capturing policies for fine-grained access control on mobile devices

21
Capturing policies for fine grained access control on mobile devices PRAJIT KUMAR DAS, ANUPAM JOSHI, TIM FININ UMBC ebiquity lab

Upload: prajit-kumar-das

Post on 19-Jan-2017

44 views

Category:

Mobile


0 download

TRANSCRIPT

Page 1: Capturing policies for fine-grained access control on mobile devices

Capturing policies for fine grained access control

on mobile devicesPRAJIT KUMAR DAS, ANUPAM JOSHI, TIM FININ

UMBC ebiquity lab

Page 2: Capturing policies for fine-grained access control on mobile devices

2

We present MITHRIL, a framework for capturing user access control policies that are fine-grained, context-sensitive and are represented using Semantic Web technologies and thereby manages access control decisions for user data on mobile devices.

Motivation

Android image source courtesy: Aha-Soft

Page 3: Capturing policies for fine-grained access control on mobile devices

3

Related Work• Policy Engineering: Requires substantial technical

knowledge, understanding of access control issues (Feltus’08)

• Most people are ‘Privacy Pragmatists’ (Kumaraguru’05)• Convergence of Enterprise usage and personal usage due

to BYOD adoption (Kodeswaran, Chakraborty et. al.’13)• Users unsure of policy (Benisch, Sadeh’11) • Privacy profiles used for user preferences (Liu et. al.’14)

Page 4: Capturing policies for fine-grained access control on mobile devices

4

Image courtesy: Android App Market

Page 5: Capturing policies for fine-grained access control on mobile devices

5

Image courtesy: Android App Market

Page 6: Capturing policies for fine-grained access control on mobile devices

6

Image courtesy: Android App Market

Page 7: Capturing policies for fine-grained access control on mobile devices

7

Contributions MITHRIL has three key contributions• Policy representation• Expressing policy rules: extensible & expressive

 semantic model• RDF/OWL allows easy reuse/integration with concepts

from DBpedia, Linked Data, schema.org,etc.• User-preferred & specific policy capture• Policy enforcement

Page 8: Capturing policies for fine-grained access control on mobile devices

System overview Observer mode

8

Page 9: Capturing policies for fine-grained access control on mobile devices

System overview Enforcer mode

9

Page 10: Capturing policies for fine-grained access control on mobile devices

System overview Enforcer mode

10

Page 11: Capturing policies for fine-grained access control on mobile devices

• Semantic Web Rule Language• antecedent => consequent• Attribute-Based Access Control model• Context pieces as attributes

Rule representation

11

Page 12: Capturing policies for fine-grained access control on mobile devices

12

Rule representationA1: RequesterInfo = Facebook &A2: UserActivity = Work &A3: UserLocation = Office &A4: UserTime = Working hours on Week day &A5: ProtectedResource = Location->C1: Prohibit

When at work Professors do not share their location in FB

Image courtesy: www.phdcomics.com

Page 13: Capturing policies for fine-grained access control on mobile devices

13

Image courtesy: www.phdcomics.com

Generic Rule: Professors do not share their location on FB

During lunch Professor Smith shares locationThis is Prof. Smith. He likes to check in to FB

during lunch.

Rule learning

Page 14: Capturing policies for fine-grained access control on mobile devices

When out to lunch Professor Smith shares location with students if he has lunch scheduled with them

and he is in town

14

Rule Learning – User Feedback Capture

Page 15: Capturing policies for fine-grained access control on mobile devices

Image courtesy: www.phdcomics.com

15

This is Prof. Smith.

Good policy

The system either knows all his policies or it does not!

Violation Metric

Page 16: Capturing policies for fine-grained access control on mobile devices

Image courtesy: www.phdcomics.com

16

Bad policy

The system either knows all his policies or it does not!

Violation Metric

Page 17: Capturing policies for fine-grained access control on mobile devices

False violation: Use cases• Rule requires• Deletion• Antecedent generalization• Antecedent specialization• Delete conditions• Add conditions

17

Page 18: Capturing policies for fine-grained access control on mobile devices

ExperimentalResults

18

Consistent feedback

Page 19: Capturing policies for fine-grained access control on mobile devices

19

Emulating XPrivacy

Source: http://www.xprivacy.eu/License: GNU General Public License version 3

Page 20: Capturing policies for fine-grained access control on mobile devices

20

Future Work• More experiments validating violation metric• Finer granularity capture of policy violation• Possible predictive model for policy generation• Using machine learning to generate policies• Inducing policy using logic programming

Page 21: Capturing policies for fine-grained access control on mobile devices

21

ConclusionWe presented MITHRIL• Framework for capturing ABAC access control

policies• User-preferred & specific policy capture• Fine-grained, context-sensitive• Uses Semantic Web technologies• Policy enforcement

UMBC ebiquity lab