Route-based Authorization and Discovery for Personal Data EuroDW - - PowerPoint PPT Presentation



SLIDE 1

Route-based Authorization and Discovery for Personal Data

EuroDW 2017

Yousef Amar

2017-04-23

SLIDE 2

Research Context

The Databox Platform

SLIDE 3

Research Context

The Databox Platform

[Figure: Databox platform architecture diagram. Components: App Store, 3rd Parties, Databox Manager, Sensors & Actuators, Drivers, Export, Arbiter (holding the Permission Records), Apps, Hypercat Catalog, Social Media, IoT Devices, Dashboard, User. Edge labels: Collects, Actuates, Emits, Pushes to, Requests, Points to, Publish to.]

SLIDE 4

Research Context

The Databox Platform

[Figure: Databox platform architecture diagram, as on Slide 3.]

How can we design safe, scalable access control systems with arbitrary restrictions in this context?

SLIDE 5

Implementation

The Route

◮ Triad of target, path, and method
◮ The container as a host
◮ RESTful APIs for all operations
◮ Direct mapping of HTTP methods to CRUD functions
◮ Per-route granular permissions

    {
      "target": "smartphone-store",
      "path": "/accelerometer/ts/latest",
      "method": "POST"
    }

    {
      "target": "smartphone-store",
      "path": "/(sub|unsub)/gps/*",
      "method": "GET"
    }

SLIDE 6

Implementation

Delegated Authorization

◮ Google Research: Macaroons

◮ A standard similar to signed cookies
◮ Can be attenuated by “caveats”
◮ Embedded permissions
◮ Minting and verification can be separated through shared secret keys

    target = smartphone-store
    path = /(sub|unsub)/gps/*
    method = GET
    time < 1489405851417

    target = smartphone-store
    path = /light/ts/range
    method = GET
    startTimestamp >= 1489405234352
    endTimestamp <= 1489405259525

SLIDE 7

Implementation

Resource Discovery

◮ API for describing APIs
◮ Directory servers
◮ Many competing standards
  ◮ Resource Description Framework (RDF)
  ◮ Web Application Description Language (WADL)
  ◮ Web Services Description Language (WSDL)
  ◮ eXtensible Resource Descriptor (XRD)
◮ Subject-predicate-object style prevalent
◮ Different formats and applications: XML for REST, SOAP, OpenID

SLIDE 8

Implementation

Resource Discovery

◮ Hypercat: recently joined BSI Group
◮ IoT-first specification design
◮ JSON/REST over XML/SOAP
◮ Only cataloguing; ontologies and authorisation extensible
◮ Discoverability vs accessibility
◮ Catalogues can be nested, allowing decentralisation and distribution

    {
      "catalogue-metadata": [
        { "rel": "urn:X-hypercat:rels:isContentType",
          "val": "application/vnd.hypercat.catalogue+json" },
        { "rel": "urn:X-hypercat:rels:hasDescription:en",
          "val": "A Databox Store" }
      ],
      "items": [{
        "href": "http://some-store/light",
        "item-metadata": [
          { "rel": "urn:X-hypercat:rels:hasDescription:en", "val": "Light Datasource" },
          { "rel": "urn:X-databox:rels:hasVendor", "val": "Databox Inc." },
          { "rel": "urn:X-databox:rels:isActuator", "val": false }
        ]
      }]
    }
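The nesting and the discoverability/accessibility distinction above, as an added example (not Databox or Hypercat project code). It validates a catalogue document's structure, walks nested catalogues depth-first with a visited set so two catalogues that list each other do not loop, treats a listed catalogue that cannot be fetched as discoverable but not accessible (skipped rather than fatal), and filters leaf items by a rel/val pair. The root catalogue, the second datasource, the back-link and all hrefs are constructed for this example; only the light datasource and its relations come from the slide.

```javascript
// Added example (not Databox or Hypercat code): validating and walking a nested
// Hypercat catalogue offline, then filtering items by rel/val metadata.
// The sample catalogues, their hrefs and the second item are constructed here.
const CATALOGUE_TYPE = 'application/vnd.hypercat.catalogue+json';
const REL_CONTENT_TYPE = 'urn:X-hypercat:rels:isContentType';
const REL_DESCRIPTION = 'urn:X-hypercat:rels:hasDescription:en';
const REL_IS_ACTUATOR = 'urn:X-databox:rels:isActuator';

// Constructed sample: a root catalogue that lists a store catalogue, which in
// turn lists two datasources and links back to the root (a cycle).
const catalogues = {
  'http://databox/cat': {
    'catalogue-metadata': [
      { rel: REL_CONTENT_TYPE, val: CATALOGUE_TYPE },
      { rel: REL_DESCRIPTION, val: 'Root catalogue' },
    ],
    items: [
      { href: 'http://some-store/cat', 'item-metadata': [
        { rel: REL_CONTENT_TYPE, val: CATALOGUE_TYPE },
        { rel: REL_DESCRIPTION, val: 'A Databox Store' } ] },
    ],
  },
  'http://some-store/cat': {
    'catalogue-metadata': [
      { rel: REL_CONTENT_TYPE, val: CATALOGUE_TYPE },
      { rel: REL_DESCRIPTION, val: 'A Databox Store' },
    ],
    items: [
      { href: 'http://some-store/light', 'item-metadata': [
        { rel: REL_DESCRIPTION, val: 'Light Datasource' },
        { rel: 'urn:X-databox:rels:hasVendor', val: 'Databox Inc.' },
        { rel: REL_IS_ACTUATOR, val: false } ] },
      { href: 'http://some-store/bulb', 'item-metadata': [
        { rel: REL_DESCRIPTION, val: 'Light Actuator' },
        { rel: 'urn:X-databox:rels:hasVendor', val: 'Databox Inc.' },
        { rel: REL_IS_ACTUATOR, val: true } ] },
      { href: 'http://databox/cat', 'item-metadata': [
        { rel: REL_CONTENT_TYPE, val: CATALOGUE_TYPE } ] },
    ],
  },
};

// All values of one relation on a metadata array (a rel may repeat).
function vals(metadata, rel) {
  return (metadata || []).filter((m) => m.rel === rel).map((m) => m.val);
}

// Structural checks before trusting a document: catalogue-metadata must declare
// the catalogue content type, and every item needs an href and item-metadata.
function validateCatalogue(cat) {
  if (!cat || typeof cat !== 'object') return ['not an object'];
  const problems = [];
  if (!vals(cat['catalogue-metadata'], REL_CONTENT_TYPE).includes(CATALOGUE_TYPE)) {
    problems.push('catalogue-metadata does not declare ' + CATALOGUE_TYPE);
  }
  (cat.items || []).forEach((item, i) => {
    if (typeof item.href !== 'string') problems.push(`item ${i}: missing href`);
    if (!Array.isArray(item['item-metadata'])) problems.push(`item ${i}: missing item-metadata`);
  });
  return problems;
}

// Depth-first walk over nested catalogues. `fetch` maps an href to a document
// or undefined; the visited set stops cycles. A listed catalogue that cannot be
// fetched or fails validation is discoverable but not accessible, so it is skipped.
function* walk(href, fetch, visited = new Set()) {
  if (visited.has(href)) return;
  visited.add(href);
  const cat = fetch(href);
  if (!cat || validateCatalogue(cat).length) return;
  for (const item of cat.items || []) {
    if (vals(item['item-metadata'], REL_CONTENT_TYPE).includes(CATALOGUE_TYPE)) {
      yield* walk(item.href, fetch, visited);
    } else {
      yield item;
    }
  }
}

// hrefs of every leaf item whose metadata carries `rel` with value `val`.
function findItems(rootHref, fetch, rel, val) {
  return [...walk(rootHref, fetch)]
    .filter((item) => vals(item['item-metadata'], rel).includes(val))
    .map((item) => item.href);
}

const fetchLocal = (href) => catalogues[href]; // offline stand-in for an HTTP GET
console.log(findItems('http://databox/cat', fetchLocal, REL_IS_ACTUATOR, false)); // [ 'http://some-store/light' ]
```

Because the walk only follows items whose metadata declares the Hypercat content type, a datasource item can never be mistaken for a catalogue and fetched; and because a failed fetch is skipped rather than thrown, an app that can see a store in the root catalogue but holds no token for it simply gets no items from it.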

SLIDE 9

Implementation

The Arbiter

[Figure: Databox platform architecture diagram, as on Slide 3, with the Arbiter and its Permission Records highlighted.]

SLIDE 10

Implementation

Transcription of Permissions

  • 1. Drivers/apps come packaged with a manifest
    ◮ Contains image metadata
    ◮ Enumerates granular permissions for sources, concurrency, external access, and hardware
  • 2. Users generate a Service-level Agreement (SLA)
  • 3. The arbiter records granted permissions
  • 4. Tokens are minted based on these

Manifest → SLA → Token

    {
      "name": "app",
      "author": "amar",
      "permissions": [
        { "source": "twitter", "required": true },
        { "source": "gps" },
        {},
        {}
      ]
    }
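Steps 1 to 3 above carried through as an added example (not Databox's own manager or arbiter code): the manifest's requested permissions are turned into an SLA from the user's choices, then into the arbiter's permission records, each of which is the route triad a minted token would carry as caveats. The policy it enforces is what the slide implies: an SLA cannot grant a source the manifest never asked for, a required source cannot be withheld, and a source with no known route is an error rather than an open-ended grant. The source-to-route table, the third manifest entry and the default of `required` being false are assumptions of this example; minting itself is left to the arbiter's shared-key step and is not shown here.

```javascript
// Added example (not Databox code): transcribing the permissions an app's
// manifest requests into a Service-level Agreement the user grants, and into
// the permission records the arbiter keeps, ready to be embedded in a token as
// route caveats. The source-to-route table and the manifest contents are
// assumptions of this example.
const SOURCE_ROUTES = {
  twitter: { target: 'twitter-store', path: '/posts/ts/*', method: 'GET' },
  gps: { target: 'smartphone-store', path: '/gps/ts/*', method: 'GET' },
  light: { target: 'some-store', path: '/light/ts/*', method: 'GET' },
};

// Constructed manifest in the slide's shape; "required" defaults to false.
const manifest = {
  name: 'app',
  author: 'amar',
  permissions: [{ source: 'twitter', required: true }, { source: 'gps' }, { source: 'light' }],
};

// Step 2: the user ticks sources on the dashboard; the SLA is the intersection
// of what was asked for and what was granted. Granting something the manifest
// never requested, or withholding a required source, rejects the SLA. Entries
// without a source (like the slide's placeholder objects) grant nothing.
function buildSla(manifest, grantedSources) {
  const permissions = (manifest.permissions || []).filter((p) => typeof p.source === 'string');
  const requested = new Set(permissions.map((p) => p.source));
  const unknown = grantedSources.filter((s) => !requested.has(s));
  if (unknown.length) throw new Error(`SLA grants sources not in manifest: ${unknown.join(', ')}`);
  const missing = permissions
    .filter((p) => p.required === true && !grantedSources.includes(p.source))
    .map((p) => p.source);
  if (missing.length) throw new Error(`required permissions not granted: ${missing.join(', ')}`);
  return { app: manifest.name, granted: [...new Set(grantedSources)] };
}

// Step 3: the arbiter records one route triad per granted source. A source with
// no known route is an error rather than an open-ended grant.
function recordPermissions(sla, routes = SOURCE_ROUTES) {
  return sla.granted.map((source) => {
    const route = routes[source];
    if (!route) throw new Error(`no route known for source ${source}`);
    return { app: sla.app, source, ...route };
  });
}

// Step 4 input: the first-party caveats a minted token would carry for one record.
function routeCaveats(record) {
  return [`target = ${record.target}`, `path = ${record.path}`, `method = ${record.method}`];
}

const sla = buildSla(manifest, ['twitter', 'gps']); // the user declined "light"
const records = recordPermissions(sla);
console.log(records.map(routeCaveats));
```

Keeping the route table on the arbiter's side, rather than letting the manifest name targets and paths directly, means an app can only ever ask for a source by name and receives exactly the route the platform associates with it.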

SLIDE 11

Evaluation

Scalability

[Figure: Inserts/s over Stores under Maximum Load. Axes: Stores (x) and Inserts/s (y).]

SLIDE 12

Evaluation

Scalability

[Figure: Stores Launched over Time. Axes: Time (s) and Stores Launched; legend "Experiment": With Arbiter Registration, Without Arbiter Registration.]

SLIDE 13

Next Steps

◮ Arbiter token minting under load evaluation
◮ Performance vs security when modifying token expiry
◮ Many areas to research, e.g. watermarking
◮ Many example apps and drivers, with multipurpose datavis and transformation

SLIDE 14

Thank you for your attention!

Questions?

More info: http://www.databoxproject.uk/
Contribute: https://github.com/me-box