Resource Access Control in the Facebook Model

Konstantinos Chronopoulos, Maria Gouseti, Aggelos Kiayias

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Abstract

We study the fundamental security properties of resource access control as suggested by the operation of current social networks including Facebook. The “facebook model”, which treats the server as a trusted party, suggests two fundamental properties, “owner privacy” and “server consistency”, and two different modes of revocation, implicit and explicit. Through black-box experimentation, we determine Facebook’s implementation for resource access control and we analyze its security properties within our formal model. We demonstrate, by the construction of explicit attacks, that the current implementation is not secure: specifically, we attack privacy with implicit revocation and server consistency. We evaluate the implications of the attacks and we propose amendments that can align the current implementation with all its intended security properties. To the best of our knowledge this is the first time that a security analysis of the Facebook resource access control mechanism is performed within a proper security model.
Original languageEnglish
Title of host publicationCryptology and Network Security
Subtitle of host publication12th International Conference, CANS 2013, Paraty, Brazil, November 20-22. 2013. Proceedings. Springer 2013 Lecture Notes in Computer Science
PublisherSpringer International Publishing
Pages179-198
Number of pages20
ISBN (Electronic)978-3-319-02937-5
ISBN (Print)978-3-319-02936-8
DOIs
Publication statusPublished - 2013

Publication series

NameLecture Notes in Computer Science (LNCS)
PublisherSpringer International Publishing
Volume8257
ISSN (Print)0302-9743

Fingerprint

Dive into the research topics of 'Resource Access Control in the Facebook Model'. Together they form a unique fingerprint.

Cite this