11 research outputs found

    Analysis domain model for shared virtual environments

    The field of shared virtual environments, which also encompasses online games and social 3D environments, has a system landscape consisting of multiple solutions that share great functional overlap. However, there is little system interoperability between the different solutions. A shared virtual environment has an associated problem domain that is highly complex raising difficult challenges to the development process, starting with the architectural design of the underlying system. This paper has two main contributions. The first contribution is a broad domain analysis of shared virtual environments, which enables developers to have a better understanding of the whole rather than the part(s). The second contribution is a reference domain model for discussing and describing solutions - the Analysis Domain Model

    Cyber security threats and challenges in collaborative mixed-reality

    Collaborative Mixed-Reality (CMR) applications are gaining interest in a wide range of areas including games, social interaction, design and health-care. To date, the vast majority of published work has focused on display technology advancements, software, collaboration architectures and applications. However, the potential security concerns that affect collaborative platforms have received limited research attention. In this position paper, we investigate the challenges posed by cyber-security threats to CMR systems. We focus on typical network architectures facilitating CMR and how their vulnerabilities can be exploited by attackers, and discuss the degree of potential social, monetary impacts, psychological and other harms that may result from such exploits. The main purpose of this paper is to provoke a discussion on CMR security concerns. We highlight insights from a cyber-security threat modelling perspective and also propose potential directions for research and development toward better mitigation strategies. We present a simple, systematic approach to understanding a CMR attack surface through an abstraction-based reasoning framework to identify potential attack vectors. Using this framework, security analysts, engineers, designers and users alike (stakeholders) can identify potential Indicators of Exposures (IoE) and Indicators of Compromise (IoC). Our framework allows stakeholders to reduce their CMR attack surface as well as understand how Intrusion Detection System (IDS) approaches can be adopted for CMR systems. To demonstrate the validity of our framework, we illustrate several CMR attack surfaces through a set of use-cases. Finally, we also present a discussion on future directions this line of research should take

    Privacy in DOSN: an approach based on access control (Privacy in DOSN: un approccio basato su controllo degli accessi)

    The thesis covers the development of a distributed system for social networking, in which access control and data persistence are managed through an XACML access control framework. Performance is evaluated through a simulation with real datasets

    CBiX a model for content-based billing in XML environments

    The new global economy is based on knowledge and information. Furthermore, the Internet is facilitating new forms of revenue generation of which one recognized potential source is content delivery over the Internet. One aspect that is critical to ensuring a content-based revenue stream is billing. While there are a number of content-based billing systems commercially available, as far as can be determined these products are not based on a common model that can ensure interoperability and communication between the billing systems. This dissertation addresses the need for a content-based billing model by developing the CBiX (Content-based Billing in XML Environments) model. This model, developed in a phased approach as a family of billing models, incorporates three aspects. The first aspect is access control. The second aspect is pricing, in the form of document, element and inherited element level pricing for content. The third aspect is XML as the platform for information exchange. The nature of the Internet facilitates information interchange, flexible web business models and flexible pricing. These facts, coupled with CBiX being concerned with billing for content over the Internet, leads to a number of decisions regarding the model: The CBiX model has to incorporate flexible pricing. Therefore pricing is evolved through the development of the family of models from document level pricing to element level pricing to inherited element level pricing. The CBiX model has to be based on a platform for information interchange that enables content delivery. XML provides a broad family of standards that is widely supported and creating the next generation Internet. XML is therefore selected as the environment for information exchange for CBiX. The CBiX model requires a form of access control that can provide access to content based on user properties.
Credential-based Access Control is therefore selected as the method of access control for CBiX, whereby authorization is granted based on a set of user credentials. Furthermore, this dissertation reports on the development of a prototype. This serves a dual purpose: firstly, to assist the author in understanding the technologies and principles involved; secondly, to illustrate CBiX0 and therefore present a proof-of-concept of at least the base model. The CBiX model provides a base to guide and assist developers with regards to the issues involved with developing a billing system for XML-based environments

