Context-centric Security

Users today are unable to use the rich collection of third-party untrusted applications without risking significant privacy leaks. In this paper, we argue that current and proposed application- and data-centric security policies do not map well to users' expectations of privacy. In the eyes of a user, applications and peripheral devices exist merely to provide functionality and should have no place in controlling privacy. Moreover, most users cannot handle intricate security policies dealing with system concepts such as labeling of data, application permissions and virtual machines. Not only are current policies impenetrable to most users, they also lead to security problems such as privilege-escalation attacks and implicit information leaks. Our key insight is that users naturally associate data with real-world events, and want to control access at the level of human contacts. We introduce Bubbles, a context-centric security system that explicitly captures users' privacy desires by allowing human contact lists to control access to data clustered by real-world events. Bubbles infers information-flow rules from these simple context-centric access-control rules to enable secure use of untrusted applications on users' data. We also introduce a new programming model for untrusted applications that allows them to be functional while still upholding the users' privacy policies. We evaluate the model's usability by porting an existing medical application and writing a calendar app from scratch. Finally, we show the design of our system prototype running on Android that uses bubbles to automatically infer all dangerous permissions without any user intervention. Bubbles prevents Android-style permission escalation attacks without requiring users to specify complex information flow rules.
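The following Python sketch is an added illustration of the abstract's key insight, not code from the Bubbles paper: each bubble is a real-world event with a human contact list, and an information-flow rule is derived from those lists under the assumption (ours, since the abstract does not state the paper's actual inference rule) that data may move from one bubble to another only when no contact who could not already read it gains access. Bubble names, contacts and the note are constructed sample values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Bubble:
    """A real-world event and the human contacts allowed to see its data."""
    name: str
    contacts: frozenset


@dataclass(frozen=True)
class Item:
    """A piece of user data clustered into exactly one bubble."""
    bubble: str
    payload: str


class BubblePolicy:
    def __init__(self, bubbles):
        self.bubbles = {b.name: b for b in bubbles}

    def contact_may_read(self, contact, item):
        # The only rule the user writes: is this contact in the bubble?
        return contact in self.bubbles[item.bubble].contacts

    def flow_allowed(self, src, dst):
        # Inferred rule (an assumption, not taken from the paper): data may
        # move from bubble `src` to bubble `dst` only if everyone who can read
        # `dst` could already read `src`, so the flow adds no new reader.
        return self.bubbles[dst].contacts <= self.bubbles[src].contacts

    def exportable_to(self, src):
        # Every bubble an untrusted app holding `src` data may write into.
        return {name for name in self.bubbles if self.flow_allowed(src, name)}

    def copy_item(self, item, dst):
        # Mediated write: the app never decides, the inferred rule does.
        if not self.flow_allowed(item.bubble, dst):
            leaked_to = self.bubbles[dst].contacts - self.bubbles[item.bubble].contacts
            raise PermissionError(f"{item.bubble} -> {dst} would leak to {sorted(leaked_to)}")
        return Item(dst, item.payload)


# Constructed sample bubbles and data (hypothetical names, not from the paper).
POLICY = BubblePolicy([
    Bubble("clinic-visit", frozenset({"alice", "dr-bob"})),
    Bubble("family-dinner", frozenset({"alice", "carol", "dave"})),
    Bubble("alice-private", frozenset({"alice"})),
])
NOTE = Item("clinic-visit", "follow-up appointment on Tuesday")
```

An app running inside the clinic-visit bubble can file the note into Alice's private bubble, but a copy into the family-dinner bubble is refused because Carol and Dave would learn medical data no contact list ever granted them.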
