Browsing by Author "Fong, Philip"
Now showing 1 - 18 of 18
Access Control Policy Analysis with a Visualization Tool for Social Network Systems (2011-03-17T16:27:12Z)
Open Access. Authors: Fong, Philip; Anwar, Mohd
Understanding privacy implications of access control policies is a complex task for the users of social network systems. Users need tool support to articulate on access scenarios and perform policy analysis. In this work, we develop a prototypical tool for reflective policy assessment (RPA) – a process in which a user examines her profile from the viewpoint of another user in her extended neighborhood in the social graph. Since an unrestricted view of one's extended neighborhood may compromise the privacy of others, our visualization tool approximates the extended neighborhood of a user in such a way that policy assessment can still be conducted in a meaningful manner, while the privacy of other users is preserved. We verify the utility and usability of our tool in a within-subject user study.

Characterization of Periodic Network Traffic (2017)
Open Access. Authors: Haffey, Mackenzie; Williamson, Carey; Arlitt, Martin; Williamson, Carey; Arlitt, Martin; Aycock, John; Fong, Philip
This thesis focuses on characterizing periodic communications in network traffic, which we refer to as network heartbeats. Heartbeat traffic can be used to assess the overall health of an operational network, based on the presence/absence of heartbeats for known network services, and also to detect unexpected/undesired network services, such as malicious traffic. We use a simple and flexible SQL-based method to detect a wide range of heartbeats in network traffic, using seven weeks of connection logs from a campus edge network. Our results show that heartbeat analysis is effective for detecting P2P, gaming, cloud, scanning, and botnet traffic flows, which often have periodic signatures.

Context-Aware History-Based Access Control for IoT Devices (2023-01-04)
Open Access. Authors: Shadman, Shauvik; Fong, Philip; Safavi-Naeini, Reyhaneh; Yanushkevich, Svetlana
Internet-of-things (IoT) devices have taken over every aspect of our daily lives. They control the environment around us and collect personal data. Access to these devices needs to be protected, especially in a post-pandemic world where patient data security is of utmost importance. The accessibility of IoT devices is often found to be context dependent, meaning that whether a user may interact with a device often depends on contextual information such as environmental parameters (e.g., time, temperature, pressure). This thesis is a proposal to add context dependency into a previously published distributed authorization system for IoT devices. In this authorization system, the more proof of context a requester can produce, the more access they are granted. A security property is also put forward to make sure that a malicious requester cannot gain more access by willfully withholding context information. I formally proved that the proposed authorization system satisfies this security property. This thesis also presents an implementation of this authorization system and evaluates its performance.

A Framework for Expressing and Enforcing Purpose-Based Privacy Policies (2013-01-28)
Open Access. Authors: Jafari, Mohammad; Fong, Philip; Safavi-Naini, Reihaneh; Barker, Ken
Purpose is a key concept in privacy policies and has been mentioned in major privacy laws and regulations. Although some models have been proposed for enforcing purpose-based policies, little has been done in defining formal semantics for purpose and therefore an effective enforcement mechanism for policies has remained a challenge. In this paper, we develop a framework for formalizing and enforcing purpose-based privacy policies. Purpose is formally defined as the dynamic situation of an action within the network of inter-related actions in the system. Accordingly, we propose a modal-logic language for formally expressing constraints about purposes of actions which can be used to model purpose-based policies. The semantics of this language are defined over an abstract model of activities in the system which is directly derivable from business processes. Based on this formal framework, we discuss some properties of purpose and show how some well-known, as well as new, forms of purpose constraints can be formalized using the proposed language. We also show how purpose-based constraints can be tied to other access control policies in the system. Finally, we present a model-checking algorithm for verifying whether a given state of the system complies with a given set of policies, followed by a discussion of how this can be used in an actual implementation of a purpose reference monitor.

