SAFE: A Declarative Trust-Agile System with Linked Credentials

Secure Access For Everyone (SAFE), is an integrated system for managing trust

using a logic-based declarative language. Logical trust systems authorize each

request by constructing a proof from a context---a set of authenticated logic

statements representing credentials and policies issued by various principals

in a networked system. A key barrier to practical use of logical trust systems

is the problem of managing proof contexts: identifying, validating, and

assembling the credentials and policies that are relevant to each trust

decision.

SAFE addresses this challenge by (i) proposing a distributed authenticated data

repository for storing the credentials and policies; (ii) introducing a

programmable credential discovery and assembly layer that generates the

appropriate tailored context for a given request. The authenticated data

repository is built upon a scalable key-value store with its contents named by

secure identifiers and certified by the issuing principal. The SAFE language

provides scripting primitives to generate and organize logic sets representing

credentials and policies, materialize the logic sets as certificates, and link

them to reflect delegation patterns in the application. The authorizer fetches

the logic sets on demand, then validates and caches them locally for further

use. Upon each request, the authorizer constructs the tailored proof context

and provides it to the SAFE inference for certified validation.

Delegation-driven credential linking with certified data distribution provides

flexible and dynamic policy control enabling security and trust infrastructure

to be agile, while addressing the perennial problems related to today's

certificate infrastructure: automated credential discovery, scalable

revocation, and issuing credentials without relying on centralized authority.

We envision SAFE as a new foundation for building secure network systems. We

used SAFE to build secure services based on case studies drawn from practice:

(i) a secure name service resolver similar to DNS that resolves a name across

multi-domain federated systems; (ii) a secure proxy shim to delegate access

control decisions in a key-value store; (iii) an authorization module for a

networked infrastructure-as-a-service system with a federated trust structure

(NSF GENI initiative); and (iv) a secure cooperative data analytics service

that adheres to individual secrecy constraints while disclosing the data. We

present empirical evaluation based on these case studies and demonstrate that

SAFE supports a wide range of applications with low overhead.

Fluid flow control with transformation media.

We introduce a new concept for the manipulation of fluid flow around three-dimensional bodies. Inspired by transformation optics, the concept is based on a mathematical idea of coordinate transformations and physically implemented with anisotropic porous media permeable to the flow of fluids. In two situations-for an impermeable object placed either in a free-flowing fluid or in a fluid-filled porous medium-we show that the object can be coated with an inhomogeneous, anisotropic permeable medium, such as to preserve the flow that would have existed in the absence of the object. The proposed fluid flow cloak eliminates downstream wake and compensates viscous drag, hinting at the possibility of novel propulsion techniques.

Using decision analysis to improve malaria control policy making.

Malaria and other vector-borne diseases represent a significant and growing burden in many tropical countries. Successfully addressing these threats will require policies that expand access to and use of existing control methods, such as insecticide-treated bed nets (ITNs) and artemesinin combination therapies (ACTs) for malaria, while weighing the costs and benefits of alternative approaches over time. This paper argues that decision analysis provides a valuable framework for formulating such policies and combating the emergence and re-emergence of malaria and other diseases. We outline five challenges that policy makers and practitioners face in the struggle against malaria, and demonstrate how decision analysis can help to address and overcome these challenges. A prototype decision analysis framework for malaria control in Tanzania is presented, highlighting the key components that a decision support tool should include. Developing and applying such a framework can promote stronger and more effective linkages between research and policy, ultimately helping to reduce the burden of malaria and other vector-borne diseases.

The Emergence of Access Controls in Small-Scale Fishing Commons: A Comparative Analysis of Individual Licenses and Common Property-Rights in Two Mexican Communities

Addressing global fisheries overexploitation requires better understanding of how small-scale fishing communities in developing countries limit access to fishing grounds. We analyze the performance of a system based on individual licenses and a common property-rights regime in their ability to generate incentives for self-governance and conservation of fishery resources. Using a qualitative before-after-control-impact approach, we compare two neighbouring fishing communities in the Gulf of California, Mexico. Both were initially governed by the same permit system, are situated in the same ecosystem, use similar harvesting technology, and have overharvested similar species. One community changed to a common property-right regime, enabling the emergence of access controls and avoiding overexploitation of benthic resources, while the other community, still relies on the permit system. We discuss the roles played by power, institutions, socio-historic, and biophysical factors to develop access controls. © 2012 The Author(s).

Opportunistic Control Over Shared Wireless Channels

© 2015 IEEE.We consider a wireless control architecture with multiple control loops over a shared wireless medium. A scheduler observes the random channel conditions that each control system experiences over the shared medium and opportunistically selects systems to transmit at a set of non-overlapping frequencies. The transmit power of each system also adapts to channel conditions and determines the probability of successfully receiving and closing the loop. We formulate the optimal design of channel-aware scheduling and power allocation that minimize the total power consumption while meeting control performance requirements for all systems. In particular, it is required that for each control system a given Lyapunov function decreases at a specified rate in expectation over the random channel conditions. We develop an offline algorithm to find the optimal communication design, as well as an online protocol which selects scheduling and power variables based on a random observed channel sequence and converges almost surely to the optimal operating point. Simulations illustrate the power savings of our approach compared to other non-channel-aware schemes.