Security Blog: Pervasive Networks: A Security Nightmare?
August 08, 2006

Pervasive Networks: A Security Nightmare?

If nothing else, the promise of pervasive networks--those ubiquitous systems that integrate computation into our environment via high-speed wireless communication--is exciting. But from a security perspective, they're a nightmare.

Securing pervasive networks requires systems that support adaptive security mechanisms that automatically change in response to events. There are any number of projects that are developing such systems, including Mobius, SERENITY, and BIONETS.

The Mobius project, short for "Mobility, Ubiquity and Security," is using the Proof-Carrying Code (PCC) paradigm, which allows individual components to gain trust by providing verifiable certificates of their trustworthiness--an approach that can complement centralized trust mechanisms that may sometimes be difficult to deploy. PCC also supports system component downloading, which is essential for remote maintenance of network devices.

According to Mobius coordinator Gilles Barthe, "we have identified and modeled the scenarios and security requirements that must be tackled, and defined the core security architecture." He goes on to add that the project "will focus on Java-enabled global computers. This will also allow us to implement our security architecture and evaluate it on case studies from a range of application domains."

Likewise, engineers for the SERENITY project, short for "System Engineering for Security and Dependability," are developing a framework to support the automated integration, configuration, monitoring and adaptation of security and dependability (S&D) in Ambient Intelligence (AmI) ecosystems. All this is achieved by capturing the necessary knowledge about S&D solutions so that they can be selected and applied by automated means.

"The most relevant issue is that the combination of heterogeneity and dynamism will make it impossible for security engineers to foresee all the possible situations that may arise and to create solutions for them," says Antonio Mana, scientific coordinator for the SERENITY project. He adds, however, that "SERENITY does not aim at always providing the most robust security, so it is always 'best effort'. Personally, I like the term 'appropriate security' to describe a level of security that is adapted to the value of the protected element and the possibilities of attack."

Yet security issues in new networks are not about unknown problems. Networks themselves are transforming beyond all recognition. "The general rise of pervasive computing is a challenge to the traditional paradigm," says Daniele Miorandi, scientific coordinator of the BIONETS project, funded under the IST’s Future and Emerging Technologies (FET) initiative. "There are issues of scalability, complexity and heterogeneity. There is no longer any centralised control."

The BIONETS project, on the other hand, takes a biologically-inspired approach based on paradigms from nature and society, for localized autonomic communication services that do not need central control. Such an approach would allow high-level services to evolve spontaneously. Autonomic services are self-configuring, self-healing, self-protecting and self-managing, much like the natural immune system of the human body. While researchers focusing on BIONETS, short for "BIOlogically inspired NETwork and Services," are mainly looking at autonomic services where networks arise so spontaneously that the idea of distinct networks and devices disappears, they are also dealing with security issues from the outset.

"In the past," says Joachim Posegga, co-lead on the BIONETS security work package, "security specialists could work only on already established systems. With dynamic networks there's no fixed infrastructure, the stable part is reduced or disappears, so we need to integrate security into the system from the very beginning." Daniel Schreckling, the second co-lead on the BIONETS security work package, adds that "we want to establish what is the minimum core required to respond to security needs."

The good news is that we're on the way to meeting the goal of mobile/ubiquitous computing--that is, to provide computing and communication services all the time, everywhere, and invisibly to users. The bad news is that there is still a lot of work to do, particularly when it comes to security.


Posted by Jon Erickson at 08:26 AM