hails protecting data privacy in untrusted web
play

Hails: Protecting Data Privacy in Untrusted Web Applications Daniel - PowerPoint PPT Presentation

Aug 26, 2022 •165 likes •714 views

Hails: Protecting Data Privacy in Untrusted Web Applications Daniel B. Giffin, Amit Levy, Deian Stefan, David Terei, John Mitchell, David Mazires, and Alejandro Russo Web platforms are great ! They allow third-party developers to build apps

  1. Hails: Protecting Data Privacy in Untrusted Web Applications Daniel B. Giffin, Amit Levy, Deian Stefan, David Terei, John Mitchell, David Mazières, and Alejandro Russo

  2. Web platforms are great ! They allow third-party developers to build apps that use our personal data.

  3. Web platforms are scary ! They allow third-party developers to build apps that use our personal data.

  4. Trust concerns Don’t know the developers • ➤ Cannot determine trustworthiness of apps They may be malicious or security-unaware • Building secure web apps is hard • ➤ Even well-meaning authors cannot be trusted

  5. Typical App Design Jen’s Browser Use popular MVC paradigm Model: interface to data Controller View: renders pages Controller: handles and responds to HTTP requests View Model

  6. Typical App Design Jen’s How is security policy Browser specified and enforced? ➤ E.g., only Jen’s friends may Controller see her email address View Model

  7. Typical App Design Jen’s How is security policy Browser specified and enforced? ➤ E.g., only Jen’s friends may Controller see her email address Intertwined throughout code ➠ Error prone and not scalable View Model

  8. Platform solutions Can decide to give an app access to data, but can’t control how the app uses your data.

  9. Is there any hope for privacy on platforms?

  10. Change the hosting model Current model • ➤ App developers host their own apps ➤ Platform enforces security: terms of service New model • ➤ Platform provider hosts apps ➤ Platform enforces security: information flow control

  11. Hails: A web platform framework Security policy is explicit and first-class • ➤ Specified as single concise module Users still trust core platform components • Apps are untrusted • ➤ Language-level information flow control guarantees apps always obey policy

  12. What makes Hails different? Aeolus, HiStar, Nexus, Jif, Ur/Web, ... No guide for structuring applications • Policies are hard to write • Not appropriate for dynamic systems, e.g., web • Modify entire application stack •

  13. Goals Deployable today! • Usable by web developers • Suitable for building extensible web platforms • ➤ Enforcing policy across untrusted apps

  14. Adding Policy to MVC New paradigm: Model- Policy -View-Controller • Policy specified alongside data model • No policy code in View or Controller •

  15. Two categories of code Models-Polices (MPs) Views-Controllers (VCs) + + Implement UI and Specify data model other functionality and policy on data ➤ Users need not ➤ Users trust MPs they use to handle data trust VCs Policy enforced globally

  16. Information flow control Policy specifies where data can flow • ➤ Wrong: app can’t read Jen’s email address because it may leak it to Eve ➤ Right: app can read Jen’s email, but only reveal it to Jen, Alice or Bob Policy follows data through system • Runtime enforces policy end-to-end • ➤ E.g., when making HTTP request

  17. Case study: GitStar

  18. Case study: GitStar GitStar provides • ➤ MPs that specify projects and users ➤ VC for managing projects and users Third-party authors provide • ➤ Code viewer ➤ Wiki Untrusted VCs: ... ➤ Follower app PM CodeViewer Wiki ➤ etc. GitStar MPs +

  19. Model-Policy View-Controller + +

  20. Model-Policy (MP) Data model: document-oriented ➤ Collection: set of documents ➤ Document : set of field-value pairs users collection: Name Value Name Value Field Value user jen user jen user Jen email jen@ email jen@ email jen@aol.com friends [alice, bob, … ] friends [alice, bob, … ] friends [Alice, Bob]

  21. Model-Policy (MP) Data model: document-oriented ➤ Collection: set of documents ➤ Document : set of field-value pairs users collection: Name Value Name Value Field Value user jen user jen user Jen email jen@ email jen@ email jen@aol.com friends [alice, bob, … ] friends [alice, bob, … ] friends [Alice, Bob]

