hails protecting data privacy in untrusted web
play

Hails: Protecting Data Privacy in Untrusted Web Applications Daniel - PowerPoint PPT Presentation

Aug 26, 2022 •165 likes •714 views

Hails: Protecting Data Privacy in Untrusted Web Applications Daniel B. Giffin, Amit Levy, Deian Stefan, David Terei, John Mitchell, David Mazires, and Alejandro Russo Web platforms are great ! They allow third-party developers to build apps

  1. Hails: Protecting Data Privacy in Untrusted Web Applications Daniel B. Giffin, Amit Levy, Deian Stefan, David Terei, John Mitchell, David Mazières, and Alejandro Russo

  2. Web platforms are great ! They allow third-party developers to build apps that use our personal data.

  3. Web platforms are scary ! They allow third-party developers to build apps that use our personal data.

  4. Trust concerns Don’t know the developers • ➤ Cannot determine trustworthiness of apps They may be malicious or security-unaware • Building secure web apps is hard • ➤ Even well-meaning authors cannot be trusted

  5. Typical App Design Jen’s Browser Use popular MVC paradigm Model: interface to data Controller View: renders pages Controller: handles and responds to HTTP requests View Model

  6. Typical App Design Jen’s How is security policy Browser specified and enforced? ➤ E.g., only Jen’s friends may Controller see her email address View Model

  7. Typical App Design Jen’s How is security policy Browser specified and enforced? ➤ E.g., only Jen’s friends may Controller see her email address Intertwined throughout code ➠ Error prone and not scalable View Model

  8. Platform solutions Can decide to give an app access to data, but can’t control how the app uses your data.

  9. Is there any hope for privacy on platforms?

  10. Change the hosting model Current model • ➤ App developers host their own apps ➤ Platform enforces security: terms of service New model • ➤ Platform provider hosts apps ➤ Platform enforces security: information flow control

  11. Hails: A web platform framework Security policy is explicit and first-class • ➤ Specified as single concise module Users still trust core platform components • Apps are untrusted • ➤ Language-level information flow control guarantees apps always obey policy

  12. What makes Hails different? Aeolus, HiStar, Nexus, Jif, Ur/Web, ... No guide for structuring applications • Policies are hard to write • Not appropriate for dynamic systems, e.g., web • Modify entire application stack •

  13. Goals Deployable today! • Usable by web developers • Suitable for building extensible web platforms • ➤ Enforcing policy across untrusted apps

  14. Adding Policy to MVC New paradigm: Model- Policy -View-Controller • Policy specified alongside data model • No policy code in View or Controller •

  15. Two categories of code Models-Polices (MPs) Views-Controllers (VCs) + + Implement UI and Specify data model other functionality and policy on data ➤ Users need not ➤ Users trust MPs they use to handle data trust VCs Policy enforced globally

  16. Information flow control Policy specifies where data can flow • ➤ Wrong: app can’t read Jen’s email address because it may leak it to Eve ➤ Right: app can read Jen’s email, but only reveal it to Jen, Alice or Bob Policy follows data through system • Runtime enforces policy end-to-end • ➤ E.g., when making HTTP request

  17. Case study: GitStar

  18. Case study: GitStar GitStar provides • ➤ MPs that specify projects and users ➤ VC for managing projects and users Third-party authors provide • ➤ Code viewer ➤ Wiki Untrusted VCs: ... ➤ Follower app PM CodeViewer Wiki ➤ etc. GitStar MPs +

  19. Model-Policy View-Controller + +

  20. Model-Policy (MP) Data model: document-oriented ➤ Collection: set of documents ➤ Document : set of field-value pairs users collection: Name Value Name Value Field Value user jen user jen user Jen email jen@ email jen@ email jen@aol.com friends [alice, bob, … ] friends [alice, bob, … ] friends [Alice, Bob]

  21. Model-Policy (MP) Data model: document-oriented ➤ Collection: set of documents ➤ Document : set of field-value pairs users collection: Name Value Name Value Field Value user jen user jen user Jen email jen@ email jen@ email jen@aol.com friends [alice, bob, … ] friends [alice, bob, … ] friends [Alice, Bob]

