LUP Student Papers

Secure Domain Transition of Calvin Actors

• Mark

Abstract

Calvin, an Ericsson application framework for Internet of Things (IoT), simplifies
the development and deployment of applications for IoT systems where many
heterogeneous devices are deployed and connected through the Internet. The
application engineer just needs to design and codify the application applying
Calvin syntax. The Calvin environment is formed by runtimes and applications.
The runtime provides the engine to execute applications abstracting the device
to the application itself. These applications follow the actor pattern such that
actors and the connections among them complete an application design. When an
application is deployed in a runtime, the actors are instantiated and subsequently
they can be migrated to another... (More)

Calvin, an Ericsson application framework for Internet of Things (IoT), simplifies
the development and deployment of applications for IoT systems where many
heterogeneous devices are deployed and connected through the Internet. The
application engineer just needs to design and codify the application applying
Calvin syntax. The Calvin environment is formed by runtimes and applications.
The runtime provides the engine to execute applications abstracting the device
to the application itself. These applications follow the actor pattern such that
actors and the connections among them complete an application design. When an
application is deployed in a runtime, the actors are instantiated and subsequently
they can be migrated to another runtime that will host the actors and give them
its resources.

Calvin is still being developed and several parts are lacking or are immature.
One of these issues has been analysed in the case that many application domains
form the environment. Currently the assumption is, from a given domain point
of view, that the runtimes, applications and users are trusted. However, this simple
view changes when one starts to consider interactions with others domains
which are expected to be untrusted. As long as actor migrations are possible, domain
crossing is feasible and actors can move among different domain runtimes.
This exposes the domain to risks and non authorized access to resources of actors
working on behalf of untrusted users.

This thesis considers a solution and its implementation in Calvin code that
tries to enhance security and reduce risks with respect to domain crossing. Roughly,
by identifying every actor in the domain and applying a policy, we realize a managed
access to the domain resources. In addition, a translation policy is introduced
that will allow identities from another domain to be translated into identities
in a receiving domain. Hence all actors have identities that are valid in the
domain’s namespace. The translated identities are still considered untrusted, but
their actions are limited in the domain due to the policy applied. The translation
is stateless and involves only the target receiver domain. We also discuss the
limitations of this approach and discuss ways to extend this work. (Less)

Popular Abstract

The Internet of Things technology (IoT) will become a reality in the following
years. IoT refers to the connection of many devices via the Internet. For instance,
a lamp, a fridge, a temperature sensor, a car, etc. Applications such as alarm reception
because the fridge is open, or traffic control thanks to car sensors will be
usual. What is characteristic here is that devices will be heterogeneous: different
type of hardware and software characterize them. This makes application development
a tricky task. Fortunately, application frameworks are available and
they abstract the device and other issues for the application developer, i.e.,the
framework hides the complexity so the developer just can focus on designing the
application... (More)

The Internet of Things technology (IoT) will become a reality in the following
years. IoT refers to the connection of many devices via the Internet. For instance,
a lamp, a fridge, a temperature sensor, a car, etc. Applications such as alarm reception
because the fridge is open, or traffic control thanks to car sensors will be
usual. What is characteristic here is that devices will be heterogeneous: different
type of hardware and software characterize them. This makes application development
a tricky task. Fortunately, application frameworks are available and
they abstract the device and other issues for the application developer, i.e.,the
framework hides the complexity so the developer just can focus on designing the
application functionality. Calvin, developed by Ericsson, is one of such frameworks.
Calvin manages connections, operative systems, resources, etc. such that
an application can be executed.

Applications in Calvin are formed by actors, that are small programs that can
be connected to form the whole application function. For instance, one actor can
be a calculator and another a display, such that the result of the calculator can be
printed in the display actor. The applications (and thereby actors) are executed
on runtimes, a software installed in the device, which, as said, abstracts the device
to the application and executes it. Actors can be migrated and executed in
other runtimes beyond the first runtime on which the actor was created. Hence
the device that executes the actor may change and the actor is not fixed to a specific
device or runtime. This is another reason why the framework is important.
The conditions change but the application needs to be executed in the same way
irrespective of the actual device or runtime. Of course, all what is said about
migration supposes that the rutime one migrates to is able to host the actor.

It is expected that different domains can be established. A domain will be a
defined group of runtimes, users, and a namespace for identities. For instance,
a domain could be a company which has some hardware and some employees
running applications. As mentioned before, it is assumed that these elements are
trusted within the domain and others domain are untrusted since one can not
control them. Foreign domains could have malicious users, malicious software,
etc. Hence, migrations out of or in to the domain are risky operations. Currently,
Calvin lacks any useful countermeasure beyond disabling migration among different
domains. This thesis has accomplished a solution to handle domain crossing
and enhance the security. All users in a domain will have an identity and
actors executed by these users will handle the respective identifier. A policy will
authorized to use the resources requested by the actor. But the problem of migrations
is still there. If an actor identified from other domain arrives to the domain,
the identifier is not valid and a translation will be performed to adapt it to the
new domain. One can imagine that each domain speaks a different language, or
gives names to its users independently of each other. Hence it may well be that
different domains cannot "understand" each other in the sense that names used
in one domain are either not understood or could actually map to other users.
The use of a translation table will give an incoming actor a new identifier and
through a correct combination with the runtime policy the migrated actor will
not be deployed if it attempts to use resources that are not possible for it.

The work performed goes from the study of Calvin and the study of the domain
crossing problem, to the design of a solution and the implementation in
Calvin. Several discussions related to the solution conclude this work. (Less)