Security and Privacy-preserving Applications minus the Pain
Mohit Tiwari, Andrew Osheroff, Neel Rao, Prashanth Mohan, Eric Love, Elaine Shi, C. Papamanthou, Dawn Song, Krste Asanović
UC Berkeley

Security for Users’ Benefit: Contexts
• Users – ACLs are natural. But on what? (posts, tweets, photos, spreadsheets, …)
 – Contexts: real-world events that data clusters around
• Developers – want to partition apps to provide rich functionality. But security labels?
 – App design pattern
• System – Info flow control desired. How to use simple, legacy mechanisms?
 – Mandatory ACLs + Layout generators + Integrity checking

App-centric Security: Problematic
• Permissions are complex
 – SD Card, File systems, …
 – 51 of 100+: dangerous
 – Statically assigned
• App owns user’s data

Information Flow Control: Problematic
[Diagram: Principals, Data, Policies on Labels]

Problem: User maps Contexts to Policies
[Diagram: Contexts (NSF Proposal, Security Course) – Users – Apps – System resources (Files, Camera, Microphone, Wifi)]

Bubbles: Context-centric Security
• Data clusters around real-world contexts (e.g. NSF Proposal, Security Course)
• Privacy policy as access control on contexts
• Apps run in Bubbles; cannot affect privacy


[Screenshot: bubble home screen with Messages and Events tiles; ACL for the bubble; Simple Permissions (7 of the 51 dangerous ones); Data from current bubble only]

A Bubble is the Minimum Unit of Sharing
• Untrusted code can arbitrarily mix data inside a bubble
 – Hence, sharing one item == sharing any item
• Have to limit cross-bubble declassification
 – So that the user has the flexibility of re-sharing, e.g. meeting notes
• Bubbles have to be very light-weight contexts
 – When in doubt, just create a new bubble. Work/Personal is very coarse

Challenges in implementing Bubbles
• Lots of bubbles → UI for navigating bubbles
• Apps don’t own data → API for developers
• System implementation → Infer dangerous permissions, and create light-weight containers

[Screenshots: Search by tags … by contacts]
Predict bubbles: current location, time, contacts, calendar

[Screenshot: …filter by location]

Bubbles App Design Pattern
[Diagram: User side – bubbles “Marin Hike” and “B’day Party”, plus Public profile info; Developer side – Developer Zone with Updates, Ads, …]

Application Design Pattern: 3 components
• App – one app instance per bubble
 – App component examples to follow
• Viewer – developer provides Layout file
 – System generates the viewer, assigns per-bubble data into layout elements
• Storage – deduplication, replication, caching, …
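The Viewer component above is the part of the design that lets a developer-written layout be rendered without the developer ever seeing a security label: the system, not the app, binds data into the layout, and it binds only the data of the bubble being displayed. The following is an added example written for this page, not code from the Bubbles project. It models a trusted layout inflater in Python. The `{{name}}` placeholder syntax, the `ALLOWED_TAGS` set standing in for the slides' "HTML/js subset", and the `Tiles` store standing in for per-bubble `putData()` snapshots are all assumptions of the example.

```python
"""Added example (not the Bubbles project's code): a toy layout inflater.

Assumptions: templates use {{name}} placeholders; the permitted markup subset is
a few attribute-free structural tags; per-bubble data lives in a Tiles store.
"""
import html
import re

PLACEHOLDER = re.compile(r"{{\s*(\w+)\s*}}")
# Assumed "HTML subset": structural tags only, and no attributes at all, so a
# template cannot carry href=, onclick= or style= onto the generated page.
ALLOWED_TAGS = {"div", "span", "ul", "li", "h1", "h2", "p", "b", "i"}
TAG_TOKEN = re.compile(r"<[^>]*>")
PLAIN_TAG = re.compile(r"^<\s*/?\s*([a-zA-Z0-9]+)\s*>$")


class LayoutRejected(Exception):
    """The developer template uses markup outside the allowed subset."""


def check_template(template: str) -> str:
    """Accept only attribute-free tags from ALLOWED_TAGS; reject anything else."""
    for tok in TAG_TOKEN.findall(template):
        m = PLAIN_TAG.match(tok)
        if not m or m.group(1).lower() not in ALLOWED_TAGS:
            raise LayoutRejected(f"disallowed markup {tok!r}")
    return template


class Tiles:
    """Per-bubble data snapshots written by app instances (modelled putData())."""

    def __init__(self):
        self.data = {}  # bubble id -> {key: value}

    def put_data(self, bubble: str, key: str, value) -> None:
        self.data.setdefault(bubble, {})[key] = value

    def for_bubble(self, bubble: str) -> dict:
        return dict(self.data.get(bubble, {}))


def inflate(template: str, tiles: Tiles, bubble: str) -> str:
    """Trusted inflater: validate the layout, then bind only `bubble`'s own tiles
    into it, HTML-escaping every value so data can never become markup."""
    check_template(template)
    values = tiles.for_bubble(bubble)  # the only data reachable from this view
    return PLACEHOLDER.sub(
        lambda m: html.escape(str(values.get(m.group(1), "")), quote=True),
        template,
    )


def rejects(template: str) -> bool:
    """True if the inflater would refuse this layout."""
    try:
        check_template(template)
    except LayoutRejected:
        return True
    return False


if __name__ == "__main__":
    t = Tiles()
    t.put_data("marin-hike", "title", "Marin hike")            # constructed sample data
    t.put_data("bday", "title", "<script>alert(1)</script>")   # hostile value in another bubble
    layout = "<div><h1>{{title}}</h1></div>"
    print(inflate(layout, t, "marin-hike"))
    print(inflate(layout, t, "bday"))
```

Two properties matter here: the view for one bubble is built from a value set that contains nothing from any other bubble, so there is no path for cross-bubble data to reach the screen, and the layout language is narrow enough that the developer cannot add event handlers or links that would turn the rendered view into an output channel. Anything richer than this subset (scripts, attributes, URLs) would need its own escaping rules per context.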

[Screenshots of example apps: Message board; Calendar; Remote Medicine]

App Component
• Most user-visible functionality – one app instance per bubble
• App can write data snapshots into tiles on the bubble home page
• What about cross-bubble functionality?

Layout by developer + putData(), flushData(), chooseBubble()
New events: trusted UI to select bubbles

Storage Component
• Untrusted apps need unencrypted data from multiple bubbles
 – Deduplication not efficient otherwise
 – Performance: a shared memcached instance
 – Legacy code: CouchDB storage backend
• Untrusted applications can leak data across bubbles
 – How to declassify output of such applications?
• Cross-bubble functionality hidden behind storage abstraction
 – put
 – get (data): Integrity check data and declassify

Bubbles API
• Application (POSIX/Android)
 – API calls: put, get_to_storage_chk; register_app_interface(wsdl_file)
 – Bubbles actions: Linux syscall API; no compiler/runtime or hardware support required. Bubbles’ Storage checker stores a hash of put data, and uses the hash to declassify the output of get. Bubbles uses wsdl_file to connect the application with the presentation layer. Benign apps see no security exceptions; malicious behavior is terminated.
• Storage
 – API calls: put, get_frm_storage_chk. API based on functionality, not security labels
 – Bubbles actions: Bubbles lets Storage components access plaintext data from multiple capsules with different ACLs – key to storage optimizations like deduplication. Bubbles uses integrity checking to ensure data isn’t leaked across capsules – outputs can be declassified safely.
• Viewer
 – API calls: Layout Template (HTML/js subset); wsdl_function_call(func, data)
 – Bubbles actions: Bubbles uses the template to generate HTML views, and ensures that data across capsules are mutually isolated. Bubbles ensures that data is sent only to the data’s bubble-specific Application instance – data can thus be declassified safely.
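The Storage Component and Bubbles API slides both rest on one rule: an untrusted storage component may see plaintext from every bubble, but whatever it hands back to a bubble is released only if its hash matches something that same bubble put earlier. The following is an added example written for this page, not code from the Bubbles project. It models that rule as a small Python reference monitor and runs a constructed workload against an honest backend and a leaky one. The class names, the content-addressed backend standing in for memcached/CouchDB, and the sample bubbles and bytes are all assumptions of the example.

```python
"""Added example (not the Bubbles project's code): hash-based declassification
of an untrusted, deduplicating storage component.

Assumptions: bubbles are string ids; the backend is a dict keyed by SHA-256 of the
content (so identical bytes are stored once); a get is declassified to a bubble
only if the returned bytes hash to a value that bubble previously put.
"""
import hashlib


class BubblesViolation(Exception):
    """Raised when storage hands back bytes the requesting bubble never put."""


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class UntrustedStorage:
    """Stands in for the shared memcached / CouchDB backend. It sees plaintext from
    every bubble (that is what makes deduplication possible) and is not trusted."""

    def __init__(self):
        self.blobs = {}  # content hash -> bytes; identical content is stored once
        self.names = {}  # (bubble, name) -> content hash

    def put(self, bubble, name, data):
        d = digest(data)
        self.blobs[d] = data
        self.names[(bubble, name)] = d

    def get(self, bubble, name):
        return self.blobs[self.names[(bubble, name)]]

    def unique_blobs(self):
        return len(self.blobs)


class LeakyStorage(UntrustedStorage):
    """Malicious or buggy backend: answers every get with the first blob it ever
    stored, whichever bubble asks. Models untrusted code mixing data across bubbles."""

    def get(self, bubble, name):
        return next(iter(self.blobs.values()))


class StorageChecker:
    """Trusted side (the slides' 'Storage checker'). On put it records the hash of
    the data under the calling bubble; on get it re-hashes whatever the backend
    returned and releases it only if that hash was put from the same bubble.
    Nothing the backend returns is trusted by name or by key."""

    def __init__(self, backend):
        self.backend = backend
        self.allowed = {}  # bubble id -> set of hashes that bubble has put

    def put(self, bubble, name, data):
        self.allowed.setdefault(bubble, set()).add(digest(data))
        self.backend.put(bubble, name, data)

    def get_frm_storage_chk(self, bubble, name):
        data = self.backend.get(bubble, name)
        if digest(data) not in self.allowed.get(bubble, set()):
            # Not declassified: the slides' "malicious behavior terminated".
            raise BubblesViolation(f"bytes returned to bubble {bubble!r} were never put there")
        return data


def scenario(backend_cls):
    """Run one constructed workload against a backend class and report what each
    bubble gets back ('blocked' where the checker refused to declassify)."""
    backend = backend_cls()
    chk = StorageChecker(backend)
    # Constructed sample data for two real-world contexts.
    chk.put("nsf-proposal", "budget.txt", b"year 1 budget: 120k")
    chk.put("security-course", "syllabus.txt", b"week 1: threat models")
    # The same bytes put from both bubbles: the backend may store them once, and
    # the checker lets either bubble read them back (no information crosses).
    chk.put("nsf-proposal", "logo.png", b"<png bytes>")
    chk.put("security-course", "logo.png", b"<png bytes>")

    def read(bubble, name):
        try:
            return chk.get_frm_storage_chk(bubble, name)
        except BubblesViolation:
            return "blocked"

    return {
        "unique_blobs": backend.unique_blobs(),
        "budget": read("nsf-proposal", "budget.txt"),
        "syllabus": read("security-course", "syllabus.txt"),
        "shared": read("security-course", "logo.png"),
    }


if __name__ == "__main__":
    print("honest :", scenario(UntrustedStorage))
    print("leaky  :", scenario(LeakyStorage))
```

Two things are worth noticing. Deduplication survives the check: both bubbles put the same bytes, the backend stores one copy, and both can read it back, because a bubble that already holds those bytes learns nothing by receiving them again. And the check is only about what flows back into a bubble: it says nothing about a storage process that has some other output channel (network, a shared file), which is why the System Design slide pairs this integrity check with MAC isolation of the storage component.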

Many Android Apps fit inside Bubbles
[Chart: percent of 700 top apps, Free vs Paid, by sharing category]
• Application-initiated sharing
 – Recommendation engines, Spam filters
 – Differential privacy, k-anonymity, …
• User-initiated sharing
 – Storing, sharing, and editing docs
 – Real-time communication (voice, video)
• Pseudonymous: Not tied to real identity
 – Games, flashlights, wallpapers
 – Browsing news, reviews, recipes, …

Many Cloud-based Applications too fit Bubbles
[Chart: cloud application categories (Cloud Storage, Personal Documents, Real-time applications, E-commerce, Miscellaneous, Browsing, Social applications) by sharing type: app-initiated sharing, user-initiated sharing, pseudonymity]
Data-centric Security policies = User-initiated sharing (this talk) + Anonymity (Link privacy, GUPT)

System Design and Implementation
• Mandatory Access Control (MAC) for isolation, and
 – Bubble control and search
 – Viewer Layout Inflater
 – Sharing service: distributed database (use like sqlite)
 – Modified Android middleware: IPC, virtualized system logs per label
• System uses ACLs and API to infer detailed policy
 – Bubbles apps cover a lot of the functionality of secure DIFC-based apps
 – Robust Declassification: Integrity checking (storage) and layout language (viewer)
• Minus the pain: users, developers don’t work with security labels

Context-centric Security
• Context = data clustered around real-world events
 – Bubbles Project: minimum unit of sharing data
• Is working in contexts intuitive? Learnable?
• Does the API support all useful functionality?