  22. Model-Policy (MP) Policy specifies restrictions on: • ➤ Collections , documents, fields ➤ E.g., only Jen may modify her profile ➤ E.g., only Jen and her friends may read her email address Policy composes • ➤ E.g., to read document you must be able to read the collection

  23. Example: Enforcing policy MP: • Field Value user Jen Policy: Only Jen, Alice email jen@aol.com and Bob can read friends [Alice, Bob] GitStar User MP + Eve’s untrusted address book VC: • AddrBook

  24. Example: Enforcing policy Eve’s spam Bob’s server Eve’s Browser server AddrBook GitStar User MP +

  25. Example: Enforcing policy Eve’s spam Bob’s server Eve’s Browser server AddrBook GitStar User MP +

  26. Example: Enforcing policy Eve’s spam Bob’s server Eve’s Browser server AddrBook Allow? GitStar User MP +

  27. Example: Enforcing policy Eve’s spam Bob’s server Eve’s Browser server AddrBook GitStar User MP +

  28. Example: Enforcing policy Eve’s spam Bob’s server Eve’s Browser server AddrBook findEmail users “user” “Jen” Allow? GitStar User MP +

  29. Example: Enforcing policy Eve’s spam Bob’s server Eve’s Browser server AddrBook findEmail users “user” “Jen” GitStar User MP +

  30. Example: Enforcing policy Eve’s spam Bob’s server Eve’s Browser server AddrBook Policy: Only Jen, Alice findEmail users “user” “Jen” and Bob can read Field Value user Jen GitStar User MP + email jen@aol.com friends [Alice, Bob]

  31. Example: Enforcing policy Eve’s spam Bob’s server Eve’s Browser server AddrBook Policy: Only Jen, Alice findEmail users “user” “Jen” and Bob can read jen@aol.com Field Value user Jen GitStar User MP + email jen@aol.com friends [Alice, Bob]

  32. Example: Enforcing policy Eve’s spam Bob’s server Eve’s Browser server Allow? jen@aol.com AddrBook Policy: Only Jen, Alice findEmail users “user” “Jen” and Bob can read jen@aol.com Field Value user Jen GitStar User MP + email jen@aol.com friends [Alice, Bob]

  33. Example: Enforcing policy Eve’s spam Bob’s server Eve’s Browser server AddrBook Policy: Only Jen, Alice findEmail users “user” “Jen” and Bob can read jen@aol.com Field Value user Jen GitStar User MP + email jen@aol.com friends [Alice, Bob]

  34. Example: Enforcing policy Eve’s spam Bob’s server Eve’s Browser server Allow? jen@aol.com AddrBook Policy: Only Jen, Alice findEmail users “user” “Jen” and Bob can read jen@aol.com Field Value user Jen GitStar User MP + email jen@aol.com friends [Alice, Bob]

  35. Example: Enforcing policy Eve’s spam Bob’s server Eve’s Browser server ✗ Allow? jen@aol.com AddrBook Policy: Only Jen, Alice findEmail users “user” “Jen” and Bob can read jen@aol.com Field Value user Jen GitStar User MP + email jen@aol.com friends [Alice, Bob]

  36. Policy specified in terms of data Web app data models already encode policy ➤ Ownership ➤ Relationships between users ➤ … Policy: Only user can modify Field Value user Jen Policy: Only user and email jen@aol.com friends can read friends [Alice, Bob]

  37. Example: Policy specification collection “users” $ do access $ do readers ==> anybody writers ==> anybody field “user” key document $ λ doc -> do readers ==> anybody writers ==> (“user” `from` doc) field “email” $ labeled $ λ doc -> do readers ==> (“user” `from` doc) ⋁ fromList (“friends” `from` doc) writers ==> anybody

  38. Example: Policy specification collection “users” $ do access $ do Collection is public readers ==> anybody writers ==> anybody field “user” key document $ λ doc -> do readers ==> anybody writers ==> (“user” `from` doc) field “email” $ labeled $ λ doc -> do readers ==> (“user” `from` doc) ⋁ fromList (“friends” `from` doc) writers ==> anybody

