Security and Privacy-preserving Applications minus the Pain
Mohit Tiwari, Andrew Osheroff, Neel Rao, Prashanth Mohan, Eric Love, Elaine Shi, C. Papamanthou, Dawn Song, Krste Asanović
UC Berkeley
Security for Users’ Benefit: Contexts
• Users
  • ACLs are natural. But on what? (posts, tweets, photos, spreadsheets, …)
  • Contexts: real-world events that data clusters around
• Developers
  • want to partition apps to provide rich functionality. But security labels?
  • App design pattern
• System
  • Info flow control desired. How to use simple, legacy mechanisms?
  • Mandatory ACLs + Layout generators + Integrity checking
App-centric Security: Problematic
• Permissions are complex
  • SD Card, File systems, …
  • 51 of 100+: dangerous
  • Statically assigned.
• App owns user’s data
[Cartoon caption: “What a Dope!”]
Information Flow Control: Problematic
[Diagram labels: Policies on Labels; Principals; Data]
Problem: User maps Contexts to Policies
[Diagram: Contexts (Security Course, NSF Proposal); Users; Apps; System resources (Files, Microphone, Wifi, Camera)]
Bubbles: Context-centric Security
• Data clusters around real-world contexts.
• Privacy policy as access control on contexts.
• Apps run in Bubbles; cannot affect privacy.
[Diagram labels: NSF Proposal; Security Course; Messages; Events; ACL for the bubble; Simple Permissions (7/51 dangerous ones); Data from current bubble only]
A Bubble is the Minimum Unit of Sharing
• Untrusted code can arbitrarily mix data inside a bubble
  • Hence, sharing one item == sharing any item
• Have to limit cross-bubble declassification
  • So that user has flexibility of re-sharing, e.g. meeting notes
• Bubbles have to be very light-weight contexts
  • when in doubt, just create a new bubble. Work/Personal very coarse
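The slide above makes three claims: untrusted code mixes items freely inside a bubble, so the ACL can only be meaningful at bubble granularity; an app instance is bound to one bubble and any reach outside it is terminated rather than negotiated; and re-sharing happens by the user copying an item into a fresh, light-weight bubble. The toy reference monitor below is an added example (not the Bubbles project’s code) that makes those three rules executable. Everything beyond the slide text is an assumption: bubbles are named by strings, an ACL is a set of user names, items are key → bytes, and `AppInstance`, `readable_items`, `reshare` and `BubbleViolation` are illustrative names.

```python
"""Toy reference monitor for the Bubbles sharing model.

Added example, not code from the Bubbles project. Assumptions the slides do
not spell out: a bubble is named by a string, its ACL is a set of user names,
data items are key -> bytes, and an "app instance" is an object bound to
exactly one bubble for its whole lifetime.
"""
from dataclasses import dataclass, field


class BubbleViolation(Exception):
    """Raised when code reaches for data outside its own bubble."""


@dataclass
class Bubble:
    name: str
    owner: str
    acl: set = field(default_factory=set)      # users who may see the whole bubble
    items: dict = field(default_factory=dict)  # key -> bytes; freely mixed inside

    def __post_init__(self) -> None:
        self.acl.add(self.owner)

    def share_with(self, user: str) -> None:
        """Sharing is granted per bubble, never per item."""
        self.acl.add(user)

    def can_read(self, user: str) -> bool:
        return user in self.acl


class AppInstance:
    """One app instance per bubble; the API never exposes another bubble."""

    def __init__(self, bubble: Bubble) -> None:
        self.bubble = bubble

    def put(self, key: str, data: bytes) -> None:
        self.bubble.items[key] = data

    def get(self, key: str) -> bytes:
        return self.bubble.items[key]

    def mix(self, src: str, dst: str) -> None:
        """Untrusted app code may combine items however it likes inside the bubble."""
        self.bubble.items[dst] = self.bubble.items[dst] + b" | " + self.bubble.items[src]

    def read_from(self, other: Bubble, key: str) -> bytes:
        """Any attempt to read a different bubble is terminated, not negotiated."""
        if other is not self.bubble:
            raise BubbleViolation(f"{self.bubble.name!r} instance tried to read {other.name!r}")
        return self.bubble.items[key]


def readable_items(bubble: Bubble, user: str) -> dict:
    """A user sees either every item in the bubble or none of them."""
    return dict(bubble.items) if bubble.can_read(user) else {}


def cross_bubble_read_terminated(app: AppInstance, other: Bubble, key: str) -> bool:
    """True when the monitor stops the app from reading a foreign bubble."""
    try:
        app.read_from(other, key)
    except BubbleViolation:
        return True
    return False


def reshare(user: str, src: Bubble, key: str, new_name: str) -> Bubble:
    """User-initiated re-sharing: the trusted path copies one item into a fresh,
    light-weight bubble whose ACL the user controls separately."""
    if not src.can_read(user):
        raise BubbleViolation(f"{user!r} cannot read {src.name!r}")
    fresh = Bubble(new_name, owner=user)
    fresh.items[key] = src.items[key]
    return fresh


if __name__ == "__main__":
    course = Bubble("Security Course", owner="alice")       # constructed sample
    app = AppInstance(course)
    app.put("notes", b"grading scheme")
    app.put("roster", b"bob, carol")
    app.mix("roster", "notes")            # notes now carries roster data too
    course.share_with("dave")
    print(sorted(readable_items(course, "dave")))           # ['notes', 'roster']
    print(cross_bubble_read_terminated(app, Bubble("NSF Proposal", "alice"), "x"))
    print(reshare("alice", course, "roster", "Roster for TAs").items)
```

The point of `mix` is that once an untrusted app has run, no per-item policy is trustworthy: “share just the notes with dave” already hands over the roster. That is why `share_with` only exists on `Bubble`, and why `reshare` creates a new bubble rather than adding an exception to the old one; the new bubble is cheap, which is the slide’s “when in doubt, just create a new bubble”.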
Challenges in implementing Bubbles
• Lots of bubbles → UI for navigating bubbles
• Apps don’t own data → API for developers
• System implementation → Infer dangerous permissions, and create light-weight containers
[UI screenshots: … by contacts; Search by tags; Predict bubbles: current location, time, contacts, calendar]
Bubbles App Design Pattern
[Diagram labels: Marin Hike; Developer Zone; Public profile info; Updates, Ads, …; Developer; User; B’day Party]
Application Design Pattern: 3 components
• App
  • one app instance per bubble
  • app component examples to follow
• Viewer
  • developer provides Layout file.
  • system generates the viewer, assigns per-bubble data into layout elements
• Storage
  • deduplication, replication, caching, …
App Component
• Most user-visible functionality
  • one app instance per bubble
• App can write data snapshots into tiles on bubble home page
• What about cross-bubble functionality?
[Viewer component (diagram labels)]
• Layout by developer + putData(), flushData(), chooseBubble()
• New events: trusted UI to select bubbles
• Transfer to App component to edit
Storage Component
• Untrusted apps need unencrypted data from multiple bubbles
  • deduplication not efficient otherwise
  • performance: a shared memcached instance
  • legacy code: couchDB storage backend
• Untrusted applications can leak data across bubbles
  • how to declassify output of such applications?
• Cross-bubble functionality hidden behind storage abstraction
  • put – get (data): Integrity check data and declassify.
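The last bullet is the robust-declassification idea from the storage side: the deduplicating backend must see plaintext from every bubble, so it is untrusted, but whatever it hands back to a bubble is declassified only after an integrity check proves it is exactly what that bubble put in. The model below is an added example, not the project’s storage code, and stands in for the shared memcached / couchDB backend the slide names. Assumptions beyond the slide: the trusted layer keeps a SHA-256 digest per (bubble, key); the backend is content-addressed; and `UntrustedDedupStore`, `SwappingStore`, `TrustedStorage`, `IntegrityError` and `fetch_or_reject` are illustrative names.

```python
"""Integrity-checked declassification at the storage boundary (toy model).

Added example, not the Bubbles project's code. Assumptions not on the slides:
the trusted layer records a SHA-256 digest per (bubble, key), and the
deduplicating backend is plain untrusted Python that sees plaintext from every
bubble, standing in for the shared memcached / couchDB backend.
"""
import hashlib


class IntegrityError(Exception):
    """Backend returned bytes that this bubble never stored."""


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class UntrustedDedupStore:
    """Content-addressed store: equal blobs from different bubbles share one copy.
    Nothing here is trusted; it may return the wrong blob by bug or by design."""

    def __init__(self) -> None:
        self.blobs: dict = {}   # digest -> bytes, shared across all bubbles

    def put(self, data: bytes) -> str:
        d = digest(data)
        self.blobs.setdefault(d, data)   # second copy of equal content is free
        return d

    def get(self, d: str) -> bytes:
        return self.blobs[d]

    def blob_count(self) -> int:
        return len(self.blobs)


class SwappingStore(UntrustedDedupStore):
    """Constructed failure case: a misbehaving backend that hands back the most
    recently stored blob, whichever bubble it came from."""

    def get(self, d: str) -> bytes:
        return list(self.blobs.values())[-1]


class TrustedStorage:
    """Inside the TCB: remembers what each bubble put in and checks on the way out."""

    def __init__(self, backend: UntrustedDedupStore) -> None:
        self.backend = backend
        self.index: dict = {}   # (bubble, key) -> digest

    def put(self, bubble: str, key: str, data: bytes) -> None:
        self.index[(bubble, key)] = digest(data)
        self.backend.put(data)

    def get(self, bubble: str, key: str) -> bytes:
        expected = self.index[(bubble, key)]
        data = self.backend.get(expected)
        # Declassify only bytes that are exactly what this bubble stored;
        # whatever the backend learned from other bubbles cannot ride along.
        if digest(data) != expected:
            raise IntegrityError(f"{bubble!r}/{key!r}: backend returned foreign data")
        return data


def fetch_or_reject(storage: TrustedStorage, bubble: str, key: str):
    """Returns the declassified bytes, or None when the integrity check rejects them."""
    try:
        return storage.get(bubble, key)
    except IntegrityError:
        return None


if __name__ == "__main__":
    honest = TrustedStorage(UntrustedDedupStore())
    honest.put("Security Course", "logo", b"same png bytes")   # constructed samples
    honest.put("NSF Proposal", "logo", b"same png bytes")
    honest.put("NSF Proposal", "draft", b"budget v3")
    print(honest.backend.blob_count())                         # 2: the logo is deduplicated
    print(fetch_or_reject(honest, "Security Course", "logo"))

    swapped = TrustedStorage(SwappingStore())
    swapped.put("A", "x", b"alpha")
    swapped.put("B", "y", b"beta")
    print(fetch_or_reject(swapped, "A", "x"))                  # None: foreign bytes rejected
```

The check buys exactly what the slide claims and no more: a get can never carry another bubble’s bytes into this one, so the backend’s output is safe to declassify even though the backend itself is untrusted. It does not stop the backend from leaking what it has seen through some other channel, which is the separate problem the middle bullet (“Untrusted applications can leak data across bubbles”) names.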
Bubbles API
• API based on functionality, not security labels
• Benign apps see no security exceptions. Malicious behavior terminated
Many Android Apps fit inside Bubbles
• Application-initiated sharing
  • Recommendation engines, Spam filters
  • Differential privacy, k-anonymity, …
• User-initiated sharing
  • Storing, sharing, and editing docs
  • Real-time communication (voice, video)
• Pseudonymous: Not tied to real identity
  • Games, flashlights, wallpapers,
  • Browsing news, reviews, recipes, …
[Chart: Percent (of 700 top apps)]
Data-centric Security policies = User-initiated sharing (this talk) + Anonymity (Link privacy, GUPT)
Many Cloud-based Applications too fit Bubbles
[Chart categories: app initiated sharing; user initiated sharing; pseudonymity]
System Design and Implementation
• Mandatory Access Control (MAC) for isolation, and
  • Bubble control and search
  • Viewer Layout Inflater
  • Sharing service: distributed database (use like sqlite)
  • modified android middleware: IPC, virtualized system logs per label
• System uses ACLs and API to infer detailed policy
  • Bubbles apps cover a lot of functionality of secure DIFC-based apps
  • Robust Declassification: Integrity checking (storage) and layout language (viewer)
• Minus the pain: users, developers don’t work with security labels
Context-centric Security
• Context = data clustered around real-world events
  • minimum unit of sharing data.
• Is working in contexts intuitive? Learnable?
• Does API support all useful functionality?
Bubbles Project