Higher-Order (Temporal) Relationship-Based Access Control (2022-02)
Open Access. Authors: Arora, Chahal; Fong, Philip; Reardon, Joel; Li, Simon
With the advent of technologies such as the Internet of Things, new types of relationships have emerged between users and devices. These relationships are transient, which means they can be activated and terminated over time. Existing Relationship-Based Access Control (ReBAC) models are not designed for handling such relationships efficiently. In this work, we present a ReBAC model that can incorporate such transient relationships, thus allowing the creation of access control policies that can use the transient nature of relationships to grant authorization. We call this model the Higher-Order (Temporal) Relationship-Based Access Control (HO(T)-ReBAC) model. This thesis formalized the HO(T)-ReBAC model and defined a formal policy language for access control policies in HO(T)-ReBAC. We then discussed case studies based on real-world scenarios where HO(T)-ReBAC can be deployed for authorization decisions. After that, we designed and presented an efficient model implementation that can be used for large-scale projects in the real world. We empirically evaluated our implementation of HO(T)-ReBAC using a real-world social graph and the use case we discussed. Our evaluation found our implementation to be efficient for real-world large-scale projects.

In-region Location Verification Using Distance Bounding (2016)
Open Access. Authors: Akand, Md Mamunur Rashid; Safavi-Naini, Reihaneh; Fong, Philip; Jacobson, Michael J. Jr
Location-based services have grown rapidly in recent years. Determining the location of a service user, however, appears to come with two seemingly contradictory requirements: on one hand, the location information needs to be accurate up to a certain level, and on the other hand, the user may want their location information to remain private. The first problem, determining the location of a user, is challenging in untrusted settings. An untrusted user may always claim a false location to gain services from a service provider. Sometimes the user may want to claim a shorter distance, and other times a longer one, based on the requirements of the service provider. One of the prominent systems that has been used for the last two decades to validate such claims is the distance bounding protocol. A distance (upper) bounding protocol is used to verify that a user (prover) is no farther than a given distance from the verifier. Distance upper bounding protocols have a number of applications, including secure localization, secure location verification, and authentication. A more recent work on distance bounding introduces the dual problem of verifying that a prover is no closer than a given distance from the verifier. The proposed protocol, which is named distance lower bounding, is applicable in scenarios where the privileges are provided to users located far away from the verifier. We propose Distance Range Bounding (DRB) as a new problem that requires a prover to show that its distance from the verifier is between two bounds: a given upper bound and a given lower bound. We provide a formal model that captures security requirements in this scenario. We design a distance range bounding protocol and prove its security with respect to our model. Our protocol is based on two secure distance bounding protocols: a distance upper bounding and a distance lower bounding protocol. We use the two protocols in a way that the new protocol preserves the security property of the original ones and has provable security in the DRB model. The distance range obtained by our proposed protocol can be used in the localization algorithms. We use the protocol to design an efficient and robust in-region verification protocol, where the goal is to verify if a user is located within a bounded area/zone. An upfront requirement of location-based services is the users' desire not to reveal their exact location for privacy reasons. In-region location verification systems verify if a user is within a region. Our second contribution is the design of a privacy enhanced location verification system that uses an in-region location verification approach for a given policy area, and verifies whether a location claim is from within the area. The novelty of our work is to use distance range bounding to construct a pseudo-rectangle (P-rectangle) that provides the best coverage for the area, and verify the location claim with respect to the P-rectangle. We define the error in verification decision, and show that it can be reduced by subdividing the area and using multiple rectangles to cover it. We analyze the privacy of the system against an adversary who monitors the radio communication and uses it to infer the location of the prover, and provide methods of protecting against this attack. We discuss our results and propose directions for future research.

Inference Attacks by Third-Party Extensions to Social Network Systems (2010-11-01T18:13:14Z)
Open Access. Authors: Ahmadinejad, Seyed Hossein; Anwar, Mohd; Fong, Philip
We study inference attacks that can be launched via the extension API of Facebook. We explain the threat of these attacks through a reduction to authentication attacks, devise a taxonomy for such attacks, and propose a risk metric to help subscribers of third-party applications refine their privacy expectations.

