advanced topics in touchdevelop

what is the problem
o when you write your own code, you know exactly what happens to your information
o a script you get from the script bazaar... could leak your private information to the outside world!
  post in your name on Facebook
  send SMS, make phone calls
  send your pictures to an unknown webservice
►what else?
sources, sinks
o sources: origin of private information
  camera, location, picture, music, microphone, contacts, calendar, home
o sinks: channels where information may leak
  vetted – you can review: contacts, media, sharing, clipboard
  unvetted – you cannot review: web
approaches
o iOS
  prompt on first use
  can run app with disabled capability
  limited to notifications, location
o Android, Windows Phone 7
  prompt at install time
  somewhat fine grained
►what are the problems with these approaches?
our goal
o transparent privacy awareness
  help me understand what's going on
o flexible privacy control
  let me be in charge of my information
o reasonable default settings
  when I don't tweak anything, I am safe
►what information did you share today?
anonymized data
o for each source, you can choose between
  your real data
  anonymized data
►what is an anonymized location, picture, calendar?
basic idea
o default for scripts from bazaar
  real information for safe flows
  anonymized information otherwise
o safe flows
  untampered private information flows to a vetted sink
►when is sharing a picture on Facebook safe?
our approach
o visualization
  show capabilities and information flows
o customizable access
  choose between real / anonymized
o safe by default
  real information only for safe flows
central authority
o app store / marketplace / script bazaar
  centralized authorities that enforce policy compliance
►what are the policies?
script bazaar
o all scripts get formally analyzed
  parse, typecheck
  compute capabilities
  compute information flow
o informal quality measures
  ♥ comments
computing capabilities
o automated identification of application capabilities via static analysis
  annotated APIs with capability information
  parse each action (method) in the script into an AST
  visit each statement node to identify used capabilities
  a fixpoint is reached when no further changes occur
computing information flow
o compute information flows via static analysis
  compute summaries of blocks and actions
  simulates program execution via static symbolic execution
  a fixpoint is reached when no further changes occur
  (figure: example information flow from location to web)
summaries
o block summary
o action summary
  states of the exit block
implicit flow
o from control structures
o recorded by additional local variable PC

  l := senses -> current location;
  r := locations -> describe location(l);
  y := false;
  if r -> contains('secret') then { y := true; } // y now depends on the location through the branch
references
o deep accesses are tracked on a per-kind basis
o connect kinds

  action foo(i) : Nothing {
    ….
    msgs -> add(msg);
    msg -> set message(s); // classified
    ….
    msg2 := msgs -> at(i);
    msg2 -> share('web service');
  }
propagation
o statement-based propagation
o union of the classified information of kinds
tampered flow
o track tampered information by extending the information flow analysis
access granting
o obtain users' permissions
  anonymized information, e.g., fixed location, fixed picture
  real information, e.g., current location via GPS
o configure in script settings
more information…
Tech report MSR-TR, "Transparent Privacy Control via Static Information Flow Analysis", Xusheng Xiao, Nikolai Tillmann, Manuel Fahndrich, Peli de Halleux, and Michal Moskal
examples
o share location: safe flow, results in 'real' information by default
o share location: unsafe flow (sharing of a somehow computed value), results in 'anonymized' information by default
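As an added illustration of the analysis sketched on the computing-information-flow, implicit-flow and tampered-flow slides and of the two share-location examples above (constructed Python, not TouchDevelop's own analyzer): a toy flow analysis over a tiny script IR that labels each variable with its sources and whether the value was tampered, carries the PC label through conditionals, and derives the real/anonymized default per source. The statement forms, the sink lists and the rule that a value written under a branch counts as tampered are assumptions.

```python
# Toy version of the bazaar's static flow analysis (constructed; not TouchDevelop's own)
VETTED = {"contacts", "media", "sharing", "clipboard"}  # sinks the user can review
SINKS = VETTED | {"web"}                                 # "web" is unvetted
EMPTY = (frozenset(), False)                             # label = (sources, tampered)
def analyze(stmts, env=None, pc=frozenset(), flows=None, caps=None):
    """Label variables with (sources, tampered); collect flows and capabilities.
    stmts: ("read", dst, source) | ("const", dst) | ("copy", dst, src)
           | ("op", dst, [srcs]) | ("if", cond, body) | ("sink", sink, src)
    pc: label of the enclosing conditions, the PC variable of the slides."""
    env = {} if env is None else env
    flows = set() if flows is None else flows
    caps = set() if caps is None else caps
    def label(var):
        return env.get(var, EMPTY)
    def assign(dst, srcs, tampered):
        # implicit flow: under a branch the value depends on the condition (treated
        # as tampered, an assumption) and the branch may not run, so join with old
        srcs, tampered = srcs | pc, tampered or bool(pc)
        if pc:
            old = label(dst)
            srcs, tampered = srcs | old[0], tampered or old[1]
        env[dst] = (srcs, tampered)
    for st in stmts:
        kind = st[0]
        if kind == "read":     # dst := <private source>, e.g. senses -> current location
            caps.add(st[2]); assign(st[1], frozenset({st[2]}), False)
        elif kind == "const":  # dst := literal
            assign(st[1], frozenset(), False)
        elif kind == "copy":   # dst := src, value passed on untouched
            assign(st[1], *label(st[2]))
        elif kind == "op":     # dst := f(srcs), the value is now tampered
            assign(st[1], frozenset().union(*(label(v)[0] for v in st[2])), True)
        elif kind == "if":     # body runs under the condition's label
            analyze(st[2], env, pc | label(st[1])[0], flows, caps)
        elif kind == "sink":   # src -> share(sink)
            caps.add(st[1])
            srcs, tampered = label(st[2])
            flows.update((s, st[1], tampered) for s in srcs)
    return flows, caps
def is_safe(flow):  # basic idea slide: untampered private information to a vetted sink
    return flow[1] in VETTED and not flow[2]
def default_access(flows, caps):  # real data by default only if every flow is safe
    return {s: "real" if all(is_safe(f) for f in flows if f[0] == s) else "anonymized"
            for s in caps - SINKS}
# constructed scripts: the two share-location examples and the implicit-flow slide
SAFE = [("read", "l", "location"), ("sink", "sharing", "l")]
UNSAFE = [("read", "l", "location"), ("op", "d", ["l"]), ("sink", "sharing", "d")]
IMPLICIT = [("read", "l", "location"), ("op", "r", ["l"]), ("const", "y"),
            ("if", "r", [("const", "y")]), ("sink", "web", "y")]
```

Running `default_access(*analyze(IMPLICIT))` shows why the implicit-flow script defaults to an anonymized location: `y` never holds the location itself, but it reaches the unvetted web sink with the location's label picked up through the branch.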
exercises
► publish a script with non-empty information flow
► publish a script with unsafe information flow
► publish a script with implicit information flow
