Page 1

advanced topics in touchdevelop

privacy
transparent privacy control
via information flow analysis

Disclaimer: This document is provided “as-is”. Information and views expressed in this document, including URL and other Internet Web site references, may change without notice. You bear the risk of using it. This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes. © 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, and Windows Live are trademarks of the Microsoft group of companies. All other trademarks are property of their respective owners.

Page 2

what is the problem
o when you write your own code, you know exactly what happens to your information
o a script you get from the script bazaar... could leak your private information to the outside world!
  • post in your name on Facebook
  • send SMS, make phone calls
  • send your pictures to an unknown webservice
► what else?

Page 3

sources, sinks
o sources: origin of private information
  • camera, location, picture, music, microphone, contacts, calendar, home
o sinks: channels where information may leak
  • vetted – you can review: contacts, media, sharing, clipboard
  • unvetted – you cannot review: web
✿ https://www.touchdevelop.com/help/scriptprivacy

Page 4

approaches
o iOS
  • prompt on first use
  • can run app with disabled capability
  • limited to notifications, location
o Android, Windows Phone 7
  • prompt at install time
  • somewhat fine grained
► what are the problems with these approaches?

Page 5

our goal
o transparent privacy awareness
  • help me understand what’s going on
o flexible privacy control
  • let me be in charge of my information
o reasonable default settings
  • when I don’t tweak anything, I am safe
► what information did you share today?

Page 6

anonymized data
o for each source, you can choose between
  • your real data
  • anonymized data
► what is an anonymized location, picture, calendar?

Page 7

basic idea
o default for scripts from bazaar
  • real information for safe flows
  • anonymized information otherwise
o safe flows
  • untampered private information flows to a vetted sink
► when is sharing a picture on Facebook safe?

Page 8

our approach
o visualization
  • show capabilities and information flows
o customizable access
  • choose between real / anonymized
o safe by default
  • real information only for safe flows

Page 9

central authority
o app store / marketplace / script bazaar
  • centralized authorities that enforce policy compliance
► what are the policies?

Page 10

script bazaar
o all scripts get formally analyzed
  • parse, typecheck
  • compute capabilities
  • compute information flow
o informal quality measures
  • ♥
  • comments

Page 11

computing capabilities
o automated identification of application capabilities via static analysis
  • annotate APIs with capability information
  • parse each action (method) in the script into an AST
  • visit each statement node to identify used capabilities
  • a fixpoint is reached when a full pass makes no further changes
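The procedure above, written out as an added example (this is not TouchDevelop's own analyzer): the annotated API table, the script and the action names are all constructed here, and a statement is reduced to either an API use or a call to another action. Capabilities of a callee flow into the caller on each pass, and the loop stops at the fixpoint where a whole pass changes no action's capability set; the recursive call between `main` and `notify` is there to show why a single pass is not enough.

```python
"""Added example (not TouchDevelop's own analyzer): compute the capabilities of
each action in a script by visiting its statements and iterating to a fixpoint
over the calls between actions.  The API table and the script are constructed."""

# Constructed annotated API table (assumption): API name -> required capability.
# None marks an API that needs no capability.
API_CAPABILITIES = {
    "senses -> current location": "location",
    "senses -> take camera picture": "camera",
    "social -> send sms": "sms",
    "web -> post": "web",
    "locations -> describe location": None,
}

# Constructed script (assumption): action name -> list of statements, where a
# statement is ("api", api_name) or ("call", action_name).  The parse step of
# the real pipeline would derive something like this from the AST.
SCRIPT = {
    "main": [("call", "where am i"), ("call", "notify")],
    "where am i": [("api", "senses -> current location"),
                   ("api", "locations -> describe location")],
    "notify": [("api", "social -> send sms"), ("call", "main")],   # recursive call
    "unused": [("api", "senses -> take camera picture")],           # never reached from main
}


def compute_capabilities(script, api_caps):
    """Return (caps, passes): caps maps each action to the set of capabilities it
    uses directly or through any action it calls, transitively."""
    caps = {name: set() for name in script}
    passes = 0
    changed = True
    while changed:                       # fixpoint: stop when a full pass changes nothing
        changed = False
        passes += 1
        for name, stmts in script.items():
            before = set(caps[name])
            for kind, target in stmts:   # visit each statement node
                if kind == "api":
                    cap = api_caps[target]   # an API missing from the table is an error,
                    if cap is not None:      # never silently "no capability"
                        caps[name].add(cap)
                elif kind == "call":         # callee capabilities flow into the caller
                    caps[name] |= caps[target]
                else:
                    raise ValueError(f"unknown statement kind {kind!r}")
            if caps[name] != before:
                changed = True
    return caps, passes


def script_capabilities(script, api_caps, entry="main"):
    """Capabilities the user must grant: everything reachable from the entry action."""
    caps, _ = compute_capabilities(script, api_caps)
    return caps[entry]


if __name__ == "__main__":
    caps, n = compute_capabilities(SCRIPT, API_CAPABILITIES)
    for action, used in caps.items():
        print(f"{action:12s} -> {sorted(used)}")
    print(f"fixpoint after {n} passes; script needs "
          f"{sorted(script_capabilities(SCRIPT, API_CAPABILITIES))}")
```

Note that `unused` still gets its own `camera` entry, but it is not part of what the script needs from the user because nothing reachable from `main` calls it; a per-action table therefore also tells a reviewer which capability each action is responsible for.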

Page 12

computing information flow
o compute information flows via static analysis
  • compute summaries of blocks and actions
  • simulate program execution via static symbolic execution
  • a fixpoint is reached when a full pass makes no further changes

[figure: information flow from location to web]

Page 13

summaries
o block summary
o action summary
  • states of the exit block

Page 14

implicit flow
o from control structures
o recorded by an additional local variable PC

l := senses -> current location;          // l carries private location data
r := locations -> describe location(l);   // r is computed from l
y := false;
if r -> contains('secret') then {         // the branch condition depends on r, hence on l
  y := true;                              // implicit flow: y now reveals information about l
}

Page 15

references
o deep accesses are tracked on a per-kind basis
o connect kinds

action foo(i) : Nothing {
  ….
  msgs -> add(msg);               // msg becomes an element of the collection msgs
  msg -> set message(s);          // classified: s carries private information
  ….
  msg2 := msgs -> at(i);          // reading from msgs yields a value of the connected kind
  msg2 -> share('web service');   // the classified information reaches the sink
}

Page 16

propagation
o statement-based propagation
o union of the classified information of kinds

Page 17

tampered flow
o track tampered information by extending the information flow analysis

Page 18

access granting
o obtain users’ permissions
  • anonymized information
    • e.g., fixed location, fixed picture
  • real information
    • e.g., current location via GPS
o configure in script settings

Page 19

more information…
✿ TechReport MSR-TR-2011-93
  “Transparent Privacy Control via Static Information Flow Analysis”
  Xusheng Xiao, Nikolai Tillmann, Manuel Fahndrich, Peli de Halleux, and Michal Moskal
  http://research.microsoft.com/apps/pubs/default.aspx?id=152507

Page 20

examples
o share location
  safe flow, results in ‘real’ information by default
  ☁ http://touchdevelop.com/lbyk
o share location
  unsafe flow (sharing of a somehow computed value), results in ‘anonymized’ information by default
  ☁ http://touchdevelop.com/aoxc
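The following is an added example, not TouchDevelop's analyzer and not the two scripts linked above: a small static information flow analysis over a constructed statement IR that ties together the earlier slides on propagation (union of classified kinds), implicit flow (a PC label for the enclosing conditions), tampered flow, and the safe-flow decision that picks real or anonymized data per source. The vetted and unvetted sink lists follow the sources-and-sinks slide; the IR shapes, the `Label` type, the scripts and the rule that a value computed from private data counts as tampered are assumptions made for this example.

```python
"""Added example (not TouchDevelop's analyzer): a static information flow
analysis over a constructed statement IR.  It propagates the union of source
kinds through assignments, records implicit flows with a PC label, marks
computed values as tampered, and decides per source whether a script gets
real or anonymized data by default.  Sink lists and scripts are constructed."""
from dataclasses import dataclass

VETTED_SINKS = {"share", "contacts", "media", "clipboard"}  # the user can review these
UNVETTED_SINKS = {"web"}                                   # the user cannot


@dataclass(frozen=True)
class Label:
    sources: frozenset = frozenset()  # private kinds the value depends on
    tampered: bool = False            # True once private data has been computed on

    def join(self, other):
        return Label(self.sources | other.sources, self.tampered or other.tampered)


def eval_expr(expr, env):
    """Label of an expression.  expr is ("const", v) | ("var", name) |
    ("source", kind) | ("op", arg, ...); env maps variables to labels."""
    tag = expr[0]
    if tag == "const":
        return Label()
    if tag == "var":
        return env.get(expr[1], Label())
    if tag == "source":                     # e.g. senses -> current location
        return Label(frozenset([expr[1]]))
    if tag == "op":                         # any API call or operator over its arguments
        lbl = Label()
        for arg in expr[1:]:
            lbl = lbl.join(eval_expr(arg, env))
        # assumed policy: a value computed from private data is tampered
        return Label(lbl.sources, bool(lbl.sources))
    raise ValueError(expr)


def analyze(stmts, env=None, pc=Label(), flows=None):
    """Abstractly execute stmts.  pc is the label of the enclosing conditions
    (implicit flow); flows collects (sources, sink, tampered, safe) tuples."""
    env = {} if env is None else env
    flows = [] if flows is None else flows
    for stmt in stmts:
        kind = stmt[0]
        if kind == "assign":
            _, dst, expr = stmt
            lbl = eval_expr(expr, env)
            if pc.sources:          # implicit flow: the write depends on the guard
                lbl = Label(lbl.sources | pc.sources, True)
            env[dst] = lbl
        elif kind == "if":
            _, cond, then_b, else_b = stmt
            inner_pc = pc.join(eval_expr(cond, env))
            env_then = analyze(then_b, dict(env), inner_pc, flows)
            env_else = analyze(else_b, dict(env), inner_pc, flows)
            for var in set(env_then) | set(env_else):   # merge: union of both branches
                env[var] = env_then.get(var, Label()).join(env_else.get(var, Label()))
        elif kind == "sink":
            _, sink, expr = stmt
            if sink not in VETTED_SINKS | UNVETTED_SINKS:
                raise ValueError(f"unknown sink {sink!r}")
            lbl = eval_expr(expr, env).join(Label(pc.sources, bool(pc.sources)))
            if lbl.sources:         # only private data constitutes a flow
                safe = sink in VETTED_SINKS and not lbl.tampered
                flows.append((sorted(lbl.sources), sink, lbl.tampered, safe))
        else:
            raise ValueError(stmt)
    return env


def defaults_per_source(flows):
    """Safe by default: a source keeps real data only if every flow from it is safe."""
    result = {}
    for sources, _sink, _tampered, safe in flows:
        for s in sources:
            result[s] = "real" if safe and result.get(s, "real") == "real" else "anonymized"
    return result


def report(script):
    flows = []
    analyze(script, flows=flows)
    return flows, defaults_per_source(flows)


# Constructed script: untampered location goes to a vetted sharing sink (safe).
SAFE_SCRIPT = [
    ("assign", "l", ("source", "location")),
    ("sink", "share", ("var", "l")),                     # l -> share('facebook')
]

# Constructed script: the implicit flow from the slide, then y is posted to the web.
IMPLICIT_SCRIPT = [
    ("assign", "l", ("source", "location")),            # l := senses -> current location
    ("assign", "r", ("op", ("var", "l"))),              # r := locations -> describe location(l)
    ("assign", "y", ("const", False)),                  # y := false
    ("if", ("op", ("var", "r"), ("const", "secret")),   # if r -> contains('secret') then
        [("assign", "y", ("const", True))], []),        #   y := true
    ("sink", "web", ("var", "y")),                      # web -> post(y)
]

if __name__ == "__main__":
    for name, script in (("safe", SAFE_SCRIPT), ("implicit", IMPLICIT_SCRIPT)):
        print(name, *report(script))
```

Running it reports one flow for each script: `location -> share`, untampered and safe, so the script keeps real location data; and `location -> web`, tampered (through `describe location` and the guarded assignment to `y`) and unvetted, so the script is handed an anonymized location by default. Sharing the raw location straight to `web` is also unsafe, because the sink is unvetted even though the data is untampered.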

Page 21

exercises
► publish script with non-empty information flow
► publish script with unsafe information flow
► publish script with implicit information flow