A Formal Framework for Social Networking
Nestor Catano, Sorren Hanvey (Carnegie Mellon University | Portugal), Camilo Rueda (Pontificia Universidad Javeriana)
Social Networks
• Social networks have become popular
 – E.g. Facebook, MySpace, LinkedIn, Hi5, Twitter, Sapo
 – Each supporting millions of active users
• Social networks, and media in general, have replaced personal communication as the dominant communication force
Social Networks
• To publish media content: pictures, video
• To share personal info: gender, birthday, family situation
• To make business contacts and family connections, to share interests
• Information in social networks is security and privacy sensitive
Privacy and Security – R. Antone (2006)
• The personal information revealed by teenagers on these sites also attracts sexual predators
• There have been a number of reports of sexual predators locating victims through social networking sites
Privacy and Security – R. Gross and A. Acquisti (2006)
• Analyzed the behaviour of 4,000 CMU students on a social network catered to colleagues
• Evaluated the information students disclose and studied how they use the site's privacy settings
• A minimal percentage of users change the highly permeable default privacy preferences
Privacy and Security
 – Violent crime: http://news.bbc.co.uk/2/hi/uk_news/england/staffordshire/7845946.stm
 – Losing your job: http://news.bbc.co.uk/2/hi/uk_news/england/essex/7914415.stm
Existing Social Networks
 – Do not enforce privacy of media content
 – They have conflicting goals
  • E.g. expanding the network vs. exposing users' content
Social Networks ‐ MVC Model
[Diagram: Model (State) – Controller (State Change, Modification) – View (Query); Events / GET and POST HTTPS Requests flow from the View to the Controller]
Model
• Social network core implementation that enforces security and privacy policies
• What would the optimum policies for social networks be?
• How does friendship in a social network affect social-network privacy?
Formal Methods
• Characterize social network applications more precisely
• Provide a logical foundation to express and enforce privacy and security policies
• Provide a mathematical framework to reason about the desirable properties of social network applications
Parachute Strategy
• Systems are first modeled at the most abstract level, then details are added to the model to refine the system behaviour
Program Refinement
• Transforming an initial program (the specification) into another mathematical model that is more concrete (the code)
 – Data refinement
 – Event refinement (Operation refinement)
 – Substitution refinement
Social Network Core
• To write general privacy and security social network policies as an initial, predicate-calculus-based abstract specification
• To refine the initial abstract specification and obtain a social network core application that adheres to the stipulated policies
• Privacy is modeled as access permissions on content
Social Network Core Structure
[Diagram of the layered structure: Abstract Model (content) → Principal content, Page Field → Mandatory Content → Permissions according to Friendship, User Wall → Friendship Relations → Plug‐in Functionality (Suggest, Extend, Find, Add Friends)]
Social Network Structure
• Abstraction – Page content, content visibility, content ownership, access privileges
• Refinement 1 – Principal content, page fields
• Refinement 2 – Mandatory content
• Refinement 3 – User wall, wall visible content, wall access privileges
• Social Friends – Friendship relations
• Refinement 4 – Relations among friendship, visibility and privileges
B Model
SETS
  PERSON, RAWCONTENT, OPS = {view, edit}
INVARIANTS
  person <: PERSON
  rawcontent <: RAWCONTENT
  content : person <-> rawcontent
  act : (rawcontent*OPS) <-> person
B Model
OPERATIONS
  transmit_rc(rc, ow, pe) =
  PRE
    rc : rawcontent & pe : person & ow = owner(rc) &
    ow /= pe & pe |-> rc /: content
  THEN
    content := content \/ {pe |-> rc} ||
    act := act \/ ({rc} * OPS * {pe})
  END
B Model
INVARIANTS
  ∀ rc : rawcontent => ∀ op : OPS => (rc |-> op) |-> owner(rc) : act
B Model
  friendship : friend <-> friend &
  best_friends <: friendship &
  social_friends <: friendship &
  acquaintances <: friendship &
  best_friends /\ social_friends = {} &
  best_friends /\ acquaintances = {} &
  social_friends /\ acquaintances = {}
Functional Requirements
• FUN1 The social network shall have users
• FUN2 Social-network users shall upload data
• FUN3 Users will have controlled access to their data on the network based on privileges
• FUN4 Users who upload data shall be classified as the owner of said data
• FUN5 Users may choose what data available to them is viewed by them
Privacy and Security
• PrivSec: if a person appears to have permission to operate on some content (today), then this person has been given that permission (in the past) and that permission has not been released (meanwhile)
Privacy and Security
  ∀ (rc, op, pe).
    (rc |-> op |-> pe) : act
    <=>
    ∃ i : dom(given).
      (owner(rc) |-> (rc |-> op |-> pe)) : given(i)
      ∧ ¬ ∃ j : dom(removed).
          j > i ∧
          ( (owner(rc) |-> (rc |-> op |-> pe)) : removed(j)
            ∨ (pe |-> (rc |-> op |-> pe)) : removed(j) )
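The B model on the preceding slides (sets, the act relation, transmit_rc, the owner invariant) and the PrivSec property above can be exercised as an executable toy. The following is an added example written for this page, not the authors' Atelier B model or generated code; it keeps the slides' names (person, rawcontent, content, act, owner, given, removed) and assumes, as the slides do not say, that given and removed are histories indexed by a shared counter and that a permission is released either by the owner or by the holder themselves (revoke below). The final check shows that writing into act directly, bypassing a grant, is exactly what PrivSec detects.

```python
"""Toy executable model of the abstract social-network core (added example)."""
from dataclasses import dataclass, field

OPS = ("view", "edit")  # OPS = {view, edit}


@dataclass
class SocialNetwork:
    person: set = field(default_factory=set)        # person <: PERSON
    rawcontent: set = field(default_factory=set)    # rawcontent <: RAWCONTENT
    owner: dict = field(default_factory=dict)       # owner(rc) -> person
    content: set = field(default_factory=set)       # content : person <-> rawcontent, as (pe, rc)
    act: set = field(default_factory=set)           # act : (rawcontent*OPS) <-> person, as (rc, op, pe)
    # Assumed histories: given[i] / removed[j] are sets of (who, (rc, op, pe)); i, j share one clock
    given: dict = field(default_factory=dict)
    removed: dict = field(default_factory=dict)
    clock: int = 0

    def _grant(self, grantor, rc, pe):
        """Record a grant of every op on rc to pe in given(i) and reflect it in act."""
        self.clock += 1
        self.given[self.clock] = {(grantor, (rc, op, pe)) for op in OPS}
        self.act |= {(rc, op, pe) for op in OPS}

    def upload(self, pe, rc):
        """FUN2/FUN4: the uploader becomes owner(rc) and, per the owner invariant, holds every op on it."""
        if pe not in self.person or rc in self.rawcontent:
            raise ValueError("upload: unknown person or duplicate content")
        self.rawcontent.add(rc)
        self.owner[rc] = pe
        self.content.add((pe, rc))
        self._grant(pe, rc, pe)

    def transmit_rc(self, rc, ow, pe):
        """The slides' transmit_rc: PRE is checked, then content and act are extended."""
        if not (rc in self.rawcontent and pe in self.person
                and ow == self.owner[rc] and ow != pe
                and (pe, rc) not in self.content):
            raise ValueError("transmit_rc: precondition violated")
        self.content.add((pe, rc))          # content := content \/ {pe |-> rc}
        self._grant(ow, rc, pe)             # act := act \/ {rc} * OPS * {pe}

    def revoke(self, who, rc, op, pe):
        """Assumed release operation: only owner(rc) or pe themselves may drop the permission."""
        if who not in (self.owner[rc], pe):
            raise ValueError("revoke: only the owner or the holder may release")
        self.clock += 1
        self.removed[self.clock] = {(who, (rc, op, pe))}
        self.act.discard((rc, op, pe))

    def owner_invariant(self):
        """∀ rc, op: (rc |-> op) |-> owner(rc) : act"""
        return all((rc, op, self.owner[rc]) in self.act
                   for rc in self.rawcontent for op in OPS)

    def privsec(self):
        """PrivSec: (rc,op,pe) : act <=> some given(i) holds the owner's grant and no later
        removed(j) holds a release by the owner or by pe."""
        for rc in self.rawcontent:
            for op in OPS:
                for pe in self.person:
                    t = (rc, op, pe)
                    ow = self.owner[rc]
                    live = any(
                        (ow, t) in self.given[i]
                        and not any(j > i and ((ow, t) in self.removed[j] or (pe, t) in self.removed[j])
                                    for j in self.removed)
                        for i in self.given)
                    if (t in self.act) != live:
                        return False
        return True


if __name__ == "__main__":
    sn = SocialNetwork(person={"alice", "bob", "carol"})   # constructed sample state
    sn.upload("alice", "photo1")
    sn.transmit_rc("photo1", "alice", "bob")
    sn.revoke("alice", "photo1", "edit", "bob")
    print("owner invariant:", sn.owner_invariant(), "PrivSec:", sn.privsec())
    sn.act.add(("photo1", "view", "carol"))                 # a grant that bypasses given(i)
    print("PrivSec after tampering:", sn.privsec())
```

Running the module walks through an upload, a transmit_rc to a second user and a partial revoke, reporting both invariants as holding, and then shows PrivSec failing once a permission is injected into act without a corresponding given(i) entry; the precondition check in transmit_rc is what keeps a non-owner from transmitting someone else's content.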
Formalisation
• A complete formalisation of the social network application in predicate calculus
• Formalisation in Atelier B – 411 proof obligations (all discharged)
• We have not generated code yet.
Social Networks ‐ MVC Model
[Diagram: Model (State) – Controller (State Change, Modification) – View (Query); Events / GET and POST HTTPS Requests flow from the View to the Controller]
Extending the Core Implementation
• Plug-ins implementing functionalities
• Social Network Plug-in Validator
 – Proof Carrying Code (PCC), Necula, G.-C.
 – A plug-in consists of C code implementing the functionality and a proof of adherence to the B model of social networks
Extending the Core Implementation
• Non-bypassable: the security functions cannot be circumvented
• Tamper-proof: subversive code cannot alter the function of the security functions by exhausting resources or overrunning buffers
MILS
• High-assurance security architecture
• It is accomplished by providing several types of separation
 – Data Isolation
 – Control of Information Flow
 – Fault Isolation
Data Isolation
• Data in a partition is accessible to that partition only
• Private data remains private
• partition ≈ friendship
Data Isolation
[Diagram: within the Social Network, pe.remove(rc) propagates to friends(pe)]
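The friendship invariants from the B model slide (best_friends, social_friends and acquaintances as pairwise disjoint subsets of friendship) together with the "partition ≈ friendship" reading of data isolation above can be shown in a few lines. This is an added example for this page, not the authors' model: the share, visible_to and remove operations are assumptions chosen to illustrate the isolation claim, and the sample users are constructed. The invariant check is the disjointness test from the slide; the isolation test confirms that content shared into one friendship class is not visible from another.

```python
"""Friendship classes as disjoint partitions, with content isolated per partition (added example)."""


class Friendships:
    CLASSES = ("best_friends", "social_friends", "acquaintances")

    def __init__(self):
        self.friendship = set()                         # friendship : friend <-> friend, as (a, b)
        self.classes = {c: set() for c in self.CLASSES}  # each class <: friendship
        self.shared = {}                                # assumed: rc -> (owner, class it was shared into)

    def befriend(self, a, b, cls):
        """Add (a, b) to one friendship class, refusing a second class for the same pair."""
        if cls not in self.classes:
            raise ValueError(f"unknown friendship class {cls!r}")
        pair = (a, b)
        for other, members in self.classes.items():
            if other != cls and pair in members:
                raise ValueError(f"{pair} is already classified as {other}")
        self.friendship.add(pair)
        self.classes[cls].add(pair)

    def invariant(self):
        """The slide's invariants: every class is a subset of friendship and the classes are pairwise disjoint."""
        subsets = all(self.classes[c] <= self.friendship for c in self.CLASSES)
        disjoint = all(self.classes[x].isdisjoint(self.classes[y])
                       for x in self.CLASSES for y in self.CLASSES if x < y)
        return subsets and disjoint

    def partition(self, owner, cls):
        """The members of owner's `cls` partition (the friends related to owner under that class)."""
        return {b for (a, b) in self.classes[cls] if a == owner}

    def share(self, owner, rc, cls):
        """Assumed: place rc into exactly one of owner's partitions."""
        if cls not in self.classes:
            raise ValueError(f"unknown friendship class {cls!r}")
        self.shared[rc] = (owner, cls)

    def remove(self, owner, rc):
        """pe.remove(rc) from the diagram: rc leaves the partition, so friends(pe) lose it too."""
        if self.shared.get(rc, (None,))[0] != owner:
            raise ValueError("only the owner may remove shared content")
        del self.shared[rc]

    def visible_to(self, rc):
        """Data in a partition is accessible to that partition only: owner plus that partition's members."""
        if rc not in self.shared:
            return set()
        owner, cls = self.shared[rc]
        return {owner} | self.partition(owner, cls)

    def can_view(self, pe, rc):
        return pe in self.visible_to(rc)


if __name__ == "__main__":
    f = Friendships()                                   # constructed sample network
    f.befriend("alice", "bob", "best_friends")
    f.befriend("alice", "carol", "social_friends")
    f.befriend("alice", "dave", "acquaintances")
    f.share("alice", "photo1", "best_friends")
    print("invariant holds:", f.invariant())
    for who in ("bob", "carol", "dave"):
        print(who, "can view photo1:", f.can_view(who, "photo1"))
    f.remove("alice", "photo1")
    print("after remove, visible to:", f.visible_to("photo1"))
```

The befriend check is the operational side of the invariant: rather than letting a pair land in two classes and detecting it afterwards, the operation refuses the state that would violate disjointness, which is the same discipline the B refinement imposes through proof obligations.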