Nothing Special   »   [go: up one dir, main page]

skip to main content
10.1145/3322431.3325109acmconferencesArticle/Chapter ViewAbstractPublication PagessacmatConference Proceedingsconference-collections
research-article
Public Access

Effectively Enforcing Authorization Constraints for Emerging Space-Sensitive Technologies

Published: 28 May 2019 Publication History

Abstract

Recently, applications that deliver customized content to end-users, e.g., digital objects on top of a video stream, depending on information such as their current physical location, usage patterns, personal data, etc., have become extremely popular. Despite their promising future, some concerns still exist with respect to the proper use of such space-sensitive applications (S-Apps) inside independently-run physical spaces, e.g., schools, museums, hospitals, memorials, etc. Based on the idea that innovative technologies should be paired with novel (and effective) security measures, this paper proposes space-sensitive access control (SSAC), an approach for restricting space-sensitive functionality in such independently-run physical spaces, allowing for the specification, evaluation and enforcement of rich and flexible authorization policies, which, besides meeting the specific needs for S-Apps, are also intended to avoid the need for interruptions in their normal use as well as repetitive policy updates, thus providing a convenient solution for both policy makers and end-users. We present a theoretical model, a proof-of-concept S-App, and a supporting API framework, which facilitate the policy crafting, storage, retrieval and evaluation processes, as well as the enforcement of authorization decisions. In addition, we present a performance case study depicting our proof-of-concept S-App in a set of realistic scenarios, as well as a user study which resulted in 90% of participants being able to understand and write authorization policies using our approach, and 93% of them also recognizing the need for restricting functionality in the context of emerging space-sensitive technologies, thus providing evidence that encourages the adoption of SSAC in practice.

