<!DOCTYPE article PUBLIC "-//NLM//DTD JATS (Z39.96) Journal Archiving and Interchange DTD v1.0 20120330//EN" "JATS-archivearticle1.dtd">
<article xmlns:xlink="http://www.w3.org/1999/xlink">
  <front>
    <journal-meta />
    <article-meta>
      <title-group>
        <article-title>Containment: from Context Awareness to Contextual Effects Awareness</article-title>
      </title-group>
      <contrib-group>
        <aff id="aff0">
          <label>0</label>
          <institution>Boris Dragovic and Jon Crowcroft, the Computer Laboratory, University of Cambridge</institution>
          ,
          <country country="UK">UK</country>
        </aff>
      </contrib-group>
      <abstract>
        <p>Context plays a key role, as recognized by a wide body of research, in application and entity adaptation in the ubiquitous computing world, which is characterized by extensive platform heterogeneity and by environment dynamicity and unpredictability. Implicit in the notion of context, as used by context-aware applications, are the actual effects, including constraints, that context has on target entities. We believe that making a step further from explicit reasoning about context to explicit reasoning about its implicit effects will facilitate more effective and flexible adaptation. In this work we present an approach to modeling the world based on the natural notions of container and containment and show how it enables explicit reasoning about and acting upon context-implied effects on target entities, data objects in particular. We also outline a practical use of the model through its application in a system for autonomic context-aware information security and privacy protection.</p>
      </abstract>
    </article-meta>
  </front>
  <body>
    <sec id="sec-1">
      <title>-</title>
      <p>Irrespective of the particular definition or categorization of context, the very notion of context as used in context-aware computing has two fundamental aspects: a particular set of entities affected by a context and a set of contextual effects of interest. Both are application-specific. The mapping from a context description to the set of contextual effects affecting an entity is often implicit in application design or policy specification, e.g.: a set of constraints imposed by a device's rendering capabilities on the presentation of a document; a set of options available in activity-aware decision support applications; a set of security and privacy threats present for an entity in its environment.</p>
      <p>
        In this paper we neither offer a novel definition of context nor propose a context categorization approach. What we are interested in is modeling, reasoning about and controlling the effects that contextual states imply for target entities. The advent of ubiquitous and pervasive computing has necessitated a move away from static security policies to more dynamic models [
        <xref ref-type="bibr" rid="ref17">17</xref>
        ] supporting explicit reasoning about context. In analogy, with the push towards autonomic computing [
        <xref ref-type="bibr" rid="ref15">15</xref>
        ], the ability to analyze contextual effects explicitly and in a dynamic fashion is required. Establishing dependencies between contextual effects of interest and environment reconfigurations is one of the fundamental steps towards this goal. It facilitates control over contextual effects through a more flexible, effective and autonomic means of adaptation. As the basis of our approach we offer the container paradigm as a foundation for structuring the world, Section 2, and show how it may be used to achieve the above goals. We also design the model in an information-centric way, i.e. we structure the model so that it facilitates reasoning about the contextual effects affecting the information existing in a ubiquitous setting through its representation in the form of data objects. To further support the proposed model we present, in Section 3, an application in the area of ubiquitous computing security that uses the model to provide autonomic context-adaptive information security and privacy protection.
      </p>
    </sec>
    <sec id="sec-3">
      <title>Containers and Containment: the World Modeling</title>
      <sec id="sec-3-1">
        <title>Container: The Definition</title>
        <p>We define a container to be a physical or virtual enclosure, a bounded region with a distinctive interior, boundary and exterior, in which another container, or ultimately a piece of information, may exist.</p>
        <sec id="sec-3-1-1">
          <title>Container Classification</title>
          <p>Containers are classified into a container class hierarchy based on their characteristics and primary functionality. Container characteristics are inherited down the hierarchy, going from abstract towards more specialized classes. An example classification is depicted in Figure 1. At the top level, we define the classes directly inheriting from the container as physical, intermediate and virtual containers, while the lower levels are application-specific. Physical containers exist in the physical world, i.e. they are three-dimensional objects such as a room or a space within a secure perimeter. Virtual containers, on the other hand, exist solely in the virtual, digital, realm, such as a GUI window, a file system, a file, a TCP packet or an IPSEC/SSL tunnel. Intermediate containers represent a bridge between the physical and the virtual realms by being physical objects, or a composition (in the UML sense) of physical objects, but containing only virtual entities. Examples of intermediate containers are a mobile phone, a laptop, a storage device, a display, a communications link, etc. Classification granularity impacts the physical and intermediate class boundaries.</p>
          <p>We define a containable relationship to denote, for each container class, which container classes may fit, i.e. be contained, within it. For example, a file system may contain a file, a communications link may contain a TCP packet or an IPSEC tunnel, etc. In the general case, physical containers may contain further physical or intermediate containers, based on their physical characteristics, namely size/volume; intermediate containers may contain intermediate or virtual containers; while virtual containers may contain only containers of the same class.</p>
          <p>We define the data object class as an atomic class in that it denotes pure information content and may not contain any other container classes. The notion of a data object is different from the traditional notion of a file and represents a collection of information indivisible according to some criteria, e.g. a security classification. A file, being a virtual container, may contain one or more data objects, e.g. a document containing distinct paragraphs of text, pictures and tables.</p>
        </sec>
        <sec id="sec-3-1-2">
          <title>Context and Container: The Transparency</title>
          <p>Inherent to the notion of container is its boundary, either physical or virtual. With respect to the container boundary we can divide context into internal and external. To influence the internal context, effects implied by the external context have to cross the container boundary. For example, if it is daylight and a room has an outside window then there is going to be daylight in the room as well; or if a person has physical access to a mobile device and the device is not tamper resistant then physical access to the stored information is implicit.</p>
          <p>[Figure 1: example container class hierarchy. Recoverable labels: abstract Physical Space (e.g. Room); abstract Intermediate (e.g. 17" LCD, Input Dev, Keyboard, Comms Channel); abstract Virtual (e.g. AES File, Data Object).]</p>
          <p>Container transparency denotes the filtering characteristics that a container's boundary poses for different types of contextual effects crossing it. With respect to a specific contextual effect a container's boundary may be: opaque, in which case the effect does not cross the boundary and thus has no influence on the container's internal context; fully transparent, when the boundary poses no barrier for the effect; and partially transparent, when the boundary has a qualitative impact on the effect. Apart from being a function of the container's class and the contextual effect type, transparency is affected by the internal state of a container, e.g. the level to which the glass in a window is dimmed impacts the amount and the spectrum of daylight that enters the room, while the level of tamper resistance of a device determines the skill, determination and knowledge required to access the data stored within.</p>
        </sec>
      </sec>
      <sec id="sec-3-2">
        <title>Containment: the Model of the World</title>
        <p>
          We model the world, in graph-theoretic terms, as finite-path-length, finite-degree rooted trees in which nodes represent containers and directed edges represent containment. We call these trees Containment Trees. The finiteness of a containment tree is guaranteed by the bounding characteristics of containers in conjunction with the existence of the minimum granularity container, the data object. Containers of class data object are always leaf nodes of a tree. The notion of the Containment Tree is similar to the notion of Information Tree in [
          <xref ref-type="bibr" rid="ref6">6</xref>
          ]. When we refer to containment with respect to a particular container we assume the sequence of containers from the containment tree root to the container.
        </p>
        <sec id="sec-3-2-1">
          <title>Containment Expressions</title>
          <p>
            Containment Expressions represent the syntax of Containment Trees and draw from Cardelli's work on Ambient Calculus [
            <xref ref-type="bibr" rid="ref6">6</xref>
            ]. To present the syntax of containment expressions we break them down into atomic expressions and provide a graphical representation of the matching containment tree fragment. We also use the following conventions in any further reference to the expressions: lower-case Greek letters, e.g. α, are used to denote a particular container's class without any of its contents; capital letters from the standard English alphabet, e.g. P, are used to represent individual containment trees.
          </p>
          <p>To start, absence of contents at any level is represented simply by 0. At the top level, on its own, 0 represents an empty world.</p>
          <p>A tree with only a root node labeled α is written as the expression α.</p>
          <p>A tree with a root node labeled α leading to a subtree represented by P is written as the expression α[P].</p>
          <p>A forest consisting of two trees P and Q is written as the expression P|Q.</p>
          <p>Multiple instances of the same tree P are written as the expression !P.</p>
          <p>A tree obtained by joining two trees P and Q at the root is written as the expression α[P|Q].</p>
        </sec>
        <sec id="sec-3-2-2">
          <title>State of the World</title>
          <p>Using the containment syntax, the state of the world at any point in time can be represented by the following productions (alternatives are separated by commas; | within an alternative denotes a forest):
world ::= world|world, pspace, intermediate
pspace ::= pspace|pspace, pspace[pspace], pspace[intermediate], 0
intermediate ::= intermediate|intermediate, intermediate[intermediate], intermediate[virtual], 0
virtual ::= virtual|virtual, virtual[virtual], 0
where pspace, intermediate and virtual represent instances of the container classes physical, intermediate and virtual container, or of any inheriting classes, respectively. The containable relationship needs to be obeyed at each level in a containment tree for it to be well-structured.</p>
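          <p>The containment expressions of Section 2.2.1 and the state-of-the-world productions above can be checked mechanically. The following Python is an added example, not code from the paper: it parses the expression forms 0, α, α[P], P|Q and !P (class labels written as identifiers instead of Greek letters) and verifies that every edge of the resulting containment trees obeys the containable relationship of Section 2.1.1. The class names and their assignment to the physical, intermediate and virtual classes are constructed for illustration.</p>
          <preformat><![CDATA[
```python
"""Parser and well-structuredness checker for containment expressions.

Added example, not the paper's code. Class names, their realm assignment and
the parsed expressions are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import List

# Constructed container classes mapped to the three top-level classes of
# Section 2.1.1; the data object is an atomic virtual class.
REALM = {
    "room": "physical", "perimeter": "physical",
    "pda": "intermediate", "hard_drive": "intermediate", "display": "intermediate",
    "file_system": "virtual", "encrypted_file": "virtual",
    "gui_window": "virtual", "data_object": "virtual",
}
# Containable relationship of Section 2.1.1, by top-level class.
CONTAINABLE = {
    "physical": {"physical", "intermediate"},
    "intermediate": {"intermediate", "virtual"},
    "virtual": {"virtual"},
}


@dataclass
class Tree:
    cls: str                                   # container class (the paper's alpha)
    children: List["Tree"] = field(default_factory=list)
    replicated: bool = False                   # True for !P

    def expr(self) -> str:
        """Render the tree back into containment-expression syntax."""
        body = self.cls
        if self.children:
            body += "[" + "|".join(c.expr() for c in self.children) + "]"
        return "!" + body if self.replicated else body


class Parser:
    """Recursive descent over: 0, alpha, alpha[P], P|Q, !P"""

    def __init__(self, text: str):
        self.s = text.replace(" ", "")
        self.i = 0

    def peek(self) -> str:
        return self.s[self.i] if self.i != len(self.s) else ""

    def forest(self) -> List[Tree]:
        """P|Q|...: a list of trees; 0 contributes no tree."""
        trees = self.tree()
        while self.peek() == "|":
            self.i += 1
            trees += self.tree()
        return trees

    def tree(self) -> List[Tree]:
        if self.peek() == "0":                 # absence of contents
            self.i += 1
            return []
        if self.peek() == "!":                 # replication marker
            self.i += 1
            trees = self.tree()
            for t in trees:
                t.replicated = True
            return trees
        node = Tree(self.ident())
        if self.peek() == "[":                 # alpha[forest]
            self.i += 1
            node.children = self.forest()
            if self.peek() != "]":
                raise ValueError(f"expected ']' at offset {self.i}")
            self.i += 1
        return [node]

    def ident(self) -> str:
        start = self.i
        while self.peek().isalnum() or self.peek() == "_":
            self.i += 1
        if start == self.i:
            raise ValueError(f"expected a container class at offset {self.i}")
        return self.s[start:self.i]


def parse(text: str) -> List[Tree]:
    """Parse a complete expression into a forest; trailing input is an error."""
    p = Parser(text)
    forest = p.forest()
    if p.i != len(p.s):
        raise ValueError(f"unexpected {p.s[p.i]!r} at offset {p.i}")
    return forest


def violations(forest: List[Tree]) -> List[str]:
    """Edges that break the containable relationship or nest inside a data object."""
    found: List[str] = []

    def walk(parent: Tree) -> None:
        for child in parent.children:
            if parent.cls == "data_object":
                found.append(f"data_object is atomic but contains {child.cls}")
            elif REALM[child.cls] not in CONTAINABLE[REALM[parent.cls]]:
                found.append(f"{parent.cls} ({REALM[parent.cls]}) may not contain "
                             f"{child.cls} ({REALM[child.cls]})")
            walk(child)

    for tree in forest:
        walk(tree)
    return found


if __name__ == "__main__":
    world = parse("room[pda[hard_drive[encrypted_file[data_object]]|display[gui_window]]|!perimeter]")
    print([t.expr() for t in world], violations(world))
    print(violations(parse("pda[room]|data_object[gui_window]")))
```
]]></preformat>
          <p>Run as a script, the first expression parses to a single well-structured tree and prints no violations; the second nests a physical room inside an intermediate PDA and gives a data object a child, and both edges are reported.</p>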
          <p>Figure 2 represents a partial snapshot of a state of the world representing two containment trees. Double-circled nodes in the figure denote containers of the data object class.</p>
          <p>[Figure 2: partial snapshot of the state of the world. Recoverable labels: Location Service, Room, Personal Digital Assistant.]</p>
          <p>To reflect dynamic changes in the configuration of the world we provide for updating the model through three operations: the enter operation causes a container, or a containment, to enter another containment; the leave operation is the converse; while the migrate operation binds the previous two in an atomic way and denotes a change of containment within a realm.</p>
        </sec>
        <sec id="sec-3-2-3">
          <title>Path Expressions</title>
          <p>To be able to reference a containment we use path expressions. A path can be defined as a sequence of containers linked by the contains relationship, written as α → β. A sequence α → β denotes that β is contained within α and that α is its immediate, first-level, container, i.e. its direct parent in the Containment Tree representation. Path expressions are specified using the following syntax (alternatives separated by commas):
element ::= α, ?
path ::= element, path/element, path/.../element</p>
          <p>A matching set of a path expression is either an empty set or a set with one element, where:</p>
          <p>A trivial expression element α matches a container of class α or of a more specialized class. The expression element ? matches a container of any class.</p>
          <p>Expression e1/e2 matches β1 → β2 if e1 matches β1 and e2 matches β2.</p>
          <p>Expression e1/.../en matches β1 → ... → βn if e1 matches β1, en matches βn and all steps in between obey the previous rule.</p>
          <p>The use of container classes in matching path elements, rather than unique container identifiers, is motivated in the next section.</p>
        </sec>
      </sec>
      <sec id="sec-3-3">
        <title>Containment Realms and Authorities</title>
        <p>Although we talk about modeling the state of the world, we do not envisage a holistic containment-based picture of a ubiquitous system existing in a centralized fashion; such a requirement would in any case be infeasible considering the nature and inherent characteristics of the ubiquitous computing world. The model is devised to be established and maintained in a distributed and independent fashion, representing only small portions of what would be a true holistic state of the world, posing no consistency issues and used locally by ubiquitous devices and infrastructural services.</p>
        <p>A device or service that has the resources to establish and maintain a portion of the model is called a model authority, or simply authority. The portion of the model maintained by a single authority is called a model realm, or just realm. In Figure 2 we can distinguish four realms enclosed in dash-lined squares and labeled with their respective authorities: the personal digital assistant (P.D.A.), the table-top PC (T.PC), the mobile phone (M.P.) and the location service. The fact that the mobile phone is not a part of the location service's realm denotes that it is either not locatable by the particular technology employed or out of its reach. Realm authorities are not necessarily represented as a node in the model, as is the case with the location service in the above example; this depends on whether they themselves represent a container class relevant for the model application.</p>
        <p>The granularity of the model provided by an authority depends on its model establishment and maintenance capabilities. To model the full range of physical and virtual containers and maintain their state, an authority needs support and awareness at both the system and application layers. The former is required for the representation of device hardware and operating platform software containers. The latter is needed for modeling application-level containers such as GUI windows, application-level communications channel tunnels or file types. Thus, an authority's individual level of model support defines the minimum local quality and quantity of service for the model application.</p>
      </sec>
      <sec id="sec-3-4">
        <title>Contextual Effect Propagation</title>
        <p>By exploiting container transparency, establishing context at any level in a containment tree allows us to determine its effects at any other level in the model. Consequently, the contextual effects a data object is exposed to in a particular context can be determined by identifying the set of effects implicit in the context and reasoning about their propagation across the boundaries of the containers comprising the data object's containment.</p>
        <p>Figure 3 a) shows how the set of effects a container boundary is exposed to ($\Upsilon$) is affected by the boundary's transparency ($\Upsilon_{\mathit{filtered}}$) and combined with the set of effects originating from inside the container ($\lambda_i$), giving the set propagated down the containment tree ($\Upsilon'$), in set-theoretic notation:
$$\Upsilon' = \bigcup_{i=1}^{n} \lambda_i \;\cup\; \Upsilon_{\mathit{filtered}}$$</p>
        <p>Figure 3 b) illustrates how a contextual effect is propagated down a data object's containment. The changing thickness and solidity of the arrows representing the contextual effect denote the effect of the container boundaries (horizontal lines).</p>
        <p>Reasoning about contextual effect propagation is not to be confused with the much more general notion of inter-container context dependencies. A context dependency can be described as a situation in which a contextual state within a container depends on the contextual state of another container. These dependencies may span containers in ways which cannot be expressed in the proposed containment-based model of the world. Resolving and acting upon context dependencies is seen as a job for context awareness mechanisms and techniques, and it precedes reasoning about contextual effects as presented here.</p>
        <p>A container's boundary transparency, as stated previously, can change based on the container's state, e.g. the open vs. closed door of a room with respect to sound permeability. Controlling the state of containers on the containment propagation path between the context occurrence and a data object therefore makes it possible to affect the set and the degree of contextual effects experienced by the data object. Furthermore, the same can be accomplished by purposeful insertion of a new container on the path.</p>
        <p>The main application target of the model is acting upon analysis of the contextual effects experienced by a data object in an environment. For this we leverage container transparency as specified by the relevant container class. Thus using container classes, and not unique container identifiers, to express containment paths (Section 2.2.3) facilitates specifying policies that match all data objects affected by a set of contextual effects, rather than having a policy rule per container instance and causing unnecessary duplication. For example, a path /pda/storage device matches both /pda/hard drive and /pda/sd card, where sd card and hard drive are specializations of storage device and where it is the storage device class that defines transparency for the particular contextual effect.</p>
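        <p>As an added example (not part of the paper), the following Python implements the path-expression matching rules of Section 2.2.3 over a constructed class hierarchy and shows the policy-level benefit described in this section: one rule written against storage device covers both a hard drive and an SD card. It assumes that a path expression is anchored at the realm root and that a data object is covered by a rule when the rule matches a prefix of the object's containment; the class names, the hierarchy and the containments are constructed.</p>
        <preformat><![CDATA[
```python
"""Path-expression matching over container classes (Sections 2.2.3 and 2.4).

Added example, not the paper's code. The class hierarchy, the containments
and the policy paths are constructed; the matching rules follow Section 2.2.3.
"""
from typing import Dict, List, Optional

# Constructed class hierarchy: class -> parent class (None for a top-level class).
PARENT: Dict[str, Optional[str]] = {
    "physical": None, "intermediate": None, "virtual": None,
    "room": "physical",
    "pda": "intermediate", "laptop": "intermediate", "display": "intermediate",
    "storage_device": "intermediate",
    "hard_drive": "storage_device", "sd_card": "storage_device",
    "file": "virtual", "encrypted_file": "file",
    "gui_window": "virtual", "data_object": "virtual",
}


def is_a(cls: str, wanted: str) -> bool:
    """True when cls is wanted or a specialization of it (walks up PARENT)."""
    while cls is not None:
        if cls == wanted:
            return True
        cls = PARENT[cls]
    return False


def parse_path(expr: str) -> List[str]:
    """'/pda/storage device' -> ['pda', 'storage_device']; '?' is kept as a wildcard."""
    elements = [e.replace(" ", "_") for e in expr.strip().split("/") if e]
    for e in elements:
        if e != "?" and e not in PARENT:
            raise ValueError(f"unknown container class {e!r}")
    return elements


def element_matches(element: str, cls: str) -> bool:
    """Element alpha matches class alpha or a more specialized class; ? matches any."""
    return element == "?" or is_a(cls, element)


def match_prefix(elements: List[str], containment: List[str]) -> Optional[List[str]]:
    """e1/.../en matches b1 -> ... -> bn when every ei matches bi (Section 2.2.3).
    The path is anchored at the realm root (assumption); returns the matched
    root-to-container sequence, or None."""
    if len(elements) > len(containment):
        return None
    for element, cls in zip(elements, containment):
        if not element_matches(element, cls):
            return None
    return containment[:len(elements)]


def matching_set(expr: str, containment: List[str]) -> List[List[str]]:
    """The paper's matching set: empty, or a single matched containment."""
    hit = match_prefix(parse_path(expr), containment)
    return [hit] if hit is not None else []


def affected(expr: str, objects: Dict[str, List[str]]) -> List[str]:
    """Data objects whose containment passes through a container matched by expr."""
    return sorted(name for name, path in objects.items() if matching_set(expr, path))


# Constructed containments of four data objects, realm root first.
OBJECTS: Dict[str, List[str]] = {
    "report": ["pda", "hard_drive", "encrypted_file", "data_object"],
    "photo": ["pda", "sd_card", "file", "data_object"],
    "note": ["pda", "display", "gui_window", "data_object"],
    "slide": ["laptop", "display", "gui_window", "data_object"],
}

if __name__ == "__main__":
    # One rule written against storage device covers hard drive and SD card alike.
    print(affected("/pda/storage device", OBJECTS))              # ['photo', 'report']
    print(affected("/?/display", OBJECTS))                       # ['note', 'slide']
    print(matching_set("/pda/storage device", OBJECTS["note"]))  # []
```
]]></preformat>
        <p>Because matching is by class, a policy written for /pda/storage device needs no update when a new storage class is added below storage_device in the hierarchy; only the PARENT table changes.</p>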
      </sec>
      <sec id="sec-3-5">
        <title>Other Modeling Approaches: Related Work</title>
        <p>
Spatial models have been a focus of research in
several different areas of computer science such as
mobility theory, ubiquitous computing [
          <xref ref-type="bibr" rid="ref1 ref14">14, 1</xref>
          ] and spatial
databases [
          <xref ref-type="bibr" rid="ref21">21</xref>
          ]. The very idea of a container as a basis
for the proposed model stems from Egenhofer's
geoinformation systems work on spatial reasoning
algebras [
          <xref ref-type="bibr" rid="ref10">10</xref>
          ].
        </p>
        <p>
          Theoretical foundations of mobility models have been laid by the work on the π-calculus [
          <xref ref-type="bibr" rid="ref16">16</xref>
          ], aimed at modeling distributed communications systems, and its variants such as asynchronous, distributed or nomadic π-calculi that added new concepts such as migration, site failure, located channels, permissions, etc. The approaches to structuring the world in mobility models range from flat, in Mobadtl [
          <xref ref-type="bibr" rid="ref11">11</xref>
          ], to hierarchical, as in Join-Calculus [
          <xref ref-type="bibr" rid="ref12">12</xref>
          ] or Ambient Calculus [
          <xref ref-type="bibr" rid="ref5">5</xref>
          ].
        </p>
        <p>[Figure 3: a) propagation across a container boundary (labels: Context State, Container Boundary, Context Effect, Data Object, Υ, Υ_filtered, λ1,...,λn); b) propagation down a containment.]</p>
        <p>
          The presented model is significantly influenced by Cardelli's work on Ambient Calculus for mobile ambients [
          <xref ref-type="bibr" rid="ref6">6</xref>
          ] and draws from the later specialization of the model by Scott et al. [
          <xref ref-type="bibr" rid="ref20">20</xref>
          ]. Both the notion of a mobile ambient and that of an entity, their nesting and migration, as used by Cardelli and Scott respectively, resemble the role of a container and containment. However, both the Ambient Calculus, in a more formal way and with more expressive power, and Scott's work deal with enforcing policies on migrations of mobile computations and mobile agents respectively.
        </p>
        <p>The key difference is in the underlying philosophy. We model the world using passive entities, containers, that have no computational power whatsoever. Rather than being concerned with the legality of migrations, i.e. model updates, and control over them, we are interested in the way in which the represented entities passively affect the external forces imposed on them, i.e. contextual effects. We go further to analyse how compositions, i.e. nesting, of such entities and model reconfigurations affect contextual effect propagation. We depart from a binary, allow-deny, decision model to provide for a plethora of container and model operations to control the degree of contextual effect propagation.</p>
        <p>Scott's approach, being more practical, is founded on the premises of a pervasive location service and the embedding of a notion of an owner into the entities, both of which bear scalability issues. The proposed model, being inherently distributed in an independent fashion, poses no such issues. One consequence of this is support for variable levels of granularity at which different realms are maintained, which greatly aids model deployment in ubiquitous computing environments.</p>
      </sec>
    </sec>
    <sec id="sec-4">
      <title>Model Application</title>
      <p>The presented containment-based model of the world is suitable for a class of context-aware applications that satisfy the following two fundamental requirements: the world can be structured as a forest of containment trees based on container classes that have an explicit role in reasoning about an external set of forces, e.g. contextual effects; and those forces can be explicitly identified, e.g. application-specific effects implicit in context. Model flexibility allows for its application in a wide variety of settings.</p>
      <p>We briefly present our application of the model in an Autonomic System for Context-Adaptive Information Security and Privacy Protection.</p>
      <sec id="sec-4-1">
        <title>Motivation</title>
        <p>
          The ubiquitous computing vision [
          <xref ref-type="bibr" rid="ref25">25</xref>
          ] has brought about a number of challenges for the security and privacy of information, stemming from a number of technological and socio-technological reasons [
          <xref ref-type="bibr" rid="ref24">24</xref>
          ]. Some of the problems can be solved by adapting existing solutions from traditional distributed systems while others need novel solutions. Examples of the latter would be secure device associations [
          <xref ref-type="bibr" rid="ref23">23</xref>
          ], location-limited channels for authentication [
          <xref ref-type="bibr" rid="ref3">3</xref>
          ] or methods addressing specific usability issues [
          <xref ref-type="bibr" rid="ref22">22</xref>
          ].
        </p>
        <p>
          The availability of contextual information plays an important part in reasoning about information security and privacy in the face of frequent and unpredictable context changes, as inherent in the ubiquitous computing world. In more traditional environments, characterized by the existence of a secure perimeter and its implications, together with the limited means of information access and usage, contextual factors, being predictable, are reasoned about implicitly and built into static security policies. For adequate information security and privacy protection in ubiquitous computing we need explicit reasoning about the context; this is especially true for authorization and access control mechanisms [
          <xref ref-type="bibr" rid="ref8">8</xref>
          ] and for the development of more dynamic, context-adaptive, security policies [
          <xref ref-type="bibr" rid="ref18">18</xref>
          ].
        </p>
        <p>
          In our work on context-adaptive security, presented in detail in a companion publication [
          <xref ref-type="bibr" rid="ref9">9</xref>
          ], we address a subset of information leakage threats particularly exacerbated in ubiquitous computing scenarios, which we call information exposure threats. Their distinguishing characteristic is that they do not involve a malicious custodian¹. Information exposure threats represent information leakage into the environment as a side-effect of the information management and handling procedures deployed in a particular context. They stem from a mismatch between: information sensitivity; the context surrounding the information, which determines the threat model; and the particular information management procedure employed, which grants a level of protection in the context. Simple instances of the threat class involve sensitive information being: displayed in a form and on a screen visually accessible to a third party; taken out of a secure perimeter on a mobile computing or storage device without accounting for the shift in threat model; transmitted in plain text over a corporate wireless link whose signal penetrates into a publicly accessible area, etc.
        </p>
        <p>¹ A person in legitimate possession of, or with legitimate access to, information as determined by external authentication and authorization mechanisms.</p>
        <p>Expecting users to reason about and act upon security issues of such complexity is highly unrealistic and contrary to the vision of the disappearing computer. Thus, we develop an autonomic system for context-adaptive information security and privacy protection founded on the previously presented containment-based model of the world. The main goal of the system is to provide maximum information availability for the information custodian while protecting its security and privacy according to the perceived threat level implied by the current context at any point in time.</p>
      </sec>
      <sec id="sec-4-2">
        <title>Levels of Exposure</title>
        <p>An information exposure threat has two main characteristics: type and degree. The former determines the nature of a threat while the latter denotes the actual risk, or the likelihood, of the particular threat materializing in the given context. The notion of information exposure, as we define it, assumes information access. For illustrative purposes only, we can typify information exposure threats according to the nature of the information access implied as physical, visual, audio and network access. Thus, for example, we could say that an information exposure threat described in natural language as "mobile device outside secure perimeter" implies a risk of physical access to information stored on the device due to the increased likelihood of device abduction.</p>
        <p>Unlike the usual binary, nothing-or-all, decision model of authorization policies, we strive to provide maximum information availability while adequately protecting its security and privacy. The perceived or estimated degree of an information exposure threat plays an important role in this process. While the mere presence or absence of a threat would force the employment of a binary protective action, such as information destruction, i.e. deletion, in the presence of a threat, the degree allows for a choice of matching actions which balance information availability with its exposure. For example, consider the following three contexts: inside a secure perimeter, outside a secure perimeter, and outside a secure perimeter with the owner away; we could establish the respective degrees of physical access to information stored on a mobile device as low, medium and high. This enables us to perform, for example, the following protective actions respectively: none, i.e. retain the information in its current form; encrypt the information; and erase the information. Similar considerations would apply to a piece of sensitive information displayed on a public screen exposed to threats described as "inside a secure perimeter and a third person present" or "outside a secure perimeter". To mitigate these threats the GUI window hosting the information representation could be shrunk or migrated to an available mobile phone's display, lowering the observability of the information.</p>
        <p>Levels of Exposure (LoEs) are introduced to quantify the degree or likelihood of information exposure due to a specific threat, or collection of threats, present in a context, and are used to discriminate between the appropriate protective actions to be applied, as hinted at above. As information of different sensitivity classes is expected to have different handling policies in the face of information exposure threats, we specify LoE models on a per-sensitivity-class basis. The granularity of a LoE model for a sensitivity class depends directly on the context capturing capabilities of the policy enforcement device and on the range of available protective actions. Individual LoE models can take any form from independent points in the threat-action space to structures like hierarchies or lattices.</p>
      </sec>
      <sec id="sec-4-3">
        <title>The Role of the Containment Model</title>
        <p>Information exposure threats are, as outlined previously, implicit in the context. We classify containers according to their primary functionality, e.g. a display, a keyboard or a storage device, but choose the classes to be represented based on their distinctive transparency characteristics. The transparency of each container class's boundary is defined in terms of threat types, e.g. physical, visual, audio or network access, and its impact on the threat degree.</p>
        <p>For example, consider a piece of information classified as SECRET within a containment specified using the path expression /pda/hard drive/encrypted file, and a threat described as "outside secure perimeter" characterized by the types physical, visual and audio access and a degree of 8 out of 10. The LoE establishment for the relevant data object would proceed as follows: the container class hard drive is opaque for threats of visual and audio access but fully transparent for threats of the type physical access, therefore only the physical access threat of degree 8 is propagated further down the containment tree; the container class encrypted file is partially transparent for the threat and impacts its degree by 40%, the reasoning being that it is much easier to access information stored as plain text than in encrypted form, provided that the encryption key is secure; the resulting threat that the data object is exposed to is of type physical access with a degree of 4.8; considering that the information is classified as SECRET, the degree may imply the LoE defined as HIGH, which requires information destruction; in other words, the information is not allowed to leave the secure perimeter. For another data object classified as CONFIDENTIAL the same threat type and degree might have implied a LoE of LOW, thereby denoting that information of that classification level may leave the secure perimeter stored on the hard drive if encrypted. Although simplistic, the example illustrates containment-based reasoning about context-implied information security and privacy threats.</p>
      </sec>
      <sec id="sec-4-4">
        <title>Protective Actions</title>
        <p>
          From the point of view of information security and
privacy protection the goal of the system is to
maintain the lowest LoE for all data objects in all contexts,
which we call the state of homeostasis. This is
accomplished by two sets of protective actions: containment
manipulation and information reduction. Containment
manipulation actions are aimed at blocking threats
before they reach the data objects in question by exploiting
container transparency characteristics. Containment
manipulation actions consist of: insertion of a new container
somewhere on the threat's propagation path,
e.g. file encryption or SSL tunneling; state alteration
of a container already on the path, e.g. GUI
window shrinking; or migration of a data object to a different
containment. Information reduction [
          <xref ref-type="bibr" rid="ref13 ref2">13, 2</xref>
          ] actions are
aimed at reducing the information content so as to lower
its sensitivity classification and thus the LoE.
        </p>
        <p>
          A ubiquitous device's context sensing capabilities,
including user profiling, i.e. context information
solicitation, and the containment-model granularity
supported by the platform determine the granularity
of the protective actions that may be applied,
ranging from the binary, all or nothing, decision model
to fine-grained container manipulation and
information reduction techniques. Our system for autonomic
context-adaptive security [
          <xref ref-type="bibr" rid="ref9">9</xref>
          ], thus, forms a specific set
of policies based on finite state automata with
tautness functions [
          <xref ref-type="bibr" rid="ref4">4</xref>
          ] for each of the enforcement devices,
based on their platform profiles, to maximize
information availability while enforcing appropriate
information protection with respect to perceived information
exposure threats.
        </p>
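        <p>The following Python program is an added illustration of the reasoning described in the two preceding sections (the role of the containment model, and protective actions); it is not the authors' code. It walks a containment path root first, attenuates each threat by the transparency of every container class it crosses, maps the worst surviving degree to a LoE through a per-sensitivity-class LoE model, and then searches the containment-manipulation actions for one that lowers the LoE. The transparency table, the LoE thresholds and the catalogue of insertable containers are assumed values, chosen so that the paper's worked example is reproduced: a threat of degree 8 arrives at /pda/hard drive/encrypted file as physical access of degree 4.8, which is HIGH for SECRET and LOW for CONFIDENTIAL.</p>

```python
"""Containment-based reasoning about information exposure threats.

Added illustration; not the authors' code. The transparency table,
the per-class LoE models and the action catalogue are assumed values
chosen so that the paper's worked example is reproduced.
"""
from dataclasses import dataclass

LOE_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2}


@dataclass(frozen=True)
class Threat:
    kind: str      # physical, visual, audio or network access
    degree: float  # 0..10, as in the paper's example


# Transparency of a container class boundary per threat type (assumed):
# 1.0 passes the threat unchanged, 0.0 blocks it, anything in between
# attenuates its degree.  A threat type missing from a row passes
# unchanged: a gap in our knowledge must not hide a threat.
TRANSPARENCY = {
    "pda":            {"physical": 1.0, "visual": 1.0, "audio": 1.0, "network": 1.0},
    "hard drive":     {"physical": 1.0, "visual": 0.0, "audio": 0.0, "network": 1.0},
    # "reduces its degree by 40%": 60% of the threat passes
    "encrypted file": {"physical": 0.6, "visual": 0.6, "audio": 0.6, "network": 0.6},
    "ssl tunnel":     {"network": 0.6},
    "display":        {"physical": 1.0, "visual": 1.0, "audio": 0.0, "network": 0.0},
}

# LoE model per sensitivity class: ordered (minimum threat degree, LoE,
# action the policy requires).  Assumed thresholds.
LOE_MODELS = {
    "SECRET":       [(4.0, "HIGH", "destroy"), (2.0, "MEDIUM", "encrypt"), (0.0, "LOW", "allow")],
    "CONFIDENTIAL": [(6.0, "HIGH", "destroy"), (5.0, "MEDIUM", "encrypt"), (0.0, "LOW", "allow")],
}

# Containers a containment-manipulation action may insert at the end of a path.
INSERTABLE = ["encrypted file", "ssl tunnel"]

# Constructed threat from the paper's example: "outside secure perimeter",
# types physical, visual and audio access, degree 8 of 10.
OUTSIDE_PERIMETER = [Threat("physical", 8.0), Threat("visual", 8.0), Threat("audio", 8.0)]


def propagate(path, threats):
    """Push threats down a containment path (root first) and return the
    ones that reach the data object, with degrees attenuated on the way."""
    live = list(threats)
    for container in path.strip("/").split("/"):
        row = TRANSPARENCY[container]
        live = [Threat(t.kind, round(t.degree * row.get(t.kind, 1.0), 3))
                for t in live if row.get(t.kind, 1.0) > 0.0]
    return live


def level_of_exposure(classification, threats):
    """Map the worst surviving threat degree to (LoE, required action)
    using the LoE model of the object's sensitivity class."""
    worst = max((t.degree for t in threats), default=0.0)
    for threshold, loe, action in LOE_MODELS[classification]:
        if worst >= threshold:
            return loe, action
    raise ValueError("LoE model must end with a 0.0 threshold")


def plan(path, classification, threats):
    """Pick the containment-manipulation action that reaches the lowest LoE.
    Returns (resulting LoE, action, resulting path); when no insertion
    lowers the LoE, the action is the one the LoE model itself demands."""
    loe, action = level_of_exposure(classification, propagate(path, threats))
    best = (loe, "none" if loe == "LOW" else action, path)
    if loe == "LOW":
        return best
    for container in INSERTABLE:
        candidate = f"{path}/{container}"
        c_loe, _ = level_of_exposure(classification, propagate(candidate, threats))
        if LOE_RANK[c_loe] < LOE_RANK[best[0]]:
            best = (c_loe, f"insert container '{container}'", candidate)
    return best


if __name__ == "__main__":
    for cls in ("SECRET", "CONFIDENTIAL"):
        for path in ("/pda/hard drive", "/pda/hard drive/encrypted file"):
            reaching = propagate(path, OUTSIDE_PERIMETER)
            print(cls, path, [(t.kind, t.degree) for t in reaching],
                  level_of_exposure(cls, reaching), plan(path, cls, OUTSIDE_PERIMETER))
```

        <p>Two design choices matter for an exposure estimate: a threat type absent from a container's transparency row is passed through rather than blocked, because treating ignorance as opacity would silently understate exposure; and the planner only ever reports the lowest LoE it can reach, so for SECRET data on a plain hard drive it falls back to the LoE model's own demand (destruction) because encryption alone still leaves the degree at 4.8. Information reduction, the second action set, would appear here as re-evaluating with a lower classification once the object's content has actually been reduced.</p>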
      </sec>
    </sec>
    <sec id="sec-5">
      <title>Discussion and Conclusion</title>
      <sec id="sec-5-1">
        <title>Discussion</title>
        <p>Scalability. The main factor in model
scalability is the possible size of the container
classification hierarchy. The individual container classes to be
represented are chosen based on their distinguishing
transparency characteristics for the application-relevant
set of contextual effects. Thus, compared to the
envisaged software and hardware heterogeneity of the
ubiquitous world, we expect the size of the classification
to remain manageable. For example, for the
presented model application, we can divide all
available storage devices into: fixed and removable,
denoting the level of control available over stored data at
all times; and tamper-resistant and otherwise, denoting
the ease of physical access to the stored information.</p>
        <p>The size of the model at every individual
authority will, in line with the container classification
granularity, depend on the container classes supported by the
authority as determined by its hardware and software
configuration. The representation of the model at an
authority may range, application-specifically, from
implicit, where the model is used only in an abstract
way, e.g. to form policies, and there is no actual data
structure representing it, to explicit, where the
containment configuration is needed at run time
for reasoning about contextual effects or otherwise.
Formal methods may be used to approximate
individual containers by larger ones, maintaining model
correctness while reducing its overall size.</p>
        <p>Complexity. The complexities involved in model
maintenance and use are highly application specific.
Although the model maintenance overheads depend on
the chosen representation, judging by its structure and
the nature of the update operations we expect them to
be close to trivial. The complexities involved in model use
may vary from, again, trivial, where the model is
used just for querying the environment configuration at a
point in time, to substantially more significant, where an
explicit contextual effect reasoning process is
performed on the model.</p>
      </sec>
      <sec id="sec-5-2">
        <title>Conclusion</title>
        <p>In this work we have presented a model that
provides a unified representation of space, joining the
physical and virtual realms, based on the notions of a
container and containment. We leverage the inherent
characteristics of a container, and of its class, to model
contextual effect propagation across its boundary.
Together, these two pieces of work facilitate reasoning
about, and provide a means of localized reaction to,
the quality and quantity of contextual effects as
experienced by a target entity in a dynamically
reconfigurable environment. The model allows for
independent and distributed maintenance at granularities
matching the available resources and capabilities of the
devices it is deployed on. This provides minimum
level of service guarantees to the model's applications,
making it particularly attractive for ubiquitous
computing environments. To demonstrate its effectiveness
we have briefly presented the use of the model in a
system for autonomic, context-adaptive, and fine-grained
information security protection.</p>
      </sec>
    </sec>
  </body>
  <back>
    <ref-list>
      <ref id="ref1">
        <mixed-citation>
          [1]
          <string-name>
            <given-names>N.</given-names>
            <surname>Adly</surname>
          </string-name>
          ,
          <string-name>
            <given-names>P.</given-names>
            <surname>Steggles</surname>
          </string-name>
          , and
          <string-name>
            <given-names>A.</given-names>
            <surname>Harter</surname>
          </string-name>
          .
          <article-title>Spirit: a resource database for mobile users</article-title>
          .
          <source>In Proceedings of The ACM CHI'97 Workshop on Ubiquitous Computing</source>
          ,
          <year>1997</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref2">
        <mixed-citation>
          [2]
          <string-name>
            <given-names>D. E.</given-names>
            <surname>Bakken</surname>
          </string-name>
          ,
          <string-name>
            <given-names>R.</given-names>
            <surname>Parameswaran</surname>
          </string-name>
          ,
          <string-name>
            <given-names>D. M.</given-names>
            <surname>Blough</surname>
          </string-name>
          ,
          <string-name>
            <given-names>A. A.</given-names>
            <surname>Franz</surname>
          </string-name>
          , and
          <string-name>
            <given-names>T. J.</given-names>
            <surname>Palmer</surname>
          </string-name>
          .
          <article-title>Data obfuscation: Anonymity and desensitization of usable data sets</article-title>
          .
          <source>IEEE Security and Privacy</source>
          ,
          <volume>2</volume>
          (
          <issue>6</issue>
          ):
          <fpage>34</fpage>-<lpage>41</lpage>
          , November/
          <year>December 2004</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref3">
        <mixed-citation>
          [3]
          <string-name>
            <given-names>D.</given-names>
            <surname>Balfanz</surname>
          </string-name>
          ,
          <string-name>
            <given-names>D. K.</given-names>
            <surname>Smetters</surname>
          </string-name>
          ,
          <string-name>
            <given-names>P.</given-names>
            <surname>Stewart</surname>
          </string-name>
          , and
          <string-name>
            <given-names>H. C.</given-names>
            <surname>Wong</surname>
          </string-name>
          .
          <article-title>Talking to strangers: Authentication in ad-hoc wireless networks</article-title>
          .
          <source>In Proceedings of Network and Distributed System Security Symposium</source>
          ,
          <year>2002</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref4">
        <mixed-citation>
          [4]
          <string-name>
            <given-names>J.</given-names>
            <surname>Baliosian</surname>
          </string-name>
          and
          <string-name>
            <given-names>J.</given-names>
            <surname>Serrat</surname>
          </string-name>
          .
          <article-title>Finite state transducers for policy evaluation and conflict resolution</article-title>
          .
          <source>In IEEE 5th International Workshop on Policies for Distributed Systems and Networks</source>
          ,
          <year>2004</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref5">
        <mixed-citation>
          [5]
          <string-name>
            <given-names>L.</given-names>
            <surname>Cardelli</surname>
          </string-name>
          .
          <article-title>Semistructured computation</article-title>
          .
          <source>In 7th International Workshop on Database Programming Languages: Research Issues in Structured and Semistructured Database Programming</source>
          ,
          <year>September 1999</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref6">
        <mixed-citation>
          [6]
          <string-name>
            <given-names>L.</given-names>
            <surname>Cardelli</surname>
          </string-name>
          and
          <string-name>
            <given-names>A. D.</given-names>
            <surname>Gordon</surname>
          </string-name>
          .
          <article-title>Mobile ambients</article-title>
          .
          <source>In Proceedings of The FOSSACS '98</source>
          ,
          <year>1998</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref7">
        <mixed-citation>
          [7]
          <string-name>
            <given-names>D.</given-names>
            <surname>Chalmers</surname>
          </string-name>
          .
          <article-title>Contextual Mediation to Support Ubiquitous Computing</article-title>
          .
          <source>PhD thesis</source>
          , Department of Computing, Imperial College London,
          <year>2002</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref8">
        <mixed-citation>
          [8]
          <string-name>
            <given-names>M. J.</given-names>
            <surname>Covington</surname>
          </string-name>
          ,
          <string-name>
            <given-names>W.</given-names>
            <surname>Long</surname>
          </string-name>
          ,
          <string-name>
            <given-names>S.</given-names>
            <surname>Srinivasan</surname>
          </string-name>
          ,
          <string-name>
            <given-names>A. K.</given-names>
            <surname>Dev</surname>
          </string-name>
          ,
          <string-name>
            <given-names>M.</given-names>
            <surname>Ahmad</surname>
          </string-name>
          , and
          <string-name>
            <given-names>G.</given-names>
            <surname>Abowd</surname>
          </string-name>
          .
          <article-title>Securing context-aware applications using environmental roles</article-title>
          .
          <source>In Proceedings of the 6th ACM symposium on Access Controls models and technologies</source>
          , pages
          <fpage>10</fpage>-<lpage>20</lpage>
          ,
          <year>2001</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref9">
        <mixed-citation>
          [9]
          <string-name>
            <given-names>B.</given-names>
            <surname>Dragovic</surname>
          </string-name>
          ,
          <string-name>
            <surname>J.</surname>
          </string-name>
          ,
          <string-name>
            <given-names>P.</given-names>
            <surname>Vidales</surname>
          </string-name>
          , and
          <string-name>
            <given-names>J.</given-names>
            <surname>Crowcroft</surname>
          </string-name>
          .
          <article-title>Autonomic system for context adaptive security in ubiquitous computing environments</article-title>
          .
          <source>Submitted for publication at ESORICS</source>
          <year>2005</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref10">
        <mixed-citation>
          [10]
          <string-name>
            <given-names>M.</given-names>
            <surname>Egenhofer</surname>
          </string-name>
          and
          <string-name>
            <given-names>A.</given-names>
            <surname>Rodríguez</surname>
          </string-name>
          .
          <article-title>Relation algebras over containers and surfaces: An ontological study of a room space</article-title>
          .
          <source>Spatial Cognition and Computation</source>
          ,
          <volume>1</volume>
          (
          <issue>2</issue>
          ):
          <fpage>155</fpage>-<lpage>180</lpage>
          ,
          <year>1999</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref11">
        <mixed-citation>
          [11]
          <string-name>
            <given-names>G.</given-names>
            <surname>Ferrari</surname>
          </string-name>
          ,
          <string-name>
            <given-names>C.</given-names>
            <surname>Montagnero</surname>
          </string-name>
          ,
          <string-name>
            <given-names>L.</given-names>
            <surname>Semini</surname>
          </string-name>
          , and
          <string-name>
            <given-names>S.</given-names>
            <surname>Semprini</surname>
          </string-name>
          .
          <article-title>The mobadtl model and method to design network aware applications</article-title>
          .
          <source>Technical report</source>
          , Computer Science Dept., University of Pisa,
          <year>2003</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref12">
        <mixed-citation>
          [12]
          <string-name>
            <given-names>C.</given-names>
            <surname>Fournet</surname>
          </string-name>
          and
          <string-name>
            <given-names>G.</given-names>
            <surname>Gonthier</surname>
          </string-name>
          .
          <article-title>The reflexive chemical abstract machine and the join-calculus</article-title>
          .
          <source>In 23rd ACM Symposium on Principles of Programming Languages</source>
          ,
          <year>1996</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref13">
        <mixed-citation>
          [13]
          <string-name>
            <given-names>A.</given-names>
            <surname>Heuer</surname>
          </string-name>
          and
          <string-name>
            <given-names>A.</given-names>
            <surname>Lubinski</surname>
          </string-name>
          .
          <article-title>Data reduction - an adaptation technique for mobile environments</article-title>
          .
          <source>In Interactive Applications of Mobile Computing (IMC'98)</source>
          ,
          <year>1998</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref14">
        <mixed-citation>
          [14]
          <string-name>
            <given-names>J.</given-names>
            <surname>Hightower</surname>
          </string-name>
          ,
          <string-name>
            <given-names>B.</given-names>
            <surname>Brumitt</surname>
          </string-name>
          , and
          <string-name>
            <given-names>G.</given-names>
            <surname>Borriello</surname>
          </string-name>
          .
          <article-title>The location stack: A layered model for location in ubiquitous computing</article-title>
          .
          <source>In 4th Intl. Workshop on Mobile Computing Systems and Applications (WMCSA 2002)</source>
          ,
          <year>2002</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref15">
        <mixed-citation>
          [15]
          <string-name>
            <surname>IBM</surname>
          </string-name>
          .
          <article-title>Autonomic computing manifesto</article-title>
          . WWW,
          <year>October 2001</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref16">
        <mixed-citation>
          [16]
          <string-name>
            <given-names>R.</given-names>
            <surname>Milner</surname>
          </string-name>
          .
          <source>Communicating and Mobile Systems: The Pi Calculus</source>
          . Cambridge University Press,
          <year>1999</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref17">
        <mixed-citation>
          [17]
          <string-name>
            <given-names>G. K.</given-names>
            <surname>Mostefaoui</surname>
          </string-name>
          and
          <string-name>
            <given-names>P.</given-names>
            <surname>Brezillon</surname>
          </string-name>
          .
          <article-title>Context-based security policies: A new modeling approach</article-title>
          .
          <source>In 2nd IEEE Conference on Pervasive Computing and Communications Workshops</source>
          ,
          <year>2004</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref18">
        <mixed-citation>
          [18]
          <string-name>
            <given-names>G. K.</given-names>
            <surname>Mostéfaoui</surname>
          </string-name>
          and
          <string-name>
            <given-names>P.</given-names>
            <surname>Brézillon</surname>
          </string-name>
          .
          <article-title>Modeling context-based security policies with contextual graphs</article-title>
          .
          <source>In Workshop on Context Modeling and Reasoning</source>
          ,
          <year>2004</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref19">
        <mixed-citation>
          [19]
          <string-name>
            <given-names>G. K.</given-names>
            <surname>Mostéfaoui</surname>
          </string-name>
          and
          <string-name>
            <given-names>J.</given-names>
            <surname>Pasquier-Rocha</surname>
          </string-name>
          .
          <article-title>Context-aware computing: A guide for the pervasive computing community</article-title>
          .
          <source>In The IEEE/ACS International Conference on Pervasive Services (ICPS'04)</source>
          ,
          <year>July 2004</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref20">
        <mixed-citation>
          [20]
          <string-name>
            <given-names>D.</given-names>
            <surname>Scott</surname>
          </string-name>
          ,
          <string-name>
            <given-names>A.</given-names>
            <surname>Beresford</surname>
          </string-name>
          , and
          <string-name>
            <given-names>A.</given-names>
            <surname>Mycroft</surname>
          </string-name>
          .
          <article-title>Spatial security policies for mobile agents in a sentient computing environment</article-title>
          .
          <source>In Proceedings of The FASE</source>
          <year>2003</year>
          ,
          <year>2003</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref21">
        <mixed-citation>
          [21]
          <string-name>
            <given-names>S.</given-names>
            <surname>Shekhar</surname>
          </string-name>
          ,
          <string-name>
            <given-names>S.</given-names>
            <surname>Chawla</surname>
          </string-name>
          ,
          <string-name>
            <given-names>S.</given-names>
            <surname>Ravada</surname>
          </string-name>
          ,
          <string-name>
            <given-names>S.</given-names>
            <surname>Fetterer</surname>
          </string-name>
          , and
          <string-name>
            <given-names>C.</given-names>
            <surname>Liu</surname>
          </string-name>
          .
          <article-title>Spatial databases: Accomplishments and research needs</article-title>
          .
          <source>IEEE Trans on Knowledge and Data Engineering</source>
          ,
          <volume>11</volume>
          (
          <issue>1</issue>
          ):
          <fpage>45</fpage>-<lpage>55</lpage>
          ,
          <year>1999</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref22">
        <mixed-citation>
          [22]
          <string-name>
            <given-names>F.</given-names>
            <surname>Stajano</surname>
          </string-name>
          .
          <article-title>One user, many hats; and, sometimes, no hat: towards a secure yet usable PDA</article-title>
          .
          <source>In Proceedings of Security Protocols Workshop</source>
          ,
          <year>2004</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref23">
        <mixed-citation>
          [23]
          <string-name>
            <given-names>F.</given-names>
            <surname>Stajano</surname>
          </string-name>
          and
          <string-name>
            <given-names>R.</given-names>
            <surname>Anderson</surname>
          </string-name>
          .
          <article-title>The resurrecting duckling: Security issues for ubiquitous computing</article-title>
          .
          <source>IEEE Computer Supplement on Security and Privacy</source>
          , pages
          <fpage>22</fpage>-<lpage>26</lpage>
          ,
          April
          <year>2002</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref24">
        <mixed-citation>
          [24]
          <string-name>
            <given-names>F.</given-names>
            <surname>Stajano</surname>
          </string-name>
          and
          <string-name>
            <given-names>J.</given-names>
            <surname>Crowcroft</surname>
          </string-name>
          .
          <article-title>The Butt of the Iceberg: Hidden Security Problem of Ubiquitous System</article-title>
          . Kluwer,
          <year>2003</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref25">
        <mixed-citation>
          [25]
          <string-name>
            <given-names>M.</given-names>
            <surname>Weiser</surname>
          </string-name>
          .
          <article-title>The computer for the 21st century</article-title>
          .
          <source>Scientific American</source>
          ,
          <volume>265</volume>
          (
          <issue>3</issue>
          ):
          <fpage>94</fpage>-<lpage>104</lpage>
          ,
          <year>September 1991</year>
          .
        </mixed-citation>
      </ref>
    </ref-list>
  </back>
</article>