Collaborative Policy Administration

Policy-based management is a very effective method to protect sensitive information. However, the overclaim of privileges is widespread in emerging applications, including mobile applications and social network services, because the applications' users involved in policy administration have little knowledge of policy-based management. The overclaim can be leveraged by malicious applications, then lead to serious privacy leakages and financial loss. To resolve this issue, this paper proposes a novel policy administration mechanism, referred to as collaborative policy administration (CPA for short), to simplify the policy administration. In CPA, a policy administrator can refer to other similar policies to set up their own policies to protect privacy and other sensitive information. This paper formally defines CPA and proposes its enforcement framework. Furthermore, to obtain similar policies more effectively, which is the key step of CPA, a text mining-based similarity measure method is presented. We evaluate CPA with the data of Android applications and demonstrate that the text mining-based similarity measure method is more effective in obtaining similar policies than the previous category-based method.

[1]  Jerome H. Saltzer,et al.  The protection of information in computer systems , 1975, Proc. IEEE.

[2]  Ravi S. Sandhu,et al.  The ARBAC99 model for administration of roles , 1999, Proceedings 15th Annual Computer Security Applications Conference (ACSAC'99).

[3]  Roch Guérin,et al.  A Framework for Policy-based Admission Control , 2000, RFC.

[4]  Andrea Westerinen,et al.  Policy Core Information Model - Version 1 Specification , 2001, RFC.

[5]  Dinesh C. Verma,et al.  Simplifying network administration using policy-based management , 2002, IEEE Netw..

[6]  Elisa Bertino,et al.  X-GTRBAC admin: a decentralized administration model for enterprise wide access control , 2004, SACMAT '04.

[7]  Ninghui Li,et al.  Administration in role-based access control , 2007, ASIACCS '07.

[8]  Emil C. Lupu,et al.  Policy based management , 2008 .

[9]  Patrick D. McDaniel,et al.  Semantically Rich Application-Centric Security in Android , 2009, 2009 Annual Computer Security Applications Conference.

[10]  Patrick D. McDaniel,et al.  Understanding Android Security , 2009, IEEE Security & Privacy Magazine.

[11]  Patrick D. McDaniel,et al.  On lightweight mobile phone application certification , 2009, CCS.

[12]  Yuval Elovici,et al.  Google Android: A State-of-the-Art Review of Security Mechanisms , 2009, ArXiv.

[13]  Byung-Gon Chun,et al.  TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones , 2010, OSDI.

[14]  Xinwen Zhang,et al.  Apex: extending Android permission model and enforcement with user-defined runtime constraints , 2010, ASIACCS '10.

[15]  Yuval Elovici,et al.  Google Android: A Comprehensive Security Assessment , 2010, IEEE Security & Privacy.

[16]  Dick Hardt,et al.  The OAuth 2.0 Protocol , 2010 .

[17]  Paul C. van Oorschot,et al.  A methodology for empirical analysis of permission-based security models and its application to android , 2010, CCS '10.

[18]  Z. Hasan A Survey on Shari’Ah Governance Practices in Malaysia, GCC Countries and the UK , 2011 .

[19]  Handbook of Network and System Administration , 2011 .

[20]  Wenyuan Xu,et al.  Poster: collaborative policy administration , 2011, CCS '11.

[21]  Steve Hanna,et al.  A survey of mobile malware in the wild , 2011, SPSM '11.

[22]  Seungyeop Han,et al.  These aren't the droids you're looking for: retrofitting android to protect data from imperious applications , 2011, CCS '11.

[23]  Steve Hanna,et al.  Android permissions demystified , 2011, CCS '11.

[24]  Weili Han,et al.  A survey on policy languages in network and security management , 2012, Comput. Networks.

[25]  Mohamed Shehab,et al.  Recommendation Models for Open Authorization , 2012, IEEE Transactions on Dependable and Secure Computing.

[26]  Zhen Huang,et al.  PScout: analyzing the Android permission specification , 2012, CCS.

[27]  Ninghui Li,et al.  Android permissions: a perspective combining risks and benefits , 2012, SACMAT '12.

[28]  Ninghui Li,et al.  Using probabilistic generative models for ranking risks of Android apps , 2012, CCS.

[29]  Mohamed Shehab,et al.  Policy-by-example for online social networks , 2012, SACMAT '12.

[30]  Yajin Zhou,et al.  Systematic Detection of Capability Leaks in Stock Android Smartphones , 2012, NDSS.