Slide 1
Security and Privacy-preserving Applications minus the Pain
Mohit Tiwari, Andrew Osheroff, Neel Rao, Prashanth Mohan, Eric Love, Elaine Shi, C. Papamanthou, Dawn Song, Krste Asanović (UC Berkeley)
Slide 2
Security for Users' Benefit: Contexts
Users: ACLs are natural. But on what? (posts, tweets, photos, spreadsheets, …) Contexts: real-world events that data clusters around.
Developers: want to partition apps to provide rich functionality. But security labels? App design pattern.
System: Info flow control desired. How to use simple, legacy mechanisms? Mandatory ACLs + Layout generators + Integrity checking.
Slide 3
App-centric Security: Problematic
Permissions are complex (SD Card, file systems, …); 51 of 100+ are dangerous; statically assigned.
App owns user's data. (Cartoon caption: What a Dope!)
Slide 4
Information Flow Control: Problematic
[Figure: Data, Principals, Policies on Labels]
Slide 5
[Figure: Users; Apps; Contexts (NSF Proposal, Security Course); System resources (Files, Camera, Microphone, Wifi)]
Problem: User maps Contexts to Policies
Slide 6
Bubbles: Context-centric Security
Data clusters around real-world contexts. Privacy policy as access control on contexts. Apps run in Bubbles; cannot affect privacy.
[Figure: bubbles labelled NSF Proposal, Security Course]
Slide 7
[Figure only]
Slide 8
[Figure: Messages, Events; data from current bubble only; ACL for the bubble]
Simple Permissions (7/51 dangerous ones)
Slide 9
A Bubble is the Minimum Unit of Sharing
Untrusted code can arbitrarily mix data inside a bubble. Hence, sharing one item == sharing any item.
Have to limit cross-bubble declassification, so that the user keeps the flexibility of re-sharing, e.g. meeting notes.
Bubbles have to be very light-weight contexts: when in doubt, just create a new bubble. Work/Personal is very coarse.
Slide 10
Challenges in implementing Bubbles
Lots of bubbles: UI for navigating bubbles.
Apps don't own data: API for developers.
System implementation: infer dangerous permissions, and create light-weight containers.
Slide 11
Predict bubbles: current location, time, contacts, calendar.
Search by tags, … by contacts.
Slide 12
… filter by location
Slide 13
Bubbles App Design Pattern
[Figure: Developer Zone (Developer: Updates, Ads, …); User bubbles: Marin Hike, B'day Party; Public profile info]
Slide 14
Application Design Pattern: 3 components
App: one app instance per bubble (app component examples to follow).
Viewer: developer provides Layout file; system generates the viewer, assigns per-bubble data into layout elements.
Storage: deduplication, replication, caching, …
Slide 15
Message board
Slide 16
Calendar
Slide 17
Remote Medicine
Slide 18
App Component
Most user-visible functionality; one app instance per bubble.
App can write data snapshots into tiles on bubble home page.
What about cross-bubble functionality?
Slide 19
Layout by developer + putData(), flushData(), chooseBubble()
Transfer to App component to edit.
New events: trusted UI to select bubbles.
Slide 20
Storage Component
Untrusted apps need unencrypted data from multiple bubbles: deduplication is not efficient otherwise; performance: a shared memcached instance; legacy code: couchDB storage backend.
Untrusted applications can leak data across bubbles: how to declassify output of such applications?
Cross-bubble functionality hidden behind storage abstraction: put and get (data): integrity check data and declassify.
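As an added example (not the Bubbles implementation; class names, the SHA-256 hash and the sample bubbles and data are constructed for this page), a storage checker of the kind this slide and the API table on the next one describe: it records a hash of every put per bubble, lets an untrusted shared storage component deduplicate plaintext across bubbles, and declassifies a get result only when its hash matches bytes the requesting bubble itself stored, so a component that hands back another bubble's data is stopped.

```python
import hashlib

def digest(data): return hashlib.sha256(data).hexdigest()   # content hash used by the checker

class SharedStorage:
    """Untrusted storage (constructed stand-in for shared memcached/couchDB): stores each blob once."""
    def __init__(self):
        self.blobs = {}   # content hash -> bytes, one copy per distinct blob
        self.index = {}   # (bubble, key) -> content hash

    def put(self, bubble, key, data):
        self.blobs[digest(data)] = data
        self.index[(bubble, key)] = digest(data)

    def get(self, bubble, key):
        return self.blobs.get(self.index.get((bubble, key)))

class LeakyStorage(SharedStorage):   # constructed misbehaving component
    def get(self, bubble, key):      # answers every get with the newest blob, whoever wrote it
        return list(self.blobs.values())[-1]

class StorageChecker:
    """Trusted checker: records a hash per bubble on put, releases a get only for bytes that bubble put."""
    def __init__(self, storage):
        self.storage = storage
        self.seen = {}   # bubble -> set of hashes of data it put

    def put(self, bubble, key, data):
        self.seen.setdefault(bubble, set()).add(digest(data))
        self.storage.put(bubble, key, data)

    def get(self, bubble, key):
        data = self.storage.get(bubble, key)
        if data is not None and digest(data) not in self.seen.get(bubble, set()):
            raise PermissionError("foreign data returned to " + bubble)   # not declassified
        return data

def run_demo(storage_cls):
    """Two bubbles share one storage component; returns what each bubble gets back."""
    chk = StorageChecker(storage_cls())
    chk.put("Marin Hike", "notes", b"trail map")
    chk.put("B'day Party", "notes", b"trail map")    # same bytes: deduplicated
    chk.put("B'day Party", "guests", b"guest list")  # private to the party
    out = {"distinct_blobs": len(chk.storage.blobs)}
    for bubble, key in (("Marin Hike", "notes"), ("B'day Party", "guests")):
        try:
            out[bubble] = chk.get(bubble, key)
        except PermissionError:
            out[bubble] = "blocked"   # malicious behavior terminated
    return out
```

With the honest component both bubbles read their own data and the shared store holds two blobs for three puts; with the leaky one the party still reads its guest list, but the hike bubble's read is blocked because the returned bytes match nothing it ever put.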
Slide 21
Bubbles API
API based on functionality, not security labels.
Benign apps see no security exceptions. Malicious behavior terminated.

Component: Application
API calls: POSIX/Android; put, get_to_storage_chk; register_app_interface(wsdl_file)
Bubbles actions: Linux syscall API. No compiler/runtime or hardware support required. Bubbles' Storage checker stores a hash of put data, and uses the hash to declassify output of get. Bubbles uses wsdl_file to connect application with presentation layer.

Component: Storage
API calls: put, get_frm_storage_chk
Bubbles actions: Bubbles lets Storage components access plain text data from multiple capsules with different ACLs, the key to storage optimizations like deduplication. Bubbles uses integrity checking to ensure data isn't leaked across capsules, so outputs can be declassified safely.

Component: Viewer
API calls: Layout Template (HTML/js subset); wsdl_function_call(func, data)
Bubbles actions: Bubbles uses the template to generate HTML views, and ensures that data across capsules are mutually isolated. Bubbles ensures that data is sent only to data's bubble-specific Application instance; data can thus be declassified safely.
Slide 22
Many Android Apps fit inside Bubbles (percent of 700 top apps)
Application-initiated sharing: recommendation engines, spam filters (differential privacy, k-anonymity, …)
User-initiated sharing: storing, sharing, and editing docs; real-time communication (voice, video)
Pseudonymous (not tied to real identity): games, flashlights, wallpapers; browsing news, reviews, recipes, …
Slide 23
Data-centric Security policies = User-initiated sharing (this talk) + Anonymity (Link privacy, GUPT)
Many Cloud-based Applications too fit Bubbles
[Figure: app-initiated sharing, pseudonymity, user-initiated sharing]
Slide 24
System Design and Implementation
Mandatory Access Control (MAC) for isolation, and Bubble control and search.
Viewer Layout Inflater.
Sharing service: distributed database (use like sqlite).
Modified Android middleware: IPC, virtualized system logs per label.
System uses ACLs and API to infer detailed policy.
Bubbles apps cover a lot of functionality of secure DIFC-based apps.
Robust Declassification: integrity checking (storage) and layout language (viewer).
Minus the pain: users, developers don't work with security labels.
Slide 25
Context-centric Security
Bubbles Project: Context = data clustered around real-world events; minimum unit of sharing data.
Is working in contexts intuitive? Learnable?
Does the API support all useful functionality?