SwePub

Hit list for search "WFRF:(Bastys Iulia 1986)"

  • Results 1-11 of 11
1.
  • Balliu, Musard, et al. (author)
  • Securing IoT Apps
  • 2019
  • In: IEEE Security and Privacy. - : IEEE COMPUTER SOC. - 1540-7993 .- 1558-4046. ; 17:5, pp. 22-29
  • Journal article (peer-reviewed)
    • Users increasingly rely on Internet of Things (IoT) apps to manage their digital lives through the overwhelming diversity of IoT services and devices. Are the IoT app platforms doing enough to protect the privacy and security of their users? By securing IoT apps, how can we help users reclaim control over their data?
2.
  • Bastys, Iulia, 1986 (author)
  • A Principled Approach to Securing IoT Apps
  • 2018
  • Licentiate thesis (other academic/artistic)
    • IoT apps are becoming increasingly popular as they allow users to manage their digital lives by connecting otherwise unconnected devices and services: cyberphysical “things” such as smart homes, cars, or fitness armbands, to online services such as Google or Dropbox, to social networks such as Facebook or Twitter. IoT apps rely on end-user programming, such that anyone with an active account on the platform can create and publish apps, with the majority of apps being created by third parties. We demonstrate that the most popular IoT app platforms are susceptible to attacks by malicious app makers and suggest short and longterm countermeasures for securing the apps. For short-term protection we rely on access control and suggest the apps to be classified either as exclusively private or exclusively public, disallowing in this way information from private sources to flow to public sinks. For longterm protection we rely on a principled approach for designing information flow controls. Following these principles we define projected security, a variant of noninterference that captures the attacker’s view of an app, and design two mechanisms for enforcing it. A static enforcement based on a flow-sensitive type system may be used by the platform to statically analyze the apps before being published on the app store. This enforcement covers leaks stemming from both explicit and implicit flows, but is not expressive enough to address timing attacks. Hence we design a second enforcement based on a dynamic monitor that covers the timing channels as well.
3.
  • Bastys, Iulia, 1986, et al. (author)
  • Automatic Annotation of Confidential Data in Java Code
  • 2022
  • In: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics). - Cham : Springer International Publishing. - 1611-3349 .- 0302-9743. ; 13291, pp. 146-161
  • Conference paper (peer-reviewed)
    • The problem of confidential information leak can be addressed by using automatic tools that take a set of annotated inputs (the source) and track their flow to public sinks. Unfortunately, manually annotating the code with labels specifying the secret sources is one of the main obstacles in the adoption of such trackers. In this work, we present an approach for the automatic generation of labels for confidential data in Java programs. Our solution is based on a graph-based representation of Java methods: starting from a minimal set of known API calls, it propagates the labels both intra- and inter-procedurally until a fix-point is reached. In our evaluation, we encode our synthesis and propagation algorithm in Datalog and assess the accuracy of our technique on seven previously annotated internal code bases, where we can reconstruct 75% of the preexisting manual annotations. In addition to this single data point, we also perform an assessment using samples from the SecuriBench-micro benchmark, and we provide additional sample programs that demonstrate the capabilities and the limitations of our approach.
4.
  • Bastys, Iulia, 1986, et al. (author)
  • Clockwork: Tracking Remote Timing Attacks
  • 2020
  • In: Proceedings - IEEE Computer Security Foundations Symposium. - : IEEE. - 1940-1434. ; 2020-June, pp. 350-365
  • Conference paper (peer-reviewed)
    • Timing leaks have been a major concern for the security community. A common approach is to prevent secrets from affecting the execution time, thus achieving security with respect to a strong, local attacker who can measure the timing of program runs. However, this approach becomes restrictive as soon as programs branch on a secret. This paper focuses on timing leaks under remote execution. A key difference is that the remote attacker does not have a reference point of when a program run has started or finished, which significantly restricts attacker capabilities. We propose an extensional security characterization that captures the essence of remote timing attacks. We identify patterns of combining clock access, secret branching, and output in a way that leads to timing leaks. Based on these patterns, we design Clockwork, a monitor that rules out remote timing leaks. We implement the approach for JavaScript, leveraging JSFlow, a state-of-the-art information flow tracker. We demonstrate the feasibility of the approach on case studies with IFTTT, a popular IoT app platform, and VJSC, an advanced JavaScript library for e-voting.
5.
  • Bastys, Iulia, 1986, et al. (author)
  • If This Then What? Controlling Flows in IoT Apps
  • 2018
  • Conference paper (peer-reviewed)
    • IoT apps empower users by connecting a variety of otherwise unconnected services. These apps (or applets) are triggered by external information sources to perform actions on external information sinks. We demonstrate that the popular IoT app platforms, including IFTTT (If This Then That), Zapier, and Microsoft Flow are susceptible to attacks by malicious applet makers, including stealthy privacy attacks to exfiltrate private photos, leak user location, and eavesdrop on user input to voice-controlled assistants. We study a dataset of 279,828 IFTTT applets from more than 400 services, classify the applets according to the sensitivity of their sources, and find that 30% of the applets may violate privacy. We propose two countermeasures for short- and longterm protection: access control and information flow control. For short-term protection, we suggest that access control classifies an applet as either exclusively private or exclusively public, thus breaking flows from private sources to sensitive sinks. For longterm protection, we develop a framework for information flow tracking in IoT apps. The framework models applet reactivity and timing behavior, while at the same time faithfully capturing the subtleties of attacker observations caused by applet output. We show how to implement the approach for an IFTTT-inspired setting leveraging state-of-the-art information flow tracking techniques for JavaScript based on the JSFlow tool and evaluate its effectiveness on a collection of applets.
6.
