aw are preventing abuse of privacy sensitive sensors via
play

AW ARE : Preventing Abuse of Privacy-Sensitive Sensors via Operation - PowerPoint PPT Presentation

Aug 19, 2022 •345 likes •860 views

AW ARE : Preventing Abuse of Privacy-Sensitive Sensors via Operation Bindings Giuseppe Petracca Ahamad-Atamli Reineh Trent Jaeger gxp18@cse.psu.edu atamli@cs.ox.ac.uk tjaeger@cse.psu.edu The Pennsylvania State University University of

  1. AW ARE : Preventing Abuse of Privacy-Sensitive Sensors via Operation Bindings Giuseppe Petracca Ahamad-Atamli Reineh Trent Jaeger gxp18@cse.psu.edu atamli@cs.ox.ac.uk tjaeger@cse.psu.edu The Pennsylvania State University University of Oxford, UK The Pennsylvania State University School of Electrical Engineering and Computer Science Dept. of Electrical Engineering and Computer Science School of Electrical Engineering and Computer Science Institute for Networking and Security Research Institute for Networking and Security Research Yuqiong Sun Jens Grossklags yuqiong_sun@symantec.com jens.grossklags@in.tum.de Symantec Research Labs, US Technical University of Munich, DE

  2. Increasing Availability of Privacy-Sensitive Sensors Controlling when applications may use privacy-sensitive sensors (i.e., cameras, microphones, and touch screens): Entertainment Banking Screen Sharing G. Petracca et al. - AW ARE : Preventing Abuse of Privacy-Sensitive Sensors via Operation Bindings

  3. Abuse of Privacy-Sensitive Sensors G. Petracca et al. - AW ARE : Preventing Abuse of Privacy-Sensitive Sensors via Operation Bindings

  4. Real World Incidents G. Petracca et al. - AW ARE : Preventing Abuse of Privacy-Sensitive Sensors via Operation Bindings

  5. Current Authorization Mechanisms Install-Time First-Use Beginning in Android 6.0 (API level 23), users grant permissions to apps while the app is running, not whey the install the app! G. Petracca et al. - AW ARE : Preventing Abuse of Privacy-Sensitive Sensors via Operation Bindings

  6. Shortcomings G. Petracca et al. - AW ARE : Preventing Abuse of Privacy-Sensitive Sensors via Operation Bindings

  7. Shortcomings G. Petracca et al. - AW ARE : Preventing Abuse of Privacy-Sensitive Sensors via Operation Bindings

  8. Shortcomings G. Petracca et al. - AW ARE : Preventing Abuse of Privacy-Sensitive Sensors via Operation Bindings

  9. Proposed Defenses Input-Driven Access Control (IDAC) Authorize an operation request that immediately follows a user input event User inputs associated with operation authorizations Binding between the user inputs and the authorized operations still unknown to the system! G. Petracca et al. - AW ARE : Preventing Abuse of Privacy-Sensitive Sensors via Operation Bindings

  10. Proposed Defenses User-Driven Access Control (UDAC) Applications must use system-defined gadgets associated with particular operations Binding between the user input and the authorized operation explicit to the system Binding still not explicit to the user! G. Petracca et al. - AW ARE : Preventing Abuse of Privacy-Sensitive Sensors via Operation Bindings

  11. Proposed Defenses User-Driven Access Control (UDAC) Applications must use system-defined gadgets Compatibility Issue associated with particular operations G. Petracca et al. - AW ARE : Preventing Abuse of Privacy-Sensitive Sensors via Operation Bindings

  12. Proposed Defenses User-Driven Access Control (UDAC) Applications must use system-defined gadgets associated with particular operations 300,000+ apps Need Redesign No Customization G. Petracca et al. - AW ARE : Preventing Abuse of Privacy-Sensitive Sensors via Operation Bindings

  13. Limitations of Prior Work Leverage the user as weak link to circumvent protection mechanisms! “User Interface Attacks” User may fail to: Identify the application requesting sensor access Recognize subtle changes in the Graphic User Interface (GUI) Understand the operation granted by a particular gadget G. Petracca et al. - AW ARE : Preventing Abuse of Privacy-Sensitive Sensors via Operation Bindings

  14. Use Interface Attacks (Bait-and-Switch) Window A x Interac(on #1 G. Petracca et al. - AW ARE : Preventing Abuse of Privacy-Sensitive Sensors via Operation Bindings

