Research on access control policy configuration Manya and Shuai

Outline
• Quick overview of some research
– Grey
– Expandable Grid
– SPARCLE
– Reactive access control
• Discussion of experimental design
– Issues
– Activity!
Grey
• Smartphone application for
physical access control (CIC
doors) via Bluetooth
• Based on certificates that can
be delegated to others
– All certificates
– One-time delegation
– Group-based
L. Bauer, L. Cranor, M. Reiter, and K. Vaniea. Lessons learned from the deployment of a smartphone-based access-control
system. SOUPS 2007
Grey: utility analysis
• Wanted ground-truth preferences to evaluate
system
• Interviewed 29 participants about the policies they were
trying to create with Grey/keys
– Ideal policies: “Who they wanted to provide
access to and under what conditions”
• Coded actual policies
L. Bauer, L. Cranor, R. W. Reeder, M. Reiter, and K. Vaniea. A user study of policy creation in a flexible access-control
system. CHI 2008.
Grey: utility analysis
• Grey matched ideal policies better than keys
– Hidden keys
– Lack of logging/notification
– Difficult to give people keys/track keys
– Lack of flexibility with keys
L. Bauer, L. Cranor, R. W. Reeder, M. Reiter, and K. Vaniea. A user study of policy creation in a flexible access-control
system. CHI 2008.
Grey: design principles
• Perceived speed and convenience are critical
to user satisfaction and acceptance
• A single failure can strongly discourage
adoption
• Users won’t use features they don’t
understand
• Low overhead for creating and changing
policies encourages policy change
L. Bauer, L. Cranor, M. Reiter, and K. Vaniea. Lessons learned from the deployment of a smartphone-based access-control system.
SOUPS 2007.
Expandable grid
• Goals:
– Viewing policy
– Changing policy
– Viewing composite value
memberships
– Detecting and resolving
conflicts
• Overview of entire policy
• Transparent hierarchies
R. W. Reeder, L. Bauer, L.F. Cranor, M.K. Reiter, K. Bacon, K. How, and H. Strong. Expandable Grids for Visualizing and Authoring Computer
Security Policies. ACM SIGCHI Conference on Human Factors in Computing Systems (CHI '08). 2008.
Expandable Grid: usability testing
• 36-subject lab study
• Expandable grid vs. Windows XP
• TA administering server for music department
– Basic training on system
– Simple and complex policy creation and
interpretation tasks
• Expandable grid participants did better in
terms of accuracy and time
R. W. Reeder, L. Bauer, L.F. Cranor, M.K. Reiter, K. Bacon, K. How, and H. Strong. Expandable Grids for Visualizing and Authoring
Computer Security Policies. ACM SIGCHI Conference on Human Factors in Computing Systems (CHI '08). 2008.
Expandable grid: conflict resolution
• Usability of conflict
resolution
– E.g. People in the class can
see my photos but
Rebecca can’t
• Methods:
– Specificity precedence
– Deny precedence
• Windows – combination
• Grid - use specificity
precedence if possible
R. Reeder, L. Bauer, L. Cranor, M. Reiter, K. Vaniea. More than skin deep: Measuring effects of the underlying model on
access-control system usability. CHI 2011.
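The two conflict-resolution methods named above, as an added example that is not from the slides or the cited paper. The principals, groups and resources are constructed, and two behaviours are assumptions: no applicable rule means no access, and a tie at the same specificity level falls back to deny.

```python
# Added example: deny precedence vs. specificity precedence on the same rules.
from dataclasses import dataclass

GROUPS = {"class": {"rebecca", "tom"}, "staff": {"tom"}}  # constructed data

@dataclass(frozen=True)
class Rule:
    principal: str   # a user name or a group name
    resource: str
    allow: bool

def matching(rules, user, resource):
    """Yield (rule, specificity): 2 = rule names the user, 1 = via a group."""
    for r in rules:
        if r.resource != resource:
            continue
        if r.principal == user:
            yield r, 2
        elif user in GROUPS.get(r.principal, ()):
            yield r, 1

def deny_precedence(rules, user, resource):
    """Any applicable deny wins. Assumption: no applicable rule = no access."""
    hits = [r for r, _ in matching(rules, user, resource)]
    return bool(hits) and all(r.allow for r in hits)

def specificity_precedence(rules, user, resource):
    """The most specific applicable rule wins. Assumption: a tie at one
    level falls back to deny (the slides only say 'if possible')."""
    hits = list(matching(rules, user, resource))
    if not hits:
        return False
    top = max(level for _, level in hits)
    return all(r.allow for r, level in hits if level == top)

# Slide example: the class can see my photos, but Rebecca can't.
SLIDE_POLICY = [Rule("class", "photos", True), Rule("rebecca", "photos", False)]
# Reverse case: the class is denied, but Tom is granted an exception.
EXCEPTION_POLICY = [Rule("class", "grades", False), Rule("tom", "grades", True)]
# Tie: Tom is in two groups that disagree and no rule names him.
TIE_POLICY = [Rule("class", "notes", True), Rule("staff", "notes", False)]

if __name__ == "__main__":
    cases = [("slide", SLIDE_POLICY, "rebecca", "photos"),
             ("exception", EXCEPTION_POLICY, "tom", "grades"),
             ("tie", TIE_POLICY, "tom", "notes")]
    for name, policy, user, res in cases:
        print(name, deny_precedence(policy, user, res),
              specificity_precedence(policy, user, res))
```

The methods agree on the slide's example and differ only on the reverse case, where a specific grant sits under a group-level deny.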
Expandable grid: conflict resolution usability testing
• 3 conditions
– Windows with Windows method
– Grid with Windows method
– Grid with tested method
• 54 subjects
• Music department TA lab test
• Six tasks that tested conflict resolution
• Based on accuracy rate, tested method better
when subject needed to take corrective action
R. Reeder, L. Bauer, L. Cranor, M. Reiter, K. Vaniea. More than skin deep: Measuring effects of the underlying model on access-control system
usability. CHI 2011.
SPARCLE
• Policies as natural language sentences
– User, action, data, purpose, condition
– Must be one sentence, specific order of elements
– Ex: Loan officers can use credit history or salary to make loan
decisions
• Workbench displays results of parsed rule, allows modifications
C. Brodie, C-M Karat, J. Karat. “An Empirical Study of Natural Language Parsing of Privacy Policy Rules Using the SPARCLE Policy Workbench.”
SOUPS 2006.
http://domino.research.ibm.com/comm/research_projects.nsf/pages/sparcle.index.html
SPARCLE: usability
• Syntax highlighting to help
with parsing
• 17 participants, two
conditions (highlighting,
control)
• Two policy creation tasks
• Participants who used
highlighting liked it but
performed no better
K. Vaniea, C.M. Karat, J.B. Gross, J. Karat, and C. Brodie. Evaluating Assistance of Natural Language Policy Authoring. SOUPS 2008.
Reactive access control
• Users determine access
control when resource
requested
• 24-participant experience-sampling study
• Asked for preferences for
set of friends/files
before/after study
Michelle L. Mazurek, Peter F. Klemperer, Richard Shay, Hassan Takabi, Lujo Bauer, Lorrie Faith Cranor. Exploring Reactive Access
Control. CHI 2011.
Reactive access control
• User preferences changed over course of
week
• Varied based on context, social situations,
resources
• Users liked reactive decisions
Michelle L. Mazurek, Peter F. Klemperer, Richard Shay, Hassan Takabi, Lujo Bauer, Lorrie Faith Cranor. Exploring Reactive Access
Control. CHI 2011.
Issues for experimental design
• Secondary task
• Training often needed/outside expected range
• Decision to use users’ content or created tasks
– Lab study v. field study
– How to simulate risk in lab?
– How to measure ground truth preferences
• Control case
• Other issues?
Your task: Help Kami!
• Kami created a system that visualizes photo sharing
system permissions
• Two conditions:
– Sidebar: visualization beside photos
– Under photo: visualization under photos
• Would like to know if either of her visualizations is
effective and, if so, which is more effective. In
groups of 3-4, please design a study to help her.
• Keep in mind:
– Access control is a secondary task – we need to test
users’ abilities to notice permission errors
– Time is an issue (Kami wants to graduate!)
Kami’s solution
• Task-based lab study
• Started with simple tutorial:
– Included explanation of permissions and other
aspects
– Goal was to “bury” permissions in everything else
• Pat Jones scenario
– Told subjects they were Pat Jones
– 3 blocks of 4 emails that asked Pat Jones to do tasks
(some related to permissions)
– Set up each block with an overview of Pat’s life to
provide context for permissions
Kami’s solution: example
Information: Adventures
Despite having a normal desk job you really like to go out and do fun things on the weekends. When it comes to
exciting activities like sky diving you will try anything once. You make sure to post photos of all your adventures so
your friends can see. However, your mother is one of those people who panics easily and you know if she ever saw a
photograph of you diving out of an airplane you would never hear the end of it. So you make sure not to mention
some of your more exciting adventures.
To: Pat Jones <pat@jones.com>
From: Mom <samantha@jones.com>
Subject: Are you ok?
Pat,
Are you all right? Are you ok?
I just sent Aunt Sue a link to Jennifer's Baby pictures and she sent me back this photo of you jumping off a building. A
BUILDING! Are you crazy? What were you thinking? Do you realize how dangerous what you are doing is? People die
from this!
Uncle David already thinks I'm a poor mother, if he sees these photographs I will NEVER hear the end of it. And he is
going to be looking as soon as he gets home because I already sent him a link to Jennifer's Baby pictures. What were
you thinking? How could you do this to me?
Please, please make sure no more of our family see these photographs.
Mom
Appendix
Your task: Help Kami!
• Kami created a new policy configuration system for Gallery (open source photo sharing site)
• Two test conditions:
– Side bar: visualization beside photos
– Under photo: visualization under photos
• Which one’s better? Is either of them better than a control?
• If you want to check it out: http://snappgallery.com/index.php/ (Login: Manya Sleeper)
Under photo condition (appears under each
photo on mouseover)
Sidebar condition (always visible on side of
screen)