Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Capturing policies for fine-grained access control on mobile devices


Published on

As of 2016, there are more mobile devices than humans on earth. Today, mobile devices are a critical part of our lives and often hold sensitive corporate and personal data. As a result, they are a lucrative target for attackers, and managing data privacy and security on mobile devices has become a vital issue. Existing access control mechanisms in most devices are restrictive and inadequate. They do not take into account the context of a device and its user when making decisions. In many cases, the access granted to a subject should change based on context of a device. Such fine-grained, context-sensitive access control policies have to be personalized too. In this paper, we present the MITHRIL system, that uses policies represented in Semantic Web technologies and captured using user feedback, to handle access control on mobile devices. We present an iterative feedback process to capture user specific policy. We also present a policy violation metric that allows us to decide when the capture process is complete.

Published in: Mobile
  • Be the first to comment

  • Be the first to like this

Capturing policies for fine-grained access control on mobile devices

  1. 1. Capturing policies for fine grained access control on mobile devices PRAJIT KUMAR DAS, ANUPAM JOSHI, TIM FININ UMBC ebiquity lab
  2. 2. We present MITHRIL, a framework for capturing user access control policies that are fine-grained, context-sensitive and are represented using Semantic Web technologies and thereby manages access control decisions for user data on mobile devices. Motivation Android image source courtesy: Aha-Soft 2
  3. 3. Related Work • Policy Engineering: Requires substantial technical knowledge, understanding of access control issues (Feltus’08) • Most people are ‘Privacy Pragmatists’ (Kumaraguru’05) • Convergence of Enterprise usage and personal usage due to BYOD adoption (Kodeswaran, Chakraborty et. al.’13) • Users unsure of policy (Benisch, Sadeh’11) • Privacy profiles used for user preferences (Liu et. al.’14) 3
  4. 4. Image courtesy: Android App Market 4
  5. 5. Image courtesy: Android App Market 5
  6. 6. Image courtesy: Android App Market 6
  7. 7. Contributions MITHRIL has three key contributions • Policy representation • Expressing policy rules: extensible & expressive semantic model • RDF/OWL allows easy reuse/integration with concepts from DBpedia, Linked Data,,etc. • User-preferred & specific policy capture • Policy enforcement 7
  8. 8. System overview Observer mode 8
  9. 9. System overview Enforcer mode 9
  10. 10. System overview Enforcer mode 10
  11. 11. • Semantic Web Rule Language • antecedent => consequent • Attribute-Based Access Control model • Context pieces as attributes Rule representation 11
  12. 12. Rule representation A1: RequesterInfo = Facebook & A2: UserActivity = Work & A3: UserLocation = Office & A4: UserTime = Working hours on Week day & A5: ProtectedResource = Location -> C1: Prohibit When at work Professors do not share their location in FB Image courtesy: 12
  13. 13. Image courtesy: www.phdcomics.comGeneric Rule: Professors do not share their location on FB During lunch Professor Smith shares location This is Prof. Smith. He likes to check in to FB during lunch. 13 Rule learning
  14. 14. When out to lunch Professor Smith shares location with students if he has lunch scheduled with them and he is in town 14 Rule Learning – User Feedback Capture
  15. 15. Image courtesy: 15 This is Prof. Smith. Good policy The system either knows all his policies or it does not! Violation Metric
  16. 16. Image courtesy: 16 Bad policy The system either knows all his policies or it does not! Violation Metric
  17. 17. False violation: Use cases • Rule requires • Deletion • Antecedent generalization • Antecedent specialization • Delete conditions • Add conditions 17
  18. 18. Experimental Results 18 Consistent feedback
  19. 19. Emulating XPrivacy 19 Source: License: GNU General Public License version 3
  20. 20. Future Work • More experiments validating violation metric • Finer granularity capture of policy violation • Possible predictive model for policy generation • Using machine learning to generate policies • Inducing policy using logic programming 20
  21. 21. Conclusion We presented MITHRIL • Framework for capturing ABAC access control policies • User-preferred & specific policy capture • Fine-grained, context-sensitive • Uses Semantic Web technologies • Policy enforcement 21 UMBC ebiquity lab