  39. Example: Policy specification collection “users” $ do access $ do readers ==> anybody writers ==> anybody field “user” key document $ λ doc -> do readers ==> anybody writers ==> (“user” `from` doc) field “email” $ labeled $ λ doc -> do readers ==> (“user” `from` doc) ⋁ fromList (“friends” `from` doc) writers ==> anybody

  40. Example: Policy specification collection “users” $ do access $ do readers ==> anybody writers ==> anybody Index documents by field “user” key user names document $ λ doc -> do readers ==> anybody writers ==> (“user” `from` doc) field “email” $ labeled $ λ doc -> do readers ==> (“user” `from` doc) ⋁ fromList (“friends” `from` doc) writers ==> anybody

  41. Example: Policy specification collection “users” $ do access $ do readers ==> anybody writers ==> anybody field “user” key document $ λ doc -> do readers ==> anybody writers ==> (“user” `from` doc) field “email” $ labeled $ λ doc -> do readers ==> (“user” `from` doc) ⋁ fromList (“friends” `from` doc) writers ==> anybody

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Protecting Data in Untrusted Locations An exercise in Real World threat modeling. Jan

Protecting Data in Untrusted Locations An exercise in Real World threat modeling. Jan

Protecting Data in Untrusted Locations An exercise in Real World threat modeling. Jan Schaumann 99CE 1DC7 770A C5A8 09A6 @jschauma 0DCD 66CE 4FE9 6F6B D3D7 Me. Errday. Obligatory James Mickens This World of Ours reference.

714 views • 40 slides
Privacy & Security Matters: Privacy & Security Matters: Protecting Personal Data

Privacy & Security Matters: Privacy & Security Matters: Protecting Personal Data

Privacy & Security Matters: Privacy & Security Matters: Protecting Personal Data Protecting Personal Data Privacy & Security Project HIPAA: What it is Health Insurance Portability and Accountability Act of 1996 Also known as

445 views • 26 slides
#MicroFocusCyberSummit Cloud-based Data Privacy and Protection Protecting data and privacy

#MicroFocusCyberSummit Cloud-based Data Privacy and Protection Protecting data and privacy

#MicroFocusCyberSummit Cloud-based Data Privacy and Protection Protecting data and privacy across hybrid IT Farshad Ghazi - Moderator Mat Spitz Lacy Gruen #MicroFocusCyberSummit Reiner Kappenberger Cloud-based Data Privacy and Protection:

453 views • 10 slides
EU Art.29 Data Protection Users care about privacy Working Party From: Special Eurobarometer

EU Art.29 Data Protection Users care about privacy Working Party From: Special Eurobarometer

28/05/15 Outline Data privacy and the evolving regulation Privacy threats from LBS to geoSN EveryWare Lab Main (location) privacy protection techniques Data Management for Mobile Protecting geo-tagged resource publication

411 views • 7 slides
The Price of Privacy In Untrusted Recommendation Engines Siddhartha Banerjee, Nidhi Hegde &

The Price of Privacy In Untrusted Recommendation Engines Siddhartha Banerjee, Nidhi Hegde &

The Price of Privacy In Untrusted Recommendation Engines Siddhartha Banerjee, Nidhi Hegde & Laurent Massouli UT Austin Technicolor Privacy efficiency trade-offs q Google & FaceBook track online browsing behaviour q Apple

610 views • 27 slides
protecting privacy ( By L.Sweeney ) Presented by : Navreet Kaur ROADMAP Data sharing and data

protecting privacy ( By L.Sweeney ) Presented by : Navreet Kaur ROADMAP Data sharing and data

k-ANONYMITY: A model for protecting privacy ( By L.Sweeney ) Presented by : Navreet Kaur ROADMAP Data sharing and data privacy Related background work k-anonymity model Possible attacks against k-Anonymity Weaknesses of

575 views • 28 slides
Data confidentiality Protecting privacy in medical research Henk Jan van der Wijk Leiden

