The Second International Conference on Emerging Security Information, Systems and Technologies

Controlling Access to Location-Based Services in Vehicular Mobile Pervasive Environments

Sameerchand Pudaruth, Nevin Vunka Jungum, Soulakshmee D. Ghurbhurrun and Leckraj Nagowah
Computer Science and Engineering Department, University of Mauritius, Réduit, Mauritius
s.pudaruth@uom.ac.mu, nevin.vunka@umail.uom.ac.mu, s.ghurbhurrun@uom.ac.mu, l.nagowah@uom.ac.mu

Abstract

Management of access control to location-based services in vehicular mobile pervasive environments presents several new challenges such as invisibility, localized scalability and privacy. To our knowledge, merging location-based services in pervasive environments with vehicular mobile environments is still in its infancy. To this end, we present a descriptive architecture for controlling access to services. Based on a comparative analysis of different access control models, we devised a new set of access control requirements for such environments and show their integration in the proposed architecture.

Keywords: vehicular networks, location-based services, access control, requirements, architecture, pervasive environment

978-0-7695-3329-2/08 $25.00 © 2008 IEEE
DOI 10.1109/SECURWARE.2008.41

1. Introduction

Vehicular Ad-Hoc Network (VANET) communication has recently become an increasingly popular research topic in the area of wireless networking as well as in the automotive industry. The goal of VANET research is to develop a vehicular communication system to enable quick and cost-efficient distribution of data for the benefit of passengers' safety and comfort. Built on top of such infrastructures are value-added services such as location-based services (LBS). In vehicular mobile environments, LBS are beneficial for drivers in the sense that they provide information about various services such as restaurants, cinemas, shopping center discounts and so on. Consider the scenario where a driver or car passenger can actually browse a cinema's program and subsequently book seats while approaching the cinema hall, despite being some 100 m away. Or consider the case of an employee who can actually access a gate service while approaching his workplace in his car. It is worthwhile to point out that the technologies to enable such scenarios already exist and the costs of such developments are relatively reasonable and within reach for developed countries.

To this end, questions that need to be asked are: why are we not experiencing extensive proliferation of such systems? How far have deployed systems been accepted by the end-users, i.e., the drivers? How can the sustainable growth of such systems for the enhancement of people's lives be ensured? How far are end-users willing to give private/confidential information to have access to these personalised services? Answers to these questions are subjective, but most would agree that security is essential for the wide deployment and acceptance of such systems. We firmly believe that for the wide deployment and sustainable growth of such services, security is important, more precisely access control, i.e., controlling access to them.

For the development of a secure access control system, a well defined, modular and extensible structure and clearly defined architectural components are necessary. Even though several access control models have been developed, our work shows that none of them are concrete and reliable enough to be deployed in a non-simulated real life pervasive environment. The fundamental requirements needed by an access control system have been analyzed for deployment in a pervasive environment. Precision and completeness in the formulation of the basic access control requirements is of paramount importance, as it is this foundation work that will mostly influence the design of the access control model. We performed an access control analysis to verify the degree of importance of the requirements for the building up, support and completeness of an access control system.

After comparative evaluation of the existing access control models, a new vital requirement is identified for consideration by future models, namely autonomous behavior, i.e. the ability of the access control system to monitor the users' interaction patterns so as to auto-correct future access control errors by using knowledge gained from previous interactions. Hence, access control models should be self-healing. This work will be a great asset to researchers and designers in the field of access control for optimizing the design of secure pervasive systems.

The rest of the paper is organized as follows: Section II presents a vehicular mobile pervasive environment transport service with some motivating scenarios.
Section III describes the fundamental requirements of an access control system, followed by an analysis of existing access control models to verify whether they meet the requirements discussed. The access control architecture is illustrated in Section IV with a detailed description of the different components involved. Section V explains how the access control architecture manages the access control process. Finally, Section VI concludes the paper.

2. Motivating Scenario

Vehicles participating in the vehicular service infrastructure (Figure 1) are equipped with an embedded microprocessor with a display interface, a GPS receiver, a class 1 Bluetooth sensor node, and an onboard diagnostics (ODI) interface. Some vehicles may have alternative wireless network connectivity support based on an on-board cellular communication device. The ODI is used to acquire a small set of data values from mechanical and electronic sensors mounted on the vehicle. All subsystems (GPS, ODI, wireless networking and Bluetooth links) are connected and forward data to the embedded microprocessor. A navigation software system enables the association of the vehicle's geographic position with an internal data structure representing the road networks of a large geographic area around the vehicle. This type of data structure is easily constructed from publicly available geographic referencing systems [23], [24]. Alternatively, the vehicle can also be equipped with a Bluetooth-enabled mobile phone on which the client application supports a collaborative navigation system.

Consider the scenario in Figure 2 again. The driver of vehicle X is moving to the west of William Street to reach the last building in that street, where he actually works. While he approaches the building with his car, the wireless stations of his workplace along the roadside detect his presence and automatically ask him, via the navigation system running on a computer embedded in his vehicle or on his mobile phone, whether he wants the gate to be opened. He chooses yes and, as soon as he is only a few meters away from the gate, the latter opens automatically. This scenario clearly indicates that access to relevant resources in a mobile pervasive environment is not only based on the user's authenticity or domain of access but is also largely influenced by the location of the user. An additional piece of information that this service could have considered before authorizing access to a resource is time. If it was around 2300 hours and the employee in vehicle X is not scheduled to work during night time, then the gate service alert would never have been sent.

To handle the above scenario and access control management in general, a flexible and dynamic access control framework is required to be integrated within the service infrastructure, one that uses contextual information such as user information (e.g., working schedule), location (e.g., near the workplace) and time (e.g., 2300 hrs) before deciding upon the allocation of a resource.

Figure 1. Access to services in an IVC scenario (map of Newton St., William St. and King St. showing vehicle X, the workplace, the traffic direction, wireless stations, buildings and the Bluetooth connections between vehicles and stations)

3. Access Control Requirements

Pervasive environments impose new security requirements, especially in the domain of access control, such as interoperability, scalability, usability, privacy and trust management [1][2]. In this section, the functional requirements of an access control model implemented in a vehicular mobile pervasive computing system are discussed. The aim is to highlight some of the unique characteristics brought on by vehicular ad-hoc networks and pervasive computing, in order to point out access control architectural implications.

A. Flexibility in the definition of access policies

One very important requirement is the ability to create and maintain flexible access control policies [3] to ease the management task of specifying and maintaining the security specifications. The access control system should be expressive enough to specify in a flexible way the different protection requirements that can be imposed on different objects. One way of ensuring flexibility is the inclusion of contextual information [4][5] to influence access control decisions. The model should define a generic access control policy and later be able to customize it for specific scenarios by the incorporation of external rules/events and parameters. Contextual information [5] includes the user's security policy, the system's security policy, environmental parameters, the position of the interacting entities, the user interaction type, etc. Flexibility also means the ability to add new, remove, and/or modify existing security constraints. Hence, the access control policies generated during run-time of the application should be simple, to facilitate their maintenance in real time.
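To make the flexibility requirement concrete on the gate scenario of Section 2, here is an added Python example (not code from the paper): a generic gate policy (authenticity plus proximity) is customized for the workplace with a working-schedule rule, and constraints can be removed at run time. The rule labels, the schedule data and the use of the 100 m figure as the proximity threshold are assumptions of this example.

```python
from dataclasses import dataclass, field
from datetime import time
from typing import Callable, Dict, List, Tuple


@dataclass
class Context:
    """Constructed request context for the workplace-gate scenario."""
    user_id: str
    authenticated: bool
    distance_to_gate_m: float                       # from the vehicle's GPS fix
    clock: time                                     # local time of the request
    schedule: Dict[str, List[Tuple[time, time]]]    # hypothetical UI data: user -> shifts


Rule = Callable[[Context], bool]


@dataclass
class Policy:
    """Generic policy: access is granted only if every attached rule holds."""
    name: str
    rules: Dict[str, Rule] = field(default_factory=dict)

    def add_rule(self, label: str, rule: Rule) -> None:
        self.rules[label] = rule

    def remove_rule(self, label: str) -> None:
        self.rules.pop(label, None)

    def evaluate(self, ctx: Context) -> Tuple[bool, List[str]]:
        """Return (granted, labels of the rules that failed)."""
        failed = [label for label, rule in self.rules.items() if not rule(ctx)]
        return not failed, failed


def generic_gate_policy() -> Policy:
    """The basic/generic policy: authenticity plus proximity to the gate."""
    policy = Policy("gate-service")
    policy.add_rule("authenticated", lambda c: c.authenticated)
    policy.add_rule("within-100m", lambda c: c.distance_to_gate_m <= 100.0)
    return policy


def on_shift(ctx: Context) -> bool:
    """Scenario-specific rule: the employee must be scheduled to work right now."""
    shifts = ctx.schedule.get(ctx.user_id, [])
    return any(start <= ctx.clock <= end for start, end in shifts)


def customize_for_workplace(policy: Policy) -> Policy:
    """Customize the generic policy with the working-schedule (time) constraint."""
    policy.add_rule("on-shift", on_shift)
    return policy


def gate_alert(ctx: Context, policy: Policy) -> Tuple[bool, List[str]]:
    """Whether the roadside station should alert the driver and offer to open the gate."""
    return policy.evaluate(ctx)


# Constructed sample: employee X works 08:00-18:00 and is 80 m from the gate.
SCHEDULE = {"X": [(time(8, 0), time(18, 0))]}
DAY = Context("X", True, 80.0, time(17, 30), SCHEDULE)
NIGHT = Context("X", True, 80.0, time(23, 0), SCHEDULE)
FAR = Context("X", True, 250.0, time(17, 30), SCHEDULE)

if __name__ == "__main__":
    policy = customize_for_workplace(generic_gate_policy())
    print(gate_alert(DAY, policy))     # (True, [])
    print(gate_alert(NIGHT, policy))   # (False, ['on-shift'])
    policy.remove_rule("on-shift")     # run-time modification of the constraints
    print(gate_alert(NIGHT, policy))   # (True, [])
```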
B. Invisibility

One of the key motivators of pervasive environments advocated by Langeheinrich [6] is the invisibility issue. Providing a high degree of invisibility is extremely important [5]. After all, the automation of daily activities is one of the aims of pervasive computing technology. Therefore it is ideal to provide entirely human-free interactions [7]. Complete disappearance of pervasive computing technology should be considered in access control applications. An access control mechanism [8] must work with minimal active participation from the user. Determining access rights correctly requires the consideration of a complex set of drivers representing relationships between entities and the current context governing those entities. Hence, for authorizing access to a service, it is necessary to gather sufficient and different credentials of the user. The framework should hide the existence of the real interactions, which will also result in less user distraction.

C. Critical Events

Most existing access control mechanisms do not take critical events [9] into consideration. Examples are Role-Based [10], Time-Based [11], Location-Based [12], Proximity-Based [13], Task-Based [14], Team-Based [15], Attribute-Based [16], Token-Based [17] and Context-Aware Role-Based [18]. In general, all systems have two modes: normal and abnormal. Critical events occur when a system is in an abnormal state, and thus service requirements may change radically. In a pervasive environment covering, e.g., a small city, standard access control policies may prevent, e.g., fire brigades from accessing certain buildings which are on fire. For example, fire brigades brought in from neighboring cities in response to a fire disaster may not automatically be granted access to buildings in the smart city.

A pervasive computing system needs to be able to observe its environment continually and to take corrective measures in case of environmental changes which can cause the system to enter an abnormal state. Such an environmental change is known as a Critical Event. Once a critical event has been detected, the system should take immediate action (as soon as the criticality is detected) to control its effects.

D. Privacy/Anonymity/Client-side Restriction

The more a system knows about the users and the application environment, the more fine-grained access control it can provide to protected resources. But this also implies an increase in the risk of compromising the users' privacy. An example is location privacy [19]. Location information of users captured by sensors on an ongoing basis generates an enormous amount of potentially sensitive information. Privacy of location information is about controlling access to this information. This collection cannot be stopped, because some applications use this information to provide useful services, but it should be under control. One way for an access control system to ensure privacy protection is by frequently changing pseudonyms or by generating multiple digital identities, so that users avoid being identified by the locations they visited while at the same time they can fully enjoy a service that requires their location information.

E. Overall Performance

An access control system should be fast and consume a minimal amount of resources. The design of the flow of data in the system must not be complex. The overheads associated with it must be minimized. For example, if the access control system is able to collect sufficient credentials about its users without putting their privacy at stake, this will result in a reduction of the overheads associated with the repeated exchange of information at different authentication points.

F. Autonomous behaviour

The model needs to be able to monitor the users' interaction patterns to enable it to auto-correct future access control errors or enhance the services list, by using knowledge gained from previous interactions. That is, it should be self-healing.

TABLE I. ANALYZING ROLE AND IMPACT OF REQUIREMENTS

Requirements: Role and impact on an access control model

Flexibility in the definition of access policies:
- The model should define a basic/generic access control policy and later be able to customize it for specific scenarios.
- The model should be simple to ease the management of the different tasks and the maintenance of the security specifications.
- It must be flexible enough to add new, remove and/or modify existing security constraints.
- Usage of contextual information to further enhance the flexibility of the model.

Invisibility:
- The model must be able to gather sufficient credentials to authenticate a user but at the same time hide the interactions between the user and the system.

Critical events:
- The model must have a component that will be responsible for continuously monitoring the system in case a critical event occurs.
- The model should be able to change policies in response to a critical event.
- Changes in policies should not affect the normal working of the system.

Privacy/Anonymity/Client-side restriction:
- Configuration of privacy access control policies.
- Management of the privacy requirements of the owner of the information, those of the collector and possible privacy laws.
- Privacy rules must be attached to the data during their movement in the system among different parties.
- Consumers of the data must manage the data only by following the privacy rules.
- The model should allow users to specify their own restrictions when their information is accessed by a third party.

Overall performance:
- The system must not be resource greedy, must minimize overheads and must follow a simple design.
Autonomous behavior:
- The model needs to be able to monitor the users' interaction patterns to enable it to auto-correct errors by using knowledge gained from previous interactions, that is, it should be self-healing.

We further analyzed five existing access control models to verify their degree of validity in such an environment, i.e., we checked whether, and to what extent, they meet the above requirements, as shown in Table III. A scale of 1 to 5 is used, where 1 denotes No Consideration and 5 denotes Absolute Consideration. Refer to Table II below for more scaling details.

TABLE II. SCALING LEVEL USED FOR MODEL ANALYSIS

Rating   Degree of consideration
1        Nil / No consideration
2        Weakly / Less than average
3        Partially / Medium / Reasonable
4        Mostly / But not complete
5        Fully / Strongly / Absolute consideration

TABLE III. AC MODELS REQUIREMENTS ANALYSIS

Requirements      Role Based [10]   Location Based [12]   Attribute Based [16]   Team Based [15]   C-A Role Based [18]
Flexibility             2                   5                     5                    5                   5
Invisibility            5                   5                     5                    5                   5
Critical events         1                   1                     1                    1                   1
Privacy                 3                   3                     3                    3                   3
Overall Perf.           3                   3                     3                    3                   3
Auto. Behavior          1                   1                     1                    1                   1

At design time of the Role Based AC model, there is moderate flexibility to specify complex context-aware authorization policies. In Context-Aware Role Based AC, there is the Policy Adaptation mechanism to ensure a smooth flow of operations in new scenarios, and rules have to adapt to unforeseen events.

The Team Based AC mechanism allows us to create a general structure (class/definition) of a team with role-based permission assignments to object types. However, when a team is instantiated, the user context can be used to tailor the role-based permissions defined on object types to user-specific permissions on individual object instances considered to be part of a team's resources.

As pointed out above, the model needs to be able to monitor the users' interaction patterns to enable it to auto-correct future access control errors by using knowledge gained from previous interactions, that is, it should be self-healing. But none of the models above takes this requirement into consideration. The same applies to critical events.

4. Access Control Architecture

In this section, we present an access control architecture (Figure 2) that takes into consideration the requirements discussed in Section II. We proceed with the detailed description of the different components of the architecture.

Figure 2. Access Control Architecture (a J2SE environment hosting the Policy Manager, Pattern Identifier, Access Control Engine, Service Manager, User Manager, Privacy Unit, Authorization Manager and Critical Unit, together with the Policy Information, Service Information and User Information repositories; service requests and responses are exchanged with the vehicle)

Controlling access to services in this system is based on an extended client-server computing model. In this model, a driver located on a particular road requests a service via a Bluetooth-enabled mobile device. This request is sent to the wireless base station of that road segment. The server processes the request and decides whether access should be granted or not. Below are the functions of the different components of the architecture:

The Service Manager (SM) deals with all the services hosted on the server. It has the responsibility of managing the services stored in the Service Information (SI) repository.

The Policy Manager (PM) has the task of adding new policies and deleting existing ones when required in the Policy Information (PI) repository. Adding new policies occurs when new services are added by the SM. The PM is also accountable for identifying conflicts between fired rules and resolving them. A conflict occurs when, based on the current context, more than one policy is fired while some of them result in granting the access and others result in revoking it. Works such as [20][21] discuss conflict detection and resolution based on context changes.

The User Manager (UM) deals with user information. The UM authenticates users based on their requests to access services. The UM manages the users' information stored in the User Information (UI) repository. It also provides users' preferences and profiles when required by the Access Control Engine (ACE).

The Privacy Unit (PU) ensures the privacy protection of users. It is responsible for frequently changing the users' pseudonyms so that they avoid being identified, through man-in-the-middle attacks, by the locations they visited, while at the same time they can fully enjoy a service that requires their location information.

The Pattern Identifier (PI) identifies patterns in the users' interaction behaviour so as to enhance the service retrieval list and reduce processing time. It uses information stored in the UI repository. This component ensures the autonomous characteristic of the access control model.

The Access Control Engine (ACE) uses location information, time, user information and policies to decide whether to grant or revoke access to services.

The Authorization Manager (AM) receives different access requests for different services. It passes the requests to the ACE. Based on the responses obtained from the ACE and the Critical Unit (CU), the AM decides whether access should be granted or not.

In the case of critical events as described in Section II (C), the Critical Unit can largely influence the access control decision made by the AM, thus overriding policies if necessary.

5. Access Control Process

This section explains how the access control model deals with incoming service requests and manages the access control process. The process is divided into five main stages. The description of each stage is as follows:

1. Initiation: When a vehicle enters a serviced zone, it is detected by a server, which requests its authentication information (e.g., userID and userPassword). If the user is valid, the server next tries to find a list of services for that user.

2. Service Discovery: The ACE passes the userID reference as a parameter to the SM. Upon receipt of a request for a list of services based on the received parameter, the SM starts to find a set of suitable services. It then makes a service list comprising serviceID and serviceName as attributes, which represent the id of a service and its corresponding name respectively. This service list is then sent as a response to the ACE request.

3. Firing Policies: The ACE needs some policies for making a decision for each and every service in the service list. After sending a request for policies based on the current context, such as time, date, location and serviceID, to the PM, policies will be fired. If there is a need for extra information about the user, a request for it will be sent to the UM.

4. Decision Process: The ACE will then decide whether access to a service is granted or not based on the policies. If it is granted, the service will be put in an accept stack list to be sent later to the AM. If it is revoked, the ACE will add this service to a reject stack list, which will also be sent to the AM. It will then check the service list to see if another service exists, and the whole process starts again until the service list becomes empty, after which the accept stack list and reject stack list are both sent to the AM.

5. Authorization: Firstly, the AM puts all service names and their corresponding ids, extracted from the accept stack list, into an authorized service list. Secondly, it listens for input from the CU in case of critical events. If there are no critical events, the input parameter supplied by the CU to the AM is NULL. Otherwise, a critical list comprising serviceIDs is supplied and this is compared with the reject stack list. Each serviceID that matches is immediately added to the authorized service list together with the corresponding serviceName attribute. This process is looped until the critical list is empty. Once the latter is empty, the authorized service list is assumed to be complete and is thus sent to the concerned vehicle.

There is some additional processing that is performed. In stage 3, when a request is sent to the UM for additional information, the latter invokes the PI with userID as parameter to identify behavioural patterns of the concerned user. An example of a typical data set is shown in Figure 3 below.

Figure 3. A typical data set (User Interaction Data Set)

To extract behavioural patterns in the User Interaction Data Set, shown in Figure 3 above, two sets of patterns are considered: firstly, patterns in user service invocation and secondly, patterns in user location and/or time. Sequence analysis [22] identifies sequential patterns in a large volume of transaction data. A sequential pattern consists of a sequence of items that frequently occur in the data. A possible pattern could be: Seminar → Restaurant. This indicates that when the user visited a Seminar service he also subsequently visited the Restaurant service.

6. Conclusions

In this paper, we performed a comprehensive analysis of access control requirements reported in the literature for the past ten years. Based on our evaluation, we conclude that event criticality is a key ingredient for access control models. Some works
reviewed propose access control for pervasive environments, but most of them do not take an extensive context requirement of the user and the system into account in a satisfying way, though it must be central in pervasive environments. These models do not address some pervasive-related issues. The originality of our analysis lies in the possibility of specifying access control requirements precisely and easily, and secure policies useful in a vehicular mobile pervasive environment, thanks to a strong theoretical background. We then present an access control architecture that satisfies the requirements identified and furthermore describe the access control process. Currently, we are developing a low-cost prototype based on Bluetooth technology to finally proceed with testing in a real environment.

References

[1] Yeun C., Lua E., and Crowcroft J., Security for Emerging Ubiquitous Networks, IEEE International Conference on Vehicular Technology, Volume 2, pp. 1242-1248, 25-28 September 2005.
[2] Wang J., Yang Y., and Yurcik W., Secure Smart Environments: Security Requirements, Challenges and Experiences in Pervasive Computing, NSF Infrastructure Experience 2005, NSF/CISE/CNS Pervasive Computing Infrastructure Experience Workshop, Siebel Center for Computing Science, University of Illinois at Urbana-Champaign, July 27, 2005.
[3] Iachello G., and Abowd G. D., A Token-based Access Control Mechanism for Automated Capture and Access Systems in Ubiquitous Computing, GIT Technical Report GIT-GVU-05-06, Georgia Institute of Technology, GVU Center, 2005.
[4] Damiani E., De Capitani di Vimercati S., and Samarati P., New Paradigms for Access Control in Open Environments, Proceedings of the Fifth IEEE International Symposium, 18-21 Dec. 2005, pp. 540-545.
[5] Javanmardi S., Hemmati H., and Jalili R., An Access Control Framework For Pervasive Computing Environments, presented at the International Conference on Pervasive Systems & Computing PSC'06, Nevada, USA, 2006.
[6] Langeheinrich M., Privacy by Design: Principles of Privacy-Aware Ubiquitous Systems, in UBICOMP 2001, LNCS 2201, pp. 273-291, 2001.
[7] Garlan D., Siewiorek D.P., Smailagic A., and Steenkiste P., Project Aura: Toward Distraction-free Pervasive Computing, IEEE Pervasive Computing, Volume 1, Issue 2, pp. 22-31, April-June 2002.
[8] Kottahachchi B., ACCESS: Access Controls for Cooperatively Enabled Smart Spaces, in MIT Student Oxygen Workshop, Ashland, MA, September 2004.
[9] Gupta S. K. S., Mukherjee T., and Venkatasubramanian K., Criticality Aware Access Control Model for Pervasive Applications, in Proc. of 4th IEEE Conf. on Pervasive Computing, Pisa, Italy, March 2006.
[10] Sandhu R., Coyne E., Feinstein H., and Youman C., Role-Based Access Control Models, IEEE Computer, vol. 29, no. 2, pp. 38-47, 1996.
[11] Bertino A.E., Bonatti P.A., and Ferrari E., TRBAC: A Temporal Role-based Access Control Model, ACM Transactions on Information and System Security, 4(3), pp. 191-233, August 2001.
[12] Ray I., and Kumar M., Towards a Location-Based Mandatory Access Control Model, Computers & Security, 25(1), February 2006.
[13] Gupta S. K. S., Mukherjee T., Venkatasubramanian K. K., and Taylor T. B., Proximity Based Access Control in Smart-Emergency Departments, in PerCom Workshops 2006, pp. 512-516.
[14] Zhang C-x., Hu Y-x., and Zhang G-b., Task-Role Based Dual System Access Control Model, IJCSNS International Journal of Computer Science and Network Security, vol. 6, no. 7B, July 2006.
[15] Thomas R. K., Team-based Access Control (TMAC): A Primitive for Applying Role-based Access Controls in Collaborative Environments, in Proceedings of RBAC '97, Fairfax, VA, USA, 1997.
[16] Wang L., Wijesekera D., and Jajodia S., A Logic-based Framework for Attribute based Access Control, in Proceedings of CCS04, October 2004.
[17] Iachello G., and Abowd G. D., A Token-based Access Control Mechanism for Automated Capture and Access Systems in Ubiquitous Computing, Georgia Institute of Technology, GVU Center Technical Report GIT-GVU-05-06.
[18] Shen H., and Hong F., A Context-Aware Role-Based Access Control Model for Web Services, in Proceedings of ICEBE 2005, pp. 220-223.
[19] Beresford A. R., and Stajano F., Location Privacy in Pervasive Computing, Pervasive Computing Magazine, 2003.
[20] Syukur E., Loke S.W., and Stanski P., Methods for Policy Conflict Detection and Resolution in Pervasive Computing Environments, in Policy Management for Web workshop, in conjunction with the WWW2005 Conference, Chiba, Japan, 10-14 May 2005.
[21] Kamoda H., Yamaoka M., Matsuda S., Broda K., and Sloman M., Policy Conflict Analysis Using Free Variable Tableaux for Access Control in Web Services Environments, Policy Management for Web, a WWW2005 Workshop, 14th International World Wide Web Conference, Chiba, Japan, pp. 5-12, 10 May 2005.
[22] Srikant R., and Agrawal R., Mining Sequential Patterns: Generalizations and Performance Improvements, Technical Report, IBM Almaden Research Centre, 1999.
[23] U.S. Census Bureau, Topologically Integrated Geographic Encoding and Referencing System, http://www.census.gov/geo/www/tiger/ (accessed on 31st January 2008).
[24] Nadeem T., Dashtinezhad S., Liao C., and Iftode L., TrafficView: Traffic Data Dissemination Using Car-to-Car Communication, ACM SIGMOBILE Mobile Computing and Communications Review, Special Issue on Mobile Data Management, vol. 8, no. 3, pp. 6-19, July 2004.
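As an added example (not the paper's code) of the five-stage process of Section 5, together with the Policy Manager's conflict detection and the Critical Unit's override from Section 4, the following Python stand-in chains the UM, SM, PM, ACE and AM steps over constructed repositories. The rule set, the deny-overrides conflict resolution strategy, the password hashing and the critical list contents are assumptions of this example; the paper does not specify them.

```python
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

GRANT, REVOKE = "grant", "revoke"

@dataclass(frozen=True)
class Context:
    user_id: str
    hour: int         # hour of the request, 0-23
    road: str         # road segment whose base station received the request
    service_id: int

@dataclass(frozen=True)
class PolicyRule:
    name: str
    applies: Callable[[Context], bool]  # condition under which the rule fires
    effect: str                         # GRANT or REVOKE

# Constructed stand-ins for the Service Information, User Information and
# Policy Information repositories of Figure 2.
SERVICE_INFO: Dict[int, str] = {1: "Gate", 2: "Restaurant", 3: "Parking"}

def _pw_hash(password: str) -> str:
    return hashlib.sha256(b"constructed-salt:" + password.encode()).hexdigest()

USER_INFO: Dict[str, Dict[str, str]] = {"u42": {"pw_hash": _pw_hash("s3cret")}}

POLICY_INFO: List[PolicyRule] = [
    PolicyRule("gate-on-shift", lambda c: c.service_id == 1 and 8 <= c.hour < 18, GRANT),
    PolicyRule("gate-night-lockdown", lambda c: c.service_id == 1 and not 8 <= c.hour < 18, REVOKE),
    PolicyRule("restaurant-open", lambda c: c.service_id == 2 and 11 <= c.hour <= 22, GRANT),
    PolicyRule("restaurant-local-only", lambda c: c.service_id == 2 and c.road != "William St.", REVOKE),
    PolicyRule("parking-any", lambda c: c.service_id == 3, GRANT),
    PolicyRule("parking-evening-closed", lambda c: c.service_id == 3 and c.hour >= 20, REVOKE),
]

def um_authenticate(user_id: str, password: str) -> bool:
    """Stage 1 (User Manager): check the userID/userPassword pair."""
    user = USER_INFO.get(user_id)
    return user is not None and user["pw_hash"] == _pw_hash(password)

def sm_discover(user_id: str) -> List[Tuple[int, str]]:
    """Stage 2 (Service Manager): build the (serviceID, serviceName) list."""
    return sorted(SERVICE_INFO.items())  # stand-in: every hosted service is a candidate

def pm_fire(ctx: Context) -> Tuple[str, List[str], bool]:
    """Stage 3 (Policy Manager): fire the rules matching the context and flag a
    conflict when both GRANT and REVOKE rules fired for the same service."""
    fired = [r for r in POLICY_INFO if r.applies(ctx)]
    effects = {r.effect for r in fired}
    conflict = GRANT in effects and REVOKE in effects
    # Resolution strategy assumed for this example: any fired REVOKE wins,
    # and a service with no fired rule at all is revoked as well.
    decision = GRANT if effects == {GRANT} else REVOKE
    return decision, [r.name for r in fired], conflict

def ace_decide(user_id: str, hour: int, road: str):
    """Stages 3-4 (Access Control Engine): fill the accept and reject stacks."""
    accept, reject, conflicts = [], [], []
    for service_id, name in sm_discover(user_id):
        decision, fired, conflict = pm_fire(Context(user_id, hour, road, service_id))
        if conflict:
            conflicts.append((service_id, fired))
        (accept if decision == GRANT else reject).append((service_id, name))
    return accept, reject, conflicts

def am_authorize(accept, reject, critical_list: Optional[List[int]]):
    """Stage 5 (Authorization Manager): start from the accept stack, then move
    rejected services named in the Critical Unit's list into the authorized list."""
    authorized = list(accept)
    pending = list(critical_list or [])  # NULL from the CU means no critical event
    while pending:
        sid = pending.pop()
        for entry in reject:
            if entry[0] == sid and entry not in authorized:
                authorized.append(entry)
    return authorized

def run_process(user_id, password, hour, road, critical_list=None):
    """Whole process; None means authentication failed in stage 1."""
    if not um_authenticate(user_id, password):
        return None
    accept, reject, _ = ace_decide(user_id, hour, road)
    return am_authorize(accept, reject, critical_list)
```

With the constructed rules, a request at 21:00 on William St. yields only the Restaurant; a critical list naming the Gate and Parking services pulls both out of the reject stack.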