Security, Privacy, & User Expectations - PowerPoint PPT Presentation


Security, Privacy, & User Expectations: Case Studies in Web Tracking and Application Permissions. Franziska Roesner, Assistant Professor, Computer Science & Engineering, University of Washington.


SLIDE 1

Security, Privacy, & User Expectations: Case Studies in Web Tracking and Application Permissions

Franziska Roesner
Assistant Professor, Computer Science & Engineering, University of Washington
SLIDE 2

Same title slide, with: + many collaborators!

SLIDE 3

New technologies bring new benefits…

10/20/2016 Franziska Roesner 3

… but also new risks.

SLIDE 4

Improving Security & Privacy

Security and privacy challenges often arise when user expectations don't match real system properties.

Educate, design better UIs, increase transparency. Build systems that better match user expectations.

SLIDE 5

Outline

I. The Web: Third-Party Tracking
II. Modern OSes: Permission Granting

SLIDE 6

Outline

I. The Web: Third-Party Tracking
II. Modern OSes: Permission Granting

• F. Roesner, T. Kohno, D. Wetherall. "Detecting and Defending Against Third-Party Tracking on the Web." In USENIX Symposium on Networked Systems Design and Implementation (NSDI) 2012.
• F. Roesner, C. Rovillos, T. Kohno, D. Wetherall. "ShareMeNot: Balancing Privacy and Functionality of Third-Party Social Widgets." In USENIX ;login: 2012.
• A. Lerner, A. Kornfeld Simpson, T. Kohno, and F. Roesner. "Internet Jones and the Raiders of the Lost Trackers: An Archaeological Study of Web Tracking from 1996 to 2016." In USENIX Security Symposium 2016.

SLIDE 7

Ads That Follow You

10/20/2016 I. The Web: Third-Party Web Tracking 7

Advertisers (and others) track your browsing behaviors for the purposes of targeted ads, website analytics, and personalized content.

SLIDE 8

Third-Party Web Tracking

These ads allow criteo.com to link your visits between sites, even if you never click on the ads.

Browsing profile for user 123: cnn.com, theonion.com, adult-site.com, political-site.com

SLIDE 9

Concerns About Privacy
SLIDE 10

Understanding the Tracking Ecosystem

In 2011, much discussion about tracking, but limited understanding of how it actually works.

Our Goal: systematically study the web tracking ecosystem to inform policy and defenses.

Challenges:
– No agreement on a definition of tracking.
– No automated way to detect trackers. (State of the art: blacklists)

SLIDE 11

Our Approach

ANALYZE
(1) Reverse-engineer trackers' methods.
(2) Develop a tracking taxonomy.

MEASURE
(3) Build an automated detection tool.
(4) Measure prevalence in the wild.
(5) Evaluate existing defenses.

BUILD
(6) Develop new defenses.

SLIDE 12

Web Background

Websites store info in cookies in the browser.
– Only accessible to the site that set them.
– Automatically included with web requests.

(Diagram: theonion.com server ↔ cookie: id=123; cnn.com server ↔ cookie: id=456. Each cookie is sent back only to the server that set it.)

SLIDE 13

Anonymous Tracking

Trackers included in other sites use cookies containing unique identifiers to create browsing profiles.

(Diagram: criteo.com sets cookie: id=789 in the browser; the same cookie accompanies every embedded-ad request, so criteo.com learns: user 789: theonion.com, cnn.com, adult-site.com, …)

SLIDE 14

Our Tracking Taxonomy [NSDI '12]

In the wild, tracking is much more complicated.

(1) Trackers don't just use cookies.
– Flash cookies, HTML5 LocalStorage, etc.

(2) Trackers exhibit different behaviors.
– Within-site vs. cross-site.
– Anonymous vs. non-anonymous.
– Specific behavior types: analytics, vanilla, forced, referred, personal.

SLIDE 15

Other Trackers?

"Personal" Trackers

SLIDE 16

Personal Tracking

• Tracking is not anonymous (linked to accounts).
• Users directly visit the tracker's site → evades some defenses.

(Diagram: facebook.com sets cookie: id=franzi.roesner when the user visits it directly; the same cookie is sent with every embedded Facebook widget request, so facebook.com learns: user franzi.roesner: theonion.com, cnn.com, adult-site.com, …)

SLIDE 17

Measurement Study

Questions:
– How prevalent is tracking (of different types)?
– How much of a user's browsing history is captured?
– How effective are defenses?

Approach: Build a tool to automatically crawl the web, detect and categorize trackers based on our taxonomy.

TrackingObserver: tracking detection platform
http://trackingobserver.cs.washington.edu

SLIDE 18

How prevalent is tracking? (2011)

524 unique trackers on Alexa top 500 websites (homepages + 4 links).
457 domains (91%) embed at least one tracker.
(97% of those include at least one cross-site tracker.)
50% of domains embed between 4 and 5 trackers. One domain includes 43 trackers.

SLIDE 19

(Same as slide 18, plus:)

Tracking is increasing!

Unique trackers on the top 500 websites (homepages only): 2011: 383; 2013: 409; 2015: 512.

SLIDE 20

How has this changed over time? [USENIX Security '16]

• The web has existed for a while now…
• What about tracking before 2011? (our first study)
• What about tracking before 2009? (first academic study)

Solution: time travel!

SLIDE 21

The Wayback Machine to the Rescue

Time travel for web tracking (lots of challenges!)

http://trackingexcavator.cs.washington.edu

SLIDE 22

1996-2016: More & More Tracking

More trackers of more types

SLIDE 23

1996-2016: More & More Tracking

More trackers of more types, more per site

SLIDE 24

1996-2016: More & More Tracking

More trackers of more types, more per site, more coverage

SLIDE 25

Who/what are the top trackers? (2011)

SLIDE 26

Who/what are the top trackers? (2011)

Defenses for personal trackers (red bars) were inadequate.

SLIDE 27

Defense: ShareMeNot

Prior defenses for personal trackers: ineffective, or completely removed social media buttons.

Our defense:
• ShareMeNot (for Chrome/Firefox) protects against tracking without compromising button functionality.
• Blocks requests to load buttons, replaces them with local versions. On click, shares to social media as expected.
• Techniques adopted by Ghostery and the EFF.

http://sharemenot.cs.washington.edu
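The cookie mechanism of slides 12-16 and the ShareMeNot approach of slide 27, as one added simulation in Python (not code from the talk, TrackingObserver or ShareMeNot). It models a browser whose cookie jar is scoped by domain, an anonymous ad tracker that mints a random identifier on first contact (criteo.com-style) and a personal tracker whose cookie is tied to an account after a direct visit; with the ShareMeNot-style flag set, social-button embeds are replaced by local placeholders and the real button is only fetched when the user clicks to share. Page compositions, the account name and the visit order are constructed sample data.

```python
"""Third-party cookie tracking and a ShareMeNot-style defense, simulated.

Added example: not code from the talk, TrackingObserver or ShareMeNot. It
models the cookie mechanism of slides 12-16 only: a per-domain cookie jar,
and a domain's cookie is sent with every request to that domain, including
requests for content it serves inside other sites' pages. PAGES, the tracker
names, the account name and the visit order are constructed sample data.
"""
import secrets
from collections import defaultdict

# Constructed: which third parties each first-party page embeds.
# "ad" = an ad/analytics beacon, "widget" = a social button (Like/Share).
PAGES = {
    "theonion.com": [("criteo.com", "ad"), ("facebook.com", "widget")],
    "cnn.com": [("criteo.com", "ad"), ("facebook.com", "widget")],
    "adult-site.com": [("criteo.com", "ad"), ("facebook.com", "widget")],
    "political-site.com": [("facebook.com", "widget")],
}


class Tracker:
    """A third-party server that assigns an identifier cookie and logs visits."""

    def __init__(self, domain):
        self.domain = domain
        self.profiles = defaultdict(list)  # identifier -> first-party sites seen

    def handle(self, cookie, referer, login_as=None):
        """Serve one request; return the cookie value the browser should keep."""
        if login_as is not None:
            cookie = login_as  # personal tracker: cookie now names the account
        elif cookie is None:
            cookie = secrets.token_hex(4)  # anonymous tracker: random identifier
        if referer is not None and referer != self.domain:
            self.profiles[cookie].append(referer)  # cross-site visit observed
        return cookie


class Browser:
    """Domain-scoped cookie jar: each domain's cookie goes only to that domain."""

    def __init__(self, trackers, share_me_not=False):
        self.jar = {}
        self.trackers = trackers
        self.share_me_not = share_me_not
        self.placeholders = []  # local stand-ins shown instead of real widgets

    def request(self, domain, referer=None, login_as=None):
        server = self.trackers[domain]
        self.jar[domain] = server.handle(self.jar.get(domain), referer, login_as)

    def visit(self, site):
        for third_party, kind in PAGES[site]:
            if self.share_me_not and kind == "widget":
                # Do not load the real button; render a local placeholder instead.
                self.placeholders.append((site, third_party))
                continue
            self.request(third_party, referer=site)

    def click_widget(self, site, third_party):
        """User chooses to share: only now is the real button loaded."""
        self.request(third_party, referer=site)

    def login(self, domain, account):
        self.request(domain, login_as=account)


def run_session(share_me_not):
    """Replay one constructed browsing session; return each tracker's profiles."""
    trackers = {d: Tracker(d) for d in ("criteo.com", "facebook.com")}
    b = Browser(trackers, share_me_not)
    b.login("facebook.com", "franzi.roesner")  # personal tracker knows the account
    for site in ("theonion.com", "cnn.com", "adult-site.com", "political-site.com"):
        b.visit(site)
    if share_me_not:
        b.click_widget("cnn.com", "facebook.com")  # one deliberate share
    return {d: dict(t.profiles) for d, t in trackers.items()}


if __name__ == "__main__":
    for mode in (False, True):
        print("ShareMeNot on:" if mode else "No defense:", run_session(mode))
```

Without the defense both trackers reconstruct the full visit list, the personal tracker under the account name and the ad tracker under a random identifier. With the ShareMeNot-style replacement the personal tracker learns only the one site where the user actually chose to share, while the ad tracker is untouched: the defense targets social widgets, matching the slide's scope of personal trackers.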

SLIDE 28

Summary: Web Tracking

Pre-2011: Limited understanding of web tracking. Our work:
– Comprehensive tracking taxonomy.
– Measurements and archaeological study from 1996-2016.
– Example results: >500 unique trackers, some able to capture up to 66% of a user's browsing history.
– New defense for "personal trackers" like Facebook, Google, Twitter: built into ShareMeNot, adopted by Ghostery + EFF.

SLIDE 29

Outline

I. The Web: Third-Party Tracking
II. Modern OSes: Permission Granting

• F. Roesner, T. Kohno, A. Moshchuk, B. Parno, H. J. Wang, C. Cowan. "User-Driven Access Control: Rethinking Permission Granting in Modern Operating Systems." In IEEE Symposium on Security & Privacy 2012 (Best Practical Paper Award).
• F. Roesner, J. Fogarty, T. Kohno. "User Interface Toolkit Mechanisms for Securing Interface Elements." In ACM Symposium on User Interface Software and Technology (UIST) 2012.
• F. Roesner, T. Kohno. "Securing Embedded User Interfaces: Android and Beyond." In USENIX Security 2013.
• T. Ringer, D. Grossman, F. Roesner. "AUDACIOUS: User-Driven Access Control with Unmodified Operating Systems." In ACM Conference on Computer and Communications Security (CCS) 2016.

SLIDE 30

Smartphone (In)Security

10/20/2016 II. Modern OSes: Permission Granting 30

Users accidentally install malicious applications.

SLIDE 31

Smartphone (In)Security

Users accidentally install malicious applications. Even legitimate applications exhibit questionable behavior.

Hornyack et al.: 43 of 110 Android applications sent location or phone ID to third-party advertising/analytics servers.

SLIDE 32

Permission Granting Problem

Smartphones (and other modern OSes) try to prevent such attacks by limiting applications' access to:
– System resources (clipboard, file system).
– Devices (camera, GPS, phone, …).

Standard approach: Ask the user.

How should the operating system grant permissions to applications?

SLIDE 33

State of the Art

Prompts (time-of-use)

SLIDE 34

State of the Art

Prompts (time-of-use): Disruptive, which leads to prompt fatigue.
Manifests (install-time)

SLIDE 35

State of the Art

Prompts (time-of-use): Disruptive, which leads to prompt fatigue.
Manifests (install-time): Out of context; not understood by users.

In practice, both are overly permissive: once granted permissions, apps can misuse them.

SLIDE 36

Goals for Permission Granting

1. Least-Privilege: Applications should receive the minimum necessary access.
2. Usable:
• Not disruptive to users.
• Matches user expectations ("magically" grants exactly those permissions expected by the user).
• Doesn't require constant comprehension/management.
3. Generalizable: Easily extended to new resources.
SLIDE 37

Our Work: User-Driven Access Control

"Let this application access my location now."

Insight: A user's natural UI actions within an application implicitly carry permission-granting semantics.

SLIDE 38

(Same as slide 37, plus:)

Our study shows: Many users already believe (52% of 186) – and/or desire (68%) – that resource access follows the user-driven access control model.
SLIDE 39

Resource-Related UIs Today

(Figure. User's View: Photo Editor App, (1) User clicks on camera button. Operating System's View: Photo Editor App → Kernel, (2) Access camera APIs. Permissions: CAMERA, LOCATION.)

SLIDE 40

Resource-Related UIs Today

(Same figure as slide 39.)

Problem: OS can't understand the user's interaction with the application → can't link permission use to user intent.

Challenge: Can the system extract access control decisions from user actions in a general, application-agnostic way? Prior approaches are hard to generalize:
EWS [SVNC '04], NitPicker [FH '05], CapDesk [M '06], Qubes, Polaris [SKYCM '06], UIBAC [SE '08], BLADE [LYPL '10]

SLIDE 41

New OS Primitive: Access Control Gadgets (ACGs)

Approach: Make resource-related UI elements first-class operating system objects (access control gadgets).
• To receive resource access, applications must embed a system-provided ACG.
• ACGs allow the OS to capture the user's permission-granting intent in an application-agnostic way.

SLIDE 42

Access Control Gadgets (ACGs) in Action

(Figure. User's View: Photo Editor App, (1) User clicks on camera ACG. Operating System's View: the Photo Editor App embeds the Camera ACG via <object src="rm://camera/takePicture"/>; the ACG runs in an isolation container; on click, the Camera Resource Monitor (2) takes the picture and the app (3) receives the picture. Kernel underneath.)

SLIDE 43

Challenges with ACGs

Impact on applications:
– What about application customization?
– How to design system/resource APIs to support necessary application functionality?

Attacks on ACGs by malicious applications:
– How can the system be sure that the user intent it captures is authentic?

SLIDE 44

Attacks on Access Control Gadgets

Malicious applications want to gain access without authentic user intent.

Example: Clickjacking attack. Trick users into clicking on the ACG by making it transparent.

SLIDE 45

Attacks on Access Control Gadgets

(Screenshot: a decoy "Start game!" button used for the clickjacking example.)

Malicious applications want to gain access without authentic user intent.

Example: Clickjacking attack. Trick users into clicking on the ACG by making it transparent.

The operating system must protect ACGs from potentially malicious parent applications. First implemented in MSR's ServiceOS prototype system, later in Android (http://layercake.cs.washington.edu).
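The ACG flow of slide 42 and the attacks of slides 44-45, as an added toy model in Python (not the talk's code, nor ServiceOS, LayerCake or AUDACIOUS). A resource monitor owns the camera: a direct API call by an app is refused, a click on a system-owned camera ACG grants a picture, and the checks that make the captured intent authentic reject the transparent-ACG clickjacking trick, app-synthesized input, an ACG partly covered by another element, and a click that arrives before the gadget has been visible for a minimum time. The element model, the 200 ms threshold and the app names are assumptions made for this example, not details from the paper.

```python
"""Toy model of access control gadgets (ACGs) mediating camera access.
Added example, not code from the talk, ServiceOS, LayerCake or AUDACIOUS.
Assumed: the OS knows each element's opacity and z-order, input events carry
a trusted origin flag, and an ACG click counts only after MIN_VISIBLE_MS of
full visibility (value chosen here). Names, rectangles, timings: constructed.
"""
from dataclasses import dataclass
from typing import Optional

MIN_VISIBLE_MS = 200  # assumed minimum on-screen time before a click counts

@dataclass(frozen=True)
class Rect:
    x: int; y: int; w: int; h: int

    def contains(self, px, py):
        return self.x <= px < self.x + self.w and self.y <= py < self.y + self.h

    def overlaps(self, o):
        return not (o.x >= self.x + self.w or o.x + o.w <= self.x
                    or o.y >= self.y + self.h or o.y + o.h <= self.y)

@dataclass
class Element:          # an app's own view, or (acg_resource set) a system ACG
    owner: str
    rect: Rect
    z: int
    alpha: float = 1.0
    acg_resource: Optional[str] = None
    shown_at: int = 0   # ms timestamp at which it was first displayed

@dataclass(frozen=True)
class Click:
    x: int; y: int; t: int
    from_kernel: bool   # False: event synthesized by an application

class ResourceMonitor:
    """Owns the camera. Apps get a picture only through an authentic ACG click."""

    def __init__(self):
        self.elements = []

    def take_picture(self, app):
        # Direct API call by an app: always refused, no user intent is involved.
        raise PermissionError(f"{app}: no user-driven grant for camera")

    def acg_is_authentic(self, acg, click):
        """Return None if the click is genuine user intent, else the reason."""
        if not click.from_kernel:
            return "synthesized input"
        if acg.alpha < 1.0:
            return "ACG not fully opaque"
        if any(o is not acg and o.z > acg.z and o.alpha > 0
               and o.rect.overlaps(acg.rect) for o in self.elements):
            return "ACG covered by another element"
        if click.t - acg.shown_at < MIN_VISIBLE_MS:
            return "ACG not displayed long enough"
        return None

    def deliver_click(self, click):
        """Route a click to the topmost element; grant only via an authentic ACG."""
        hit = [e for e in self.elements if e.rect.contains(click.x, click.y)]
        if not hit:
            return ("none", "no element at point")
        top = max(hit, key=lambda e: e.z)
        if top.acg_resource is None:
            return (top.owner, "ordinary click")  # the app handles it itself
        reason = self.acg_is_authentic(top, click)
        if reason:
            return (top.owner, "denied: " + reason)
        return (top.owner, "granted: " + top.acg_resource)  # picture handed to app

def scenarios():
    """Run constructed situations from slides 42-45; return {name: outcome}."""
    out, box = {}, Rect(300, 300, 200, 60)
    # 1. Honest photo editor embeds a camera ACG; the user clicks it after 500 ms.
    rm = ResourceMonitor()
    rm.elements.append(Element("photo-editor", Rect(10, 10, 100, 40), z=1,
                               acg_resource="camera"))
    out["honest click"] = rm.deliver_click(Click(50, 20, 500, from_kernel=True))
    # 2. The same app calls the camera API directly, with no user action.
    try:
        rm.take_picture("photo-editor")
        out["direct call"] = "allowed"
    except PermissionError:
        out["direct call"] = "denied"
    # 3. Clickjacking: a game draws "Start game!" and lays a transparent ACG on it.
    rm = ResourceMonitor()
    rm.elements.append(Element("game", box, z=1))  # the decoy button
    rm.elements.append(Element("game", box, z=2, alpha=0.0, acg_resource="camera"))
    out["clickjacking"] = rm.deliver_click(Click(400, 330, 5000, from_kernel=True))
    # 4. An opaque ACG, but the game synthesizes the click, or clicks it too soon.
    rm = ResourceMonitor()
    rm.elements.append(Element("game", box, z=2, acg_resource="camera", shown_at=4950))
    out["synthesized"] = rm.deliver_click(Click(400, 330, 5000, from_kernel=False))
    out["too fast"] = rm.deliver_click(Click(400, 330, 5000, from_kernel=True))
    return out
```

The point of the model is that the grant decision never consults the application: it is taken by the monitor from what the kernel saw the user do to a gadget the application cannot alter, and every rejected scenario is a way the parent app could fake that observation.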

SLIDE 46

LayerCake: Secure Embedding for Android [USENIX Security '13]

Modified Android 4.2 (JellyBean).

Goal: Allow an Activity in one application to securely embed an Activity from another app.

Pervasive changes to Android Window/Activity managers: (1) Separate processes. (2) Separate windows.

(Figure: a Map Activity embedding a Location ACG and an Ad Activity.)

SLIDE 47

UDAC without OS Support [CCS '16]

(Figure: Secure library; Dynamic analyses; Static analyses; Auditing*)

* M. D. Ernst, R. Just, S. Millstein, W. Dietl, S. Pernsteiner, F. Roesner, K. Koscher, P. B. Barros, R. Bhoraskar, S. Han, P. Vines, and E. X. Wu. "Collaborative verification of information flow for a high-assurance app store." CCS '14.

SLIDE 48

Evaluation Highlights

User-driven access control matches user expectations.
Many users already believe (52% of 186) – and/or desire (68%) – that resource access follows the UDAC model.

User-driven access control improves security.
Addresses most published vulnerabilities related to resource access: 36 of 44 in Chrome (82%), 25 of 26 in Firefox (96%).

ACGs have minimal impact on the user interface.
73% of top Android apps need only limited customization for resource-related UIs.

SLIDE 49

Evaluation Highlights

(Same three findings as slide 48, in the order: improves security; matches user expectations; minimal impact on the user interface.)

SLIDE 50

Summary: Permission Granting

Prior approaches grant too much access, are too disruptive, or are not understood by users. Our approach: user-driven access control.
– OS extracts permissions from user actions.
– Enabled by a new OS primitive: access control gadgets (must be protected from malicious apps).
– Recent work: ACGs without OS support.
– Application-agnostic, improves security and matches user expectations.

SLIDE 51

Outline

I. The Web: Third-Party Tracking
II. Modern OSes: Permission Granting
III. Conclusion

SLIDE 52

Research Overview: Improving Security & Privacy

Understand mental models: Permissions, Journalists [USENIX Security '15, PETS '16], Snapchat [FC '14], Dev. world [ICTD '16, DEV '16]

Analyze existing systems: Web [NSDI '12, USENIX Security '16], Automobiles [IEEE S&P '10, USENIX Security '11], QR Codes [MobiSys '15]

Build new systems: OS, Web, Smartphones [IEEE S&P '12, CCS '16], UI Toolkits [UIST '12, USENIX Security '13], Usable encrypted email [EuroS&P '16]

Anticipate future technologies: Robots [HRI '15], Wearables, Augmented reality [HotOS '13, CACM '14, CCS '14, HotMobile '16]

franzi@cs.washington.edu

Thanks to many collaborators!