Preventing Information Inference in Access Control

Technological innovations like social networks, personal devices
and cloud computing, allow users to share and store online a huge
amount of personal data. Sharing personal data online raises significant
privacy concerns for users, who feel that they do not have
full control over their data. A solution often proposed to alleviate
users’ privacy concerns is to let them specify access control
policies that reflect their privacy constraints. However, existing approaches
to access control often produce policies which either are
too restrictive or allow the leakage of sensitive information. In this
paper, we present a novel access control model that reduces the risk
of information leakage. The model relies on a data model which
encodes the domain knowledge along with the semantic relations
between data. We illustrate how the access control model and the
reasoning over the data model can be automatically translated in
XACML.We evaluate and compare our model with existing access
control models with respect to its effectiveness in preventing leakage
of sensitive information and efficiency in authoring policies.
The evaluation shows that the proposed model allows the definition
of effective access control policies that mitigate the risks of
inference of sensitive data while reducing users’ effort in policy
authoring compared to existing models.