<?xml version="1.0" encoding="utf-8" ?>
<rss version="2.0">
<channel>
<title>CyLab</title>
<copyright>Copyright (c) 2013 Carnegie Mellon University All rights reserved.</copyright>
<link>http://repository.cmu.edu/cylab</link>
<description>Recent documents in CyLab</description>
<language>en-us</language>
<lastBuildDate>Wed, 12 Jun 2013 13:06:24 PDT</lastBuildDate>
<ttl>3600</ttl>








<item>
<title>Transparent Key Integrity (TKI): A Proposal for a Public-Key Validation Infrastructure (CMU-CyLab-12-016)</title>
<link>http://repository.cmu.edu/cylab/116</link>
<guid isPermaLink="true">http://repository.cmu.edu/cylab/116</guid>
<pubDate>Tue, 12 Mar 2013 11:08:32 PDT</pubDate>
<description>
	<![CDATA[
	<p>Recent trends in public-key infrastructure research explore the tradeoff between decreased trust in certificate authorities (CAs), the level of security achieved, the communication overhead (bandwidth and latency) for setting up a secure connection (e.g., verified via SSL/TLS), and the availability with respect to verifiability of public key information. In this paper, we propose TKI as a new public-key validation infrastructure, where we reduce the level of trust in any CA and increase the security by achieving increased robustness in the case of CA key compromise. Compared to other proposals, we reduce the communication overhead associated with certificate validation during the existing SSL/TLS connection handshake and provide site owners with an optional time window to review potentially malicious key changes. Our design deters CA misbehavior by using a public log that records all certificate events, thereby enabling CAs' accountability for their actions. TKI will help reduce the trust in the hundreds of currently trusted CAs, reduce exposure to CA compromise, and enhance the security of SSL/TLS connection establishment.</p>

	]]>
</description>

<author>Tiffany Hyun-Jin Kim et al.</author>


</item>






<item>
<title>Audit Games (CMU-CyLab-13-004)</title>
<link>http://repository.cmu.edu/cylab/115</link>
<guid isPermaLink="true">http://repository.cmu.edu/cylab/115</guid>
<pubDate>Mon, 04 Mar 2013 12:02:50 PST</pubDate>
<description>
	<![CDATA[
	<p>Effective enforcement of laws and policies requires expending resources to prevent and detect offenders, as well as appropriate punishment schemes to deter violators. In particular, enforcement of privacy laws and policies in modern organizations that hold large volumes of personal information (e.g., hospitals, banks, and Web services providers) relies heavily on internal audit mechanisms. We study economic considerations in the design of these mechanisms, focusing in particular on effective resource allocation and appropriate punishment schemes. We present an audit game model that is a natural generalization of a standard security game model for resource allocation with an additional punishment parameter. Computing the Stackelberg equilibrium for this game is challenging because it involves solving an optimization problem with non-convex quadratic constraints. We present an additive FPTAS that efficiently computes a solution that is arbitrarily close to the optimal solution.</p>

	]]>
</description>

<author>Jeremiah Blocki et al.</author>


</item>






<item>
<title>Privacy as Part of the App Decision-Making Process (CMU-CyLab-13-003)</title>
<link>http://repository.cmu.edu/cylab/114</link>
<guid isPermaLink="true">http://repository.cmu.edu/cylab/114</guid>
<pubDate>Wed, 06 Feb 2013 14:40:58 PST</pubDate>
<description>
	<![CDATA[
	<p>Smartphones have unprecedented access to sensitive personal information. While users report having privacy concerns, they may not actively consider privacy while downloading apps from smartphone application marketplaces. Currently, Android users have only the Android permissions display, which appears after they have selected an app to download, to help them understand how applications access their information. We investigate how permissions and privacy could play a more active role in app-selection decisions. We designed a short "Privacy Facts" display, which we tested in a 20-participant lab study and a 366-participant online experiment. We found that by bringing privacy information to the user when they were making the decision and by presenting it in a clearer fashion, we could assist users in choosing applications that request fewer permissions.</p>