  15. Use Interface Attacks (Bait-and-Switch) Window A x Interac(on #2 G. Petracca et al. - AW ARE : Preventing Abuse of Privacy-Sensitive Sensors via Operation Bindings

  16. Use Interface Attacks (Bait-and-Switch) Window A x Interac(on #3 G. Petracca et al. - AW ARE : Preventing Abuse of Privacy-Sensitive Sensors via Operation Bindings

  17. Use Interface Attacks (Bait-and-Switch) Window A x Interac(on #4 G. Petracca et al. - AW ARE : Preventing Abuse of Privacy-Sensitive Sensors via Operation Bindings

  18. Use Interface Attacks (Bait-and-Switch) Window A x Interac(on #5 G. Petracca et al. - AW ARE : Preventing Abuse of Privacy-Sensitive Sensors via Operation Bindings

  19. Use Interface Attacks (Bait-and-Switch) Window A x The applica*on maintained the windowing display context Interac(on #4 but switched the widget to record audio “Bait-and-Switch A:ack” G. Petracca et al. - AW ARE : Preventing Abuse of Privacy-Sensitive Sensors via Operation Bindings

  20. Use Interface Attacks (Application Spoofing) Window A x A click by the user allows the Legi(mate App to record audio G. Petracca et al. - AW ARE : Preventing Abuse of Privacy-Sensitive Sensors via Operation Bindings

  21. Use Interface Attacks (Application Spoofing) Window A x “Applica(on Spoofing A:ack” A click by the user allows the Spoofing App to record audio G. Petracca et al. - AW ARE : Preventing Abuse of Privacy-Sensitive Sensors via Operation Bindings

  22. Research Objectives Operation authorizations explicit to both the system and the user Compatible with pre-existing applications Low authorization effort for the user (~ First-Use) No perceivable performance overhead AW ARE : Authorization Framework extending OS middleware to make access to privacy-sensitive sensors explicit to both the system and the user G. Petracca et al. - AW ARE : Preventing Abuse of Privacy-Sensitive Sensors via Operation Bindings

  23. Challenge: Identify legitimate entry points (Widgets) Goal : Identify the app’s widgets available to the user for requesting access to privacy-sensitive sensors G. Petracca et al. - AW ARE : Preventing Abuse of Privacy-Sensitive Sensors via Operation Bindings

  24. Challenge: Identify legitimate entry points (Widgets) Insight : Bind each user input even with the application’s widget displayed on the screen Operation Binding ( app, e , w ) app = application associated with widget e = user input event w = user interface widget G. Petracca et al. - AW ARE : Preventing Abuse of Privacy-Sensitive Sensors via Operation Bindings

  25. Challenge: Identify legitimate UI configurations for Widgets Goal : Identify the particular user interface configuration within which each widget is allowed to appear on the screen G. Petracca et al. - AW ARE : Preventing Abuse of Privacy-Sensitive Sensors via Operation Bindings

  26. Challenge: Identify legitimate UI configurations for Widgets Insight : Bind the widget with a set of structural features that uniquely identify the UI configuration Operation Binding ( app, e , w , c ) app = application associated with widget e = user input event w = user interface widget c = user interface configuration containing the widget G. Petracca et al. - AW ARE : Preventing Abuse of Privacy-Sensitive Sensors via Operation Bindings

  27. Challenge: Constrain the App Requests Goal : Make the application’s requested operation and the target sensors explicit to the system G. Petracca et al. - AW ARE : Preventing Abuse of Privacy-Sensitive Sensors via Operation Bindings

  28. Challenge: Constrain the App Requests Insight : Mediate each application’s operation request and identify the privacy-sensitive sensors targeted by such operation. Bind the application’s request to a specific input event for a particular widget. Operation Binding ( app , S , op , e , w , c ) app = application associated with widget and operation request S = set of sensors targeted by the request op = operation being requested e = user input event w = user interface widget c = user interface configuration containing the widget G. Petracca et al. - AW ARE : Preventing Abuse of Privacy-Sensitive Sensors via Operation Bindings

  29. Challenge: Make the Operation Binding explicit to the user Currently (First-Use) G. Petracca et al. - AW ARE : Preventing Abuse of Privacy-Sensitive Sensors via Operation Bindings

