smart-m3 security model
DESCRIPTION
TRANSCRIPT
![Page 1: Smart-m3 Security Model](https://reader034.vdocuments.mx/reader034/viewer/2022042713/546458ebb4af9f493f8b4960/html5/thumbnails/1.jpg)
Distributed service environment (smart spaces) security model
development
Kirill Yudenok, Kirill KrinkinFRUCT LETI Lab,
Open Source & Linux LabFRUCT 12th, Oulu, November, 2012
![Page 2: Smart-m3 Security Model](https://reader034.vdocuments.mx/reader034/viewer/2022042713/546458ebb4af9f493f8b4960/html5/thumbnails/2.jpg)
AgendaMotivation;Goal and tasks;Current Smart-M3 security;Security model development;Smart-M3 security realization:
HIP-agent;smart space RDF-graph mapping to the virtual filesystem (VFS);
What was done?Future research and development;
FRUCT 12th 8 Nov 2012 2
![Page 3: Smart-m3 Security Model](https://reader034.vdocuments.mx/reader034/viewer/2022042713/546458ebb4af9f493f8b4960/html5/thumbnails/3.jpg)
Motivation
access control mechanism for the smart spaceplatform, for example Smart-M3;
protection information mechanism of the space;
research information security within the smartspace area.
FRUCT 12th 8 Nov 2012 3
![Page 4: Smart-m3 Security Model](https://reader034.vdocuments.mx/reader034/viewer/2022042713/546458ebb4af9f493f8b4960/html5/thumbnails/4.jpg)
Goal and TasksThe project goal
Development a security model for distributed service environment (smart spaces, SS), access control algorithms and test developed components as a part of the SS Smart-M3 platform;
The main tasks of the projectinvestigation of the basic security models and creation ownsecurity solutions;development a security model for Smart Spaces;modeling and development security model components for theSmart-M3 platform;testing developed components and algorithms within theSmart-M3 platform;
FRUCT 12th 8 Nov 2012 4
![Page 5: Smart-m3 Security Model](https://reader034.vdocuments.mx/reader034/viewer/2022042713/546458ebb4af9f493f8b4960/html5/thumbnails/5.jpg)
Smart-M3 securityWhat do we have?
access control at triple level [1];
context-based and access control policies;
security objects as triple patterns;
What do we want?
identification and authentication mechanism of the SSsubjects;authorization and access control mechanism of SS subjects;data privacy;
[1] A.D’Elia, J.Honkola, D.Manzaroli, T.S.Cinotii – Access Control at Triple Level: Specification and Enforcement of a Simple RDF Model to Support Concurrent Applications in Smart Environments, 2011.
FRUCT 12th 8 Nov 2012 5
![Page 6: Smart-m3 Security Model](https://reader034.vdocuments.mx/reader034/viewer/2022042713/546458ebb4af9f493f8b4960/html5/thumbnails/6.jpg)
Security model developmentIdentification and authentication of space subjects:
HIP, PAM;
Authorization and access control of space subjects:
discretionary security model;
smart space RDF-graph mapping to the virtual filesystem (VFS);
named graphs;
access control ontology;
security extensions for smart space database.FRUCT 12th 8 Nov 2012 6
![Page 7: Smart-m3 Security Model](https://reader034.vdocuments.mx/reader034/viewer/2022042713/546458ebb4af9f493f8b4960/html5/thumbnails/7.jpg)
Smart-M3 security realizationIdentification and authentication mechanisms
prospective architecture of HIP-agent;
interaction of HIP-agent components.
Authorization and access control mechanisms
smart space RDF-graph mapping to the VFS;
intermediate solution of the graph mapping;
implementation mechanism to the Smart-M3 platform.
