API Security

With the emergence of new web technologies, and with the establishment of the Web 2.0, a large number of web sites are exposing their services by providing web programming interfaces (APIs). Several online web sites have released APIs that allow developers to leverage and aggregate information stored in user profiles to provide extended services. Furthermore, several sites are adopting a unified API development framework, for example the OpenSocial framework provides a common set of APIs for social applications across multiple websites. Applications require specific profile elements to provide the intended service. Some applications would require information from both the user’s profile and her friends’ profiles. When a user adds an application to their profile, they are given a few options that represent the access control agreement between the user and the application. The current state of art in social network platforms give users the ability to choose profile elements accessible to other users, on the other hand applications that are added to the user profile are given full read access to all the profile information, and other profiles accessible to the user. We believe, applications should be given limited view to the user profile and only given access to the minimum profile data required to provide the requested service. We are currently working on a framework that extends the social networks fine-grained risk aware access control model to include API based applications. Our framework will adopt the Principle of Least Privilege, which requires that each principal be accorded the minimum access privileges needed to accomplish its task. This translates to the requirement that an application should be awarded access to the minimum set of profile data in order to provide the requested service. We propose a mechanism to enable the application developer to select the data items required by the application and at the same time enable the user to opt-in or opt-out or each of the requested data items.  Related Publications:

  1. Gorrell Cheek, Mohamed Shehab, Truong Ung, and Ebonie Williams, iLayer: Toward an Application Access Control Framework for Content Management Systems, Policy’11: IEEE International Symposium on Policies for Distributed Systems and Networks, Pisa, Italy, June 6-8, 2011. [Policy11 Slides PDF] [Policy 2011 PDF]
  2. Moo Nam Ko, Gorrell Cheek, Mohamed Shehab, and Ravi Sandhu, Social-Networks Connect Services, IEEE Computer (Cover Feature), Volume 43, Issue 8, August 2010. [Computer 2010 PDF]
  3. Andrew Besmer, Heather Lipford, Mohamed Shehab, and Gorrell Cheek, Social Applications: Towards A Secure Framework. Proceedings of the 5th Symposium on Usable Privacy and Security (SOUPS), Mountain View, CA, 2009. [SOUPS 2009 PDF]
  4. Mohamed Shehab, Anna C. Squicciarini and Gail-Joon Ahn, Beyond User-to-User Access Control for Online Social Networks, ICICS 2008: 10th International Conference on Information and Communications Security, Birmingham, UK, October, 2008. [ICICS 2008 PDF]

Comments are closed.