  30. AW ARE ’s Explicit Binding Request AWare Binding Request Allow Instagram app (Application ID) to use the front Camera to take Pictures when pressing ? Allow Deny ( app , S , op , e , w , c) are now explicit! G. Petracca et al. - AW ARE : Preventing Abuse of Privacy-Sensitive Sensors via Operation Bindings

  31. AW ARE ’s Explicit Binding Request AWare Binding Request Allow Instagram S (Set of Sensors) to use the front Camera to take Pictures when pressing ? Allow Deny ( app , S , op , e , w , c) are now explicit! G. Petracca et al. - AW ARE : Preventing Abuse of Privacy-Sensitive Sensors via Operation Bindings

  32. AW ARE ’s Explicit Binding Request AWare Binding Request Allow Instagram to use the front Camera to op take Pictures when pressing ? (Requested Operation) Allow Deny ( app , S , op , e , w , c) are now explicit! G. Petracca et al. - AW ARE : Preventing Abuse of Privacy-Sensitive Sensors via Operation Bindings

  33. AW ARE ’s Explicit Binding Request AWare Binding Request Allow Instagram to use the front Camera to take Pictures when pressing ? e Allow Deny (Input Event) ( app , S , op , e , w , c) are now explicit! G. Petracca et al. - AW ARE : Preventing Abuse of Privacy-Sensitive Sensors via Operation Bindings

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

AW ARE : Preventing Abuse of Privacy-Sensitive Sensors via Operation Bindings Giuseppe Petracca

AW ARE : Preventing Abuse of Privacy-Sensitive Sensors via Operation Bindings Giuseppe Petracca

AW ARE : Preventing Abuse of Privacy-Sensitive Sensors via Operation Bindings Giuseppe Petracca Ahmad-Atamli Reineh Trent Jaeger gxp18@cse.psu.edu atamli@cs.ox.ac.uk tjaeger@cse.psu.edu The Pennsylvania State University University of

813 views • 55 slides
MoVid 13? Landon Cox Duke University Want to share sensitive data. Devices have sensors and

MoVid 13? Landon Cox Duke University Want to share sensitive data. Devices have sensors and

What would you submit to MoVid 13? Landon Cox Duke University Want to share sensitive data. Devices have sensors and talk to the cloud . Data is often sensitive (e.g., location, images). Mobile sensing services Tremendous opportunities

567 views • 11 slides
Preserving the Privacy of Sensitive Relationships in Graph Data Motivation Valuable Data! No

Preserving the Privacy of Sensitive Relationships in Graph Data Motivation Valuable Data! No

Preserving the Privacy of Sensitive Relationships in Graph Data Motivation Valuable Data! No privacy breaches! Public Data Anonymization Data representation? Privacy breach? Value of data? Data publisher Privacy Analyst Work by: Elena

80 views • 3 slides
References The Use of Opioids for Chronic Non-Cancer Pain While Preventing Abuse and Diversion

References The Use of Opioids for Chronic Non-Cancer Pain While Preventing Abuse and Diversion

References The Use of Opioids for Chronic Non-Cancer Pain While Preventing Abuse and Diversion ASPMN National Conference, September 2016. 1. American Society of Addiction Medicine, (2012). Public policy statement on measures to counteract

552 views • 3 slides
Preventing and Remediating Criminal Abuse of Online Infrastructure Michel van Eeten 1

Preventing and Remediating Criminal Abuse of Online Infrastructure Michel van Eeten 1

Preventing and Remediating Criminal Abuse of Online Infrastructure Michel van Eeten 1 Breaking into computers might be the bicycle theft of the future Netherlands Attorney General Gerrit van der Burg 2 DDoS in Netherlands, 2015 >

535 views • 29 slides
Preventing Abuse of the Non-Profit Sector to Finance Terrorism Special meeting of the

Preventing Abuse of the Non-Profit Sector to Finance Terrorism Special meeting of the

Project on Preventing Abuse of the Non-Profit Sector to Finance Terrorism Special meeting of the Counter-Terrorism Committee United Nations, New York 2012-11-20 The Need for Technical Assistance Growth of the NPO sector FATF

402 views • 8 slides
Best Practices for Preventing FMLA Abuse: Using the FMLA to your Advantage You are placed on