  22. Model-Policy (MP) Policy specifies restrictions on: • ➤ Collections , documents, fields ➤ E.g., only Jen may modify her profile ➤ E.g., only Jen and her friends may read her email address Policy composes • ➤ E.g., to read document you must be able to read the collection

  23. Example: Enforcing policy MP: • Field Value user Jen Policy: Only Jen, Alice email jen@aol.com and Bob can read friends [Alice, Bob] GitStar User MP + Eve’s untrusted address book VC: • AddrBook

  24. Example: Enforcing policy Eve’s spam Bob’s server Eve’s Browser server AddrBook GitStar User MP +

  25. Example: Enforcing policy Eve’s spam Bob’s server Eve’s Browser server AddrBook GitStar User MP +

  26. Example: Enforcing policy Eve’s spam Bob’s server Eve’s Browser server AddrBook Allow? GitStar User MP +

  27. Example: Enforcing policy Eve’s spam Bob’s server Eve’s Browser server AddrBook GitStar User MP +

  28. Example: Enforcing policy Eve’s spam Bob’s server Eve’s Browser server AddrBook findEmail users “user” “Jen” Allow? GitStar User MP +

  29. Example: Enforcing policy Eve’s spam Bob’s server Eve’s Browser server AddrBook findEmail users “user” “Jen” GitStar User MP +

  30. Example: Enforcing policy Eve’s spam Bob’s server Eve’s Browser server AddrBook Policy: Only Jen, Alice findEmail users “user” “Jen” and Bob can read Field Value user Jen GitStar User MP + email jen@aol.com friends [Alice, Bob]

  31. Example: Enforcing policy Eve’s spam Bob’s server Eve’s Browser server AddrBook Policy: Only Jen, Alice findEmail users “user” “Jen” and Bob can read jen@aol.com Field Value user Jen GitStar User MP + email jen@aol.com friends [Alice, Bob]

  32. Example: Enforcing policy Eve’s spam Bob’s server Eve’s Browser server Allow? jen@aol.com AddrBook Policy: Only Jen, Alice findEmail users “user” “Jen” and Bob can read jen@aol.com Field Value user Jen GitStar User MP + email jen@aol.com friends [Alice, Bob]

  33. Example: Enforcing policy Eve’s spam Bob’s server Eve’s Browser server AddrBook Policy: Only Jen, Alice findEmail users “user” “Jen” and Bob can read jen@aol.com Field Value user Jen GitStar User MP + email jen@aol.com friends [Alice, Bob]

  34. Example: Enforcing policy Eve’s spam Bob’s server Eve’s Browser server Allow? jen@aol.com AddrBook Policy: Only Jen, Alice findEmail users “user” “Jen” and Bob can read jen@aol.com Field Value user Jen GitStar User MP + email jen@aol.com friends [Alice, Bob]

  35. Example: Enforcing policy Eve’s spam Bob’s server Eve’s Browser server ✗ Allow? jen@aol.com AddrBook Policy: Only Jen, Alice findEmail users “user” “Jen” and Bob can read jen@aol.com Field Value user Jen GitStar User MP + email jen@aol.com friends [Alice, Bob]

  36. Policy specified in terms of data Web app data models already encode policy ➤ Ownership ➤ Relationships between users ➤ … Policy: Only user can modify Field Value user Jen Policy: Only user and email jen@aol.com friends can read friends [Alice, Bob]

  37. Example: Policy specification collection “users” $ do access $ do readers ==> anybody writers ==> anybody field “user” key document $ λ doc -> do readers ==> anybody writers ==> (“user” `from` doc) field “email” $ labeled $ λ doc -> do readers ==> (“user” `from` doc) ⋁ fromList (“friends” `from` doc) writers ==> anybody

  38. Example: Policy specification collection “users” $ do access $ do Collection is public readers ==> anybody writers ==> anybody field “user” key document $ λ doc -> do readers ==> anybody writers ==> (“user” `from` doc) field “email” $ labeled $ λ doc -> do readers ==> (“user” `from` doc) ⋁ fromList (“friends” `from` doc) writers ==> anybody