References

[1]
C. A. Ardagna, M. Cremonini, E. Damiani, S. De Capitani di Vimercati, and P. Samarati. 2006. Supporting Location-based Conditions in Access Control Policies. In Proc. of the Sym. on Info., Computer and Communications Security (ASIACCS '06). ACM, New York, NY, USA, 212--222.
[2]
C. A. Ardagna, M. Cremonini, S. De Capitani di Vimercati, and P. Samarati. 2009. Access Control in Location-Based Services. Priv. in Location-Based Applications. Number 5599 in Lecture Notes in Computer Science. Springer, 106--126.
[3]
Steffen Bartsch. 2011. Authorization Enforcement Usability Case Study. In Engineering Secure Software and Systems, Ú. Erlingsson, R. Wieringa, and N. Zannone (Eds.). Springer Berlin Heidelberg, Berlin, Heidelberg, 209--220.
[4]
BBC. 2017. Pokemon Go away: Troublesome Sydney Pokestop shut down . http://www.bbc.com/news/technology-36948331. (2017). {Online; accessed June-22-2017}.
[5]
Julie Carmigniani, Borko Furht, Marco Anisetti, Paolo Ceravolo, Ernesto Damiani, and Misa Ivkovic. 2011. Augmented Reality Technologies, Systems and Applications. Multimedia Tools Appl., Vol. 51, 1 (Jan. 2011), 341--377.
[6]
Daily Sabah Europe. 2017. Germany's Auschwitz-Birkenau Museum says no Pokemon Go . http://www.dailysabah.com/europe/2016/07/14/germanys-auschwitz-birkenau-museum-says-no-pokemon-go . (2017). {Online; accessed June-5--2017}.
[7]
M. L. Damiani, E. Bertino, B. Catania, and P. Perlasca. 2007. GEO-RBAC: A Spatially Aware RBAC . ACM Trans. Inf. Syst. Secur., Vol. 10 (Feb. 2007).
[8]
M. Decker. 2008. Requirements for a Location-based Access Control Model. In Proc. of the 6th Int. Conf. on Advances in Mobile Computing and Multimedia (MoMM '08). ACM, New York, NY, USA, 346--349.
[9]
Facebook Inc. 2018. Facebook for Developers. https://developers.facebook.com/. (2018).{Online; accessed November-22-2018}.
[10]
M. Fernández and B. Thuraisingham. 2018. A Category-Based Model for ABAC. In Proceedings of the Third ACM Workshop on Attribute-Based Access Control (ABAC'18). ACM, New York, NY, USA, 32--34.
[11]
Google Inc. 2017. Google Maps API . https://developers.google.com/maps/. (2017). {Online; accessed July-14-2017}.
[12]
V. C. Hu, D. Ferraiolo, R. Kuhn, A. Schnitzer, K. Sandlin, R. Miller, and K. Scarfone. 2014. Guide to attribute based access control (ABAC) definition and considerations. NIST Special Publication, Vol. 800 (2014), 162.
[13]
S. Jana, D. Molnar, A. Moshchuk, A. Dunn, B. Livshits, H. J. Wang, and E. Ofek. 2013. Enabling Fine-grained Permissions for Augmented Reality Applications with Recognizers. In Proc. of the 22Nd USENIX Conf. on Security. 415--430.
[14]
K. Lebeck, K. Ruth, T. Kohno, and F. Roesner. 2018. Towards Security and Privacy for Multi-user Augmented Reality: Foundations with End Users. In 2018 IEEE Symposium on Security and Privacy (SP). 392--408.
[15]
Lime, Inc. 2018. Lime Dockless Electric Scooter Share . https://www.li.me/electric-scooter. (2018). {Online; accessed November-26--2018}.
[16]
M. Miettinen, S. Heuser, W. Kronz, A. Sadeghi, and N. Asokan. 2014. ConXsense: Automated Context Classification for Context-aware Access Control. In Proc. of the ACM Symp. on Info., Comp. and Comm. Sec. (ASIA CCS '14). ACM, 293--304.
[17]
Niantic, Inc. 2017. Pokemon GO . http://www.pokemongo.com/. (2017). {Online; accessed June-5--2017}.
[18]
Niantic, Inc. 2018. Request Modification for Pokemon GO . https://goo.gl/uSZ1hP . (2018). {Online; accessed November-28--2018}.
[19]
OASIS Standard. 2013. eXtensible Access Control Markup Language (XACML) Version 3.0. (2013, January 22). (2013). http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.html.
[20]
Q. M. Rajpoot, C. Damsgaard Jensen, and R. Krishnan. 2015. Attributes Enhanced Role-Based Access Control Model. In Int. Conf. on Trust, Privacy and Security in Digital Business (TrustBus).
[21]
F. Roesner, D. Molnar, A. Moshchuk, T. Kohno, and H. J. Wang. 2014. World-Driven Access Control for Continuous Sensing. In Proc. of the Conf. on Computer and Communications Security (CCS '14). ACM, New York, NY, USA, 1169--1181.
[22]
R. S. Sandhu, E. J. Coyne, H. L. Feinstein, and C. E. Youman. 1996. Role-Based Access Control Models. Computer, Vol. 29, 2 (Feb. 1996), 38--47.
[23]
Time. 2017. Pokemon Go Players Anger 9/11 Memorial Visitors. http://time.com/4403516/pokemon-go-911-memorial-holocaust-museum/. (2017). {Online; accessed June-5-2017}.
[24]
R. Ward and B. Beyer. 2014. BeyondCorp: A New Approach to Enterprise Security., Vol. 39, No. 6 (2014), 6--11.

