An information flow control model in a topic-based publish/subscribe system

Abstract

A publish/subscribe (PS) model is an event-driven model of a distributed system. In traditional PS systems, each peer (process) can either publish or subscribe events. In this paper, we consider a peer-to-peer (P2P) type of topic-based PS model where each peer can both publish and subscribe events. In this paper, we newly propose a topic-based access control (TBAC) model for topic-based PS systems. Here, an access right is a pair $⟨ t, op ⟩$ of a topic t and a publish or subscribe operation $op$ . A peer is allowed to publish an event message with publication topics and subscribe interesting topics only if the publication and subscription access rights are granted to the peer, respectively. An event message e is delivered to a peer $p_{i}$ if the publication of e and subscription of $p_{i}$ include some common topic. If a peer $p_{i}$ publishes an event message $e_{2}$ after receiving an event message $e_{1}$ , the event message $e_{2}$ may bring some information of the event message $e_{1}$ . If a target peer $p_{j}$ is not allowed to subscribe at least one topic which is related with the event message $e_{1}$ , information in the peer $p_{i}$ illegally flows to the target peer $p_{j}$ . We newly propose a subscription-based synchronization (SBS) protocol to prevent illegal information flow. Here, an event message is banned by a target peer if the event message implies illegal information flow. However, event messages may be unnecessarily banned by a peer even if no illegal information flow to the peer occurs. In the evaluation, we show the number of event messages unnecessarily banned in the SBS protocol.

Keywords

Information flow control peer-to-peer (P2P) model topic-based publish/subscribe (PS) systems subscription-based synchronization (SBS) protocol topic-based access control (TBAC) model unnecessarily banned message

1. Introduction

In distributed systems, information in objects flows to other objects by transactions reading and writing data in the objects. Here, some information of an object may illegally flow to a subject which is not allowed to get the information of the object. Especially, a leakage of sensitive information is to be prevented from occurring [31]. In order to keep information systems secure, illegal information flow among objects has to be prevented. Types of synchronization protocols [13–16,19,20] are so far discussed based on read and write access rights in the role-based access control (RBAC) model [10,28,30] to prevent illegal information flow.

Context-based systems like publish/subscribe (PS) systems [2,9,11,33,34] and content-based access control (CBAC) models [37] are getting more important in various applications. A distributed system is composed of processes which are cooperating with one another by exchanging messages in networks [3]. A process is modeled to be a finite state machine, i.e. a sequence of events [2]. A publish/subscribe (PS) model [2,9,11,33,34] is an event-driven model [8] of a distributed system. In traditional PS models, each process either publishes or subscribes events. In this paper, we consider a peer-to-peer (P2P) model [35] of PS system (P2PPS model) [24,25] where each peer process (peer) can both publish and subscribe event messages. Here, a peer publishes an event message and then the event message is delivered to a peer which is interested in the event. Publications and subscriptions of peers and event messages are specified in terms of topics as discussed in topic-based PS systems [32].

In this paper, we newly propose a topic-based access control (TBAC) model in PS systems. Here, a peer manipulates topics, not objects, in publish ( $pb$ ) and subscribe ( $sb$ ) operations. An access rule $⟨ p_{i}, t, op ⟩$ means that a peer $p_{i}$ is allowed to manipulate a topic t in an operation $op$ ( $\in {pb, sb}$ ). Let A be a set of access rules in a system. An access right is a pair $⟨ t, op ⟩$ of a topic t and an operation $op$ , i.e. $pb$ or $sb$ . This means, a peer granted an access right $⟨ t, op ⟩$ is allowed to perform an operation $op$ on a topic t. A peer $p_{i}$ is allowed to publish an event message with a topic t only if the peer $p_{i}$ is granted a publication right $⟨ t, pb ⟩$ . A peer $p_{i}$ is allowed to subscribe a topic t only if the peer $p_{i}$ is granted a subscription right $⟨ t, sb ⟩$ . Let $p_{i} . P$ be the publication of a peer $p_{i}$ , which is a subset ${t ∣ ⟨ p_{i}, t, pb ⟩ \in A}$ of topics which the peer $p_{i}$ is allowed to publish. A peer $p_{i}$ is allowed to publish an event message e whose publication $e . P$ is a subset of the publication $p_{i} . P$ . Let $p_{i} . S$ be the subscription of a peer $p_{i}$ , which is also a subset ${t ∣ ⟨ p_{i}, t, sb ⟩ \in A}$ of topics which the peer $p_{i}$ is allowed to subscribe. An event message e published by a peer $p_{i}$ is delivered to a target peer $p_{j}$ if the subscription $p_{j} . S$ includes at least one common topic with the publication $e . P$ . Here, the peer $p_{j}$ does not care the other topics in the publication $e . P$ , i.e. $e . P - p_{j} . S$ . These topics in $e . P - p_{j} . S$ are referred to as forgotten topics of the event message e on the peer $p_{j}$ [21,22]. An event message e is related with forgotten topics but the peer $p_{j}$ forgets the topics even if the target peer $p_{j}$ receives the event message e. In addition, the peer $p_{i}$ may publish an event message $e_{2}$ after receiving another event message $e_{1}$ . The event message $e_{2}$ may be related with topics which are already brought to the peer $p_{i}$ by receiving the event message $e_{1}$ but the topics are not in the subscription $p_{j} . S$ of the peer $p_{j}$ . The topics are refereed to as hidden topics of the peer $p_{i}$ for the peer $p_{j}$ [17,18,23]. This means, the event message $e_{2}$ may bring information related with the hidden topics to the target peer $p_{j}$ but the peer $p_{j}$ cannot recognize the event message $e_{2}$ to be related with the hidden topics. Hidden or forgotten topics are referred to as implicit topics. Suppose a target peer $p_{i}$ receives an event message e which is related with implicit topics but the peer $p_{i}$ is not allowed to subscribe event messages on implicit topics. Here, if the peer $p_{i}$ publishes an event message e and the event message e is delivered to a target peer $p_{j}$ , information in the peer $p_{i}$ illegally precedes the peer $p_{j}$ ( $p_{i} \mapsto p_{j}$ ). In this paper, we define the illegal information flow relation ↦ among peers based on publication and subscription access rights in the TBAC model.

On the basis of the TBAC model, we newly propose a subscription-based synchronization (SBS) protocol to prevent illegal information flow among peers to occur by publishing and subscribing event messages in this paper. In the SBS protocol, event messages which may cause illegal information flow are banned at the destination peers. That is, event messages are delivered to a peer $p_{i}$ since some publication topics of the event message are included in the subscription of the peer $p_{i}$ but the event messages are not delivered to the peer $p_{i}$ . Whether or not illegal information flow to occur is decided based on the information flow relation among peers. If a peer $p_{i}$ illegally precedes a target peer $p_{j}$ ( $p_{i} \mapsto p_{j}$ ), the event message is banned at the target peer $p_{j}$ in the SBS protocol. On the other hand, even if an event message e is banned at a peer $p_{j}$ , the peer $p_{i}$ may not illegally precede the peer $p_{j}$ . Here, the event message e is unnecessarily banned at the peer $p_{j}$ . We evaluate the SBS protocol in terms of number of event messages unnecessarily banned. In the evaluation, we show about 4% of event messages are unnecessarily banned in the SBS protocol.

In Section 2, we overview related studies. In Section 3, we present a P2P model of the PS System. In Section 4, we discuss the legal information flow relation among peers in the P2PPS model. In Section 5, we discuss safe systems where no illegal information flow occurs among any peers. In Section 6, we propose the SBS protocol to prevent illegal information flow to occur in unsafe systems. In Section 7, we evaluate the SBS protocol.