  39. Example: Policy specification collection “users” $ do access $ do readers ==> anybody writers ==> anybody field “user” key document $ λ doc -> do readers ==> anybody writers ==> (“user” `from` doc) field “email” $ labeled $ λ doc -> do readers ==> (“user” `from` doc) ⋁ fromList (“friends” `from` doc) writers ==> anybody

  40. Example: Policy specification collection “users” $ do access $ do readers ==> anybody writers ==> anybody Index documents by field “user” key user names document $ λ doc -> do readers ==> anybody writers ==> (“user” `from` doc) field “email” $ labeled $ λ doc -> do readers ==> (“user” `from` doc) ⋁ fromList (“friends” `from` doc) writers ==> anybody

  41. Example: Policy specification collection “users” $ do access $ do readers ==> anybody writers ==> anybody field “user” key document $ λ doc -> do readers ==> anybody writers ==> (“user” `from` doc) field “email” $ labeled $ λ doc -> do readers ==> (“user” `from` doc) ⋁ fromList (“friends” `from` doc) writers ==> anybody

Recommend

Protecting Data in Untrusted Locations An exercise in Real World threat modeling. Jan

Protecting Data in Untrusted Locations An exercise in Real World threat modeling. Jan

Protecting Data in Untrusted Locations An exercise in Real World threat modeling. Jan Schaumann 99CE 1DC7 770A C5A8 09A6 @jschauma 0DCD 66CE 4FE9 6F6B D3D7 Me. Errday. Obligatory James Mickens This World of Ours reference.

714 views • 40 slides
Privacy & Security Matters: Privacy & Security Matters: Protecting Personal Data

Privacy & Security Matters: Privacy & Security Matters: Protecting Personal Data

Privacy & Security Matters: Privacy & Security Matters: Protecting Personal Data Protecting Personal Data Privacy & Security Project HIPAA: What it is Health Insurance Portability and Accountability Act of 1996 Also known as

445 views • 26 slides
#MicroFocusCyberSummit Cloud-based Data Privacy and Protection Protecting data and privacy

#MicroFocusCyberSummit Cloud-based Data Privacy and Protection Protecting data and privacy

#MicroFocusCyberSummit Cloud-based Data Privacy and Protection Protecting data and privacy across hybrid IT Farshad Ghazi - Moderator Mat Spitz Lacy Gruen #MicroFocusCyberSummit Reiner Kappenberger Cloud-based Data Privacy and Protection:

455 views • 10 slides
EU Art.29 Data Protection Users care about privacy Working Party From: Special Eurobarometer

EU Art.29 Data Protection Users care about privacy Working Party From: Special Eurobarometer

28/05/15 Outline Data privacy and the evolving regulation Privacy threats from LBS to geoSN EveryWare Lab Main (location) privacy protection techniques Data Management for Mobile Protecting geo-tagged resource publication

411 views • 7 slides
The Price of Privacy In Untrusted Recommendation Engines Siddhartha Banerjee, Nidhi Hegde &

The Price of Privacy In Untrusted Recommendation Engines Siddhartha Banerjee, Nidhi Hegde &

The Price of Privacy In Untrusted Recommendation Engines Siddhartha Banerjee, Nidhi Hegde & Laurent Massouli UT Austin Technicolor Privacy efficiency trade-offs q Google & FaceBook track online browsing behaviour q Apple

610 views • 27 slides
protecting privacy ( By L.Sweeney ) Presented by : Navreet Kaur ROADMAP Data sharing and data

protecting privacy ( By L.Sweeney ) Presented by : Navreet Kaur ROADMAP Data sharing and data

k-ANONYMITY: A model for protecting privacy ( By L.Sweeney ) Presented by : Navreet Kaur ROADMAP Data sharing and data privacy Related background work k-anonymity model Possible attacks against k-Anonymity Weaknesses of

