Security - PowerPoint Presentation

Uploaded by celsa-spraggs on 2015-11-01


Presentation Transcript

Slide 1

Security and Privacy-preserving Applications minus the Pain

Mohit Tiwari, Andrew Osheroff, Neel Rao, Prashanth Mohan, Eric Love, Elaine Shi, C. Papamanthou, Dawn Song, Krste Asanović (UC Berkeley)

Slide 2

Security for Users’ Benefit: Contexts

Users: ACLs are natural. But on what? (posts, tweets, photos, spreadsheets, …) Contexts: real-world events that data clusters around.
Developers: want to partition apps to provide rich functionality. But security labels? App design pattern.
System: Info flow control desired. How to use simple, legacy mechanisms? Mandatory ACLs + Layout generators + Integrity checking.

Slide 3

App-centric Security: Problematic

Permissions are complex (SD Card, File systems, …). 51 of 100+: dangerous. Statically assigned.
App owns user’s data. “What a Dope!”

Slide 4

Information Flow Control: Problematic

[Figure: Data, Principals, Policies on Labels]

Slide 5

[Figure: Users map Contexts (NSF Proposal, Security Course) onto Apps and System resources (Files, Camera, Microphone, Wifi)]

Problem: User maps Contexts to Policies

Slide 6

Bubbles: Context-centric Security

Data clusters around real-world contexts. Privacy policy as access control on contexts. Apps run in Bubbles; cannot affect privacy.

[Figure: example contexts NSF Proposal, Security Course]

Slide 7

[Figure only; no text]

Slide 8

[Figure: Messages, Events; Data from current bubble only; ACL for the bubble; Simple Permissions (7/51 dangerous ones)]

Slide 9

A Bubble is the Minimum Unit of Sharing

Untrusted code can arbitrarily mix data inside a bubble. Hence, sharing one item == sharing any item.
Have to limit cross-bubble declassification, so that user has flexibility of re-sharing, e.g. meeting notes.
Bubbles have to be very light-weight contexts: when in doubt, just create a new bubble. Work/Personal very coarse.

Slide 10

Challenges in implementing Bubbles

Lots of bubbles → UI for navigating bubbles
Apps don’t own data → API for developers
System implementation → Infer dangerous permissions, and create light-weight containers

Slide 11

Predict bubbles: current location, time, contacts, calendar. Search by tags, … by contacts.

Slide 12

… filter by location

Slide 13

Bubbles App Design Pattern

[Figure: Developer Zone (Updates, Ads, …) on the Developer side; User bubbles Marin Hike and B’day Party; Public profile info]

Slide 14

Application Design Pattern: 3 components

App: one app instance per bubble; app component examples to follow.
Viewer: developer provides Layout file; system generates the viewer, assigns per-bubble data into layout elements.
Storage: deduplication, replication, caching, …

Slide 15

Message board

Slide 16

Calendar

Slide 17

Remote Medicine

Slide 18

App Component

Most user-visible functionality; one app instance per bubble. App can write data snapshots into tiles on bubble home page. What about cross-bubble functionality?

Slide 19

Layout by developer + putData(), flushData(), chooseBubble()
Transfer to App component to edit
New events: trusted UI to select bubbles

Slide 20

Storage Component

Untrusted apps need unencrypted data from multiple bubbles: deduplication not efficient otherwise; performance: a shared memcached instance; legacy code: couchDB storage backend.
Untrusted applications can leak data across bubbles: how to declassify output of such applications?
Cross-bubble functionality hidden behind storage abstraction: put – get (data). Integrity check data and declassify.

Slide 21

Component: Application
API Calls: POSIX/Android; put, get_to_storage_chk; register_app_interface(wsdl_file)
Bubbles Actions: Linux syscall API. No compiler/runtime or hardware support required. Bubbles’ Storage checker stores a hash of put data, and uses the hash to declassify output of get. Bubbles uses wsdl_file to connect application with presentation layer.

Component: Storage
API Calls: put, get_frm_storage_chk
Bubbles Actions: Bubbles lets Storage components access plain text data from multiple capsules with different ACLs – key to storage optimizations like deduplication. Bubbles uses integrity checking to ensure data isn’t leaked across capsules – outputs can be declassified safely.

Component: Viewer
API Calls: Layout Template (HTML/js subset); wsdl_function_call(func, data)
Bubbles Actions: Bubbles uses template to generate HTML views, and ensures that data across capsules are mutually isolated. Bubbles ensures that data is sent only to data’s bubble-specific Application instance – data can thus be declassified safely.

Bubbles API

API based on functionality, not security labels. Benign apps see no security exceptions. Malicious behavior terminated.
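As an added illustration of the storage-checker idea on slides 20 and 21 (example code written for this page, not the Bubbles project’s own implementation): the trusted checker records a hash of everything each bubble puts into the untrusted storage component, and declassifies a get only when the bytes coming back hash to something that same bubble stored, so a deduplicating backend can see plaintext from every bubble without being able to leak it across bubbles. Bubble names, item keys, the LeakyStore failure mode and the choice of SHA-256 are assumptions made for the example.

```python
import hashlib

class DeclassificationError(Exception): pass

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

class DedupStore:
    # Untrusted storage (constructed): sees every bubble's plaintext, stores identical content once.
    def __init__(self):
        self.chunks = {}  # content hash -> bytes, shared across bubbles
        self.index = {}   # (bubble, key) -> content hash
    def put(self, bubble, key, data):
        self.chunks.setdefault(digest(data), data)
        self.index[(bubble, key)] = digest(data)
    def get(self, bubble, key):
        return self.chunks[self.index[(bubble, key)]]

class LeakyStore(DedupStore):
    # Buggy variant (assumed): get() ignores the bubble and returns the first item stored under that key.
    def get(self, bubble, key):
        return self.chunks[next(v for (_, k), v in self.index.items() if k == key)]

class StorageChecker:
    # Trusted wrapper: records the hash of all data a bubble put; releases get() output only if it matches.
    def __init__(self, backend):
        self.backend = backend
        self.known = {}  # bubble -> set of hashes that bubble put
    def put(self, bubble, key, data):
        self.known.setdefault(bubble, set()).add(digest(data))
        self.backend.put(bubble, key, data)
    def get(self, bubble, key):
        out = self.backend.get(bubble, key)
        if digest(out) not in self.known.get(bubble, set()):
            raise DeclassificationError(f"{bubble!r} never put this data")  # cross-bubble flow blocked
        return out

def run_scenario():  # -> (chunks held after dedup, honest read, was the leak blocked?)
    honest = StorageChecker(DedupStore())
    honest.put("work", "notes", b"shared agenda")
    honest.put("personal", "notes", b"shared agenda")  # identical bytes: dedup keeps one chunk
    leaky = StorageChecker(LeakyStore())
    leaky.put("work", "notes", b"NSF proposal draft")
    leaky.put("personal", "notes", b"buy milk")
    try:
        leaky.get("personal", "notes")  # backend hands back the work bubble's bytes
        blocked = False
    except DeclassificationError:
        blocked = True
    return len(honest.backend.chunks), honest.get("personal", "notes"), blocked
```

The check blocks cross-bubble flows, which is what the deck asks of it; it does not by itself detect a backend that returns a bubble’s own data under the wrong key.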

Slide 22

Many Android Apps fit inside Bubbles

Application-initiated sharing: Recommendation engines, Spam filters; Differential privacy, k-anonymity, …
User-initiated sharing: Storing, sharing, and editing docs; Real-time communication (voice, video)
Pseudonymous: Not tied to real identity; Games, flashlights, wallpapers; Browsing news, reviews, recipes, …

[Chart: Percent (of 700 top apps)]

Slide 23

Data-centric Security policies = User-initiated sharing (this talk) + Anonymity (Link privacy, GUPT)

Many Cloud-based Applications too fit Bubbles

[Chart: app-initiated sharing, pseudonymity, user-initiated sharing]

Slide 24

System Design and Implementation

Mandatory Access Control (MAC) for isolation, and Bubble control and search
Viewer Layout Inflater
Sharing service: distributed database (use like sqlite)
Modified android middleware: IPC, virtualized system logs per label
System uses ACLs and API to infer detailed policy
Bubbles apps cover a lot of functionality of secure DIFC-based apps
Robust Declassification: Integrity checking (storage) and layout language (viewer)
Minus the pain: users, developers don’t work with security labels

Slide 25

Context-centric Security: Bubbles Project

Context = data clustered around real-world events; minimum unit of sharing data.
Is working in contexts intuitive? Learnable?
Does API support all useful functionality?