	]]>
</description>

<author>Patrick Gage Kelley et al.</author>


</item>






<item>
<title>Warning Design Guidelines (CMU-CyLab-13-002)</title>
<link>http://repository.cmu.edu/cylab/113</link>
<guid isPermaLink="true">http://repository.cmu.edu/cylab/113</guid>
<pubDate>Tue, 05 Feb 2013 13:47:18 PST</pubDate>
<description>
	<![CDATA[
	<p>This document contains a set of guidelines aimed at helping software designers and developers in designing more effective warning dialogs. These guidelines were compiled from available literature on usable security and warnings research and from Human Interface Guidelines for three broadly used operating systems: Windows, MacOS, and Linux.</p>

	]]>
</description>

<author>Lujo Bauer et al.</author>


</item>






<item>
<title>RelationGrams: Tie-Strength Visualization for User-Controlled Online Identity Authentication (CMU-CyLab-11-014)</title>
<link>http://repository.cmu.edu/cylab/112</link>
<guid isPermaLink="true">http://repository.cmu.edu/cylab/112</guid>
<pubDate>Mon, 21 Jan 2013 11:03:02 PST</pubDate>
<description>
	<![CDATA[
	<p>Users experience a crisis of confidence for online activities in the current Internet. Unfortunately, the symptom of this crisis of confidence manifests itself through online attacks, where adversaries con users to extract money or valuable sensitive information. Instead of addressing the symptom, we investigate how to address the underlying cause, which is that the absence of humanly verifiable information for online entities prevents user authentication.</p>
<p>As an initial step in this endeavor, we consider the specific problem of how users can securely authenticate online identities (e.g., associate a Facebook ID with its owner). Based on prior social science research demonstrating that the strength of social ties is a useful indicator of trust in many real-world relationships, we explore how tie strength can be visualized using well-defined and measurable parameters. We then apply the visualization in the context of online friend invitations and propose a protocol for secure online identity authentication. We analyze the robustness of the protocol against adversaries who attempt to establish fraudulent online identities, and evaluate the usability in an actual implementation on a popular online social network (i.e., Facebook). We find that a tie-strength visualization is a useful primitive for online identity authentication.</p>

	]]>
</description>

<author>Tiffany Hyun-Jin Kim et al.</author>


</item>






<item>
<title>Run-Time Enforcement of Information-Flow Properties on Android (CMU-CyLab-12-015)</title>
<link>http://repository.cmu.edu/cylab/111</link>
<guid isPermaLink="true">http://repository.cmu.edu/cylab/111</guid>
<pubDate>Fri, 07 Dec 2012 13:44:02 PST</pubDate>
<description>
	<![CDATA[
	<p>Recent years have seen a dramatic increase in the number and importance in daily life of smartphones and similar mobile devices. The security properties that these devices provide to their applications, however, are inadequate to protect against many undesired behaviors. A broad class of such behaviors is violations of simple information-flow properties.</p>
<p>This paper proposes an enforcement system that permits Android applications to be concisely annotated with information-flow policies, which the system enforces at run time. Information-flow constraints are enforced both between applications and between components within applications, aiding developers in implementing least privilege. We develop a detailed model of our enforcement system using a process calculus, and use the model to prove noninterference. Our system and model have a number of useful or novel features, including support for Android’s single- and multiple-instance components, floating labels, declassification and endorsement capabilities, and support for legacy applications. Our system design fits the Android programming model and runtime cleanly enough that we have developed a fully functional prototype on Android 4.0.4. We have tested our prototype on a Nexus S phone, verifying that it can enforce practically useful policies that can be implemented with minimal modification to off-the-shelf applications.</p>

