Modeling of Online Social Network Policies Using an Attribute-Based Access Control Framework

People often share sensitive personal information through online social networks OSNs to keep ini¾źtouch with their friends and families. Such sensitive information if leaked inadvertently to malicious third parties may have disastrous consequences on the lives of individuals. Access control policies need to be specified, analyzed, enforced, and managed in a simple manner for the regular OSN users. We demonstrate how this can be done. We first propose a simple model that captures the typical OSN features and show how to represent it using an Entity-Relationship Diagram. The numerous features of an OSN interact with each other in subtle ways --- this makes it easy for the naive user to make misconfiguration errors. Towards this end, we illustrate how our OSN model can be formalized in Alloy and its constraints adequately captured. Alloy has an embedded SAT solver which makes it amenable to analysis. We illustrate how potential misconfigurations caused by the user can be automatically detected by the SAT-solver. Finally, we show how OSN policies can be enforced, managed, and changed through Policy Machine which is an attribute-based access control framework.

[1]  Steven M. Bellovin,et al.  A study of privacy settings errors in an online social network , 2012, 2012 IEEE International Conference on Pervasive Computing and Communications Workshops.

[2]  Indrakshi Ray,et al.  Analysis of a Relationship Based Access Control Model , 2015, C3S2E.

[3]  Barbara Carminati,et al.  Enforcing access control in Web-based social networks , 2009, TSEC.

[4]  Vijayalakshmi Atluri,et al.  The Policy Machine: A novel architecture and framework for access control policy specification and enforcement , 2011, J. Syst. Archit..

[5]  Steven M. Bellovin,et al.  Facebook and privacy: it's complicated , 2012, SOUPS.

[6]  David F. Ferraiolo,et al.  Policy Machine: Features, Architecture, and Specification , 2014 .

[7]  Philip W. L. Fong Relationship-based access control: protection model and policy language , 2011, CODASPY '11.

[8]  Mohamed Shehab,et al.  Access Control Policy Misconfiguration Detection in Online Social Networks , 2013, 2013 International Conference on Social Computing.

[9]  Yuan Cheng,et al.  A User-to-User Relationship-Based Access Control Model for Online Social Networks , 2012, DBSec.

[10]  Fausto Giunchiglia,et al.  Using Description Logics in Relation Based Access Control , 2009, Description Logics.

[11]  Michael Huth,et al.  Relationship-based access control: its expression and enforcement through hybrid logic , 2012, CODASPY '12.

[12]  Daniel Jackson,et al.  Software Abstractions - Logic, Language, and Analysis , 2006 .

[13]  Yuan Cheng,et al.  Relationship-Based Access Control for Online Social Networks: Beyond User-to-User Relationships , 2012, 2012 International Conference on Privacy, Security, Risk and Trust and 2012 International Confernece on Social Computing.

[14]  David F. Ferraiolo,et al.  Enabling an Enterprise-Wide, Data-Centric Operating Environment , 2013, Computer.

[15]  Heng Xu,et al.  CoPE: Enabling collaborative privacy management in online social networks , 2011, J. Assoc. Inf. Sci. Technol..

[16]  Fausto Giunchiglia,et al.  Relation-Based Access Control: An Access Control Model for Context-Aware Computing Environment , 2010, Wirel. Pers. Commun..