Best Practices for Preventing FMLA Abuse: Using the FMLA to your Advantage You are placed on

Best Practices for Preventing FMLA Abuse: Using the FMLA to your Advantage You are placed on notice of an employees need for FMLA leave. What is the first thing you do? Dont give leave prematurely Before designating leave as FMLA,

336 views • 30 slides
Identifying and Preventing Conditions for Web Privacy Leakage Craig E. Wills Computer Science

Identifying and Preventing Conditions for Web Privacy Leakage Craig E. Wills Computer Science

Identifying and Preventing Conditions for Web Privacy Leakage Craig E. Wills Computer Science Department Worcester Polytechnic Institute Worcester, MA USA W3C Workshop on Web Tracking and User Privacy April, 2011 1 Its Not Just Tracking

474 views • 4 slides
Adults their rights, protecting them Section 42 and preventing abuse. Enquiries Delivered

Adults their rights, protecting them Section 42 and preventing abuse. Enquiries Delivered

Safeguarding is Safeguarding about making people aware of Adults their rights, protecting them Section 42 and preventing abuse. Enquiries Delivered by: Jane Hughes Safeguarding Consultant on behalf of Hampshire Safeguarding Adults

489 views • 35 slides
Preventing Substance Abuse and Supporting Student Social-Emotional Wellbeing Presented to the

Preventing Substance Abuse and Supporting Student Social-Emotional Wellbeing Presented to the

Middletown Township Public School District Preventing Substance Abuse and Supporting Student Social-Emotional Wellbeing Presented to the Municipal Alliance on Saturday, May 18, 2019 Personnel Support for Student Social/Emotional Wellbeing

118 views • 11 slides
1 Sensors Intrude on Privacy Accelerometers can leak keystrokes [1], gyroscopes can leak

1 Sensors Intrude on Privacy Accelerometers can leak keystrokes [1], gyroscopes can leak

1 Sensors Intrude on Privacy Accelerometers can leak keystrokes [1], gyroscopes can leak voice [2], etc. What is the threat from devices never intended to be sensors in the first place? Accelerometers: [1] Marquardt et al., CCS '11,

705 views • 29 slides
Our Product Range Color Sensors Luminescence Sensors Contrast Sensors Opacity

Our Product Range Color Sensors Luminescence Sensors Contrast Sensors Opacity

EMX Industries Inc . Application Driven Sensors Our Product Range Color Sensors Luminescence Sensors Contrast Sensors Opacity Sensors Brightness Sensors Special Sensors Bluetooth Switch The Facts Fastest Speed

309 views • 10 slides
Telemedicine Credentialing and Privileging Protecting Patient Privacy, Avoiding Fraud and Abuse

Telemedicine Credentialing and Privileging Protecting Patient Privacy, Avoiding Fraud and Abuse

Presenting a live 90 minute webinar with interactive Q&A Telemedicine Credentialing and Privileging Protecting Patient Privacy, Avoiding Fraud and Abuse Liability, Ensuring Quality Care WEDNES DAY, AUGUS T 21, 2013 1pm Eastern |

947 views • 61 slides
CS 5412/LECTURE 17 Ken Birman LEAVE NO TRACE BEHIND Spring, 2019

CS 5412/LECTURE 17 Ken Birman LEAVE NO TRACE BEHIND Spring, 2019

CS 5412/LECTURE 17 Ken Birman LEAVE NO TRACE BEHIND Spring, 2019 HTTP://WWW.CS.CORNELL.EDU/COURSES/CS5412/2019SP 1 THE PRIVACY PUZZLE FOR I O T We have sensors everywhere, including in very sensitive settings. They are capturing information

897 views • 65 slides
New Directions in Privacy- preserving Machine Learning Kamalika Chaudhuri University of

New Directions in Privacy- preserving Machine Learning Kamalika Chaudhuri University of

New Directions in Privacy- preserving Machine Learning Kamalika Chaudhuri University of California, San Diego Sensitive Data Medical Records Genetic Data Search Logs AOL Violates Privacy AOL Violates Privacy Netflix Violates Privacy [NS08]

957 views • 92 slides
A6: Sensitive Data Exposure A6 Sensitive Data Exposure Sensitive data stored or transmitted

A6: Sensitive Data Exposure A6 Sensitive Data Exposure Sensitive data stored or transmitted

A6: Sensitive Data Exposure A6 Sensitive Data Exposure Sensitive data stored or transmitted insecurely Failure to protect all sensitive data Usernames, passwords, password hashes, credit-card information, identity info Session

415 views • 17 slides
FINANCIAL RESULTS HY 2020 COMPANY PRESENTATION Rory J F Macleod, Managing Director & CEO

FINANCIAL RESULTS HY 2020 COMPANY PRESENTATION Rory J F Macleod, Managing Director & CEO

FINANCIAL RESULTS HY 2020 COMPANY PRESENTATION Rory J F Macleod, Managing Director & CEO February 2020 Important notice and disclaimer The following disclaimer applies to this presentation and any information provided in this presentation

715 views • 35 slides
Davisco Foods International, Inc. Stephen Raab Advisor: Matt Domski On-site Supervisor: Jeff

Davisco Foods International, Inc. Stephen Raab Advisor: Matt Domski On-site Supervisor: Jeff

Product Recovery and BOD Reduction Davisco Foods International, Inc. Stephen Raab Advisor: Matt Domski On-site Supervisor: Jeff Shodean Who I Am University of Notre Dame undergraduate Class of 2016 B.S. in Chemical Engineering

354 views • 17 slides
Topsail Beach Paddle Trails The Teal Plan Tori Carle Lindsey Cole Johanna Colburn Carmen

Topsail Beach Paddle Trails The Teal Plan Tori Carle Lindsey Cole Johanna Colburn Carmen

Topsail Beach Paddle Trails The Teal Plan Tori Carle Lindsey Cole Johanna Colburn Carmen Johnson Educational Theme The Topsail Paddle Trails are an interwoven community of plants, animals, and people where natural and historic wonders come

891 views • 10 slides
Cargo Line LLC Foreign Trade Agent Russia PRESENTATION INTERNATIONAL TRADING RUSSIAN

Cargo Line LLC Foreign Trade Agent Russia PRESENTATION INTERNATIONAL TRADING RUSSIAN

Cargo Line LLC Foreign Trade Agent Russia PRESENTATION INTERNATIONAL TRADING RUSSIAN AGRICULTURAL PRODUCTS CEREALS, LEGUMES, OIL SEEDS, ANIMAL FEED www.mercury-intergroup.ru/cargoline_llc Cargo Line LLC Foreign Trade Agent Registration

422 views • 6 slides
Brown Family Governance Journey WSWA Leadership Skills Conference Tuesday, July 15 th

Brown Family Governance Journey WSWA Leadership Skills Conference Tuesday, July 15 th

Brown Family Governance Journey WSWA Leadership Skills Conference Tuesday, July 15 th Campbell P. Brown 2 Who is Brown-Forman? Publicly traded and family controlled High quality premium spirit & wine producer with more than $3B in

930 views • 13 slides
Barriers to Fish Migration Prioritisation for Second RBMP Carla Ward River Basin Planning

Barriers to Fish Migration Prioritisation for Second RBMP Carla Ward River Basin Planning

Barriers to Fish Migration Prioritisation for Second RBMP Carla Ward River Basin Planning Co-ordinator Barrier types and numbers 173 109 97 Actives Assets Historics Current total 379 Actions since last FFAG Meeting Improved

570 views • 16 slides
Identifying and Preserving LGBTQ Historic Sites Me g a n Spring a te , Na tio na l Pa rk Se rvic

Identifying and Preserving LGBTQ Historic Sites Me g a n Spring a te , Na tio na l Pa rk Se rvic

Identifying and Preserving LGBTQ Historic Sites Me g a n Spring a te , Na tio na l Pa rk Se rvic e Susa n F e re ntino s, Pre se rva tio n Co nsulta nt Old L ine Sta te Summit July 12, 2017 LGBTQ America: A Theme Study of Lesbian, Gay,

518 views • 8 slides
October 10 to 15, 2019 Founded in 1852. Named in 1882 by two Scottish merchants.

October 10 to 15, 2019 Founded in 1852. Named in 1882 by two Scottish merchants.

October 10 to 15, 2019 Founded in 1852. Named in 1882 by two Scottish merchants. Dunedin Gaelic interpretation of Edinburgh. St. Andrews Memorial Chapel Built in 1888. City hosts an annual Highland Games and Festival.

564 views • 11 slides

More recommend