2. Related studies

An information system is composed of subjects and objects [4]. An object is an encapsulation of data and operations to manipulate the data. A subject issues an operation to an object to manipulate the data. Then, the operation is performed on the object [4]. Users and transactions are examples of subjects. Databases and files are examples of objects. Let S and O be sets of subjects and objects in a system, respectively. Let $OP$ be a set of operations on objects. In this paper, we assume each object o supports a pair a of basic operations read ( $rd$ ) and write ( $wr$ ), i.e. $OP = {rd, wr}$ . An access rule is a tuple $⟨ s, o, op ⟩$ ( $\in S \times O \times OP$ ) of a subject s, an object o, and an operation $op$ in the basic access control (BAC) model [4]. An access rule $⟨ s, o, op ⟩$ means that a subject s is allowed to manipulate an object o in an operation $op$ . A pair $⟨ o, op ⟩$ of an object o and an operation $op$ is an access right (or permission). An authorizer grants an access right $⟨ o, op ⟩$ to a subject s, i.e. an access rule $⟨ s, o, op ⟩$ is specified by the authorization. A subject s is allowed to manipulate an object o in an operation $op$ only if the subject s is granted an access right $⟨ o, op ⟩$ . Otherwise, the subject s is not allowed to manipulate the object o. A system is secure if and only if (iff) every object o is manipulated by an authorized subject s in an authorized operation $op$ according to an access rule $⟨ s, o, op ⟩$ .

In the role-based access control (RBAC) model [10,28,30], a role r ( $\subseteq O \times OP$ ) is a set of access rights. An authorizer grants a role r, i.e. set of access rights to a subject s without granting each access right to the subject s. Each person plays a role r in a society, e.g. a president role in a company. Each role r shows what can be done by a subject who plays the role r in a society. Let R be a collection of roles in a system, $R \subseteq 2^{O \times OP}$ . A subject s is granted a collection $s . R$ ( $\subseteq R$ ) of roles and issues a transaction T to manipulate objects. Here, a transaction is a sequence of operations on objects. A subject s grants a transaction T a subset $T . P$ ( $\subseteq s . R$ ) of the roles $s . R$ . A subset $T . P$ of the roles is referred to as purpose [6,7] of the transaction T. A transaction T is allowed to issue an operation $op$ to an object o only if an access right $⟨ o, op ⟩$ is in the purpose $T . P$ .

Illegal information flow to occur in the access control models are discussed as confinement problem [4]. Suppose a subject $s_{i}$ is granted a pair of a read access right $⟨ f, rd ⟩$ on a file object f and a write access right $⟨ g, wr ⟩$ on another file object g. Suppose another subject $s_{j}$ is granted an access right $⟨ g, rd ⟩$ . Here, suppose the subject $s_{i}$ reads data d in the file f and then writes the data d to the file g. The subject $s_{j}$ is not allowed to read data in the file f. However, the subject $s_{j}$ can obtain the data d in the file f by reading the data d stored in the file g. That is, information in the file f illegally flows into the subject $s_{j}$ via the subject $s_{i}$ and the file g.

In order to prevent illegal information flow, the lattice-based access control (LBAC) model [29] is proposed. Here, every entity e, i.e. subject or object, belongs to a security class $sc$ in a system.

In papers [5 –7], the role-based locking (RBL) protocols and schedulers of transactions are discussed to prevent illegal information flow to occur by performing transactions in the RBAC model [10,28,30]. Here, a role which includes more number of write access rights is more important. A transaction granted more important roles manipulates an object before another transaction.

In papers [7 ,16], the illegal information flow relation from a role $r_{i}$ to a role $r_{j}$ ( $r_{i} \mapsto r_{j}$ ) is defined. Let $In (r_{i})$ and $Out (r_{i})$ be sets of objects whose data are allowed to be read and written by a subject granted a role $r_{i}$ , respectively, i.e. $In (r_{i}) = {o ∣ ⟨ o, rd ⟩ \in r_{i}}$ and $Out (r_{i}) = {o ∣ ⟨ o, wr ⟩ \in r_{i}}$ . A role $r_{i}$ illegally flows to a role $r_{j}$ ( $r_{i} \mapsto r_{j}$ ) if and only if (iff) $Out (r_{i}) \cap In (r_{j}) \neq ϕ$ but $In (r_{i}) ⊈ In (r_{j})$ . Here, suppose a transaction $T_{1}$ with the role $r_{i}$ reads data in an object $o_{1}$ and writes data to an object $o_{2}$ . Here, some data x in the object $o_{1}$ may be brought to the object $o_{2}$ . Then, suppose another transaction $T_{2}$ with the role $r_{j}$ reads data in the object $o_{2}$ . If the role $r_{j}$ includes a read access right $⟨ o_{1}, rd ⟩$ , no illegal information flow occurs because the transaction $T_{2}$ is allowed to read data in the object $o_{1}$ . However, if $⟨ o_{1}, rd ⟩ \notin r_{j}$ , the transaction $T_{2}$ may illegally get the data x from the object $o_{2}$ as shown in Fig. 1.

Fig. 1.

Legal and illegal information flow among objects.

A transaction illegally reads data in an object iff the transaction reads data in the object which includes data in another object which is not allowed to be read [16]. Allowable information relation flow from an object $o_{1}$ to an object $o_{2}$ is also a priori defined by an administrator. A transaction suspiciously reads data in an object iff the transaction reads data in the object whose data is not allowed to be brought to other objects [13]. A transaction illegally writes data to an object iff the transaction writes data to the object after illegally reading data in another object [Fig. 2(a)] [13]. A transaction impossibly writes data to an object iff the transaction writes data to the object after suspiciously reading data in another object [Fig. 2(b)] [13].

Fig. 2.

Operations.

The write-abortion (WA) [13], read-write-abortion (RWA) [15], and flexible read-write-abortion (FRWA) [14] protocols are proposed to prevent illegal information flow. For each object $o_{i}$ and each transaction $T_{t}$ , a pair of variables $o_{i} . R$ and $T_{t} . R$ are manipulated. Initially, $o_{i} . R$ is empty and $T_{t} . R$ is a purpose $T_{t} . P$ of the transaction $T_{t}$ . Each time a transaction $T_{t}$ writes data to an object $o_{i}$ , roles in the variable $T_{t} . R$ are added to the variable $o_{i} . R$ , i.e. $o_{i} . R = o_{i} . R \cup T_{t} . R$ . If a transaction $T_{t}$ reads data in an object $o_{i}$ , $T_{t} . R = T_{t} . R \cup o_{i} . R$ . Here, if some role $r_{1}$ in $o_{i} . R$ illegally flows to a role $r_{2}$ in $T_{t} . R$ ( $r_{1} \mapsto r_{2}$ ), the read operation is illegal. In the WA protocol, a transaction aborts once issuing an illegal or impossible write operation to an object. Read operations performed after an illegal read operation before a write operation are meaningless. Because the transaction aborts once issuing the write operation and the read operations performed are rolled back. In the RWA protocol, a transaction aborts once issuing an illegal read operation or impossible write operation. Even if a transaction illegally reads data in an object, the transaction can commit if the transaction does not issue a write operation. Read operations are lost, which can be performed but are not performed after an illegal read operation is issued to an object. In the FRWA protocol, a transaction aborts if the transaction issues an illegal or impossible write operation to an object and aborts as well as the WA protocol. Furthermore, the transaction aborts with some probability $ap$ once issuing an illegal read operation. If $ap = 1$ and $ap = 0$ , the FRWA protocol is the same as the RWA protocol and the WA protocol, respectively.

The concepts of sensitivity of an object and safety of a role in the FRWA-O [19] and FRWA-RS [20] protocols are discussed. In the FRWA-O protocol, the abortion probability $ap$ of a transaction $T_{t}$ issuing an illegal read operation to an object $o_{i}$ depends on the sensitivity of the object $o_{i}$ . Here, the sensitivity of an object $o_{i}$ just monotonically increases each time a transaction aborts by issuing an illegal read operation to the object even if the transaction commits. On the other hand, in the FRWA-RS protocol, the role safety of a role $r_{i}$ increases and decreases each time a transaction $T_{t}$ holding the role $r_{i}$ commits and aborts, respectively, in order to reduce the number of transactions to abort. The abortion probability of each transaction $T_{t}$ is decided by the role safety of roles in the variable $T_{t} . R$ .

