Social Networking with Frientegrity: Privacy and Integrity with an Untrusted Provider

Today's social networking services require users to trust the service provider with the confidentiality and integrity of their data. But with their history of data leaks and privacy controversies, these services are not always deserving of this trust. Indeed, a malicious provider could not only violate users' privacy, it could equivocate and show different users divergent views of the system's state. Such misbehavior can lead to numerous harms, including surreptitious censorship. In light of these threats, this paper presents Frientegrity, a framework for social networking applications that can be realized with an untrusted service provider. In Frientegrity, a provider observes only encrypted data and cannot deviate from correct execution without being detected. Prior secure social networking systems have either been decentralized, sacrificing the availability and convenience of a centralized provider, or have focused almost entirely on users' privacy while ignoring the threat of equivocation. On the other hand, existing systems that are robust to equivocation do not scale to the needs of social networking applications, in which users may have hundreds of friends and are mainly interested in the latest updates, not in the thousands that may have come before. To address these challenges, we present a novel method for detecting provider equivocation in which clients collaborate to verify correctness. In addition, we introduce an access control mechanism that offers efficient revocation and scales logarithmically with the number of friends. We present a prototype implementation demonstrating that Frientegrity provides latency and throughput that meet the needs of a realistic workload.
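As an added illustration of the equivocation threat the abstract describes (not Frientegrity's own protocol, which the abstract does not detail), the following Python models a hash-chained per-object history: clients that pool the chains they were served can distinguish an honest lag (one chain is a prefix of the other) from a fork, where the provider showed two clients divergent histories. The operation format and client names are constructed for the example.

```python
import hashlib
import json

GENESIS = "0" * 64


def chain(ops):
    """Build the hash chain a client derives from the operation log it was served.
    Each link commits to the previous link and to the operation, so a provider
    cannot alter or omit an earlier operation without changing every later hash."""
    hashes, prev = [], GENESIS
    for op in ops:
        prev = hashlib.sha256((prev + json.dumps(op, sort_keys=True)).encode()).hexdigest()
        hashes.append(prev)
    return hashes


def is_prefix(shorter, longer):
    return len(shorter) <= len(longer) and longer[:len(shorter)] == shorter


def views_consistent(chain_a, chain_b):
    """Two views are consistent if one is a prefix of the other (a client may simply
    lag behind). Any other relationship means the two clients were shown divergent
    histories: a fork, i.e. provider equivocation."""
    return is_prefix(chain_a, chain_b) or is_prefix(chain_b, chain_a)


def detect_equivocation(views):
    """views: client name -> list of operations that client was served.
    Clients pool their views; returns the client pairs whose histories forked."""
    chains = {name: chain(ops) for name, ops in views.items()}
    names = sorted(chains)
    forks = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if not views_consistent(chains[a], chains[b]):
                forks.append((a, b))
    return forks


# Constructed sample: the provider serves Alice the full log, serves Bob a stale
# but honest prefix, and quietly drops post 2 from Carol's view (surreptitious
# censorship). Only Carol's view forks from the others.
POSTS = [{"seq": 1, "author": "alice", "text": "hello"},
         {"seq": 2, "author": "bob", "text": "meet at noon"},
         {"seq": 3, "author": "alice", "text": "see you there"}]
SAMPLE_VIEWS = {"alice": POSTS, "bob": POSTS[:2], "carol": [POSTS[0], POSTS[2]]}

if __name__ == "__main__":
    print(detect_equivocation(SAMPLE_VIEWS))  # → [('alice', 'carol'), ('bob', 'carol')]
```

Alice and Bob stay consistent because Bob's chain is a prefix of Alice's; Carol's chain diverges at the second link, which is exactly what a pooled comparison exposes and what no single client could see on its own.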