Data confidentiality Protecting privacy in medical research Henk Jan van der Wijk Leiden

Data confidentiality Protecting privacy in medical research Henk Jan van der Wijk Leiden University Medical Center (LUMC) Tuesday 1st April 2014 from 11.30 12.00 #EBMT2014 www.ebmt.org Data confidentiality requested topics Explanation

512 views • 20 slides
SafeVanish: An Improved Data Self-Destruction for Protecting Data Privacy Lingfang Zeng, Zhan

SafeVanish: An Improved Data Self-Destruction for Protecting Data Privacy Lingfang Zeng, Zhan

CloudCom, Dec 3, 2010 SafeVanish: An Improved Data Self-Destruction for Protecting Data Privacy Lingfang Zeng, Zhan Shi, Shengjie Xu, Dan Feng School of Computer Science and Technology, Huazhong University of Science and Technology

269 views • 13 slides
Protecting the Privacy of Healthcare Data While Preserving the Utility of Geographic Location

Protecting the Privacy of Healthcare Data While Preserving the Utility of Geographic Location

Protecting the Privacy of Healthcare Data While Preserving the Utility of Geographic Location Information for Epidemiologic Research Daniel C. Barth-Jones, M.P.H., Ph.D. Center for Healthcare Effectiveness Research Wayne State University (

652 views • 61 slides
Balancing Privacy and Safety: Protecting Driver Identity in Naturalistic Driving Video Data

Balancing Privacy and Safety: Protecting Driver Identity in Naturalistic Driving Video Data

Balancing Privacy and Safety: Protecting Driver Identity in Naturalistic Driving Video Data Sujitha Martin, Ashish Tawari and Mohan M. Trivedi Laboratory of Intelligent and Safe Automobiles September 19 th , 2014 1 2 Question: Can you tell

705 views • 21 slides
Voice-Indistinguishability Protecting Voiceprint in Privacy-Preserving Speech Data Release

Voice-Indistinguishability Protecting Voiceprint in Privacy-Preserving Speech Data Release

Voice-Indistinguishability Protecting Voiceprint in Privacy-Preserving Speech Data Release Yaowei Han, Sheng Li, Yang Cao, Qiang Ma, Masatoshi Yoshikawa Department of Social Informatics, Kyoto University, Kyoto, Japan 1 National Institute of

611 views • 27 slides
Privacy, Economics, and Immediate Gratification: Why Protecting Privacy is Easy, But Selling It

Privacy, Economics, and Immediate Gratification: Why Protecting Privacy is Easy, But Selling It

Privacy, Economics, and Immediate Gratification: Why Protecting Privacy is Easy, But Selling It is Not Alessandro Acquisti Heinz School, Carnegie Mellon University PGuardian Technologies, Inc. acquisti@andrew.cmu.edu Why do we have great

1.13k views • 73 slides
Protecting Privacy in Connected Learning Linnette Attai Project Director, CoSN Protecting

Protecting Privacy in Connected Learning Linnette Attai Project Director, CoSN Protecting

Protecting Privacy in Connected Learning Linnette Attai Project Director, CoSN Protecting Privacy in Connected Learning and Trusted Learning Environment Programs Transforming Education Through Visionary Technology Leadership About CoSN:

640 views • 49 slides
Social Networking with Frientegrity: Privacy and Integrity with an Untrusted Provider Ariel

Social Networking with Frientegrity: Privacy and Integrity with an Untrusted Provider Ariel

Social Networking with Frientegrity: Privacy and Integrity with an Untrusted Provider Ariel J. Feldman Princeton UPenn Joint work with: Aaron Blankstein, Michael J. Freedman, and Edward W. Felten Social Networking with

661 views • 27 slides
ShareRoot Annual General Meeting 30 October 2018 1 Protecting Consumer Data and Privacy

ShareRoot Annual General Meeting 30 October 2018 1 Protecting Consumer Data and Privacy

