πBox: A Platform for Privacy-Preserving Apps
Sangmin Lee, Edmund L. Wong, Deepak Goel, Mike Dahlin, Vitaly Shmatikov
The University of Texas at Austin

17% paid attention
3% understood
From “Android permissions: User attention, comprehension, and behavior.” In SOUPS 2012.

300,000 app publishers!
Shifting user trust from 300,000 app publishers... to a few well known brands that many already trust

πBox: A platform that allows users to use untrusted apps while providing explicit and useful privacy guarantees

Confine apps for STRONG PRIVACY
Platform channels for FUNCTIONALITY: aggregate channel, sharing channel

Outline
How are apps confined within the sandbox?
How does the aggregate channel work?
How does the sharing channel work?
What guarantees are provided to users?
What is the applicability and overhead of πBox?

How are apps confined within the sandbox?

Per-user, per-app sandbox spans device and cloud
Private vault: read/write (e.g., settings, search history)
Content storage: shared read-only, per-app (e.g., map data, media)

How does the aggregate channel work?

Example ad: “Just set it and forget it!” The Ronco Showtime Rotisserie Oven
Aggregate channel (shared, write only): one counter per ad, incremented from inside the sandbox and read by the app publisher
Releasing true counter values would enable an app to signal to its publisher (a covert channel out of the sandbox)
πBox adds random noise to each counter before release and uses differential privacy to bound the information leak
See paper for other types of counters (delayed, top-K)
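The following is an added example, not πBox's own code, of the aggregate-channel idea described above: counters that sandboxed app instances can only increment and that the publisher can only read with Laplace noise added, with a per-counter privacy budget. The class and method names, the choice to cap each user's contribution to a counter at 1 (sensitivity 1), and the per-counter budget accounting are this example's own assumptions; the slides do not specify them.

```python
"""Added example (not πBox's code): a write-only aggregate channel whose
counters are released to the publisher with Laplace noise.

Assumptions, labelled here because the slides do not specify them:
  * each user's app instance can move a given counter by at most 1
    (L1 sensitivity 1), i.e. a counter answers "how many users hit ad x";
  * the epsilon budget is tracked per counter and charged per release;
    a release that would exceed it is refused;
  * all names (AggregateChannel, write, release, ...) are hypothetical.
"""
import math
import random
from typing import Callable, Dict, Optional, Set


class BudgetExhausted(Exception):
    """Raised when another release would exceed a counter's epsilon budget."""


def laplace_scale(sensitivity: float, epsilon: float) -> float:
    """Scale b of Laplace(0, b) noise for an epsilon-DP release of a query
    whose L1 sensitivity is `sensitivity`: b = sensitivity / epsilon."""
    if epsilon <= 0:
        raise ValueError("epsilon must be positive")
    return sensitivity / epsilon


def sample_laplace(scale: float, rng: random.Random) -> float:
    """Inverse-CDF sample from Laplace(0, scale) using only random.Random."""
    u = rng.random() - 0.5
    while u == -0.5:          # rng.random() can return 0.0; avoid log(0)
        u = rng.random() - 0.5
    return -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))


class AggregateChannel:
    """Shared counters: write-only from inside a sandbox, noisy-read-only for
    the publisher. Names and budget accounting are this example's own."""

    SENSITIVITY = 1  # one user can move any counter by at most 1

    def __init__(self, epsilon_per_release: float, total_epsilon: float,
                 rng: Optional[random.Random] = None,
                 noise_fn: Optional[Callable[[float], float]] = None) -> None:
        self._eps = epsilon_per_release
        self._budget = total_epsilon
        self._rng = rng or random.Random()
        # noise_fn is injectable only so the budget accounting can be tested
        # deterministically; real use would always take Laplace noise.
        self._noise = noise_fn or (lambda scale: sample_laplace(scale, self._rng))
        self._hits: Dict[str, Set[str]] = {}    # counter -> users that hit it
        self._spent: Dict[str, float] = {}      # counter -> epsilon consumed

    # ---- sandbox (app) side: write only -----------------------------------
    def write(self, user_id: str, counter: str) -> None:
        """Record that user_id's app instance hit `counter` (e.g. "ad:x").
        Repeated writes by one user are idempotent; this is what bounds the
        sensitivity to 1, so an app cannot encode a user's secret as a large
        counter value. Nothing on this side can read a counter back."""
        self._hits.setdefault(counter, set()).add(user_id)

    # ---- publisher side: noisy read only ----------------------------------
    def release(self, counter: str) -> float:
        """Return true_count + noise and charge epsilon_per_release against
        the counter's budget. The true count itself is never returned."""
        spent = self._spent.get(counter, 0.0)
        if spent + self._eps > self._budget + 1e-12:
            raise BudgetExhausted(f"{counter}: budget {self._budget} used up")
        self._spent[counter] = spent + self._eps
        true_count = len(self._hits.get(counter, set()))
        return true_count + self._noise(laplace_scale(self.SENSITIVITY, self._eps))

    def spent_epsilon(self, counter: str) -> float:
        return self._spent.get(counter, 0.0)


def demo() -> float:
    """Three users' sandboxes hit ad x; the publisher reads a noisy count."""
    ch = AggregateChannel(epsilon_per_release=0.5, total_epsilon=1.0,
                          rng=random.Random(2013))   # fixed seed for repeatability
    for user in ("alice", "bob", "carol"):
        ch.write(user, "ad:x")
    ch.write("alice", "ad:x")   # a second hit by alice changes nothing
    return ch.release("ad:x")   # 3 plus Laplace(0, 2) noise


if __name__ == "__main__":
    print(f"noisy count for ad:x = {demo():.2f}")
```

The per-user cap and the budget are what turn the counter from a covert channel into a bounded one: an app can still move its own user's bit into the count, but each release reveals at most epsilon_per_release about any single user, and once the budget is spent the publisher gets nothing further. This toy tracks the budget per counter only; a user who appears in many counters would need composition across them, and the delayed and top-K counters the slides refer to are not modelled.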

How does the sharing channel work?

Sharing channel: what is shared, when it is shared, with whom it is shared
Dialog box displayed by πBox: πBox asks whom to share with, then confirms the content to share
Users know when and with whom sharing occurs
Users may not know what is shared (steganography): an app can hide data inside content the user approves
Difficult for publishers to gain access to private data
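The following is an added example, not πBox's own code, covering both the sandbox section (per-user, per-app vault plus a read-only per-app content store) and the sharing channel just described: the app can only name an item in its own vault, and the platform, not the app, asks the user whom to share with and shows the content for confirmation. Every name here (Platform, Sandbox, ScriptedDialog, request_share, the audit record fields) is hypothetical, and the user's dialog answers are scripted so it runs offline.

```python
"""Added example (not πBox's code): toy model of the per-user, per-app
sandbox and of the platform-mediated sharing channel.

Assumptions (hypothetical names; the slides only describe the behaviour):
  * a sandbox is keyed by (user, app); it owns a private read/write vault,
    sees its app's content store read-only, and has no other I/O;
  * an app can only *request* a share of a vault item; the platform asks the
    user for recipients and confirms the content before anything moves;
  * shared data lands in the recipients' own sandboxes for the same app.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Sequence, Tuple


class PolicyViolation(PermissionError):
    """An app tried something its sandbox does not allow."""


@dataclass
class Sandbox:
    """One (user, app) sandbox: a private read/write vault and nothing else."""
    user: str
    app: str
    vault: Dict[str, bytes] = field(default_factory=dict)


class ScriptedDialog:
    """Stands in for the dialog box the platform shows; the *user's* answers
    are scripted here so the example runs offline."""

    def __init__(self, recipients: Sequence[str], confirm: bool = True) -> None:
        self._recipients = list(recipients)
        self._confirm = confirm

    def ask_recipients(self, user: str, app: str) -> List[str]:
        return list(self._recipients)          # [] means the user declined

    def confirm_content(self, user: str, app: str, item: str, data: bytes) -> bool:
        return self._confirm                   # user saw the content and said yes/no


class Platform:
    """Trusted platform: owns every sandbox, the per-app content store, and
    the only path by which data leaves a sandbox (the sharing channel)."""

    def __init__(self) -> None:
        self._content: Dict[str, Dict[str, bytes]] = {}        # app -> read-only store
        self._sandboxes: Dict[Tuple[str, str], Sandbox] = {}
        self.audit: List[dict] = []   # what / when (seq) / whom, visible to the user

    # publisher side: content is pushed once and shared by all users of the app
    def publish_content(self, app: str, key: str, data: bytes) -> None:
        self._content.setdefault(app, {})[key] = data

    def sandbox(self, user: str, app: str) -> Sandbox:
        return self._sandboxes.setdefault((user, app), Sandbox(user, app))

    # sandbox side: content store is read-only, the vault is read/write
    def read_content(self, sb: Sandbox, key: str) -> Optional[bytes]:
        return self._content.get(sb.app, {}).get(key)

    def write_content(self, sb: Sandbox, key: str, data: bytes) -> None:
        raise PolicyViolation(f"{sb.app} content store is read-only from a sandbox")

    def vault_put(self, sb: Sandbox, key: str, data: bytes) -> None:
        sb.vault[key] = data

    def vault_get(self, sb: Sandbox, key: str) -> Optional[bytes]:
        return sb.vault.get(key)

    # the sharing channel: the app names an item, never the recipients
    def request_share(self, sb: Sandbox, item: str,
                      dialog: ScriptedDialog) -> Optional[dict]:
        if item not in sb.vault:
            raise PolicyViolation(f"{item!r} is not in {sb.user}/{sb.app}'s vault")
        data = sb.vault[item]
        recipients = dialog.ask_recipients(sb.user, sb.app)        # platform asks whom
        if not recipients:
            return None                                             # user declined
        if not dialog.confirm_content(sb.user, sb.app, item, data):  # platform confirms what
            return None
        # Caveat from the slides: the user sees `data` but cannot tell whether the
        # app hid extra bits inside it (steganography); the platform cannot either.
        record = {
            "seq": len(self.audit) + 1,                             # when
            "from": sb.user, "app": sb.app,
            "item": item, "sha256": hashlib.sha256(data).hexdigest(),  # what
            "to": sorted(recipients),                               # whom
        }
        self.audit.append(record)
        for r in recipients:     # delivered only into the recipients' own sandboxes
            self.sandbox(r, sb.app).vault[f"shared/{sb.user}/{item}"] = data
        return record
```

The point of the signature of request_share is that recipients and the moment of sharing are not parameters the app controls: the platform collects both from the user, so the "when" and "with whom" guarantees hold regardless of what the app does. The audit record is the user-visible trace of each share; the sha256 there identifies what left the sandbox, but as the comment notes it cannot reveal data an app has steganographically hidden inside approved content.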

What guarantees are provided to users?

Three privacy labels, determined by which platform channels an app uses
Extended sandbox: strong confinement
Aggregate channel: bounded information leak
Sharing channel: controlled sharing

Extended sandbox only (green): USER WELCOME, NO RISK TO PRIVACY
Extended sandbox + aggregate channel (yellow): USER GUIDANCE SUGGESTED, MINIMAL RISK TO PRIVACY
Extended sandbox + aggregate channel + sharing channel (red): USER STRONGLY CAUTIONED, MAY LEAK INFORMATION WHEN SHARING

What is the applicability and overhead of πBox?

Three questions
1. Can real applications benefit from πBox?
2. How much implementation effort is needed to use πBox?
3. What is the overhead of using πBox?

Figure: Google Play apps per category (Free vs. Paid), classified by πBox privacy label. Categories: Arcade/Action, Books, Brain/Puzzles, Business, Cards/Casino, Casual, Comics, Communication, Education, Entertainment, Finance, Health/Fitness, Lifestyle, Live Wallpaper, Media/Video, Medical, Music/Audio, News/Magazines, Personalization, Photography, Productivity, Racing, Shopping, Social, Sports, Sports Games, Tools, Transportation, Travel/Local, Weather. From Google Play (as of Feb. 2013). Based on developer’s description. Core functionality only.
74% of paid apps are green
67% of free apps are yellow

Three apps built on πBox, with the label each receives:
Password Manager: USER WELCOME, NO RISK TO PRIVACY
News Reader with ads and sharing: USER STRONGLY CAUTIONED, MAY LEAK INFORMATION WHEN SHARING
Transcription with feedback: USER GUIDANCE SUGGESTED, MINIMAL RISK TO PRIVACY

OsmAnd, open-source navigation app: changed 174 lines (out of 119,147); USER WELCOME, NO RISK TO PRIVACY
ServStream, open-source media streaming app: changed 133 lines (out of 13,193); USER WELCOME, NO RISK TO PRIVACY

Server overheads
Figure: latency (ms) vs. throughput (ops/sec), without πBox and with πBox, two panels: light workload (latency 0–20 ms, throughput up to 7000 ops/sec) and calculating SHA256 over server-generated 1 MB data (latency 0–300 ms, throughput up to 400 ops/sec).

πBox protects users’ privacy from untrusted apps

Provides explicit and simple privacy guarantees

Thank you!