
Designing Universal Framework for Building Collaborative Applications in Heterogeneous Computing Environment
Kangseok Kim, kakim@cs.indiana.edu
Computer Science Department, Indiana University
11/19/2018

Outline of PhD Thesis Proposal
- Motivation and Research Objectives
- Problem Statement
- Literature Survey
- Research Issues
- Research Designs
- Milestones
- Contributions

[Figure: shared whiteboard with annotation on both mobile and non-mobile devices]

Motivation and Research Objectives I
Heterogeneous community collaboration
- Most heterogeneous community collaboration systems cannot communicate with each other, e.g. H.323 <-> AG, AG <-> SIP.
- We need a wider range of collaboration, achieved by building an integrated collaboration environment that combines collaborative applications, as well as other forms of collaboration, into a single easy-to-use environment.
Universal collaboration and access
- Means the capability of multiple users to link together, through disparate access modes, to access collaborative systems.
- Makes systems more usable and more useful, and enables people to work together with others remotely.

Motivation and Research Objectives II
Access control in collaboration systems
- Access control policy in heterogeneous community collaboration systems has not been adequately addressed.
- Access control policies and mechanisms are needed to restrict unauthorized access to a variety of protected information and resources.
Group coordination support
- As the number of collaborating users increases, a user may have to contend with other users for access to the collaboration elements.
- To maintain consistent shared state at the application level, we need to control competing accesses and mitigate race conditions on shared resources.

Problem Statement
What is a generic solution for building an integrated collaboration environment that combines mobile and non-mobile collaborative applications, as well as heterogeneous community collaboration, into a single easy-to-use environment?

Literature Survey
- Conferencing technologies: H.323, SIP, Access Grid, VRVS, others
- Access control schemes: Access Matrix, RBAC, PERMIS, CAS, others

Literature Survey (1): Conferencing Technologies
- H.323: ITU standard for the exchange of voice, video, and data.
- SIP (Session Initiation Protocol): light-weight generic signaling protocol for interactive communication sessions between users, designed by the IETF.
- AG (Access Grid): designed for group-to-group collaboration across high-performance networks; initiated by Argonne National Laboratory.
- VRVS (Virtual Rooms Videoconferencing System): a web-oriented collaboration system for videoconferencing and collaborative work over IP networks.

Comparisons of Conference Control Frameworks
Columns: H.323, SIP, Access Grid, VRVS
Rows:
- Conference management support (only a "No" entry survives in the transcript; its column is not preserved)
- Data collaboration (entries in the order the transcript lists them, column assignment not preserved: limited; whiteboard, file transfer; PowerPoint, chat; desktop sharing and chat)
- Floor control mechanism (cell values not preserved in the transcript)
- Heterogeneous community collaboration (cell values not preserved in the transcript)

Literature Survey (2): Access Control Schemes
- Access Matrix: authorization is expressed as the operations that subjects are allowed to perform on objects.
- RBAC (Role Based Access Control): privileges (permissions) to use resources are attached to a role, not to a specific user.
- PERMIS (Privilege and Role Management Infrastructure Standards): role-based PMI (Privilege Management Infrastructure).
- CAS (Community Authorization Service): implements RBAC using an authorization server.

Comparisons of Access Control Schemes
Columns: Access Matrix, RBAC, PERMIS, CAS
Rows:
- Fine-grained control (the transcript preserves the entries "Lack" and "Good" without their columns)
- Scalability (the transcript preserves the entry "Not good" without its column)
- Dynamic change of permissions at runtime (one column carries the note: "but dynamicity within predefined policies delegated from the resource provider")

Research Issues I
Designing a framework for controlling sessions, accesses, and floors for heterogeneous community collaboration on mobile devices as well as non-mobile devices.
Handling collaboration (session control)
- Heterogeneous control protocols have to be translated into a general control protocol.
- The general session control protocol manages session users and resources in communities.
Access control
- Scalable, dynamic, fine-grained access control.

Research Issues II
Group coordination (floor control)
- An approach to deal with race conditions in resource sharing, for system and shared-state consistency at the application level.
Fault-tolerant role in the collaboration system
- A recovery approach for a failure-prone system.
Design issues for building applications on mobile devices
- An approach to overcome the technical limitations that arise when porting applications from desktop computers (moderate screen size) to mobile devices (small screen size).
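The floor-control idea above, carried through as an added example (this is not code from XGSP or the XFLOOR work; the class and method names are assumptions made for this illustration): a floor is the right to modify one shared collaboration element, here a whiteboard. The manager serialises grant and release under a lock so two nodes can never both believe they hold the floor, hands the floor to the next waiter in FIFO order, and returns an unguessable token with each grant; the shared state rejects any write that does not carry the current holder's token, so a node that merely believes it is the holder cannot corrupt the shared state.

```python
"""Floor control for a shared collaboration element (added example; not XGSP/XFLOOR code)."""
import secrets
import threading
import time
from collections import deque


class FloorControl:
    def __init__(self):
        self._lock = threading.Lock()
        self._holder = None       # user holding the floor, or None
        self._token = None        # proof of holding it, returned on grant
        self._queue = deque()     # waiting users, served in FIFO order
        self.log = []             # audit trail: ("grant" | "release", user)

    def request(self, user):
        """Return the token if user holds the floor (now or after hand-over), else queue and return None."""
        with self._lock:
            if self._holder == user:
                return self._token
            if self._holder is None:
                return self._grant(user)
            if user not in self._queue:
                self._queue.append(user)
            return None

    def _grant(self, user):       # caller holds self._lock
        self._holder, self._token = user, secrets.token_hex(16)
        self.log.append(("grant", user))
        return self._token

    def release(self, user, token):
        """Only the current holder, proving it with its token, may release the floor."""
        with self._lock:
            if user != self._holder or token != self._token:
                return False
            self.log.append(("release", user))
            self._holder = self._token = None
            if self._queue:
                self._grant(self._queue.popleft())   # hand the floor to the next waiter
            return True

    def guard(self, user, token):
        """True iff user currently holds the floor with this token (call under .lock)."""
        return user == self._holder and token == self._token

    @property
    def lock(self):
        return self._lock

    def holder(self):
        with self._lock:
            return self._holder


class SharedWhiteboard:
    """Shared application state; a stroke is accepted only from the floor holder."""

    def __init__(self, floor):
        self._floor = floor
        self.strokes = []          # (user, stroke) in the order they were accepted

    def draw(self, user, token, stroke):
        with self._floor.lock:     # check-and-write is atomic with respect to grant/release
            if not self._floor.guard(user, token):
                return False       # write rejected: caller does not hold the floor
            self.strokes.append((user, stroke))
            return True


def simulate(users=("alice", "bob", "carol"), strokes_each=20):
    """Several threads contend for the floor; each draws its strokes only while holding it."""
    floor = FloorControl()
    board = SharedWhiteboard(floor)

    def worker(user):
        token = floor.request(user)
        while token is None:            # queued: poll until the floor is handed over
            time.sleep(0.0005)
            token = floor.request(user)
        for i in range(strokes_each):
            board.draw(user, token, f"stroke-{i}")
        floor.release(user, token)

    threads = [threading.Thread(target=worker, args=(u,)) for u in users]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return board, floor


def holder_runs(board):
    """Users in the order their contiguous runs of strokes appear on the board."""
    runs = []
    for user, _ in board.strokes:
        if not runs or runs[-1] != user:
            runs.append(user)
    return runs
```

Running simulate() shows the property the slide asks for: every user's strokes form one contiguous run on the board, because a write is only accepted while its author holds the floor, and the floor is handed over under the same lock that guards the write.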

Research Designs (1): XGSP (XML based General Session Protocol)
- Our lab's conference collaboration framework for integrating multiple heterogeneous communities.
- A general session protocol defined in XML to handle collaboration.
- Built on both mobile and non-mobile devices.
XGSP current capabilities
- Manage membership
- Maintain connectivity
- Organize sessions
- Support collaborative applications
- Support heterogeneous communities (H.323, SIP)
XGSP missing / desired features
- Integration of access control and floor control mechanisms into the XGSP framework
- Fault-tolerant role capability

Research Designs (1): XGSP Framework Components
Conference manager
- Registries of all scheduled conferences (conference calendar)
- Registries of collaborative applications (application registry)
- User accounts
- Policies
Node manager
- User interface for the XGSP conference management service
- Factories for all kinds of applications
XGSP conference control
- Conference management service
- Application management service
- Access control service
- Floor control service
[Figure: conference manager (conference calendar, application registry, user accounts); chair node and user nodes, each with a node manager, user roster, session and application instances 0 and 1; all connected through the service / message system]

Research Designs (2): XRBAC (XML Role Based Access Control)
- Policies are defined in XML so that only authorized users can access protected collaboration environments.
- Authorization is granted explicitly by the conference chair, or implicitly to a user authorized by predefined policies.
- It is performed dynamically at runtime by activation rules, or statically by predefined policies.
- Fine-grained control: allow a user of a group in a given role to access resources at certain times; allow groups of users to access resource attributes.
- Push and pull policy modes:
  - Push mode: policies are passed to a user node by the conference manager at conference join time; this leads to policy consistency.
  - Pull mode: policies are retrieved from the internal store of a user node at access time.
- Benefits: ease of understanding and management, scalability, and dynamic fine-grained control.

Research Designs (2): Architectural design of integrating the XRBAC service into the XGSP framework
[Figure: the conference manager pushes policies to the chair node and to each user node; each node runs an Activation / Deactivation Service, an Access Decision Service and an Authentication Service, and pulls policies from its Local Policy Store; access requests and decision responses travel over the Service / Message System; a KMC (Key Management Center) supports the nodes]
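The following is an added example that is not XRBAC's own code or schema; the element names, the sample policy document and the UserNode API are assumptions made for illustration. It shows, in one place, the role assignment and permission assignment of RBAC from the literature survey and the refinements of Research Designs (2): permits narrowed to a time window or to a single resource attribute (fine-grained control), explicit runtime grants by the conference chair (activation / deactivation), the push of the policy into a node's local store at join time, and decisions pulled from that store at access time, failing closed while no policy has arrived.

```python
"""XML role-based policy evaluation on a user node (added example; hypothetical XRBAC-like schema)."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import time as dtime
from typing import Optional

# Constructed sample policy document; the element and attribute names are assumptions.
SAMPLE_POLICY = """<xrbac conference="cs-seminar" chair="alice">
  <assign user="alice" role="chair"/>
  <assign user="bob" role="participant"/>
  <assign user="carol" role="participant"/>
  <permit role="chair" resource="whiteboard" action="*"/>
  <permit role="chair" resource="slides" action="*"/>
  <permit role="participant" resource="whiteboard" action="read"/>
  <permit role="participant" resource="whiteboard" action="annotate" from="09:00" until="10:00"/>
  <permit role="participant" resource="slides" action="read" attribute="notes"/>
</xrbac>"""


@dataclass(frozen=True)
class Permit:
    role: str
    resource: str
    action: str                 # "*" matches any action
    attribute: str              # "*" = the whole resource, otherwise one attribute only
    start: Optional[dtime]      # time window, if the permit is time-bound
    end: Optional[dtime]

    def covers(self, resource, action, attribute, now):
        if self.resource != resource or self.action not in ("*", action):
            return False
        if self.attribute != "*" and self.attribute != attribute:
            return False        # permit is scoped to a single attribute of the resource
        if self.start is not None and not (self.start <= now <= self.end):
            return False        # outside the permitted time window
        return True


def _hhmm(text):
    hours, minutes = text.split(":")
    return dtime(int(hours), int(minutes))


def parse_policy(xml_text):
    """Return (chair, user -> set of roles, list of permits) from the XML policy document."""
    root = ET.fromstring(xml_text)
    roles, permits = {}, []
    for a in root.iter("assign"):
        roles.setdefault(a.get("user"), set()).add(a.get("role"))
    for p in root.iter("permit"):
        permits.append(Permit(p.get("role"), p.get("resource"), p.get("action"),
                              p.get("attribute", "*"),
                              _hhmm(p.get("from")) if p.get("from") else None,
                              _hhmm(p.get("until")) if p.get("until") else None))
    return root.get("chair"), roles, permits


class UserNode:
    """Keeps the pushed policy in a local store and answers access requests from it."""

    def __init__(self):
        self.chair, self.roles, self.permits = None, {}, []
        self.active = set()      # (user, resource, action) granted by the chair at runtime

    def push_policy(self, xml_text):
        """Push mode: the conference manager installs the policy at join time."""
        self.chair, self.roles, self.permits = parse_policy(xml_text)

    def activate(self, by, user, resource, action):
        """Explicit grant at runtime; only the chair named in the policy may issue it."""
        if by != self.chair:
            return False
        self.active.add((user, resource, action))
        return True

    def deactivate(self, by, user, resource, action):
        if by != self.chair:
            return False
        self.active.discard((user, resource, action))
        return True

    def decide(self, user, action, resource, attribute="*", now=dtime(9, 30)):
        """Pull mode: decide from the local store; deny unless a grant or a permit matches."""
        if self.chair is None:
            return False         # fail closed until a policy has been pushed
        if (user, resource, action) in self.active:
            return True
        return any(permit.covers(resource, action, attribute, now)
                   for role in self.roles.get(user, ())
                   for permit in self.permits if permit.role == role)
```

Because every node evaluates the same pushed document locally, a request for the whole resource is denied when the user's permit covers only one attribute of it, and a time-bound permit stops working outside its window without any message from the chair; the chair's activate/deactivate calls are the only path that changes a decision at runtime.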

Milestones
- Designed and built a general conference control framework on both mobile devices (cell phone) and non-mobile devices
  - Define the general session protocol in XML (XGSP)
- Designed and implemented collaborative applications on both non-mobile and mobile devices (cell phone)
- Define the definitions and rules of collaboration roles
- Define access control policies
  - Define role-based access control policies in XML (XRBAC)
- Integrate the access control mechanism into the collaboration system
- Integrate the floor control mechanism into the collaboration system
  - Define floor control policies in XML (XFLOOR)
- Design and implement the fault-tolerant role mechanism

Contributions
- Provides an approach for heterogeneous community collaboration: a mechanism that makes systems more usable and more useful, maximizing the collaborative capabilities available to a collaborator.
- Provides an approach for universal collaboration and access with mobile devices such as cell phones: a mechanism by which users can access collaborative systems independent of their access device and its physical capabilities.
- Provides an approach for access control in a collaboration system: a mechanism by which only authorized users can access a variety of protected information and resources.
- Provides an approach for maintaining system and shared-state consistency at the application level: a mechanism that lets users attain exclusive control, without access conflicts, over shared resources under static or dynamic fine-grained control.

Literature Survey (1): H.323
- ITU standard for the exchange of voice, video, and data
- A set of standards for group communication
- TCP for call setup and control
- UDP for audio/video

Literature Survey (2): SIP (Session Initiation Protocol)
- Designed by the IETF.
- Light-weight generic signaling protocol for interactive communication sessions between users.
- Defines how to establish, maintain, and terminate Internet sessions, including multimedia conferences.
- Provides basic functions such as user location resolution, capability negotiation, and call management.
- Text-based, following the request/response style of HTTP.
- Difference from HTTP: SIP is used for human-to-human communication and to locate individual users.

Literature Survey (3): AG (Access Grid)
- A project initiated by Argonne National Laboratory.
- Designed for group-to-group collaboration across high-performance networks.
- A form of collaborative technology that uses synchronous communications.
- Uses IP multicast for audio/video.

Literature Survey (4): VRVS (Virtual Rooms Videoconferencing System)
- A web-oriented collaboration system for videoconferencing and collaborative work over IP networks.
- Composed of two parts:
  - Web server: the users' interface to connect to videoconferences and launch A/V applications.
  - Reflector: software that distributes information (audio, video, and data) to the collaborating users, interconnecting each user to a Virtual Room.

Literature Survey (5): Access Matrix
- Authorization is expressed as the operations that subjects are allowed to perform on objects.
- Access Control List (ACL): the matrix read by columns (one list per object).
- Capability list: the matrix read by rows (one list per subject).
- Shortcoming: does not allow fine-grained access control to object attributes.
Example matrix from the slide (Bob's row is not preserved in the transcript):
            File 1    File 2        File 3
  Alice     R         Own, R, W     W
  Bob
[Figure: the same matrix shown as per-file ACLs and as per-user capability lists]

Literature Survey (6): RBAC (Role Based Access Control)
- Privileges (permissions) to use resources are attached to a role and not to a specific user.
- Roles are assigned to users (role assignment) and access permissions are assigned to roles (permission assignment).
- Benefit: scalable, because users can easily be reassigned from one role to another.
- Shortcoming: lacks the ability to specify fine-grained control on individual users in certain roles and on individual resource instances.
[Figure: users -> roles (role assignment) -> permissions (permission assignment); a user submits a request, which is checked against the role policy before the target is read]

Literature Survey (7): PERMIS (Privilege and Role Management Infrastructure Standards)
- Role-based PMI.
- Policies are written in XML and stored as X.509 ACs (Attribute Certificates) residing in an LDAP directory.
- Access control enforcement function (AEF): authenticates the user and asks the ADF whether the user is allowed to perform the requested action on the target resource.
- Access control decision function (ADF): accesses LDAP to retrieve the authorization policy and the role ACs for the user, and makes a decision based on these.
[Figure: user -> authentication service -> application gateway (AEF) -> decision request over the PERMIS PMI API -> ADF -> LDAP (retrieve policy and role ACs); on a positive decision the gateway presents the access to the target]
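The AEF/ADF split described above, as an added example that is not PERMIS code: PERMIS keeps the policy and each user's role ACs as X.509 attribute certificates in LDAP, whereas here a dict stands in for the directory, an HMAC tag stands in for the Source of Authority's (SOA) signature over an AC, and the policy is a plain dict rather than PERMIS's XML. The DNs, keys, passwords and policy entries are all constructed. The point it shows is what a practitioner should check before honouring a role pulled from a directory: the ADF counts a role only if the AC was issued by the SOA named in the policy, is within its validity period and carries an intact signature; the AEF never decides by itself, it authenticates the caller and asks the ADF.

```python
"""AEF/ADF decision with role attribute certificates (added example; not PERMIS code)."""
import hashlib
import hmac
import json

SOA_DN = "cn=SOA,o=IU"
SOA_KEY = b"demo-soa-key"     # stands in for the SOA's private signing key (constructed)


def _tag(key, body):
    """Deterministic MAC over an AC body; stand-in for the X.509 signature."""
    return hmac.new(key, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()


def issue_role_ac(holder, role, not_before, not_after, issuer=SOA_DN, key=SOA_KEY):
    body = {"holder": holder, "role": role, "issuer": issuer,
            "notBefore": not_before, "notAfter": not_after}
    return {**body, "sig": _tag(key, body)}


def ac_is_valid(ac, now, trusted_issuer, key=SOA_KEY):
    body = {k: v for k, v in ac.items() if k != "sig"}
    return (hmac.compare_digest(_tag(key, body), ac["sig"])       # signature intact
            and ac["issuer"] == trusted_issuer                     # issued by the policy's SOA
            and ac["notBefore"] <= now <= ac["notAfter"])          # ISO dates compare lexically


# Policy: which roles may perform which actions on which targets (constructed).
POLICY = {
    "soa": SOA_DN,
    "roleAccess": {
        ("chair", "conference/cs-seminar"): {"start", "stop", "invite", "join"},
        ("participant", "conference/cs-seminar"): {"join"},
    },
}

# Stand-in for the LDAP directory: holder DN -> list of role ACs (constructed data).
DIRECTORY = {
    "cn=alice,o=IU": [issue_role_ac("cn=alice,o=IU", "chair", "2018-01-01", "2018-12-31")],
    "cn=bob,o=IU":   [issue_role_ac("cn=bob,o=IU", "participant", "2018-01-01", "2018-12-31")],
    # carol's chair AC was signed by an issuer that is not the SOA
    "cn=carol,o=IU": [issue_role_ac("cn=carol,o=IU", "chair", "2018-01-01", "2018-12-31",
                                    issuer="cn=rogue,o=IU", key=b"rogue-key")],
    # dave's participant AC expired before the conference date
    "cn=dave,o=IU":  [issue_role_ac("cn=dave,o=IU", "participant", "2017-01-01", "2017-12-31")],
}


class ADF:
    """Access control decision function: pulls policy and role ACs, returns allow/deny."""

    def __init__(self, policy, directory):
        self.policy, self.directory = policy, directory

    def decide(self, user_dn, action, target, now):
        roles = {ac["role"] for ac in self.directory.get(user_dn, [])
                 if ac_is_valid(ac, now, self.policy["soa"])}
        return any(action in self.policy["roleAccess"].get((role, target), ())
                   for role in roles)


class AEF:
    """Access control enforcement function: authenticates, then defers to the ADF."""

    def __init__(self, adf, password_hashes):
        self.adf, self.password_hashes = adf, password_hashes

    def request(self, user_dn, password, action, target, now):
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), user_dn.encode(), 10_000)
        if not hmac.compare_digest(digest, self.password_hashes.get(user_dn, b"")):
            return "denied: authentication failed"
        if self.adf.decide(user_dn, action, target, now):
            return "granted"
        return "denied: not authorised"


def make_aef():
    """Gateway wired to the constructed directory; passwords are demo values."""
    hashes = {dn: hashlib.pbkdf2_hmac("sha256", pw.encode(), dn.encode(), 10_000)
              for dn, pw in [("cn=alice,o=IU", "alice-pw"), ("cn=bob,o=IU", "bob-pw")]}
    return AEF(ADF(POLICY, DIRECTORY), hashes)
```

Carol's forged chair AC and Dave's expired AC both drop out at ac_is_valid, so neither grants anything even though both sit in the directory; the same check rejects an AC whose role field has been edited after issue, because the tag no longer matches.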

Literature Survey (8): CAS (Community Authorization Service)
- Implements RBAC using an authorization server (CAS server).
- Fine-grained access control can be delegated to the administrator of the community.
- Shortcomings: single point of failure at the CAS server; lack of dynamic change of permissions at runtime.
[Figure: 1. the user issues a request to the CAS server; 2. the CAS server issues a CAS credential carrying the user's capabilities; 3. the user sends an access request to the resource with the issued CAS credential; 4. the resource responds. The community delegates the decision role to its administrator.]
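The four-step CAS flow in the figure, as an added example that is not Globus CAS code: an HMAC tag stands in for the CAS server's signature over the credential, the community policy is a dict edited by the community administrator, and the names, keys and timestamps are constructed. It makes both shortcomings from the slide visible in code: while the CAS server is unavailable no new credential can be issued, and a capability the administrator revokes remains usable in credentials issued earlier until they expire, because the resource checks only the credential it is handed.

```python
"""Community Authorization Service flow with a capability credential (added example; not CAS code)."""
import hashlib
import hmac
import json


def _tag(key, body):
    """Stand-in for the CAS server's signature over the credential body."""
    return hmac.new(key, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()


class CASServer:
    def __init__(self, key, ttl=3600):
        self.key, self.ttl = key, ttl
        self.policy = {}          # user -> {(resource, action)}, edited by the community admin
        self.available = True     # flip to False to model the server being down

    def admin_grant(self, user, resource, action):
        self.policy.setdefault(user, set()).add((resource, action))

    def admin_revoke(self, user, resource, action):
        self.policy.get(user, set()).discard((resource, action))

    def issue(self, user, now):
        """Steps 1-2: sign a credential listing the user's capabilities as of now."""
        if not self.available:
            raise ConnectionError("CAS server unavailable")   # no other path can authorise
        body = {"sub": user, "caps": sorted(self.policy.get(user, ())), "exp": now + self.ttl}
        return json.dumps({"body": body, "sig": _tag(self.key, body)})


class Resource:
    def __init__(self, name, cas_key):
        self.name, self.cas_key = name, cas_key   # trusts credentials signed by this CAS

    def access(self, credential, action, now):
        """Steps 3-4: verify the credential, then check the requested capability."""
        cred = json.loads(credential)
        body = cred["body"]
        if not hmac.compare_digest(_tag(self.cas_key, body), cred["sig"]):
            return "denied: bad signature"
        if now > body["exp"]:
            return "denied: expired"
        if [self.name, action] not in body["caps"]:
            return "denied: capability not in credential"
        return "granted"
```

The resource never contacts the CAS server, which is what makes the design scale and also what makes a revocation take effect only after the old credentials expire; a short ttl narrows that window at the cost of more round trips to the single server.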