Secure Domain Transition of Calvin Actors

This is a Master's thesis from Lund University/Department of Electrical and Information Technology

Abstract: Calvin, an Ericsson application framework for the Internet of Things (IoT), simplifies the development and deployment of applications for IoT systems where many heterogeneous devices are deployed and connected through the Internet. The application engineer just needs to design and code the application using Calvin syntax. The Calvin environment is formed by runtimes and applications. The runtime provides the engine that executes applications, abstracting the device from the application itself. These applications follow the actor pattern, such that actors and the connections among them complete an application design. When an application is deployed in a runtime, the actors are instantiated, and subsequently they can be migrated to another runtime that will host the actors and give them its resources. Calvin is still being developed and several parts are lacking or immature. One of these issues has been analysed for the case where many application domains form the environment. Currently the assumption is, from a given domain's point of view, that the runtimes, applications and users are trusted. However, this simple view changes when one starts to consider interactions with other domains, which are expected to be untrusted. As long as actor migrations are possible, domain crossing is feasible and actors can move among the runtimes of different domains. This exposes the domain to risks and to unauthorized access to resources by actors working on behalf of untrusted users. This thesis considers a solution, and its implementation in Calvin code, that tries to enhance security and reduce risks with respect to domain crossing. Roughly, by identifying every actor in the domain and applying a policy, we realize managed access to the domain resources. In addition, a translation policy is introduced that allows identities from another domain to be translated into identities in a receiving domain. Hence all actors have identities that are valid in the domain's namespace.
The translated identities are still considered untrusted, but their actions are limited in the domain due to the policy applied. The translation is stateless and involves only the target receiver domain. We also discuss the limitations of this approach and discuss ways to extend this work.
