πBox: A Platform for Privacy-Preserving Apps
Sangmin Lee, Edmund L. Wong, Deepak Goel, Mike Dahlin, Vitaly Shmatikov
The University of Texas at Austin
17% paid attention
3% understood
From “Android permissions: User attention, comprehension, and behavior.” In SOUPS 2012.
Shifting user trust from 300,000 app publishers...
to a few well-known brands that many already trust
πBox: A platform that allows users to use untrusted apps while
providing explicit and useful privacy guarantees
Outline
How are apps confined within the sandbox?
How does the aggregate channel work?
How does the sharing channel work?
What guarantees are provided to users?
What is the applicability and overhead of πBox?
How are apps confined within the sandbox?
Per-user, per-app sandbox spans device and cloud
Private vault: read/write (e.g., settings, search history)
Content storage: shared read-only, per-app (e.g., map data, media)
How does the aggregate channel work?
Aggregate channel (shared write only)
πBox keeps one counter per ad ("Counter for ad x"); the counter values are what gets released to the app publisher
Example ad shown on the slide: "Just set it and forget it!" The Ronco Showtime Rotisserie Oven
Releasing true values enables the app to signal to the publisher
πBox therefore uses differential privacy to bound the information leak: random noise is added to each counter before release
See paper for other types of counters (delayed, top-K)
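To make the aggregate-channel idea concrete, here is an added example (written for this page, not πBox's own code) of a write-only ad counter that releases a noised value instead of the true one. The slides only say that random noise bounds the leak; the per-user clipping bound (`max_per_user`), the privacy budget accounting in `release`, and the user names in `demo` are assumptions of this example, not details from the paper.

```python
# Added example (not πBox's own code): a differentially private aggregate
# counter in the spirit of the "Counter for ad x" on the aggregate channel.
import math
import random


def laplace_noise(scale, rng):
    """One draw from Laplace(0, scale): the difference of two independent
    exponentials with mean `scale` has exactly that distribution."""
    return rng.expovariate(1.0 / scale) - rng.expovariate(1.0 / scale)


class AdCounter:
    """Aggregate counter as the app sees it: it can only add to it.

    Assumptions of this example (not stated on the slides): each user's
    contribution is clipped to `max_per_user`, and every release spends
    `epsilon` from a fixed total `budget` (sequential composition); once
    the budget is gone, further releases are refused.
    """

    def __init__(self, epsilon, max_per_user=1, budget=None, seed=None):
        if epsilon <= 0 or max_per_user <= 0:
            raise ValueError("epsilon and max_per_user must be positive")
        self.epsilon = epsilon
        self.max_per_user = max_per_user
        # Clipping fixes the sensitivity, so the Laplace scale is sensitivity / epsilon.
        self.scale = max_per_user / epsilon
        self.budget_left = budget if budget is not None else math.inf
        self._raw = {}                  # user -> raw increments; never leaves the sandbox
        self._rng = random.Random(seed)

    def increment(self, user, n=1):
        """Shared write only: the app may add, never read or subtract."""
        if n < 0:
            raise ValueError("counter is increment-only")
        self._raw[user] = self._raw.get(user, 0) + n

    def true_count(self):
        """Exact total, visible to πBox only. Releasing it would let an app
        encode one user's private data in the counter value."""
        return sum(self._raw.values())

    def clipped_count(self):
        """Total after clipping: no single user can move it by more than max_per_user."""
        return sum(min(v, self.max_per_user) for v in self._raw.values())

    def release(self):
        """What the publisher receives: clipped count plus Laplace noise.
        Each call spends epsilon of the privacy budget."""
        if self.budget_left < self.epsilon:
            raise RuntimeError("privacy budget exhausted; release refused")
        self.budget_left -= self.epsilon
        return self.clipped_count() + laplace_noise(self.scale, self._rng)


def demo():
    """Constructed scenario: one user's increments are inflated (as a
    misbehaving app might do to signal), two other users click once each.
    Returns (true total, clipped total, released noisy value)."""
    counter = AdCounter(epsilon=1.0, max_per_user=1, budget=2.0, seed=7)
    counter.increment("alice", 1000)   # constructed: 1000 increments from one user
    counter.increment("bob")
    counter.increment("carol")
    return counter.true_count(), counter.clipped_count(), counter.release()


if __name__ == "__main__":
    true_total, clipped_total, released = demo()
    print("true:", true_total, "clipped:", clipped_total, "released:", round(released, 2))
```

The point the numbers make: the inflated user contributes 1 to the clipped total, not 1000, so the released value is the clipped count (3) plus noise of scale 1, and the publisher cannot tell from it whether any particular user clicked. The budget check is what stops an app from averaging away the noise by releasing the same counter over and over.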
How does the sharing channel work?
πDialog box displayed by πBox
← πBox asks whom to share with
πBox confirms content to share
Users know when and with whom sharing occurs
Users may not know what is shared (steganography)
Difficult for publishers to gain access to private data
What guarantees are provided to users?
Extended sandbox: strong confinement
Sharing channel: controlled sharing
Aggregate channel: bounded information leak (... + Counter for ad x)
Sandbox + aggregate channel: USER GUIDANCE SUGGESTED / MINIMAL RISK TO PRIVACY
Sandbox + aggregate channel + sharing channel: USER STRONGLY CAUTIONED / MAY LEAK INFORMATION WHEN SHARING
What is the applicability and overhead of πBox?
Three questions
1. Can real applications benefit from πBox?
2. How much implementation effort is needed to use πBox?
3. What is the overhead of using πBox?
[Chart: number of apps (0 to 10) per Google Play category, Free vs. Paid, colored by privacy label. Categories: Arcade/Action, Books, Brain/Puzzles, Business, Cards/Casino, Casual, Comics, Communication, Education, Entertainment, Finance, Health/Fitness, Lifestyle, Live Wallpaper, Media/Video, Medical, Music/Audio, News/Magazines, Personalization, Photography, Productivity, Racing, Shopping, Social, Sports, Sports Games, Tools, Transportation, Travel/Local, Weather.]
From Google Play (as of Feb. 2013). Based on developer's description. Core functionality only.
74% of paid apps are green
67% of free apps are yellow
Example apps: Password Manager; News Reader with ads and sharing; Transcription with feedback
Labels assigned on the slide: USER WELCOME / NO RISK TO PRIVACY; USER GUIDANCE SUGGESTED / MINIMAL RISK TO PRIVACY; USER STRONGLY CAUTIONED / MAY LEAK INFORMATION WHEN SHARING
OsmAnd (open-source navigation app): changed 174 lines (out of 119,147); USER WELCOME / NO RISK TO PRIVACY
ServStream (open-source media streaming app): changed 133 lines (out of 13,193); USER WELCOME / NO RISK TO PRIVACY
Server overheads
[Plot: Latency (ms), 0 to 20, vs. Throughput (ops/sec), 0 to 7000; Without πBox vs. With πBox. Light workload.]
[Plot: Latency (ms), 0 to 300, vs. Throughput (ops/sec), 0 to 400; Without πBox vs. With πBox. Calculating SHA256 over server-generated 1 MB data.]