Federica Paci

Collective privacy management in social networks

Social Networking is one of the major technological phenomena of the Web 2.0, with hundreds of millions of people participating. Social networks enable a form of self expression for users, and help them to socialize and share content with other users. In spite of the fact that content sharing represents one of the prominent features of existing Social Network sites, Social Networks yet do not support any mechanism for collaborative management of privacy settings for shared content. In this paper, we model the problem of collaborative enforcement of privacy policies on shared data by using game theory. In particular, we propose a solution that offers automated ways to share images based on an extended notion of content ownership. Building upon the Clarke-Tax mechanism, we describe a simple mechanism that promotes truthfulness, and that rewards users who promote co-ownership. We integrate our design with inference techniques that free the users from the burden of manually selecting privacy preferences for each picture. To the best of our knowledge this is the first time such a protection mechanism for Social Networking has been proposed. In the paper, we also show a proof-of-concept application, which we implemented in the context of Facebook, one of todays most popular social networks. We show that supporting these type of solutions is not also feasible, but can be implemented through a minimal increase in overhead to end-users.

A privacy-preserving approach to policy-based content dissemination

We propose a novel scheme for selective distribution of content, encoded as documents, that preserves the privacy of the users to whom the documents are delivered and is based on an efficient and novel group key management scheme. Our document broadcasting approach is based on access control policies specifying which users can access which documents, or subdocuments. Based on such policies, a broadcast document is segmented into multiple subdocuments, each encrypted with a different key. In line with modern attribute-based access control, policies are specified against identity attributes of users. However our broadcasting approach is privacy-preserving in that users are granted access to a specific document, or subdocument, according to the policies without the need of providing in clear information about their identity attributes to the document publisher. Under our approach, not only does the document publisher not learn the values of the identity attributes of users, but it also does not learn which policy conditions are verified by which users, thus inferences about the values of identity attributes are prevented. Moreover, our key management scheme on which the proposed broadcasting approach is based is efficient in that it does not require to send the decryption keys to the users along with the encrypted document. Users are able to reconstruct the keys to decrypt the authorized portions of a document based on subscription information they have received from the document publisher. The scheme also efficiently handles new subscription of users and revocation of subscriptions.

Access Control and Authorization Constraints for WS-BPEL

Computerized workflow systems have attracted considerable research interest. More recently, there have been several XML-based languages proposed for specifying and orchestrating business processes, culminating in WS-BPEL. A significant omission from WS-BPEL is the ability to specify authorization information associating users with activities in the business process and authorization constraints on the execution of activities such as separation of duty. In this paper, we address these deficiencies by developing the RBAC-WS-BPEL and BPCL languages. The first of these provides for the specification of authorization information associated with a business process specified in WS-BPEL, while BPCL provides for the articulation of authorization constraints

PP-trust-X: A system for privacy preserving trust negotiations

Trust negotiation is a promising approach for establishing trust in open systems, in which sensitive interactions may often occur between entities with no prior knowledge of each other. Although, to date several trust negotiation systems have been proposed, none of them fully address the problem of privacy preservation. Today, privacy is one of the major concerns of users when exchanging information through the Web and thus we believe that trust negotiation systems must effectively address privacy issues in order to be widely applicable. For these reasons, in this paper, we investigate privacy in the context of trust negotiations. We propose a set of privacy-preserving features for inclusion in any trust negotiation system, such as the support for the P3P standard, as well as a number of innovative features, such as a novel format for encoding digital credentials specifically designed for preserving privacy. Further, we present a variety of interoperable strategies to carry on the negotiation with the aim of improving both privacy and efficiency.

Access control enforcement for conversation-based web services

Service Oriented Computing is emerging as the main approach to build distributed enterprise applications on the Web. The widespread use of Web services is hindered by the lack of adequate security and privacy support. In this paper, we present a novel framework for enforcing access control in conversation-based Web services. Our approach takes into account the conversational nature of Web services. This is in contrast with existing approaches to access control enforcement that assume a Web service as a set of independent operations. Furthermore, our approach achieves a tradeoff between the need to protect Web services access control policies and the need to disclose to clients the portion of access control policies related to the conversations they are interested in. This is important to avoid situations where the client cannot progress in the conversation due to the lack of required security requirements. We introduce the concept of k-trustworthiness that defines the conversations for which a client can provide credentials maximizing the likelihood that it will eventually hit a final state.