575 views • 28 slides
Data confidentiality Protecting privacy in medical research Henk Jan van der Wijk Leiden

Data confidentiality Protecting privacy in medical research Henk Jan van der Wijk Leiden

Data confidentiality Protecting privacy in medical research Henk Jan van der Wijk Leiden University Medical Center (LUMC) Tuesday 1st April 2014 from 11.30 12.00 #EBMT2014 www.ebmt.org Data confidentiality requested topics Explanation

512 views • 20 slides
SafeVanish: An Improved Data Self-Destruction for Protecting Data Privacy Lingfang Zeng, Zhan

SafeVanish: An Improved Data Self-Destruction for Protecting Data Privacy Lingfang Zeng, Zhan

CloudCom, Dec 3, 2010 SafeVanish: An Improved Data Self-Destruction for Protecting Data Privacy Lingfang Zeng, Zhan Shi, Shengjie Xu, Dan Feng School of Computer Science and Technology, Huazhong University of Science and Technology

269 views • 13 slides
Protecting the Privacy of Healthcare Data While Preserving the Utility of Geographic Location

Protecting the Privacy of Healthcare Data While Preserving the Utility of Geographic Location

Protecting the Privacy of Healthcare Data While Preserving the Utility of Geographic Location Information for Epidemiologic Research Daniel C. Barth-Jones, M.P.H., Ph.D. Center for Healthcare Effectiveness Research Wayne State University (

652 views • 61 slides
Balancing Privacy and Safety: Protecting Driver Identity in Naturalistic Driving Video Data

Balancing Privacy and Safety: Protecting Driver Identity in Naturalistic Driving Video Data

Balancing Privacy and Safety: Protecting Driver Identity in Naturalistic Driving Video Data Sujitha Martin, Ashish Tawari and Mohan M. Trivedi Laboratory of Intelligent and Safe Automobiles September 19 th , 2014 1 2 Question: Can you tell

705 views • 21 slides
Voice-Indistinguishability Protecting Voiceprint in Privacy-Preserving Speech Data Release

Voice-Indistinguishability Protecting Voiceprint in Privacy-Preserving Speech Data Release

Voice-Indistinguishability Protecting Voiceprint in Privacy-Preserving Speech Data Release Yaowei Han, Sheng Li, Yang Cao, Qiang Ma, Masatoshi Yoshikawa Department of Social Informatics, Kyoto University, Kyoto, Japan 1 National Institute of

611 views • 27 slides
Privacy, Economics, and Immediate Gratification: Why Protecting Privacy is Easy, But Selling It

Privacy, Economics, and Immediate Gratification: Why Protecting Privacy is Easy, But Selling It

Privacy, Economics, and Immediate Gratification: Why Protecting Privacy is Easy, But Selling It is Not Alessandro Acquisti Heinz School, Carnegie Mellon University PGuardian Technologies, Inc. acquisti@andrew.cmu.edu Why do we have great

1.13k views • 73 slides
Protecting Privacy in Connected Learning Linnette Attai Project Director, CoSN Protecting

Protecting Privacy in Connected Learning Linnette Attai Project Director, CoSN Protecting

Protecting Privacy in Connected Learning Linnette Attai Project Director, CoSN Protecting Privacy in Connected Learning and Trusted Learning Environment Programs Transforming Education Through Visionary Technology Leadership About CoSN:

640 views • 49 slides
Social Networking with Frientegrity: Privacy and Integrity with an Untrusted Provider Ariel

Social Networking with Frientegrity: Privacy and Integrity with an Untrusted Provider Ariel

Social Networking with Frientegrity: Privacy and Integrity with an Untrusted Provider Ariel J. Feldman Princeton UPenn Joint work with: Aaron Blankstein, Michael J. Freedman, and Edward W. Felten Social Networking with

661 views • 27 slides
ShareRoot Annual General Meeting 30 October 2018 1 Protecting Consumer Data and Privacy

ShareRoot Annual General Meeting 30 October 2018 1 Protecting Consumer Data and Privacy