A peer-to-peer (P2P) system [35] is composed of peers which are interconnected in overlay networks. In P2P systems, multiple peers are cooperating with one another by exchanging messages in networks. A peer is an autonomous process which makes a decision by itself through communicating with other peers. There is no centralized coordinator and peers autonomously leave and join the system.

A publish/subscribe (PS) system [2,9,11,33,34] is an event-driven [8] distributed system which is composed of processes interconnected in a network of brokers. A publisher process publishes an event message. An event message is delivered to only a subscriber process which is interested in the event message. In topic-based PS systems [32], a subscriber process specifies a subscription in terms of topics in which the subscriber process is interested. A publisher process publishes an event message with a publication which is also specified in terms of topics. If a publication of an event message and a subscription of the subscriber process have a common topic, the event message is notified to the subscriber process. In this paper, we discuss a P2P model of a PS system [24,25,36]. Here, every peer can publish and subscribe event messages and there is no centralized coordinator.

In paper [1], an access control model in the PS system is discussed based on the RBAC model. Here, information flow to occur by publishing and subscribing topics in the PS system is not discussed. In this paper, we newly discuss an access control model, topic-based access control (TBAC) model of a topic-based PS system. Here, access rights on topics are newly considered. We discuss illegal information flow to occur among peers based on the TBAC model in the P2P model of the PS system.

3. TBAC model in PS systems

3.1. P2PPS model

In traditional publish/subscribe (PS) systems, each process is either a publisher or a subscriber [2,9,11,33,34]. In this paper, we newly consider a peer-to-peer (P2P) model of a PS system (P2PPS model) [24,25] which is composed of peer processes (peers) $p_{1}, \dots, p_{pn}$ ( $pn ⩾ 1$ ). Let P be a set ${p_{1}, \dots, p_{pn}}$ of all the peers in a system. Each peer $p_{i}$ can play both publisher and subscriber roles in the P2PPS model while only a publisher process publishes event messages and a subscriber process just receives event messages in the PS model. Furthermore, there is no centralized coordinator. Event messages published by a peer are delivered to every target peer in the publishing order. However, a pair of event messages $e_{i}$ and $e_{j}$ published by different peers $p_{i}$ and $p_{j}$ may be delivered to different target peers in different orders. In papers [26,27], the authors propose how to causally [12] deliver event messages related with topics to target peers by using the topic vector and physical time.

In this paper, we consider a topic-based PS system [32]. Let T be a set ${t_{1}, \dots, t_{tn}}$ ( $tn ⩾ 1$ ) of all topics in a system. A peer $p_{i}$ specifies the publication $e . P$ for an event message e in a subset of the topic set T ( $e . P \subseteq T$ ). Each peer $p_{i}$ then publishes an event message e with the publication $e . P$ . Each peer $p_{i}$ also specifies the subscription $p_{i} . S$ in a subset of the topic set T ( $p_{i} . S \subseteq T$ ). An event message e is delivered to a target peer $p_{i}$ if the publication $e . P$ and the subscription $p_{i} . S$ include at least one common topic, i.e. $e . P \cap p_{i} . S \neq ϕ$ . Here, the peer $p_{i}$ is a destination peer of the event message e. A peer which publishes an event message e is a source peer of the event message e. Each peer $p_{i}$ receives only an event message e which includes interesting information, i.e. whose publication $e . P$ includes a topic subscribed by the peer $p_{i}$ , i.e. a topic in $p_{i} . S$ .

3.2. TBAC model

In this paper, we newly propose a topic-based access control (TBAC) model to make clear authorized access in a topic-based PS systems. Let $OP$ be a set of operations, i.e. $OP = {publish (pb), subscribe (sb)}$ . T and P are sets of topics and peers, respectively, in a PS system S. A TBAC access rule $⟨ p_{i}, t, op ⟩$ ( $\in P \times T \times OP$ ) means that a peer $p_{i}$ is allowed to manipulate a topic t in an operation $op$ . Here, an operation $op$ is a subscribe ( $sb$ ) or publish ( $pb$ ) operation, i.e. $op \in OP$ . Let A be a set of access rules in a system. A pair $⟨ t, op ⟩$ of a topic t and an operation $op$ shows an access right in the TBAC model. In this paper, we assume a centralized authorizer grants a peer $p_{i}$ an access right $⟨ t, op ⟩$ ( $\in T \times OP$ ) where t is a topic ( $t \in T$ ) and $op$ is an operation ( $op \in OP$ ). A peer $p_{i}$ is allowed to perform an operation $op$ on a topic t only if $⟨ p_{i}, t, op ⟩ \in A$ , i.e. an access right $⟨ t, op ⟩$ is granted to the peer $p_{i}$ . A peer $p_{i}$ is allowed to publish an event message e with publication $e . P$ ( $\subseteq T$ ) only if the peer $p_{i}$ is granted an access right $⟨ t, pb ⟩$ for every topic t in the publication $e . P$ . The publication $p_{i} . P$ ( $\subseteq T$ ) of a peer $p_{i}$ is a subset ${t ∣ ⟨ p_{i}, t, pb ⟩ \in A, i.e. an access right ⟨ t, pb ⟩ is granted to the peer p_{i}}$ of topics on which the peer $p_{i}$ is allowed to publish an event message. Suppose a peer $p_{i}$ publishes an event message e with publication $e . P$ and the event message e is delivered to a destination peer $p_{j}$ . The publication $e . P$ is a subset of the publication $p_{i} . P$ ( $e . P \subseteq p_{i} . P$ ).

Hidden topics.
Topics in the subscription $p_{i} . S$ which are not in the publication $e . P$ and are in the subscription $p_{j} . S$ , i.e. ${t ∣ t \in p_{i} . S but t \notin p_{j} . S}$ are hidden topics of the peer $p_{i}$ for the peer $p_{j}$ .

Fig. 3.
Implicit, hidden, and forgotten topics.

Hatched area shows a set of hidden topics in Fig. 3. A hidden topic t is a topic which may be related with an event message e but which is not subscribed by a target peer. Here, even if an event message e is delivered to a peer $p_{i}$ , the peer $p_{i}$ does not recognize that the event message e may be related with every hidden topic of the event message e.

A peer $p_{i}$ is allowed to subscribe a topic t only if an access right $⟨ t, sb ⟩$ is granted to the peer $p_{i}$ . The subscription $p_{i} . S$ ( $\subseteq T$ ) of a peer $p_{i}$ is a subset of topics on which a peer $p_{i}$ is allowed to receive event messages, i.e. ${t ∣ ⟨ t, sb ⟩ is granted to p_{i}, i.e. ⟨ p_{i}, t, sb ⟩ \in A}$ .

Suppose a peer $p_{i}$ publishes an event message e with a publication $e . P$ ( $\subseteq p_{i} . P$ ). Here, the peer $p_{i}$ is allowed to publish an event message e only if the publication $e . P$ is a subset of the publication $p_{i} . P$ , i.e. $e . P \subseteq p_{i} . P$ . The subscription $p_{j} . S$ of a peer $p_{j}$ shows topics in which the peer $p_{j}$ is interested. That is, a peer $p_{j}$ can receive an event message e if $p_{j} . S \cap e . P \neq ϕ$ . A peer $p_{j}$ is a $target$ peer of an event message e iff $e . P \cap p_{j} . S \neq ϕ$ , i.e. the subscription $p_{j} . S$ of a peer $p_{j}$ has a common topic with the publication $e . P$ of an event message e. An event message e is only delivered to a target peer $p_{j}$ in a system.
Forgotten topics.
A topic t which is in the publication $e . P$ but not in the subscription $p_{j} . S$ , i.e. $t \in e . P$ but $t \notin p_{j} . S$ , is a forgotten topic of the event message e with respect to the target peer $p_{j}$ .

