Chameleon: Towards Usable RBAC A. Chris Long Courtney Moskowitz, Greg Ganger ECE Department Carnegie Mellon University.

Slides:

Advertisements

Similar presentations

Jason I. Hong January 31, 2006 Usable Privacy and Security Chameleon and Kazaa.

Advertisements

A Pervasive Reminder System for Smart Homes Sylvain GIROUX and Simon GUERTIN Département d’informatique, Université de Sherbrooke 2500 boul. Université,

Lesson 17: Configuring Security Policies

WHAT IS INTERACTION DESIGN?

Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.

Zero effort security for the home PC users? By Terje Risa.

CS575 - Human Issues in Computing CSULA Spring 2006 Human Impact of UI Design Paradigms (PART 1 – Overview) Robert Ritchey and Ruben Campos.

Chapter 11 Exploring Windows XP Vol. 1 Part One - Windows XP Professional: The Basics.

Human Computer Interface. HCI and Designing the User Interface The user interface is a critical part of an information system -- it is what the users.

Requirements Analysis Concepts & Principles

Inspection Methods. Inspection methods Heuristic evaluation Guidelines review Consistency inspections Standards inspections Features inspection Cognitive.

CS5540 HCI Assignment 4 Designing a Special Needs Nathan Black Taeho Kim 8 Dec 2004.

Teaching Multimedia. Multimedia is media that uses multiple forms of information content and information processing (e.g. text, audio, graphics, animation,

User studies. Why user studies? How do we know security and privacy solutions are really usable? Have to observe users! –you may be surprised by what.

An evaluation framework

© Lethbridge/Laganière 2001 Chapter 7: Focusing on Users and Their Tasks1 7.1 User Centred Design (UCD) Software development should focus on the needs.

Firefox 2 Feature Proposal: Remote User Profiles TeamOne August 3, 2007 TeamOne August 3, 2007.

COMP1007 Introduction to Requirements Analysis © Copyright De Montfort University 2002 All Rights Reserved COMP1007 Introduction to Requirements Analysis.

[Context to Make You More Aware] Presentation [Adrienne Andrew, Yaw Anokwa, Karl Koscher, Jonathan Lester, Gaetano Borriello Department of Computer Science.

Tutorial 1 Exploring the Windows 7 Operating System

Copyright 1999 all rights reserved Overview of HCI n What is Human-Computer Interaction? n Why should an Information Scientist be concerned with Human-Computer.

Design, goal of design, design process in SE context, Process of design – Quality guidelines and attributes Evolution of software design process – Procedural,

WebQuilt and Mobile Devices: A Web Usability Testing and Analysis Tool for the Mobile Internet Tara Matthews Seattle University April 5, 2001 Faculty Mentor:

CSC271 Database Systems Lecture # 20.

Module 2: Managing User and Computer Accounts

AppExchange Partner Academy- Building Your Application Listing By Jesse Dailey.

MS Access Advanced Instructor: Vicki Weidler Assistant:

Computing Fundamentals Module A Unit 2: Using Windows Vista LessonTopic 8Looking at Operating Systems 9Looking at the Windows Desktop 10Starting Application.

Planning for Divisions. Meeting Goals  Provide Baseline Overview of Divisions  Review Divisions Plan & Testing To Date.

Study of Human factors in Software Engineering CSC 532 Sree Harsha Pothireddy.

Evaluation Framework Prevention vs. Intervention CHONG POH WAN 21 JUNE 2011.

Lesson 1: Getting Started

1 WEB Engineering Introduction to Electronic Commerce COMM1Q.

ITEC224 Database Programming

An Introduction to Software Architecture

S556 SYSTEMS ANALYSIS & DESIGN Week 11. Creating a Vision (Solution) SLIS S556 2  Visioning:  Encourages you to think more systemically about your redesign.

Mr C Johnston ICT Teacher

CMPF124 Personal Productivity with Information Technology Chapter 1 – Part 4 Introduction To Windows Operating Systems Basic Windows Admin Introduction.

Human Computer Interaction

Module 2 Part IV Introduction To Windows Operating Systems Basic Windows Admin Introduction To Windows Operating Systems Basic Windows Admin.

Modal Interfaces & Speech User Interfaces Katherine Everitt CSE 490F Section Nov 20 & 21, 2006.

An Introduction to Progress Arcade ™ June 12, 2013 Rob Straight Senior Manager, OpenEdge Product Management.

Design Rules-Part B Standards and Guidelines

Chris Lehman - University of Illinois at Urbana-Champaign This project looked at whether an effective usability makeover of an enterprise.

1 ISE 412 Usability Testing Purpose of usability testing:  evaluate users’ experience with the interface  identify specific problems in the interface.

D1 - 25/10/2015 The present document contains information that remains the property of France Telecom. The recipient’s acceptance of this document implies.

INFO 355Week #71 Systems Analysis II User and system interface design INFO 355 Glenn Booker.

INFO1408 Database Design Concepts Week 15: Introduction to Database Management Systems.

Users’ Quality Ratings of Handheld devices: Supervisor: Dr. Gary Burnett Student: Hsin-Wei Chen Investigating the Most Important Sense among Vision, Hearing.

Lesson 11: Configuring and Maintaining Network Security

Controlling Computer Using Speech Recognition (CCSR) Creative Masters Group Supervisor : Dr: Mounira Taileb.

Today Next time  Interaction Reading: ID – Ch 2 Interaction  Introduction to HCI & Interaction Design Reading: ID – Ch. 1 CS 321 Human-Computer Interaction.

Unit 9: Distributing Computing & Networking Kaplan University 1.

Computing Fundamentals Module Lesson 7 — The Windows Operating System Computer Literacy BASICS.

