Independent thesis Advanced level (degree of Master (Two Years)), 20 credits / 30 HE credits
Dramatic growth in the number of subscribers in Online Social Networks (OSNs), such as Facebook, MySpace, Orkut, etc. shows their increasing popularity among people from different ages and sectors. However, currently, the users need to put complete trust on OSN service providers, to protect their sensitive information because of centralized access control at the providers. Taking advantage of this infrastructure, OSN service providers can expose their subscribers' personal information for targeted advertisements, or anything that is mentioned in the terms of the privacy agreement, including to change the terms. To give complete access control to the users over their data, there must be an alternative infrastructure, which removes dependence on OSN service providers. In order to address this privacy issue, Sonja Buchegger and Anwitaman Datta proposed 2-tier peer-to-peer architecture for social networks, called PeerSoN.
The goal of this master's thesis is to evaluate the suitability of eXtensible Markup Language (XACML) for Distributed Online Social Network (DOSN) access control and privacy preservation. To do that, at the beginning, we determine the requirements for access control in DOSN, and present a structure for users' profiles. Due to the wide ranges of requirements, we propose to use rule-based access control for the users in OSN, where the rules are based on both static and dynamic constraints. Secondly, to investigate whether these policies can be expressed in XACML or not, we implement some common authorization policies using SunXACML, an open source implementation of standard XACML version 2.0. Moreover, to enhance privacy, regarding authentication and enforcement, we offer to use secret key based authentication of SAML, and one of the XACML supported web or application servers, such as JBoss Application server, Fedora server, in conjunction with XACML. Finally, we evaluate our architecture against three types of attackers; namely, users from social links, users form outside of social links, and random person, and claim that our mechanism is well protected against different threats, such as unauthorized access, impersonation attacks, identity theft, information leakage via friendship links, etc., specifically, when each user's profile is stored on his own machine.