A target peer $p_{j}$ recognizes that an event message e is related with topics in $e . P \cap p_{j} . S$ but forgets that the event message e is related with the forgotten topics in $e . P - p_{j} . S$ .
Implicit topics.
Implicit topics of a peer $p_{i}$ are hidden or forgotten topics of event messages which the peer $p_{i}$ receives.

Let $e . H$ be a set of hidden topics of a source peer for a target peer $p_{i}$ . Let $p_{i} . I$ indicate a set of implicit topics of a peer $p_{i}$ . $p_{i} . I$ is initially ϕ. Each time a peer $p_{i}$ receives an event message e, the hidden topics $e . H$ and forgotten topics $e . F$ in the publication $e . P$ are added to the set $p_{i} . I$ , i.e. $p_{i} . I = p_{i} . I \cup e . H \cup e . F$ . Here, hidden topics in $e . H$ and forgotten topics in $e . F$ are implicit topics of an event message e.

If an event message e is delivered to a target peer $p_{i}$ , the event message e is related with the following topics:
Topics which the peer $p_{i}$ subscribes.

Forgotten topics in the publication $e . P$ .

Hidden topics which the peer $p_{i}$ is not allowed to subscribe.

4. Legal information flow

We discuss information flow relations among peers on the basis of access rights in the TBAC model. We consider a P2P model of a topic-based PS system (P2PPS model), which is composed of multiple peers $p_{1}, \dots, p_{pn}$ ( $pn ⩾ 1$ ) interconnected in reliable networks. That is, if a peer publishes event messages, every destination peer receives the event messages without loss and duplication of event messages in the publishing order.

Each peer $p_{i}$ can publish and subscribe event messages according to the TBAC access rules. First, let us consider the following example.

Example 1.
Suppose there are three peers $p_{i}$ , $p_{j}$ , and $p_{k}$ in a system. $P_{1}$ is a set ${p_{i}, p_{j}, p_{k}}$ of the peers in the system. Suppose a peer $p_{i}$ is granted a pair of access rights $⟨ y, pb ⟩$ and $⟨ y, sb ⟩$ , i.e. the publication $p_{i} . P$ is ${y}$ and the subscription $p_{i} . S$ is ${y}$ . Suppose another peer $p_{j}$ is granted three access rights $⟨ x, pb ⟩$ , $⟨ y, pb ⟩$ , $⟨ x, sb ⟩$ , and $⟨ y, sb ⟩$ , i.e. $p_{j} . P$ ( $= {x, y}$ ) and $p_{j} . S$ ( $= {x, y}$ ) and the other peer $p_{k}$ is granted three access rights $⟨ z, pb ⟩$ , $⟨ x, sb ⟩$ , and $⟨ z, sb ⟩$ , i.e. $p_{k} . P$ ( $= {z}$ ) and $p_{k} . S$ ( $= {x, z}$ ). First, the peer $p_{i}$ publishes an event message $e_{1}$ with publication $e_{1} . P = {y}$ ( $\subseteq p_{i} . P$ ). The event message $e_{1}$ is delivered to the peer $p_{j}$ since $e_{1} . P \cap p_{j} . S = {y} \neq ϕ$ . Here, the peer $p_{i}$ may receive event messages about the topic y before publishing the event message $e_{1}$ since the peer $p_{i}$ is granted the access right $⟨ y, sb ⟩$ . Here, the event message $e_{1}$ may carry information on the topic y.

Next, suppose a peer $p_{j}$ publishes an event message $e_{2}$ with publication $e_{2} . P = {x}$ ( $\subseteq p_{j} . P$ ). The event message $e_{2}$ is delivered to the peer $p_{k}$ since $e_{2} . P \cap p_{k} . S = {x} \neq ϕ$ . Since the event message $e_{2}$ is published by the peer $p_{j}$ after the event message $e_{1}$ is delivered to the peer $p_{j}$ , the event message $e_{1}$ causally precedes the event message $e_{2}$ according to the causality theory [12]. This means, the event message $e_{2}$ may carry event information of the event message $e_{1}$ . Hence, the event message $e_{2}$ carries event information on not only the topic x in the publication $e_{2} . P = {x}$ but also the implicit topic y of the event message $e_{1}, e_{2} . I = {y}$ . Since $e_{2} . P (= {x}) \cap p_{k} . S (= {x, z}) = {x} \neq ϕ$ , the event message $e_{2}$ is delivered to the peer $p_{k}$ . However, the peer $p_{k}$ is not granted the implicit topic y of the event message $e_{2}$ , i.e. the topic y is not in the subscription $p_{k} . S$ . This means, information on a topic which the peer $p_{k}$ is not allowed to subscribe can be delivered to the peer $p_{k}$ . Here, information illegally flow to the peer $p_{k}$ from the peer $p_{j}$ .

If the peer $p_{j}$ publishes the event message $e_{2}$ for the target peer $p_{k}$ , the peer $p_{k}$ can obtain some information related with the topic y although the topic y is not subscribed, i.e. $y \notin p_{k} . S$ . Here, the information related with the topic y illegally flows into the peer $p_{k}$ as shown in Fig. 4.

Fig. 4.
Illegal information flow ( $p_{j} \mapsto p_{k}$ ).

If the publication $p_{i} . P$ of a peer $p_{i}$ and the subscription $p_{j} . S$ of another peer $p_{j}$ include at least one common topic ( $p_{i} . P \cap p_{j} . S \neq ϕ$ ), an event message published by the peer $p_{i}$ is delivered to the peer $p_{j}$ in the topic-based PS system. Otherwise, no event message published by the peer $p_{i}$ is delivered to the peer $p_{j}$ . We define an information flow relation among peers as follows:
Definition.
A peer $p_{i}$ precedes a peer $p_{j}$ with respect to information flow ( $p_{i} \to p_{j}$ ) iff $p_{i} . P \cap p_{j} . S \neq ϕ$ .

We consider a pair of peers $p_{i}$ and $p_{j}$ . The information flow relation $p_{i} \to p_{j}$ means an event message published by the peer $p_{i}$ is allowed to be delivered to the peer $p_{j}$ . Topics which a peer $p_{j}$ subscribes are in the publication of the event message published by a peer $p_{i}$ . A pair of different peers $p_{i}$ and $p_{j}$ are equivalent with respect to information flow ( $p_{i} \leftrightarrow p_{j}$ ) iff $p_{i} \to p_{j}$ and $p_{j} \to p_{i}$ . A peer $p_{i}$ is compatible with a peer $p_{j}$ with respect to information flow ( $p_{i} ⇀ p_{j}$ ) iff $p_{i} ↛ p_{j}$ , i.e. $p_{i} . P \cap p_{j} . S = ϕ$ . There is no information flow relation from the peer $p_{i}$ to the peer $p_{j}$ if $p_{i}$ is compatible with $p_{j}$ ( $p_{i} ⇀ p_{j}$ ). A pair of peers $p_{i}$ and $p_{j}$ are compatible with one another with respect to information flow ( $p_{i} ⇌ p_{j}$ ) iff $p_{i} ⇀ p_{j}$ and $p_{j} ⇀ p_{i}$ .

