Digital Rights Enforcement for Pervasive Computing Applications

Abstract:
Increasingly, application software is expanding from the desktop into mobile application environments,
such as handset devices and embedded systems which are more limited in resources and volatile in their
network connectivity. An integrated architecture that can protect intellectual property for both types
of environments should offer the promise of reduced software maintenance costs. Software licensing is
an existing mechanism by which specific license agreements are enforced between a software provider
and the users of the software. Usually, the license terms are activated by a unique activation code
delivered to the user. Digital Rights Management (DRM) is a more recent development that covers
the description, identification, trading, protection, monitoring, and tracking of all forms of rights usage
over both tangible and intangible assets. This includes the management of Rights Holder relationships
with the help of special-purpose rights expression languages (REL). Both software licensing and DRM
approaches have failed to address the new challenges posed by protecting intellectual property for mobile
application software. This thesis, therefore, proposes a solution to merge the best of both approaches for
the special case of application software rights enforcement. It is targeted to mobile computing platforms
to meet the challenges in that area.
Existing distributed software licensing systems were originally designed for fixed network applications
and typically assume the immediate availability of a network connection to verify and validate rights with
a rights server. Yet this approach is not feasible for mobile environments because of their occasionally
connected network characteristics. Moreover, software licensing systems do not implement an existing standard for
the description of license terms, which causes interoperability issues with asset management software. The
focus of the DRM community to date has been on rights management for media content, which has
left many issues unresolved for the specific case of rights management for application software. The
difficulties of developing an all-encompassing DRM solution for the media industry have left standards-based
work on the enforcement of rights for application software under-specified. This is mainly because
the media industry requires a broad consensus of hardware and software manufacturers to implement
an agreed standard, whereas application software does not require runtime support of the underlying
hardware or any third party applications.
The existing rights expression languages supported by DRM systems lack the support for the explicit
specification of application-level features. Existing usage-based restrictions on digital work usually
include display, print, play, and execute permissions. Also, the assumption of immediate or constant
network connectivity to a rights management server cannot be made for the validation and enforcement
of rights on a pervasive computing platform, because factors such as network unavailability have to be
anticipated. Therefore, the introduction of more flexible rights models for occasionally connected mobile
environments is required. This is achieved through the specification and implementation of novel rights
models, such as audit-based and feature-based models.
The introduction of these flexible rights models poses new challenges to designing an enforcement
architecture for pervasive environments. The enforcement architecture has to deal with resource constraints
on mobile devices, such as limited memory and processor power, while at the same time providing
an extensible set of APIs so that it can be adapted for different computing platforms.
This thesis proposes a solution to enforce and deliver application software rights implemented in
a generic enforcement framework, based on an extended version of the Open Digital Rights Language
(ODRL), called PARMA REL, that accounts for the characteristics of applications in pervasive environments.
In particular, the architecture supports the enforcement of audit-based and feature-based rights
models. While the architecture in this thesis has specific support for mobile environments, it has also
been designed to operate in a fixed network environment. A further contribution of this thesis is to
present a pervasive application rights enforcement framework which does not make any assumptions on
the target platform by basing the design on the dependency inversion and Hollywood principles. The
architecture is designed in a way that decouples functional and rights enforcement logic. It supports the
association of rights with application-level features by leveraging aspect-oriented software engineering
techniques to weave the enforcement as an orthogonal service into any existing J2ME, J2SE, or J2EE
application. This makes it possible to restrict access to certain modules at runtime. Developer support
is provided by tools to generate aspects based on the rights description and the target platform. Furthermore,
an MDA-oriented development process is introduced to cover the generation and weaving of rights
into the application in a non-intrusive manner.
Consequently, the rights models designed for pervasive computing environments combined with the
flexible enforcement architecture enable the enforcement of rights of applications in new, sophisticated
and standard-compliant ways. The enforcement architecture is evaluated with respect to the ability
to adapt to different platforms, to operate in resource-constrained environments, and to guard against
potential attacks. Also, the execution and runtime overhead of the enforcement logic is evaluated, and
the architecture is compared with existing enforcement architectures. The enforcement architecture is
implemented for two platforms, J2ME and J2SE.
Author: Dahlem, Dominik
Advisor: Dowling, Jim
Qualification name: Master of Science (M.Sc.)
Availability: Full text available
Keywords: Computer Science