http://hdl.handle.net/1880/47051 Wed, 19 Jun 2013 06:06:57 GMT 2013-06-19T06:06:57Z http://hdl.handle.net/1880/49351 Title: A Framework for Expressing and Enforcing Purpose-Based Privacy Policies Authors: Jafari, Mohammad; Fong, Philip; Safavi-Naini, Reihaneh; Barker, Ken Abstract: Purpose is a key concept in privacy policies and has been mentioned in major privacy laws and regulations. Although some models have been proposed for enforcing purpose-based policies, little has been done in de ning formal semantics for purpose and therefore an e ective enforcement mechanism for policies has remained a challenge. In this paper, we develop a framework for formalizing and enforcing purpose-based privacy policies. Purpose is formally de ned as the dynamic situation of an action within the network of inter-related actions in the system. Accordingly, we propose a modal-logic language for formally expressing constraints about purposes of actions which can be used to model purpose-based policies. The semantics of this language are de ned over an abstract model of activities in the system which is directly derivable from business processes. Based on this formal framework, we discuss some properties of purpose and show how some well-known, as well as new forms of purpose constraints can be formalized using the proposed language. We also show how purpose-based constraints can be tied to other access control policies in the system. Finally, we present a model-checking algorithm for verifying whether a given state of the system complies with a given set of policies, followed by a discussion of how this can be used in an actual implementation of a purpose reference monitor. Mon, 28 Jan 2013 00:00:00 GMT http://hdl.handle.net/1880/49351 2013-01-28T00:00:00Z http://hdl.handle.net/1880/48922 Title: The Specification and Compilation of Obligation Policies for Program Monitoring Authors: Xu, Cheng; Fong, Philip Abstract: The core component of an extensible software system must protect its resources from being abused by untrusted software extensions. The access control policies of extensible software systems are traditionally enforced by some form of reference monitors. Recent studies of access control policies advocate the use of obligation policies, which impose behavioural constraints on the future actions of the accessor even after the access is granted. It is argued that obligation policies provide continuous protection to the system. We envision the workflow of developing an obligation policy for program monitoring to involve three stages: specification, implementability check and implementation. In this work, we develop a series of tools to facilitate each stage of the workflow. First, we propose a policy language for formulating obligation policies. Second, we devise a type system for syntactically identifying if an obligation policy is enforceable or not. The type checker guides the policy developer in refining an obligation policy into an enforceable one. Finally, we design a compilation algorithm, which compiles well-typed obligation policies to a representation of reference monitors, called Obligation Monitor (OM). The OM is designed to facilitate monitor inlining. Mon, 26 Mar 2012 17:20:16 GMT http://hdl.handle.net/1880/48922 2012-03-26T17:20:16Z http://hdl.handle.net/1880/48453 Title: Access Control Policy Analysis with a Visualization Tool for Social Network Systems Authors: Fong, Philip; Anwar, Mohd Abstract: Understanding privacy implications of access control policies is a complex task for the users of social network systems. Users need tool support to articulate on access scenarios and perform policy analysis. In this work, we develop a prototypical tool for reflective policy assessment (RPA) – a process in which a user examines her profile from the viewpoint of another user in her extended neighborhood in the social graph. Since an unrestricted view of one's extended neighborhood may compromise the privacy of others, our visualization tool approximates the extended neighborhood of a user in such a way that policy assessment can still be conducted in a meaningful manner, while the privacy of other users is preserved. We verify the utility and usability of our tool in a within-subject user study. Thu, 17 Mar 2011 16:27:12 GMT http://hdl.handle.net/1880/48453 2011-03-17T16:27:12Z http://hdl.handle.net/1880/48433 Title: Preventing Sybil Attacks by Privilege Attenuation: A Design Principle for Social Network Systems Authors: Fong, Philip Abstract: In Facebook-style Social Network Systems (FSNSs), which are a generalization of the access control model of Facebook, an access control policy speci es a graph- theoretic relationship between the resource owner and resource accessor that must hold in the social graph in order for access to be granted. Pseudonymous identities may collude to alter the topology of the social graph and gain access that would otherwise be forbidden. We formalize Denning's Principle of Privilege Attenuation (POPA) as a run-time property, and demonstrate that it is a necessary and su cient condition for preventing the above form of Sybil attacks. A static policy analysis is then devised for verifying that an FSNS is POPA compliant (and thus Sybil free). The static analysis is proven to be both sound and complete. We also extend our analysis to cover a peculiar feature of FSNS, namely, what Fong et al. dubbed as Stage-I Authorization. We discuss the anomalies resulted from this extension, and point out the need to redesign Stage-I Authorization to support a rational POPA-compliance analysis. Thu, 03 Mar 2011 16:04:08 GMT http://hdl.handle.net/1880/48433 2011-03-03T16:04:08Z