User Tasks and Access Control overWeb Services

Web services are a successful technology for enterprise information management, where they are used to expose legacy applications on the corporate intranet or in business-to-business scenarios. The technologies used to expose applications as Web services have matured, stabilized, and are defined as W3C standards. Now, the technology used to build applications based on Web services, a process known as orchestration, is also maturing around the Web Services Business Process Execution Language (WS-BPEL). WS-BPEL falls short on one feature though: as it is focused on orchestration of fully automatic Web-services, WS- BPEL does not provide means for specifying human interactions, even less their access-control requirements. Human interactions are nonetheless needed for flexible business processes. This lacking feature of WS-BPEL has been highlighted in a white paper issued jointly by IBM and SAP, which describes scenarios where users are involved in business processes, and defines appropriate extensions to WS-BPEL to address these. These extensions, called BPEL4People, are well explained, but their implementation isnt. In this paper, we propose a language for specifying these extensions, as well as an architecture to support them. The salient advantage of our architecture is that it allows for the reuse of existing BPEL engines. In addition, our language allows for specifying these extensions within the main BPEL script, hence preserving a global view of the process. We illustrate our extensions by revisiting the classic loan approval BPEL example.

An Adaptive Access Control Model for Web Services

This paper presents an innovative access control model, referred to as Web service Access Control Version 1 (Ws-AC1), specifically tailored to Web services. The most distinguishing features of this model are the flexible granularity in protection objects and negotiation capabilities. Under Ws-AC1, an authorization can be associated with a single service and can specify for which parameter values the service can be authorized for use, thus providing a fine access control granularity. Ws-AC1 also supports coarse granularities in protection objects in that it provides the notion of service class under which several services can be grouped. Authorizations can then be associated with a service class and automatically propagated to each element in the class. The negotiation capabilities of Ws-AC1 are related to the negotiation of identity attributes and the service parameters. Identity attributes refer to information that a party requesting a service may need to submit in order to obtain the service. The access control policy model of Ws-AC1 supports the specification of policies in which conditions are stated, specifying the identity attributes to be provided and constraints on their values. In addition, conditions may also be specified against context parameters, such as time. To enhance privacy and security, the actual submission of these identity attributes is executed through a negotiation process. Parameters may also be negotiated when a subject requires use of a service with certain parameters values that, however, are not authorized under the policies in place. In this paper, we provide the formal definitions underlying our model and the relevant algorithms, such as the access control algorithm. We also present an encoding of our model in the Web Services Description Language (WSDL) standard for which we develop an extension, required to support Ws-AC1.

Verification of Access Control Requirements in Web Services Choreography

Web services choreography is used to design peer-to-peer applications where each peer is potentially a Web service. It defines the required behavior of participating Web services along with their interactions through message exchanges. Implementing a complex system described by a choreography requires selecting actual Web services whose individual behaviors are compatible with the overall behavior described by the choreography. Although the selected Web services implement the specified behavior, they may not be able to interact due to the policies they enforce to protect their resources. A Web service resource can be an operation or a credential type to be submitted to be able to invoke an operation. In this paper, we propose a novel approach to determine at design time whether a choreography can be implemented by a set of Web services based on their access control policies and the disclosure policies regulating the release of their credentials. We model both Web services and Web services choreography as transition systems and represent Web services credential disclosure policies as directed graphs. We then verify that all possible conversations of the Web services choreography can be implemented by matching credential disclosure policies of the invoker Web service with the access control policy of the Web services being invoked. We propose a resource release graph to enable this verification.

Authorization and User Failure Resiliency for WS-BPEL Business Processes

We investigate the problem of WS-BPEL processes resiliency in RBAC-WS-BPEL, an authorization model for WS-BPEL that supports the specification of authorizations for the execution of WS-BPEL process activities by roles and users and authorization constraints, such as separation and binding of duty. The goal of resiliency is to guarantee that even if some users becomes unavailable during the execution of a WS-BPEL process, the remaining users can still complete the execution of the process. We extend RBAC-WS-BPEL with a new type of constraints called resiliency constraints and the notion of user failure resiliency for WS-BPEL processes and propose an algorithm to determine if a WS-BPEL process is user failure resilient.

An Interoperable Approach to Multifactor Identity Verification

Naming heterogeneity occurs in digital identity management systems when the various parties involved in managing digital identities use different vocabularies to denote identity attribute names. To resolve potential interoperability issues due to naming heterogeneity, the authors propose a new protocol that uses lookup tables, dictionaries, and ontology mapping techniques.