roy, M., Traoré, M.: PROPS: a PRivacy-preserving lOcation Proof System. In: Proceedings of the 33rd IEEE International Symposium on Reliable Distributed Systems (SRDS 2014), Nara, Japan, pp. 1–10, October 2014
17. Garey, M.R., Johnson, D.S.: Computers and Intractability: A Guide to the Theory of NP-Completeness. W. H. Freeman & Co., New York (1990)
18. Graham, G.S., Denning, P.J.: Protection: principles and practice. In: AFIPS Conference Proceedings 1971 (Fall). ACM, Las Vegas (1971). https://doi.org/10.1145/1478873.1478928
19. Gupta, M., Benson, J., Patwa, F., Sandhu, R.: Dynamic groups and attribute-based access control for next-generation smart cars. In: Proceedings of CODASPY 2019, pp. 61–72. ACM, Richardson (2019)
20. Hermans, J., Peeters, R., Onete, C.: Efficient, secure, private distance bounding without key updates. In: Proceedings of WiSec 2013, pp. 207–218. ACM, Budapest (2013)
21. Hu, V.C., et al.: Guide to Attribute Based Access Control (ABAC) Definition and Considerations. National Institute of Standards and Technology (2014). https://doi.org/10.6028/nist.sp.800-162
22. Kang, J., Cuff, D.: Pervasive computing: embedding the public sphere. Washington Lee Law Rev. 65, 93–146 (2005)
23. Kocher, P.C.: On certificate revocation and validation. In: Hirschfeld, R. (ed.) Financial Cryptography 1998, pp. 172–177. Springer, Heidelberg (1998)
24. Li, N., Feigenbaum, J.: Nonmonotonicity, user interfaces, and risk assessment in certificate revocation. In: Syverson, P. (ed.) FC 2001. LNCS, vol. 2339, pp. 166–177. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-46088-8_16
25. Ligatti, J., Bauer, L., Walker, D.: Run-time enforcement of nonsafety policies. ACM Trans. Inf. Syst. Secur. 12(3), 1–39 (2009). Article no. 19
26. Ligozat, G.: Qualitative Spatial and Temporal Reasoning. Wiley, Hoboken (2013)
27. Ray, I., Kumar, M., Yu, L.: LRBAC: a location-aware role-based access control model. In: Bagchi, A., Atluri, V. (eds.) ICISS 2006. LNCS, vol. 4332, pp. 147–161. Springer, Heidelberg (2006). https://doi.org/10.1007/11961635_10
28. Sandhu, R.S., Coyne, E.J., Feinstein, H.L., Youman, C.E.: Role-based access control models. Computer 29(2), 38–47 (1996)
29. Saroiu, S., Wolman, A.: Enabling new mobile applications with location proofs. In: Proceedings of HotMobile 2009. ACM, Santa Cruz (2009)
30. Sastry, N., Shankar, U., Wagner, D.: Secure verification of location claims. In: Proceedings of WiSe 2003, pp. 1–10. ACM, San Diego (2003)
31. Schneider, F.B.: Enforceable security policies. ACM Trans. Inf. Syst. Secur. 3(1), 30–50 (2000)
32. Sicari, S., Rizzardi, A., Grieco, L., Coen-Porisini, A.: Security, privacy and trust in internet of things: the road ahead. Elsevier Comput. Netw. J. 76, 146–164 (2015)
33. Tandon, L., Fong, P.W.L., Safavi-Naini, R.: HCAP: a history-based capability system for IoT devices. In: Proceedings of SACMAT 2018. ACM, Indianapolis (2018)
34. Tarameshloo, E., Fong, P.W.L.: Access control models for geo-social computing systems. In: Proceedings of the 19th ACM Symposium on Access Control Models and Technologies (SACMAT 2014), London, Ontario, Canada, pp. 115–126, June 2014
35. Vilain, M., Kautz, H.: Constraint propagation algorithms for temporal reasoning. In: Proceedings of AAAI 1986, pp. 377–382. AAAI Press, Philadelphia (1986)
36. Wang, X., Pande, A., Zhu, J., Mohapatra, P.: STAMP: enabling privacy-preserving location proofs for mobile users. IEEE/ACM Trans. Netw. 24(6), 3276–3289 (2016)
37. Yang, Y., Wu, L., Yin, G., Li, L., Zhao, H.: A survey on security and privacy issues in internet-of-things. IEEE Internet Things J. 4(5), 1250–1258 (2017)
38. Zhang, Y., Wu, X.: Access control in internet of things: a survey. In: Proceedings of APTEC 2017, pp. 1544–1557. DEStech, Kuala Lumpur (2017)
39. Zhu, Z., Cao, G.: APPLAUS: a privacy-preserving location proof updating system for location-based services. In: Proceedings of IEEE INFOCOM 2011, pp. 1889–1897 (2011)
Acknowledgements
This work is supported in part by an NSERC Discovery Grant (RGPIN-2014-06611) and a Canada Research Chair (950-229712).
Appendices
A Temporal Constraint Networks
Allen identifies 13 basic relations between any two time intervals [2, 26]. Those relations are precedes (p), meets (m), overlaps (o), starts (s), during (d), finishes (f), and their respective converse relations (i.e., preceded by (pi), met by (mi), overlapped by (oi), started by (si), contains (di), and finished by (fi)), as well as equality (eq). Table 1 gives the definition of these relations. These 13 basic relations are mutually exclusive and jointly exhaustive: exactly one of them holds between any two intervals.
Let \(\mathbf{B} = \{p, pi, m, mi, o, oi, s, si, d, di, f, fi, eq\}\) be the set of all basic relations. \(\mathbf{B}\) is called the universal relation. We write \(X \mathbf{r} Y\) to assert that interval X is related to interval Y in the basic relation \(\mathbf{r}\). Given \(X, Y \in \mathsf{Int}\), there exists exactly one basic relation \(\mathbf{r} \in \mathbf{B}\) such that \(X \mathbf{r} Y\). Given \(\mathbf{R} \subseteq \mathbf{B}\), we write \(X \mathbf{R} Y\) to assert that there exists \(\mathbf{r} \in \mathbf{R}\) such that \(X \mathbf{r} Y\). The set \(\mathbf{R}\) is called a disjunctive relation.
A temporal constraint network (TCN) is an edge-labeled, complete, directed graph \(\varTheta = (N, C)\), so that each directed edge \((u, v) \in N \times N\) is associated with a disjunctive relation \(C(u, v) \subseteq \mathbf{B}\). An instantiation of \(\varTheta\) is a function \(m : N \rightarrow \mathsf{Int}\). Instantiation m satisfies \(\varTheta\) if and only if \(m(u) \,C(u, v)\, m(v)\) for every edge \((u, v) \in N \times N\). We say that \(\varTheta\) is consistent if and only if there exists an instantiation that satisfies \(\varTheta\).
B Proofs
B.1 Proof of Theorem 1
Statement (1): Suppose \(P\) is semantically monotonic. Consider \(\varPi , \varPi ' \in \mathsf {PoC} \) and \(t \in \mathbb {R} \). If \(\varPi \sqsubseteq _R \varPi '\) via the function \(f : \varPi \rightarrow \varPi '\), then we have the following containment:
which, by semantic monotonicity, implies \(P ( \varPi ) \rightarrow P ( \varPi ' )\). \(P\) is therefore R-resilient.
Statement (2): We begin by proving that R-resiliency implies syntactic monotonicity. Suppose \(P\) is R-resilient. Consider \(\varPi , \varPi ' \in \mathsf {PoC} \) where \(\varPi \subseteq \varPi '\). Construct \(f : \varPi \rightarrow \varPi '\) so that \(f(I) = I \). Thus \(\varPi \sqsubseteq _R \varPi '\). By the R-resiliency of \(P\), we have \(P ( \varPi ) \rightarrow P ( \varPi ' )\) as required by syntactic monotonicity.
Next, we demonstrate that R-resiliency implies R-reducibility. Suppose \(P\) is R-resilient. Consider \(\varPi \in \mathsf {PoC} \) where there exist distinct intervals \(I _1, I _2 \in \varPi \) such that \(I _1 \subseteq _R I _2\). Construct \(f : \varPi \rightarrow \varPi \setminus \{ I _1 \}\) so that:
Function f thus witnesses to the fact that \(\varPi \sqsubseteq _R \varPi \setminus \{ I _1 \}\). By R-resiliency, we know that \(P ( \varPi ) \rightarrow P ( \varPi \setminus \{ I _1 \} )\).
So far, we have demonstrated that R-resiliency implies the conjunction of syntactic monotonicity and R-reducibility. We complete the proof of Statement (2) by showing that syntactic monotonicity and R-reducibility jointly imply R-resiliency. Suppose \(P\) is both syntactically monotonic and R-reducible. Consider \(\varPi , \varPi ' \in \mathsf {PoC} \). If \(\varPi \sqsubseteq _R \varPi '\) via the function \(f : \varPi \rightarrow \varPi '\), then the following implication holds:
B.2 Proof of Theorem 2
Let \(\chi = (\mathsf {wd}, \mathsf {ad}, \mathsf {ag})\), and \(\mathcal {P} ^\chi = \{ P _t \}_{t \in \mathbb {R}}\). Suppose \(\varPi \sqsubseteq _R \varPi '\) via the function \(f : \varPi \rightarrow \varPi '\). We show in the three steps below that \(P _t (\varPi ) \rightarrow P _t (\varPi ')\).
Step 1. We show that \(\varPi /W \sqsubseteq _R \varPi '/W \) for every \(W \in \mathsf {Int} \). To this end, we construct a function \(g : \varPi /W \rightarrow \varPi '/W \) so that \(X \subseteq _R g(X)\) for every \(X \in \varPi /W \).
Consider an interval \(I \in \varPi \). Since \(I \subseteq _R f(I)\), we know the following two facts: (1) If \(I \cap W \ne \emptyset \), then \(f(I) \cap W \ne \emptyset \). (2) \(I \cap W \subseteq _R f(I) \cap W \). Therefore, by having g map \(I \cap W \) to \(f(I) \cap W \) when \(I \cap W \ne \emptyset \), the requirement \(X \subseteq _R g(X)\) is satisfied.
The problem with the above construction is that the resulting mapping g may not be functional. The latter happens when there are distinct intervals \(I _1, I _2 \in \varPi \) for which \(I _1 \cap W = I _2 \cap W \). To correct this, observe that if \(X \subseteq _R Y _1\) and \(X \subseteq _R Y _2\), then either \(Y _1 \subseteq _R Y _2\) or \(Y _2 \subseteq _R Y _1\), and thus we have (a) \(X \subseteq _R Y _1 \cup Y _2\), and (b) either \(Y _1 = Y _1 \cup Y _2\) or \(Y _2 = Y _1 \cup Y _2\). We therefore define g as follows:
The function g witnesses to the fact that \(\varPi /W \sqsubseteq _R \varPi '/W \).
Step 2. We demonstrate that \( admissible ( \varPi , t) \subseteq admissible ( \varPi ', t )\). By definition, a window \(W\) belongs to \( admissible ( \varPi , t )\) whenever \(\mathsf {ad} (\varPi /W)\). But we showed in Step 1 that \(\varPi /W \sqsubseteq _R \varPi '/W \). Therefore, by the R-resiliency of \(\mathsf {ad}\), we also have \(\mathsf {ad}(\varPi '/W)\) as a result, meaning \(W \in admissible ( \varPi ', t )\). Consequently, every member of \( admissible ( \varPi , t)\) is also a member of \( admissible ( \varPi ', t )\).
Step 3. We can now conclude that \(P _t (\varPi ) \rightarrow P _t (\varPi ')\), because the syntactic monotonicity of \(\mathsf {ag}\) guarantees that \(\mathsf {ag}( admissible ( \varPi , t) ) \rightarrow \mathsf {ag}( admissible ( \varPi ', t) )\).
B.3 Proof of Theorem 3
That is in \(\mathsf {NP}\) is obvious. We demonstrate \(\mathsf {NP}\)-hardness by a reduction from graph k-colorability [17]. Given an instance \(G = (V, E)\) of graph k-colorability, the reduction produces an instance \((\varTheta , DB )\) of , where \( DB \) contains k distinct intervals, and \(\varTheta \) is the ETCN \((V, V, \emptyset , \emptyset , C, \emptyset , \emptyset )\), such that \(C(u, v) = \mathbf B \setminus \{ eq \}\) if \(uv \in E\), but \(C(u, v) = \mathbf B \) if \(uv \not \in E\). It is easy to see that G is k-colorable if and only if .
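The two appendices above fit together in a small executable model. The following Python is an added example, not code from the paper or its authors: it implements Allen's 13 basic relations over intervals represented as `(start, end)` pairs (an assumed representation; the paper's Table 1 is not reproduced here), checks whether an instantiation satisfies a TCN as defined in Appendix A, and then carries out the reduction of Appendix B.3, building the network whose instantiations restricted to `DB` are exactly the proper k-colourings of a graph. The interpretation of "consistent with respect to `DB`" as "some instantiation drawing its intervals from `DB` satisfies the network" is an assumption made here, since the page does not define ETCNs. The consistency check is a brute-force search, which is the honest thing to do for an NP-hard problem on toy inputs.

```python
from itertools import product

# Allen's 13 basic relations, named as in Appendix A; B is the universal relation.
BASIC = ("p", "pi", "m", "mi", "o", "oi", "s", "si", "d", "di", "f", "fi", "eq")
UNIVERSAL = frozenset(BASIC)

# Converse pairs: X r Y holds exactly when Y CONVERSE[r] X.
CONVERSE = {"p": "pi", "m": "mi", "o": "oi", "s": "si", "d": "di", "f": "fi", "eq": "eq"}
CONVERSE.update({v: k for k, v in list(CONVERSE.items())})


def basic_relation(x, y):
    """Return the unique basic relation r in B such that x r y.

    Intervals are (start, end) pairs with start < end (assumed representation).
    The six forward relations and equality are tested directly; every other
    pair is the converse of a forward relation between y and x.
    """
    (xs, xe), (ys, ye) = x, y
    if xe < ys:
        return "p"            # x precedes y
    if xe == ys:
        return "m"            # x meets y
    if xs < ys < xe < ye:
        return "o"            # x overlaps y
    if xs == ys and xe < ye:
        return "s"            # x starts y
    if ys < xs and xe < ye:
        return "d"            # x is during y
    if ys < xs and xe == ye:
        return "f"            # x finishes y
    if x == y:
        return "eq"
    return CONVERSE[basic_relation(y, x)]


def satisfies(nodes, C, m):
    """Does instantiation m : nodes -> Int satisfy the TCN (nodes, C)?

    C maps a directed edge (u, v) to a disjunctive relation (a subset of B);
    edges absent from C carry the universal relation, so only the constrained
    edges need to be listed.
    """
    return all(
        basic_relation(m[u], m[v]) in C.get((u, v), UNIVERSAL)
        for u in nodes for v in nodes
    )


def k_colorable_via_tcn(V, E, k):
    """Reduction of Appendix B.3 (assumed reading of DB-consistency).

    Adjacent nodes get the constraint B \\ {eq}; non-adjacent nodes are left
    unconstrained. With DB holding k distinct intervals, an instantiation
    drawn from DB satisfies the network exactly when it is a proper
    k-colouring. Returns such an instantiation, or None if there is none.
    """
    # DB: k pairwise-disjoint intervals, one per colour (constructed here).
    DB = [(2 * i, 2 * i + 1) for i in range(k)]
    C = {}
    for u, v in E:                      # E is an undirected edge set
        C[(u, v)] = UNIVERSAL - {"eq"}
        C[(v, u)] = UNIVERSAL - {"eq"}
    for assignment in product(DB, repeat=len(V)):   # exhaustive search
        m = dict(zip(V, assignment))
        if satisfies(V, C, m):
            return m
    return None


if __name__ == "__main__":
    # Constructed sample: the triangle K3 needs three colours.
    K3, E3 = ["a", "b", "c"], [("a", "b"), ("b", "c"), ("a", "c")]
    print(basic_relation((1, 3), (2, 5)))        # o
    print(k_colorable_via_tcn(K3, E3, 2))        # None
    print(k_colorable_via_tcn(K3, E3, 3))        # a 3-colouring
```

Because `basic_relation` returns a single name, it encodes the claim that the 13 relations partition all interval pairs; the converse table lets the same function serve both directions of an edge, which is what makes a complete directed network cheap to check.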
Copyright information
© 2019 Springer Nature Switzerland AG
Cite this paper
Pereira, H.G.G., Fong, P.W.L. (2019). SEPD: An Access Control Model for Resource Sharing in an IoT Environment. In: Sako, K., Schneider, S., Ryan, P. (eds) Computer Security – ESORICS 2019. ESORICS 2019. Lecture Notes in Computer Science, vol 11736. Springer, Cham. https://doi.org/10.1007/978-3-030-29962-0_10
DOI: https://doi.org/10.1007/978-3-030-29962-0_10
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-29961-3
Online ISBN: 978-3-030-29962-0