plications. We present a mechanism that controls not only what the third-party applications can access, but also what these applications can do with the data that they are allowed to access. We propose and implement a new framework called xBook that provides a hosting service to the applications and enforces information flow control within the framework. xBook provides three types of enforcement that encapsulate the privacy requirements in a typical social network setting: (1) user-user access control (e.g., access to only friends) for data flowing within one application, (2) information sharing outside xBook with external parties, and (3) protection of the application’s proprietary data. While (1) and (2) protect the privacy of a user from information leaks, (3) prevents the application’s proprietary data or algorithm from being leaked to the application users.
The third-party applications are redesigned in such a way that they have access to all the data they require (allowing them to perform their functionality) while, at the same time, they are not allowed to pass this data to an external entity unless the user approves it. Our framework enforces that the applications make these communications explicit to the user, so that he is better informed before approving an application.
There are several challenges associated with the design of our xBook framework:
Confinement. The execution of application code needs to be confined. This problem needs to be dealt with independently on the client side within the browser and on the server side in the web server. We use “the web server” as a conceptual entity to represent one or more servers.
Mediation. All communication from and within an application needs to be mediated by the xBook platform for permissible information flow. To this end, we developed a labeling model that enforces user-defined security policies. High-level policies specified by the user are converted to low-level labels enforced by xBook.
Programmability. The programming abstraction to the application writers should be practical and easy to use. xBook provides a set of simple APIs in line with the existing social networking platforms.
Portability. The requirements imposed by xBook on the application design should not break the existing applications. In other words, it should be feasible to port most functionality of typical applications to xBook with little effort.
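To make the three enforcement types and the label-based mediation concrete, here is an added Python sketch of a toy label-tracking monitor. It is not xBook’s code or its actual labeling model; the Scope values, the Monitor class, the sink names, the horoscope scenario and the host names are assumptions made for this example. Application code runs on labeled values, derived values inherit the join of their inputs’ labels, and the labels are checked at the two points where data leaves the application: rendering to a user and sending to an external host.

```python
"""Toy label-based information flow monitor for a social-network app
platform. Hypothetical illustration of three enforcement points:
(1) user-user access control, (2) release to external parties, and
(3) protection of application-proprietary data. Not xBook's actual
labeling model or API; every name here is invented for the example."""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, FrozenSet, Set


class Scope(Enum):
    FRIENDS = "friends"        # user data visible to the owner and their friends
    PUBLIC = "public"          # user data visible to anyone
    APP_SECRET = "app-secret"  # application's proprietary data, never shown to users


@dataclass(frozen=True)
class Label:
    owner: str   # user id, or application id for proprietary data
    scope: Scope


@dataclass(frozen=True)
class Labeled:
    value: object
    labels: FrozenSet[Label]


class FlowViolation(Exception):
    """Raised when a sink would receive data its label set does not allow."""


def compute(fn: Callable, *inputs: Labeled) -> Labeled:
    """Run application code on labeled inputs. The result carries the union
    (join) of every input label, so provenance is never lost inside the app."""
    result = fn(*(x.value for x in inputs))
    return Labeled(result, frozenset().union(*(x.labels for x in inputs)))


class Monitor:
    def __init__(self, friends: Dict[str, Set[str]], approved_hosts: Dict[str, Set[str]]):
        self.friends = friends                # user -> set of friend ids
        self.approved_hosts = approved_hosts  # owner -> external hosts that owner approved

    def _is_friend(self, a: str, b: str) -> bool:
        return b in self.friends.get(a, set()) or a in self.friends.get(b, set())

    def _viewable_by(self, viewer: str, lab: Label) -> bool:
        if lab.scope is Scope.APP_SECRET:
            return False                      # (3) proprietary data is never rendered to a user
        if lab.scope is Scope.PUBLIC:
            return True
        # (1) friends-only data: the owner or one of the owner's friends
        return viewer == lab.owner or self._is_friend(viewer, lab.owner)

    def render_to_user(self, data: Labeled, viewer: str):
        """Sink: display data in the page of `viewer`. Every label must permit it."""
        for lab in data.labels:
            if not self._viewable_by(viewer, lab):
                raise FlowViolation(f"{viewer} may not see data labeled {lab}")
        return data.value

    def send_external(self, data: Labeled, host: str):
        """Sink: send data to a server outside the platform. (2) Every owner whose
        label is on the data must have explicitly approved that host."""
        for lab in data.labels:
            if host not in self.approved_hosts.get(lab.owner, set()):
                raise FlowViolation(f"{lab.owner} has not approved release to {host}")
        return data.value


def demo() -> Dict[str, str]:
    """Constructed scenario: a horoscope app on a small social graph."""
    monitor = Monitor(
        friends={"alice": {"bob"}},
        approved_hosts={"alice": {"horoscope.example"}},  # alice approved the app's own server
    )
    birthday = Labeled("1990-03-21", frozenset({Label("alice", Scope.FRIENDS)}))
    secret_table = Labeled({"Aries": "..."}, frozenset({Label("horoscope-app", Scope.APP_SECRET)}))

    # App code derives a sign from the birthday; the output inherits alice's label.
    sign = compute(lambda d: "Aries" if d[5:7] == "03" else "Other", birthday)

    outcome = {}
    outcome["alice_sees"] = monitor.render_to_user(sign, "alice")
    outcome["bob_sees"] = monitor.render_to_user(sign, "bob")  # friend of alice: allowed
    attempts = [
        ("carol_sees", lambda: monitor.render_to_user(sign, "carol")),       # not a friend
        ("ads_leak", lambda: monitor.send_external(sign, "ads.example")),     # host not approved
        ("table_shown", lambda: monitor.render_to_user(secret_table, "alice")),  # proprietary
    ]
    for name, attempt in attempts:
        try:
            attempt()
            outcome[name] = "allowed"
        except FlowViolation:
            outcome[name] = "blocked"
    outcome["approved_send"] = monitor.send_external(sign, "horoscope.example")
    return outcome
```

The join in compute() is what makes the checks hold for derived values and not just raw profile fields: the horoscope string is blocked for a non-friend and for an unapproved host exactly as the birthday itself would be. Declassification (for example, letting the app show a result that was computed from its proprietary table) is deliberately not modeled here; in this toy model any value touched by APP_SECRET data stays unrenderable.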
We show the viability of our framework design by implementing a working prototype of our xBook system and porting some of the popular applications from existing social networks, such as Facebook, on top of the framework. We also demonstrate a practical deployment strategy of our system by porting our framework itself as an application on Facebook. Our system is available online [33]. We evaluate the security of our platform by illustrating some possible application scenarios, and how xBook ensures privacy control in such cases. We also create some synthetic attacks that attempt to exploit the platform to leak information. Our results illustrate that xBook can successfully prevent all such attacks. Our performance results further demonstrate that xBook’s privacy control mechanism incurs negligible overhead for typical social networking applications.
The rest of the paper is organized as follows. Section 2 motivates our work by analyzing some privacy issues with the current social networking platforms. We present an overview of our xBook framework in Section 3. Sections 4 and 5 discuss the implementation details of xBook’s client-side and server-side components, respectively. Our labeling model is described in Section 6. Section 7 presents the evaluation results. We discuss the limitations of our work in Section 8, followed by related work in Section 9. Finally, Section 10 concludes the paper.
2 Background
2.1 Social Networking Platforms
Social networks are the backbone of the online social life of many Internet users. These networks have expanded their development scope by allowing third-party developers to write their own applications, which in turn can be accessed and executed via the social network. An application is an entity that provides some value-added service to the user, and it requires the user’s profile data to perform its functionality. For example, a simple horoscope application generates a daily horoscope based on the user’s birth information.
Facebook is one popular network that has pioneered the concept of the social network as a platform. The applications bring value both to the platform and its users in providing new features. Applications are deployed on their own servers and Facebook only acts as a proxy for integrating the applications’ output to its own pages. The growing popularity of applications on Facebook has enticed other networks, such as Google’s Orkut, to start supporting applications. The Orkut platform model is based on the OpenSocial framework [18]. OpenSocial provides a set of APIs for its partner sites (which it refers to as “containers”) to implement. An application that is built for one container should be able to run with few modifications on other partner sites. The APIs allow third parties to have access to the social graph and personal user data. For the rest of the paper, we use the Facebook case as an example; similar concepts apply to other social networking platforms.
2.2 Privacy Issues with Current Designs
Facebook supports customized policies for user-user access control, but currently provides no control on what