Combining Theory and Systems Building Experiences and Challenges Sotirios Terzis University of Strathclyde

Pervasive and Global Computing SECURE Project (1)  Explore the human notion of trust as a basis for access control decision-making in a global computing environment  Subjective nature of trust – autonomous decision- making  Dynamic character of trust – form and evolve opinions about the likely behaviour of entities on the basis of evidence of their past behaviour  Observations and recommendations  Three models  A trust model – formally grounded  A risk model  A collaboration model  A trust-based decision making engine

Pervasive and Global Computing SECURE Project (2)  Theoretical outcomes  Abstract trust model  Trust domain with information and trustworthiness orderings  Entity trustworthiness as the fixed point of a global trust function (local trust policies with references)  Concrete instantiation of the trust model  Trust values as evidence (observable events) in support, inconclusive and in conflict to interaction outcome (event configurations)  Trust model operationalisation  Techniques for distributed computation of fixed point approximations in a global computing environment  A calculus for trust management enabling abstract description of entity behaviour with equivalence notions from process algebra  Reasoning techniques used to provide provable security guarantees in the trust model

Pervasive and Global Computing SECURE Project (3)  Systems building outcomes  Risk model  Risk as the combination of the likelihood of a trust- mediated action outcome occurring and its associated costs/benefits  Collaboration model  Decision-making process  Trust evaluation process  Risk evaluation process  A framework architecture for trust-based access control decision-making  SECURE kernel a Java-based instantiation –Generic implementation of the event-based instantiation of the trust model  Entity recognition scheme  Evidence distribution framework

Pervasive and Global Computing Challenges (1)  Largely separate theoretical and systems building research communities each with extensive literature  Limited awareness of progress to date and open challenges  Combine experts from both fields  Ensure research scope allows for contribution in both fields  Get experts from both fields involved from the beginning  Communication between theoreticians and systems builders can be difficult  Build a common basis for communication –Scenarios for concept exploration –Consistent and clearly defined terminology

Pervasive and Global Computing Challenges (2)  The real challenge lies in managing abstraction –Abstract models are useful only in so far as they support the analysis and development of real systems – theoretical models must be operational –Implementations should not muddle the differences between accidental and real complexities of the problem domain – systems builders should consider widely different implementations  Establishing good and open working relationship is key –Setting a clear common target is particularly useful  Some researchers trade on the boundary!  Have an important role to play in addressing the collaboration challenge  Recognising the potential benefits of a combined approach – the underlying challenge

Pervasive and Global Computing Addressing the challenges in SECURE (1)  Security domain particularly conducive to a combined approach  Potential benefits are clear  Security policy and protocol verification is a core requirement – set clearly the expected contribution of each field  Researchers quite often trade on the boundaries  Project strategy facilitated the combined approach  Researchers from both fields and trading on the boundary involved from the outset  SECURE kernel implementing models that enable policy verification set as a key objective

Pervasive and Global Computing Addressing the challenges in SECURE (2)  Emphasis on application scenarios facilitated communication  A key scenario (simple but with a great scope for development) played a central role  Independent development of multiple scenarios demonstrated the wide variation of approaches possible  Maintenance of a project glossary removed terminology problems  Emphasis on operationalisation & open collaboration  Management of abstraction through formal model instantiation  Distributed calculation of fixed point approximations motivated from emphasis  Wealth of literature on trust-related concepts was helpful

Pervasive and Global Computing Pervasive Computing Perspective  Significant work on the challenges of both fields is already taking place, but is currently largely separate  Research project combining researchers from both fields are not yet common  The need for a combined approach is advocated, but where the concrete benefits will be derived from is still unclear  Research on areas traditional trading on the boundary could be the way forward  A variety of independent implementation approaches are beginning to make the core characteristics clear, but there is still no consensus on central concepts  Lack of comparative studies makes things worse