ShareRoot Annual General Meeting 30 October 2018 1 Protecting Consumer Data and Privacy Company Revenue Streams Three revenue generating streams Strategic Growth GDPR (and international Marketing agency with a focus The first of its

318 views • 15 slides
Protecting Personally Identifiable Information (PII) Privacy Act Training for Housing Counselors

Protecting Personally Identifiable Information (PII) Privacy Act Training for Housing Counselors

Protecting Personally Identifiable Information (PII) Privacy Act Training for Housing Counselors Presented by the Office of Housing Counseling and The Office of the Chief Information Officer Privacy Program August 12, 2014 1 Protecting

590 views • 43 slides
1 Basics of Exceptions Cortex-M4 Core Peripherals System Control Block (SCB) SCB

1 Basics of Exceptions Cortex-M4 Core Peripherals System Control Block (SCB) SCB

1 Basics of Exceptions Cortex-M4 Core Peripherals System Control Block (SCB) SCB Registers SysTick Timer Registers Configuration Code Example Nested Vectored Interrupt Controller (NVIC) Exception/Interrupt

988 views • 72 slides
Stanford CS193p Developing Applications for iOS Winter 2017 CS193p Winter 2017 Today MVC

Stanford CS193p Developing Applications for iOS Winter 2017 CS193p Winter 2017 Today MVC

Stanford CS193p Developing Applications for iOS Winter 2017 CS193p Winter 2017 Today MVC Object-Oriented Design Pattern Continuation of Calculator Demo Computed Properties, MVC, Laying out the UI to work with different devices CS193p Winter

817 views • 33 slides
Forward and Inverse Models in the Cerebellum Computational Models of Neural Systems Lecture 2.3

Forward and Inverse Models in the Cerebellum Computational Models of Neural Systems Lecture 2.3

Forward and Inverse Models in the Cerebellum Computational Models of Neural Systems Lecture 2.3 David S. Touretzky September, 2015 Basics of Control Theory Desired Control Controller Plant state signals Current state The plant

716 views • 26 slides
Forward and Inverse Models in the Cerebellum Computational Models of Neural Systems Lecture 2.3

Forward and Inverse Models in the Cerebellum Computational Models of Neural Systems Lecture 2.3

Forward and Inverse Models in the Cerebellum Computational Models of Neural Systems Lecture 2.3 David S. Touretzky September, 2017 Dynamical Control The Marr-Albus models are static models that map a single input pattern to a

508 views • 28 slides
Chapter 7 Input/Output Contents External devices I/O modules I/O techniques

Chapter 7 Input/Output Contents External devices I/O modules I/O techniques

Chapter 7 Input/Output Contents External devices I/O modules I/O techniques Programmed I/O Interrupt-driven I/O Interrupt processing Intel 82C59A controller Direct memory access I/O channels and processors

939 views • 57 slides
Main Memory and DRAM Instructor: Nima Honarmand Spring 2015 :: CSE 502 Computer Architecture

Main Memory and DRAM Instructor: Nima Honarmand Spring 2015 :: CSE 502 Computer Architecture

Spring 2015 :: CSE 502 Computer Architecture Main Memory and DRAM Instructor: Nima Honarmand Spring 2015 :: CSE 502 Computer Architecture SRAM vs. DRAM SRAM = Static RAM As long as power is present, data is retained DRAM =

484 views • 37 slides
Devices and Device Controllers network interface graphics adapter secondary storage

Devices and Device Controllers network interface graphics adapter secondary storage

I/O 1 Devices and Device Controllers network interface graphics adapter secondary storage (disks, tape) and storage controllers serial (e.g., mouse, keyboard) sound co-processors . . . CS350 Operating Systems Winter

533 views • 28 slides
Congestion and the Role of Routers Jeff Chase Duke University Overview Problem is

Congestion and the Role of Routers Jeff Chase Duke University Overview Problem is

Congestion and the Role of Routers Jeff Chase Duke University Overview Problem is Bullies, Mobs, and Crooks [Floyd] AQM / RED / REM ECN Robust Congestion Signaling XCP Pushback Stoica Following slides

725 views • 50 slides

More recommend