Multiple Ownership in Access Control (2016)
Open Access. Authors: Mehregan, Pooya; Fong, Philip; Safavi-Naeini, Reyhaneh; Aycock, John; Tawbi, Nadia; Bauer, Mark
In social computing, multiple users may share privacy stakes in a piece of content. Content contributed by a user may be annotated by other users (e.g., “like” or “comment”). Also, users may become associated with content that is contributed by other users (e.g., get tagged in a photo). In other scenarios, multiple users may co-contribute a piece of information (e.g., friendship articulation). These users, called co-owners in this thesis, share privacy stakes in these contents and they may want to control access to the contents. In this novel situation of multiple ownership, a shared resource is administered simultaneously by co-owners who may have conflicting privacy preferences and/or sharing needs. The study of access control schemes for multiple ownership in social computing has captured the imagination of researchers, and general-purpose schemes for reconciling the differences of privacy stakeholders have been proposed. One challenge of existing general-purpose multiple-ownership schemes is that they can be very complex. In the first part of this thesis, we consider the possibility of simplification in special cases. We identify two simple design patterns for handling a significant family of multiple-ownership scenarios. We discuss efficient implementation techniques that solely rely on standard SQL technology. We also identify scenarios in which general-purpose multiple-ownership schemes are necessary. Most of the general-purpose schemes in the literature are in the form of unsupervised conflict resolution mechanisms. In the second part of this thesis, driven by the need for human consent in organizational settings, we explore interactive policy negotiation, a different approach that is complementary to that of prior work. Specifically, we propose an extension of Relationship-Based Access Control (ReBAC) to support multiple ownership, in which a policy negotiation protocol is in place for co-owners to come up with and give consent to an access control policy in a structured manner. During negotiation, the quality of the draft policy is assessed by a set of novel and formally defined availability criteria: policy satisfiability, feasibility and resiliency, which all belong to the second level of the polynomial hierarchy. We then propose efficient tool support for deciding these availability criteria.

Preventing Sybil Attacks by Privilege Attenuation: A Design Principle for Social Network Systems (2011-03-03T16:04:08Z)
Open Access. Authors: Fong, Philip
In Facebook-style Social Network Systems (FSNSs), which are a generalization of the access control model of Facebook, an access control policy specifies a graph-theoretic relationship between the resource owner and resource accessor that must hold in the social graph in order for access to be granted. Pseudonymous identities may collude to alter the topology of the social graph and gain access that would otherwise be forbidden. We formalize Denning's Principle of Privilege Attenuation (POPA) as a run-time property, and demonstrate that it is a necessary and sufficient condition for preventing the above form of Sybil attacks. A static policy analysis is then devised for verifying that an FSNS is POPA compliant (and thus Sybil free). The static analysis is proven to be both sound and complete. We also extend our analysis to cover a peculiar feature of FSNS, namely, what Fong et al. dubbed as Stage-I Authorization. We discuss the anomalies resulting from this extension, and point out the need to redesign Stage-I Authorization to support a rational POPA-compliance analysis.

Preventing Sybil Attacks by Privilege Attenuation: A Design Principle for Social Network Systems (2010-12-02T22:31:55Z)
Open Access. Authors: Fong, Philip
In Facebook-style Social Network Systems (FSNSs), which are a generalization of the access control model of Facebook, an access control policy specifies a graph-theoretic relationship between the resource owner and resource accessor that must hold in the social graph in order for access to be granted. Pseudonymous identities may collude to alter the topology of the social graph and gain access that would otherwise be forbidden. We formalize Denning’s Principle of Privilege Attenuation (POPA) as a run-time property, and demonstrate that it is a necessary and sufficient condition for preventing the above form of Sybil attacks. A static policy analysis is then devised for verifying that an FSNS is POPA compliant (and thus Sybil free). The static analysis is proven to be both sound and complete. We also extend our analysis to cover a peculiar feature of FSNS, namely, what Fong et al. dubbed as Stage-I Authorization. We discuss the anomalies resulting from this extension, and point out the need to redesign Stage-I Authorization to support a rational POPA-compliance analysis.