	]]>
</description>

<author>Jassim Aljuraidan et al.</author>


</item>






<item>
<title>QRishing: The Susceptibility of Smartphone Users to QR Code Phishing Attacks (CMU-CyLab-12-022)</title>
<link>http://repository.cmu.edu/cylab/110</link>
<guid isPermaLink="true">http://repository.cmu.edu/cylab/110</guid>
<pubDate>Tue, 06 Nov 2012 06:44:53 PST</pubDate>
<description>
	<![CDATA[
	<p>The matrix barcodes known as Quick Response (QR) codes are rapidly becoming pervasive in urban environments around the world. QR codes are used to represent data, such as a web address, in a compact form that can be readily scanned and parsed by consumer mobile devices. They are popular with marketers because of their ease in deployment and use. However, this technology encourages mobile users to scan unauthenticated data from posters, billboards, stickers, and more, providing a new attack vector for miscreants. By positioning QR codes under false pretenses, attackers can entice users to scan the codes and subsequently visit malicious websites, install programs, or any other action the mobile device supports. We investigated the viability of QR-code-initiated phishing attacks, or QRishing, by conducting two experiments. In one experiment we visually monitored user interactions with QR codes; primarily to observe the proportion of users who scan a QR code but elect not to visit the associated website. In a second experiment, we distributed posters containing QR codes across 139 different locations to observe the broader application of QR codes for phishing. Over our four-week study, our disingenuous flyers were scanned by 225 individuals who subsequently visited the associated websites. Our survey results suggest that curiosity is the largest motivating factor for scanning QR codes. In our small surveillance experiment, we observed that 85% of those who scanned a QR code subsequently visited the associated URL.</p>

	]]>
</description>

<author>Tim Vidas et al.</author>


</item>






<item>
<title>Audit Mechanisms for Provable Risk Management and Accountable Data Governance (CMU-CyLab-12-020)</title>
<link>http://repository.cmu.edu/cylab/109</link>
<guid isPermaLink="true">http://repository.cmu.edu/cylab/109</guid>
<pubDate>Wed, 05 Sep 2012 14:22:49 PDT</pubDate>
<description>
	<![CDATA[
	<p>Organizations that collect and use large volumes of personal information are expected under the principle of accountable data governance to take measures to protect data subjects from risks that arise from inappropriate uses of this information. In this paper, we focus on a specific class of mechanisms—audits to identify policy violators coupled with punishments—that organizations such as hospitals, financial institutions, and Web services companies may adopt to protect data subjects from privacy and security risks stemming from inappropriate information use by insiders. We model the interaction between the organization (defender) and an insider (adversary) during the audit process as a repeated game. We then present an audit strategy for the defender. The strategy requires the defender to commit to its action and when paired with the adversary’s best response to it, provably yields an asymmetric subgame perfect equilibrium. We then present two mechanisms for allocating the total audit budget for inspections across all games the organization plays with different insiders. The first mechanism allocates budget to maximize the utility of the organization. Observing that this mechanism protects the organization’s interests but may not protect data subjects, we introduce an accountable data governance property, which requires the organization to conduct thorough audits and impose punishments on violators. The second mechanism we present achieves this property. We provide evidence that a number of parameters in the game model can be estimated from prior empirical studies and suggest specific studies that can help estimate other parameters.
Finally, we use our model to predict observed practices in industry (e.g., differences in punishment rates of doctors and nurses for the same violation) and the effectiveness of policy interventions (e.g., data breach notification laws and government audits) in encouraging organizations to adopt accountable data governance practices.</p>

