CERT-SEI

Secure and Assured Mobile Computing Components

First responders and soldiers in the field require support for computationally intense application operating of handheld devices. The variety of languages, architectures, platforms, and APIs challenge software portability, interoperability, security, and assurance. Users need agile software components that they can trust and execute to provide results across the spectrum of computer platforms. This research aims to provide a secure and assured digital container format for mobile computing components.

Our technology will perform face detection and recognition from images and video taken from multiple vantage points of a large crowd of up to hundreds or thousands of people. After soldiers or law enforcement officers take pictures of or film a large crowd of people, they may want to locate specific individuals within that crowd. But the task of "knitting" the images and video together and performing face detection and recognition requires more computation power than is available through handheld mobile devices. So mobile devices will carry prepackaged computing components that can offload the computation to a local "cloudlet" computing capability. 

The research focuses on the design of the digital container and automated provisioning on the cloudlets. The mobile computing component (running on a nearby cloudlet) will first detect all the faces in the crowd and return a measure of the crowd's mood. Next, the component will proceed to systematically examine all the faces in the scene and identify persons of interest (POIs). These POIs may be either positive (translator, civic leader, other first responders off duty, etc.) or negative (known felons, persons with a warrant, suspected terrorists, known crowd agitators, etc.). As the faces are recognized and identified, the component transmits the results back and makes them available to the handheld devices. Location information will be communicated to direct POIs to the closest mobile device in the crowd for contact, to aid the mobile device user or initiate apprehension.

We aim to package a face detection and recognition capability using at least three different portability mechanisms. Alternatives will come from the following spectrum of possible software portability mechanisms:

  • Virtual machine: Achieves portability across computing platforms and architectures via a virtual machine, either with a host OS or a hypervisor
  • Emulation: Achieves portability via a machine emulator
  • Platform: Achieves portability via a common, standards-based platform such as a web browser (potentially enabling byte code and interpreted portability)
  • Byte code: Achieves portability via prior or just-in-time compilation to a common byte code and virtual-machine layer
  • Interpreted: Achieves portability with a common interpreter running on multiple computing platforms
  • API: Achieves portability via source code recompilation using a standard API
  • Distribution: Achieves portability via package distribution and repositories supporting various computing platforms, either by binary distribution or source code distribution
  • Binary: Achieves portability when binary executables run natively on different platforms with no recompilation or run as embedded systems
  • Service: Achieves portability when existing cloud service provides a solution and connectivity, where it is available and secure

The service on the mobile device will collaborate with a service provider on the cloudlet to optimize the choice of container and cloudlet to be used. The initial optimization metric will be time to result. Future optimizations might include the ability to minimize bandwidth, maximize accuracy, minimize risk, or maximize security.

In addition to enabling dynamic computing component migration and provisioning, we will provide software security and assurance, inherent to the digital container. We will provide software security by using existing cryptographic mechanisms, including digital signatures and code signing. We will provide software assurance by including the ability to assert input/output format verification and pre/post condition and invariant enforcement. The runtime environment on the cloudlet will provide sandboxing as well.

Publications

Boleng, Jeff; Lewis, Grace; Shenoy, Vignesh; Tibrewal, Varun; & Subramaniam, Manoj. "Automated Provisioning of Cloud and Cloudlet Applications." Presented at the Software Engineering Institute Architecture Technology User Network (SATURN) Conference, Minneapolis, MN, May 2013.