    Continuously available virtual environments

    This thesis presents a framework for continuously available persistent collaborative virtual environments which is fundamentally more flexible than current approaches. Whereas existing systems allow the artefacts in the environment and the application behaviours of those artefacts to be changed at run time, they still need to be shut down if the infrastructure mechanisms of the system need to be changed. The framework presented by this thesis pushes run-time extensibility to a lower level allowing previously static infrastructure mechanisms and application level behaviours to be replaced and extended in a uniform way. By associating infrastructure mechanisms with artefacts in the same way that application behaviours are associated, the framework allows multiple alternative infrastructure mechanisms to coexist within the virtual environment system. Rather than applying a single infrastructure mechanism to all artefacts in a virtual environment, mechanisms can be tailored to an artefact’s role, optimising the operation of each artefact. This allows a wider range of artefact behaviours and so applications to be supported by a single virtual environment. Infrastructure level behaviours may implement a single infrastructure mechanism or multiple mechanisms, allowing the framework to explicitly present the complex interdependencies which can exist between infrastructure mechanisms such as persistence and consistency. In addition to providing greater run-time flexibility for continuously available persistent virtual environments, the framework allows infrastructure mechanisms to be easily developed, compared, tested and configured, making it a useful test bed for the development of future infrastructure mechanisms. After reviewing existing virtual environment systems and related systems, the thesis presents an experiment which reveals some of the problems existing with current approaches to persistence in virtual environments. 
The thesis then describes the framework discussed above and the issues involved in its realisation before evaluating the current prototype. Finally some conclusions are presented and future work discussed

    Convergence and access security in massively distributed collaborative editing systems (Convergence et sécurité d'accès dans les systèmes d'édition collaborative massivement répartis)

