Abstract
In this paper we revisit the concept of mandatory access control and investigate its potential with personal digital assistants (PDAs). Only if applications are clearly separated and Trojans cannot leak personal information can these PDAs become personal trusted devices. Limited processing power and memory can be overcome by using Web services instead of full-fledged applications – a trend also seen in non-mobile computing. Web services, however, introduce additional security risks, some of them specific to mobile users. We propose an identification scheme that can be effectively used to protect privacy and show how this system builds upon a light-weight version of mandatory access control.
Cite this article
Weippl, E., Essmayr, W. Personal Trusted Devices for Web Services: Revisiting Multilevel Security. Mobile Networks and Applications 8, 151–157 (2003). https://doi.org/10.1023/A:1022237215026
DOI: https://doi.org/10.1023/A:1022237215026