1. What are the contributions of the paper?
- This paper introduces an access-control algorithm that avoids privacy violations caused by context-sensitive services. (main contribution)
- The concept of access-rights graphs is introduced; these graphs nicely represent the conditions under which access should be granted. The algorithm to build and resolve an access-rights graph is also presented.
- A hidden-constraint algorithm is proposed to avoid information leaks by keeping the constraint specification secret.
- A distributed, context-sensitive access-control architecture that avoids privacy violations is proposed. The implementation and evaluation of this architecture show the feasibility of the proposed access-control algorithm.
-----------------------------------------------------------------------------------------------------------------------------------------------------------
2. What is the quality of the presentation?
The authors have carefully introduced and defined the terms used in the algorithm. Real scenarios are used, which greatly helps the audience understand the algorithm. The presentation is solid.
-----------------------------------------------------------------------------------------------------------------------------------------------------------
3. What are the strengths of the paper?
- This paper addresses one of the hot topics among today's security issues, privacy.
- This paper not only provides enough details for the audience to understand the algorithm, it also gives a concrete implementation and evaluation.
- Interested readers can find extra relevant details in an extended version of the paper.
------------------------------------------------------------------------------------------------------------------------------------------------------------
4. What are its weaknesses?
- Why does the title mention context in general? The scenarios in this paper only give examples of location information leaks.
A scenario which illustrates another type of information leak would be nice.
- The lack of discussion about the case of a conflict graph.
------------------------------------------------------------------------------------------------------------------------------------------------------------
5. What is some possible future work?
- Consider the order of the constraints. This could save time when resolving the access-rights graph. For example, among three constraints, "is in the building", "has a university degree" and "is a millionaire", resolving the node "is a millionaire" first would save time in most cases.
- Look into the case where multiple access rights are correlated. For example, if a client has multiple access rights which are related, they could be combined to prune the graph that needs to be resolved.
- Look into the time issue. What if, when there are hundreds of constraints, some of the constraints have a limited lifetime, but the algorithm takes longer than that lifetime to run? Does this mean the client can never use the service?
=============================================================================
What are the contributions of the paper?
Presented a systematic investigation of information leaks for context-sensitive services. Introduced algorithms for building and resolving access-rights graphs. Proposed hidden constraints, which make it possible to implement more flexible constraints by keeping constraints secret. Presented a distributed, certificate-based access-control architecture that exploits these algorithms in order to provide context-sensitive services that do not leak confidential information.
What is the quality of the presentation?
High.
What are the strengths of the paper?
It introduced access-rights graphs and hidden constraints, and presented an architecture which implemented the access-control algorithm. It prevents privacy violations according to the performance analysis.
The strength of the paper is that it gives a systematic investigation and presents an effective solution.
What are its weaknesses?
What is some possible future work?
To deploy the access-control infrastructure in additional services in order to investigate what kinds of access rights, and constraints on them, users define.
=============================================================================
What are the contributions of the paper?
Firstly, previous related works did not pay enough attention to the information leak problem caused by context-sensitive services, for both the entity who issues the access right and the entity who wants to get the access right. However, this paper systematically explains what an information leak is and how important it is by giving lots of concrete examples. Secondly, aiming at the question of information leaks, a useful tool, the access-rights graph, is first defined and then used to make a context-sensitive access decision. Hidden constraints are also introduced and help to allow for some flexible access control. In addition, the paper presents a client-based access-control model and a context-sensitive access-control architecture to avoid leaking confidential information. Finally, the implementation result demonstrates its feasibility.
What is the quality of the presentation?
The presentation of this paper is good. The organization of the paper is very clear, which makes the motivation and the main focus of this paper easy to follow. There are many complicated yet similar concepts like primary service, constraint service, etc. However, with the help of lots of explanations and examples, these concepts are finally easy to understand. Later, based on these concepts, the paper presents access-rights graphs and then an access-control architecture to solve the issue addressed before. The paper presents the simulation results of different cases to support the algorithms, but the simulation results are not well explained. The English is very good.
There are many figures presented in the paper to illustrate what the author wants to express, which makes the central ideas easy to understand.
What are the strengths of the paper?
Firstly, the topic is very practical and relevant to current security issues. Particularly for pervasive computing, privacy issues are imperative to solve. Secondly, the author solves the problem of information leaks caused by context-sensitive constraints, whereas no related work before touched this problem. Thirdly, the paper presents access-rights graphs, which can capture relationships between access rights and the constraints on them, and allow for easy detection of potential problems: information leaks, loops and conflicting constraints. Thus using graphs to present problems can make the questions more straightforward to solve. Finally, a client-based access-control architecture is presented, which can support access rights with context-sensitive constraints, so it can avoid information leaks.
What are its weaknesses?
The paper spends lots of words on the background, concepts and analytical models, but when it comes to the solution part (Section 5, Hidden Constraints and Architecture), it is hard to understand because there are no concrete real-world examples and these parts are not discussed in detail. In my opinion, it would be better to use a flow chart instead of programming code in Figure 4.
=============================================================================
The paper investigates possible information leaks caused by context-sensitive services and provides novel algorithms, access-rights graphs and hidden constraints, to solve such problems effectively. The paper is well structured and provides a lot of examples and figures to help readers understand their terminology and ideas. The strength of the paper is that their solution supports hiding constraints from a service in the client-based access-control model, which avoids a major source of information leaks.
However, the solution cannot support hiding constraints from the client, though that could sometimes be a desirable feature. For example, I allow my friend's friend to use my laptop if my laptop is locked on the desk, but I do not want him to know that I do not completely trust him. Therefore, I may intend to hide the constraint from him. Another problem could be that the paper suggests not storing access rights in a publicly accessible database, but does not suggest a way to spread access rights efficiently. If I want people to access my blog when I am at home, and I want my blog to be as popular as possible, how can I spread the access right quickly? Possible future work could be to solve the above two problems and to investigate the usability of the model.
=============================================================================
The paper highlights the current problems with context-sensitive services and offers solutions as to how to solve them. Specifically, the paper shows that the current method in which most context-sensitive services are implemented often allows the various entities involved in the system to gain information about the other entities that they may not be authorized to view. The paper then goes on to describe a practical solution to this problem by hiding the specifics of communications within the system from all but the entities that are required to see them. The solution offered does indeed seem to be practical, and there are test results to prove it. The paper also offers a method for determining when access to services should be granted through the use of access-rights graphs. Overall, this paper was able to demonstrate a problem in current context-sensitive services and offer a feasible solution.
The overall quality of the presentation was quite good. The paper was laid out well, and the sections flowed in a logical order, with each previous section providing the necessary background information to understand later sections.
The use of flow charts also helped the presentation of the topic and illustrated the system being described well. The inclusion of tools such as access-rights graphs and possible code for generating them also helps the reader visualize the system better.
There were several main strengths to this paper. First, there was very good use of examples in the opening sections, which helped to clearly define exactly what a privacy violation in a context-sensitive service is. Further, the opening sections defined all the terms and concepts (such as what constitutes an information leak and what access rights are) extremely well, which made reading the rest of the paper much easier. As was stated before, the use of flow diagrams and the access-rights graphs also helped to describe the system accurately. Finally, the existence of an optional extended version of the paper, which is referenced several times, is also an excellent feature of this paper, since it gives readers searching for more detailed information a place to look.
The only main weakness of this paper was the lack of many practical examples after the opening sections. Though examples aren't necessary for the understanding of this paper, their use in several of the sections (such as when describing client-based access control) would have made it much easier for readers who are not necessarily familiar with context-sensitive services to gain a concrete foundation in the area. This one weakness may, in fact, already be addressed in the extended version of the paper.
The main area where future work could be done in the area of avoiding privacy violations in context-sensitive services would probably be further optimizing the ideas that have been expressed in this paper. Caching the decrypted ciphertexts did seem to improve the performance of the system, and investigation into further optimizations definitely seems warranted.
=============================================================================
> CONTRIBUTIONS
The authors investigate privacy violations caused by context-sensitive services. They propose an access-control algorithm which builds and resolves a conflict-free access-rights graph. This algorithm is then used in a distributed certificate-based access-control architecture also developed by the authors. A new concept called "hidden constraints" is introduced which allows this architecture to avoid information leaks by keeping constraint specs secret. Details of a Java-based implementation of this architecture and an evaluation of its performance on a Linux box complete the paper.
> QUALITY
The paper is clear and concise. The authors have made good use of diagrams to explain concepts such as client-based access control, which would otherwise have probably made for some very tedious reading. They also outline their contributions in the introduction, making writing this review for a grad course easier :p.
> STRENGTHS
The paper is a complete package -- it recognises a problem, analyses it, proposes a solution and then demonstrates the feasibility of this solution. The brief review of related work in section 8 shows that other work in this field has largely ignored the problem of information leaks caused by context-sensitive constraints. As such, the authors have addressed an open problem. The concept of "hidden constraints" is cool.
> WEAKNESSES
The pseudocode algorithm might have been spaced out a bit more to make it easier to read, but I guess that's just a question of coding style. Another point I'm not too sure about but will mention anyway is the test setup. The hardware selected is realistic and typical of the desktops and laptops used by most people, but what about handheld devices such as those described in the introduction? If the access-control algorithm is to run on the client, how would it perform on a mobile device such as a smart phone?
I imagine wireless connectivity would also slow things down a bit.
> FUTURE WORK
The authors propose trying their solution out on other services, so that takes care of the first point I would make. The only other thing I can think of is running the architecture on a handheld device such as a smart phone. If it's built entirely in Java, I imagine this shouldn't be too hard.
=============================================================================
1. Contributions:
This paper addresses the privacy challenges that may arise when using context-sensitive services. After generally illustrating possible privacy violations through some examples, it tries to further specify the problem. To do this the authors introduce a "system model" consisting of:
-- "Access Right": Consists of four parts: issuer, subject, information and a tuple of constraints.
-- "Constraint": Consists of information and a set of permitted values.
-- "Client-Based Access Control": In which the client proves that it is authorized to the 'primary service'. The proof contains the access right to the information and assurances for the constraints in the access right.
-- "Security Model": In the proposed security model the goal of an attacker is to access confidential information for which he/she is not authorized.
Next the authors define "information leak" as a state in which one or more entities use the constraint specification in an access right and the outcome of a request to infer information that they are not authorized to have. Knowing this, the authors conclude that in simple client-based access control it is possible for the primary service or for the issuer to exploit an information leak. To further clarify the problem, the "restricted constraint" concept is introduced, so that a client can decide whether to grant access to the constraint information or not. As a formal way of resolving access control and detecting conflicts and information leaks, the "Access Rights Graph" model is proposed.
In each graph that is built for a particular piece of information, each node represents information and each outgoing edge from a node represents a constraint. Based on this model, a "conflict-free" graph is defined, and traversing this graph to ensure that all constraints are satisfied is called "resolving." Another contribution of the paper is the introduction of a concept named "Hidden Constraints." Since access rights and assurances are implemented as certificates, it is possible to design access rights in a way that makes it impossible for the primary service to become aware of the constraints. The authors provide sufficient details to achieve this purpose using public/private key signatures. After that, the authors describe their proposed architecture for distributed client-based access control and present performance results for it.
2. Presentation:
The choice of sections and subsections of the paper has been made intelligently. This neat layout is very helpful for the presentation of the idea; however, consider the following sample statement from the paper: "if an entity has a constrained access right to constraint information, the entity's access rights to the constraint information in that access right are not constrained." Understanding such a sentence requires reading it a few times! Much of the text of the paper is very similar to this sentence. It would be very helpful if the authors kept giving examples in all the sections of the paper, as in the introduction. It also seems that using more figures and illustrations could have been helpful. Apparently the authors have been struggling with page limitations, and it seems that the "limitation" has defeated them.
3. Strengths
The most glowing feature of this paper is its neat and clear modeling. The authors have successfully tackled a vague and undefined problem through elegant system and attack models. The second important property of the paper is its neat structure (i.e. sections, subsections, etc.). Other good aspects are: including results from a real-world implementation (vs. simulation) and giving a relatively complete solution (vs. the many partial and vague solutions in the research literature).
4. Weaknesses
As a research paper, the authors could have benefited from more concise language or mathematics. For example, they could have replaced two or three paragraphs of explanation with a few lines of mathematical proof. In this way they could have used the available space for a few examples. The authors could have used the pseudocode for the access-control algorithm for a formal proof. But the pseudocode has only been put there for further information and has only been referenced once.
5. Possible Future Work
As the authors claim to have a complete solution (and they do), there is not much space left for future work. Especially the existence of reference number 10 is very interesting. It is a document in which most of the possible extensions and questions have been explained and answered. To make the work more concrete, it is possible to implement the ideas of the paper in other existing UbiComp systems and test different aspects of it in the real world.
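The system model summarised in the last review (an access right is issuer, subject, information and a tuple of constraints; a constraint is information plus a set of permitted values; in the access-rights graph each node is information and each outgoing edge a constraint; a "conflict-free" graph is checked and then "resolved") is concrete enough to sketch in code. The Python below is an illustration added to this page, not the paper's algorithm, pseudocode or Java implementation. It builds the graph for one (subject, information) pair from a constructed set of access rights and resolves it against a snapshot of current context values, reporting a loop when constraint information transitively depends on the information being requested. Two readings are assumptions made here: that a client needs its own access right to each piece of constraint information before it can obtain an assurance for it (which is what turns a list of constraints into a graph), and that "conflicting constraints" means two constraints on the same information whose permitted sets are disjoint. Every name, right and context value in `demo()` is made up for the example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Constraint:
    information: str           # constraint information, e.g. "location(bob)"
    permitted: FrozenSet[str]  # values under which access is allowed


@dataclass(frozen=True)
class AccessRight:
    issuer: str
    subject: str
    information: str
    constraints: Tuple[Constraint, ...] = ()


class AccessRightsGraph:
    """Node = information item; edge = a constraint on the subject's right to it.
    Toy reading of the paper's model, written for this page; not the paper's code."""

    def __init__(self, rights: List[AccessRight]):
        self.rights = {(r.subject, r.information): r for r in rights}

    def build(self, subject: str, information: str) -> dict:
        # node -> list of constraints, or None when the subject holds no right.
        # Assumes the subject needs its own right to each piece of constraint
        # information before it can obtain an assurance for it, so those nodes
        # (and their constraints) are pulled into the graph as well.
        graph = {}
        todo = [information]
        while todo:
            node = todo.pop()
            if node in graph:
                continue
            right = self.rights.get((subject, node))
            graph[node] = list(right.constraints) if right else None
            todo.extend(c.information for c in graph[node] or [])
        return graph

    @staticmethod
    def conflicts(graph: dict) -> List[Tuple[str, FrozenSet[str], FrozenSet[str]]]:
        # Two constraints on the same information with disjoint permitted sets can
        # never both hold (assumed definition of "conflicting constraints").
        seen: Dict[str, List[Constraint]] = {}
        found = []
        for constraints in graph.values():
            for c in constraints or []:
                for earlier in seen.get(c.information, []):
                    if not (earlier.permitted & c.permitted):
                        found.append((c.information, earlier.permitted, c.permitted))
                seen.setdefault(c.information, []).append(c)
        return found

    def resolve(self, subject: str, information: str, context: Dict[str, str]) -> str:
        """GRANTED / DENIED / NO_RIGHT / LOOP / CONFLICT for one context snapshot
        (constraint information -> its current value)."""
        graph = self.build(subject, information)
        if self.conflicts(graph):
            return "CONFLICT"
        state: Dict[str, str] = {}  # node -> "visiting" | "ok"

        def visit(node: str) -> str:
            if state.get(node) == "visiting":
                return "LOOP"  # back edge: A is conditioned on B and B on A
            if state.get(node) == "ok":
                return "ok"
            if graph[node] is None:
                return "NO_RIGHT"
            state[node] = "visiting"
            for c in graph[node]:
                status = visit(c.information)  # may the subject see this at all?
                if status != "ok":
                    return status
                if context.get(c.information) not in c.permitted:
                    return "DENIED"
            state[node] = "ok"
            return "ok"

        status = visit(information)
        return "GRANTED" if status == "ok" else status


def demo() -> Dict[str, str]:
    """Constructed rights for subject 'carol' (sample data, not from the paper)."""
    def con(info, *vals): return Constraint(info, frozenset(vals))
    def right(info, *cons): return AccessRight("bob", "carol", info, cons)
    plain = AccessRightsGraph([right("calendar(bob)", con("location(bob)", "office")),
                               right("location(bob)", con("time", "day")), right("time")])
    loop = AccessRightsGraph([right("calendar(bob)", con("location(bob)", "office")),
                              right("location(bob)", con("calendar(bob)", "meeting"))])
    clash = AccessRightsGraph([right("calendar(bob)", con("location(bob)", "office"), con("activity(bob)", "working")),
                               right("activity(bob)", con("location(bob)", "home")), right("location(bob)")])
    ctx = {"location(bob)": "office", "time": "day", "activity(bob)": "working"}
    return {
        "in_office_by_day": plain.resolve("carol", "calendar(bob)", ctx),
        "at_home": plain.resolve("carol", "calendar(bob)", {**ctx, "location(bob)": "home"}),
        "no_right": plain.resolve("carol", "wallet(bob)", ctx),
        "loop": loop.resolve("carol", "calendar(bob)", ctx),       # location <-> calendar
        "conflict": clash.resolve("carol", "calendar(bob)", ctx),  # "office" vs "home"
    }
```

Calling `demo()` returns the outcome for each scenario. Checking for conflicts over the whole graph before resolving is what a "conflict-free" graph buys: once the check passes, the depth-first resolution never has to backtrack, and the first unsatisfied constraint can stop it. The first reviewer's suggestion about ordering constraints maps onto the loop in `visit`: sorting `graph[node]` by expected cost or selectivity before iterating would make the cheap, rarely satisfied checks fail first.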