Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security and Privacy-preserving Applications minus the Pain Mohit Tiwari, Andrew Osheroff, Neel Rao, Prashanth Mohan, Eric Love, Elaine Shi, C. Papamanthou,

Published byBrett Michael Carson Modified over 9 years ago

Similar presentations

Presentation on theme: "Security and Privacy-preserving Applications minus the Pain Mohit Tiwari, Andrew Osheroff, Neel Rao, Prashanth Mohan, Eric Love, Elaine Shi, C. Papamanthou,"— Presentation transcript:

1 Security and Privacy-preserving Applications minus the Pain Mohit Tiwari, Andrew Osheroff, Neel Rao, Prashanth Mohan, Eric Love, Elaine Shi, C. Papamanthou, Dawn Song, Krste Asanović UC Berkeley 1

2 Security for Users’ Benefit: Contexts Users – ACLs are natural. But on what? (posts, tweets, photos, spreadsheets,…) – Contexts: real-world events that data clusters around Developers – want to partition apps to provide rich functionality. But security labels? – App design pattern System – Info flow control desired. How to use simple, legacy mechanisms? – Mandatory ACLs + Layout generators + Integrity checking 2

3 App-centric Security: Problematic Permissions are complex – SD Card, File systems,… – 51 of 100+: dangerous – Statically assigned. App owns user’s data 3 What a Dope!

4 Information Flow Control: Problematic Data X  Principals Policies on Labels 4

5 NSF Proposal Security Course Files Camera Microphone Wifi Apps Contexts System resources Users Problem: User maps Contexts to Policies 5

6 Bubbles: Context-centric Security Data clusters around real-world contexts. Privacy policy as access control on contexts. Apps run in Bubbles; cannot affect privacy. NSF Proposal Security Course 6

7 7

8 8 Messages Events Data from current bubble only ACL for the bubble Simple Permissions (7/51 dangerous ones)

9 A Bubble is the Minimum Unit of Sharing Untrusted code can arbitrarily mix data inside a bubble – Hence, sharing one item == sharing any item Have to limit cross-bubble declassification – So that user has flexibility of re-sharing, e.g. meeting notes Bubbles have to be very light-weight contexts – when in doubt, just create a new bubble. Work/Personal very coarse 9

10 Challenges in implementing Bubbles Lots of bubbles  UI for navigating bubbles Apps don’t own data  API for developers System implementation  Infer dangerous permissions, and create light-weight containers 10

11 11 Predict bubbles: current location, time, contacts, calendar Search by tags … by contacts

12 12 …filter by location

13 Bubbles App Design Pattern Developer Updates, Ads, … Developer Zone User Marin Hike B’day Party Public profile info 13

14 Application Design Pattern: 3 components App – one app instance per bubble – app component examples to follow Viewer – developer provides Layout file. – system generates the viewer, assigns per-bubble data into layout elements Storage – deduplication, replication, caching, … 14

15 Message board 15

16 Calendar 16

17 Remote Medicine 17

18 App Component Most user-visible functionality – one app instance per bubble App can write data snapshots into tiles on bubble home page What about cross-bubble functionality? 18

19 19 Layout by developer + putData(), flushData(), chooseBubble() Transfer to App component to edit New events: trusted UI to select bubbles

20 Storage Component Untrusted apps need unencrypted data from multiple bubbles – deduplication not efficient otherwise – performance: a shared memcached instance – legacy code: couchDB storage backend Untrusted applications can leak data across bubbles – how to declassify output of such applications? Cross-bubble functionality hidden behind storage abstraction – put – get (data): Integrity check data and declassify. 20

21 ComponentAPI CallsBubbles Actions Application POSIX/Android put,get_to_storage_chk register_app_interface( wsdl_file ) Linux syscall API. No compiler/runtime or hardware support required. Bubbles’ Storage checker stores a hash of put data, and uses the hash to declassify output of get. Bubbles uses wsdl_file to connect application with presentation layer. Storage put,get_frm_storage_chk Bubbles lets Storage components access plain text data from multiple capsules with different ACLs – key to storage optimizations like deduplication. Bubbles uses integrity checking to ensure data isn’t leaked across capsules – outputs can be declassified safely. Viewer Layout Template (HTML/js subset) wsdl_function_call( func, data) Bubbles uses template to generate HTML views; and ensures that data across capsules are mutually isolated. Bubbles ensures that data is sent only to data ’s bubble- specific Application instance – data can thus be declassified safely. Bubbles API API based on functionality, not security labels Benign apps see no security exceptions. Malicious behavior terminated

22 Application-initiated sharing – Recommendation engines, Spam filters – Differential privacy, k-anonymity, … User-initiated sharing – Storing, sharing, and editing docs – Real-time communication (voice, video) Pseudonymous: Not tied to real identity – Games, flashlights, wallpapers, – Browsing news, reviews, recipes, … Many Android Apps fit inside Bubbles Percent (of 700 top apps) 22

23 Data-centric Security policies = User-initiated sharing (this talk) + Anonymity (Link privacy, GUPT) Many Cloud-based Applications too fit Bubbles app initiated sharing pseudonymity user initiated sharing

