Biblio

Access control is a widely used technology to protect information security. The implementation of access control depends on the response generated by access control policies to users’ access requests. Therefore, ensuring the correctness of access control policies is an important step to ensure the smooth implementation of access control mechanisms. To solve this problem, this paper proposes a constraint based access control policy security analysis framework (CACPSAF) to perform security analysis on access control policies. The framework transforms the problem of security analysis of access control policy into the satisfiability of security principle constraints. The analysis and calculation of access control policy can be divided into formal transformation of access control policy, SMT coding of policy model, generation of security principle constraints, policy detection and evaluation. The security analysis of policies is divided into mandatory security principle constraints, optional security principle constraints and user-defined security principle constraints. The multi-dimensional security analysis of access control policies is realized and the semantic expression of policy analysis is stronger. Finally, the effectiveness of this framework is analyzed by performance evaluation, which proves that this framework can provide strong support for fine-grained security analysis of policies, and help to correctly model and conFigure policies during policy modeling, implementation and verification.

Recent advancement of smart devices and wearable tech-nologies greatly enlarges the variety of personal data people can track. Applications and services can leverage such data to provide better life support, but also impose privacy and security threats. Obfuscation schemes, consequently, have been developed to retain data access while mitigate risks. Compared to offering choices of releasing raw data and not releasing at all, we examine the effect of adding a data obfuscation option on users' disclosure decisions when configuring applications' access, and how that effect varies with data types and application contexts. Our online user experiment shows that users are less likely to block data access when the obfuscation option is available except for locations. This effect significantly differs between applications for domain-specific dynamic tracking data, but not for generic personal traits. We further unpack the role of context and discuss the design opportunities.