In Example 1, the peer $p_{i}$ precedes the peer $p_{j}$ ( $p_{i} \to p_{j}$ ) since $p_{i} . P (= {y}) \cap p_{j} . S (= {x, y}) \neq ϕ$ . The peer $p_{i}$ publishes the event message $e_{1}$ with publication $e_{1} . P = {y}$ . Here, the event information included in the event message $e_{1}$ may be related with the topic y since the peer $p_{i}$ subscribes the topic y, i.e. $y \in p_{i} . S$ and an event message $e_{3}$ with a topic y may be delivered to the peer $p_{i}$ before the peer $p_{i}$ publishes the event message $e_{1}$ . The peer $p_{j}$ can subscribe the topic y. Hence, if the peer $p_{j}$ receives the event message $e_{1}$ which the peer $p_{i}$ publishes, no illegal information flow occurs from the peer $p_{i}$ to the peer $p_{j}$ . The peer $p_{j}$ precedes the peer $p_{k}$ ( $p_{j} \to p_{k}$ ) since $p_{j} . P (= {x, y}) \cap p_{k} . S (= {x, z}) \neq ϕ$ . However, if the event message $e_{2}$ published by the peer $p_{j}$ is delivered to the peer $p_{k}$ , the peer $p_{k}$ can obtain some information related with the implicit topic y. That is, illegal information flow via the peer $p_{j}$ might occur as presented here.

We first define a legal information flow relation (⇒) among peers as follows:
Definition.
A peer $p_{i}$ legally precedes a peer $p_{j}$ with respect to information flow ( $p_{i} \Rightarrow p_{j}$ ) iff one of the following conditions holds:
$p_{i} . S \neq ϕ$ , $p_{i} \to p_{j}$ , and $p_{i} . S \subseteq p_{j} . S$ .

For some peer $p_{k}$ , $p_{i} \Rightarrow p_{k}$ and $p_{k} \Rightarrow p_{j}$ .

The legal information flow relation ⇒ is transitive but not symmetric. Suppose $p_{i} \Rightarrow p_{j}$ for a pair of peers $p_{i}$ and $p_{j}$ . If the peer $p_{i}$ publishes an event message to the peer $p_{j}$ , information in the peer $p_{i}$ legally flows to the peer $p_{j}$ .

We consider a pair of peers $p_{i}$ and $p_{j}$ . If the peer $p_{i}$ precedes the peer $p_{j}$ ( $p_{i} \to p_{j}$ ), i.e. $p_{i} . P \cap p_{j} . S \neq ϕ$ , an event message published by a peer $p_{i}$ can be delivered to a peer $p_{j}$ . Otherwise, no information from the peer $p_{i}$ flows into the peer $p_{j}$ . The condition $p_{i} . S \subseteq p_{j} . S$ shows that every topic in the subscription $p_{i} . S$ is also in the subscription $p_{j} . S$ . This means, an event message from the peer $p_{i}$ to the peer $p_{j}$ includes no hidden topic for the peer $p_{j}$ .

In Example 1, the peer $p_{i}$ legally precedes the peer $p_{j}$ ( $p_{i} \Rightarrow p_{j}$ ) since the peer $p_{i}$ precedes the peer $p_{j}$ ( $p_{i} \to p_{j}$ ) and $p_{i} . S (= {y}) \subseteq p_{j} . S (= {x, y})$ . However, $p_{j} ⇏ p_{i}$ since $p_{j} \to p_{i}$ but $p_{j} . S ⊈ p_{i} . S$ . Thus, the information flow relation ⇒ is not symmetric.

A pair of peers $p_{i}$ and $p_{j}$ are legally equivalent with one another ( $p_{i} \Leftrightarrow p_{j}$ ) iff $p_{i} \Rightarrow p_{j}$ and $p_{j} \Rightarrow p_{i}$ . It is noted $p_{i} . S = p_{j} . S$ if $p_{i} \Leftrightarrow p_{j}$ .
Theorem.
For a pair of peers $p_{i}$ and $p_{j}$ , if $p_{i} \Rightarrow p_{j}$ and $p_{i} . S \neq p_{j} . S$ , $p_{j} \Rightarrow p_{i}$ does not hold.
Proof.
Suppose $p_{i} \Rightarrow p_{j}$ and $p_{i} . S \neq p_{j} . S$ . Since $p_{i} . S \subset p_{j} . S$ , $p_{j} \Rightarrow p_{i}$ does not hold. □

This means, the legal information flow relation ⇒ is acyclic.

Fig. 5.
Legal information flow ( $p_{j} \Rightarrow p_{k}$ ).
Example 2.
In Fig. 5, there are three peers $p_{i}$ , $p_{j}$ , and $p_{k}$ . Here, $p_{i} . P = {y}$ , $p_{i} . S = {y}$ , $p_{j} . P = {x}$ , $p_{j} . S = {x, y}$ , $p_{k} . P = {z}$ , and $p_{k} . S = {x, y, z}$ . Here, the peer $p_{i}$ legally precedes the peer $p_{j}$ ( $p_{i} \Rightarrow p_{j}$ ) since $p_{i} . S \subseteq p_{j} . S$ and $p_{i} . P \cap p_{j} . S \neq ϕ$ . In addition, $p_{j} \Rightarrow p_{k}$ . Thus, the peer $p_{i}$ precedes the peer $p_{j}$ ( $p_{i} \to p_{j}$ ) and the peer $p_{j}$ precedes the peer $p_{k}$ ( $p_{j} \to p_{k}$ ), i.e. $p_{i} \to p_{j} \to p_{k}$ but $p_{k} ⇏ p_{i}$ .

In Example 1, the peer $p_{j}$ precedes the peer $p_{k}$ ( $p_{j} \to p_{k}$ ) since $p_{j} . P \cap p_{k} . S \neq ϕ$ but $p_{j} ⇏ p_{k}$ . As presented in Example 1, illegal information flow occurs from the peer $p_{j}$ to the peer $p_{k}$ if the event message $e_{2}$ which the peer $p_{j}$ publishes is delivered to the peer $p_{k}$ .

We define an illegal information flow relation (↦) among peers as follows:
Definition.
A peer $p_{i}$ illegally precedes a peer $p_{j}$ with respect to information flow ( $p_{i} \mapsto p_{j}$ ) iff $p_{i} \to p_{j}$ but $p_{i} ⇏ p_{j}$ .

In Example 1, the peer $p_{j}$ illegally precedes the peer $p_{k}$ ( $p_{j} \mapsto p_{k}$ ). The illegal information flow relation ↦ is not transitive, differently from the transitive legal information flow relation ⇒. Even if $p_{i} \mapsto p_{j}$ and $p_{j} \mapsto p_{k}$ , $p_{i} \Rightarrow p_{k}$ may hold.

The following property holds on the illegal information flow relations ↦:
Theorem.
Let $p_{i}$ and $p_{j}$ be a pair of peers. Assume the peer $p_{i}$ does not illegally precede the peer $p_{j}$ ( $p_{i} \mapsto p_{j}$ ), i.e. $p_{i} \Rightarrow p_{j}$ or $p_{i} ⇀ p_{j}$ . There occurs no illegal information flow from the peer $p_{i}$ to the peer $p_{j}$ if the event message which the peer $p_{i}$ publishes is delivered to the peer $p_{j}$ .
Proof.
First, suppose the peer $p_{i}$ legally precedes the peer $p_{j}$ ( $p_{i} \Rightarrow p_{j}$ ). An event message which the peer $p_{i}$ publishes might be delivered to the peer $p_{j}$ . According to the definition, the peer $p_{j}$ can subscribe the topic x if the peer $p_{i}$ is granted a subscription access right $⟨ x, sb ⟩$ . That is, every event message which the peer $p_{i}$ publishes can be delivered to the peer $p_{j}$ . □
5. Safe systems

Let P be a set of peers $p_{1}, \dots, p_{pn}$ ( $pn ⩾ 1$ ) in a system S. We discuss a safe system where no illegal information flow occur in whatever order publications and subscriptions are issued by peers.

Definition.
A peer set P is safe iff one of the following conditions holds for every pair of peers $p_{i}$ and $p_{j}$ in the peer set P:
$p_{i} \Leftrightarrow p_{j}$ .

$p_{i} \Rightarrow p_{j}$ and $p_{j} ⇀ p_{i}$ .

$p_{i} ⇌ p_{j}$ .