CSE 303 – Software Design and Architecture

1 A Peripheral Display Toolkit Tara Matthews[1], Tye Rattenbury[1], Scott Carter[1], Anind K. Dey[2], Jennifer Mankoff[1] [1] EECS Department UC Berkeley.

Design and Evaluation of an Ambient Display to Support Time Management during Meetings Valentina Occhialini, Harm van Essen, Berry Eggen Intelligent Lighting.

Chapter 5:User Interface Design Concepts Of UI Interface Model Internal an External Design Evaluation Interaction Information Display Software.

Architecture & Cybersecurity – Module 3 ELO-100Identify the features of virtualization. (Figure 3) ELO-060Identify the different components of a cloud.

Safe’n’Sec IT security solutions for enterprises of any size.

1 Chapter Overview Using Group Objects Understanding Default Groups Creating Group Objects Managing Administrative Access.

Operating Systems Morrison / WellsCLB: A Comp Guide to IC 3 3E 1 Morrison / Wells.

User Interface Evaluation Introduction Lecture #15.

ZenFox CS F Project Phase III The Tab Four Lam, Billy MacKenzie, Russ R, Mohan Su, Tao A task-focused web browser.

1 Lesson 8 Operating Systems Computer Literacy BASICS: A Comprehensive Guide to IC 3, 3 rd Edition Morrison / Wells.

1 Chapter 2: Operating-System Structures Services Interface provided to users & programmers –System calls (programmer access) –User level access to system.

User-centred system design process

Introduction UI designer stands for User Interface designer. UI designing is a type of process that is used for making interfaces in the software or the.

An Introduction to Software Architecture

Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.

Presentation transcript:

Chameleon: Towards Usable RBAC A. Chris Long Courtney Moskowitz, Greg Ganger ECE Department Carnegie Mellon University

2 Problem: Malware Malware: viruses, trojan horses, worms, etc. Current approaches are inadequate Few address typical home user Malware enabler: all software has permission to do everything

3 Problem: Higher Level View The computer is too ignorant Are these secure? format c: cp confidential-info /mnt/floppy Can we get users to tell the computer more about what’s allowable? Prepare for reinstall Trojan horse Transfer btwn. work & home Theft of trade secrets

4 Project Inspiration People understand physical access Different access at home for plumbers vs. accountant What about file access control? Answer: too fine-grained, rarely used Few people can manage fine-grained security (e.g., file permissions) Can we improve de facto security with coarse-grained security?

5 Chameleon: Coarse-grained Security Partition computer into “roles”, e.g.: Vault Communication Internet Testing System Each app confined to its own role Can we make this model usable?

6 Outline Introduction Related Work Chameleon User Studies Discussion, Future Work, & Conclusions

7 Related Work HCISEC Security usability [Whitten & Tygar 1999] Design guidelines [Yee 2002] WindowBox [Balfanz & Simon 2000] HCI Desktop info organization [Barreau & Nardi 1995] WorkspaceMirror [Boardman 2002]

8 Related Work (cont’d) Security models Compartmented mode workstation [Berger, et al 1990] Role-based access control [Ferraiolo & Kuhn 1992] Sandboxing [Schmid, et al 2002]

9 Outline Introduction Related Work Chameleon User Studies Discussion, Future Work, & Conclusions

10 Chameleon Research agenda Interface design Awareness Control Usability vs. and security File organization synergy Software design

11 Usable Role Management Target audience: typical home computer user Key properties Intelligible Convenient Key tasks Switching roles Moving data & files across roles “Plan to throw the first one away. You will, anyway.” — Fred Brooks

12 Paper Prototype Security manager Personal filesComm. app. Unsafe app.

13 Outline Introduction Related Work Chameleon User Studies Discussion, Future Work, & Conclusions Security in Context Security Mechanisms Software prototype

14 User Study 1: Security In Context Goals Observe ease of use of security features in realistic task Explicit vs. implicit role switching Results Positive opinions about roles Interface implications Changed to single clipboard model Keep implicit role switching Keep plan for role customization

15 User Study 2: Security Interface Mechanisms Goals Evaluate desktop display options Evaluate methods for security operations Result summary Generally positive: 5/6 would use interface Opinion divided on desktop icon display Liked drag and drop “I wish some of [your] designs…would be common practice amongst big leading software companies.” — An enthusiastic participant

16 Software Prototype Internet app. Testing app. Comm. apps.

17 Study 3: Software Prototype Goals Continue usability evaluation Investigate appropriate feedback levels 3 levels: minimal, animated, dialog box Issues: subjective impact, prevent being tricked Results No quantitative effect of feedback on being tricked Few participants caught tricks Overall positive view of Chameleon Security concerns generally correlated with positive views of Chameleon

18 Outline Introduction Related Work Chameleon User Studies Discussion, Future Work, & Conclusions

19 Discussion Chameleon lessons Make UI role-aware (file dialog) Eliminate “active” role Role purposes must be clear Add “Neutral” or “Default” role Make indicators active (Security Manager) Need better role awareness HCISEC evaluation Laboratory setting ill-suited for evaluation of interaction with “normal” tasks

20 Future Work Chameleon development Improve UI design Implement prototype usable by real apps Deploy Chameleon for daily use Continue investigation of Security awareness & control Software architecture for security

21 Future Work (cont’d) LevelProCon Operating System Single implementationNo context information ApplicationsContext availableMultiple impls. ToolkitSome context available Single (or few) implementations Right abstractions unknown

22 Conclusions Chameleon work in progress HCISEC UI design issues Software architecture HCISEC evaluation Usable RBAC seems feasible

23 <= 0.5-baked Idea Problem: How to run software with less than all permissions? Solution: Attach trust/authority/ permission to user action (capability) Propagate capability Starts at input device To OS, to toolkit, to application

Thank You (1 spot in my car for a short person)