	]]>
</description>

<author>Jeremiah Blocki et al.</author>


</item>






<item>
<title>Sweetening Android Lemon Markets: Measuring and Curbing Malware in Application Marketplaces (CMU-CyLab-11-012)</title>
<link>http://repository.cmu.edu/cylab/108</link>
<guid isPermaLink="true">http://repository.cmu.edu/cylab/108</guid>
<pubDate>Tue, 31 Jul 2012 13:55:34 PDT</pubDate>
<description>
	<![CDATA[
	<p>Application marketplaces are the main software distribution mechanism for modern mobile devices but are also emerging as a viable alternative to brick-and-mortar stores for personal computers. While most application marketplaces require applications to be cryptographically signed by their developers, in Android marketplaces, self-signed certificates are common, thereby offering very limited authentication properties. As a result, there have been reports of malware being distributed through application "repackaging." We provide a quantitative assessment of this phenomenon by collecting 41,057 applications from 194 alternative Android application markets in October 2011, in addition to a sample of 35,423 applications from the official Google Android Market. We observe that certain alternative markets almost exclusively distribute repackaged applications containing malware. To remedy this situation we propose a simple verification protocol, and discuss a proof-of-concept implementation, AppIntegrity. AppIntegrity strengthens the authentication properties offered in application marketplaces, thereby making it more difficult for miscreants to repackage apps, while presenting very little computational or communication overhead, and being deployable without requiring significant changes to the Android platform.</p>

	]]>
</description>

<author>Tim Vidas et al.</author>


</item>






<item>
<title>Traveling the Silk Road: A measurement analysis of a large anonymous online marketplace (CMU-CyLab-12-018)</title>
<link>http://repository.cmu.edu/cylab/107</link>
<guid isPermaLink="true">http://repository.cmu.edu/cylab/107</guid>
<pubDate>Tue, 31 Jul 2012 13:19:44 PDT</pubDate>
<description>
	<![CDATA[
	<p>We perform a comprehensive measurement analysis of Silk Road, an anonymous, international online marketplace that operates as a Tor hidden service and uses Bitcoin as its exchange currency. We gather and analyze data over eight months between the end of 2011 and 2012, including daily crawls of the marketplace for nearly six months in 2012. We obtain a detailed picture of the type of goods being sold on Silk Road, and of the revenues made both by sellers and Silk Road operators. Through examining over 24,400 separate items sold on the site, we show that Silk Road is overwhelmingly used as a market for controlled substances and narcotics. A relatively small “core” of about 60 sellers has been present throughout our measurement interval, while the majority of sellers leaves (or goes “underground”) within a couple of weeks of their first appearance. We evaluate the total revenue made by all sellers to approximately USD 1.9 million per month; this corresponds to about USD 143,000 per month in commissions perceived by the Silk Road operators. We further show that the marketplace has been operating steadily, with daily sales and number of sellers overall increasing over the past few months. We discuss economic and policy implications of our analysis and results, including ethical considerations for future research in this area.</p>

	]]>
</description>

<author>Nicolas Christin</author>


</item>






<item>
<title>Design, Development and Automated Verification of an Integrity-Protected Hypervisor (CMU-CyLab-12-017)</title>
<link>http://repository.cmu.edu/cylab/106</link>
<guid isPermaLink="true">http://repository.cmu.edu/cylab/106</guid>
<pubDate>Wed, 18 Jul 2012 06:54:21 PDT</pubDate>
<description>
	<![CDATA[
	<p>Hypervisors are a popular mechanism for implementing software virtualization. Since hypervisors execute at a very high privilege level, they must be secure. A fundamental security property of a hypervisor is memory integrity – the hypervisor’s memory must not be modified by software running at a lower privilege level. In this paper, we present a methodology – called DRIVE – for designing, developing, and verifying hypervisors to ensure memory integrity. DRIVE combines the power of architectural constraints (captured by a set of system properties and verification conditions) with that of formal analysis (used to discharge the verification conditions). We prove that any hypervisor satisfying the DRIVE properties and verification conditions has memory integrity. We validate DRIVE by using it to develop a hypervisor called XMHF for multi-core systems. In particular, we show how to ensure the DRIVE properties in XMHF by combining hardware virtualization support with design and development decisions. We also show how to discharge the DRIVE verification conditions on XMHF using the CBMC model checker. CBMC verified XMHF’s implementation – about 4700 lines of C code – in about 80 seconds using less than 2GB of RAM.</p>