  • Bastys, Iulia, 1986 (author)
  • Principled Flow Tracking in IoT and Low-Level Applications
  • 2022
  • Doctoral thesis (other academic/artistic)
    • Significant fractions of our lives are spent digitally, connected to and dependent on Internet-based applications, be it through the Web, mobile, or IoT. All such applications have access to and are entrusted with private user data, such as location, photos, browsing habits, private feed from social networks, or bank details. In this thesis, we focus on IoT and Web(Assembly) apps. We demonstrate IoT apps to be vulnerable to attacks by malicious app makers who are able to bypass the sandboxing mechanisms enforced by the platform to stealthily exfiltrate user data. We further give examples of carefully crafted WebAssembly code abusing the semantics to leak user data. We are interested in applying language-based technologies to ensure application security due to the formal guarantees they provide. Such technologies analyze the underlying program and track how the information flows in an application, with the goal of either statically proving its security, or preventing insecurities from happening at runtime. As such, for protecting against the attacks on IoT apps, we develop both static and dynamic methods, while for securing WebAssembly apps we describe a hybrid approach, combining both. While language-based technologies provide strong security guarantees, they are still to see a widespread adoption outside the academic community where they emerged. In this direction, we outline six design principles to assist the developer in choosing the right security characterization and enforcement mechanism for their system. We further investigate the relative expressiveness of two static enforcement mechanisms which pursue fine- and coarse-grained approaches for tracking the flow of sensitive information in a system. Finally, we provide the developer with an automatic method for reducing the manual burden associated with some of the language-based enforcements.
7.
  • Bastys, Iulia, 1986, et al. (author)
  • Prudent Design Principles for Information Flow Control
  • 2018
  • In: Proceedings of the ACM Conference on Computer and Communications Security. - New York, NY, USA : ACM. - 1543-7221. - 9781450359931 ; , pp. 17-23
  • Conference paper (peer-reviewed)
    • Recent years have seen a proliferation of research on information flow control. While the progress has been tremendous, it has also given birth to a bewildering breed of concepts, policies, conditions, and enforcement mechanisms. Thus, when designing information flow controls for a new application domain, the designer is confronted with two basic questions: (i) What is the right security characterization for a new application domain? and (ii) What is the right enforcement mechanism for a new application domain? This paper puts forward six informal principles for designing information flow security definitions and enforcement mechanisms: attacker-driven security, trust-aware enforcement, separation of policy annotations and code, language-independence, justified abstraction, and permissiveness. We particularly highlight the core principles of attacker-driven security and trust-aware enforcement, giving us a rationale for deliberating over soundness vs. soundiness. The principles contribute to roadmapping the state of the art in information flow security, weeding out inconsistencies from the folklore, and providing a rationale for designing information flow characterizations and enforcement mechanisms for new application domains.
8.
  • Bastys, Iulia, 1986, et al. (author)
  • SecWasm: Information Flow Control for WebAssembly
  • 2022
  • In: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics). - Cham : Springer Nature Switzerland. - 1611-3349 .- 0302-9743. ; 13790 LNCS, pp. 74-103
  • Conference paper (peer-reviewed)
    • We introduce SecWasm, the first general purpose information-flow control system for WebAssembly (Wasm), thus extending the safety guarantees offered by Wasm with guarantees that applications manipulate sensitive data in a secure way. SecWasm is a hybrid system enforcing termination-insensitive noninterference which overcomes the challenges posed by the uncommon characteristics for machine languages of Wasm in an elegant and thorough way.
9.
  • Bastys, Iulia, 1986, et al. (author)
  • Tracking Information Flow via Delayed Output: Addressing Privacy in IoT and Emailing Apps
  • 2018
  • In: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics). - Cham : Springer International Publishing. - 1611-3349 .- 0302-9743. ; 11252 LNCS, pp. 19-37
  • Conference paper (peer-reviewed)
    • This paper focuses on tracking information flow in the presence of delayed output. We motivate the need to address delayed output in the domains of IoT apps and email marketing. We discuss the threat of privacy leaks via delayed output in code published by malicious app makers on popular IoT app platforms. We discuss the threat of privacy leaks via delayed output in non-malicious code on popular platforms for email-driven marketing. We present security characterizations of projected noninterference and projected weak secrecy to capture information flows in the presence of delayed output in malicious and non-malicious code, respectively. We develop two security type systems: for information flow control in potentially malicious code and for taint tracking in non-malicious code, engaging read and write security types to soundly enforce projected noninterference and projected weak secrecy.
10.
  • Pape, Sebastian, et al. (author)
  • Towards an Architecture for Pseudonymous E-Commerce
  • 2018
  • In: Lecture Notes in Informatics. - 1617-5468. ; P-281, pp. 17-28
  • Conference paper (peer-reviewed)
    • In this paper we apply privacy by design in e-commerce. We outline the requirements of a privacy-aware online shopping platform that satisfies the principle of data minimization and we suggest several architectures for building such a platform. We then compare them according to four dimensions: privacy threats, transparency, usability and compatibility with existing business models. Based on the comparison, we aim to build the selected platform in the next step.
11.
  • Rajani, Vineet, et al. (author)
  • Type systems for information flow control: the question of granularity
  • 2017
  • In: ACM SIGLOG News. - : Association for Computing Machinery (ACM). - 2372-3491. ; 4:1, pp. 6-21
  • Journal article (other academic/artistic)
    • Information flow control is central to computer security. The objective of information flow control is to prevent unauthorized flows of secret information to the public outputs of a computation. This task is often accomplished using type systems that rely on modal operators to label and track information and, hence, this style of enforcing information flow control is deeply ingrained in logic. One key choice in designing a type system for information flow control, or dependence analysis in general, is the granularity at which dependencies are tracked. This article considers two extreme design points in this vast design space and examines their relative expressiveness.