anonymity
play

Anonymity Mobile Autumn 2018 Tadayoshi (Yoshi) Kohno - PowerPoint PPT Presentation

Dec 15, 2023 •482 likes •864 views

CSE 484 / CSE M 584: Computer Security and Privacy Anonymity Mobile Autumn 2018 Tadayoshi (Yoshi) Kohno yoshi@cs.Washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Ada Lerner, John Manferdelli, John Mitchell, Franziska

  1. CSE 484 / CSE M 584: Computer Security and Privacy Anonymity Mobile Autumn 2018 Tadayoshi (Yoshi) Kohno yoshi@cs.Washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Ada Lerner, John Manferdelli, John Mitchell, Franziska Roesner, Vitaly Shmatikov, Bennet Yee, and many others for sample slides and materials ...

  2. Admin • HW 3 due Nov 30 • Lab 3 out this week, due Dec 7 (Quiz Section on Nov 29) 11/28/2018 CSE 484 / CSE M 584 2

  3. Admin • Final Project Proposals: Looked great! • Final Project Checkpoint: Nov 30 – preliminary outline and references • Final Project Presentation: Dec 10 – 12-15-minute video – must be on time • Explore something of interest to you, that could hopefully benefit you or your career in some way – technical topics, current events, etc 11/28/2018 CSE 484 / CSE M 584 3

  4. [Reed, Syverson, Goldschlag 1997] Review: Onion Routing R R R 4 R R 3 R R 1 R R 2 Alice R Bob • Sender chooses a random sequence of routers • Some routers are honest, some controlled by attacker • Sender controls the length of the path 11/28/2018 4

  5. Review: Route Establishment R 2 R 4 Alice R 3 Bob R 1 {M} pk(B) {B,k 4 } pk(R4) ,{ } k4 {R 4 ,k 3 } pk(R3) ,{ } k3 {R 3 ,k 2 } pk(R2) ,{ } k2 {R 2 ,k 1 } pk(R1) ,{ } k1 • Routing info for each link encrypted with router ’ s public key • Each router learns only the identity of the next router 11/28/2018 5

  6. Tor • Second-generation onion routing network – http://tor.eff.org – Developed by Roger Dingledine, Nick Mathewson and Paul Syverson – Specifically designed for low-latency anonymous Internet communications • Running since October 2003 • “Easy -to- use” client proxy – Freely available, can use it for anonymous browsing 11/28/2018 6

  7. Tor Circuit Setup (1) • Client proxy establishes a symmetric session key and circuit with Onion Router #1 11/28/2018 7

  8. Tor Circuit Setup (2) • Client proxy extends the circuit by establishing a symmetric session key with Onion Router #2 – Tunnel through Onion Router #1 11/28/2018 8

  9. Tor Circuit Setup (3) • Client proxy extends the circuit by establishing a symmetric session key with Onion Router #3 – Tunnel through Onion Routers #1 and #2 11/28/2018 9

  10. Using a Tor Circuit • Client applications connect and communicate over the established Tor circuit. 11/28/2018 10

  11. Tor Management • Many applications can share one circuit – Multiple TCP streams over one anonymous connection • Tor router doesn’t need root privileges – Encourages people to set up their own routers – More participants = better anonymity for everyone • Directory servers – Maintain lists of active onion routers, their locations, current public keys, etc. – Control how new routers join the network • “Sybil attack”: attacker creates a large number of routers – Directory servers’ keys ship with Tor code 11/28/2018 11

  12. Is Tor Perfect? • Q: What can “go wrong” with the use of Tor? 11/28/2018 15

  13. Issues and Notes of Caution • Passive traffic analysis – Infer from network traffic who is talking to whom – To hide your traffic, must carry other people’s traffic! • Active traffic analysis – Inject packets or put a timing signature on packet flow • Compromise of network nodes – Attacker may compromise some routers • And powerful adversaries may have “too many” routers (e.g., a super computer at a national lab) – It is not obvious which nodes have been compromised • Attacker may be passively logging traffic – Better not to trust any individual router • Assume that some fraction of routers is good, don’t know which 11/28/2018 16