	]]>
</description>

<author>Sagar Chaki et al.</author>


</item>






<item>
<title>&quot;It’s an app. It’s a hypervisor. It’s a hypapp.&quot;: Design and Implementation of an eXtensible and Modular Hypervisor Framework (CMU-CyLab-12-014)</title>
<link>http://repository.cmu.edu/cylab/105</link>
<guid isPermaLink="true">http://repository.cmu.edu/cylab/105</guid>
<pubDate>Wed, 27 Jun 2012 11:03:36 PDT</pubDate>
<description>
	<![CDATA[
	<p>This paper presents our efforts in developing XMHF, an eXtensible and Modular Hypervisor Framework. XMHF takes a developer-centric approach to hypervisor design and implementation, and strives to be a comprehensible and flexible platform for performing hypervisor research and development. XMHF encapsulates common hypervisor core functionality in a framework that allows others to build custom hypervisor-based solutions (called "hypapps") while freeing them from a considerable amount of wheel-reinventing that is often associated with such efforts. We are encouraged by the end result – a clean, barebones hypervisor framework with desirable performance characteristics and an architecture amenable to formal analysis.</p>

	]]>
</description>

<author>Amit Vasudevan et al.</author>


</item>






<item>
<title>Sanctuary Trail: Refuge from Internet DDoS Entrapment (CMU-CyLab-12-013)</title>
<link>http://repository.cmu.edu/cylab/104</link>
<guid isPermaLink="true">http://repository.cmu.edu/cylab/104</guid>
<pubDate>Thu, 07 Jun 2012 13:16:16 PDT</pubDate>
<description>
	<![CDATA[
	<p>We propose STRIDE, a new Internet architecture that provides strong DDoS defense mechanisms for both public services and private end-to-end communication. This new architecture presents several novel concepts including long-term static paths, bandwidth allocation through a top-down topology discovery protocol, dynamic bandwidth allocation via network capabilities, and differentiated packet prioritization. In concert, these mechanisms provide 1) a strong static class bandwidth guarantee, 2) strongly guaranteed capability establishment for private end-to-end communication, and a linear waiting time guarantee in the number of malicious source domains for capability establishment for public services, and 3) globally fair bandwidth allocation for capability-protected flows. STRIDE addresses the denial-of-capability problem and defends against a Coremelt attack by preventing a botnet from crowding out other flows on bottleneck network links. We demonstrate these properties through formal analysis and simulation.</p>

	]]>
</description>

<author>Hsu-Chun Hsiao et al.</author>


</item>






<item>
<title>Auditing Rational Adversaries to Provably Manage Risks (CMU-CyLab-12-011)</title>
<link>http://repository.cmu.edu/cylab/103</link>
<guid isPermaLink="true">http://repository.cmu.edu/cylab/103</guid>
<pubDate>Wed, 23 May 2012 13:56:21 PDT</pubDate>
<description>
	<![CDATA[
	<p>Audits to detect policy violations coupled with punishments are essential to manage risks stemming from inappropriate information use by authorized insiders in organizations that handle large volumes of personal information (e.g., in healthcare, finance, Web services sectors). Our main result is an audit mechanism that effectively manages organizational risks by balancing the cost of audit and punishment against the expected loss from policy violations. We model the interaction between an organization (defender) and an employee (adversary) as a suitable repeated game. We assume that the defender is fully rational and the adversary is near-rational (i.e., acts rationally with high probability and in a byzantine manner otherwise). The mechanism prescribes a strategy for the defender that when paired with the adversary’s best response to it yields an asymmetric subgame perfect equilibrium. This equilibrium concept, which we define, implies that the defender’s strategy is approximately optimal (she might only gain a small bounded amount of utility by deviating) while the adversary does not gain at all from deviating from her best response strategy. We provide evidence that a number of parameters in the game model can be estimated from prior empirical studies, suggest specific studies that can help estimate other parameters, and design a learning algorithm that the defender can use to provably learn the adversary’s private incentives. Finally, we use our model to predict observed practices in industry (e.g., differences in punishment rates of doctors and nurses for the same violation) and the effectiveness of policy interventions (e.g., data breach notification laws and government audits) in encouraging organizations to conduct more thorough audits.</p>