ShareRoot Annual General Meeting 30 October 2018 1 Protecting Consumer Data and Privacy Company Revenue Streams Three revenue generating streams Strategic Growth GDPR (and international Marketing agency with a focus The first of its

318 views • 15 slides
Protecting Personally Identifiable Information (PII) Privacy Act Training for Housing Counselors

Protecting Personally Identifiable Information (PII) Privacy Act Training for Housing Counselors

Protecting Personally Identifiable Information (PII) Privacy Act Training for Housing Counselors Presented by the Office of Housing Counseling and The Office of the Chief Information Officer Privacy Program August 12, 2014 1 Protecting

590 views • 43 slides
Adversary for Social Good: Protecting Familial Privacy through Joint Adversarial Attacks Chetan

Adversary for Social Good: Protecting Familial Privacy through Joint Adversarial Attacks Chetan

Adversary for Social Good: Protecting Familial Privacy through Joint Adversarial Attacks Chetan Kumar, Riazat Ryan, Ming Shao Department of Computer and Information Science, University of Massachusetts, Dartmouth Data Leakage: Limited time

294 views • 27 slides
Protecting Privacy by Spying on Users Andrew Patrick & Information Security Group (Larry

Protecting Privacy by Spying on Users Andrew Patrick & Information Security Group (Larry

Protecting Privacy by Spying on Users Andrew Patrick & Information Security Group (Larry Korba, Ronggong Song, George Yee, Scott Buffett, Yunli Wang, Liqiang Geng, Steve Marsh, Hongyu Liu) 1 data breaches caused by laptop theft, hacks 2

512 views • 26 slides
Protecting the Privacy of Investors: An Overview of the Regulatory Framework & Tips on

Protecting the Privacy of Investors: An Overview of the Regulatory Framework & Tips on

Protecting the Privacy of Investors: An Overview of the Regulatory Framework & Tips on Avoiding Threats May 28, 2015 Malcolm Townsend, IT Research Analyst Overview Background Trends Threat landscape Privacy regulatory

102 views • 8 slides
1 Attacks on randomization - Error repeating the question An attack:

1 Attacks on randomization - Error repeating the question An attack:

Context: Theory of variable privacy Theory of security allows binary choice for data revelation: Bob is trusted/untrusted The channel coding theorem and the If he is trusted, data is revealed to him using a perfect protocol

400 views • 5 slides
Compliance Workshop Privacy & Security Protecting Personal Information & SNAP Program

Compliance Workshop Privacy & Security Protecting Personal Information & SNAP Program

3/27/2015 Compliance Workshop Privacy & Security Protecting Personal Information & SNAP Program Considerations August 14, 2014 Presentation by: Jennifer L. Cox, J.D. Cox & Osowiecki, LLC Hartford, Connecticut 1 Todays Privacy &

475 views • 24 slides
Alternative Titles: What are the practical implications of the HIPAA privacy rules for

Alternative Titles: What are the practical implications of the HIPAA privacy rules for

Protecting the Privacy of Healthcare Data While Preserving the Utility of Geographic Location Information for Epidemiologic Research Daniel C. Barth-Jones, M.P.H., Ph.D. Center for Healthcare Effectiveness Research Wayne State University (

448 views • 31 slides
K-anonymous algorithm in protecting privacy in social communication networks Jiacheng Wang

K-anonymous algorithm in protecting privacy in social communication networks Jiacheng Wang

K-anonymous algorithm in protecting privacy in social communication networks Jiacheng Wang 515030910412 ABSTRACT The rapid development of social communication network has increased the risk in privacy protection, the association between people has

385 views • 4 slides
Preserving the Privacy of Sensitive Relationships in Graph Data Motivation Valuable Data! No

Preserving the Privacy of Sensitive Relationships in Graph Data Motivation Valuable Data! No

Preserving the Privacy of Sensitive Relationships in Graph Data Motivation Valuable Data! No privacy breaches! Public Data Anonymization Data representation? Privacy breach? Value of data? Data publisher Privacy Analyst Work by: Elena

80 views • 3 slides

More recommend