  14. Issues and Notes of Caution • Tor isn’t completely effective by itself – Tracking cookies, fingerprinting, etc. – Exit nodes can see everything! 11/28/2018 17

  15. Issues and Notes of Caution • The simple act of using Tor could make one a target for additional surveillance • Hosting an exit node could result in illegal activity coming from your machine 11/28/2018 18

  16. Mobile Security 11/28/2018 CSE 484 / CSE M 584 19

  17. Roadmap • History, How we got here • Mobile malware • Mobile platforms vs. traditional platforms • Dive into Android 11/28/2018 20

  18. Questions: Mobile Malware Q: How might malware authors get malware onto phones? Q: What are some goals that mobile device malware authors might have? 11/28/2018 21

  19. Smartphone (In)Security Users accidentally install malicious applications. 11/28/2018 22

  20. Smartphone (In)Security Even legitimate applications exhibit questionable behavior. Hornyack et al. : 43 of 110 Android applications sent location or phone ID to third-party advertising/analytics servers. 11/28/2018 23

  21. Mobile Malware Goals • “Unique” to phones: – Premium SMS messages – Identify location – Record phone calls – Log SMS • Similar to desktop/PCs: – Connects to botmasters – Steal data – Phishing – Malvertising 11/28/2018 30

  22. Malware in the Wild Android malware grew quickly! Today: millions of samples. [Zhou et al.] 11/28/2018 31

  23. Mobile Malware Examples Over Time • DroidDream (Android) – Over 58 apps uploaded to Google app market – Conducts data theft; send credentials to attackers • Zitmo (Symbian,BlackBerry,Windows,Android) – Poses as mobile banking application – Captures info from SMS – steal banking 2 nd factors – Works with Zeus botnet • Ikee (iOS) – Worm capabilities (targeted default ssh password) – Worked only on jailbroken phones with ssh installed 11/28/2018 32

  24. Background: Before Mobile Platforms Assumptions in traditional OS (e.g., Unix) design: 1. There may be multiple users who don’t trust each other. 2. Once an application is installed, it’s (more or less) trusted. 11/28/2018 35

  25. Background: Before Mobile Platforms Assumptions in traditional OS (e.g., Unix) design: 1. There may be multiple users who don’t trust each other. 2. Once an application is installed, it’s (more or less) trusted. 11/28/2018 36

  26. Background: Before Mobile Platforms Assumptions in traditional OS (e.g., Unix) design: 1. There may be multiple users who don’t trust each other. 2. Once an application is installed, it’s (more or less) trusted. Apps can do anything the UID they’re running under can do. 11/28/2018 37

  27. What’s Different about Mobile Platforms? • Isolation: Applications are isolated – Each runs in a separate execution context – No default access to file system, devices, etc. – Different than traditional OSes where multiple applications run with the same user permissions! • App Store: Approval process for applications – Market: Vendor controlled/Open – App signing: Vendor-issued/self-signed – User approval of permissions 11/28/2018 38

  28. More Details: Android [Enck et al.] • Based on Linux • Application sandboxes – Applications run as separate UIDs, in separate processes. – Memory corruption errors only lead to arbitrary code execution in the context of the particular application, not complete system compromise! – (Can still escape sandbox – but must compromise Linux kernel to do so.)  allows rooting 11/28/2018 39

  29. Challenges with Isolated Apps So mobile platforms isolate applications for security, but… 1. Permissions: How can applications access sensitive resources? 2. Communication: How can applications communicate with each other? 11/28/2018 42

  30. Permission Granting Problem Smartphones (and other modern OSes) try to prevent such attacks by limiting applications’ access to: – System Resources (clipboard, file system). – Devices (camera, GPS, phone, … ). How should operating system grant permissions to applications? Standard approach: Ask the user. 11/28/2018 43

  31. Two Ways to Ask the User Prompts (time-of-use) Manifests (install-time) 11/28/2018 44

  32. Questions • Q: What are the pros and cons of the manifest-based permission model? • Q: What are the pros and cons of the “ask each use” permission mode? 11/28/2018 45

  33. Two Ways to Ask the User Prompts (time-of-use) Manifests (install-time) Disruptive , which leads to prompt-fatigue. 11/28/2018 46

