Resource Access Control in the Facebook Model

We study the fundamental security properties of resource access control as suggested by the operation of current social networks, including Facebook. The "Facebook model", which treats the server as a trusted party, suggests two fundamental properties, "owner privacy" and "server consistency", and two different modes of revocation, implicit and explicit. Through black-box experimentation, we determine Facebook's implementation of resource access control and analyze its security properties within our formal model. We demonstrate, by constructing explicit attacks, that the current implementation is not secure: specifically, we attack privacy with implicit revocation and server consistency. We evaluate the implications of the attacks and propose amendments that can align the current implementation with all its intended security properties. To the best of our knowledge, this is the first time that a security analysis of the Facebook resource access control mechanism has been performed within a proper security model.
