Relationship-based access control policies and their policy languages
Proceedings of the 16th ACM symposium on Access control models and technologies
Relationship-based access control: its expression and enforcement through hybrid logic
Proceedings of the second ACM conference on Data and Application Security and Privacy
Aiding the detection of fake accounts in large scale social online services
NSDI'12 Proceedings of the 9th USENIX conference on Networked Systems Design and Implementation
A visualization tool for evaluating access control policies in facebook-style social network systems
Proceedings of the 27th Annual ACM Symposium on Applied Computing
On protection in federated social computing systems
Proceedings of the 4th ACM conference on Data and application security and privacy
In Facebook-style Social Network Systems (FSNSs), which are a generalization of the access control model of Facebook, an access control policy specifies a graph-theoretic relationship between the resource owner and the resource accessor that must hold in the social graph in order for access to be granted. Pseudonymous identities may collude to alter the topology of the social graph and gain access that would otherwise be forbidden. We formalize Denning's Principle of Privilege Attenuation (POPA) as a run-time property, and demonstrate that it is a necessary and sufficient condition for preventing the above form of Sybil attack. A static policy analysis is then devised for verifying that an FSNS is POPA compliant (and thus Sybil free). The static analysis is proven to be both sound and complete. We also extend our analysis to cover a peculiar feature of FSNSs, namely, what Fong et al. dubbed Stage-I Authorization. We discuss the anomalies resulting from this extension, and point out the need to redesign Stage-I Authorization to support a rational POPA-compliance analysis.