  34. Two Ways to Ask the User Prompts (time-of-use) Manifests (install-time) Disruptive , which leads to Out of context ; not prompt-fatigue. understood by users. In practice, both are overly permissive : Once granted permissions, apps can misuse them. 11/28/2018 47

  35. [Felt et al.] Are Manifests Usable? Do users pay attention to permissions? … but 88% of users looked at reviews. 11/28/2018 48

  36. [Felt et al.] Are Manifests Usable? Do users understand the warnings? 11/28/2018 49

  37. [Felt et al.] Are Manifests Usable? Do users act on permission information? “Have you ever not installed an app because of permissions?” 11/28/2018 50

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Bitcoin and Anonymity Anonymity Basics How to de-anonymize Bitcoin Mixing

Bitcoin and Anonymity Anonymity Basics How to de-anonymize Bitcoin Mixing

Cryptocurrency Technologies Bitcoin and Anonymity Bitcoin and Anonymity Anonymity Basics How to de-anonymize Bitcoin Mixing Decentralized Mixing Zerocoin and Zerocash Tor and the Silk Road Bitcoin and Anonymity

524 views • 39 slides
Measures of Anonymity/Privacy: k-Anonymity, L-Diversity,

Measures of Anonymity/Privacy: k-Anonymity, L-Diversity,

Measures of Anonymity/Privacy: k-Anonymity, L-Diversity, t-Closeness CompSci 590.03 Instructor: Ashwin Machanavajjhala Lecture 4 : 590.03 Fall 12 1

647 views • 61 slides
but quite a lot is. Coordination among users can help with anonymity. Debajyoti Das 1 Sebastian

but quite a lot is. Coordination among users can help with anonymity. Debajyoti Das 1 Sebastian

Not all is lost for anonymity but quite a lot is. Coordination among users can help with anonymity. Debajyoti Das 1 Sebastian Meiser 2 Esfandiar Mohammadi 3 Aniket Kate 1 1 Purdue University 2 Visa Research 3 ETH Zurich 1 Sender Anonymity

551 views • 44 slides
Online Anonymity Andrew Lewman andrew@torproject.org June 8, 2010 What is anonymity? Anonymity

Online Anonymity Andrew Lewman andrew@torproject.org June 8, 2010 What is anonymity? Anonymity

Online Anonymity Andrew Lewman andrew@torproject.org June 8, 2010 What is anonymity? Anonymity isnt cryptography Cryptography protects the contents in transit You still know who is talking to whom, how often, and how much data is

764 views • 54 slides
Anonymity in Bitcoin Tumbler/Mixer Oct 9, 2019 Anonymity and Pseudonymity anonymous =

Anonymity in Bitcoin Tumbler/Mixer Oct 9, 2019 Anonymity and Pseudonymity anonymous =

Anonymity in Bitcoin Tumbler/Mixer Oct 9, 2019 Anonymity and Pseudonymity anonymous = Nameless, unidentifiable pseudonymous = Fake name, still traceable Tracing Bitcoin transactions Normal redeem script: Provide public key pk and proof

438 views • 33 slides
Anonymity Jiayi Fu What is Anonymity - Describe the situation in which someone's name is not

Anonymity Jiayi Fu What is Anonymity - Describe the situation in which someone's name is not

Anonymity Jiayi Fu What is Anonymity - Describe the situation in which someone's name is not given or known - Anonymity != Privacy != Security - Anonymity: they can see what you do, but not who you are - Privacy: they can see

379 views • 33 slides
Lecture 24 Anonymity and Privacy Stephen Checkoway University of Illinois at Chicago CS 487

Lecture 24 Anonymity and Privacy Stephen Checkoway University of Illinois at Chicago CS 487

Lecture 24 Anonymity and Privacy Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides based on Miller and Baileys ECE 422 Anonymity Anonymity: Concealing your identity In the context of the Internet, we

860 views • 61 slides
11-830 Computational Ethics for NLP Lecture 11: Privacy and Anonymity Privacy and Anonymity

11-830 Computational Ethics for NLP Lecture 11: Privacy and Anonymity Privacy and Anonymity

