ABSTRACT
Usage control is concerned with how data is used after access to it has been granted. Data may exist in multiple representations which potentially reside at different layers of abstraction, including operating system, window manager, application level, DBMS, etc. Consequently, enforcement mechanisms need to be implemented at different layers, in order to monitor and control data at and across all of them.
We present an architecture for usage control enforcement mechanisms that cater to the data dimension, grasping the distinction between data (e.g., a picture or a song) and its representations within the system (e.g., a file, a window, a network packet, etc.). We then show three exemplary instantiations at the level of operating system, application, and windowing system. Our mechanisms enforce data-related policies simultaneously at the respective levels, offering a concrete multi-layer enforcement and laying the grounds for a combined inter-layer usage control enforcement.
In this demo, we consider a use case from a social network scenario. A user can, on the grounds of assigned trust values, protect his data from being misused after having been downloaded by other users. In particular, our mechanisms prevent sensitive data in the browser window from being printed, saved or copied to the system clipboard, avoid direct access to the cached copy of the file and forbid taking a screenshot of the window where data is shown.