Abstract:
With the rapid development of web services, more and more users have become concerned about their private data stored with third-party service providers. Traditionally, a service provider specifies a single access control policy for all users' data stored in its database in order to control access to the data. A service provider normally hosts a large amount of users' data, so maintaining a single access control policy for all users' data becomes difficult and inflexible. This thesis proposes a user-centric data access control scheme that automatically adds access control code to web service programs. The scheme simplifies the task of the programmers. It uses a fine-grained access control policy to control access to data. Compared with existing schemes, the proposed scheme allows users to specify their own policy for their data stored with the service provider and is more flexible in setting access control policies on data. The scheme automatically tracks the flow of data in the server programs and detects the data flows that might be exploited by attackers of online applications. It also provides a program transformer that service providers can use to insert the necessary code at the relevant places in the source program to carry out the proposed access control mechanism, which relieves programmers from writing access control code in the server program. Experiments show that the proposed scheme incurs acceptable overheads.