Abstract
People often share sensitive personal information through online social networks (OSNs) to keep in touch with their friends and families. Such sensitive information, if leaked inadvertently to malicious third parties, may have disastrous consequences for the lives of individuals. Access control policies need to be specified, analyzed, enforced, and managed in a manner simple enough for regular OSN users. We demonstrate how this can be done. We first propose a simple model that captures the typical OSN features and show how to represent it using an Entity-Relationship Diagram. The numerous features of an OSN interact with each other in subtle ways, which makes it easy for the naïve user to make misconfiguration errors. To address this, we illustrate how our OSN model can be formalized in Alloy and its constraints adequately captured. Alloy has an embedded SAT solver, which makes it amenable to analysis. We illustrate how potential misconfigurations caused by the user can be automatically detected by the SAT solver. Finally, we show how OSN policies can be enforced, managed, and changed through the Policy Machine, which is an attribute-based access control framework.
R. France—Involved in the discussion of this work, but now deceased.
Acknowledgement
This work is based on research sponsored by NIST under agreement number 70NANB14H059, by an internal grant from Colorado State University, and by NSF under award number CCF-1018711.
Copyright information
© 2015 Springer International Publishing Switzerland
About this paper
Cite this paper
Bennett, P., Ray, I., France, R. (2015). Modeling of Online Social Network Policies Using an Attribute-Based Access Control Framework. In: Jajodia, S., Mazumdar, C. (eds) Information Systems Security. ICISS 2015. Lecture Notes in Computer Science, vol 9478. Springer, Cham. https://doi.org/10.1007/978-3-319-26961-0_6
DOI: https://doi.org/10.1007/978-3-319-26961-0_6
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-26960-3
Online ISBN: 978-3-319-26961-0
eBook Packages: Computer Science, Computer Science (R0)