A Formal Framework for Social Networking (PowerPoint PPT Presentation)

Nestor Catano, Sorren Hanvey (Carnegie Mellon University | Portugal); Camilo Rueda (Pontificia Universidad Javeriana)

SLIDE 1

A Formal Framework for Social Networking

Nestor Catano, Sorren Hanvey
Carnegie Mellon University | Portugal

Camilo Rueda
Pontificia Universidad Javeriana

SLIDE 2

Social Networks

• Social networks have become popular
  – E.g. Facebook, MySpace, LinkedIn, Hi5, Twitter, Sapo
  – Each supporting millions of active users
• Social networks, and online media in general, have replaced personal communication as the main communication channel
SLIDES 3-4

Social Networks

• To publish media content: pictures, video
• To share personal info: gender, birthday, family situation
• To make business contacts and family connections, to share interests
• Information in social networks is security and privacy sensitive
SLIDE 5

Privacy and Security

– R. Antone (2006)
• The personal information revealed by teenagers on these sites also attracts sexual predators
• There have been a number of reports of sexual predators locating victims through social networking sites
SLIDE 6

Privacy and Security

– R. Gross and A. Acquisti (2006)
• Analyzed the behaviour of 4,000 CMU students on a social network catering to colleagues
• Evaluated the information students disclose and studied how they use the site's privacy settings
• Only a minimal percentage of users change the highly permeable default privacy preferences
SLIDE 7

Privacy and Security

– Violent crime: http://news.bbc.co.uk/2/hi/uk_news/england/staffordshire/7845946.stm
– Losing your job: http://news.bbc.co.uk/2/hi/uk_news/england/essex/7914415.stm
SLIDE 8

Existing Social Networks

– Do not enforce privacy of media content
– They have conflicting goals
  • E.g. expanding the network vs. exposing users' content
SLIDES 9-10

Social Networks - MVC

[Diagram of the Model-View-Controller architecture of a social network. Boxes: View, Controller, Model. Edge labels: Events / GET and POST HTTPS Requests (View to Controller); State Query, State Change (Controller to Model); Change Modification (Model to View).]
SLIDE 11

Model

• Social network core implementation that enforces security and privacy policies
• What would the optimum policies for social networks be?
• How does friendship in a social network affect social network privacy?
SLIDE 12

Formal Methods

• Characterize social network applications more precisely
• Provide a logical foundation to express and enforce privacy and security policies
• Provide a mathematical framework to reason about the desirable properties of social network applications
SLIDE 13

Parachute Strategy

• Systems are first modeled at the most abstract level, then details are added to the model to refine the system behaviour
SLIDE 14

Program Refinement

• Transforming an initial program (the specification) into another mathematical model that is more concrete (the code)
  – Data refinement
  – Event refinement (operation refinement)
  – Substitution refinement
SLIDES 15-16

Social Network Core

• To write general privacy and security policies for social networks as an initial, predicate-calculus-based abstract specification
• To refine the initial abstract specification and obtain a social network core application that adheres to the stipulated policies
• Privacy is modeled as access permissions on content
SLIDE 17

Social Network Core Structure

[Diagram of the refinement chain: Abstract Model; Principal Content, Page Field; Mandatory Content; Friendship Relations; Permissions according to Friendship; User Wall; Suggest, Find Friends; Extend Functionality: Add Plug-in.]
SLIDE 18

Social Network Structure

• Abstraction
  – Page content, content visibility, content ownership, access privileges
• Refinement 1
  – Principal content, page fields
• Refinement 2
  – Mandatory content
• Refinement 3
  – User wall, wall visible content, wall access privileges
• Social Friends
  – Friendship relations
• Refinement 4
  – Relations among friendship, visibility and privileges
SLIDE 19

B Model

  SETS
    PERSON; RAWCONTENT; OPS = {view, edit}

  INVARIANTS
    person <: PERSON &
    rawcontent <: RAWCONTENT &
    content : person <-> rawcontent &
    act : (rawcontent * OPS) <-> person

(person and rawcontent are the registered users and the uploaded items; content records which person can see which item; act records, for each (item, operation) pair, the persons allowed to perform that operation on the item.)
SLIDE 20

B Model

  OPERATIONS
    transmit_rc(rc, ow, pe) =
      PRE
        rc : rawcontent & pe : person &
        ow = owner(rc) & ow /= pe &
        pe |-> rc /: content
      THEN
        content := content \/ {pe |-> rc} ||
        act := act \/ ({rc} * OPS * {pe})
      END

(The owner ow transmits item rc to another person pe who does not yet see it: pe gains visibility of rc and, since {rc} * OPS * {pe} pairs rc with both view and edit, every operation on it. The precondition is what prevents a non-owner from sharing someone else's content.)
SLIDE 21

B Model

  INVARIANTS
    ∀ rc : rawcontent => ∀ op : OPS => rc |-> op |-> owner(rc) : act

(The owner of an item can always perform every operation on it. owner is the function from rawcontent to person that is fixed when an item is uploaded, cf. FUN4 on slide 23.)
SLIDE 22

B Model

    friendship : friend <-> friend &
    best_friends <: friendship &
    social_friends <: friendship &
    acquaintances <: friendship &
    best_friends /\ social_friends = {} &
    best_friends /\ acquaintances = {} &
    social_friends /\ acquaintances = {}

(Friendship is a relation on persons partitioned into three pairwise disjoint classes: best friends, social friends and acquaintances.)
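The machine on slides 19-22 can be exercised directly by turning its sets into Python sets and its relations into sets of tuples. The block below is an added example written for this page, not the authors' Atelier B development: the `upload` operation (the shape of FUN2/FUN4 on slide 23) and the total `owner` function are assumptions, since the slides only show `transmit_rc`. Where Atelier B discharges the invariant once as proof obligations, this version re-checks it after every operation, which is the cheap runtime substitute a practitioner can use while a model is still being refined.

```python
"""Executable rendering of the B machine on slides 19-22 (added example, not the
authors' Atelier B model).  Sets are Python sets, relations are sets of tuples,
and every operation checks its PRE clause and then re-checks the INVARIANTS."""
from dataclasses import dataclass, field

OPS = {"view", "edit"}


class PreconditionError(Exception):
    """Operation called outside its PRE clause."""


class InvariantError(Exception):
    """Machine state violates the INVARIANTS of slides 19, 21 or 22."""


@dataclass
class SocialNetwork:
    person: set = field(default_factory=set)        # person <: PERSON
    rawcontent: set = field(default_factory=set)    # rawcontent <: RAWCONTENT
    owner: dict = field(default_factory=dict)       # owner : rawcontent --> person (assumed total function)
    content: set = field(default_factory=set)       # content : person <-> rawcontent, stored as (pe, rc)
    act: set = field(default_factory=set)           # act : (rawcontent * OPS) <-> person, stored as ((rc, op), pe)
    best_friends: set = field(default_factory=set)  # the three disjoint friendship classes, as (pe, friend)
    social_friends: set = field(default_factory=set)
    acquaintances: set = field(default_factory=set)

    def friendship(self):
        return self.best_friends | self.social_friends | self.acquaintances

    def check_invariant(self):
        """Raise InvariantError unless the state satisfies slides 19, 21 and 22."""
        if not all(pe in self.person and rc in self.rawcontent for pe, rc in self.content):
            raise InvariantError("content must be a relation person <-> rawcontent")
        if not all(rc in self.rawcontent and op in OPS and pe in self.person
                   for (rc, op), pe in self.act):
            raise InvariantError("act must be a relation (rawcontent * OPS) <-> person")
        # slide 21: the owner of every item can perform every operation on it
        for rc in self.rawcontent:
            for op in OPS:
                if ((rc, op), self.owner[rc]) not in self.act:
                    raise InvariantError(f"owner of {rc} lost {op}")
        # slide 22: the friendship classes are pairwise disjoint
        if (self.best_friends & self.social_friends or self.best_friends & self.acquaintances
                or self.social_friends & self.acquaintances):
            raise InvariantError("friendship classes overlap")
        return True

    def upload(self, pe, rc):
        """Assumed operation (FUN2/FUN4 on slide 23): pe uploads rc, becomes its owner
        and receives every operation on it, which establishes the slide-21 invariant."""
        if not (pe in self.person and rc not in self.rawcontent):
            raise PreconditionError("upload: unknown user or duplicate item")
        self.rawcontent.add(rc)
        self.owner[rc] = pe
        self.content.add((pe, rc))
        self.act |= {((rc, op), pe) for op in OPS}
        return self.check_invariant()

    def transmit_rc(self, rc, ow, pe):
        """transmit_rc from slide 20: the owner ow shares rc with pe."""
        if not (rc in self.rawcontent and pe in self.person
                and ow == self.owner[rc] and ow != pe
                and (pe, rc) not in self.content):
            raise PreconditionError("transmit_rc: PRE clause violated")
        self.content |= {(pe, rc)}                   # content := content \/ {pe |-> rc}
        self.act |= {((rc, op), pe) for op in OPS}   # act := act \/ {rc} * OPS * {pe}
        return self.check_invariant()


def demo_state():
    """Constructed scenario: alice uploads a photo and transmits it to bob."""
    net = SocialNetwork(person={"alice", "bob", "carol"})
    net.upload("alice", "photo1")
    net.transmit_rc("photo1", "alice", "bob")
    return net
```

Calling `transmit_rc("photo1", "bob", "carol")` on the returned state raises `PreconditionError`, because bob is not the owner; deleting alice's edit permission from `act` by hand and calling `check_invariant()` raises `InvariantError`, which is the runtime face of the slide-21 proof obligation.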

SLIDE 23

Functional Requirements

• FUN1 The social network shall have users
• FUN2 Social network users shall upload data
• FUN3 Users will have controlled access to their data on the network based on privileges
• FUN4 Users who upload data shall be classified as the owner of the said data
• FUN5 Users might choose what data available to them is viewed by them
SLIDE 24

Privacy and Security

• PrivSec: If a person appears to have permission to operate on some content (today), then this person has been given that permission (in the past) and that permission has not been removed since (meanwhile), neither by the owner nor by the person themself
SLIDE 25

Privacy and Security

  ∀ (rc, op, pe) .
    rc |-> op |-> pe : act
    <=>
    # i : dom(given) .
      (owner(rc) |-> (rc |-> op |-> pe)) : given(i) &
      not ( # j : dom(removed) .
              j > i &
              ( (owner(rc) |-> (rc |-> op |-> pe)) : removed(j)
                or (pe |-> (rc |-> op |-> pe)) : removed(j) ) )

(given and removed are histories indexed by time: given(i) is the set of (grantor, permission) pairs granted at step i, removed(j) the set of (actor, permission) pairs revoked at step j. A permission is in act exactly when the owner granted it at some step i and neither the owner nor the grantee pe revoked it at any later step j.)
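PrivSec relates the permission relation `act` to two time-indexed histories, which is exactly the shape of an audit-trail reconciliation. The block below is an added example written for this page, not the authors' model: it merges `given` and `removed` into one event log (`log[i]` is the set of events at step i, an assumption about representation), reconstructs the `act` the formula demands, and reports where a live permission relation disagrees with it. The sample owners and events are constructed.

```python
"""PrivSec (slides 24-25) as an executable check over an audit trail (added
example, not the authors' model).  The formula's `given` and `removed` are
indexed by time; here one event log plays both roles: log[i] is the set of
events at step i, each event ("give" | "remove", actor, perm) with
perm = ((rc, op), pe), i.e. the triple rc |-> op |-> pe of the slides."""


def act_from_history(owner, log):
    """Permissions granted by the owner at some step i and revoked neither by the
    owner nor by the grantee at any later step j > i.  A "remove" by anyone else
    does not count, exactly as in the formula."""
    act = set()
    for i, events in enumerate(log):
        for kind, actor, perm in events:
            (rc, op), pe = perm
            if kind != "give" or actor != owner[rc]:
                continue                          # only the owner's grants count
            revoked_later = any(
                ("remove", who, perm) in log[j]
                for j in range(i + 1, len(log))
                for who in (owner[rc], pe)
            )
            if not revoked_later:
                act.add(perm)
    return act


def privsec_audit(owner, log, act):
    """Return (unjustified, missing): permissions held with no surviving grant,
    and surviving grants that are not held.  PrivSec holds iff both are empty."""
    expected = act_from_history(owner, log)
    return act - expected, expected - act


def privsec_holds(owner, log, act):
    unjustified, missing = privsec_audit(owner, log, act)
    return not unjustified and not missing


def demo_log():
    """Constructed scenario (not from the slides): alice owns "photo", dave owns "note"."""
    owner = {"photo": "alice", "note": "dave"}
    view_bob = (("photo", "view"), "bob")
    edit_carol = (("photo", "edit"), "carol")
    view_eve = (("note", "view"), "eve")
    log = [
        {("give", "alice", view_bob), ("give", "alice", edit_carol)},    # step 0
        {("remove", "bob", view_bob), ("remove", "alice", edit_carol)},  # step 1: bob drops his own, alice revokes carol's
        {("give", "alice", view_bob), ("give", "mallory", view_eve)},    # step 2: re-grant; mallory is not the owner of "note"
    ]
    return owner, log
```

On the constructed log only `view_bob` survives: carol's edit was revoked by the owner, bob's first grant was released by bob himself but re-granted later, and mallory's grant is ignored because mallory does not own the item. Any entry `privsec_audit` reports as unjustified is a permission the system holds that no owner ever gave, which is the privilege-escalation case the property is there to exclude.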

SLIDE 26

Formalisation

• A complete formalisation of a social network application in predicate calculus
• Formalisation in Atelier B
  – 411 proof obligations (all discharged)
• We have not generated code yet.
SLIDES 27-28

Social Networks - MVC

[The MVC diagram of slides 9-10 is shown again: View, Controller, Model.]
SLIDE 29

Extending the Core Implementation

• Plug-ins implementing functionalities
• Social Network Plug-in Validator
  – Proof Carrying Code (PCC), Necula, G.-C.
  – A plug-in consists of C code implementing the functionality and a proof of adherence to the B model of social networks
SLIDE 30

Extending the Core Implementation

• Non-bypassable: the security functions cannot be circumvented
• Tamper-proof: subversive code cannot alter the function of the security functions by exhausting resources or overrunning buffers.
SLIDE 31

MILS

• High-assurance security architecture
• It is accomplished by providing several types of separation
  – Data Isolation
  – Control of Information Flow
  – Fault Isolation
SLIDES 32-33

Data Isolation

• Data in a partition is accessible to that partition only
• Private data remains private
• partition ≈ friendship
SLIDE 34

Data Isolation

[Diagram: a person pe and the partition friends(pe) inside the Social Network; the operation pe.remove(rc).]
SLIDE 35

Control of Information Flow

• Information flow goes from an authorised source to an authorised target
SLIDE 36

Partition Information Flow Policy

• Partition Abstraction
  – All the elements of a partition are subject to the same restrictions/permissions.
SLIDES 37-41

Control of Information Flow

[Diagram (built up over five slides): the partition friends(pe) of a person pe inside the Social Network, split into BF(pe), SF(pe) and AC(pe) (best friends, social friends, acquaintances); content(pe) with an item rc; the operation pe.remove(rc).]
SLIDE 42

Control of Information Flow

  ∀ pe : dom(friendship) => ∀ bf : best_friends[{pe}] => ∀ sf : social_friends[{pe}] =>
  ∀ rc : rawcontent => ∀ ac : OPS =>
    ( pe = owner(rc) & pe |-> rc : content & rc |-> ac |-> pe : act &
      bf |-> rc : content & sf |-> rc : content & rc |-> ac |-> sf : act )
    => rc |-> ac : act~[{bf}]

(If the owner pe of rc has let both a best friend bf and a social friend sf see rc, and sf may perform ac on rc, then bf may too: act~[{bf}] is the set of (item, operation) pairs that bf holds. Best friends are never granted less than social friends on the same item.)
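The slide-42 invariant is a monotonicity condition between friendship classes, and a refinement has to show that no operation can break it. The block below is an added example written for this page, not the authors' Atelier B refinement: `best_friend_gaps` is the invariant as a checker, and `grant` is an assumed owner-only grant operation (the slides do not show one) refined so that granting to a social friend also propagates the permission to every best friend who can see the item. Relations use the same tuple encodings as the earlier slides; the sample data is constructed.

```python
"""Slide 42's invariant as a checker plus a grant operation that preserves it
(added example, not the authors' model).  Encodings: content holds (pe, rc),
act holds ((rc, op), pe), best_friends and social_friends hold (pe, friend)."""


def best_friend_gaps(owner, content, act, best_friends, social_friends):
    """Triples ((rc, ac), bf) that the invariant requires in act but that are
    absent: bf is a best friend of the owner pe and sees rc, while a social
    friend sf of pe who also sees rc may perform ac on it."""
    gaps = set()
    for (rc, ac), sf in act:
        pe = owner[rc]
        if ((pe, sf) not in social_friends or (pe, rc) not in content
                or (sf, rc) not in content or ((rc, ac), pe) not in act):
            continue                                  # antecedent of the invariant fails
        for p, bf in best_friends:
            if p == pe and (bf, rc) in content and ((rc, ac), bf) not in act:
                gaps.add(((rc, ac), bf))
    return gaps


def grant(owner, content, act, best_friends, social_friends, rc, grantee, ac):
    """Assumed operation: the owner of rc grants ac to a grantee who already sees
    rc.  Refinement step: when the grantee is a social friend, the same permission
    is propagated to every best friend who sees rc, so the slide-42 invariant
    cannot be broken by a grant.  Returns the new act relation."""
    pe = owner[rc]
    if (grantee, rc) not in content:
        raise ValueError("grantee cannot see rc; transmit it first")
    new_act = set(act) | {((rc, ac), grantee)}
    if (pe, grantee) in social_friends:
        new_act |= {((rc, ac), bf) for p, bf in best_friends
                    if p == pe and (bf, rc) in content}
    return new_act


def demo_relations():
    """Constructed scenario: alice owns "photo"; bob is a social friend, carol and
    erin are best friends (erin does not see the photo), dave is neither."""
    owner = {"photo": "alice"}
    content = {("alice", "photo"), ("bob", "photo"), ("carol", "photo"), ("dave", "photo")}
    best_friends = {("alice", "carol"), ("alice", "erin")}
    social_friends = {("alice", "bob")}
    act = {(("photo", "view"), "alice"), (("photo", "edit"), "alice")}
    return owner, content, act, best_friends, social_friends
```

Adding `(("photo", "view"), "bob")` to `act` by hand leaves carol without view and the checker reports the gap; erin is not reported because she does not see the photo, matching the `bf |-> rc : content` hypothesis. Going through `grant` instead closes the gap, and a grant to dave, who is in no friendship class, propagates nothing.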

SLIDE 43

Fault Isolation

• Control of exceptions
  – Extended the generated code
  – Might be included into the abstract model
SLIDE 44

Social Networks - MVC

[The MVC diagram of slides 9-10 is shown again: View, Controller, Model.]
SLIDE 45

HCI & Security

• But securing software is not the same as securing systems
  – The human element is often the weakest link
    Overwhelmed by complexity
    Unable to determine consequences
SLIDE 46

Conclusions

• Social networks contain highly sensitive personal information
  – We aim to make them provably secure
  – We aim to make them usably secure
SLIDE 47

Questions?