1 / 25

Security and Privacy-preserving Applications minus the Pain

Security and Privacy-preserving Applications minus the Pain. Mohit Tiwari , Andrew Osheroff , Neel Rao , Prashanth Mohan, Eric Love, Elaine Shi, C. Papamanthou , Dawn Song, Krste Asanović UC Berkeley. Security for Users’ Benefit: Contexts.

kyros
Télécharger la présentation

Security and Privacy-preserving Applications minus the Pain

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Security and Privacy-preserving Applications minus the Pain MohitTiwari, Andrew Osheroff, Neel Rao, Prashanth Mohan, Eric Love, Elaine Shi, C. Papamanthou, Dawn Song, KrsteAsanović UC Berkeley

  2. Security for Users’ Benefit: Contexts • Users • ACLs are natural. But on what? (posts, tweets, photos, spreadsheets,…) • Contexts: real-world events that data clusters around • Developers • want to partition apps to provide rich functionality. But security labels? • App design pattern • System • Info flow control desired. How to use simple, legacy mechanisms? • Mandatory ACLs + Layout generators + Integrity checking

  3. App-centric Security: Problematic • Permissions are complex • SD Card, File systems,… • 51 of 100+: dangerous • Statically assigned. • App owns user’s data What a Dope!

  4. Information Flow Control: Problematic Policies on Labels Principals Data X 

  5. Problem: User maps Contexts to Policies Contexts Security Course NSF Proposal Users Apps System resources Files Microphone Wifi Camera

  6. Bubbles: Context-centric Security • Data clusters around real-world contexts. • Privacy policy as access control on contexts. • Apps run in Bubbles; cannot affect privacy. NSF Proposal Security Course

  7. Messages Events ACL for the bubble Simple Permissions (7/51 dangerous ones) Data from current bubble only

  8. A Bubble is the Minimum Unit of Sharing • Untrusted code can arbitrarily mix data inside a bubble • Hence, sharing oneitem == sharing anyitem • Have to limit cross-bubble declassification • So that user has flexibility of re-sharing, e.g. meeting notes • Bubbles have to be very light-weight contexts • when in doubt, just create a new bubble. Work/Personal very coarse

  9. Challenges in implementing Bubbles • Lots of bubbles  UI for navigating bubbles • Apps don’t own data  API for developers • System implementation  Infer dangerous permissions, and create light-weight containers

  10. … by contacts Search by tags Predict bubbles: current location, time, contacts, calendar

  11. …filter by location

  12. Bubbles App Design Pattern Marin Hike Developer Zone Public profile info Updates, Ads, … Developer User B’day Party

  13. Application Design Pattern: 3 components • App • one app instance per bubble • app component examples to follow • Viewer • developer provides Layout file. • system generates the viewer, assigns per-bubble data into layout elements • Storage • deduplication, replication, caching, …

  14. Message board

  15. Calendar

  16. Remote Medicine

  17. App Component • Most user-visible functionality • one app instance per bubble • App can write data snapshots into tiles on bubble home page • What about cross-bubble functionality?

  18. Layout by developer + putData(), flushData(), chooseBubble() New events: trusted UI to select bubbles Transfer to App component to edit

  19. Storage Component • Untrusted apps need unencrypted data from multiple bubbles • deduplication not efficient otherwise • performance: a shared memcached instance • legacy code: couchDB storage backend • Untrusted applications can leak data across bubbles • how to declassify output of such applications? • Cross-bubble functionality hidden behind storage abstraction • put – get (data): Integrity check data and declassify.

  20. Bubbles API • API based on functionality, not security labels • Benign apps see no security exceptions. Malicious behavior terminated

  21. Many Android Apps fit inside Bubbles • Application-initiated sharing • Recommendation engines, Spam filters • Differential privacy, k-anonymity, … • User-initiated sharing • Storing, sharing, and editing docs • Real-time communication (voice, video) • Pseudonymous: Not tied to real identity • Games, flashlights, wallpapers, • Browsing news, reviews, recipes, … Percent (of 700 top apps)

  22. Data-centric Security policies = User-initiated sharing (this talk) + Anonymity (Link privacy, GUPT) Many Cloud-based Applications too fit Bubbles app initiated sharing user initiated sharing pseudonymity

  23. System Design and Implementation • Mandatory Access Control (MAC) for isolation, and • Bubble control and search • Viewer Layout Inflater • Sharing service: distributed database (use like sqlite) • modified android middleware: IPC, virtualized system logs per label • System uses ACLs and API to infer detailed policy • Bubbles apps cover a lot of functionality of secure DIFC-based apps • Robust Declassification: Integrity checking (storage) and layout language (viewer) • Minus the pain: users, developers don’t work with security labels

  24. Context-centric Security • Context = data clustered around real-world events • minimum unit of sharing data. • Is working in contexts intuitive? Learnable? • Does API support all useful functionality? Bubbles Project

More Related