    SUMMARY One of the challenges of collaborative editing systems is the consistency of shared objects. For editing to be consistent, the system must guarantee convergence. The literature proposes several solutions for ensuring the consistency of shared objects. The major approaches proposed are the commutative replicated data type (CRDT) approach and the operational transformation (OT) approach. The CRDT approach considers commutative operations that can be executed in a different order. One of the difficulties CRDT runs into lies in the commutativity of operations. All editing operations must be commutative so that they can be executed in any order. The operational transformation approach, for its part, transforms the remote operations received against the operations concurrent with them, even if those have already been executed. To perform the transformations, the OT approach uses an inclusive transformation (IT) algorithm. In the literature, several works have proved that the main inclusive transformation algorithms proposed do not satisfy the convergence criterion. Besides consistency, securing interactions is another challenge of collaborative editing systems. Access control is one of the security policy models applicable in this setting. It consists of allowing or forbidding editing for certain users. Access control must be deployed uniformly to avoid compromising the consistency of editing operations. An editing operation that is valid at one site must be valid everywhere. An operation refused at one site must be refused everywhere. In the context studied, the security protocol is reliable if it preserves the consistency of the system. Providing this proof of reliability is an arduous task. The number of cases to examine is infinite.
Moreover, for automatic verification, resources run out if appropriate techniques are not used. In this thesis, we address the challenges of convergence and access control in distributed collaborative editing systems. We consider a textual object with a linear structure that is massively edited in a distributed architecture. The consistency management approach used is operational transformation. Thus, each user has a local copy of the shared document. Operations generated at one site are immediately broadcast to the other users. They can be executed in any order. The types of editing operations are the insertion of a character and the deletion of a character. We also integrate an access control protocol into collaborative editing. Our thesis takes the form of three scientific articles, each dealing with a very specific problem. In the first article, we address the problem of convergence. We adopted a multi-step approach. An exploration was first carried out to check whether a convergent IT function is possible. Using the controller synthesis method and game automata, our investigations revealed that no IT based solely on character and position can guarantee convergence. Identifying the causes of divergence made it possible to begin solving the "controller synthesis problem". Thus, a third parameter was added to insertion operations. It handles the number of characters deleted before the indicated insertion position. A function for determining the value of this parameter was proposed. An IT function was then proposed, taking the preceding proposals into account.
Using model checking, proof was provided that our IT does guarantee convergence. The second article proposes the integration of an optimistic security protocol. The article addresses the problem of the protocol's reliability in an infinite state space. It is deployed on top of the synchronization protocol of the collaborative editing system. We assume that the system satisfies the consistency property in the absence of access control. To tackle the difficulties of the reliability proof, the symbolic model-checking approach was preferred. Bounded model checking was used with the Alloy tool. The exploration carried out for instances whose maximum size is thirteen "signatures" made it possible to conclude that the access control protocol preserves consistency. Note that these instances are not massive, but the resulting combinatorics are not negligible. The third article addresses the problem of system reduction. Investigations were carried out to obtain a finite model equivalent to the collaborative editing system with regard to the consistency property. The proposed abstract model comprises three cooperating sites, one of which is the administrator. This finite-state-space model, having been proved equivalent to the infinite-state-space system with respect to the consistency property, served as the setting for automatic verification. Using the Uppaal tool and the automaton formalism, we proved by model checking that the abstract model preserves consistency. Consequently, the access control protocol preserves the consistency of the collaborative editing system. Our work has some limitations related to its scope. We handled textual objects with a linear structure to which only character insertion and deletion operations are applied.
Moreover, access rights management is based on a single-administrator model. The performance of the access control protocol was not taken into account either. The work would no doubt have greater scope if it covered several types of objects, several types of editing operations, several administrators and a performance study. Our future work could be devoted to widening the scope of this thesis.
    ABSTRACT The consistency of the shared documents is one of the most important challenges in collaborative editing systems. To achieve consistency, a solution must ensure the convergence criteria. Several solutions are proposed in literature to achieve consistency of the shared documents. The major approaches are: commutative replicated data type (CRDT) and operational transformation (OT). CRDT considers some commutative operations which could be executed in different order. The main difficulty of CRDT is to compute commutative operations. OT approach proposes to transform remote operations against their concurrent operations, even if they are already executed. An inclusive transformation function is used to compute the transformations. In the literature, several works show that the main inclusive transformation (IT) functions proposed do not ensure convergence. Besides consistency, security of the edition is another challenge in distributed collaborative systems. Access control is a model of security policy that could be used. It consists of granting or revoking editing authorizations for users. Access control must be uniformly deployed to not compromise the consistency of the system. A valid editing operation at one site must be valid at all other sites. At the same time, an invalid operation at one site must be invalid everywhere. In the current context, the security protocol is reliable if it preserves the consistency of the system. Producing the proof of reliability is difficult.
It requires examining an infinite number of cases. In addition, with automatic verification, resources become insufficient if appropriate techniques are not used. This thesis is interested in consistency and access control challenges in distributed collaborative editing systems. It considers a textual object with a linear structure that is massively edited in a distributed architecture. OT is used to manage consistency. Each user has a local copy of the shared document. Locally-generated operations are immediately broadcast to other users. Operations could be executed in any order. Their types are inserting and deleting characters. To ensure security, collaborative edition is combined with an access control protocol. The thesis consists of three scientific articles. Each of them deals with a specific problem. In the first article, we address the problem of consistency and proceed in several steps. Initially, we explore the existence of convergent IT functions of OT, which ensure data consistency. Using the controller synthesis approach and game automata, we conclude that there is no IT function, based only on character and position as parameters of insert and delete operations, which ensures data consistency. The investigation of the causes of divergence led to solve the controller synthesis problem. Thus, a new parameter is added to the insert operation signature. It handles the number of characters deleted before the inserting position. The function needed to compute the value of this parameter is provided. Finally, based on these contributions, we propose an IT function and show that it ensures convergence. The proof is achieved by a symbolic model-checking emulated using the tool Uppaal. The second article addresses the reliability of the security protocol in an infinite state space. An optimistic access control protocol is considered to be deployed over any correct synchronization protocol.
The symbolic model-checking approach is chosen to deal with the proof of reliability. For this purpose, bounded model-checking is used with the tool Alloy. Exploration made with instances whose maximum size is thirteen allows us to conclude the preservation of consistency by the access control protocol. These instances are not massive but the resulting combinatorial is important. The third article addresses the problem of system reduction. In this article, we investigate a finite model equivalent to a distributed collaborative editing system, with regard to consistency. The abstract model proposed consists of three cooperative sites including the administrator. This finite state model is proved by model-checking to preserve consistency. Consequently, the access control protocol preserves consistency of any correct distributed collaborative editing system. The model-checking techniques exploit the Uppaal tool and automata. Our work has several limitations. We consider textual objects with linear structure. These objects are edited by applying some operations which are inserting and deleting characters. In addition, the management of access rights is based on a one-administrator model. The performance study of the access control protocol is not done. The work would probably be more extensive if it covered several types of objects, several types of editing operations, many administrators and the performance study. Our future work could be devoted to the widening of the scope of this thesis

    An access control framework for multi-user collaborative environments

    A vital component of any application or environment is security, and yet this is often one of the lower priorities, losing out to performance and functionality issues, if it is considered at all. This paper considers a spatial approach to enabling, understanding and managing access control that is generally applicable across a range of collaborative environments and applications. Access control is governed according to the space within which subjects and objects reside, and the ability to traverse space to get close to an object. We present a framework that enables the SPACE access model [4], previously presented as an access model solely for collaborative virtual environments, to be applied across a number of collaborative systems. This framework is exemplified through mappings of the model to 3D and 2D collaborative environments, namely Spline [1], TeamRooms [19] and Orbit [16]. One particularly interesting feature of the model is the way in which it handles group access by considering how group credentials are determined. These credentials are presented to the model in the usual manner. We conclude by presenting some limitations of our approach, and workarounds