A Privacy Preservation Model for Facebook-Style Social Network Systems (2009-04-29T17:18:39Z)
Open Access. Authors: Fong, Philip; Anwar, Mohd; Zhao, Zhen
Recent years have seen unprecedented growth in the popularity of social network systems, with Facebook being an archetypical example. The access control paradigm behind the privacy preservation mechanism of Facebook is distinctly different from such existing access control paradigms as Discretionary Access Control, Role-Based Access Control, Capability Systems, and Trust Management Systems. This work takes a first step in deepening the understanding of this access control paradigm, by proposing an access control model that formalizes and generalizes the privacy preservation mechanism of Facebook. The model can be instantiated into a family of Facebook-style social network systems, each with a recognizably different access control mechanism, so that Facebook is but one instantiation of the model. We also demonstrate that the model can be instantiated to express policies that are not currently supported by Facebook but possess rich and natural social significance. This work thus delineates the design space of privacy preservation mechanisms for Facebook-style social network systems, and lays out a formal framework for policy analysis in these systems.

ReBAC2015: Interoperability of Relationship- and Role-Based Access Control (2015-09-16)
Open Access. Authors: Rizvi, Syed Zain; Fong, Philip
Relationship-Based Access Control (ReBAC) is a general-purpose access control paradigm for application domains in which authorization must take into account the relationship between the access requestor and the resource owner. This thesis presents an evolution of Fong's ReBAC model in two steps. First, I formalize and extend the first-time implementation of ReBAC into a production-scale medical records system, OpenMRS. This extension incorporates sophisticated authorization schemes recently proposed in the literature, as well as a performance evaluation of these schemes. Second, the model is further extended to incorporate the notion of demarcations and authorization-time constraints. These extensions allow ReBAC to interoperate with legacy Role-Based Access Control at a fine-grained level, and significantly increase the expressiveness of the model. Also presented are the design of two authorization procedures (one of which has an algorithmic structure akin to an SMT solver) along with optimization techniques.

Relational Abstraction in Community-Based Secure Collaboration (2013-11-29)
Open Access. Authors: Fong, Philip; Mehregan, Pooya; Krishnan, Ram
Users of an online community are willing to share resources because they can expect reasonable behaviour from other members of the community. Such expectations are known as social contracts. In this work, we study the specification and enforcement of social contracts in a computer mediated collaboration environment. Specifically, we examine social contracts that contain both relationship- and history-based elements. A series of policy languages, all based on modal and temporal logics, with increasing expressiveness, have been proposed to express social contracts. Reference monitors are designed to correctly and efficiently enforce the specified policies. A technique called “relational abstraction” is employed to reduce the reference monitor into a purely relationship-based protection system, that is, what is commonly known as a social network system.

Relationship-Based Access Control Policies and Their Policy Languages (2011-01-24T17:29:45Z)
Open Access. Authors: Fong, Philip; Siahaan, Ida
The Relationship-Based Access Control (ReBAC) model was recently proposed as a general-purpose access control model. It supports the natural expression of parameterized roles, the composition of policies, and the delegation of trust. Fong proposed a policy language that is based on Modal Logic for expressing and composing ReBAC policies. A natural question is whether such a language is representationally complete, that is, whether the language is capable of expressing all ReBAC policies that one is interested in expressing. In this work, we argue that the extensive use of what we call Relational Policies is what distinguishes ReBAC from traditional access control models. We show that Fong’s policy language is representationally incomplete in that certain previously studied Relational Policies are not expressible in the language. We introduce two extensions to the policy language of Fong, and prove that the extended policy language is representationally complete with respect to a well-defined subclass of Relational Policies.

