Oceanstore: An architecture for global-scale persistent storage
2000
Cited by 847 (27 self)
OceanStore is a utility infrastructure designed to span the globe and provide continuous access to persistent information. Since this infrastructure is comprised of untrusted servers, data is protected through redundancy and cryptographic techniques. To improve performance, data is allowed to be cached anywhere, anytime. Additionally, monitoring of usage patterns allows adaptation to regional outages and denial of service attacks; monitoring also enhances performance through pro-active movement of data. A prototype implementation is currently under development.
Device-Enabled Authorization in the Grey System
In Proceedings of the 8th Information Security Conference (ISC’05), 2005
Cited by 55 (14 self)
We describe the design and implementation of Grey, a set of software extensions that convert an off-the-shelf smartphone-class device into a tool by which its owner exercises and delegates her authority to both physical and virtual resources. We describe the software architecture and user interfaces of Grey, and then detail two initial case studies in which we have converted infrastructure to accommodate requests from Grey-enabled devices. The first is two floors (nearly 30,000 square feet) of office space, in which we are equipping over 65 doors for access control using Grey for a population of roughly 150 persons. The second is modifications to Windows XP that permit login via Grey-enabled phones. We provide preliminary evaluations of these efforts and directions for research to further the vision of a unified authorization framework for both physical and virtual resources.
Computer security in the real world
Computer, 2004
Cited by 44 (0 self)
After thirty years of work on computer security, why are almost all the systems in service today extremely vulnerable to attack? The main reason is that security is expensive to set up and a nuisance to run, so people judge from experience how little of it they can get away with. Since there’s been little damage, people decide that they don’t need much security. In addition, setting it up is so complicated that it’s hardly ever done right. While we await a catastrophe, simpler setup is the most important step toward better security. In a distributed system with no central management like the Internet, security requires a clear story about who is trusted for each step in establishing it, and why. The basic tool for telling this story is the “speaks for” relation between principals that describes how authority is delegated, that is, who trusts whom. The idea is simple, and it explains what’s going on in any system I know. The many different ways of encoding this relation often make it hard to see the underlying order.
Adding Security and Trust to Multi-Agent Systems
In Proceedings of Autonomous Agents ’99 Workshop on Deception, Fraud, and Trust in Agent Societies, 1999
Cited by 42 (3 self)
Multi-agent systems (MASs) are societies whose individuals are software-delegatees (agents) acting on behalf of their owners or delegators (people or organizations). When deployed in an open network such as the Internet, MASs face some trust and security issues. Agents come and go, and interact with strangers. Assumptions about security and general trustworthiness of agents and their deployers are inadequate in this context. In this paper, we present the design of a security infrastructure applicable to MASs in general. Our design addresses both security threats and trust issues. In our design, we have mechanisms for ensuring secure communication among agents and secure naming and resource location services. And two types of trusts are addressed: trust that agents will not misbehave and trust that agents are really delegatees of whom they claim to be. To establish the first type of trust, we make deployers of agents liable for the actions of their agents; to establish the second type o...
A Formal Semantics for SPKI
In Proceedings of the Sixth European Symposium on Research in Computer Security (ESORICS 2000), 2000
Cited by 40 (2 self)
We extend the logic and semantics of authorization due to Abadi, Lampson, et al. to support restricted delegation. Our formal model provides a simple interpretation for the variety of constructs in the Simple Public Key Infrastructure (SPKI), and lends intuition about possible extensions. We discuss both extensions that our semantics supports and extensions that it cautions against.
End-to-End Authorization
Cited by 36 (0 self)
Many boundaries impede the flow of authorization information, forcing applications that span those boundaries into hop-by-hop approaches to authorization. We present a unified approach to authorization. Our approach allows applications that span administrative, network, abstraction, and protocol boundaries to understand the end-to-end authority that justifies any given request. The resulting distributed systems are more secure and easier to audit. We describe boundaries that can interfere with end-to-end authorization, and outline our unified approach. We describe the system we built and the applications we adapted to use our unified authorization system, and measure its costs. We conclude that our system is a practical approach to the desirable goal of end-to-end authorization.
Understanding SPKI/SDSI using first-order logic
International Journal of Information Security, 2003
Cited by 27 (0 self)
SPKI/SDSI is a language for expressing distributed access control policy, derived from SPKI and SDSI. We provide a first-order logic (FOL) semantics for SDSI, and show that it has several advantages over previous semantics. For example, the FOL semantics is easily extended to additional policy concepts and gives meaning to a larger class of access control and other policy analysis queries. We prove that the FOL semantics is equivalent to the string rewriting semantics used by SDSI designers, for all queries associated with the rewriting semantics. We also provide a FOL semantics for SPKI/SDSI and use it to analyze the design of SPKI/SDSI. This reveals some problems. For example, the standard proof procedure in RFC 2693 is semantically incomplete. In addition, as noted before by other authors, authorization tags in SPKI/SDSI are algorithmically problematic, making a complete proof procedure unlikely. We compare SPKI/SDSI with RT_1^C, which is a language in the RT Role-based Trust-management framework that can be viewed as an extension of SDSI. The constraint feature of RT_1^C, based on Constraint Datalog, provides an alternative mechanism that is expressively similar to SPKI/SDSI tags, semantically natural, and algorithmically tractable.
Local Names In SPKI/SDSI
2000
Cited by 24 (5 self)
We analyze the notion of "local names" in SPKI/SDSI. By interpreting local names as distributed groups, we develop a simple logic program for SPKI/SDSI's linked local-name scheme and prove that it is equivalent to the name-resolution procedure in SDSI 1.1 and the 4-tuple-reduction mechanism in SPKI/SDSI 2.0. This logic program is itself a logic for understanding SDSI's linked local-name scheme and has several advantages over previous logics, e.g., those of Abadi [1] and Halpern and van der Meyden [13]. We then
Location Privacy In Ubiquitous Computing
2005
Cited by 23 (0 self)
The field of ubiquitous computing envisages an era when the average consumer owns hundreds or thousands of mobile and embedded computing devices. These devices will perform actions based on the context of their users, and therefore ubiquitous systems will gather, collate and distribute much more personal information about individuals than computers do today. Much of this personal information will be considered private, and therefore mechanisms which allow users to control the dissemination of these data are vital. Location information is a particularly useful form of context in ubiquitous computing, yet its unconditional distribution can be very invasive.
OceanStore: An Extremely Wide-Area Storage System
2000
Cited by 22 (0 self)
OceanStore is a utility infrastructure designed to span the globe and provide continuous access to persistent information. Since this infrastructure is comprised of untrusted servers, data is protected through redundancy and cryptographic techniques. To improve performance, data is allowed to be cached anywhere, anytime. Finally, monitoring of usage patterns allows adaptation to regional outages and denial of service attacks; monitoring also enhances performance through pro-active movement of data. A prototype implementation is currently under development.

