Research Interests

Gray Girling

Location Information Security

In recent years a number of sources of location information have become available, with different geographical scopes (from room-wide to global) and different precisions.  Examples include: This is providing an opportunity for a wide variety of location-using services, which will be facilitated by networked location services.  Location, however, can be a personal attribute for which individuals may wish an element of confidentiality.  

This "element of confidentiality" constitutes a new type of security service: it is not simply that an individual wishes their location to be unavailable (they may well wish to take advantage of location-using services) but that they may also wish the information to be provided only at a limited geographical and temporal granularity.  This security service amounts to the qualitative control, on a consumer-by-consumer basis, of the information it protects: a kind of cross between access control and confidentiality, which might be called "accessible quality control".

Different location information generating mechanisms present different levels of vulnerability with respect to this security service.  For example: location information is normally derived within a GPS sensing node from the environment, so its operation presents no real vulnerability; however, the "Bat" system operates using locally generated radio signals that those nearby could identify, so its operation does present a local threat to an accessible quality control service.  In each mechanism there are potentially a number of threats that must each be countered.  For example, Jackson's Thesis addresses the mechanisms suitable for protecting the "Bat" system.

Once (properly protected) location information becomes available on a network, the question of animating the accessible quality control policies that individuals specify becomes relevant.  This animation will involve mechanisms that control the information provided to identified recipients. Appropriate security mechanisms need to be provided simply to prevent the service's existence implicitly "giving away" more location information than policies allow.  Further complexity is required to address the possibility of collusion between information recipients.  It is likely that not all combinations of individual policies can be supported by the location service, so a means to specify, manipulate and identify contradictions in accessible quality control policies is necessary.  Many of these topics are to be addressed in Beresford's forthcoming thesis.
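As an added illustration (not code from this page nor from the Jackson or Beresford work), the following toy Python model shows what an accessible quality control policy could look like in practice: a per-consumer spatial and temporal granularity, a release function whose reply does not reveal whether a rule exists, a combination of two policies that resolves conflicts toward the coarser rule, a contradiction check, and a measure of how much two colluding recipients learn by intersecting the cells they were each given. The Rule and Fix types, the local planar metre grid and the sample values are all assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Illustrative model (not from the page): each consumer gets one rule naming the
# spatial cell (metres) and time window (seconds) it may see; 0 in either denies.
@dataclass(frozen=True)
class Rule:
    cell_m: float
    window_s: int

@dataclass(frozen=True)
class Fix:
    x_m: float   # eastings in metres on an assumed local planar grid
    y_m: float   # northings in metres
    t_s: int     # Unix time in seconds

DENY = Rule(0, 0)

def denies(r: Rule) -> bool:
    return r.cell_m <= 0 or r.window_s <= 0

def coarsen(fix: Fix, rule: Rule) -> Optional[Fix]:
    """Snap a fix to the consumer's cell and time window, or withhold it."""
    if denies(rule):
        return None
    c, w = rule.cell_m, rule.window_s
    return Fix((fix.x_m // c) * c, (fix.y_m // c) * c, (fix.t_s // w) * w)

def release(policy: Dict[str, Rule], consumer: str, fix: Fix) -> Optional[Fix]:
    """Answer one consumer; an unlisted consumer looks exactly like a denied one."""
    return coarsen(fix, policy.get(consumer, DENY))

def coarser(a: Rule, b: Rule) -> Rule:
    """The more protective of two rules: any denial wins, else the larger granule."""
    if denies(a) or denies(b):
        return DENY
    return Rule(max(a.cell_m, b.cell_m), max(a.window_s, b.window_s))

def combine(a: Dict[str, Rule], b: Dict[str, Rule]) -> Dict[str, Rule]:
    """Merge two policies; a consumer named in both gets the coarser rule."""
    merged = dict(a)
    for consumer, rule in b.items():
        merged[consumer] = coarser(merged[consumer], rule) if consumer in merged else rule
    return merged

def contradictions(a: Dict[str, Rule], b: Dict[str, Rule]) -> list:
    """Consumers on which the policies flatly disagree: one grants, one denies."""
    return sorted(k for k in a.keys() & b.keys() if denies(a[k]) != denies(b[k]))

def colluded_x_extent(views) -> Optional[float]:
    """Width along x that colluding consumers pin down by intersecting their cells."""
    spans = [(f.x_m, f.x_m + r.cell_m) for f, r in views if f is not None]
    return min(h for _, h in spans) - max(l for l, _ in spans) if spans else None
```

Note that two consumers given differently sized, unaligned cells can intersect them to learn a finer position than either was granted, which is the collusion problem the paragraph above raises.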

Having directed Jackson and Beresford's research I would very much like to take this area forward.

Quiver - Intermediate language between Policy and Mechanism

Policies (in a broad sense of the word) identify the circumstances in which some quality of something should be available (for example, whether it is accessible in an access control policy, or what state it should be in the case of a home control policy).  In addition to being able to describe such rules, a policy specification might also have to describe the interaction between different (e.g. conflicting or hierarchically related) rules.  

A language that supports such policy specification might ideally also support the manipulation of separate policies - for example to generate a new policy representing the combination of two others (with some relevant treatment of conflicts).  In practice, the ability to transfer such specifications across a network for this kind of manipulation, or for its animation, would go some way towards providing the basis of a distributed control system.

"Quiver" was one simple example of such a language, developed at AT&T research.  It was produced for the control of very simple mobile sensors and actuators, ubiquitously embedded in an environment (e.g. in the home).  In addition to the ability to specify, manipulate and transfer policies, the language was also sufficient to drive the local mechanisms through which the requirements of policies could be made manifest (for example, turning on a fan, or, potentially, updating a local accessible quality entry).

That language was designed for a particular (low power) environment and may not be as feature rich as would be appropriate in other circumstances.  Also, a number of lessons have been learnt that might find an audience in a different implementation.

Conceptually the position of such languages is similar to that of the page definition language, Postscript.  Real users do not use Postscript directly to express their requirements: they use a variety of front-ends that machine-generate Postscript (which, in many cases, is on the face of it "too powerful" for the original task).  Postscript is then used to represent the user's requirements in such a way that they can be realized on a variety of different (page rendering) mechanisms.  On a given printer there may be additional Postscript that helps fill the abstraction gap between the page model assumed and the actual device used.  Languages such as Quiver fulfil a similar function with respect to the specification of policies.

Having specified and implemented Quiver I would welcome the chance to develop a similar language optimized for policy representation and manipulation and investigate its relationship with domain specific de facto policy representations (e.g. the XML Access Control Language XACL).