24 System Design and Implementation Mandatory Access Control (MAC) for isolation, and – Bubble control and search – Viewer Layout Inflater – Sharing service: distributed database (use like sqlite) – modified android middleware: IPC, virtualized system logs per label System uses ACLs and API to infer detailed policy – Bubbles apps cover a lot of functionality of secure DIFC-based apps – Robust Declassification: Integrity checking (storage) and layout language (viewer) Minus the pain: users, developers don’t work with security labels 24

25 Context-centric Security Bubbles Project Context = data clustered around real-world events – minimum unit of sharing data. Is working in contexts intuitive? Learnable? Does API support all useful functionality? 25

Download ppt "Security and Privacy-preserving Applications minus the Pain Mohit Tiwari, Andrew Osheroff, Neel Rao, Prashanth Mohan, Eric Love, Elaine Shi, C. Papamanthou,"

Similar presentations

Google Android Introduction to Mobile Computing. Android is part of the build a better phone process Open Handset Alliance produces Android Comprises.

Google Android Introduction to Mobile Computing. Android is part of the build a better phone process Open Handset Alliance produces Android Comprises.
Business Development Suit Presented by Thomas Mathews.

Business Development Suit Presented by Thomas Mathews.
Introduction.  Professor  Adam Porter 

Introduction.  Professor  Adam Porter 
July 2010 D2.1 Upgrading strategy Javier Soto Catalog Release 3. Communities.

July 2010 D2.1 Upgrading strategy Javier Soto Catalog Release 3. Communities.
PPD: Platform for Private Data Mohit Tiwari with Krste Asanović, Dawn Song, Petros Maniatis*, Prashanth Mohan, Charalampos Papamanthou, Elaine Shi, Emil.

PPD: Platform for Private Data Mohit Tiwari with Krste Asanović, Dawn Song, Petros Maniatis*, Prashanth Mohan, Charalampos Papamanthou, Elaine Shi, Emil.
Information Retrieval in Practice

Information Retrieval in Practice
The Most Dangerous Code in the Browser Stefan Heule, Devon Rifkin, Alejandro Russo, Deian Stefan Stanford University, Chalmers University of Technology.

The Most Dangerous Code in the Browser Stefan Heule, Devon Rifkin, Alejandro Russo, Deian Stefan Stanford University, Chalmers University of Technology.
TRANSFORMATION HARDWARE SYSTEM ARCHITECTURES SVA Binary translation and emulation Formal methods Hardware support for isolation Dealing with malicious.

TRANSFORMATION HARDWARE SYSTEM ARCHITECTURES SVA Binary translation and emulation Formal methods Hardware support for isolation Dealing with malicious.
Using Internet Information Server And Microsoft ® Internet Explorer To Implement Security On The Intranet HTTP.

Using Internet Information Server And Microsoft ® Internet Explorer To Implement Security On The Intranet HTTP.
Mobile Application Development

Mobile Application Development
CS 591 - Nicholis Bufmack Secure Storage Servers Secure Storage Servers An Intrusion Recovery System.

CS Nicholis Bufmack Secure Storage Servers Secure Storage Servers An Intrusion Recovery System.
Introduction To Windows NT ® Server And Internet Information Server.

Introduction To Windows NT ® Server And Internet Information Server.
Google Account Basics: Getting Started with free Google applications.

Google Account Basics: Getting Started with free Google applications.
Operating Systems Concepts 1. A Computer Model An operating system has to deal with the fact that a computer is made up of a CPU, random access memory.

Operating Systems Concepts 1. A Computer Model An operating system has to deal with the fact that a computer is made up of a CPU, random access memory.
Taking the Headache out of. Reach your sphere of influence on a daily basis – AT NO COST? Reconnect with friends and stay in touch with family – AT NO.

Taking the Headache out of. Reach your sphere of influence on a daily basis – AT NO COST? Reconnect with friends and stay in touch with family – AT NO.
Android Security Enforcement and Refinement. Android Applications --- Example Example of location-sensitive social networking application for mobile phones.

Android Security Enforcement and Refinement. Android Applications --- Example Example of location-sensitive social networking application for mobile phones.
Case study 2 Android – Mobile OS.

Case study 2 Android – Mobile OS.
CS378 - Mobile Computing What's Next?. Fragments Added in Android 3.0, a release aimed at tablets A fragment is a portion of the UI in an Activity multiple.

CS378 - Mobile Computing What's Next?. Fragments Added in Android 3.0, a release aimed at tablets A fragment is a portion of the UI in an Activity multiple.
Chapter 3.1:Operating Systems Concepts 1. A Computer Model An operating system has to deal with the fact that a computer is made up of a CPU, random access.

Chapter 3.1:Operating Systems Concepts 1. A Computer Model An operating system has to deal with the fact that a computer is made up of a CPU, random access.
IT 210 The Internet & World Wide Web introduction.

IT 210 The Internet & World Wide Web introduction.

Similar presentations

Ads by Google