In Example 2, there are three peers $p_{i}$ , $p_{j}$ , and $p_{k}$ , i.e. $P_{2}$ is a set ${p_{i}, p_{j}, p_{k}}$ of the peers. Here, the peer $p_{i}$ legally precedes the peer $p_{j}$ ( $p_{i} \Rightarrow p_{j}$ ), $p_{j} \Rightarrow p_{k}$ , and $p_{i} \Rightarrow p_{k}$ . In addition, the peer $p_{k}$ is compatible with the peer $p_{i}$ ( $p_{k} ⇀ p_{i}$ ), $p_{k} ⇀ p_{j}$ , and $p_{j} ⇀ p_{i}$ . Hence, the peer set $P_{2} = {p_{i}, p_{j}, p_{k}}$ is safe. Suppose a pair of peers $p_{i}$ and $p_{j}$ publish event messages $e_{i}$ and $e_{j}$ in this sequence. Since $p_{i} \Rightarrow p_{j}$ and $p_{i} \Rightarrow p_{k}$ , the event message $e_{i}$ is delivered to the peers $p_{j}$ and $p_{k}$ . The event message $e_{j}$ published by the peer $p_{j}$ is also delivered to the peer $p_{k}$ since $p_{j} \Rightarrow p_{k}$ . Hence, no illegal information flow occurs since $p_{i} \Rightarrow p_{j}$ , $p_{i} \Rightarrow p_{k}$ , and $p_{j} \Rightarrow p_{k}$ .

Next, suppose the peer $p_{k}$ first subscribes three topics x, y, and z and then the peer $p_{j}$ publishes the event message $e_{j}$ with publication $e_{j} . P = {x}$ . Then, the peer $p_{j}$ subscribes a pair of topics x and y and the peer $p_{i}$ publishes the event message $e_{i}$ . Here, since the peer $p_{k}$ is compatible with the peer $p_{j}$ ( $p_{k} ⇀ p_{j}$ ), $p_{k} ⇀ p_{i}$ , and $p_{j} ⇀ p_{i}$ , no illegal information flow occurs. Thus, no illegal information flow occurs even if the peers $p_{i}$ , $p_{j}$ , and $p_{k}$ publish and subscribe event messages in any order. However, the peer set $P_{1} = {p_{i}, p_{j}, p_{k}}$ shown in Fig. 4 is not safe because $p_{j} \to p_{k}$ but $p_{j} ⇏ p_{k}$ . Here, if the message $e_{j}$ published by the peer $p_{j}$ is delivered to the peer $p_{k}$ , illegal information flow may occur.

From the definitions, the following theorem holds: Theorem.
If a peer set P is safe, no illegal information flow occurs even if peers publish and receive event messages in any order.
Proof.
From the definitions, for every pair of peers $p_{i}$ and $p_{j}$ in a safe peer set P, if $p_{i} \to p_{j}$ and $p_{i} \Rightarrow p_{j}$ . If $p_{i} ⇀ p_{j}$ , any event message published by a peer $p_{i}$ is not delivered to the peer $p_{j}$ , i.e. no illegal information flow. □

6. Synchronization protocol

6.1. Subscription-based synchronization (SBS) protocol

We consider an unsafe system, where a peer set $P = {p_{1}, \dots, p_{pn}}$ is not safe. Here, it depends on the order in which peers publish event messages and event messages are delivered to peers whether or not illegal information flow to occur.

A peer $p_{i}$ is granted publication topics in the publication $p_{i} . P$ and subscription topics in the subscription $p_{i} . S$ . A peer $p_{i}$ is allowed to issue a publication operation $pb$ on a topic t only if $t \in p_{i} . P$ , i.e. publication access right $⟨ t, pb ⟩$ is granted to the peer $p_{i}$ . In addition, a peer $p_{i}$ is allowed to issue a subscription operation $sb$ on a topic t only if $t \in p_{i} . S$ , i.e. an access right $⟨ t, sb ⟩$ is granted to the peer $p_{i}$ .

In this paper, we propose a subscription-based synchronization (SBS) protocol to prevent illegal information flow in the TBAC model. In the SBS protocol, each peer $p_{i}$ keeps in record every publication topic of each message e which is delivered. A peer $p_{i}$ manipulates a variable $p_{i} . T$ to store topics carried by event messages. The variable $p_{i} . T$ is initially empty. Each time the peer $p_{i}$ receives an event message e published by a peer $p_{j}$ , the topics which the event message carries are added to the variable $p_{i} . T$ , i.e. $p_{i} . T = p_{i} . T \cup p_{j} . S$ .

Subscription-based synchronization (SBS) protocol.
A peer $p_{i}$ publishes an event message e and the peer $p_{i}$ precedes a peer $p_{j}$ with respect to information flow ( $p_{i} \to p_{j}$ ).
If $p_{i} . T \subseteq p_{j} . S$ , the event message e is delivered to a peer $p_{j}$ and $p_{j} . T = p_{j} . T \cup p_{i} . S$ .

Otherwise, the event message e is banned at the peer $p_{j}$ .
If $p_{i}$ illegally precedes $p_{j}$ ( $p_{i} \mapsto p_{j}$ ), the event message e published by a peer $p_{i}$ is banned at a destination peer $p_{j}$ in the SBS protocol.

Suppose there are three peers $p_{i}$ , $p_{j}$ , and $p_{k}$ as shown in Fig. 6. Here, the publications of the peers are $p_{i} . P = {y}$ , $p_{j} . P = {x}$ , and $p_{k} . P = {z}$ where x, y, and z are topics. The subscriptions $p_{i} . S = {y}$ , $p_{j} . S = {x, y}$ , and $p_{k} . S = {x, z}$ . The topic sets $p_{i} . T$ , $p_{j} . T$ , and $p_{k} . T$ are initially ϕ. First, the peer $p_{i}$ publishes an event message with publication ${y}$ ( $\subseteq p_{i} . P$ ). Here, the event message is delivered to the peer $p_{j}$ since $p_{i} \to p_{j}$ and $p_{i} . T \subseteq p_{j} . S$ . The topic set $p_{j} . T$ of the peer $p_{j}$ is changed with a set ${y}$ of topics since $p_{j} . T = p_{i} . S (= {y}) \cup p_{j} . T (= ϕ) = {y}$ . Then, the peer $p_{j}$ publishes an event message e with publication ${x}$ ( $\subseteq p_{j} . P$ ). Here, the illegal information flow from the peer $p_{j}$ to the peer $p_{k}$ occurs since $p_{j} . T ⊈ p_{k} . S$ . Hence, the event message e from the peer $p_{j}$ is banned at the peer $p_{k}$ .
Properties.
For every pair of peers $p_{i}$ and $p_{j}$ , the SBS protocol has the following properties:
If the peer $p_{i}$ illegally precedes the peer $p_{j}$ ( $p_{i} \mapsto p_{j}$ ), every event message published by the peer $p_{i}$ is banned at the target peer $p_{j}$ .

Even if some event message published by the peer $p_{i}$ is banned at the peer $p_{j}$ , $p_{i} \mapsto p_{j}$ may not hold.

An event message e is unnecessarily banned at the peer $p_{j}$ iff the event message e is banned at the peer $p_{j}$ but $p_{i} \mapsto p_{j}$ .

Fig. 6.
SBS protocol.
6.2. Implementation

The variables $p_{i} . P$ , $p_{i} . S$ , and $p_{i} . T$ of a peer $p_{i}$ are implemented in a bitmap. Each bitmap of a peer $p_{i}$ is composed of $tn$ ( $⩾ 1$ ) bits for number $tn$ of topics $t_{1}, \dots, t_{tn}$ in the topic set T.

