Information Exposure Control through Data Manipulation
for Ubiquitous Computing
Boris Dragovic
Computer Laboratory
University of Cambridge
Boris.Dragovic@cl.cam.ac.uk
Jon Crowcroft
Computer Laboratory
University of Cambridge
Jon.Crowcroft@cl.cam.ac.uk
ABSTRACT
The vision of Ubiquitous Computing [22] creates the world in which information is omnipresent, migrating seamlessly through the environment to be accessible whenever and wherever needed. Such a vision poses substantial challenges to information security and privacy protection.
Unlike in traditional, static, execution environments, information in the Ubiquitous world is exposed, throughout its lifetime, to constantly varying security and privacy threats caused by the inherent dynamicity and unpredictability of the new computing environment and its mobility. Existing data protection mechanisms, built for non- or predictably slowly-changing environments, are unable to strike the balance in the information availability vs. security and privacy threat trade-off in the Ubiquitous world, thus hindering the feasibility of the overall vision.
In this paper, we present our initial work on a novel paradigm for information security and privacy protection in the ubiquitous world. We model security and privacy threats through sets of contextual attributes and mitigate the projected risks through proactive and reactive data format transformations, subsetting and forced migrations while trying to maximize information availability. We also try to make the approach flexible, scalable and infrastructure independent, as required by the very vision of Ubiquitous Computing.
1. INTRODUCTION
Traditional computer applications expect a static execution environment. Such environments imply non- or slowly-evolving information security and privacy threat models. Existing security models and mechanisms have been built on the assumptions of such environments. Ubiquitous computing is based on a fundamentally different vision [22], aiming for computation to be unobtrusively and indistinguishably embedded in the environment around us, providing us with information whenever and wherever we need it. The inherent dynamicity and unpredictability of such an environment poses fundamental challenges to information security and privacy protection [19].
Information, represented by data objects, is, throughout its lifetime in a Ubiquitous system, whether contained on a device or within a communications channel, exposed to a constantly changing set of security and privacy threats. This is due to the migration of data objects, the migration of the devices containing them, or other environmental (context) changes. To facilitate the vision of information omnipresence we need novel security paradigms which will ensure maximum information availability while limiting its exposure to the threats. Considering the sheer complexities involved in reasoning about information security risks, and the fact that one of the aims of Ubiquitous computing is for computation to be transparent and disappear into the periphery of our mental activity, it is unfeasible to expect humans to be able to reason and act effectively to protect the information themselves.
Past research in the field of Ubiquitous systems security has focused mostly on adapting the existing security models and mechanisms to the new environment. One of the focal points has been the recognition of the importance of context information as the means of adapting authentication and authorization mechanisms to suit the Ubiquitous Computing requirements (e.g. [5, 18, 21, 4, 17]). Adapting existing security mechanisms for application in Ubiquitous systems certainly provides a sound foundation; however, it does not address the issues specific to Ubiquitous computing.
In the presented work, still in its very infancy, we propose a novel, Ubiquitous computing specific, information security and privacy protection paradigm. In [12] Myers and Liskov note that security models have two goals: to prevent accidental or malicious destruction of information and to control the release and propagation of information. The paradigm we propose falls into the latter category. We address the problem of controlling information exposure to the surroundings while it is being legitimately accessed by an authenticated and authorized user.
For every data object existing in the Ubiquitous world, we assess the security and privacy risks in its environment, depending on its sensitivity, type, access method etc., and try to mitigate the risks by manipulating its format and by changing the environment to a less risky one. The former relies on the fact that the level of quality of the represented information is inherent in the data format. The latter tries to directly avoid the risk itself.
The model assumes a cooperating user scenario, i.e. it is built as an aid for users to effectively protect and reason about the security and privacy of the information in their possession.
NSPW 2004 Nova Scotia Canada
© 2005 ACM 1-59593-076-0/05/05…$5.00
Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers, or to redistribute to lists, requires prior specific permission and/or a fee.

2. MOTIVATION
The advent of mobile computing, in the form of laptops, Personal Digital Assistants (PDAs), mobile phones etc., together with the advances in communications technologies, has enabled us to access information, and thus work, on the move and has increased our efficiency and quality of life. As a consequence, we break well established security perimeters by taking a wealth of sensitive information with us, on our mobile devices.
Consider how many times in the past several years the media have reported confidential information (trade secrets, intelligence information, personal information etc.) leaked by laptops, PDAs, mobile phones etc. being stolen from pockets, handbags, cars etc. in public places. Imagine how many times such information has leaked through conversations being overheard, displays being peeked at over shoulders, data transmissions over publicly open communications links, residual data left on public output devices such as displays or printers, etc. In all of these situations the information was legitimately stored on the devices and accessed by authorized users. The existing security mechanisms were unable to prevent the exposure, mitigate the risks in the environment or simply warn the users.
To ensure data availability, information omnipresence, to legitimate users on the move, and still balance it with the security and privacy risks present in the environment, we need security paradigms designed to balance the information content provided to a legitimate user against the risk of the information's exposure to the surroundings, keeping that risk at an acceptable level.
Part of the motivation for proposing such an approach stems from the observation of human everyday behavior. How many times have we lowered the volume of our voice, switched from a speakerphone to a telephone headset or changed topics when we realized our conversation could be overheard? This is nothing else but matching the form and characteristics of information to the perceived security and privacy risks in the environment. In this project, we try to mimic that behavior in the Ubiquitous computing arena and thus maximize the information availability versus security and privacy risk exposure trade-off.
The most obvious application is within the area of user interfaces. Projects like the Personal Servers [20], Steerable User Interfaces [8], Virtual Network Computing (VNC) [14] etc. emphasize the use of environmental output devices (displays, audio interfaces etc.) for accessing information stored on Ubiquitous devices. However, the approach is applicable to all data objects, throughout their lifetime in the Ubiquitous world, as, depending on their sensitivity, the characteristics of the devices they are stored on and environmental attributes, they are constantly exposed to certain security risks. For example, a mobile phone containing data is under a higher risk of being stolen in a public place than in an individual's office, let alone if the owner is not in its immediate proximity.
We also draw from the access control paradigm. However, the proposed approach differs in three fundamental ways: it controls the adverse information exposure level to the surroundings while the information is being accessed by a legitimate, access control authorized, user, thus operating at a different level; we drift away from binary access decisions and create a continuum between granting and refusing access by performing fine-grained information content exposure control through proactive and reactive protective actions; and data is protected throughout its lifetime, by being constantly tracked and having its security risks reevaluated, triggered by context changes. The proposed approach can be seen as complementary to the traditional notion of access control and is not intended to replace it, as it addresses a different issue.
Traditional security mechanisms were designed to operate in environments with well established data security and privacy threats and within secure perimeters. Their main task was granting or refusing access to information. The Ubiquitous computing vision breaks this model by making the notion of a secure perimeter deprecated and requiring information to be available where and when the users need it. To ensure information availability we need mechanisms to protect it in the environments in which it exists.
3. CONTAINMENT - DATA OBJECT CENTRIC MODEL OF THE WORLD
Our work focuses on assessing information security and privacy risks in Ubiquitous Computing environments and providing adequate protection. The term used for a particular information representation throughout this text is data object. As data objects represent the central focal point of our research, we model the world accordingly.
3.1 The Data Model
When describing a particular information representation we use the term data object as suggested by Policroniades [13]. A data object is not equivalent to the traditional notion of a file, although it can be regarded as such. Data objects bind data with a certain common attribute, e.g. within an HTML file, a picture can be a data object, each paragraph can be a separate data object etc. One of the advantages of such a data model is the high degree of flexibility in data manipulation it provides. In our research, data objects represent collections of data of the same security sensitivity, as determined by a security policy. For example, traditionally, the classification level of a document containing information of heterogeneous individual sensitivities is dictated by the most restrictive constituent label. By regarding the document as a collection of data objects, we can provide a higher degree of information availability and finer-grained access controls by matching the classifications of individual data objects within a document to the threat level they are potentially exposed to, e.g. in some situations we would be able to grant access to certain paragraphs of text, classified at secret, while omitting satellite images classified at top secret. The data model resembles research efforts into multilevel database management systems [1].
3.2 Containers and Containment
We define a container to be a physical or virtual enclosure in which a data object or a lower level container exists, either fully or partially. Examples of containers are storage devices (e.g. a device's memory, hard drive, etc.), displays, audio devices, communications links, virtual circuits etc. Further, PDAs, mobile phones etc. are containers, just as are the physical spaces in which these reside.
Naturally, containers can be nested in a container hierarchy. However, unlike in location hierarchies, the elements (nodes) in container hierarchies are not necessarily unique. Containers are identified by their classification based on a set of characteristics, depending on which multiple instances of a particular container may exist concurrently. For example, we may define a container to be determined by the set of cryptographic protocols available over a communications channel. Thus, any communications link providing the specified services represents an instance of the container. In this work, we define containers with respect to perceived threat model related attributes. Container nesting is equivalent to physical nesting, e.g. a storage device within a mobile node etc.
Every container has an internal state, for example the traditional notion of context applicable to physical spaces. Container state is inherited down the container hierarchy as constrained by container transparency rules. In other words, every container creates an environmental state for its contents. A state is expressed in terms of a set of state attributes and their respective values.
Containers can be classified orthogonally by their type and their class. The latter denotes the container's primary functionality: a room, a display, a storage device, a communications channel etc. We say that two containers are of the same type if they are transparent to the same set of state attributes and their values when exposed to an equivalent set of state attributes and their values from a parent container.
Containment denotes the state of a container or a data object being within a container, together with any relevant state attributes, their values, and any applicable rules, such as the transparency rules.
By definition, the leaf nodes of the container hierarchy represent data objects. A data object may migrate among the containers but must remain at the bottom of the hierarchy. Containers that are the direct parents of data objects are called first-level containers. For example, storage devices, displays and communications channels can be classified as first-level containers. In simple terms, a first-level container is a device or medium on which a data object directly resides and from which it can be extracted.
4. THREAT MODELING
4.1 Threats - an Informal Definition
In Section 3 we specified the role of state attributes and their values in our model of the world. The attributes that we use are chosen to describe potential threats as perceived at the data object level in the environment. At any point in time, the security and privacy threat a data object is exposed to is represented by the set of state attributes and their values that the respective first-level container is transparent to. This may be illustrated by an example where the contents of a display residing within a glass-walled room are visible outside the room, as opposed to a display within a room with solid concrete walls.
Now, we can provide a higher-level definition of a first-level container type. Two first-level containers are of the same type if the same data object is exposed to the equivalent security and privacy threat in both containers under the same environmental states (the security relevant state attributes and their values the first-level container is affected by).
4.2 Levels of Exposure (LoEs)
Security and privacy savvy users often find themselves asking: is the information displayed on my screen visible to anyone apart from me? Can the audio I am listening to, or the conversation I am conducting, be overheard by someone? What is the risk of adverse information exposure (in this context, simply exposure in the rest of the paper) if a particular communications link is used? etc.
More generally, Levels of Exposure (LoEs) quantify and qualify the extent to which a piece of information is accessible to its surroundings at any particular moment, i.e. the degree of possible information leakage. LoEs do not account for the type or degree of data access as exercised by a legitimate data user, as determined by a complementary authorization mechanism.
[Figure 1: Two-level LoE model. The LoE lattice spans the two extremes, Not-Exposed and Exposed.]
The LoE model is defined at an organizational level, alongside a wider security policy. Its semantics are uniform across the ubiquitous system. LoEs apply to all the data objects existing within the system and depend directly on each individual data object's sensitivity level, as determined by the security model employed. For every instance of a data object, throughout its lifetime in a ubiquitous system, there may be only one LoE active at any particular moment. Each of the LoEs is associated with a set of proactive actions to mitigate the implied security and privacy risks.
The simplest Levels of Exposure model, and possibly sufficient for the majority of applications, is a "not-exposed", "exposed" two-level model. The levels denote the cases in which there is, respectively, no possibility or a credible possibility of information leakage to any third party. The two levels can be regarded as the two extremes of a LoE lattice representing a finer-grained model (as depicted in Figure 1). This simplistic model shall be used in all further discussion about LoE models.
4.3 LoE Modeling
Consider a piece of classified data being displayed on an overhead screen. Depending on the sensitivity of the contained information, if the screen is within the possible visibility field of a third party, the data would be labeled at the "exposed" LoE. An instance of the same information contained on a storage device would be unaffected under the same circumstances. However, should the proximity of the device to the owner decrease, the LoE of the stored data object would be changed to "exposed". Unclassified data would not be affected in either case and would permanently remain at the "not-exposed" LoE.
The example illustrates that the environmental state triggering any particular LoE for a data object depends directly on: the data object's security sensitivity, as determined by a wider security policy; and on the type of the container the data object resides in. Therefore, for each sensitivity level and for each container type, we define one or more sets of, possibly overlapping, state attributes and their values that trigger every applicable LoE. Depending on the LoE model, not all exposure levels need to be defined for all first-level container types or data-object sensitivity levels.
Figure 2 depicts a mapping of the two-level LoE model to a lattice-based security model and the influence of container types on the state attributes and their values triggering each of the exposure levels. The representation of the trigger attributes and their values in the figure is rather simplistic, whereas in practice it would consist of first-order logic expressions.
5. CONTEXT RELATED ISSUES
The previous Sections have shown the high dependence of the proposed model on context-related information for establishing container attributes, for building containment hierarchies and for evaluating security and privacy threats. To provide continuous model operation and its graceful degradation we have to ensure the continuity of context-information availability with guaranteed minimums.
According to the nature of the contextual attributes we can roughly divide containers into two categories: first-level containers (Section 3); and higher-level containers. First-level containment is determined by tracking data objects, and its attributes are expected to be pre-set, e.g. through a certification process. Higher-level containment, on the other hand, along with the security attributes determining threat models, needs to be "sensed".
We envisage three ways of establishing context-related information:
Ubiquitous Units' individual capabilities.
Via trust-based collaboration groups.
Use of dedicated infrastructure.
5.1 Ubiquitous Units' Context Provision
A ubiquitous unit is defined as any computationally capable individual entity in a ubiquitous system, e.g. a PDA, a mobile phone etc. A unit may comprise several containers, e.g. a storage device, a display etc. Although very few devices today have built-in dedicated context sensing capabilities, they can provide a guaranteed minimum of the context information necessary for the model's operation.
Firstly, a minimum of the first level in the containment hierarchy is determined from pre-set specifications, in terms of attribute sets, transparency rules etc., of all containers within the device. To track data objects' migrations among the first-level containers, system-level mechanisms are utilized. This provides the most coarse-grained model operation.
Secondly, much of today's ubiquitous devices' built-in functionality can be used for limited context inference. For example, reachability of a local wired LAN may mean physical presence within a secure perimeter, and similar applies to the visibility of landmarks via some communications technology; Bluetooth connectivity to a tag the user wears, e.g. a personal mobile phone most of us constantly carry around, may be used to determine the owner's proximity; audio analysis combined with high level diary information or a local mobility model may yield the fact of an activity taking place, etc.
5.2 Collaboration Groups
We expect users to carry multiple ubiquitous units at any one time, each of which will possibly have different capabilities commensurate with their primary functionality. Collaboration groups, based on trust [18], can be formed among such sets of units for aided context awareness or simply increased confidence. The above example, where device proximity, through short-range Bluetooth visibility, is used to determine the owner's presence, illustrates this point.
In infrastructure-rich environments, dedicated, high-confidence context awareness services can be used by joining them to a unit's collaboration group. For example, while in an Active Bat [9] enabled environment, a unit may form a collaboration group with the location service to obtain accurate and high-confidence location information.
5.3 LoE Establishment Confidence
As specified in Section 4, every LoE is defined by one or more sets of attributes and their values that trigger it. With every attribute value a capturing confidence is associated. Only when the confidence of all the values in a set is above a threshold is the particular LoE triggered.
Furthermore, every ubiquitous unit has to be certified for each LoE it can establish, for any information sensitivity level, at any available container type within the unit. This mechanism may be used to determine the maximum sensitivity of the data a unit may accommodate, should it not be certified to establish LoEs above a certain sensitivity level.
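The containment hierarchy of Section 3, the per-(sensitivity, container type) LoE trigger sets of Section 4.3 and the confidence gating and unit certification of Section 5.3, worked through in one added example that is not the paper's code. The attribute names (third_party_visibility, owner_distance_m, location_class), the container types, the value ranges and the 0.8 confidence threshold are assumptions made for the illustration.

```python
"""Added example (not the paper's code): the containment model of Section 3,
the LoE trigger sets of Section 4.3 and the confidence gating and unit
certification of Section 5.3, in the two-level LoE model.  All attribute
names, container types, value ranges and thresholds are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SENSITIVITY_ORDER = ["UC", "S", "TS"]   # lattice of Figure 2, lowest to highest


@dataclass(frozen=True)
class AttrValue:
    """A sensed state-attribute value with its capturing confidence (Section 5.3)."""
    value: object
    confidence: float = 1.0


@dataclass
class Container:
    name: str
    ctype: str                      # container type, e.g. "room", "display", "storage"
    transparent_to: frozenset       # transparency rule: parent attributes passed down
    local_state: Dict[str, AttrValue] = field(default_factory=dict)
    parent: Optional["Container"] = None

    def state(self) -> Dict[str, AttrValue]:
        """Environmental state seen by the contents: the parent's state filtered by
        this container's transparency rule, overridden by locally sensed values."""
        effective: Dict[str, AttrValue] = {}
        if self.parent is not None:
            effective = {k: v for k, v in self.parent.state().items()
                         if k in self.transparent_to}
        effective.update(self.local_state)
        return effective


@dataclass(frozen=True)
class Trigger:
    """One (attribute, value range) pair of Figure 2: the range is a set of
    discrete values or an inclusive (lo, hi) numeric interval."""
    attr: str
    value_range: object

    def matches(self, av: AttrValue) -> bool:
        if isinstance(self.value_range, tuple):
            lo, hi = self.value_range
            return lo <= av.value <= hi
        return av.value in self.value_range


# "Exposed" trigger sets per (sensitivity, first-level container type).  Any one
# set whose attributes all match activates the "exposed" LoE.  UC has no entries
# and therefore stays "not-exposed" permanently, as Section 4.3 requires.
EXPOSED_TRIGGERS: Dict[Tuple[str, str], List[List[Trigger]]] = {
    ("S", "display"): [[Trigger("third_party_visibility", {True})]],
    ("TS", "display"): [[Trigger("third_party_visibility", {True})]],
    ("S", "storage"): [[Trigger("owner_distance_m", (2.0, float("inf")))]],
    ("TS", "storage"): [[Trigger("owner_distance_m", (0.5, float("inf")))],
                        [Trigger("location_class", {"public"})]],
}
CONFIDENCE_THRESHOLD = 0.8


def level_of_exposure(sensitivity: str, first_level: Container,
                      threshold: float = CONFIDENCE_THRESHOLD) -> str:
    """LoE of a data object of the given sensitivity in a first-level container.
    A trigger set fires only if every attribute it names is present, captured with
    confidence >= threshold and within range.  As the paper states it, a reading
    below the threshold leaves the LoE at "not-exposed"; a deployment may prefer
    to treat an unconfident reading as exposed."""
    state = first_level.state()
    for trigger_set in EXPOSED_TRIGGERS.get((sensitivity, first_level.ctype), []):
        readings = [state.get(t.attr) for t in trigger_set]
        if all(av is not None and av.confidence >= threshold and t.matches(av)
               for t, av in zip(trigger_set, readings)):
            return "exposed"
    return "not-exposed"


def max_accommodated_sensitivity(unit_certs: Dict[str, set]) -> Optional[str]:
    """Highest sensitivity a unit may hold: it must be certified to establish LoEs
    at that level, and every level below it, on all of its container types."""
    best = None
    for level in SENSITIVITY_ORDER:
        if not all(level in certified for certified in unit_certs.values()):
            break
        best = level
    return best


def build_scenario(owner_distance_m: float, visibility_conf: float = 0.95):
    """Constructed hierarchy: glass-walled office > PDA > {display, flash storage}."""
    room = Container("glass_office", "room", frozenset(), {
        "third_party_visibility": AttrValue(True, visibility_conf),
        "location_class": AttrValue("office", 0.9)})
    pda = Container("pda", "unit", frozenset({"third_party_visibility", "location_class"}),
                    {"owner_distance_m": AttrValue(owner_distance_m, 0.9)}, parent=room)
    display = Container("pda_display", "display",
                        frozenset({"third_party_visibility"}), parent=pda)
    storage = Container("pda_flash", "storage",
                        frozenset({"owner_distance_m", "location_class"}), parent=pda)
    return display, storage
```

With the owner 0.3 m from the PDA, secret data on the display is "exposed" (the glass walls pass the visibility attribute through) while the same data in flash storage is "not-exposed"; moving the owner 3 m away flips the storage LoE, and lowering the visibility reading's confidence below 0.8 leaves the display "not-exposed".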
5.4 Context Abstraction and Modularity
Abstracting away low-level sensory information from multiple sources, possibly spanning multiple devices, and capturing and reasoning about errors and confidence is outside the scope of this project. For this purpose we refer to the work done on the Context Toolkit [7]. The Context Toolkit provides a framework for building a modular and flexible context mapping from local and remote low-level sensory information to higher level context descriptions through a set of: widgets, abstracting away the notion of sensors; interpreters, raising the level of abstraction of a piece of context information; and aggregators, collecting multiple pieces of logically related context information. The framework was designed to aid rapid prototyping of context aware applications. The Context Toolkit does not support the notion of trust, confidence or dynamically (run-time) resizing context-establishment collaboration groups in the form we require them. We intend to adapt the Context Toolkit approach to our needs. Figure 3 depicts schematically the process of abstracting low-level contextual information both locally and from a remote sensing unit.
6. PROTECTIVE ACTIONS
Once a credible risk of a threat for a data object within a container is established, resulting in a LoE activation, protective actions need to be taken to mitigate the implied security and privacy risks. The result of performing the actions is lowering the LoE of the data object. Possible protective actions are classified into three categories:
Data object's format transformations.
Subsetting.
Container hopping.
By manipulating a data object's format we exploit the fact that the different forms in which data exists in different contexts provide varying levels of information content to its surroundings. We can divide the transformations into two orthogonal sets of categories

[Figure 2: LoE mapping. Columns: Data Lattice Security Model (TS - Top Secret, S - Secret, UC - Unclassified); LoE Model (Exposed, Not-Exposed); First-Level Container Types (FL Container Type I, II, III, ..., X); LoE Triggers ({(attr1, value range), (attr2, value range), ..., (attrN, value range)}).]
[Figure 3: Context establishment w/o collaboration group. Within a Ubiquitous unit, Sensors feed Widgets, Widgets feed Interpreters, and Aggregators (per LoE, per container type) feed Policy enforcement; a Collaboration group with another Ubiquitous unit/Service contributes its own Sensor, Widget, Interpreter and Aggregator chain.]
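The three categories of protective action listed in Section 6 (format transformation, subsetting, container hopping), applied to the mixed-sensitivity document of Section 3.1 where secret paragraphs may be shown while top-secret satellite images are withheld; this is an added example, not the paper's code. The LoE table, the containers and data objects, and the order in which the actions are tried (least lossy first, to maximize availability) are assumptions.

```python
"""Added example (not the paper's code): choosing among the three categories of
protective action listed in Section 6 (format transformation, subsetting and
container hopping) for the mixed-sensitivity document of Section 3.1.  The LoE
table, the containers, the data objects and the order in which actions are
tried are constructed assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

LoE = str  # "exposed" or "not-exposed", the two-level model of Section 4.2


@dataclass(frozen=True)
class DataObject:
    name: str
    # Formats from richest information content to poorest; each form carries the
    # sensitivity the security policy assigns to it, since (Section 1) the level
    # of information quality is inherent in the data format.
    formats: Tuple[Tuple[str, str], ...]


@dataclass(frozen=True)
class Action:
    obj: str
    kind: str                   # "present", "transform", "hop" or "subset"
    container: Optional[str]    # where the object ends up (None when subsetted out)
    fmt: Optional[str]          # format in which it is made available


def not_exposed(loe: Dict[Tuple[str, str], LoE], sens: str, container: str) -> bool:
    # An undefined (sensitivity, container) pair is treated as exposed (fail-safe).
    return loe.get((sens, container), "exposed") == "not-exposed"


def choose_action(obj: DataObject, current: str, alternatives: List[str],
                  loe: Dict[Tuple[str, str], LoE]) -> Action:
    """Least-lossy action first, to maximize information availability: keep the
    native format where it is; else degrade the format in place; else hop the
    native format to another container; else subset the object out entirely."""
    native_fmt, native_sens = obj.formats[0]
    if not_exposed(loe, native_sens, current):
        return Action(obj.name, "present", current, native_fmt)
    for fmt, sens in obj.formats[1:]:
        if not_exposed(loe, sens, current):
            return Action(obj.name, "transform", current, fmt)
    for container in alternatives:
        if not_exposed(loe, native_sens, container):
            return Action(obj.name, "hop", container, native_fmt)
    return Action(obj.name, "subset", None, None)


def plan_exposure_control(document: List[DataObject], current: str,
                          alternatives: List[str],
                          loe: Dict[Tuple[str, str], LoE]) -> List[Action]:
    """One protective action per data object of the document."""
    return [choose_action(obj, current, alternatives, loe) for obj in document]


# Constructed document: two secret paragraphs, a top-secret satellite image that
# also exists as a secret-level caption, and top-secret map tiles with no
# lower-content form.
DOCUMENT = [
    DataObject("para1", (("text", "S"),)),
    DataObject("para2", (("text", "S"),)),
    DataObject("sat_image", (("full_res_image", "TS"), ("caption", "S"))),
    DataObject("map_tiles", (("full_res_image", "TS"),)),
]

# Constructed LoE table per (sensitivity, first-level container): the overhead
# display is within a third party's visibility field, the PDA's own display is not.
LOE_TABLE: Dict[Tuple[str, str], LoE] = {
    ("UC", "overhead_display"): "not-exposed",
    ("S", "overhead_display"): "not-exposed",
    ("TS", "overhead_display"): "exposed",
    ("UC", "pda_display"): "not-exposed",
    ("S", "pda_display"): "not-exposed",
    ("TS", "pda_display"): "not-exposed",
}
```

On the overhead display the two paragraphs are presented, the satellite image is transformed to its caption, and the map tiles hop to the PDA's display; with no alternative container available the map tiles are subsetted out instead.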

References
The computer for the 21st century
A conceptual framework and a toolkit for supporting the rapid prototyping of context-aware applications
The anatomy of a context-aware application
The Ponder Policy Specification Language
Virtual network computing