11-830 Computational Ethics for NLP Lecture 11: Privacy and Anonymity Privacy and Anonymity Being on-line without giving up everything about you Ensuring collected data doesnt reveal its users data Privacy in Structured Data:

766 views • 49 slides
Anonymity in Cryptocurrencies Foteini Baldimtsi Bitcoin Anonymity? Satoshi Nakamoto, 2008

Anonymity in Cryptocurrencies Foteini Baldimtsi Bitcoin Anonymity? Satoshi Nakamoto, 2008

Anonymity in Cryptocurrencies Foteini Baldimtsi Bitcoin Anonymity? Satoshi Nakamoto, 2008 Bitcoin is only pseudonymous Public Key Address 133GT5661q8RuSKrrv8q2Pb4RwS 146KL5461d8KuSPxvv8q2Nd6K2q Posted on the ... Blockchain Alice

821 views • 40 slides
Slicing the licing the Onion: Onion: Anonymity Without PKI Anonymity Without PKI Sachin Katti

Slicing the licing the Onion: Onion: Anonymity Without PKI Anonymity Without PKI Sachin Katti

Slicing the licing the Onion: Onion: Anonymity Without PKI Anonymity Without PKI Sachin Katti Dina Katabi & Katya Puchala State of the art: Onio Onion Rout n Routing over P2P ing over P2P n Routing over P2P ing over P2P Bob Onion

705 views • 43 slides
Applications for Measurement: Improving Anonymity Online Rishab Nithyanand | Rachee Singh |

Applications for Measurement: Improving Anonymity Online Rishab Nithyanand | Rachee Singh |

Applications for Measurement: Improving Anonymity Online Rishab Nithyanand | Rachee Singh | Shinyoung Cho | Phillipa Gill Stony Brook University 1 Anonymity on the Internet Tor Network 2 Anonymity on the Internet Does not know the source

261 views • 15 slides
Identity and Identity and anonymity anonymity Engineering & Public Policy Lorrie Faith

Identity and Identity and anonymity anonymity Engineering & Public Policy Lorrie Faith

CyLab Identity and Identity and anonymity anonymity Engineering & Public Policy Lorrie Faith Cranor October 29, 2013 y & c S a e v c i u r P r i t e y l b L a a s b U o 8-533 / 8-733 / 19-608 / 95-818:

467 views • 46 slides
for anonymity, but quite a lot is. Debajyoti Das 1 Sebastian Meiser 2 Esfandiar Mohammadi 3 Aniket

for anonymity, but quite a lot is. Debajyoti Das 1 Sebastian Meiser 2 Esfandiar Mohammadi 3 Aniket

Anonymity Trilemma not all is lost for anonymity, but quite a lot is. Debajyoti Das 1 Sebastian Meiser 2 Esfandiar Mohammadi 3 Aniket Kate 1 1 Purdue University 2 Visa Research 3 Universitaet zu Luebeck Anonymous Communication (AC) Networks

449 views • 21 slides
Free Software, Free Internet, Anonymity & Tor Andrew Lewman andrew@torproject.org 24 Feb

Free Software, Free Internet, Anonymity & Tor Andrew Lewman andrew@torproject.org 24 Feb

Free Software, Free Internet, Anonymity & Tor Andrew Lewman andrew@torproject.org 24 Feb 2011 What is anonymity? Anonymity isnt cryptography Cryptography protects the contents in transit You still know who is talking to whom, how

926 views • 51 slides
Anonymity with Identity Escrow Aybek Mukhamedov and Mark Ryan The University of Birmingham March

Anonymity with Identity Escrow Aybek Mukhamedov and Mark Ryan The University of Birmingham March

Anonymity with Identity Escrow Aybek Mukhamedov and Mark Ryan The University of Birmingham March 30, 2006 Outline Anonymity 1 Anonymity with identity escrow 2 Marshall and Molina-Jiminez protocol 3 Our protocol 4 Verification in

567 views • 20 slides
Crowds: Anonymity for Web Transactions Paper by: Michael K. Reiter & Aviel D. Rubin of