Relationship-Based Access Control: Protection Model and Policy Language (2010-09-22T17:42:25Z)
Open Access. Authors: Fong, Philip
Social Network Systems pioneer a paradigm of access control that is distinct from traditional approaches to access control. Gates coined the term Relationship-Based Access Control (ReBAC) to refer to this paradigm. ReBAC is characterized by the explicit tracking of interpersonal relationships between users, and the expression of access control policies in terms of these relationships. This work explores what it takes to widen the applicability of ReBAC to application domains other than social computing. To this end, we formulate an archetypical ReBAC model to capture the essence of the paradigm, that is, authorization decisions are based on the relationship between the resource owner and the resource accessor in a social network maintained by the protection system. A novelty of the model is that it captures the contextual nature of relationships. We devise a policy language, based on modal logic, for composing access control policies that support delegation of trust. We use a case study in the domain of Electronic Health Records to demonstrate the utility of our model and its policy language. This work provides initial evidence of the feasibility and utility of ReBAC as a general-purpose paradigm of access control.

Scoping and Execution Monitoring for IoT Middleware (2018-01-23)
Open Access. Authors: Fuentes Carranza, Juan Carlos; Fong, Philip; Cockett, Robin; Safavi-Naini, Rei; Fong, Philip
Existing Internet of Things architectures rely on middleware (cloud services) to host coordination logic among devices. This middleware is based on Event Based Systems where the Broker architecture and the Publish/Subscribe design pattern are used to deal with heterogeneous environments and for decoupling purposes, with the MQTT protocol being one of the most extensively used Event Based Systems for Internet of Things solutions. Two prominent security issues in this type of middleware are: possible network interruptions between devices and the middleware, and potentially compromised devices. This thesis proposes Scoping and Execution Monitoring in Event Based Systems to cope with possible network disconnections, and to deal with misbehavior of faulty or compromised devices. I define a mathematical model for Event Based Systems where the interplay between Scoping and Execution Monitoring is formalized, and empirically evaluate the performance of these security mechanisms.

The Specification and Compilation of Obligation Policies for Program Monitoring (2012-03-26T17:20:16Z)
Open Access. Authors: Xu, Cheng; Fong, Philip
The core component of an extensible software system must protect its resources from being abused by untrusted software extensions. The access control policies of extensible software systems are traditionally enforced by some form of reference monitors. Recent studies of access control policies advocate the use of obligation policies, which impose behavioural constraints on the future actions of the accessor even after the access is granted. It is argued that obligation policies provide continuous protection to the system. We envision the workflow of developing an obligation policy for program monitoring to involve three stages: specification, implementability check and implementation. In this work, we develop a series of tools to facilitate each stage of the workflow. First, we propose a policy language for formulating obligation policies. Second, we devise a type system for syntactically identifying whether or not an obligation policy is enforceable. The type checker guides the policy developer in refining an obligation policy into an enforceable one. Finally, we design a compilation algorithm, which compiles well-typed obligation policies to a representation of reference monitors, called Obligation Monitor (OM). The OM is designed to facilitate monitor inlining.

Visualizing Privacy Implications of Access Control Policies in Social Network Systems (2009-05-08T16:08:00Z)
Open Access. Authors: Anwar, Mohd; Fong, Philip; Yang, Xue-Dong; Hamilton, Howard
We hypothesize that, in a Facebook-style social network system, proper visualization of one’s extended neighborhood could help the user understand the privacy implications of her access control policies. However, an unrestricted view of one’s extended neighborhood may compromise the privacy of others. To address this dilemma, we propose a privacy-enhanced visualization tool, which approximates the extended neighborhood of a user in such a way that policy assessment can still be conducted in a meaningful manner, while the privacy of other users is preserved.