
ARCHITECTURE AND PROTOCOL FOR AUTHORIZED TRANSIENT CONTROL

2. Analysis and Approach

The term “authorized transient control” is meant to describe an aspect of how entities in a pervasive environment interact with each other and with resources. The difference from traditional computing is the degree of spontaneity and dynamics of interaction afforded in pervasive computing [4, 5]. This results in entities and resources being transiently related. However, there are still security and usability goals to be considered when building applications in such environments, notwithstanding the great flexibility promised by pervasive computing. The security goal considered in this paper is that of authorization, while effective, reliable coordination of resource access and interaction control underpins a system meeting its usability goals [19]. An authorized subject is entitled to access and use a target resource for performing a set of operations provided a set of constraints hold. Authorization can therefore be represented by the template where A is a subject or subject-role, B is a target resource, P is a set of permissions (operations to which A is entitled) and C is a set of constraints or conditions that apply to the permissions granted [14]. Secondly, the term transient applies to what is actually short in its duration or stay, as opposed to having preconceived intentions and natural tendencies to be long-term or permanent [15, 8]. If an authorization is considered transient, this implies that its constraints are modified by a situation S, where S could be a time-range or other sensed properties of the resource and its environment. Nevertheless, note that the term “transient” has an established meaning in the field of reconfigurable control systems, referring to a phenomenon that arises when a system switches from one operational mode to the next [13]. This second notion of transient is not discussed in this paper, but is marked as an issue that should be addressed, as adaptive security does entail switching operating modes of a target system. Thirdly, if a subject A controls a target resource B, A monitors a set of control properties Rn that refer to B and its operational environment, compares them to a set of control reference properties and generates an action O that counteracts the comparative error between and. This definition of control is derived from Powers’ work on “Perceptual Control Theory” [10], which forms a part of the approach discussed later in this section. Other useful descriptions of the term “control” come from Petersen, who states that the role of a human operator [controller] is to bring about desired state changes (or non-changes) in a controlled system [9]. Therefore, if A is an authorized transient controller of B, A is permitted to perform an action resulting from comparing the properties and in order to control the operational state of B, to bring about for the validity of a situation S.

Considering the above definitions, resources in pervasive environments can be said to have multiple controllers with different references or operational goals. However, only two types of controllers are considered for the purposes of this paper - the “Interaction Controller” and the “Access Controller”. The Access Controller carries out control operations on behalf of a fulltime controller or administrator, while the Interaction Controller acts on behalf of a transient controller or user of a resource. The two controllers therefore have different perceptions of the target resource, its situation and that of its environmental signals. Figure 1 depicts how these two different controllers are seen to operate on the same target resource.

Figure 1 has introduced new terms that may lack intuitive meaning for readers unfamiliar with perceptual control theory (PCT) [10]. PCT is based on the premise that dynamic systems do not plan and process repeatable actions; rather they plan and process perceptions (or desired views of a system), hence producing repeatable results under varied conditions. The principles of PCT adopted in the controller model in Figure 1 are defined below:

Figure 1. Depicts multi-controller interaction with a target resource by an interaction controller and an access controller

[Access/Interaction] Perception: this is the relevant view that a human controller has of a resource dependent on its operational state. The operator need not know every detail of the resource’s operational state but sufficient detail for the support of effective control decision-making. The human controller may receive this directly from a resource, but in the model used here, there is an intermediate controller module or agent that automatically adjusts the perception in order that in the best cases the human operator constantly receives an “ideal view” of the resource.

[Access/Interaction] Perceptual Reference: this represents the “ideal view” that the controller wishes to receive from the resource. In the case of the fulltime controller (FTC) and Access Controller (AC), the source of the perceptual reference is authorization and obligation policies. These policies are specified by the FTC and enforced by the AC. In the case of the transient controller (ATC) and interaction controller (IC), the source of the perceptual reference is the tasks the ATC wishes to carry out as well as the credentials that certify some set of rights.

[Access/Interaction] Perceptual Signal: this is the input that a controller receives from a sensor system, which represents the control state of the target resource, with respect to its observable properties, as well as that of its environment.

[Access/Interaction] Perceptual Error: this is the calculated comparative error between a perceptual signal and a perceptual reference. That is, this is the controller’s calculation of how much the actual perception of the target resource deviates from the ideal perception as defined by the perceptual reference.

Environment Disturbance & Feedback: these are both property sets sensed by a sensor system. “Feedback” is the actualized value of explicitly monitored properties of the target resource, while the “environment disturbance” is monitored properties of the environment. The environment disturbance may have either an indirect or direct effect on the target resource’s control state and hence perceptual signals.

From the above model it is observed that feedback from the target resource simultaneously results in two classes of perceptual signals, and that the resource may also simultaneously receive two forms of perceptual errors and control commands. Breemen and Vries discuss and reference a number of problems that arise in systems with multiple controllers [17], which also apply to the interpretation of multi-controller systems used here. Three of these multi-controller problems addressed by the architecture and protocol are conflicts, deadlocks and coordination of switching between controllers. Conflicts may arise as a result of contrary perceptual references or if the controllers attempt to simultaneously enforce a control on the target resource. In the context of the access and interaction controllers, a conflict arises if the authorizations and obligations specified at the AC do not support the tasks and credentials of the IC, or if the AC tries to perform an access control at the same time the IC performs an interaction control (and vice versa). Deadlocks refer to exceptional control situations which none of the controllers are prepared to handle. There could therefore be a case where an irresolvable perceptual error occurs at both the interaction and access controllers - e.g. hardware or software failure - which may render the target resource unavailable. The coordination of switching between controllers means that rules have to be defined for when and how control is to be exchanged. Although the AC typically has a higher controller priority than the IC, there may be situations, such as the emergency response scenario, where this priority should be overridden to allow the IC to work more efficiently. This means that the AC will in this case need to adapt its perceptual reference to accept the new controllability of the target resource. The architecture provides more details on the design of a management system to computationally support the controller model, giving consideration to the issues discussed.
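The PCT controller model defined above (perceptual reference, signal, error and action) together with the three multi-controller problems just discussed (conflicts, deadlocks, switching), as an added Python sketch that is not code from the paper or its architecture; the resource properties, the per-controller "controllable" set and the emergency flag in the situation are assumptions made for the example:

```python
from dataclasses import dataclass

@dataclass
class Controller:
    """A PCT-style controller holding a perceptual reference (its "ideal view")."""
    name: str
    reference: dict        # property -> ideal value (policy for the AC, task for the IC)
    controllable: set      # assumption: properties this controller's actions can change

    def perceptual_error(self, signal):
        # deviation of the perceptual signal (sensed feedback) from the reference
        return {k: v for k, v in self.reference.items() if signal.get(k) != v}

    def irresolvable(self, signal):
        # errors on properties that no action of this controller can correct
        return {k for k in self.perceptual_error(signal) if k not in self.controllable}

    def action(self, signal):
        # control command: drive each correctable deviating property to its reference
        return {k: v for k, v in self.perceptual_error(signal).items()
                if k in self.controllable}

def conflicts(ac, ic):
    # contrary perceptual references over a property both controllers monitor
    return {k for k in ac.reference
            if k in ic.reference and ac.reference[k] != ic.reference[k]}

def control_step(resource, ac, ic, situation):
    """One control cycle; returns (who acted, resulting resource state). Only one
    controller enforces per cycle, so the AC and IC never act simultaneously."""
    signal = dict(resource)                   # feedback becomes the perceptual signal
    if ac.irresolvable(signal) and ic.irresolvable(signal):
        # deadlock: an error neither controller can handle (e.g. a hardware fault)
        return "deadlock", {**resource, "available": False}
    if situation.get("emergency"):
        # switching: the IC overrides the AC's usual priority and the AC adapts
        # its reference to accept the new controllability of the resource
        for k in conflicts(ac, ic):
            ac.reference[k] = ic.reference[k]
        active = ic
    else:
        active = ac
    return active.name, {**resource, **active.action(signal)}

def make_controllers():
    # constructed sample: AC policy keeps the lock engaged with power on; the IC's
    # task needs the lock released (and power on, which neither can control)
    ac = Controller("AC", {"lock": "engaged", "power": "on"}, {"lock"})
    ic = Controller("IC", {"lock": "released", "power": "on"}, {"lock"})
    return ac, ic
```

Outside an emergency the IC's contrary reference is simply not enforced (the AC acts), which `conflicts()` reports rather than resolves; a power fault is irresolvable for both controllers and is flagged as a deadlock that marks the resource unavailable.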