Implementing A Multi-Hat PDA
Matthew Johnson and Frank Stajano
University of Cambridge Computer Laboratory
The Problem
- The PDA is obviously designed as a single-user machine
- Some functions of a PDA we want to be password-protected:
- Some functions do not need a password:
- As it stands, just using the calculator requires a password.
- You still cannot lend out the calculator without also giving access to your email.
The many hats idea
- The PDA may be a single-user machine, but it does not have a single policy.
- User can assume several roles with different privileges and credentials.
- The user may switch between roles without interrupting sessions in progress.
- One role can be accessed with no credentials.
Multi-hat security rules
- Hats.
The machine supports a finite number of hats, each with its own credentials. Exactly one of these is the null hat, which has no credentials.
- Sessions.
The machine supports simultaneous sessions; each belongs to a hat and is either active or locked.
- Session Unicity.
For each hat there is at most one session.
- Hat Selection.
There is a convenient way to select any hat. This activates or, if necessary, creates the session for that hat.
- Switching Sessions.
To activate a session you must present the credentials of its hat (for the null hat there are none to present).
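The five rules above can be checked as an executable model. The following is an added example written for this page, not code from the authors' PDA implementation: hats carry a salted password hash (the null hat carries none), sessions are kept in a dictionary keyed by hat so unicity holds by construction, and selecting a hat first checks its credentials and then activates or creates its session. One assumption not stated in the rules is made explicit in a comment: only one session is active at a time, so selecting a hat locks the previously active session rather than discarding it.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Optional

NULL_HAT = "null"  # rule "Hats": the one hat that has no credentials


@dataclass
class Hat:
    """A hat and the credential needed to wear it (none for the null hat)."""
    name: str
    salt: Optional[bytes] = None
    digest: Optional[bytes] = None

    @classmethod
    def with_password(cls, name: str, password: str) -> "Hat":
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        return cls(name, salt, digest)

    def accepts(self, credential: Optional[str]) -> bool:
        if self.digest is None:          # null hat: nothing to present
            return True
        if credential is None:
            return False
        candidate = hashlib.pbkdf2_hmac("sha256", credential.encode(), self.salt, 100_000)
        return hmac.compare_digest(candidate, self.digest)  # constant-time compare


@dataclass
class Session:
    """Rule "Sessions": belongs to one hat, is active or locked; state survives a lock."""
    hat: str
    locked: bool = False
    state: dict = field(default_factory=dict)


class MultiHatPDA:
    def __init__(self, hats):
        self.hats = {h.name: h for h in hats}
        if NULL_HAT not in self.hats or self.hats[NULL_HAT].digest is not None:
            raise ValueError("exactly one credential-less null hat is required")
        if any(h.digest is None for n, h in self.hats.items() if n != NULL_HAT):
            raise ValueError("every hat other than the null hat needs credentials")
        self.sessions: dict[str, Session] = {}   # rule "Session Unicity": keyed by hat
        self.active: Optional[str] = None
        self.select_hat(NULL_HAT)                # power-on: wear the null hat

    def select_hat(self, name: str, credential: Optional[str] = None) -> Session:
        """Rule "Hat Selection": activate, or create and activate, the hat's session."""
        if name not in self.hats:
            raise KeyError(f"unknown hat {name!r}")
        if not self.hats[name].accepts(credential):      # rule "Switching Sessions"
            raise PermissionError(f"bad credentials for hat {name!r}")
        if self.active is not None and self.active != name:
            # Assumption (not in the rules): one active session at a time, so the
            # previous session is locked, not interrupted; its state is kept.
            self.sessions[self.active].locked = True
        session = self.sessions.get(name)
        if session is None:
            session = Session(name)
            self.sessions[name] = session
        session.locked = False
        self.active = name
        return session

    def active_session(self) -> Session:
        return self.sessions[self.active]


def demo() -> MultiHatPDA:
    # Constructed sample hats; passwords are illustrative only.
    pda = MultiHatPDA([Hat(NULL_HAT),
                       Hat.with_password("email", "correct horse"),
                       Hat.with_password("work", "battery staple")])
    mail = pda.select_hat("email", "correct horse")
    mail.state["draft"] = "unsent reply"      # work in progress under the email hat
    pda.select_hat(NULL_HAT)                  # lend the PDA: calculator only, no password
    return pda


if __name__ == "__main__":
    pda = demo()
    print(pda.active, {n: s.locked for n, s in pda.sessions.items()})
```

Lending the calculator is the null-hat case: selecting the null hat needs no credential, and the email session is locked but not lost, so reselecting the email hat with its password returns the same session with the draft still in it.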