	]]>
</description>

<author>Jeremiah Blocki et al.</author>


</item>






<item>
<title>Enforcing More with Less: Formalizing Target-aware Run-time Monitors (CMU-CyLab-12-009)</title>
<link>http://repository.cmu.edu/cylab/102</link>
<guid isPermaLink="true">http://repository.cmu.edu/cylab/102</guid>
<pubDate>Thu, 03 May 2012 07:30:53 PDT</pubDate>
<description>
	<![CDATA[
	<p>Run-time monitors ensure that untrusted software and system behavior adheres to a security policy. This paper defines an expressive formal framework, based on I/O automata, for modeling systems, policies, and run-time monitors in more detail than is typical. We explicitly model, for example, the environment, applications, and the interaction between them and monitors. The fidelity afforded by this framework allows us to study and explicitly formulate practical constraints on policy enforcement that were often only implicit in previous models, providing a more accurate view of what can be enforced by monitoring in practice. Moreover, we introduce two definitions of enforcement, target specific and generalized, that allow us to reason about practical monitoring scenarios. Finally, we provide some meta-theoretical comparison of these definitions and we apply them to investigate policy enforcement in scenarios where the monitor designer has knowledge of the target application and show how this can be exploited for making more efficient design choices.</p>

	]]>
</description>

<author>Yannis Mallios et al.</author>


</item>






<item>
<title>Smart, Useful, Scary, Creepy: Perceptions of Online Behavioral Advertising (CMU-CyLab-12-007)</title>
<link>http://repository.cmu.edu/cylab/101</link>
<guid isPermaLink="true">http://repository.cmu.edu/cylab/101</guid>
<pubDate>Mon, 02 Apr 2012 08:07:30 PDT</pubDate>
<description>
	<![CDATA[
	<p>We report results of 48 semi-structured interviews about online behavioral advertising (OBA). We investigate non-technical users' attitudes about OBA, then explain these attitudes by delving into users' understanding of its practice. Participants were surprised that their browsing history is currently used to tailor advertisements. They were unable to determine accurately what information is collected during OBA, assuming that advertisers collect more information than they actually do. Participants also misunderstood the role of advertising networks, basing their opinions of an advertising company on that company’s non-advertising activities. Furthermore, participants were unfamiliar with advertising industry icons intended to notify them when ads are behaviorally targeted, often believing that these icons were intended for advertisers, not for users. While many participants felt tailored advertising could benefit them, existing notice and choice mechanisms are not effectively reaching users. Our results suggest new directions both for providing users with effective notice about OBA and for the design of usable privacy tools that help consumers express their preferences about online behavioral advertising.</p>

	]]>
</description>

<author>Blase Ur et al.</author>


</item>






<item>
<title>What Do Online Behavioral Advertising Disclosures Communicate to Users? (CMU-CyLab-12-008)</title>
<link>http://repository.cmu.edu/cylab/100</link>
<guid isPermaLink="true">http://repository.cmu.edu/cylab/100</guid>
<pubDate>Mon, 02 Apr 2012 08:07:28 PDT</pubDate>
<description>
	<![CDATA[
	<p>Online Behavioral Advertising (OBA) is the practice of tailoring ads based on an individual's online activities. We conducted a 1,505-participant online study to investigate Internet users' perceptions of OBA disclosures while performing an online task. We tested icons, accompanying taglines, and landing pages intended to inform users about OBA and provide opt-out options; these were based on prior research or drawn from those currently in use. The icons, taglines, and landing pages fell short both in terms of notifying participants about OBA and clearly informing participants about their choices. Half of the participants remembered the ads they saw but only 12% correctly remembered the disclosure taglines attached to ads. The majority of participants mistakenly believed that ads would pop up if they clicked on disclosure icons and taglines, and more participants incorrectly thought that clicking the disclosures would let them purchase their own advertisements than correctly understood that they could then opt out of OBA. "AdChoices," the tagline most commonly used by online advertisers, was particularly ineffective at communicating notice and choice. 45% of participants who saw "AdChoices" believed that it was intended to sell advertising space, while only 27% believed it was an avenue to stop tailored ads. A majority of participants mistakenly believed that opting out would stop all online tracking, not just tailored ads. We discuss challenges in crafting disclosures, and we provide suggestions for improvement.</p>

