Resource Access Control in the Facebook Model

Konstantinos Chronopoulos; Maria Gouseti; Aggelos Kiayias

doi:10.1007/978-3-319-02937-5_10

Resource Access Control in the Facebook Model

Konstantinos Chronopoulos, Maria Gouseti, Aggelos Kiayias

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

We study the fundamental security properties of resource access control as suggested by the operation of current social networks including Facebook. The “facebook model”, which treats the server as a trusted party, suggests two fundamental properties, “owner privacy” and “server consistency”, and two different modes of revocation, implicit and explicit. Through black-box experimentation, we determine Facebook’s implementation for resource access control and we analyze its security properties within our formal model. We demonstrate, by the construction of explicit attacks, that the current implementation is not secure: specifically, we attack privacy with implicit revocation and server consistency. We evaluate the implications of the attacks and we propose amendments that can align the current implementation with all its intended security properties. To the best of our knowledge this is the first time that a security analysis of the Facebook resource access control mechanism is performed within a proper security model.

Original language	English
Title of host publication	Cryptology and Network Security
Subtitle of host publication	12th International Conference, CANS 2013, Paraty, Brazil, November 20-22. 2013. Proceedings. Springer 2013 Lecture Notes in Computer Science
Publisher	Springer
Pages	179-198
Number of pages	20
ISBN (Electronic)	978-3-319-02937-5
ISBN (Print)	978-3-319-02936-8
DOIs	https://doi.org/10.1007/978-3-319-02937-5_10
Publication status	Published - 2013

Publication series

Name	Lecture Notes in Computer Science (LNCS)
Publisher	Springer International Publishing
Volume	8257
ISSN (Print)	0302-9743

Access to Document

10.1007/978-3-319-02937-5_10

http://link.springer.com/chapter/10.1007/978-3-319-02937-5_10

Cite this

Chronopoulos, K., Gouseti, M., & Kiayias, A. (2013). Resource Access Control in the Facebook Model. In Cryptology and Network Security: 12th International Conference, CANS 2013, Paraty, Brazil, November 20-22. 2013. Proceedings. Springer 2013 Lecture Notes in Computer Science (pp. 179-198). (Lecture Notes in Computer Science (LNCS); Vol. 8257). Springer. https://doi.org/10.1007/978-3-319-02937-5_10

@inproceedings{6dd5f4245f7b4bd9bfa6c3185308ddc0,

title = "Resource Access Control in the Facebook Model",

abstract = "We study the fundamental security properties of resource access control as suggested by the operation of current social networks including Facebook. The “facebook model”, which treats the server as a trusted party, suggests two fundamental properties, “owner privacy” and “server consistency”, and two different modes of revocation, implicit and explicit. Through black-box experimentation, we determine Facebook{\textquoteright}s implementation for resource access control and we analyze its security properties within our formal model. We demonstrate, by the construction of explicit attacks, that the current implementation is not secure: specifically, we attack privacy with implicit revocation and server consistency. We evaluate the implications of the attacks and we propose amendments that can align the current implementation with all its intended security properties. To the best of our knowledge this is the first time that a security analysis of the Facebook resource access control mechanism is performed within a proper security model.",

author = "Konstantinos Chronopoulos and Maria Gouseti and Aggelos Kiayias",

year = "2013",

doi = "10.1007/978-3-319-02937-5_10",

language = "English",

isbn = "978-3-319-02936-8",

series = "Lecture Notes in Computer Science (LNCS)",

publisher = "Springer",

pages = "179--198",

booktitle = "Cryptology and Network Security",

address = "United Kingdom",

}

Chronopoulos, K, Gouseti, M & Kiayias, A 2013, Resource Access Control in the Facebook Model. in Cryptology and Network Security: 12th International Conference, CANS 2013, Paraty, Brazil, November 20-22. 2013. Proceedings. Springer 2013 Lecture Notes in Computer Science. Lecture Notes in Computer Science (LNCS), vol. 8257, Springer, pp. 179-198. https://doi.org/10.1007/978-3-319-02937-5_10

Resource Access Control in the Facebook Model. / Chronopoulos, Konstantinos; Gouseti, Maria; Kiayias, Aggelos.
Cryptology and Network Security: 12th International Conference, CANS 2013, Paraty, Brazil, November 20-22. 2013. Proceedings. Springer 2013 Lecture Notes in Computer Science. Springer, 2013. p. 179-198 (Lecture Notes in Computer Science (LNCS); Vol. 8257).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

TY - GEN

T1 - Resource Access Control in the Facebook Model

AU - Chronopoulos, Konstantinos

AU - Gouseti, Maria

AU - Kiayias, Aggelos

PY - 2013

Y1 - 2013

N2 - We study the fundamental security properties of resource access control as suggested by the operation of current social networks including Facebook. The “facebook model”, which treats the server as a trusted party, suggests two fundamental properties, “owner privacy” and “server consistency”, and two different modes of revocation, implicit and explicit. Through black-box experimentation, we determine Facebook’s implementation for resource access control and we analyze its security properties within our formal model. We demonstrate, by the construction of explicit attacks, that the current implementation is not secure: specifically, we attack privacy with implicit revocation and server consistency. We evaluate the implications of the attacks and we propose amendments that can align the current implementation with all its intended security properties. To the best of our knowledge this is the first time that a security analysis of the Facebook resource access control mechanism is performed within a proper security model.

AB - We study the fundamental security properties of resource access control as suggested by the operation of current social networks including Facebook. The “facebook model”, which treats the server as a trusted party, suggests two fundamental properties, “owner privacy” and “server consistency”, and two different modes of revocation, implicit and explicit. Through black-box experimentation, we determine Facebook’s implementation for resource access control and we analyze its security properties within our formal model. We demonstrate, by the construction of explicit attacks, that the current implementation is not secure: specifically, we attack privacy with implicit revocation and server consistency. We evaluate the implications of the attacks and we propose amendments that can align the current implementation with all its intended security properties. To the best of our knowledge this is the first time that a security analysis of the Facebook resource access control mechanism is performed within a proper security model.

U2 - 10.1007/978-3-319-02937-5_10

DO - 10.1007/978-3-319-02937-5_10

M3 - Conference contribution

SN - 978-3-319-02936-8

T3 - Lecture Notes in Computer Science (LNCS)

SP - 179

EP - 198

BT - Cryptology and Network Security

PB - Springer

ER -

Resource Access Control in the Facebook Model

Abstract

Publication series

Access to Document

Fingerprint

Cite this