User-Controllable Security and Privacy for Pervasive Computing
http://www.cs.cmu.edu/~sadeh/user_controllable_security_and_privacy.htm
© Ian Fette 2007, All Rights Reserved

User-Controllable Security and Privacy for Pervasive Computing
Jason Cornwell, Ian Fette, Gary Hsieh, Madhu Prabaker, Jinghai Rao, Karen Tang, Kami Vaniea, Lujo Bauer, Lorrie Cranor, Jason Hong, Bruce McLaren, Mike Reiter, Norman Sadeh
February 26
[email protected]
• School of Computer Science •© Ian C. Fette 2007, All Rights Reserved • http://www.ianfette.com/ 2
What’s wrong?
Even worse…
The Problem
• Mobile devices are becoming integrated into everyday life
  – Mobile communications
  – Sharing location information with others
  – Remote access to home
  – Mobile e-commerce
• Managing security and privacy policies is hard
  – Preferences hard to articulate
  – Policies hard to specify
  – Limited input and output
• Leads to new sources of vulnerability and frustration
The Objective
• Objective
  – Develop and validate techniques to empower end-users to manage their policies
  – Evaluate tradeoffs between expressiveness, tolerance for errors, burden on users and overall user acceptance
  – Understand how much we can realistically hope to delegate to users – business and policy implications
• Large multi-disciplinary team and project
  – Six faculty, 1.5 postdocs, 10 graduate students
  – Roughly 1.5 years into project
Overview
• Motivation
• Domains we’re Investigating
  – Contextual Instant Messaging
  – Access Control of Resources with Grey
  – People Finder
• Problems We’re Looking At
  – Prior Studies in Lab
    – Difficulty of Specifying Preferences
    – Ability to Learn Preferences
  – Current Work
    – Field Deployment and Study
    – More Comprehensive Rule Specification Mechanism
• Conclusions
Contextual Instant Messaging
• Facilitate coordination and communication by letting people request contextual information via IM
  – Interruptibility (via SUBTLE toolkit)
  – Location (via Place Lab wifi positioning)
  – Active window
• Developed a custom client and robot on top of AIM
  – Client (Trillian plugin) captures and sends context to robot
  – People can query imbuddy411 robot for info, e.g. “howbusyis username”
  – Robot also contains privacy rules governing disclosure
Contextual Instant Messaging (2)
Access Control of Resources with Grey
• Distributed smartphone-based access control system
  – physical resources like office doors, computers, and coke machines
  – electronic ones like computer accounts and electronic files
  – currently only physical doors
• Proofs assembled from credentials
  – No central access control list
  – End-users can create flexible policies
People Finder
• Allow users to request each others’ location
  – Useful for meeting up
  – Checking up on someone
• Involves…
  – Eliciting users’ privacy preferences
  – Allowing users to audit the incoming request history
  – Attempting to learn users’ preferences automatically
  – Making “smart” suggestions to users for how to fix problems
  – … and lots of behind-the-scenes work
People Finder (2)
• Problems we’re investigating:
  – How to allow users to specify rules
  – What to include in rules
    – Time, Date, Person / Group, Location, Calendar Activities, Anything else…
  – As an example, how to specify locations in rules? Minimum Bounding Rectangles? Labeled Spaces… or more complex ontologies (“in a bar”, “at home”, “at a colleague’s house”…)
  – …yet more expressiveness may not necessarily increase the user’s sense of control and satisfaction.
People Finder (3)
• Current System
People Finder (4)
• Results so far (lab study)
  – Users take a long time to specify rules
  – Users take a long time to revise rules

[Chart: Rule Creation Time and Rule Revision Time per user (Users 1 to 14), in seconds]

                      Mean (sec)   Standard Deviation (sec)
Rule Creation             321.53                     206.10
Rule Maintenance          101.15                     110.02
Total                     422.69                     213.48
People Finder (5)
• … and yet, even after spending all this time, users are still unable to craft policies that completely express their intent…
• … but there’s hope, as we seem to be able to do a good job at learning preferences based on audit history

[Chart: per-user comparison (Users 1 to 14) of Original Rules, Modified Rules (in-study), Modified Rules (post-study) and Case-Based Reasoner]

[Chart: % Correct Disclosures overall; bar labels as extracted: Original Rules 61, Modified Rules (in-study) 67, Modified Rules (post-study) 72, Case-Based Reasoner 82]
People Finder (6)
• Current Work
  – Field Deployment and Study
    – Giving out cell phones to users
    – Observing the rule-creation behavior
    – Analyzing accuracy of rules, and attempting to use machine learning to do better than the users’ own rules
  – More Comprehensive Rule Specification Mechanism
    – Allow users to create hierarchical groups
    – Allow location to be a part of rule specification
People Finder (7)
• Current System
People Finder (8)
People Finder (9)
People Finder (10)
• Future Work:
  – Better visualization of policies
  – Better explanation of options to correct policies
  – Utilization of additional semantic information
    – Calendaring
    – Directory services
    – Location services
USABLE POLICY AUTHORING: A PEOPLE FINDER EXAMPLE

[Scenario illustration diagram; the recoverable labels and dialog follow]
• Steps: Policy Creation, Policy Enforcement, Policy Auditing & Refinement
• New technology: Policy Visualization, Policy Enforcing Engines, Explanation Dialog, Learning from the past
• Policy Creation (Jane, Time): “My colleagues can see my location on weekdays between 8am and 5pm”
• Policy Enforcement (Bob, Bob’s Phone): “Jane and Eric are late for our meeting. Show me where they are!” / “Jane is in Oakland but I can’t access Eric’s location”
• Policy Auditing & Refinement (Eric): “Why couldn’t Bob see where I was?” / “Bob is a colleague. So far only your friends can see where you are” / “What if my colleagues could see my location too?” / “In the past you denied access to your colleague Steve” / “OK, make it just my superiors”
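The policy lifecycle in the illustration above (a group- and time-based rule, enforcement with an explained deny, an audit log, and the “% correct disclosures” measure from the lab study in People Finder (5)) as a constructed Python example; this is added here and is not the People Finder code, and the Rule/Policy classes, the group directory, the timestamps and the intent values are all assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime
# Added example, not the project's code: a simplified People Finder-style policy
# with group/time rules, default deny, an audit log and "% correct disclosures".
@dataclass
class Rule:
    group: str           # requester group the rule covers, e.g. "colleagues"
    days: frozenset      # weekday numbers, 0 = Monday .. 6 = Sunday
    start_hour: int      # inclusive
    end_hour: int        # exclusive
    allow: bool = True

@dataclass
class Policy:
    rules: list
    groups: dict         # requester -> set of groups (constructed directory)
    audit: list = field(default_factory=list)

    def decide(self, requester, when_iso):
        """Return (allowed, explanation); every request is logged for audit."""
        when = datetime.fromisoformat(when_iso)
        member_of = self.groups.get(requester, set())
        allowed, why = False, None
        for r in self.rules:
            if r.group not in member_of:
                continue
            if when.weekday() in r.days and r.start_hour <= when.hour < r.end_hour:
                allowed, why = r.allow, f"'{r.group}' rule matched"
                break
            why = f"'{r.group}' rule only covers days {sorted(r.days)}, {r.start_hour}-{r.end_hour}h"
        if why is None:  # default deny, explained like the slide's dialog
            covered = sorted({r.group for r in self.rules if r.allow})
            why = (f"{requester} is in {sorted(member_of) or ['no group']}; "
                   f"so far only {covered} can see where you are")
        self.audit.append((requester, when, allowed, why))
        return allowed, why

def pct_correct_disclosures(policy, intent):
    """Share of audited decisions matching what the user says they wanted;
    intent maps (requester, weekday, hour) -> desired allow/deny."""
    hits = sum(intent[(req, t.weekday(), t.hour)] == ok
               for req, t, ok, _ in policy.audit)
    return 100.0 * hits / len(policy.audit)

# Constructed scenario: friends any time, colleagues weekdays 8am-5pm.
POLICY = Policy(
    rules=[Rule("friends", frozenset(range(7)), 0, 24),
           Rule("colleagues", frozenset(range(5)), 8, 17)],
    groups={"jane": {"friends"}, "bob": {"colleagues"}, "steve": {"colleagues"}})
```

Each denied request carries the reason it was denied, which is the raw material the explanation dialog and the audit-history learner in the slides both need.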
Conclusions
• Traditional security paradigms do not directly translate to mobile and pervasive computing
• Users are responsible for an increasing number of policies, and need help to express their desires
• Machine learning can be a part of helping users craft better policies
• Explanation technologies will be key to helping users understand problems and their solutions
• There is a tradeoff between expressiveness of policies and both the ability of users to create these policies, and the accuracy of the created policies, which must be further explored
• Better interfaces, combined with learning and explanation support, may alter the expressiveness / cost / accuracy tradeoff
Acknowledgements
• Thanks to the members of the team:
  Jason Cornwell, Ian Fette, Gary Hsieh, Madhu Prabaker, Jinghai Rao, Karen Tang, Kami Vaniea, Lujo Bauer, Lorrie Cranor, Jason Hong, Bruce McLaren, Mike Reiter, Norman Sadeh*
  *my advisor
• Special thanks to Jason Hong and Norman Sadeh for sharing some of their slides
• … and to our sponsors. This work is supported by NSF Cyber Trust grant CNS-0627513, NSF grant CNS-0433540, and ARO research grant DAAD19-02-1-0389 to Carnegie Mellon University's CyLab.
Contact: Ian Fette or Norman Sadeh (icf,sadeh)@cs.cmu.edu
Carnegie Mellon University, School of Computer Science
5000 Forbes Ave, Pittsburgh PA 15213