	]]>
</description>

<author>Pedro Giovanni Leon et al.</author>


</item>






<item>
<title>Towards Scalable Evaluation of Mobile Applications through Crowdsourcing and Automation (CMU-CyLab-12-006)</title>
<link>http://repository.cmu.edu/cylab/99</link>
<guid isPermaLink="true">http://repository.cmu.edu/cylab/99</guid>
<pubDate>Mon, 19 Mar 2012 07:58:31 PDT</pubDate>
<description>
	<![CDATA[
	<p>With the widespread adoption of smartphones, mobile applications have gained mainstream popularity. However, the potential privacy and security risks associated with using mobile apps are quite high, as smartphones become increasingly integrated with our lives, being able to access our email, social networking accounts, financial information, personal photos, and even our cars and homes. To address this problem, we introduce AppScanner, an automated cloud-based service based on crowdsourcing and traditional security approaches to analyze mobile applications. Considering the large and growing number of mobile applications, our envisioned service builds on crowdsourcing, virtualization, and automation to enable large-scale analysis of apps. AppScanner provides end-users with more understandable information regarding what mobile apps are really doing on their devices. This paper offers an overview of our vision for building AppScanner, as well as work to date in specific components, including automated traversal and monitoring of mobile applications, and interactive visual presentation of app traversal results. Armed with transparent and descriptive information regarding app behavior, users can make better decisions when installing and running apps.</p>

	]]>
</description>

<author>Shahriyar Amini et al.</author>


</item>






<item>
<title>Exploiting Privacy Policy Conflicts in Online Social Networks (CMU-CyLab-12-005)</title>
<link>http://repository.cmu.edu/cylab/98</link>
<guid isPermaLink="true">http://repository.cmu.edu/cylab/98</guid>
<pubDate>Thu, 15 Mar 2012 06:32:31 PDT</pubDate>
<description>
	<![CDATA[
	<p>Online Social Networks (OSNs) offer access control mechanisms to protect users’ sensitive information from undesired accesses. Yet, their information is still vulnerable to disclosure when their friends assign conflicting privacy policies: a user prohibits everyone from accessing his own content or profile but his friends allow others to see it. OSNs tend to select Permit-Take-Precedence when resolving multiple conflicting policies so that the information is possibly exposed regardless of the information owner’s preference. In this paper, we confirm that specific types of information in real OSN services are under this circumstance. We then propose three attacking scenarios that reveal the hidden friend-lists, profiles, and posted messages on users’ OSN accounts, exploiting a target’s sensitive information. We finally discuss possible countermeasures in terms of both implementation and human behavior.</p>

	]]>
</description>

<author>Akira Yamada et al.</author>


</item>






<item>
<title>Trustworthy Execution on Mobile Devices: What security properties can my mobile platform give me? (CMU-CyLab-11-023)</title>
<link>http://repository.cmu.edu/cylab/97</link>
<guid isPermaLink="true">http://repository.cmu.edu/cylab/97</guid>
<pubDate>Wed, 08 Feb 2012 10:27:55 PST</pubDate>
<description>
	<![CDATA[
	<p>We are now in the post-PC era, yet our mobile devices are insecure. We consider the different stake-holders in today’s mobile device ecosystem, and analyze why widely-deployed hardware security primitives on mobile device platforms are inaccessible to application developers and end-users. We systematize existing proposals for leveraging such primitives, and show that they can indeed strengthen the security properties available to applications and users, all without reducing the properties currently enjoyed by OEMs and network carriers. We also highlight shortcomings of existing proposals and make recommendations for future research that may yield practical, deployable results.</p>

	]]>
</description>

<author>Amit Vasudevan et al.</author>


</item>





</channel>
</rss>
