A Traceable Capability-based Access Control for IoT

Delegation mechanism in Internet of Things (IoT) allows users to share some of their permissions with others. Cloud-based delegation solutions require that only the user who has registered in the cloud can be delegated permissions. It is not convenient when a permission is delegated to a large number of temporarily users. Therefore, some works like CapBAC delegate permissions locally in an offline way. However, this is difficult to revoke and modify the offline delegated permissions. In this work, we propose a traceable capability-based access control approach (TCAC) that can revoke and modify permissions by tracking the trajectories of permissions delegation. We define a time capability tree (TCT) that can automatically extract permissions trajectories, and we also design a new capability token to improve the permission verification, revocation and modification efficiency. The experiment results show that TCAC has less token verification and revocation/modification time than those of CapBAC and xDBAuth. TCAC can discover 73.3% unvisited users in the case of delegating and accessing randomly. This provides more information about the permissions delegation relationships, and opens up new possibilities to guarantee the global security in IoT delegation system. To the best of our knowledge, TCAC is the first work to capture the unvisited permissions.     

Mobile Cloud Middleware

Mobile Cloud Computing (MCC) is arising as a prominent research area that is seeking to bring the massive advantages of the cloud to the constrained smartphones. Mobile devices are looking towards cloud-aware techniques, driven by their growing interest to provide ubiquitous PC-like functionality to mobile users. These functionalities mainly target at increasing storage and computational capabilities. Smartphones may integrate those functionalities from different cloud levels, in a service oriented manner within the mobile applications, so that a mobile task can be delegated by direct invocation of a service. However, developing these kind of mobile cloud applications requires to integrate and consider multiple aspects of the clouds, such as resource-intensive processing, programmatically provisioning of resources (Web APIs) and cloud intercommunication. To overcome these issues, we have developed a Mobile Cloud Middleware (MCM) framework, which addresses the issues of interoperability across multiple clouds, asynchronous delegation of mobile tasks and dynamic allocation of cloud infrastructure. MCM also fosters the integration and orchestration of mobile tasks delegated with minimal data transfer. A prototype of MCM is developed and several applications are demonstrated in different domains. To verify the scalability of MCM, load tests are also performed on the hybrid cloud resources. The detailed performance analysis of the middleware framework shows that MCM improves the quality of service for mobiles and helps in maintaining soft-real time responses for mobile cloud applications.     

基于Web技术的委托网络管理

本文利用现有的Ｗｅｂ技术，提出了一种实时委托网络管理的方案，该方案通过对通用Ｗｅｂ浏览器、服务器的扩展、来传送和处理请求，响应，事件等网络管理信息。     

Can Addresses be Types?: A case study: objects with delegation

We adapt the aliasing constraints approach for designing a flexible typing of evolving objects. Types are singleton types (addresses of objects, as a matter of fact) whose relevance is mainly due to the sort of safety property they guarantee. In particular we provide a type system for an imperative object based calculus with delegation and which supports method and delegate overriding, addition, and removal.     

无线移动网络跨可信域的直接匿名证明方案?

基于信任委托的思想,提出一种移动环境下的跨可信域的直接匿名(direct anonymous attestation,简称DAA)证明方案,采用代理签名技术和直接匿名证明方法,实现对移动终端在多可信域之间漫游时的可信计算平台认证,并在认证过程中协商会话密钥,增强了远程证明体系的安全性。利用 Canetti-Krawczyk(CK)模型对方案的认证协议的认证安全性和匿名安全性进行了形式化分析和证明。分析表明,该方案能够抵抗平台伪装攻击和重放攻击,其性能适用于无线网络环境。     

基于委托的工作流访问控制模型

从工作流访问控制模型与流程模型分离的角度,提出一种基于委托的工作流访问控制（DBWAC）模型．为了管理流程中执行任务需要的权限,引入了虚拟委托用户的概念．在DBWAC模型中,虚拟委托用户是流程中任务的抽象和访问控制实施的基本单元,权限同虚拟委托用户相关联．在任务开始执行时,虚拟委托用户将权限委托给任务的执行用户并在任务执行完成后将委托撤销,使用委托约束、委托条件保证委托的可控性．通过该模型不仅可以满足工作流访问控制的要求,并且可以实现委托,提供了一种具有柔性和可控的授权方式．     

基于角色的权限代理模型及其实现*

提出了一种基于角色的授权代理模型——SBDM,讨论了SBDM的基本思想、体系结构、组成要素以及权限代理约束和判定,并提供了一种有参考价值的实现权限代理模型的设计思路,它将在大型分布式网络、工作流管理系统中有广泛应用。     

国际多式联运中委托代理的合作风险研究

针对国际多式联运绝大多数都是通过委托代理合作来完成的现状,指出了这种委托代理合作存在信息不对称、逆向选择和道德风险等问题,国际多式联运的承运人应特别加以关注和重视.通过基于博弈论的激励约束模型和期望效益模型的建立,对潜在盟员的综合素质进行评估,设计利润分配最优化体系,可以有效地降低委托代理合作企业的合作风险,从而为国际多式联运的承运人有效管理联盟团队提供理论依据.     

带权强分离信任委托路径搜索*

在委托证书路径搜索和一致性证明时,在Keynote提出的证书图的基础上,采用有向图中深度优先遍历的思想以及图的动态特性,提出了一种新的一致性验证算法,通过找出一条最佳的带权分离委托路径可以表达否定安全凭证,同时通过有向图的搜索边标记提高搜索效率并有效避免回路循环搜索的问题.     

基于委托转发技术的延迟容忍网络组播路由算法*

针对延迟容忍网络中的组播路由问题,提出了一种基于委托转发技术的组播路由算法。该算法是在详细分析组播路由设计需求的基础上,结合延迟容忍网络中节点移动特性,对委托转发技术中节点属性值和节点对转发标准进行重新设计。其节点属性值是面向组播会话的,节点对转发标准是动态适应网络状态的。仿真结果表明,相比于其他基于复制方式的组播路由算法,该算法具有更好的性能,尤其是在对网络开销的控制方面,因此,更适用于延迟容忍网络。