uranine real time privacy leakage monitoring without
play

Uranine: Real-time Privacy Leakage Monitoring without System - PowerPoint PPT Presentation

Mar 08, 2024 •47 likes •327 views

Uranine: Real-time Privacy Leakage Monitoring without System Modification for Android Vaibhav Rastogi 1 , Zhengyang Qu 2 , Jedidiah McClurg 3 , Yinzhi Cao 4 , and Yan Chen 2 1 University of Wisconsin and Pennsylvania State University 2 Northwestern

  1. Uranine: Real-time Privacy Leakage Monitoring without System Modification for Android Vaibhav Rastogi 1 , Zhengyang Qu 2 , Jedidiah McClurg 3 , Yinzhi Cao 4 , and Yan Chen 2 1 University of Wisconsin and Pennsylvania State University 2 Northwestern University 3 University of Colorado Boulder 4 Lehigh University

  2. The Privacy Problem • Third-party smartphone apps becoming increasingly important • Apps regularly leak private information without informing users • Private information leakage is a concern for both consumers and enterprises Goal make information about privacy leaks transparent and accessible to the user 2

  3. Outline Requirements and Approach Challenges Design Implementation and Evaluation Conclusion 3

  4. Outline Requirements and Approach Challenges Design Implementation and Evaluation Conclusion 4

  5. Requirements • Real-time detection: enable situationally-aware decision making • No platform modification: enable deployment on all devices • Easily configurable: enable privacy leakage monitoring for just the apps user wants, no overhead for the rest of the system • Portable: across different architectures and language runtimes • Others: accuracy, performance 5

  6. Requirements TaintDroid Phosphor Real time Yes Yes System Yes Yes Modification Configurability Little Little Portability No Yes Runtime Good Good performance Accuracy Good Good Enck, William, et al. "TaintDroid: an information-flow tracking system for realtime privacy monitoring on smartphones." ACM Transactions on Computer Systems (TOCS) 32.2 (2014): 5. Bell, Jonathan Schaffer, and Gail E. Kaiser. "Phosphor: Illuminating Dynamic Data Flow in the JVM." OOPSLA (2014). 6

  7. Uranine • Inline taint tracking. Add information flow tracking code to the application • Do not touch platform code • No modification to the runtime • No modification to the framework libraries • Approximate information flow through platform code 7

  8. Requirements TaintDroid Phosphor Real time Yes Yes System Yes Yes Modification Configurability Little Little Portability No Yes Runtime Good Good performance Accuracy Good Good Enck, William, et al. "TaintDroid: an information-flow tracking system for realtime privacy monitoring on smartphones." ACM Transactions on Computer Systems (TOCS) 32.2 (2014): 5. Bell, Jonathan Schaffer, and Gail E. Kaiser. "Phosphor: Illuminating Dynamic Data Flow in the JVM." (2014). 8

  9. Requirements TaintDroid Phosphor Uranine Real time Yes Yes Yes System Yes Yes No Modification Configurability Little Little High Portability No Yes Yes Runtime Good Good Good performance Accuracy Good Good Good Enck, William, et al. "TaintDroid: an information-flow tracking system for realtime privacy monitoring on smartphones." ACM Transactions on Computer Systems (TOCS) 32.2 (2014): 5. Bell, Jonathan Schaffer, and Gail E. Kaiser. "Phosphor: Illuminating Dynamic Data Flow in the JVM." (2014). 9

  10. Deployment Model 10

  11. Outline Requirements and Approach Challenges Design Implementation and Evaluation Conclusion 11

  12. Challenges Tracking taint across calls to framework libraries Accounting for the effects of callbacks Tainting objects while following Java reference semantics 12

  13. Outline Requirements and Approach Challenges Design Implementation and Evaluation Conclusion 13

  14. Design App Framework Code To Intermediate Summarization Rules Representation Instrumentation Taint Storage & Propagation To Bytecode Instrumented App 14

  15. Taint Storage and Propagation • Shadow taint location for each location class A { class A { String field; String field; } int field_t; } • Similar for method parameters • Add additional parameters for carrying taints • Return taint returned via parameter • Taint propagation for various operations p = q + r; p = q + r; p_t = q_t | r_t; 15

  16. Taint Storage and Propagation • Introduce taint at sources String id = tm.getDeviceId(); String id = tm.getDeviceId(); int id_t = 1; • Check for taint reaching sinks socket.write(deviceLocation); if (deviceLocation_t != 0) sendAlert(); socket.write(deviceLocation); 16

  17. Tracking Taint across library calls • Pre-defined rules for summarization • Catch-all policy: Combine taint of all parameters and set to the return taint and the taint of object on which method is called ( receiver ) • Above summarization not sufficient: additionally propagate taint to all objects that refer to the object being tainted 17

