Skip to main content


about lujo bauer

Lujo BauerLujo Bauer is a Research Scientist with CyLab. His research interests include computer security— particularly in building usable access-control systems with sound theoretical underpinnings, and generally in narrowing the gap between a formal model and a usable system.

[ email ] | [profile]

CyLab Chronicles

Q&A with Lujo Bauer (2008)

posted by Richard Power

CyLab Chronicles: What aspect of research would you like to highlight?

BAUER: One aspect that's particularly interesting to me is usability: we're developing technology that improves on the state of the art in access control, but we're also trying to make sure that end users can actually use the technology effectively to do things that they previously couldn't, something that's often missing from this type of research.

CyLab Chronicles: What technology are you working on?

BAUER: Grey is a distributed access-control system in which smartphones are used as the vehicle by which users gain access to physical space in an office environmentbauerpic FULL (i.e., unlock doors) and log on to computers.  Unlike a system where all access-control policy is managed by a centralized administrator, Grey enables each user to delegate her authority to others, at her discretion. In this way, access-control policy is managed by end users in a distributed fashion, at a time and place of their choosing.  Policies can be created proactively, either through a wizard interface or by associating access rights with entries in a Grey address book, or reactively, in response to an attempted access that cannot succeed unless a principal with authority over the resource extends her policy to allow the access.

CyLab Chronicles:  What are the unique attributes of your work?

BAUER: Our approach has a number of attributes that collectively make it unique.  First, it allows flexible and expressive access-control policies that not only describe the conditions under which an access should be allowed but also entire the chain of authority by which a user gained access; e.g., not just that Bob is allowed to access the database during business hours, but that Alice was put in charge of the database by the CEO, that she delegated access to all employees who are in the HR department, and that Bob is an employee and works in HR. 

Encoding all this in the access-control system has a number of advantages,Grey Smart Phone including the following: (1) each access results in a detailed, certified entry in an audit log, which describes in detail why someone was able to gain access; (2) policies encoded in the system accurately represent the reasons why someone has authority, and can therefore easily be modified as those reasons change (e.g., when Bob moves from HR to another department, any access that he had by virtue of being in HR will automatically disappear); (3) when the policy doesn't permit an access, the system is able to intelligently suggest ways in which the policy could be extended in order for the access to be permitted.  Our use of smartphones as the vehicle by which a user exercises her authority makes it possible for policies to be created dynamically, whenever the need arises, regardless of where the user who can create policy is located.

Another unique aspect of Grey with respect to research in access control is that we strive to ensure that the technologies we develop are usable in practice.  To that end, we've deployed Grey on the 2nd floor of CIC.  The deployment has been going on for about two years, and Grey is used by about 30 people to control access to about 35 doors and computer logons.  In addition, we conduct ongoing studies to determine whether Grey is able to meet users' needs in practice, and, if not, how it could be changed to be able to do so.

CyLab Chronicles: What problem(s) does your work address?

Bauer: Current access-control technologies often don't allow users to express the policies they want.  Sometimes users are forced to give too much access or too little access because the access-control mechanism they're using (e.g., keys or swipe cards) is too clumsy to allow them to specify *exactly* what level of access that they want to delegate.

Current access control technologies are also limited in that different technical solutions are required for different domains (e.g., usernames and passwords for computer systems, keys and swipe cards for physical access).  Through the use of smartphones as a device that can interact with both physical and computer resources, Grey makes it possible to use a single system to control access to both physical and virtual resources.

CyLab Chronicles: What are the commercial implications of your work?

BAUER: It's not clear what the right path is for the technology to transition to industry (although it has been licensed by a start-up company), but it seems as if the technology should be applicable to many environments where there is a strong interest in keeping track of who has access to what (e.g., computer system, application, ability to execute a particular transaction within an application) and why, particularly when these access permissions need to be frequently adjusted.  Although we've focused on smartphones as the vehicle for exercising a user's authority, there is nothing about the technology that would prevent it from being applied in scenarios where smartphones aren't present.

See all CyLab Chronicles articles