Let $x . T$ denotes bitmaps of topics in a peer of an event message x. Here, $x . T^{k}$ shows the kth bit in a bitmap $x . T$ where an entity x stands for a peer $p_{i}$ . In the topic bitmap $x . T$ , if a topic $t_{k}$ is included in a variable $x . T$ , the kth bit $x . T^{k}$ is 1. For example, the subscription variable $p_{2} . S = {t_{1}, t_{3}, t_{5}}$ of a peer $p_{2}$ is represented in a bitmap $101010 \dots 0$ . The union $x . A \cup y . B$ of bitmaps $x . A$ and $y . B$ is realized by taking a disjunction of the bitmaps $x . A$ and $y . B$ . The length of a topic bitmap $x . T$ is $O (tn)$ for number $tn$ of topics $t_{1}, \dots, t_{tn}$ . Each event message e carries the publication $e . P$ in a bitmap form. Each peer $p_{i}$ also holds the subscription $p_{i} . S$ , the publication $p_{i} . P$ , and the topic set $p_{i} . T$ in a bitmap form. Intersection and union of publication and subscription are easily performed in the bitmap operation.

7. Evaluation

There occur no illegal information flow among peers in the SBS protocol as discussed in the preceding section. Next, we evaluate the SBS protocol in terms of event messages banned on a topic set T and peer set P. If an event message may be illegally delivered to a peer $p_{i}$ , the event message is banned in the SBS protocol. In the SBS protocol, the topic set $p_{i} . T$ is updated each time an event message is delivered to the peer $p_{i}$ . We assume an event message can be reliably broadcast to every target peer.

In the evaluation, there are $tn$ ( $⩾ 1$ ) topics $t_{1}, \dots, t_{tn}$ , i.e. $T = {t_{1}, \dots, t_{tn}}$ . A pair of publish ( $pb$ ) and subscribe ( $sb$ ) operations are supported on each topic $t_{k}$ . There are $pn$ ( $⩾ 1$ ) peers $p_{1}, \dots, p_{pn}$ in a system, i.e. $P = {p_{1}, \dots, p_{pn}}$ . Each peer $p_{i}$ is granted the publication $p_{i} . P$ and subscription $p_{i} . S$ . Topics in the subsets $p_{i} . P$ and $p_{i} . S$ are randomly selected from the topic set T, i.e. subscription and publication access rights are randomly granted to each peer $p_{i}$ . The publication $p_{i} . P$ of each peer $p_{i}$ is composed of $p t n_{i}$ ( $⩽ tn$ ) topics. In the evaluation, the number $p t n_{i}$ of topics in the publication $p_{i} . P$ of each peer $p_{i}$ is randomly selected out of numbers $0, 1, \dots, tn$ . The subscription $p_{i} . S$ of each peer $p_{i}$ is composed of ${stn}_{i}$ ( $⩽ mstn$ ) topics. In the evaluation, the number ${stn}_{i}$ of topics in the subscription $p_{i} . S$ of each peer $p_{i}$ is randomly selected out of numbers $0, 1, \dots, mstn$ . The topic set $p_{i} . T$ of a peer $p_{i}$ are initially empty. In the SBS protocol, the more number of event messages exchanged by publication and subscription are performed, the more number of event messages are banned.

First, a peer $p_{i}$ is randomly selected in the peer set P. Then, the peer $p_{i}$ publishes an event message with a topic t included in the publication $p_{i} . P$ to every destination peer $p_{j}$ whose subscription $p_{j} . S$ includes the topic t. In the SBS protocol, each time an event message is delivered to a target peer $p_{j}$ , it is checked if illegal information flow to occur as discussed in this paper. If illegal information flow might occur, the event message is banned. Thus, no illegal information flow from the peer $p_{i}$ to the peer $p_{j}$ occurs but some event message banned may not cause illegal information flow.

In the evaluation, we consider twenty topics ( $tn = 20$ ) and fifty peers ( $pn = 50$ ), i.e. $T = {t_{1}, \dots, t_{20}}$ and $P = {p_{1}, \dots, p_{50}}$ . First, publications and subscriptions of each peer $p_{i}$ are randomly generated on twenty topics $t_{1}, \dots, t_{20}$ in the set T. n shows the total number of publications of event messages published by the peers $p_{1}, \dots, p_{50}$ . Here, $0 ⩽ n ⩽ 500$ . The number n of publications are performed on the topic set T in the SBS protocol. We randomly create a peer set P on the topic set T seven hundred times for each n. The maximum number $mstn$ of topics in each subscription is eight ( $mstn = 8$ ). This means, the number of topics in the subscription of each peer is randomly selected out of numbers $0, \dots, 8$ . One peer $p_{i}$ is randomly selected in the peer set P and one topic t is randomly selected in $p_{i} . P$ . Then, the peer $p_{i}$ publishes an event message e with the topic t. The event message e is delivered to a target peer $p_{j}$ . Then, the legal information flow condition is checked. If not satisfied, the event message e is banned. This step is iterated n times. For a given peer set P, n publications are performed seven hundred times in the SBS protocol.

Fig. 7.

Number of event messages banned in the SBS protocol.

Figure 7 shows the number of event messages banned for number n of publications in the SBS protocol. The dotted line with crosses (×) shows the total number of event messages published by the peers. For example, if 500 event messages are published ( $n = 500$ ), totally 2,850 peers receive the event messages. This means, one event message is on average delivered to 6 peers. The dotted line with boxes (□) indicates the total number of event messages which cause illegal information flow. For example, about 1,300 event messages are illegal out of 2,850 event messages for $n = 500$ . The straight line shows the total number of event messages banned in the SBS protocol, which is about 4% larger than the dotted line with boxes (□). This means, every illegal information flow is prevented but about 4% of event messages which do not cause illegal information flow are unnecessarily banned in the SBS protocol. The more number n of publications are performed, the more number of event messages are banned. For example, if fifty publications are performed ( $n = 50$ ), about 100 event messages are banned where about 10 event messages are unnecessarily banned. If five hundred publications are performed ( $n = 500$ ), about 1,350 event messages are banned where about 60 event messages are unnecessarily banned.

8. Concluding remarks

In this paper, we newly proposed the topic-based access control (TBAC) model in topic-based publish/subscribe (PS) systems. Then, we discussed the legal information flow among peers in a peer-to-peer PS (P2PPS) system based on the TBAC model. We first defined the legal information flow relation $p_{i} \Rightarrow p_{j}$ among a pair of peers $p_{i}$ and $p_{j}$ based on the TBAC model. This means, if an event message published by a peer $p_{i}$ is delivered to a peer $p_{j}$ , no illegal information flow occurs. Then, we defined a safe system where no illegal information flow occurs in whatever order of event messages are published and delivered by the peers. In this paper, we proposed the subscription-based synchronization (SBS) protocol to prevent illegal information flow in an unsafe system. In the SBS protocol, the event messages which may cause illegal information flow are banned. However, some event messages which cause illegal information flow are unnecessarily banned. We evaluated the SBS protocol in terms of number of event messages banned. In the evaluation, we showed about 4% of legal event messages are unnecessarily banned in the SBS protocol. We are now discussing a synchronization protocol to ban only and every event message which causes illegal information flow.

Footnotes

Acknowledgements

This work was supported by Japan Society for the Promotion of Scienc (JSPS) KAKENHI and Grant-in-Aid for JSPS Research Fellow grant numbers 15H0295 and 17J00106, respectively. The authors would like to thank JSPS for the support.

References

Bacon,

D.M.

Eyers,

Singh and

P.R.

Pietzuch, Access control in publish/subscribe systems, in: Proc. of the 2nd International Conference on Distributed Event-Based Systems, 2008, pp. 23–34.

Blanco and

Alencar, Event models in distributed event based systems, in: Principles and Applications of Distributed Event-Based Systems, 2010, pp. 19–42. doi:10.4018/978-1-60566-697-6.ch002.

Coulouris,

Dollimore,

Kindberg and

Blair, Distributed Systems Concepts and Design, Addison Wesley, 2011.

D.E.R.

Denning, Cryptography and Data Security, Addison Wesley, 1982.