  18. Callbacks class A { private String id; public A(TelephonyManager m) { id = m.getDeviceId(); } public toString() { return id; } } • toString() may be called by framework code and the returned string used elsewhere • Solution: treat like framework code and propagate return taint to receiver 18

  19. Java Reference Semantics • Problem: tainting objects, not just object references • If an object gets tainted, all references should show the taint • Storing object taints should not affect garbage collection • Solution: Use a weak hashtable to map objects to taints 19

  20. Outline Requirements and Approach Challenges Design Implementation and Evaluation Conclusion 20

  21. Implementation • Employ dexlib to convert bytecode to IR • A class hierarchy analysis to identify callbacks and guide the instrumentation • A fine-grained instrumentation framework on top of IR • Generates bytecode sequences that pass the Dalvik verifier • 6000 lines of Scala code 21

  22. Accuracy Evaluation • Use TaintDroid as ground truth • Small-scale manual as well as large-scale automated tests • Large-scale automated runs with Android Monkey on 1490 apps • Privacy leakage results consistent with TaintDroid • 4 cases were identified to be Uranine false positives 22

  23. Performance Evaluation • Performance expected to be good: framework code, which does the real heavy-lifting, runs without overhead • Measuring performance is difficult • No macrobenchmarks for Android • Microbenchmarkingwill not show true performance on real workloads • Created 6 macrobenchmarksfrom real apps from Google Play • Overhead less than 50% for 5 benchmarks, and around 10% in four benchmarks • Compares favorably with TaintDroid (30%) and Phosphor (50%) 23

  24. Scope for Optimizations • Static analysis may be used to identify code paths that will not leak information • Thus only a few paths need to be instrumented • Such optimizations not possible for TaintDroid or Phosphor 24

  25. Outline Requirements and Approach Challenges Design Implementation and Evaluation Conclusion 25

  26. Conclusion • Privacy is a major issue in the present digital revolution • Private information leakage should be transparent • Uranine tracks private information leakage in Android apps without platform modification • A step towards bringing information leakage transparency to the masses 26

  27. https://play.google.com/stor e/apps/details?id=com.webs hield.privacyshield 27

  28. Thank you! 28

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Real-time raise alerts Real-Time Real-time with historical Dashboard Correlate

Real-time raise alerts Real-Time Real-time with historical Dashboard Correlate

Real-time raise alerts Real-Time Real-time with historical Dashboard Correlate Engine + Fabric Offline Develop initial monitoring query Back-test Progressive Non-temporal analysis Interactive Query Authoring

383 views • 15 slides
Privacy leakage on the Internet Balachander Krishnamurthy AT&T LabsResearch

Privacy leakage on the Internet Balachander Krishnamurthy AT&T LabsResearch

Privacy leakage on the Internet Balachander Krishnamurthy AT&T LabsResearch http://www.research.att.com/~bala/papers Joint work with Craig E. Wills, http://www.cs.wpi.edu/~cew AT&T LabsResearch 1 Talk outline 1. Privacy

1.35k views • 53 slides
Aval. Starting Zones Real-Time / Bad Weather

Aval. Starting Zones Real-Time / Bad Weather

NIVEXC TM AN ELECTRONIC SNOW-POLE FOR REAL-TIME MONITORING AN ELECTRONIC SNOW-POLE FOR REAL-TIME MONITORING OF AVALANCHE STARTING ZONES Massimiliano Barbolini Flow-Ing s.r.l. - Italy NIVEXC TM IS DESIGNED, PATENTED AND MANUFACTURED BY: NIVEXC

514 views • 18 slides
REAL-TIME INSTRUMENT FOR STRUCTURAL HEALTH MONITORING B. W. Lee 1 *, M. S. Seo 1 , H. G. Oh 1 ,

REAL-TIME INSTRUMENT FOR STRUCTURAL HEALTH MONITORING B. W. Lee 1 *, M. S. Seo 1 , H. G. Oh 1 ,

18 TH INTERNATIONAL CONFERENCE ON COMPOSITE MATERIALS REAL-TIME INSTRUMENT FOR STRUCTURAL HEALTH MONITORING B. W. Lee 1 *, M. S. Seo 1 , H. G. Oh 1 , C. Y. Park 2 1 Fiberpro Inc, Daejeon, Korea, 2 Aeronautical Technology Directorate, ADD,

200 views • 4 slides
Identifying and Preventing Conditions for Web Privacy Leakage Craig E. Wills Computer Science

Identifying and Preventing Conditions for Web Privacy Leakage Craig E. Wills Computer Science

Identifying and Preventing Conditions for Web Privacy Leakage Craig E. Wills Computer Science Department Worcester Polytechnic Institute Worcester, MA USA W3C Workshop on Web Tracking and User Privacy April, 2011 1 Its Not Just Tracking

474 views • 4 slides
The Price of Free: Privacy Leakage in Personalized Mobile In-App Ads Wei Meng, Ren Ding, Simon P.

