On protection in federated social computing systems

Ebrahim Tarameshloo, Philip W.L. Fong, Payman Mohassel
2014 Proceedings of the 4th ACM conference on Data and application security and privacy - CODASPY '14  
Nowadays, a user may belong to multiple social computing systems (SCSs) in order to benefit from a variety of services that each SCS may provide. To facilitate the sharing of contents across the system boundary, some SCSs provide a mechanism by which a user may "connect" his accounts on two SCSs. The effect is that contents from one SCS can now be shared to another SCS. Although such a connection feature delivers clear usability advantages for users, it also generates a host of privacy challenges. A notable challenge is that the access control policy of the SCS from which the content originates may not be honoured by the SCS to which the content migrates, because the latter fails to faithfully replicate the protection model of the former. In this paper we formulate a protection model for a federation of SCSs that support content sharing via account connection. A core feature of the model is that sharable contents are protected by access control policies that transcend the system boundary: they are enforced even after contents are migrated from one SCS to another. To ensure faithful interpretation of access control policies, their evaluation involves querying the protection states of various SCSs, using Secure Multiparty Computation (SMC). An important contribution of this work is that we carefully formulate the conditions under which policy evaluation using SMC does not lead to the leakage of information about the protection states of the SCSs. We also study the computational problem of statically checking if an access control policy can be evaluated without information leakage. Lastly, we identify useful policy idioms.

Definition 8. Given a function $f : \mathbb{B}^n \to \mathbb{B}$, suppose $I, J \subseteq \{1, \ldots, n\}$ such that $I \neq \emptyset$ and $I \cap J = \emptyset$. Let $k = |I|$ and $m = |J|$. Function $f$ is input nondeducible for $I$ despite $J$ if and only if for every $\vec{a} \in \mathbb{B}^m$ and $b \in \mathbb{B}$, if there exists $\vec{w} \in \mathbb{B}^n$ such that $\mathrm{proj}_J(\vec{w}) = \vec{a}$ and $f(\vec{w}) = b$, then for every $\vec{v} \in \mathbb{B}^k$ there exists $\vec{u} \in \mathbb{B}^n$ such that $\mathrm{proj}_I(\vec{u}) = \vec{v}$, $\mathrm{proj}_J(\vec{u}) = \vec{a}$, and $f(\vec{u}) = b$. If $I$ is a singleton set $\{i\}$, then we simply say $f$ is $i$'th input nondeducible despite $J$. Note that Definition 7 is a special case of the definition above (when $J = \emptyset$). The set $J$ is essentially the set of inputs
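The brute-force checker below is added here as an illustration of Definition 8 and is not code from the paper: it enumerates $\mathbb{B}^n$ and asks whether an observer who learns the $J$-inputs and the output $b$ still finds every value of the $I$-inputs possible, returning a concrete observation that rules one out when it does not. The Boolean functions it is run on (AND, two- and three-input XOR) are constructed samples standing in for a policy evaluated under SMC.

```python
from itertools import product
from typing import Callable, Iterable, Optional, Sequence, Tuple

Bits = Tuple[int, ...]

def proj(w: Bits, idx: Sequence[int]) -> Bits:
    """proj_idx(w): keep the inputs whose positions (1-based, as in Definition 8) lie in idx."""
    return tuple(w[i - 1] for i in idx)

def deducibility_witness(f: Callable[[Bits], int], n: int,
                         I: Iterable[int], J: Iterable[int] = ()) -> Optional[Tuple[Bits, int, Bits]]:
    """Check Definition 8 by brute force over B^n.

    Returns None if f is input nondeducible for I despite J. Otherwise returns
    (a, b, v): an observation that actually occurs (J-inputs equal a, output b)
    under which the value v of the I-inputs is impossible, i.e. an observer who
    knows a and b has learned that proj_I(w) != v.
    """
    I, J = tuple(sorted(I)), tuple(sorted(J))
    if not I or set(I) & set(J):
        raise ValueError("I must be non-empty and disjoint from J")
    domain = list(product((0, 1), repeat=n))
    # Only observations (a, b) that some w in B^n can produce need checking.
    observed = sorted({(proj(w, J), f(w)) for w in domain})
    for a, b in observed:
        # Values of the I-inputs consistent with observing (a, b).
        consistent = {proj(u, I) for u in domain if proj(u, J) == a and f(u) == b}
        for v in product((0, 1), repeat=len(I)):
            if v not in consistent:
                return (a, b, v)
    return None

def input_nondeducible(f: Callable[[Bits], int], n: int,
                       I: Iterable[int], J: Iterable[int] = ()) -> bool:
    return deducibility_witness(f, n, I, J) is None

# Constructed sample functions (hypothetical policies over protection-state bits).
def and2(w: Bits) -> int: return w[0] & w[1]
def xor2(w: Bits) -> int: return w[0] ^ w[1]
def xor3(w: Bits) -> int: return w[0] ^ w[1] ^ w[2]

if __name__ == "__main__":
    # AND leaks: output 1 reveals that input 1 is 1 (the Definition 7 case, J empty).
    print(deducibility_witness(and2, 2, I={1}))            # ((), 1, (0,))
    # XOR hides input 1 when only the output is known ...
    print(input_nondeducible(xor2, 2, I={1}))              # True
    # ... but not once input 2 is also known to the observer.
    print(deducibility_witness(xor2, 2, I={1}, J={2}))     # ((0,), 0, (1,))
    # A third, unobserved input restores nondeducibility of input 1 despite input 2.
    print(input_nondeducible(xor3, 3, I={1}, J={2}))       # True
    print(input_nondeducible(xor3, 3, I={1}, J={2, 3}))    # False
```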
doi:10.1145/2557547.2557555 dblp:conf/codaspy/TarameshlooFM14 fatcat:qrl7z7wrxndxzgs32qyfgdhlaq