Skip to main content
Springer Nature Link
Log in

Conformance Verification of Privacy Policies

  • Conference paper
Web Services and Formal Methods (WS-FM 2010)

Part of the book series: Lecture Notes in Computer Science ((LNPSE,volume 6551))

Included in the following conference series:

Abstract

Web applications are both the consumers and providers of information. To increase customer confidence, many websites choose to publish their privacy protection policies. However, policy conformance is often neglected. We propose a logic based framework for formally specifying and reasoning about the implementation of privacy protection by a web application. A first order extension of computation tree logic is used to specify a policy. A verification paradigm, built upon a static control/data flow analysis, is presented to verify if a policy is satisfied.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Subscribe and save

Springer+ Basic
$34.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

Similar content being viewed by others

References

  1. Agrawal, R., Kiernan, J., Srikant, R., Xu, Y.: Implementing p3p using database technology. In: Proceedings of 19’th International Conference on Data Engineering, pp. 595–606 (2003)

    Google Scholar 

  2. Alur, R., ÄŒerný, P., Zdancewic, S.: Preserving secrecy under refinement. In: Bugliesi, M., Preneel, B., Sassone, V., Wegener, I. (eds.) ICALP 2006. LNCS, vol. 4052, pp. 107–118. Springer, Heidelberg (2006)

    Chapter  Google Scholar 

  3. Anand, S., Pásáreanu, C.S., Visser, W.: JPF-SE: A symbolic execution extension to java pathfinder. In: Grumberg, O., Huth, M. (eds.) TACAS 2007. LNCS, vol. 4424, pp. 134–138. Springer, Heidelberg (2007)

    Chapter  Google Scholar 

  4. Ashley, P.: Enforcement of a p3p privacy policy. In: Proceedings of the 2nd Australian Information Security Management Conference, pp. 11–26 (2004)

    Google Scholar 

  5. Baldoni, M., Baroglio, C., Martelli, A., Patti, V., Schifanella, C.: Verifying the Conformance of Web Services to Global Interaction Protocols: A first step. In: Bravetti, M., Kloul, L., Tennenholtz, M. (eds.) EPEW/WS-EM 2005. LNCS, vol. 3670, pp. 257–271. Springer, Heidelberg (2005)

    Chapter  Google Scholar 

  6. Barth, A., Datta, A., Mitchell, J.C., Nissenbaum, H.: Privacy and contextual integrity: Framework and applications. In: Proceedings of the 2006 IEEE Symposium on Security and Privacy, pp. 184–198 (2006)

    Google Scholar 

  7. Barth, A., Mitchell, J.C.: Enterprise privacy promises and enforcement. In: Proceedings of the 2005 Workshop on Issues in the Theory of Security, pp. 58–66 (2005)

    Google Scholar 

  8. Burch, J., Clarke, E., McMillan, K., Dill, D., Hwang, L.: Symbolic model checking: 1020 states and beyond. In: IEEE Symposium on Logic in Computer Science, pp. 428–439 (1990)

    Google Scholar 

  9. Chiba, S.: Getting started with javassit, http://www.csg.is.titech.ac.jp/~chiba/javassist/html/index.html .

  10. Clarke, E.M., Grumberg, O., Peled, D.A.: Model Checking. The MIT Press, Cambridge (1999)

    Google Scholar 

  11. Deutsch, A., Sui, L., Vianu, V.: Specification and verification of data-driven web services. In: Proceedings of the Twenty-Third ACM SIGMOD-SIGACT-SIGART Symposium on Principles of Database Systems, PODS 2004, pp. 71–82 (2004)

    Google Scholar 

  12. Fu, X., Bultan, T., Su, J.: Model checking XML manipulating software. In: Proceedings of the 2004 Int. Symp. on Software Testing and Analysis (ISSTA), pp. 252–262 (2004)

    Google Scholar 

  13. Hallé, S., Villemaire, R., Cherkaoui, O., Tremblay, J., Ghandour, B.: Extending model checking to data-aware temporal properties of web services. In: Proceedings of 2007 Web Services and Formal Methods, 4th International Workshop, pp. 31–45 (2007)

    Google Scholar 

  14. Hayati, K., Abadi, M.: Language-based enforcement of privacy policies. In: Proceedings of Privacy Enhancing Technologies Workshop, pp. 302–313 (2005)