The Price of Free: Privacy Leakage in Personalized Mobile In-App Ads Wei Meng, Ren Ding, Simon P.

The Price of Free: Privacy Leakage in Personalized Mobile In-App Ads Wei Meng, Ren Ding, Simon P. Chung, Steven Han, Wenke Lee College of Computing Georgia Institute of Technology Outline Background & Motivation Methodology

576 views • 34 slides
Near real-time monitoring of the April-May 2010 Eyjafjlls ash cloud Labazuy P. and the

Near real-time monitoring of the April-May 2010 Eyjafjlls ash cloud Labazuy P. and the

Near real-time monitoring of the April-May 2010 Eyjafjlls ash cloud Labazuy P. and the HotVolc Team Observatoire de Physique du Globe de Clermont-Ferrand, CNRS, Universit Blaise Pascal 13th International Conference on Harmonization

501 views • 24 slides
Privacy Leakage Attacks in Browser by Colluding Extensions Presentation by Anil Saini 1 , Manoj

Privacy Leakage Attacks in Browser by Colluding Extensions Presentation by Anil Saini 1 , Manoj

Privacy Leakage Attacks in Browser by Colluding Extensions Presentation by Anil Saini 1 , Manoj Singh Gaur 1 , Vijay Laxmi 1 , Tushar Singhal 1 , Mauro Conti 2 1 Malaviya National Institute of Technology, Jaipur, India 2 University of Padua, Italy

882 views • 58 slides
DelDOT Real-Time Transportation Information Gene Donaldson Operations Manager, DelDOT

DelDOT Real-Time Transportation Information Gene Donaldson Operations Manager, DelDOT

DelDOT Real-Time Transportation Information Gene Donaldson Operations Manager, DelDOT Transportation Management Center July 22, 2017 DelDOT Real-Time Traveler Information Flood Monitoring System Statewide network of monitoring

311 views • 6 slides
DEVELOPMENT OF SMART CEMENT FOR REAL TIME MONITORING OF ULTRA DEEPWATER OIL WELL CEMENTING

DEVELOPMENT OF SMART CEMENT FOR REAL TIME MONITORING OF ULTRA DEEPWATER OIL WELL CEMENTING

Proceedings CIGMAT-2014 Conference & Exhibition DEVELOPMENT OF SMART CEMENT FOR REAL TIME MONITORING OF ULTRA DEEPWATER OIL WELL CEMENTING APPLICATIONS C. Vipulanandan Ph.D., P.E. Center for Innovative Grouting Material and Technology

165 views • 16 slides
BurstRadar Practical Real-time Microburst Monitoring for Datacenter Networks Raj Joshi 1 , Ti

BurstRadar Practical Real-time Microburst Monitoring for Datacenter Networks Raj Joshi 1 , Ti

BurstRadar Practical Real-time Microburst Monitoring for Datacenter Networks Raj Joshi 1 , Ti Ting Qu 2 , Mun Choon Chan 1 , Ben Leong 1 , Boon Thau Loo 3 1 2 3 Microbursts (bursts) Events of intermittent congestion lasting 10s or

426 views • 29 slides
Real-time Corrosion Product Transport Monitoring Using On-line Particle Monitors Joe Zimmerman

Real-time Corrosion Product Transport Monitoring Using On-line Particle Monitors Joe Zimmerman

Real-time Corrosion Product Transport Monitoring Using On-line Particle Monitors Joe Zimmerman Chemtrac Systems, Inc. Norcross, GA Introduction The goal of CPT monitoring is to determine: when corrosion is occurring where corrosion is

661 views • 30 slides
Real-time Monitoring of Large Scientific Simulations D. E. Laney V. Pascucci, R. J. Frank, G.

Real-time Monitoring of Large Scientific Simulations D. E. Laney V. Pascucci, R. J. Frank, G.

