953 results for biometrics (access control)


Relevance:

100.00% 100.00%

Publisher:

Abstract:

Collaborative sharing of information is becoming a much more needed technique to achieve complex goals in today's fast-paced tech-dominant world. The Personal Health Record (PHR) system has become a popular research area for sharing patients' information very quickly among health professionals. PHR systems store and process sensitive information, which should have proper security mechanisms to protect patients' private data. Thus, access control mechanisms of the PHR should be well-defined. Secondly, PHRs should be stored in encrypted form. Cryptographic schemes offering a more suitable solution for enforcing access policies based on user attributes are needed for this purpose. Attribute-based encryption can resolve these problems; we propose a patient-centric framework that protects PHRs against untrusted service providers and malicious users. In this framework, we have used the Ciphertext Policy Attribute Based Encryption scheme as an efficient cryptographic technique, enhancing security and privacy of the system, as well as enabling access revocation. Patients can encrypt their PHRs and store them on untrusted storage servers. They also maintain full control over access to their PHR data by assigning attribute-based access control to selected data users, and revoking unauthorized users instantly. In order to evaluate our system, we implemented a CP-ABE library and web services as part of our framework. We also developed an Android application based on the framework that allows users to register into the system, encrypt their PHR data and upload it to the server, and at the same time authorized users can download PHR data and decrypt it. Finally, we present experimental results and performance analysis. It shows that the deployment of the proposed system would be practical and can be applied into practice.

Relevance:

100.00% 100.00%

Publisher:

Abstract:

In order to address the increasing compromise of user privacy on mobile devices, a Fuzzy Logic based implicit authentication scheme is proposed in this paper. The proposed scheme computes an aggregate score based on selected features and a threshold in real-time based on current and historic data depicting user routine. The tuned fuzzy system is then applied to the aggregated score and the threshold to determine the trust level of the current user. The proposed fuzzy-integrated implicit authentication scheme is designed to: operate adaptively and completely in the background, require a minimal training period, and enable high system accuracy while providing timely detection of abnormal activity. In this paper, we explore Fuzzy Logic based authentication in depth. Gaussian and triangle-based membership functions are investigated and compared using real data over several weeks from different Android phone users. The presented results show that our proposed Fuzzy Logic approach is a highly effective and viable scheme for lightweight real-time implicit authentication on mobile devices.

Relevance:

100.00% 100.00%

Publisher:

Abstract:

In database applications, access control security layers are mostly developed from tools provided by vendors of database management systems and deployed in the same servers containing the data to be protected. This solution conveys several drawbacks. Among them we emphasize: 1) if policies are complex, their enforcement can lead to performance decay of database servers; 2) when modifications in the established policies imply modifications in the business logic (usually deployed at the client-side), there is no other possibility than to modify the business logic in advance and, finally, 3) malicious users can issue CRUD expressions systematically against the DBMS expecting to identify any security gap. In order to overcome these drawbacks, in this paper we propose an access control stack characterized by: most of the mechanisms are deployed at the client-side; whenever security policies evolve, the security mechanisms are automatically updated at runtime and, finally, client-side applications do not handle CRUD expressions directly. We also present an implementation of the proposed stack to prove its feasibility. This paper presents a new approach to enforce access control in database applications, this way expecting to contribute positively to the state of the art in the field.

Relevance:

100.00% 100.00%

Publisher:

Abstract:

In database applications, access control security layers are mostly developed from tools provided by vendors of database management systems and deployed in the same servers containing the data to be protected. This solution conveys several drawbacks. Among them we emphasize: (1) if policies are complex, their enforcement can lead to performance decay of database servers; (2) when modifications in the established policies imply modifications in the business logic (usually deployed at the client-side), there is no other possibility than to modify the business logic in advance and, finally, (3) malicious users can issue CRUD expressions systematically against the DBMS expecting to identify any security gap. In order to overcome these drawbacks, in this paper we propose an access control stack characterized by: most of the mechanisms are deployed at the client-side; whenever security policies evolve, the security mechanisms are automatically updated at runtime and, finally, client-side applications do not handle CRUD expressions directly. We also present an implementation of the proposed stack to prove its feasibility. This paper presents a new approach to enforce access control in database applications, this way expecting to contribute positively to the state of the art in the field.

Relevance:

90.00% 90.00%

Publisher:

Abstract:

Master's in Electrical and Computer Engineering

Relevance:

90.00% 90.00%

Publisher:

Abstract:

Due to the large amount of data available on the Internet, one of the greatest challenges in the virtual world is recommending information to its users. On the other hand, this large amount of data can be useful for improving recommendations if it is annotated and interlinked by provenance data. This work addresses the recommendation of (changes to) access permissions on resources to their owner, rather than the recommendation of the resource itself to a potential consumer/reader. To allow the recommendation of access to a given resource, regardless of the domain where it is hosted, it is essential to use distributed access control systems, resource tracking mechanisms and domain-independent recommendation. Therefore, the main objective of this thesis is to use tracking information about actions performed on resources (i.e. information that relates resources and users across the Web regardless of the network domain) and use it to enable the recommendation of access privileges to those resources by other users.
During the development of the thesis, the following contributions resulted: An analysis of the state of the art in recommendation and in recommender systems potentially usable for recommending privileges (section 2.3); An analysis of the state of the art in tracking mechanisms and information provenance (section 2.2); The proposal of a domain-independent access privilege recommendation system and its integration into the previously proposed access control system (section 3.1); The survey, analysis and specification of the information relating to access privileges, to be used in the recommendation system (section 2.1); The specification of the information resulting from action tracking, to be used in recommending access privileges (section 4.1.1); The specification of the feedback information resulting from the access recommendation system and its reuse in the recommendation system (section 4.1.3); The specification, implementation and integration of the access privilege recommendation system into the existing platform (section 4.2 and section 4.3); Evaluation experiments on the privilege recommendation system, as well as the analysis of the results obtained (section 5).

Relevance:

90.00% 90.00%

Publisher:

Abstract:

The availability of small inexpensive sensor elements enables the employment of large wired or wireless sensor networks for feeding control systems. Unfortunately, the need to transmit a large number of sensor measurements over a network negatively affects the timing parameters of the control loop. This paper presents a solution to this problem by representing sensor measurements with an approximate representation, an interpolation of sensor measurements as a function of space coordinates. A priority-based medium access control (MAC) protocol is used to select the sensor messages with high information content. Thus, the information from a large number of sensor measurements is conveyed within a few messages. This approach greatly reduces the time for obtaining a snapshot of the environment state and therefore supports the real-time requirements of feedback control loops.

Relevance:

90.00% 90.00%

Publisher:

Abstract:

In this paper, we address the problem of sharing a wireless channel among a set of sporadic message streams where a message stream issues transmission requests with real-time deadlines. We propose a collision-free wireless medium access control (MAC) protocol which implements static-priority scheduling, supports a large number of priority levels and is fully distributed. It is an adaptation to a wireless channel of the dominance protocol used in the CAN bus. But, unlike that protocol, our protocol does not require a node having the ability to receive an incoming bit from the channel while transmitting to the channel. The evaluation of the protocol with real embedded computing platforms is presented to show that the proposed protocol is in fact collision-free and prioritized. We measure the response times of our implementation and show that the response-time analysis developed for the protocol offers an upper bound on the response times.

Relevance:

90.00% 90.00%

Publisher:

Abstract:

Consider a wireless network where links may be unidirectional, that is, a computer node A can broadcast a message and computer node B will receive this message but if B broadcasts then A will not receive it. Assume that messages have deadlines. We propose a medium access control (MAC) protocol which replicates a message in time with carefully selected pauses between replicas, and in this way it guarantees that for every message at least one replica of that message is transmitted without collision. The protocol ensures this with no knowledge of the network topology and it requires neither synchronized clocks nor carrier sensing capabilities. We believe this result is significant because it is the only MAC protocol that offers an upper bound on the message queuing delay for unidirectional links without relying on synchronized clocks.

Relevance:

90.00% 90.00%

Publisher:

Abstract:

We discuss the development of a simple globally prioritized multi-channel medium access control (MAC) protocol for wireless networks. This protocol provides “hard” pre-run-time real-time guarantees to sporadic message streams, exploits a very large fraction of the capacity of all channels for “hard” real-time traffic and also makes it possible to fully utilize the channels with non real-time traffic when hard real-time messages do not request to be transmitted. The potential of such protocols for real-time applications is discussed and a schedulability analysis is also presented.

Relevance:

90.00% 90.00%

Publisher:

Abstract:

Consider the problem of scheduling sporadic message transmission requests with deadlines. For wired channels, this has been achieved successfully using the CAN bus. For wireless channels, researchers have recently proposed a similar solution; a collision-free medium access control (MAC) protocol that implements static-priority scheduling. Unfortunately no implementation has been reported yet. We implement and evaluate it to find that the implementation indeed is collision-free and prioritized. This allows us to develop schedulability analysis for the implementation. We measure the response times of messages in our implementation and find that our new response-time analysis indeed offers an upper bound on the response times. This enables a new class of wireless real-time systems with timeliness guarantees for sporadic messages and it opens up a new research area: schedulability analysis for wireless networks.

Relevance:

90.00% 90.00%

Publisher:

Abstract:

Consider the problem of sharing a wireless channel between a set of computer nodes. Hidden nodes exist and there is no base station. Each computer node hosts a set of sporadic message streams where a message stream releases messages with real-time deadlines. We propose a collision-free wireless medium access control (MAC) protocol which implements static-priority scheduling. The MAC protocol allows multiple masters and is fully distributed. It neither relies on synchronized clocks nor out-of-band signaling; it is an adaptation to a wireless channel of the dominance protocol used in the CAN bus. But unlike that protocol, our protocol does not require a node having the ability to receive an incoming bit from the channel while transmitting to the channel. Our protocol has the key feature of not only being prioritized and collision-free but also dealing successfully with hidden nodes. This key feature enables schedulability analysis of sporadic message streams in multihop networks.

Relevance:

90.00% 90.00%

Publisher:

Abstract:

Dissertation submitted for the degree of Doctor in Electrical and Computer Engineering

Relevance:

90.00% 90.00%

Publisher:

Abstract:

This project develops a space management and access control application for the Edifici d’Estudiants-ETC of the Universitat Autònoma de Barcelona. This building offers services to the university community and has a very diverse set of spaces and equipment: offices, meeting rooms, rehearsal rooms, a computer room, a cinema and a theatre. The users of these facilities are the building's own staff, students attending courses and workshops, students who benefit from one of its services, and student groups. The management and allocation of these spaces, as well as access control, are carried out manually by ETC staff at the building's reception (called the Punt de Serveis). The application developed implements the existing processes, such as space management and booking, the key inventory and access control to the rooms. It also introduces new processes and functionality, such as the management, booking and lending of equipment owned by the building.