Cited By

View all
  • (2023)SpaceMediator: Leveraging Authorization Policies to Prevent Spatial and Privacy Attacks in Mobile Augmented RealityProceedings of the 28th ACM Symposium on Access Control Models and Technologies10.1145/3589608.3593839(79-90)Online publication date: 24-May-2023
  • (2023)No-Fly-Zone: Regulating Drone Fly-Overs Via Government and User-Controlled Authorization ZonesProceedings of the Twenty-fourth International Symposium on Theory, Algorithmic Foundations, and Protocol Design for Mobile Networks and Mobile Computing10.1145/3565287.3617633(522-527)Online publication date: 23-Oct-2023
  • (2023)ICMS: A Flexible Location-Based Access Control System for Mobile DevicesIEEE Systems Journal10.1109/JSYST.2022.320269817:1(1536-1547)Online publication date: Mar-2023
  • Show More Cited By

Index Terms

  1. Effectively Enforcing Authorization Constraints for Emerging Space-Sensitive Technologies

      Recommendations

      Comments

      Please enable JavaScript to view thecomments powered by Disqus.

      Information & Contributors

      Information

      Published In

      cover image ACM Conferences
      SACMAT '19: Proceedings of the 24th ACM Symposium on Access Control Models and Technologies
      May 2019
      243 pages
      ISBN:9781450367530
      DOI:10.1145/3322431
      Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

      Sponsors

      Publisher

      Association for Computing Machinery

      New York, NY, United States

      Publication History

      Published: 28 May 2019

      Permissions

      Request permissions for this article.

      Check for updates

      Author Tags

      1. attributes
      2. authorization policies
      3. space-sensitive access control

      Qualifiers

      • Research-article

      Funding Sources

      Conference

      SACMAT '19
      Sponsor:

      Acceptance Rates

      SACMAT '19 Paper Acceptance Rate 12 of 52 submissions, 23%;
      Overall Acceptance Rate 177 of 597 submissions, 30%

      Contributors

      Other Metrics

      Bibliometrics & Citations

      Bibliometrics

      Article Metrics

      • Downloads (Last 12 months)106
      • Downloads (Last 6 weeks)26
      Reflects downloads up to 14 Nov 2024

      Other Metrics

      Citations

      Cited By

      View all
      • (2023)SpaceMediator: Leveraging Authorization Policies to Prevent Spatial and Privacy Attacks in Mobile Augmented RealityProceedings of the 28th ACM Symposium on Access Control Models and Technologies10.1145/3589608.3593839(79-90)Online publication date: 24-May-2023
      • (2023)No-Fly-Zone: Regulating Drone Fly-Overs Via Government and User-Controlled Authorization ZonesProceedings of the Twenty-fourth International Symposium on Theory, Algorithmic Foundations, and Protocol Design for Mobile Networks and Mobile Computing10.1145/3565287.3617633(522-527)Online publication date: 23-Oct-2023
      • (2023)ICMS: A Flexible Location-Based Access Control System for Mobile DevicesIEEE Systems Journal10.1109/JSYST.2022.320269817:1(1536-1547)Online publication date: Mar-2023
      • (2022)DyPolDroid: Protecting Against Permission-Abuse Attacks in AndroidInformation Systems Frontiers10.1007/s10796-022-10328-8Online publication date: 11-Oct-2022
      • (2021)Poster: Preventing Spatial and Privacy Attacks in Mobile Augmented Reality Technologies2021 IEEE European Symposium on Security and Privacy (EuroS&P)10.1109/EuroSP51992.2021.00056(713-715)Online publication date: Sep-2021
      • (2021)Privacy and Security Issues and Solutions for Mixed Reality ApplicationsSpringer Handbook of Augmented Reality10.1007/978-3-030-67822-7_7(157-183)Online publication date: 16-Dec-2021
      • (2020)Enforcing Location-based Access Policies Using the Existing IEEE 802.11 Infrastructure2020 11th IEEE Annual Ubiquitous Computing, Electronics & Mobile Communication Conference (UEMCON)10.1109/UEMCON51285.2020.9298073(0727-0731)Online publication date: 28-Oct-2020

      View Options

      View options

      PDF

      View or Download as a PDF file.

      PDF

      eReader

      View online with eReader.

      eReader

      Get Access

      Login options

      Media

      Figures

      Other

      Tables

      Share

      Share

      Share this Publication link

      Share on social media