Real-time Monitoring of Large Scientific Simulations D. E. Laney V. Pascucci, R. J. Frank, G. Scorzelli, L. Linsen, B. Hamann, F. Gygi This work was performed under the auspices of the U.S. Department of Energy by the University of California,

544 views • 21 slides
Real-time Monitoring Sensors and Station Things to Consider Communication: How will sensors and

Real-time Monitoring Sensors and Station Things to Consider Communication: How will sensors and

Real-time Monitoring Sensors and Station Things to Consider Communication: How will sensors and stations transmit data? Cellular Network Verizon and AT&T FirstNet in Monroe County Radio Antennae Satellite Data Management

457 views • 8 slides
Real- Real -Time Systems Time Systems Real- -Time Systems Time Systems Real

Real- Real -Time Systems Time Systems Real- -Time Systems Time Systems Real

EDA222/DIT160 Real-Time Systems, Chalmers/GU, 2008/2009 Lecture #15 Updated 2009-03-03 Dependable Distributed Dependable Distributed Real- Real -Time Systems Time Systems Real- -Time Systems Time Systems Real Aircraft/automotive

501 views • 9 slides
Privacy Leakage in Mobile Online Social Networks Balachander Krishnamurthy, AT&T Labs

Privacy Leakage in Mobile Online Social Networks Balachander Krishnamurthy, AT&T Labs

Privacy Leakage in Mobile Online Social Networks Balachander Krishnamurthy, AT&T Labs Research Craig E. Wills, Worcester Polytechnic Institute Workshop on Online Social Networks Boston, MA USA June 2010 1 Introduction Previously

775 views • 20 slides
2/12/2019 Current Bell Times Proposed Bell Times High School 7:30 am 2:15 pm 8:00 am

2/12/2019 Current Bell Times Proposed Bell Times High School 7:30 am 2:15 pm 8:00 am

2/12/2019 Current Bell Times Proposed Bell Times High School 7:30 am 2:15 pm 8:00 am 2:45 pm Middle School 8:00 am 3:00 pm 8:30 am 3:30 pm Elementary School 9:00 am 3:30 pm 9:15 am 3:45 pm Other FCPS Programs

310 views • 3 slides
Entropy Accumulation in Device-independent Protocols QIP17 Seattle | January 19, 2017 arXiv:

Entropy Accumulation in Device-independent Protocols QIP17 Seattle | January 19, 2017 arXiv:

Entropy Accumulation in Device-independent Protocols QIP17 Seattle | January 19, 2017 arXiv: 1607.01796 & 1607.01797 Rotem Arnon-Friedman , Frdric Dupuis, Omar Fawzi, Renato Renner, & Thomas Vidick Outline 1. Introduction to

550 views • 52 slides
April 21: Bell-LaPadula Model Bell-LaPadula confidentiality model Tranquility

April 21: Bell-LaPadula Model Bell-LaPadula confidentiality model Tranquility

April 21: Bell-LaPadula Model Bell-LaPadula confidentiality model Tranquility Declassification McLeans criticism and System Z April 21, 2017 ECS 235B Spring Quarter 2017 Slide #1 Rule : R V D V Takes a

560 views • 45 slides
All graduates need modern day skills to succeed Access and Analyze and manage create media

All graduates need modern day skills to succeed Access and Analyze and manage create media

All graduates need modern day skills to succeed Access and Analyze and manage create media information Guide and lead be Think responsible creatively to others Work effectively in Adapt diverse to change teams Implement Reason

424 views • 7 slides
Back to School Webinar Effective Strategies for Expanding Participation in School Meals in the

Back to School Webinar Effective Strategies for Expanding Participation in School Meals in the

FRAC Breakfast Matters Back to School Webinar Effective Strategies for Expanding Participation in School Meals in the 2013-2014 School Year Jessie Hewins School Breakfast Associate Food Research and Action Center Todays Agenda Welcome and

614 views • 34 slides
Room for Debate: Are you a Social Conservative or a Social-ist? Esther Bonardi ,

Room for Debate: Are you a Social Conservative or a Social-ist? Esther Bonardi ,

Room for Debate: Are you a Social Conservative or a Social-ist? Esther Bonardi , Senior Director, Marketing Strategy, Yardi Systems, Inc. Candace Weaver , Director, Marketing, Bell Partners, Inc. Mallory Monsma , Marketing Leader, NALS

380 views • 15 slides
Science to Link Knowledge with Action: Maine's Sustainability Solutions Initiative Kathleen

Science to Link Knowledge with Action: Maine's Sustainability Solutions Initiative Kathleen

Science to Link Knowledge with Action: Maine's Sustainability Solutions Initiative Kathleen Bell, School of Economics, University of Maine 23 rd National NSF EPSCoR Conference Nashville, TN November 5, 2013 NSF award #EPS-0904155 Maines

737 views • 42 slides
Block-structured adaptive mesh refinement for finite volume methods on Cartesian grids Donna

Block-structured adaptive mesh refinement for finite volume methods on Cartesian grids Donna

Block-structured adaptive mesh refinement for finite volume methods on Cartesian grids Donna Calhoun (Boise State University) Carsten Burstedde, Univ. of Bonn, Germany Other collaborators : M. Shih (NYU); S. Aiton (BSU); X. Qin (Univ. of

729 views • 35 slides

More recommend