We describe the design and implementation of Grey, a set of software extensions that convert an off-the-shelf smartphone-class device into a tool by which its owner exercises and delegates her authority to both physical and virtual resources. We describe the software architecture and user interfaces of Grey, and then detail two initial case studies in which we have converted infrastructure to accommodate requests from Grey-enabled devices. The first is two floors (nearly 30,000 square feet) of office space, in which we are equipping over 65 doors for access control using Grey for a population of roughly 150 persons. The second is modifications to Windows XP that permit login via Grey-enabled phones. We provide preliminary evaluations of these efforts and directions for research to further the vision of a unified authorization framework for both physical and virtual resources.

Significant effort has been invested in developing expressive and flexible access-control languages and systems. However, little has been done to evaluate these systems in practical situations with real users, and few attempts have been made to discover and analyze the access-control policies that users actually want to implement. We report on a user study in which we derive the ideal access policies desired by a group of users for physical security in an office environment. We compare these ideal policies to the policies the users actually implemented with keys and with a smartphone-based distributed access-control system. We develop a methodology that allows us to show quantitatively that the smartphone system allowed our users to implement their ideal policies more accurately and securely than they could with keys, and we describe where each system fell short.

Grey is a smartphone-based system by which a user can exercise her authority to gain access to rooms in our university building, and by which she can delegate that authority to other users. We present findings from a trial of Grey, with emphasis on how common usability principles manifest themselves in a smartphonebased security application. In particular, we demonstrate (i) aspects of the system that gave rise to failures, misunderstandings, misperceptions, and unintended uses; (ii) network effects and new flexibility enabled by Grey; and (iii) the implications of these for user behavior. We argue that the manner in which usability principles emerged in the context of Grey can inform the design of other such applications. 2

users to interact with embedded systems located in their proximity using Smart Phones. We have identified four models of interaction between a Smart Phone and the surrounding environment: universal remote control, dual connectivity, gateway connectivity, and peer-to-peer. Although each of these models has different characteristics, our architecture provides a unique framework for all of the models. Central to our architecture are the hybrid communication capabilities incorporated in the Smart Phones. These phones have the unique feature of incorporating shortrange wireless connectivity (e.g., Bluetooth) and Internet connectivity (e.g., GPRS) in the same personal mobile device. This feature together with significant processing power and memory can turn a Smart Phone into the only mobile device that people will carry wherever they go.

The integration of Bluetooth service discovery protocol (SDP), and GPRS internet connectivity into phones provides a simple yet powerful infrastructure for accessing services in nomadic environments. In this paper, we discuss the design and implementation of SDIPP, a protocol for provisioning services on Smart Phones. Although several service discovery protocols have been proposed earlier, such as SLP, Jini, UPnP, Salutation, they all have their own infrastructure requirements and target audiences. Bluetooth SDP is an on-the-fly service discovery protocol. However, it is not nearly as powerful as its counterparts. SDIPP works by augmenting Bluetooth SDP with web access and personalization. Payment of services has been overlooked in the protocols proposed earlier. SDIPP provides a novel protocol for anonymous payment, based on the idea of Millicent scrips. We have implemented a few services to illustrate our protocol. We report on our experiences and experimental results. In particular, we analyze and provide an application level solution to the Bluetooth inquiry clash problem that was discovered in the process. 1

In an ubiquitous computing environment, principals can use at any time different devices (displays, input devices, workstations, laptops, mobile phones, PDAs etc.) interconnected by different kinds of networks (Ethernet, Wi-Fi, IrDA, Bluetooth etc.). Some time later, these devices can be off line or disconnected. Principals, as well as devices, come and go. In this scenario, a lightweight security scheme is necessary to add authentication, secrecy and integrity without depending on connections to centralized services. This scheme must support disconnection and delegation. Also, it has to be easy to use and to deploy. Neither classic security schemes that are used in common open network systems nor security schemes proposed for ubiquitous environments comply with some of these requirements. In this paper we propose SHAD, a human centered security scheme designed for a new operating system named Plan B. SHAD avoids the use of centralized entities and it is designed to be agile in a Peer-to-Peer environment.

Smart Phone is a recently emerged technology that supports Java program execution and provides both shortrange wireless connectivity (Bluetooth/IrDA) and Internet connectivity (GPRS/3G). Smart Phones represent the first viable ubiquitous computing devices because they are becoming an integral part of our daily life. Although these phones are closed systems with limited resources, we believe that a multitude of distributed applications in which Smart Phones act as peers in ad hoc networks can be developed. To realize the potential, there is a need for a middleware that supports such applications and a systematic study of the communication/computation trade-offs. The middleware should provide functionality to support service execution, discovery and migration and should be able to score well on three criteria: portability, security, and performance. To achieve this goal, we have implemented and evaluated Split Smart Messages (SSM), a lightweight middleware architecture similar to mobile agents, that exploits dual connectivity on Smart Phones. Services can be executed, discovered, and migrated on top of the SSM middleware. To facilitate portability, we have designed an execution migration scheme that works on top of unmodified Java virtual machines. To improve upon security while preserving performance, code is uploaded to and downloaded from a trusted web server, while data and state are transferred across the local network. We have implemented an SSM prototype on Sony Ericsson P800/P900 Smart Phones and compared its performance with that achieved on HP iPAQ PDAs.

Significant effort has been invested in developing expressive and flexible access-control languages and systems. However, little work has been done to evaluate these theoretically interesting systems in practical situations with real users, and few attempts have been made to discover and analyze the accesscontrol policies that users actually want to implement. In this paper we report on a study in which we derive the ideal access policies desired by a group of users for physical security in an office environment. We compare these ideal policies to the policies the users actually implemented with keys and with Grey, a smartphone-based distributed access-control system. We show quantitatively that Grey allowed our users to implement their ideal policies more accurately and securely than they could with keys, and describe where each system fell short. As part of this evaluation we identify conditions that users commonly required in their desired policies and explain how these conditions can or cannot be implemented with keys and Grey. Our results and experience can serve to inform the designers of access-control systems about which features these systems should include if they are to successfully meet users ’ needs. 1

In this work we ask the question: what are the challenges of managing a physical or file system access-control policy for a large organization? To answer the question, we conducted a series of interviews with thirteen administrators who manage access-control policy for either a file system or a physical space. Based on these interviews we identified three sets of real-world requirements that are either ignored or inadequately addressed by technology: 1) policies are made/implemented by multiple people; 2) policy makers are distinct from policy implementers; and 3) access-control systems don’t always have the capability to implement the desired policy. We present our interview results and propose several possible solutions to address the observed issues.

In this work we ask the question: what are the challenges of managing a physical or file system access-control policy for a large organization? To answer the question, we conducted a series of interviews with thirteen administrators who manage access-control policy for either a file system or a physical space. Based on these interviews we identified three sets of real-world requirements that are either ignored or inadequately addressed by technology: 1) policies are made/implemented by multiple people; 2) policy makers are distinct from policy implementers; and 3) access-control systems don’t always have the capability to implement the desired policy. We present our interview results and propose several possible solutions to address the observed issues.