Enokido and

Takizawa, A legal information flow (LIF) scheduler based on role-based access control model, International Journal of Computer Standard and Interfaces 31(5) (2009), 906–912. doi:10.1016/j.csi.2008.03.013.

Enokido and

Takizawa, A purpose-based synchronization protocol for secure information flow control, International Journal of Computer Systems Science and Engineering 25(2) (2010), 25–32.

Enokido and

Takizawa, Purpose-based information flow control for cyber engineering, IEEE Transactions on Industrial Electronics 58(6) (2011), 2216–2225. doi:10.1109/TIE.2010.2051393.

Esposito,

Castiglione,

Palmieri,

Ficco and

K.-K.R.

Choo, A publish/subscribe protocol for event-driven communications in the Internet of things, in: Proc. of the IEEE 14th International Conference on Dependable, Autonomic and Secure Computing, 2016, pp. 376–383.

P.T.

Eugster,

P.A.

Felber,

Guerraoui and

A.-M.

Kermarrec, The many faces of publish/subscribe, ACM Computing Surveys 35(2) (2003), 114–131. doi:10.1145/857076.857078.

10.

D.F.

Ferraiolo,

D.R.

Kuhn and

Chandramouli, Role-Based Access Controls, 2nd ed., Artech, 2007.

11.

Google alert. http://www.google.com/alerts.

12.

Lamport, Time, clocks, and the ordering of event in a distributed systems, Communications of the ACM 21(7) (1978), 558–565. doi:10.1145/359545.359563.

13.

Nakamura,

Duolikun,

Enokido and

Takizawa, A write abortion-based protocol in role-based access control systems, International Journal of Adaptive and Innovative Systems 2(2) (2015), 142–160. doi:10.1504/IJAIS.2015.072139.

14.

Nakamura,

Duolikun,

Enokido and

Takizawa, A flexible read-write abortion protocol to prevent illegal information flow among objects, Journal of Mobile Multimedia 11(3–4) (2015), 263–280.

15.

Nakamura,

Duolikun,

Enokido and

Takizawa, A read-write abortion (RWA) protocol to prevent illegal information flow in role-based access control systems, International Journal of Space-Based and Situated Computing 6(1) (2016), 43–53. doi:10.1504/IJSSC.2016.076564.

16.

Nakamura,

Duolikun and

Takizawa, Read-abortion (RA) based synchronization protocols to prevent illegal information flow, Journal of Computer and System Sciences 81(8) (2015), 1441–1451. doi:10.1016/j.jcss.2014.12.020.

17.

Nakamura,

Enokido and

Takizawa, Subscription initialization (SI) protocol to prevent illegal information flow in peer-to-peer publish/subscribe systems, in: Proc. of the 19th International Conference on Network-Based Information Systems (NBiS-2016), 2016, pp. 42–49.

18.

Nakamura,

Enokido and

Takizawa, Topic-based synchronization (TBS) protocols to prevent illegal information flow in peer-to-peer publish/subscribe systems, in: Proc. of the 11th International Conference on Broadband and Wireless Computing, Communication and Applications (BWCCA-2016), 2016, pp. 57–68.

19.

Nakamura,

Enokido and

Takizawa, Sensitivity-based synchronization protocol to prevent illegal information flow among objects, International Journal of Web and Grid Services (IJWGS) 13(3) (2017), 315–333. doi:10.1504/IJWGS.2017.085147.

20.

Nakamura,

Enokido and

Takizawa, A flexible read-write abortion protocol with role safety concept to prevent illegal information flow, Journal of Ambient Intelligence and Humanized Computing (AIHC) (accepted).

21.

Nakamura,

Ogiela,

Enokido and

Takizawa, Flexible synchronization protocol to prevent illegal information flow in peer-to-peer publish/subscribe systems, in: Proc. of the 11th International Conference on Complex, Intelligent, and Software Intensive Systems (CISIS-2017), 2017, pp. 82–93.

22.

Nakamura,

Ogiela,

Enokido and

Takizawa, Evaluation of flexible synchronization protocol to prevent illegal information flow in P2PPS systems, in: Proc. of the 20th International Conference on Network-Based Information Systems (NBiS-2017), 2017, pp. 66–77.

23.

Nakamura,

Ogiela,

Enokido and

Takizawa, Evaluation of protocols to prevent illegal information flow in peer-to-peer publish/subscribe systems, in: Proc. of IEEE the 31st International Conference on Advanced Information Networking and Applications (AINA-2017), 2017, pp. 631–638.

24.

Nakayama,

Duolikun,

Enokido and

Takizawa, Selective delivery of event messages in peer-to-peer topic-based publish/subscribe systems, in: Proc. of the 18th International Conference on Network-Based Information Systems (NBiS-2015), 2015, pp. 379–386.

25.

Nakayama,

Duolikun,

Enokido and

Takizawa, Reduction of unnecessarily ordered event messages in peer-to-peer model of topic-based publish/subscribe systems, in: Proc. of IEEE the 30th International Conference on Advanced Information Networking and Applications (AINA-2016), 2016, pp. 1160–1167.

26.

Nakayama,

Nakamura,

Enokido and

Takizawa, Topic-based causally ordered delivery of event messages in a peer-to-peer (P2P) model of publish/subscribe systems, in: Proc. of the 7th International Workshop on Heterogeneous Networking Environments and Technologies (W-HETNET-2016), 2016, pp. 348–354.

27.

Nakayama,

Ogawa,

Nakamura,

Enokido and

Takizawa, Topic-based selective delivery of event messages in peer-to-peer model of publish/subscribe systems in heterogeneous networks, in: Proc. of the 31st International Conference on Advanced Information Networking and Applications Workshops (WAINA-2017), 2017, pp. 327–334.

28.

Osborn,

R.S.

Sandhu and

Munawer, Configuring role-based access control to enforce mandatory and discretionary access control policies, ACM Transactions on Information and System Security 3(2) (2000), 85–106. doi:10.1145/354876.354878.

29.

R.S.

Sandhu, Lattice-based access control models, IEEE Computer 26(11) (1993), 9–19. doi:10.1109/2.241422.

30.

R.S.

Sandhu,

E.J.

Coyne,

H.L.

Feinstein and

C.E.

Youman, Role-based access control models, IEEE Computer 29(2) (1996), 38–47. doi:10.1109/2.485845.

31.

Sarath and

Eric, Controlling privacy disclosure of third party applications in online social networks, International Journal of Web Information Systems (IJWIS) 12(2) (2016).

32.

Setty,

van Steen,

Vitenberg and

Voulgaris, PolderCast: Fast, robust, and scalable architecture for P2P topic-based pub/sub, in: Proc. of ACM/IFIP/USENIX 13th International Conference on Middleware (Middleware 2012), 2012, pp. 271–291.

33.

Tarkoma, Publish/Subscribe System: Design and Principles, 1st edn., John Wiley and Sons, Ltd, 2012. doi:10.1002/9781118354261.

34.

Tarkoma,

Ain and

Visala, The publish/subscribe Internet routing paradigm (PSIRP): Designing the future Internet architecture, in: Future Internet Assembly, 2009, pp. 102–111.

35.

A.B.

Waluyo,

Taniar,

Rahayu,

Aikebaier,

Takizawa and

Srinivasan, Trustworthy-based efficient data broadcast model for P2P interaction in resource-constrained wireless environments, Journal of Computer and System Sciences (JCSS) 78(6) (2012), 1716–1736. doi:10.1016/j.jcss.2011.10.019.

36.

Yamamoto and

Hayashibara, Merging topic groups of a publish/subscribe system in causal order, in: Proc. of the 31st International Conference on Advanced Information Networking and Applications Workshops (WAINA-2017), 2017, pp. 172–177.

37.

Zeng,

Yang and

Luo, Content-based access control: Use data content to assist access control for large-scale content-centric databases, in: IEEE International Conference on Big Data, 2014, pp. 701–710.