Crowds: Anonymity for Web Transactions Paper by: Michael K. Reiter & Aviel D. Rubin of

Crowds: Anonymity for Web Transactions Paper by: Michael K. Reiter & Aviel D. Rubin of AT&T Labs (August, 1997) Presenter: Craig Bergstrom Overview The Problem At Hand How Crowds Works Levels and Types of Anonymity &

326 views • 19 slides
Simulating Real-world Load Patterns when playback just wont cut it Wayne Roseberry, M

Simulating Real-world Load Patterns when playback just wont cut it Wayne Roseberry, M

Simulating Real-world Load Patterns when playback just wont cut it Wayne Roseberry, M icrosoft Corporation Background: M icrosoft SharePoint Web-based application server, part of M icrosoft Office Communication, issue tracking

646 views • 20 slides
EFFICIENTSEQUENTIALDECISIONMAKING ALGORITHMSFORCONTAINERINSPECTION OPERATIONS

EFFICIENTSEQUENTIALDECISIONMAKING ALGORITHMSFORCONTAINERINSPECTION OPERATIONS

EFFICIENTSEQUENTIALDECISIONMAKING ALGORITHMSFORCONTAINERINSPECTION OPERATIONS SushilMi;alandFredRoberts RutgersUniversity&DIMACS DavidMadigan ColumbiaUniversity&DIMACS

722 views • 55 slides
6d strings and exceptional instantons Seok Kim (Seoul National University) Geometric

6d strings and exceptional instantons Seok Kim (Seoul National University) Geometric

6d strings and exceptional instantons Seok Kim (Seoul National University) Geometric correspondence of gauge theories, ICTP Sep 15, 2016 Talk based on: Hee-Cheol Kim, SK, Jaemo Park,

724 views • 18 slides
An industrial study ALS pt Adj Prof Pr Emanuelsson Ericsson and LiU le Prof Ulf Nilsson

An industrial study ALS pt Adj Prof Pr Emanuelsson Ericsson and LiU le Prof Ulf Nilsson

Static Analysis methods and tools An industrial study ALS pt Adj Prof Pr Emanuelsson Ericsson and LiU le Prof Ulf Nilsson LiU pt le Outline pt le pt Why static analysis? t pt What is it? Underlying technology pt An

875 views • 40 slides
Configuration management with Ansible and Git Paul Waring (paul@xk7.net, @pwaring) January 10,

Configuration management with Ansible and Git Paul Waring (paul@xk7.net, @pwaring) January 10,

Configuration management with Ansible and Git Paul Waring (paul@xk7.net, @pwaring) January 10, 2017 Topics Configuration management Version control Firewall Apache / nginx Git Hooks Bringing it all together Configuration

493 views • 26 slides
Studies on the UV to IR Evolution of Gauge Theories and Quasiconformal Behavior Robert Shrock

Studies on the UV to IR Evolution of Gauge Theories and Quasiconformal Behavior Robert Shrock

Studies on the UV to IR Evolution of Gauge Theories and Quasiconformal Behavior Robert Shrock Yale University, on leave from Stony Brook University Strongly Coupled Gauge Theories in the LHC Perspective (SCGT) 12, Nagoya University, 2012.12.05

805 views • 53 slides
Matthew Series Lesson #030 April 13, 2014 Dean Bible Ministries www.deanbibleministries.org

Matthew Series Lesson #030 April 13, 2014 Dean Bible Ministries www.deanbibleministries.org

Matthew Series Lesson #030 April 13, 2014 Dean Bible Ministries www.deanbibleministries.org Dr. Robert L. Dean, Jr. Murder and Mental Attitude Sins Matthew 5:2126 Matt. 5:17, Do not think that I came to destroy the Law or the

579 views • 20 slides
LAO 2017 04 GOALS Highest quality legal services for indigent defendants Rotational

LAO 2017 04 GOALS Highest quality legal services for indigent defendants Rotational

9/6/2018 LAO 2017 04 GOALS Highest quality legal services for indigent defendants Rotational assignment of cases Bench/Bar selection of eligible attorneys ongoing LAO 2017 04 GOALS CLE and jury trial experience requirements

314 views • 5 slides

More recommend