    Google Scholar 

  15. He, Q., Anton, A.: A framework for modeling privacy requirements in role engineering. In: Proceedings of the 9th International Workshop on Requirements Engineering: Foundation for Software Quality, pp. 1–15 (2003)

    Google Scholar 

  16. IBM. Declarative Data Privacy Monitoring, http://www.redbooks.ibm.com/redbooks/pdfs/sg246999.pdf .

  17. Jackson, D.: Alloy 3 Reference Manual, http://alloy.mit.edu/reference-manual.pdf

  18. Jackson, D.: Automating first-order relational logic. In: Proceedings of the 8th ACM SIGSOFT International Symposium on Foundations of Software Engineering (FSE), pp. 130–139 (2000)

    Google Scholar 

  19. Kagal, L., Paolucci, M., Srinivasan, N., Denker, G., Finin, T., Sycara, K.: Authorization and privacy for semantic web services. IEEE Intelligent Systems 19(4), 50–56 (2004)

    Article  Google Scholar 

  20. Khalek, S.A., Elkarablieh, B., Laleye, Y.O., Khurshid, S.: Query-aware test generation using a relational constraint solver. In: Proceedings of the 2008 23rd IEEE/ACM International Conference on Automated Software Engineering, pp. 238–247 (2008)

    Google Scholar 

  21. Khurshid, S., Jackson, D.: Correcting a naming architecture using lightweight constraint analysis. Technical report, MIT Lab for Computer Science (December 1998)

    Google Scholar 

  22. King, J.C.: Symbolic execution and program testing. Communications of the ACM 19(7), 385–394 (1976)

    Article  MathSciNet  MATH  Google Scholar 

  23. House of Representatives. Health insurance portability and accountability act of (1996), http://www.gpo.gov/fdsys/pkg/CRPT-104hrpt736/pdf/CRPT-104hrpt736.pdf

  24. Rajamani, S.K., Rehof, J.: Conformance checking for models of asynchronous message passing software. In: Brinksma, E., Larsen, K.G. (eds.) CAV 2002. LNCS, vol. 2404, pp. 166–179. Springer, Heidelberg (2002)

    Chapter  Google Scholar 

  25. REVERSE - policies & trust, http://cs.na.infn.it/rewerse/pubs.html

  26. W3C Member Submission. Enterprise privacy authorization language (epal 1.2.), http://www.w3.org/Submission/2003/SUBM-EPAL-20031110/

  27. Taghdiri, M., Jackson, D.: A lightweight formal analysis of a multicast key management scheme. In: Proceedings of Formal Techniques of Networked and Distributed Systems, pp. 240–256. Springer, Heidelberg (2003)

    Google Scholar 

  28. Torlak, E., Jackson, D.: Kodkod: A relational model finder. In: Proceedings of Tools and Algorithms for the Construction and Analysis of Systems, pp. 632–647 (2007)

    Google Scholar 

  29. Tschantz, M.C., Wing, J.M.: Formal methods for privacy. In: Proceedings of the 2nd World Congress on Formal Methods, pp. 1–15 (2009)

    Google Scholar 

  30. W3C. Platform for privacy preferences (p3p), http://www.w3.org/P3P/

  31. Wassermann, G., Su, Z.: Sound and precise analysis of web applications for injection vulnerabilities. In: Proceedings of the ACM SIGPLAN 2007 Conference on Programming Language Design and Implementation, pp. 32–41 (2007)

    Google Scholar 

  32. Yu, T., Li, N., Antón, A.I.: A formal semantics for p3p. In: Proceedings of the 2004 Workshop on Secure Web Service, pp. 1–8 (2004)

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Department of Computer Science, Hofstra University, USA

    Xiang Fu

Authors
  1. Xiang Fu
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. Department of Computer Science, University of Bologna, Mura A. Zamboni 7, 40127, Bologna, Italy

    Mario Bravetti

  2. University of California, Santa Barbara, CA, USA

    Tevfik Bultan

Rights and permissions

Reprints and permissions

Copyright information

© 2011 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Fu, X. (2011). Conformance Verification of Privacy Policies. In: Bravetti, M., Bultan, T. (eds) Web Services and Formal Methods. WS-FM 2010. Lecture Notes in Computer Science, vol 6551. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-19589-1_6

Download citation

  • DOI: https://doi.org/10.1007/978-3-642-19589-1_6

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-19588-4

  • Online ISBN: 978-3-642-19589-1

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics