Security, Privacy, & User Expectations:

Similar documents
The Invisible Trail: Third- Party Tracking on the Web

Third-Party Tracking on the Web

CSE 484 / CSE M 584: Computer Security and Privacy. Anonymity Mobile. Autumn Tadayoshi (Yoshi) Kohno

OS Security Rethinking Permission Granting in Modern Operating Systems

Securing Embedded User Interfaces: Android and Beyond. Franziska Roesner and Tadayoshi Kohno University of Washington

Internet Jones and the Raiders of the Lost Trackers

Collaborative Verification of Information Flow for a High-Assurance App Store

Web Security. Course: EPL 682 Name: Savvas Savva

CSE 484 / CSE M 584: Computer Security and Privacy. Usable Security. Fall Franziska (Franzi) Roesner

OWASP AppSec Research The OWASP Foundation New Insights into Clickjacking

SMART DEVICES: DO THEY RESPECT YOUR PRIVACY?

MFA Instructions. Getting Started. 1. Go to Apps, select Play Store 2. Search for Microsoft Authenticator 3. Click Install

CSE 484 / CSE M 584: Computer Security and Privacy. Web Security. Autumn Tadayoshi (Yoshi) Kohno

Firefox OS App Days. Overview and High Level Architecture. Author: José M. Cantera Last update: March 2013 TELEFÓNICA I+D

Security and privacy in the smartphone ecosystem: Final progress report

Mobile App Security and Malware in Mobile Platform

Enhancing Security With SQL Server How to balance the risks and rewards of using big data

OWASP Top 10 The Ten Most Critical Web Application Security Risks

MFA Pilot Instructions

Features. Product Highlights. Not just an app, but a friend for your phone. Optimization. Speed. Battery. Storage. Data Usage

Digital Marketing, Privacy, and New Technologies. Jules Polonetsky, CEO Future of Privacy Forum

C1: Define Security Requirements

LET S TALK MONEY. Fahad Pervaiz. Sam Castle, Galen Weld, Franziska Roesner, Richard Anderson

Looking Forward: Challenges in Mobile Security. John Mitchell Stanford University

Readiness Check: Website Certification

WHITEPAPER. Lookout Mobile Endpoint Security for App Risks

WELCOME Mobile Applications Testing. Copyright

Chrome Extension Security Architecture

MFA (Multi-Factor Authentication) Enrollment Guide

The Multi-Principal OS Construction of the Gazelle Web Browser. Helen J. Wang, Chris Grier, Alex Moshchuk, Sam King, Piali Choudhury, Herman Venter

We need a browser that just works with modern web sites and services. I m worried about Internet security threats and the risk to my business

Computer Security and the Internet of Things

Web Security: Loose Ends

NATHAN SAKUNKOO. Education: Professional Experience: Awards and Honors

Trusted Identities. Foundational to Cloud Services LILA KEE CHIEF PRODUCT OFFICER GLOBALSIGN

Adversary Models. CPEN 442 Introduction to Computer Security. Konstantin Beznosov

Pass, No Record: An Android Password Manager

An Introduction to Google Chrome

Using Open Tools to Convert Threat Intelligence into Practical Defenses A Practical Approach

How Facebook knows exactly what turns you on

You Are Being Watched Analysis of JavaScript-Based Trackers

Privacy Policy. 1. Collection and Use of Your Personal Information

User Control Mechanisms for Privacy Protection Should Go Hand in Hand with Privacy-Consequence Information: The Case of Smartphone Apps

Integrated Access Management Solutions. Access Televentures

Daniel Bender VERACODE Solution Architect. Application Centric Mobile Application Security Model

1000 Ways to Die in Mobile OAuth. Eric Chen, Yutong Pei, Yuan Tian, Shuo Chen,Robert Kotcher and Patrick Tague

Web Security: 1) UI-based attacks 2) Tracking on the web

Signup for Multi-Factor Authentication

ANDROID PRIVACY & SECURITY GUIDE ANDROID DEVICE SETTINGS

Defense-in-Depth Against Malicious Software. Speaker name Title Group Microsoft Corporation

CISSP CEH PKI SECURITY + CEHv9: Certified Ethical Hacker. Upcoming Dates. Course Description. Course Outline

CS 161 Computer Security

Zero Trust with Okta: A Modern Approach to Secure Access from Anywhere. How Okta enables a Zero Trust solution for our customers

Software Version 3.3 Version 1.0 October Xerox Print Portal. Information Assurance Disclosure

A Virtual Smartphone

Ceedo Client Family Products Security

Security Analysis of modern Automobile

Robust Defenses for Cross-Site Request Forgery

Software Security: Buffer Overflow Defenses

An Empirical Study of Web Resource Manipulation in Real-world Mobile Applications

Private Browsing: an Inquiry on Usability and Privacy Protection

Mobile Devices prioritize User Experience

Quick Heal Total Security for Android. Anti-Theft Security. Web Security. Backup. Real-Time Protection. Safe Online Banking & Shopping.

Wild Apricot Website User s Guide.

Information Security Controls Policy

Jeffrey Friedberg. Chief Trust Architect Microsoft Corporation. July 12, 2010 Microsoft Corporation

Static Verification of Android Security

Lecture 10. Denial of Service Attacks (cont d) Thursday 24/12/2015

Oracle Service Cloud. Release 18D. What s New

Security. SWE 432, Fall 2017 Design and Implementation of Software for the Web

The State of the Trust Gap in 2015

Software Security: Buffer Overflow Attacks

Some example UW security lab projects, related to emerging technologies. Tadayoshi Kohno CSE 484, University of Washington

Securing Office 365 with MobileIron

Online (in)security: The current threat landscape Nikolaos Tsalis

"Expiry if Persistent (# days till it expires" Cookie type (1st or 3rd) "Cookie type (Session or Persistent)" Cookie friendly name

OAuth2.0: the Promise and Pitfalls. Sergey Ozernikov Security Consultant OWASP NZ Day 4 th February 2016

Principles of ICT Systems and Data Security

Copyright

Cloud UC. Program Downloads I WOULD LIKE TO... DOWNLOADING THE CLIENT SOFTWARE

TAKING THE MODULAR VIEW

Information Sharing and User Privacy in the Third-party Identity Management Landscape

Topics. Ensuring Security on Mobile Devices

Thomas Lippert Principal Product Manager. Sophos Mobile. Spring 2017

Combatting Browser Fingerprinting with ChromeDust

BYOD Success Kit. Table of Contents. Current state of BYOD in enterprise Checklist for BYOD Success Helpful Pilot Tips

Using HerpMapper. Mike Pingleton

Group Name: Team Epsilon Max Hinson Jhon Faghih Nassiri

1 Introduction Requirements Architecture Feature List... 4

Does Windows 10 Have Privacy Issues? February 11, Joel Ewing

Who am I? Identity Product Group, CXP Team. Premier Field Engineer. SANS STI Student GWAPT, GCIA, GCIH, GCWN, GMOB

Get Smart. Get Smart. This is not about. What kind of phone you have Specific farming apps Actually size doesn t matter 30/04/2015

Data protection declaration

Password Managers: Attacks and Defenses

Software Security: Buffer Overflow Defenses and Miscellaneous

Who am I? Identity Product Group, CXP Team. Premier Field Engineer. SANS STI Student GWAPT, GCIA, GCIH, GCWN, GMOB

An Overview of Mobile Security

Adobe Spark. Schools and Educators. A Guide for. spark.adobe.com

Feature: Online App Builder Studio

Northern Arizona University. Project Requirements. Bit Tag. Temitope Alaga, John Dance, Josh Frampton, Jun Rao CS 476. Version 1.0

Transcription:

Security, Privacy, & User Expectations: Case Studies in Web Tracking and Application Permissions Franziska Roesner Assistant Professor Computer Science & Engineering University of Washington

Security, Privacy, & User Expectations: Case Studies in Web Tracking and Application Permissions Franziska Roesner Assistant Professor Computer Science & Engineering University of Washington + many collaborators!

New technologies bring new benefits but also new risks. 10/20/2016 Franziska Roesner 3

Improving Security & Privacy Security and privacy challenges often arise when user expectations don t match real system properties. Educate, design better UIs, increase transparency. Build systems that better match user expectations. 10/20/2016 Franziska Roesner 4

Outline I. The Web: Third-Party Tracking II. Modern OSes: Permission Granting 10/20/2016 Franziska Roesner 5

Outline I. The Web: Third-Party Tracking II. Modern OSes: Permission Granting F. Roesner, T. Kohno, D. Wetherall. Detecting and Defending Against Third-Party Tracking on the Web. In USENIX Symposium on Networked Systems Design and Implementation (NSDI) 2012. F. Roesner, C. Rovillos, T. Kohno, D. Wetherall. ShareMeNot: Balancing Privacy and Functionality of Third-Party Social Widgets. In USENIX ;login: 2012. A. Lerner, A. Kornfeld Simpson, T. Kohno, and F. Roesner. Internet Jones and the Raiders of the Lost Trackers: An Archaeological Study of Web Tracking from 1996 to 201. In USENIX Security Symposium 2016. 10/20/2016 Franziska Roesner 6

Ads That Follow You Advertisers (and others) track your browsing behaviors for the purposes of targeted ads, website analytics, and personalized content. 10/20/2016 I. The Web: Third-Party Web Tracking 7

Third-Party Web Tracking Browsing profile for user 123: cnn.com theonion.com adult-site.com political-site.com These ads allow criteo.com to link your visits between sites, even if you never click on the ads. 10/20/2016 I. The Web: Third-Party Web Tracking 8

Concerns About Privacy 10/18/16 I. The Web: Third-Party Web Tracking 9

Understanding the Tracking Ecosystem In 2011, much discussion about tracking, but limited understanding of how it actually works. Our Goal: systematically study web tracking ecosystem to inform policy and defenses. Challenges: No agreement on definition of tracking. No automated way to detect trackers. (State of the art: blacklists) 10/20/2016 I. The Web: Third-Party Web Tracking 10

Our Approach ANALYZE (1) Reverse-engineer trackers methods. (2) Develop tracking taxonomy. MEASURE (3) Build automated detection tool. (4) Measure prevalence in the wild. (5) Evaluate existing defenses. BUILD (6) Develop new defenses. 10/20/2016 I. The Web: Third-Party Web Tracking 11

Web Background Websites store info in cookies in the browser. Only accessible to the site that set them. Automatically included with web requests. cookie: id=123 cookie: id=123 theonion.com server cookie: id=456 cookie: id=456 cnn.com server 10/20/2016 I. The Web: Third-Party Web Tracking 12

Anonymous Tracking Trackers included in other sites use cookies containing unique identifiers to create browsing profiles. cookie: id=789 cookie: id=789 criteo.com user 789: theonion.com, cnn.com, adult-site.com, 10/20/2016 I. The Web: Third-Party Web Tracking 13

Our Tracking Taxonomy [NSDI 12] In the wild, tracking is much more complicated. (1) Trackers don t just use cookies. Flash cookies, HTML5 LocalStorage, etc. (2) Trackers exhibit different behaviors. Within-site vs. cross-site. Anonymous vs. non-anonymous. Specific behavior types: analytics, vanilla, forced, referred, personal. 10/20/2016 I. The Web: Third-Party Web Tracking 14

Other Trackers? Personal Trackers 10/20/2016 I. The Web: Third-Party Web Tracking 15

Personal Tracking cookie: id=franzi.roesner cookie: id=franzi.roesner cookie: id=franzi.roesner facebook.com user franzi.roesner: theonion.com, cnn.com, adult-site.com, Tracking is not anonymous (linked to accounts). Users directly visit tracker s site evades some defenses. 10/20/2016 I. The Web: Third-Party Web Tracking 16

Measurement Study Questions: How prevalent is tracking (of different types)? How much of a user s browsing history is captured? How effective are defenses? Approach: Build tool to automatically crawl web, detect and categorize trackers based on our taxonomy. TrackingObserver: tracking detection platform http://trackingobserver.cs.washington.edu 10/20/2016 I. The Web: Third-Party Web Tracking 17

How prevalent is tracking? (2011) 524 unique trackers on Alexa top 500 websites (homepages + 4 links) 457 domains (91%) embed at least one tracker. (97% of those include at least one cross-site tracker.) 50% of domains embed between 4 and 5 trackers. One domain includes 43 trackers. 10/18/16 I. The Web: Third-Party Web Tracking 18

How prevalent is tracking? (2011) 524 unique trackers on Alexa top 500 websites (homepages + 4 links) 457 domains (91%) embed at least one tracker. Tracking is increasing! (97% of those include at least one cross-site tracker.) Unique trackers on the top 500 websites (homepages only): 2011: 383 2013: 409 2015: 512 50% of domains embed between 4 and 5 trackers. One domain includes 43 trackers. 10/18/16 I. The Web: Third-Party Web Tracking 19

How has this changed over time? [USENIX Security 16] The web has existed for a while now - What about tracking before 2011? (our first study) - What about tracking before 2009? (first academic study) Solution: time travel! 10/18/16 I. The Web: Third-Party Web Tracking 20

The Wayback Machine to the Rescue Time travel for web tracking (lots of challenges!) http://trackingexcavator.cs.washington.edu 10/18/16 I. The Web: Third-Party Web Tracking 21

1996-2016: More & More Tracking More trackers of more types 10/18/16 I. The Web: Third-Party Web Tracking 22

1996-2016: More & More Tracking More trackers of more types, more per site 10/18/16 I. The Web: Third-Party Web Tracking 23

1996-2016: More & More Tracking More trackers of more types, more per site, more coverage 10/18/16 I. The Web: Third-Party Web Tracking 24

Who/what are the top trackers? (2011) 10/20/2016 I. The Web: Third-Party Web Tracking 25

Who/what are the top trackers? (2011) Defenses for personal trackers (red bars) were inadequate. 10/20/2016 I. The Web: Third-Party Web Tracking 26

Defense: ShareMeNot Prior defenses for personal trackers: ineffective or completely removed social media buttons. Our defense: - ShareMeNot (for Chrome/Firefox) protects against tracking without compromising button functionality. - Blocks requests to load buttons, replaces with local versions. On click, shares to social media as expected. - Techniques adopted by Ghostery and the EFF. http://sharemenot.cs.washington.edu 10/20/2016 I. The Web: Third-Party Web Tracking 27

Summary: Web Tracking Pre-2011: Limited understanding of web tracking. Our work: Comprehensive tracking taxonomy. Measurements and archeological study from 1996-2016. Example results: >500 unique trackers, some able to capture up to 66% of a user s browsing history. New defense for personal trackers like Facebook, Google, Twitter: built into ShareMeNot, adopted by Ghostery + EFF. 10/20/2016 I. The Web: Third-Party Web Tracking 28

Outline I. The Web: Third-Party Tracking II. Moderns OSes: Permission Granting F. Roesner, T. Kohno, A. Moshchuk, B. Parno, H. J. Wang, C. Cowan. User-Driven Access Control: Rethinking Permission Granting in Modern Operating Systems. In IEEE Symposium on Security & Privacy 2012 (Best Practical Paper Award). F. Roesner, J. Fogarty, T. Kohno. User Interface Toolkit Mechanisms for Securing Interface Elements. In ACM Symposium on User Interface Software and Technology (UIST) 2012. F. Roesner, T. Kohno. Securing Embedded User Interfaces: Android and Beyond. In USENIX Security 2013. T. Ringer, D. Grossman, F. Roesner. AUDACIOUS: User-Driven Access Control with Unmodified Operating Systems. In ACM Conference on Computer and Communications Security (CCS) 2016. 10/20/2016 Franziska Roesner 29

Smartphone (In)Security Users accidentally install malicious applications. 10/20/2016 II. Modern OSes: Permission Granting 30

Smartphone (In)Security Users accidentally install malicious applications. Even legitimate applications exhibit questionable behavior. Hornyack et al.: 43 of 110 Android applications sent location or phone ID to third-party advertising/analytics servers. 10/20/2016 II. Modern OSes: Permission Granting 31

Permission Granting Problem Smartphones (and other modern OSes) try to prevent such attacks by limiting applications access to: System Resources (clipboard, file system). Devices (camera, GPS, phone, ). How should operating system grant permissions to applications? Standard approach: Ask the user. 10/20/2016 II. Modern OSes: Permission Granting 32

State of the Art Prompts (time-of-use) 10/20/2016 II. Modern OSes: Permission Granting 33

State of the Art Prompts (time-of-use) Manifests (install-time) Disruptive, which leads to prompt-fatigue. 10/20/2016 II. Modern OSes: Permission Granting 34

State of the Art Prompts (time-of-use) Manifests (install-time) Disruptive, which leads to prompt-fatigue. Out of context; not understood by users. In practice, both are overly permissive: Once granted permissions, apps can misuse them. 10/20/2016 II. Modern OSes: Permission Granting 35

Goals for Permission Granting 1. Least-Privilege: Applications should receive the minimum necessary access. 2. Usable: - Not disruptive to users. - Matches user expectations. - Doesn t require constant comprehension/management. ( magically grants exactly those permissions expected by the user) 3. Generalizable: Easily extended to new resources. 10/20/2016 II. Modern OSes: Permission Granting 36

Our Work: User-Driven Access Control Let this application access my location now. Insight: A user s natural UI actions within an application implicitly carry permission-granting semantics. 10/20/2016 II. Modern OSes: Permission Granting 37

Our Work: User-Driven Access Control Let this application access my location now. Our study shows: Insight: Many users already believe A user s (52% natural of 186) UI actions within and/or desire (68%) an that application resource implicitly access carry follows the user-driven permission-granting access control model. semantics. 10/20/2016 II. Modern OSes: Permission Granting 38

Resource-Related UIs Today User s View Photo Editor App Operating System s View Photo Editor App Permissions: CAMERA, LOCATION (2) Access camera APIs (1) User clicks on camera button Kernel 10/20/2016 II. Modern OSes: Permission Granting 39

Resource-Related UIs Today User s View Photo Editor App Operating System s View Problem: OS can t understand user s Photo interaction Editor App with application can t link permission use to user intent. Permissions: CAMERA, LOCATION Challenge: Can the system extract access control decisions from user actions in a general, application-agnostic way? Prior approaches are hard to generalize: (1) User clicks on EWS [SVNC 04], NitPicker [FH 05], CapDesk Kernel [M 06], Qubes, camera button Polaris [SKYCM 06], UIBAC [SE 08], BLADE [LYPL 10] (2) Access camera APIs 10/20/2016 II. Modern OSes: Permission Granting 40

New OS Primitive: Access Control Gadgets (ACGs) Approach: Make resource-related UI elements first-class operating system objects (access control gadgets). To receive resource access, applications must embed a system-provided ACG. ACGs allow the OS to capture the user s permission granting intent in application-agnostic way. 10/20/2016 II. Modern OSes: Permission Granting 41

Access Control Gadgets (ACGs) in Action User s View Photo Editor App Operating System s View Camera Resource Monitor Isolation container Photo Editor App Camera ACG (1) User clicks on camera ACG ACG (2) Take picture Kernel <object src= rm://camera/ta kepicture /> (3) Receive picture 10/20/2016 II. Modern OSes: Permission Granting 42

Challenges with ACGs Impact on applications: What about application customization? How to design system/resource APIs to support necessary application functionality? Attacks on ACGs by malicious applications: How can system be sure that the user intent it captures is authentic? 10/20/2016 II. Modern OSes: Permission Granting 43

Attacks on Access Control Gadgets Malicious applications want to gain access without authentic user intent. Example: Clickjacking attack. Trick users into clicking on ACG by making it transparent. 10/20/2016 II. Modern OSes: Permission Granting 44

Attacks on Access Control Gadgets Malicious applications want to gain access without authentic user intent. Example: Clickjacking attack. Trick The users operating into clicking system on must ACG by protect making ACGs it transparent. from potentially malicious parent applications. Start game! Start game! First implemented in MSR s ServiceOS prototype system, later in Android (http://layercake.cs.washington.edu). 10/20/2016 II. Modern OSes: Permission Granting 45

[USENIX Security 13] LayerCake: Secure Embedding for Android Modified Android 4.2 (JellyBean). Goal: Allow an Activity in one application to securely embed an Activity from another app. Pervasive changes to Android Window/Activity managers: (1) Separate processes. (2) Separate windows. Ad Activity Location ACG Map Activity 10/20/2016 II. Modern OSes: Permission Granting 46

[CCS 16] UDAC without OS Support Secure library, Dynamic analyses Static analyses * Auditing * M. D. Ernst, R. Just, S. Millstein, W. Dietl, S. Pernsteiner, F. Roesner, K. Koscher, P. B. Barros, R. Bhoraskar, S. Han, P. Vines, and E. X. Wu. Collaborative verification of information flow for a high-assurance app store. CCS 14. 10/20/2016 II. Modern OSes: Permission Granting 47

Evaluation Highlights User-driven access control matches user expectations. Many users already believe (52% of 186) and/or desire (68%) that resource access follows the UDAC model. User-driven access control improves security. Addresses most published vulnerabilities related to resource access: 36 of 44 in Chrome (82%), 25 of 26 in Firefox (96%). ACGs have minimal impact on user interface. 73% of top Android apps need only limited customization for resource-related UIs. 10/20/2016 II. Modern OSes: Permission Granting 48

Evaluation Highlights User-driven access control improves security. Addresses most published vulnerabilities related to resource access: 36 of 44 in Chrome (82%), 25 of 26 in Firefox (96%). User-driven access control matches user expectations. Many users already believe (52% of 186) and/or desire (68%) that resource access follows the UDAC model. ACGs have minimal impact on user interface. 73% of top Android apps need only limited customization for resource-related UIs. 10/20/2016 II. Modern OSes: Permission Granting 49

Summary: Permission Granting Prior approaches grant too much access, are too disruptive, or are not understood by users. Our approach: user driven access control. OS extracts permissions from user actions. Enabled by new OS primitive: access control gadgets (must protect from malicious apps). Recent work: ACGs without OS support. Application-agnostic, improves security and matches user expectations. 10/20/2016 II. Modern OSes: Permission Granting 50

Outline I. The Web: Third-Party Tracking II. Modern OSes: Permission Granting III. Conclusion 10/20/2016 Franziska Roesner 51

Research Overview: Improving Security & Privacy franzi@cs.washington.edu Thanks to many collaborators! Analyze existing systems: Web [NSDI 12, USENIX Security 16], Automobiles [IEEE S&P 10, USENIX Security 11], QR Codes [MobiSys 15] Build new systems: OS, Web, Smartphones [IEEE S&P 12, CCS 16], UI Toolkits [UIST 12, USENIX Seccurity 13], Usable encrypted email [EuroS&P 16] Understand mental models: Permissions, Journalists [USENIX Security 15, PETS 16], Snapchat [FC 14], Dev. world [ICTD 16, DEV 16] Anticipate future technologies: Robots [HRI 15], Wearables, Augmented reality [HotOS 13, CACM 14, CCS 14, HotMobile 16] 10/20/2016 Franziska Roesner 52

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback