Containment: from Context Awareness to Contextual Effects Awareness

Boris Dragovic and Jon Crowcroft
The Computer Laboratory, University of Cambridge, UK
{name.surname}@cl.cam.ac.uk

Abstract

Context plays a key role, as recognized by a wide body of research, in application and entity adaptation in the ubiquitous computing world characterized by extensive platform heterogeneity and environment dynamicity and unpredictability. Implicit in the notion of context, as used by context-aware applications, are the actual effects, including constraints, that context has on target entities. We believe that making a step further from explicit reasoning about context to explicit reasoning about its implicit effects will facilitate more effective and flexible adaptation. In this work we present an approach to modeling the world based on the natural notions of container and containment and show how it enables explicit reasoning about and acting upon context-implied effects on target entities, data objects in particular. We also outline a practical use of the model through its application in a system for autonomic context-aware information security and privacy protection.

1 Introduction

The notion of context plays an important role in enabling the vision of ubiquitous and pervasive computing [25]. Characterized by heterogeneity, environment unpredictability and dynamicity, ubiquitous computing requires explicit reasoning about context to provide for relevant application and entity adaptation. To meet this aim, the availability of contextual information is exploited in a number of ways in pervasive computing [7].

Despite the huge body of research and knowledge, as outlined and summarized in [19], the notion of context remains elusive with respect to its exact definition or categorization. Definitions in general lack precise, mathematical-style specification. They are also highly application specific and tend to use natural language, often resulting in cyclic term definitions, e.g. "context is an entity-relevant state of the environment". Context categorization efforts suffer from a similar set of problems. Although a distinction can be made between categorizations according to application domain and according to point of view [19], a single, unified approach seems nowhere on the horizon. Contrary to these efforts, the elusiveness of a universal context definition and categorization might be a feature rather than a bug, showing us that the right way of thinking about context in general is in its more abstract sense.

Irrespective of a particular context definition or categorization, the very notion of context as used in context-aware computing has two fundamental aspects: a particular set of entities affected by a context and a set of contextual effects of interest. Both are application-specific. The mapping from a context description to a set of contextual effects affecting an entity is often implicit in application design or policy specification, e.g.: a set of constraints imposed by a device's rendering capabilities on the presentation of a document; a set of options available in "activity-aware" decision support applications; a set of security and privacy threats present for an entity in its environment.

In this paper we neither offer a novel definition of context nor propose a context categorization approach. What we are interested in is modeling, reasoning about and controlling the effects that contextual states imply for target entities. The advent of ubiquitous and pervasive computing has necessitated a move away from static security policies to more dynamic models [17], supporting explicit reasoning about context. By analogy, with the push towards autonomic computing [15] the ability to analyze contextual effects explicitly and in a dynamic fashion is required. Establishing dependencies between contextual effects of interest and environment reconfigurations is one of the fundamental steps towards that goal. It will facilitate contextual effects control through a more flexible, effective and autonomic means of adaptation. As the basis of our approach we offer the container paradigm as a foundation for structuring the world, Section 2, and show how it may be used to achieve the above goals. We also design the model in an information-centric way, i.e. we structure the model so that it facilitates reasoning about the contextual effects affecting the information existing in a ubiquitous setting through its representation in the form of data objects. To further support the proposed model we present, in Section 3, an application in the area of ubiquitous computing security that uses the model to provide autonomic context-adaptive information security and privacy protection.

2 Containers and Containment: Modeling the World

2.1 Container: The Definition

We define a container to be a physical or virtual enclosure, a bounded region with a distinctive interior, boundary and exterior, in which another container, or ultimately a piece of information, may exist.

2.1.1 Container Classification

Containers are classified into a container class hierarchy based on their characteristics and primary functionality. Container characteristics are inherited down the hierarchy, going from abstract towards more specialized classes. An example classification is depicted in Figure 1. At the top level, we define the classes directly inheriting from the container as physical, intermediate and virtual containers, while the lower levels are application specific. Physical containers exist in the physical world, i.e. are objects of three dimensions, such as e.g. a room or a space within a secure perimeter. Virtual containers, on the other hand, exist solely in the virtual, digital, realm, such as e.g. a GUI window, a file system, a file, a TCP packet or an IPSEC/SSL tunnel. Intermediate containers represent a bridge between the physical and the virtual realms by being physical objects, or a composition, in the UML sense, of physical objects, but containing only virtual entities. Examples of intermediate containers are: a mobile phone, a laptop, a storage device, a display, a communications link etc. Classification granularity impacts on the physical and intermediate class boundaries.

We define a containable relationship to denote, for each container class, which container classes may "fit", i.e. be contained, within it. For example, a file system may contain a file, a communications link may contain a TCP packet or an IPSEC tunnel etc. In the general case, physical containers may contain further physical or intermediate containers, based on their physical characteristics, namely the size/volume; intermediate containers may contain intermediate or virtual containers, while virtual containers may contain only containers of the same class.

We define the data object class as an atomic class in the sense that it denotes pure information content and may not contain any other container classes. The notion of a data object is different from the traditional notion of a file and represents a collection of information indivisible according to some criteria, e.g. a security classification. A file, being a virtual container, may contain one or more data objects, e.g. a document containing distinctive paragraphs of text, pictures and tables.

[Figure 1. Example container classification. Node labels recoverable from the figure: Container; Physical, Space, Room; Intermediate, Display, 17" LCD, Mobile Phone, Input Dev, Click Keyboard, Comms Channel, 802.11; Virtual, File, AES File, GUI Window, Data Object.]

2.1.2 Context and Container: The Transparency

Inherent to the notion of a container is its boundary, either physical or virtual. With respect to the container boundary we can divide the context into internal and external. To influence the internal context, effects implied by the external context have to cross the container boundary. For example, if it is daylight and a room has an outside window, then there is going to be daylight in the room as well; or if a person has physical access to a mobile device and the device is not tamper resistant, then physical access to the stored information is implicit.

Container transparency denotes the filtering characteristics that a container's boundary poses for different types of contextual effects crossing it. With respect to a specific contextual effect a container's boundary may be: opaque, in which case the effect does not cross the boundary and thus has no influence on the container's internal context; fully transparent, when the boundary poses no barrier for the effect; and partially transparent, when the boundary has a qualitative impact on the effect. Apart from being a function of the container's class and the contextual effect type, transparency is affected by the internal state of a container, e.g. the level to which the glass in a window is dimmed impacts the amount and the spectrum of daylight that enters the room, while the level of tamper resistance of a device determines the skill, determination and knowledge required to access the data stored within.

2.2 Containment: the Model of the World

We model the world, in graph theoretic terms, as finite-path-length, finite-degree, rooted trees in which nodes represent containers and directed edges represent containment. We call these trees Containment Trees. The finiteness of a containment tree is guaranteed by the bounding characteristics of containers in conjunction with the existence of the minimum granularity container, the data object. Containers of class data object are always leaf nodes of a tree. The notion of the Containment Tree is similar to the notion of the Information Tree in [6]. When we refer to containment with respect to a particular container we assume the sequence of containers from the containment tree root to the container.

2.2.1 Containment Expressions

Containment Expressions represent the syntax of Containment Trees and draw from Cardelli's work on the Ambient Calculus [6]. To present the syntax of containment expressions we break them down into atomic expressions and provide a graphical representation of the matching containment tree fragment. We also use the following conventions in any further reference to the expressions: lower-case Greek letters, e.g. α, are used to denote a particular container's class without any of its contents; capital letters from the standard English alphabet, e.g. P, are used to represent individual containment trees.

To start, absence of contents at any level is represented simply by 0. At the top level, on its own, 0 represents an empty world.

A tree with only a root node labeled α is written as the expression α.

A tree with a root node labeled α, leading to a subtree represented by P, is written as the expression α[P].

A forest consisting of two trees P and Q is written as the expression P|Q.

Multiple instances of the same tree P are written as the expression !P.

A tree obtained by joining two trees P and Q at the root α is written as the expression α[P|Q].

The containable relationship needs to be obeyed at each level in a containment tree for it to be well-structured.

Figure 2 represents a partial snapshot of a state of the world representing two containment trees. Double-circled nodes in the figure denote containers of the data object class.

[Figure 2. Partial snapshot of the Model of the World state. Labels recoverable from the figure: Location Service, Room, Mobile Phone (M.P.), Personal Digital Assistant (P.D.A.), Tabletop Personal Computer (T.PC), Storage Device, Display, GPRS, USB, Wi-Fi, Key, Encrypted File; legend: double circle = Data Object.]

To reflect dynamic changes in the configuration of the world we provide for updating the model through three operations: the enter operation causes a container, or a containment, to enter another containment; the leave operation is the converse; while the migrate operation binds the previous two in an atomic way and denotes a change of containment within a realm.

2.2.2 State of the World

Using the containment syntax the state of the world at any point in time can be represented as:

world ← world|world
world ← pspace
world ← intermediate
pspace ← pspace|pspace
pspace ← pspace[pspace]
pspace ← pspace[intermediate]
pspace ← 0
intermediate ← intermediate|intermediate
intermediate ← intermediate[intermediate]
intermediate ← intermediate[virtual]
intermediate ← 0
virtual ← virtual|virtual
virtual ← virtual[virtual]
virtual ← 0

where pspace, intermediate and virtual represent instances of the container classes physical, intermediate and virtual container, or any inheriting classes, respectively.

2.2.3 Path Expressions

To be able to reference a containment we use path expressions. A path can be defined as a sequence of containers linked by the contains relationship, written as →. A sequence α → β denotes that β is contained within α and that α is its immediate, first-level, container, i.e. its direct parent in the Containment Tree representation. Path expressions are specified using the following syntax:

element ← α
        | ?
path    ← element
        | path / element
        | path / ... / element

The matching set of a path expression is either an empty set or a set with one element, where:

• A trivial expression element α matches a container of class α or of a more specialized class.
• The expression element ? matches a container of any class.
• The expression e1/e2 matches α1 → α2 if e1 matches α1 and e2 matches α2.
• The expression e1/.../en matches α1 → ... → αn if e1 matches α1, en matches αn and all steps in between obey the previous rule.

The use of container classes in matching path elements, rather than unique container identifiers, is motivated in the next section.

2.3 Containment Realms and Authorities

Although we talk about modeling "the state of the world", we do not envisage a holistic containment-based picture of a ubiquitous system existing in a centralized fashion; such a requirement would in any case be infeasible considering the nature and inherent characteristics of the ubiquitous computing world. The model is devised to be established and maintained in a distributed and independent fashion, representing only small portions of what would be a true holistic "state of the world", posing no consistency issues and used locally by ubiquitous devices and infrastructural services.

A device or service that is resource capable of establishing and maintaining a portion of the model is called a model authority or simply an authority. A portion of the model maintained by a single authority is called a model realm or just a realm. In Figure 2 we can distinguish four realms enclosed in dash-lined squares and labeled with their respective authorities: the personal digital assistant (P.D.A.), the tabletop PC (T.PC), the mobile phone (M.P.) and the location service. The fact that the mobile phone is not a part of the location service's realm denotes that it is either not locatable by the particular technology employed or is out of its reach. Realm authorities are not necessarily represented as a node in the model, as is the case with the location service in the above example; this depends on whether they themselves represent a container class relevant for the model application.

The granularity of the model provided by an authority depends on its model establishment and maintenance capabilities. To model the full range of physical and virtual containers and maintain their state, an authority needs support and awareness at both the system and application layers. The former is required for device hardware and operating platform software container representation. The latter is needed for modeling the application level containers such as e.g. GUI windows, application level communications channel tunnels or file types. Thus, an authority's individual level of model support defines the minimum local quality and quantity of service for the model application.

2.4 Contextual Effect Propagation

The main application target of the model is acting upon analysis of the contextual effects experienced by a data object in an environment. For this we leverage container transparency as specified by the relevant container class. Thus, using container classes, and not unique container identifiers, to express containment paths (Section 2.2.3) facilitates specifying policies that match all data objects affected by a set of contextual effects, rather than having a policy rule on a per container instance basis causing unnecessary duplication. For example, the path /pda/storage_device matches both /pda/hard_drive and /pda/sd_card, where sd_card and hard_drive are specializations of storage_device and where it is the storage_device class that defines transparency for the particular contextual effect.

Reasoning about contextual effect propagation is not to be confused with the much more general notion of inter-container context dependencies. A context dependency can be described as a situation in which a contextual state within a container depends on the contextual state of another container. These dependencies may span containers in ways which cannot be expressed in the proposed containment-based model of the world. Resolving and acting upon context dependencies is seen as the job of context awareness mechanisms and techniques, and it precedes reasoning about the contextual effects as presented here.

A container's boundary transparency, as stated previously, can change based on the container's state, e.g. an open vs. a closed door of a room with respect to sound permeability. This enables us, by controlling the state of containers on the containment propagation path between the context occurrence and a data object, to affect the set and the degree of contextual effects experienced by the data object. Furthermore, the same can be accomplished by purposeful insertion of a new container on the path.

By exploiting container transparency, establishing context at any level in a containment tree allows us to determine its effects at any other level in the model. Consequently, the contextual effects a data object is exposed to in a particular context can be determined by identifying the set of effects implicit in the context and reasoning about their propagation across the boundaries of the containers comprising the data object's containment.

Figure 3 a) shows how the set of effects a container boundary is exposed to (Ψ) is affected by the boundary's transparency (Ψ_filtered) and combined with the set of effects originating from inside the container (λ_i) to give the set propagated down the containment tree (Ω); in set theoretic notation:

$$\Omega = \bigcup_{i=1..n} \lambda_i \;\cup\; \Psi_{filtered}$$

Figure 3 b) illustrates how a contextual effect is propagated down a data object's containment. The changing thickness and solidity of the arrows representing the contextual effect denote the effect of the container boundaries (horizontal lines).

[Figure 3. Contextual effect propagation. a) Propagation across a container boundary (labels: Context, State, Container Boundary, Ψ, Ψ_filtered, λ1,...,λn, Ω). b) Propagation down a containment (labels: Context Effect, Data Object).]

2.5 Other Modeling Approaches - Related Work

Spatial models have been a focus of research in several different areas of computer science such as mobility theory, ubiquitous computing [14, 1] and spatial databases [21]. The very idea of a container as a basis for the proposed model stems from Egenhofer's geo-information systems work on spatial reasoning algebras [10].

The theoretical foundations of mobility models have been laid by the work on the π-calculus [16], aimed at modeling distributed communications systems, and its variants such as the asynchronous, distributed or nomadic π-calculi that added new concepts such as migration, site failure, located channels, permissions etc. The approaches to structuring the world in mobility models range from flat, in Mobadtl [11], to hierarchical, as in the Join-Calculus [12] or the Ambient Calculus [5].

The presented model is significantly influenced by Cardelli's work on the Ambient Calculus for mobile ambients [6] and draws from the later specialization of the model by Scott et al. [20]. Both the notion of a mobile ambient and that of an entity, their nesting and migration, as used by Cardelli and Scott respectively, resemble the role of a container and containment. However, both the Ambient Calculus, in a more formal way and with more expressive power, and Scott's work deal with enforcing policies on migrations of mobile computations and mobile agents respectively.

The key difference is in the underlying philosophy. We model the world using passive entities, containers, that have no computational power whatsoever. Rather than being concerned about the legality of migrations, i.e. model updates, and control over them, we are interested in the way in which the represented entities passively affect the external forces imposed on them, i.e. contextual effects. We go further to analyse how compositions, i.e. nesting, of such entities and model reconfigurations affect contextual effect propagation. We depart from a binary, allow-deny, decision model to provide for a plethora of container and model operations to control the degree of contextual effect propagation.

Scott's approach, being more practical, is founded on the premises of a pervasive location service and the embedding of a notion of an owner in the entities, which both bear scalability issues. The proposed model, being inherently distributed in an independent fashion, poses no such issues. One of the consequences of this is support for variable levels of granularity at which different realms are maintained, which greatly aids model deployment in ubiquitous computing environments.

3 Model Application

The presented containment-based model of the world is suitable for a class of context-aware applications that satisfy the following two fundamental requirements: the world can be structured as a forest of containment trees based on container classes that have an explicit role in reasoning about an external set of forces, e.g. contextual effects; and those forces can be explicitly identified, e.g. application-specific effects implicit in context. Model flexibility allows for its application in a wide variety of settings.

We briefly present our application of the model in an Autonomic System for Context-Adaptive Information Security and Privacy Protection.

3.1 Motivation

The ubiquitous computing vision [25] has brought about a number of challenges for the security and privacy of information, stemming from a number of technological and socio-technological reasons [24]. Some of the problems can be solved by adapting existing solutions from traditional distributed systems while the others need novel solutions. Examples of the latter would be secure device associations [23], location limited channels for authentication [3] or methods addressing specific usability issues [22].

The availability of contextual information plays an important part in reasoning about information security and privacy in the face of frequent and unpredictable context changes, as inherent in the ubiquitous computing world. In more traditional environments, characterized by the existence of a secure perimeter and its implications together with the limited means of information access and usage, contextual factors, being predictable, are reasoned about implicitly and built into static security policies. For adequate information security and privacy protection in ubiquitous computing we need explicit reasoning about the context; this is especially true for authorization and access control mechanisms [8] and for the development of more dynamic, context-adaptive, security policies [18].

In our work on context-adaptive security, presented in detail in a companion publication [9], we address a subset of information leakage threats particularly exacerbated in ubiquitous computing scenarios that we call information exposure threats. Their distinguishing characteristic is that they do not involve a malicious custodian¹. Information exposure threats represent information leakage into the environment as a side-effect of the information management and handling procedures deployed in a particular context. They stem from a mismatch between: information sensitivity; the context surrounding the information, which determines the threat model; and the particular information management procedure employed, which grants a level of protection in the context. Simple instances of the threat class involve sensitive information being: displayed in a form and on a screen visually accessible by a third party [?] [?]; taken out of a secure perimeter on a mobile computing or storage device without accounting for the shift in threat model; transmitted in plain-text over a corporate wireless link whose signal penetrates into a publicly accessible area, etc.

¹ A person in legitimate possession of, or with legitimate access to, information as determined by external authentication and authorization mechanisms.

Expecting users to reason about and act upon security issues of such complexity is highly unrealistic and contrary to the vision of the "disappearing computer". Thus, we develop an autonomic system for context-adaptive information security and privacy protection founded on the previously presented containment-based model of the world. The main goal of the system is to provide maximum information availability for the information custodian while protecting its security and privacy according to the perceived threat level implied by the current context at any point in time.

3.2 Levels of Exposure

An information exposure threat has two main characteristics: type and degree. The former determines the nature of a threat while the latter denotes the actual risk or the likelihood of the particular threat materializing in the given context. The notion of information exposure, as we define it, assumes information access. For illustrative purposes only, we can typify information exposure threats according to the nature of the information access implied as: physical, visual, audio and network access. Thus, for example, we could say that an information exposure threat described in natural language as "mobile device outside secure perimeter" implies a risk of physical access to information stored on the device due to the increased likelihood of device abduction.

Unlike the usual binary, nothing or all, decision model of authorization policies, we strive to provide maximum information availability while adequately protecting its security and privacy. The perceived or estimated degree of an information exposure threat plays an important role in this process. While the mere presence or absence of a threat would force the employment of a binary protective action, such as e.g. information destruction, i.e. deletion, in the presence of a threat, the degree allows for a choice of matching actions which balance information availability with its exposure. For example, considering the following three contexts: "inside a secure perimeter", "outside a secure perimeter" and "outside secure perimeter and owner away", we could establish the respective degrees of physical access to information stored on a mobile device as: low, medium and high. This enables us to perform, for example, the following protective actions: none, i.e. retain the information in its current form; encrypt the information; and erase the information, respectively. Similar considerations would apply for a piece of sensitive information displayed on a public screen exposed to threats described as: "inside a secure perimeter" and "a third person present", or "outside a secure perimeter". To mitigate these threats the GUI window hosting the information representation could be shrunk or migrated to an available mobile phone's display, lowering the observability of the information.

Levels of Exposure (LoEs) are introduced to quantify the degree or likelihood of information exposure due to a specific threat or collection of threats present in a context, and are used to discriminate between the appropriate protective actions to be applied, as hinted at above. As information of different sensitivity classes is expected to have different handling policies in the face of information exposure threats, we specify LoE models on a per information sensitivity class basis. The granularity of a LoE model for a sensitivity class depends directly on the context capturing capabilities of the policy enforcement device and on the range of available protective actions. Individual LoE models can take any form from independent points in the threat-action space to structures like hierarchies or lattices.

3.3 The Role of the Containment Model

Information exposure threats are, as outlined previously, implicit in the context. We classify containers according to their primary functionality, e.g. a display, a keyboard or a storage device, but choose the classes to be represented based on their distinctive transparency characteristics. The transparency of each container class' boundary is defined in terms of threat types, e.g. physical, visual, audio or network access, and its impact on the threat degree.

For example, consider a piece of information classified as SECRET within the containment specified by the path expression /pda/hard_drive/encrypted_file and a threat described as "outside secure perimeter", characterized by the types physical, visual and audio access and a degree of 8 out of 10. The LoE establishment for the relevant data object would proceed as follows: the container class hard_drive is opaque for threats of visual and audio access but fully transparent for threats of the type physical access, therefore only the physical access threat of degree 8 is propagated further down the containment tree; the container class encrypted_file is partially transparent for the threat and reduces its degree by 40%, the reasoning being that it is much easier to access information stored as plain-text than in an encrypted fashion, provided that the encryption key is secure; the resulting threat that the data object is exposed to is of type physical access with a degree of 4.8; considering that the information is classified as SECRET, the degree may imply the LoE defined as HIGH, which requires information destruction; in other words, the information is not allowed to leave the secure perimeter. For another data object classified as CONFIDENTIAL the same threat type and degree might have implied a LoE of LOW, thereby denoting that information of that classification level may leave the secure perimeter stored on the hard drive if encrypted. Although simplistic, the example illustrates the containment-based reasoning about context-implied information security and privacy threats.

3.4 Protective Actions

From the point of view of information security and privacy protection the goal of the system is to maintain the lowest LoE for all data objects in all contexts, what we call the state of homeostasis. This is accomplished by two sets of protective actions: containment manipulation and information reduction. Containment modification actions are aimed at blocking threats before they reach the data objects in question by exploiting container transparency characteristics. Containment modification actions consist of: insertion of a new container somewhere on the threat's propagation path, e.g. file encryption, SSL tunneling; state alteration of a container already on the path, e.g. GUI window shrinking, or migration of a data object to a different containment. Information reduction [13, 2] actions are aimed at reducing information content so as to lower its sensitivity classification and thus the LoE.

A ubiquitous device's context sensing capabilities, including user profiling, i.e. context information solicitation, and the containment-model granularity supported by the platform determine the granularity of the protective actions that may be applied, ranging from the binary, all or nothing, decision model to fine-grained container manipulation and information reduction techniques. Our system for autonomic context-adaptive security [9] thus forms a specific set of policies, based on finite state automata with tautness functions [4], for each of the enforcement devices according to their platform profiles, to maximize information availability while enforcing appropriate information protection with respect to the perceived information exposure threats.

4 Discussion and Conclusion

4.1 Discussion

Scalability. The main factor concerning model scalability is the possible size of the container classification hierarchy. The individual container classes to be represented are chosen based on their distinguishing transparency characteristics for the model application-relevant set of contextual effects. Thus, compared to the envisaged software and hardware heterogeneity in the ubiquitous world, we expect the size of the classification to remain manageable. For example, considering the presented model application, we can divide all available storage devices into: fixed and removable, denoting the level of control available over stored data at all times; and tamper-resistant and otherwise, denoting the ease of physical access to the stored information.

The size of the model at every individual authority will, in line with the container classification granularity, depend on the container classes supported by the authority as determined by its hardware and software configuration. The representation of the model at an authority may range, application-specifically, from implicit, in cases where the model is used only in an abstract way, e.g. to form policies, and there is no actual data structure representing the model, to explicit, in cases where the containment configuration is needed at run-time for reasoning about contextual effects or otherwise. Formal methods may be used to approximate individual containers into larger ones, maintaining model correctness while reducing its overall size.

Complexity. The complexities involved in model maintenance and use are highly application specific. Although the model maintenance overheads depend on the chosen representation, judging by its structure and the nature of the update operations we expect them to be close to trivial. The complexities involved in model use may vary from, again, trivial, where the model is used just for querying the environment configuration at a point in time, to substantially more significant in cases where an explicit contextual effect reasoning process is performed on the model.

4.2 Conclusion

In this work we have presented a model that provides a unified representation of space, joining the physical and virtual realms, based on the notions of a container and containment. We leverage the inherent characteristics of a container, and its class, to model contextual effect propagation across its boundary. Together, these two pieces of work facilitate reasoning about, and provide a means of localized reaction to, the quality and quantity of contextual effects as experienced by a target entity in a dynamically reconfigurable environment. The model allows for independent and distributed maintenance at granularities matching the available resources and capabilities of the devices it is deployed on. This provides minimum level of service guarantees to the model applications, making it particularly attractive for ubiquitous computing environments. To demonstrate its effectiveness we have briefly presented the use of the model in a system for autonomic, context-adaptive, and fine-grained information security protection.

References

[1] N. Adly, P. Steggles, and A. Harter. Spirit: a resource database for mobile users. In Proceedings of The ACM CHI'97 Workshop on Ubiquitous Computing, 1997.
[2] D. E. Bakken, R. Parameswaran, D. M. Blough, A. A. Franz, and T. J. Palmer. Data obfuscation: Anonymity and desensitization of usable data sets. IEEE Security and Privacy, 2(6):34–41, November/December 2004.
[3] D. Balfanz, D. K. Smetters, P. Stewart, and H. C. Wong. Talking to strangers: Authentication in ad-hoc wireless networks. In Proceedings of the Network and Distributed System Security Symposium, 2002.
[4] J. Baliosian and J. Serrat. Finite state transducers for policy evaluation and conflict resolution. In IEEE 5th International Workshop on Policies for Distributed Systems and Networks, 2004.
[5] L. Cardelli. Semistructured computation. In 7th International Workshop on Database Programming Languages: Research Issues in Structured and Semistructured Database Programming, September 1999.
[6] L. Cardelli and A. D. Gordon. Mobile ambients. In
… IEEE Conference on Pervasive Computing and Communications Workshops, 2004.
[18] G. K. Mostéfaoui and P. Brézillon. Modeling context-based security policies with contextual graphs. In Workshop on Context Modeling and Reasoning, 2004.
[19] G. K. Mostéfaoui and J. Pasquier-Rocha. Context-aware computing: A guide for the pervasive computing community. In The IEEE/ACS International Conference on Pervasive Services (ICPS'04), July 2004.
[20] D. Scott, A. Beresford, and A. Mycroft. Spatial security policies for mobile agents in a sentient computing environment. In Proceedings of The FASE 2003, 2003.
[21] S. Shekhar, S. Chawla, S. Ravada, S. Fetterer, and C. Liu.
Spatial databases: Accomplishments and re- Proceedings of The FOSSACS ’98, 1998. search needs. IEEE Trans on Knowledge and Data [7] D. Chalmers. Contextual Mediation to Support Ubiq- Engineering, 11(1):45–55, 1999. uitous Computing. PhD thesis, Department of Com- [22] F. Stajano. One user, many hats; and, sometimes, no puting, Imperial College London, 2002. hat?towards a secure yet usable pda. In Proceedings [8] M. J. Covington, W. Long, S. Srinivasan, A. K. Dev, of Security Protocols Workshop, 2004. M. Ahmad, and G. Abowd. Securing context-aware [23] F. Stajano and R. Anderson. The resurrecting duck- applications using environmental roles. In Proceed- ling: Security issues for ubiquitous computing. IEEE ings of the 6th ACM symposium on Access Controls Computer Supplement on Security and Privacy, pages models and technologies, pages 10–20, 2001. 22–26, April 2002. [9] B. Dragovic, J., P. Vidales, and J. Crowcroft. Auto- [24] F. Stajano and J. Crowcroft. The Butt of the Ice- nomic system for context adaptive security in ubiqui- berg: Hidden Security Problem of Ubiquitous System. tous computing environments. Submitted for publica- Kluwer, 2003. tion at ESORICS 2005. [25] M. Weiser. The computer for the 21st century. Scien- [10] M. Egenhofer and A. Rodr?guez. Relation algebras tific American, 265(3):94–104, September 1991. over containers and surfaces: An ontological study of a room space. Spatial Cognition and Computation, 1(2):155–180, 1999. [11] G. Ferrari, C. Montagnero, L. Semini, and S. Sem- prini. The mobadtl model and method to design net- work aware applications. Technical report, Computer Science Dept., University of Pisa, 2003. [12] C. Fournet and G. Gonthier. The reflexive chemi- cal abstract machine and the join-calculus. In 23rd ACM Symposium on Principles of Programming Lan- guages, 1996. [13] A. Heuer and A. Lubinski. Data reduction - an adap- tation technique for mobile environments. In Inter- active Apllications of Mobile Computing (IMC’98), 1998. 
[14] J. Hightower, B. Brumitt, and G. Borriello. The loca- tion stack: A layered model for location in ubiquitous computing. In 4th Intl. Workshop on Mobile Comput- ing Systems and Applications (WMCSA 2002), 2002. [15] IBM. Autonomic computing manifesto. WWW, Oc- tober 2001. [16] R. Milner. Communicating and Mobile Systems: The Pi Calculus. Cambridge University Press, 1999. [17] G. K. Mostefaoui and P. Brezillon. Context-based se- curity policies: A new modeling approach. In 2nd
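Worked example for the containment-based threat reasoning of Section 3.3 and the protective actions of Section 3.4 (an added illustration in Python, not the authors' system or any code from the paper). A data object's exposure is computed by walking outward through its enclosing containers: a threat present in a context reaches the object only after crossing every intervening boundary, each of which attenuates it according to the container class's transparency for that threat type. The LoE is then taken as sensitivity times the worst effective threat degree, and a greedy planner applies containment modification (insert an encrypting container, shrink a window) and information reduction until a target LoE is met. The container classes, transparency coefficients, threat degrees, sensitivity scale, LoE formula and the greedy planner (a stand-in for the policy automata of [9]) are all assumptions made for the example:

```python
# Added example, not the authors' code: a toy containment model in which threats in a
# context propagate inward across container boundaries, attenuated by each boundary's
# per-threat transparency.  Every class, coefficient and formula here is an assumption.
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Optional

class Threat(Enum):
    PHYSICAL = "physical"
    VISUAL = "visual"
    AUDIO = "audio"
    NETWORK = "network"

@dataclass(frozen=True)
class ContainerClass:  # a class is characterised by its boundary transparency
    name: str
    transparency: Dict[Threat, float]  # 1.0 crosses unattenuated; 0.0/absent blocked

@dataclass
class Container:
    name: str
    cls: ContainerClass
    parent: Optional["Container"] = None
    threats: Dict[Threat, float] = field(default_factory=dict)  # the context inside
    scale: float = 1.0  # mutable state, e.g. GUI window size; scales visual leakage

    def passes(self, t: Threat) -> float:
        f = self.cls.transparency.get(t, 0.0)
        return f * self.scale if t is Threat.VISUAL else f

@dataclass
class DataObject:
    sensitivity: int  # assumed scale: 0 public ... 3 secret
    container: Container

def exposure(obj: DataObject) -> Dict[Threat, float]:
    """Effective threat degrees at the object: attenuated by every boundary crossed."""
    chain: List[Container] = []
    c: Optional[Container] = obj.container
    while c is not None:
        chain.append(c)
        c = c.parent
    result = {t: 0.0 for t in Threat}
    for depth, src in enumerate(chain):
        for t, degree in src.threats.items():
            eff = degree
            for boundary in chain[:depth]:  # containers between src and the object
                eff *= boundary.passes(t)
            result[t] = max(result[t], eff)
    return result

def loe(obj: DataObject) -> float:
    """Level of Exposure: sensitivity weighted by the worst effective threat."""
    return obj.sensitivity * max(exposure(obj).values())
# Protective actions: each applies immediately and returns an undo closure.
def insert_container(obj: DataObject, cls: ContainerClass) -> Callable[[], None]:
    # Containment modification: a new container (e.g. file encryption) on the path.
    old = obj.container
    obj.container = Container(f"{cls.name}({old.name})", cls, parent=old)
    return lambda: setattr(obj, "container", old)
def alter_state(c: Container, scale: float) -> Callable[[], None]:
    # Containment modification: change the state of a container already on the path.
    old, c.scale = c.scale, scale
    return lambda: setattr(c, "scale", old)
def reduce_information(obj: DataObject, sensitivity: int) -> Callable[[], None]:
    # Information reduction: desensitise content so its sensitivity class drops.
    old, obj.sensitivity = obj.sensitivity, sensitivity
    return lambda: setattr(obj, "sensitivity", old)

def homeostasis(obj: DataObject, candidates, target: float) -> List[int]:
    """Apply policy-ordered actions until LoE <= target; keep only those that lower it."""
    kept: List[int] = []
    for i, act in enumerate(candidates):
        if loe(obj) <= target:
            break
        before, undo = loe(obj), act()
        if loe(obj) < before:
            kept.append(i)
        else:
            undo()  # no gain, so do not sacrifice availability for nothing
    return kept

LAPTOP = ContainerClass("laptop", {Threat.PHYSICAL: 0.7, Threat.VISUAL: 0.9, Threat.NETWORK: 1.0})
REMOVABLE = ContainerClass("removable_storage", {Threat.PHYSICAL: 1.0})
ENCRYPTED = ContainerClass("encrypted_file", {Threat.PHYSICAL: 0.05, Threat.NETWORK: 0.05})
WINDOW = ContainerClass("gui_window", {Threat.VISUAL: 1.0})

def build_scenario():
    # Constructed context: laptop in a cafe (onlookers, open WLAN, theft risk) holding a
    # secret report on a USB stick and displaying a copy of it in an editor window.
    cafe = Container("cafe", ContainerClass("room", {}),
                     threats={Threat.VISUAL: 0.8, Threat.NETWORK: 0.9, Threat.PHYSICAL: 0.6})
    laptop = Container("laptop", LAPTOP, parent=cafe)
    usb = Container("usb_stick", REMOVABLE, parent=laptop)
    window = Container("editor_window", WINDOW, parent=laptop)
    return DataObject(3, usb), DataObject(3, window), window

if __name__ == "__main__":
    stored, shown, window = build_scenario()
    homeostasis(stored, [lambda: insert_container(stored, ENCRYPTED)], 0.1)
    homeostasis(shown, [lambda: alter_state(window, 0.3), lambda: reduce_information(shown, 1)], 0.7)
    print(loe(stored), loe(shown), stored.container.name, shown.sensitivity)
```

In the constructed context the stored copy is exposed only physically (0.6 theft risk, attenuated to 0.42 by the laptop boundary, so LoE 1.26), while the displayed copy is exposed visually (0.72, LoE 2.16); the USB stick blocks the network threat entirely. Wrapping the stored copy in the encrypting container cuts its LoE to 0.063, shrinking the window alone brings the displayed copy under the 0.7 target so the planner stops before applying information reduction, and a candidate that does not change the object's LoE (shrinking a window the stored copy is not behind) is undone. Under a stricter target the planner goes on to lower the sensitivity class as well.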