FRUCT 12th 8 Nov 2012 7
![Page 8: Smart-m3 Security Model](https://reader034.vdocuments.mx/reader034/viewer/2022042713/546458ebb4af9f493f8b4960/html5/thumbnails/8.jpg)
Prospective architecture of HIP-agent
Identification andauthentication of theclient:1. Client connection
request to the SS;
2. Request intercepting by the HIP-agent;
3. Protocol-based HIP identification and authentication of the client.
FRUCT 12th 8 Nov 2012 8
![Page 9: Smart-m3 Security Model](https://reader034.vdocuments.mx/reader034/viewer/2022042713/546458ebb4af9f493f8b4960/html5/thumbnails/9.jpg)
Interaction of HIP-agent components
The process ofconnecting the client tothe space:1. Transmission the client
hash key to HIP-agent;2. Checking validity of the
hash key;3. Identification and
authentication of the client;
4. Connection to the SS.
SIB HIP-agent Client
hash valid?
hash, SS, request
hash valid
hash, SS, response
FRUCT 12th 8 Nov 2012 9
![Page 10: Smart-m3 Security Model](https://reader034.vdocuments.mx/reader034/viewer/2022042713/546458ebb4af9f493f8b4960/html5/thumbnails/10.jpg)
Smart Space RDF-graph mapping
information of SS is stored in a relational database, smartspace database (SQLite);information of SS is presented in triple form (S, P, O);set of triples stored in specific database tables;
Solution: The virtual FS, that mapping information of SSin a certain directory structure.
FRUCT 12th 8 Nov 2012 10
![Page 11: Smart-m3 Security Model](https://reader034.vdocuments.mx/reader034/viewer/2022042713/546458ebb4af9f493f8b4960/html5/thumbnails/11.jpg)
The updated directory structure of VFS
provide more accuracy right to triplets (information)of the space;
FRUCT 12th 8 Nov 2012 11
![Page 12: Smart-m3 Security Model](https://reader034.vdocuments.mx/reader034/viewer/2022042713/546458ebb4af9f493f8b4960/html5/thumbnails/12.jpg)
The intermediate solution of the graph mapping
Working with SS database: get all triples and save themin memory of data structure (SQLite):
receiving all objects, subjects, predicates and theirvalues;
Creating a VFS directory structure based on the data:
creating of virtual FS using FUSE technology (fusekit),setting permissions;
FRUCT 12th 8 Nov 2012 12
![Page 13: Smart-m3 Security Model](https://reader034.vdocuments.mx/reader034/viewer/2022042713/546458ebb4af9f493f8b4960/html5/thumbnails/13.jpg)
Implementation mechanism to the Smart-M3 platform
modification of Smart-M3 platform piglet module:
piglet proxy creation for new extensions;
replacement of all smart space databaseoperations to mapping FS operations;
determine and verify client access permissions;
testing operations on the client side.
FRUCT 12th 8 Nov 2012 13
![Page 14: Smart-m3 Security Model](https://reader034.vdocuments.mx/reader034/viewer/2022042713/546458ebb4af9f493f8b4960/html5/thumbnails/14.jpg)
FRUCT 12th 8 Nov 2012 14
![Page 15: Smart-m3 Security Model](https://reader034.vdocuments.mx/reader034/viewer/2022042713/546458ebb4af9f493f8b4960/html5/thumbnails/15.jpg)
What was done?analyzed and designed the HIP protocol-basedmechanism of identification and authentication;
the mechanism of authorization and SS subjects accesscontrol by mapping RDF-graph to the virtual file systemis developed; mechanism tested in the Smart-M3platform;
the implementation process of HIP-agent and mappingmechanism to the Smart-M3 platform is started;
FRUCT 12th 8 Nov 2012 15
![Page 16: Smart-m3 Security Model](https://reader034.vdocuments.mx/reader034/viewer/2022042713/546458ebb4af9f493f8b4960/html5/thumbnails/16.jpg)
Future research and developmentMain
HIP-agent development;implementation of mapping model to Smart-M3platform;set permissions tool development for mapping FS;
Additionalnamed graph authorization system development;adding developed mechanisms to new version of Smart-M3 platform (Redland);
FRUCT 12th 8 Nov 2012 16
![Page 17: Smart-m3 Security Model](https://reader034.vdocuments.mx/reader034/viewer/2022042713/546458ebb4af9f493f8b4960/html5/thumbnails/17.jpg)
Questions & Answers
Kirill Yudenok, Kirill Krinkin{kirill.yudenok, kirill.krinkin}@gmail.com
Open Source & Linux Lab,http://osll.fruct.org, [email protected]
FRUCT 12th, Oulu, November, 2012