ipshield: a framework for enforcing context-aware privacy · sensor subsystem in android and data...

Supriyo Chakraborty, Chenguang Shen, Kasturi Rangan Raghavan, Yasser Shoukry, Matt Millar, Mani Srivastava

ipShield: A Framework For EnforcingContext-Aware Privacy

From sensor data to inferences

2

Sensor Data


2

Sensor Data

Apps


2

Sensor Data

Apps Inferences

mHealth

Phone operation

Utility ProvidingFitness

Lifelogging


2

Sensor Data

Apps

Sensitive

LocationPassword

Media habitsPhysiological habits

Inferences

mHealth

Phone operation


Lifelogging

Location


Sensitive

Password

Utility Providing

mHealth

Phone operationLifelogging


3

Sensor Data

Apps Inferences

Fitness

Protecting inference privacy while providing utility

4

Sensor Data

Apps

Sensitive

LocationPassword


Inferences

mHealth

Phone operation


Lifelogging Whi

telis

tBl

ackl

ist


4

Sensor Data

Apps

Sensitive

LocationPassword


Inferences

mHealth

Phone operation


Lifelogging

Inference firewall

Whi

telis

tBl

ackl

ist


4

Sensor Data

Apps

Sensitive

LocationPassword


Inferences

mHealth

Phone operation


Lifelogging

Inference firewall ✖

Whi

telis

tBl

ackl

ist

Prior notions of privacy in databases

5

Sensor DataCapture

Sensor DataCapture

Sensor DataCapture

Data Processing

Data Processing

Data Processing

Population Scale Database

D := {P = personal identifiers, (name, ID)Q = quasi identifiers, (age, zip code)V = measurement values (sensor data)}


5

Sensor DataCapture

Sensor DataCapture

Sensor DataCapture

Data Processing

Data Processing

Data Processing

InformationRecipient

1. K-anonymity2. L-Diversity3. t-closeness


Privacy

M=<P’,Q’,V

>

inference = identity

D := {P = personal identifiers, (name, ID)Q = quasi identifiers, (age, zip code)V = measurement values (sensor data)}


5

Sensor DataCapture

Sensor DataCapture

Sensor DataCapture

Data Processing

Data Processing

Data Processing


1. K-anonymity2. L-Diversity3. t-closeness


Differential Privacy


Privacy

M=<P’,Q’,V

>

Privacy

M=R(<P,Q,V>)+noise

inference = identity

inference = membershipD := {P = personal identifiers, (name, ID)Q = quasi identifiers, (age, zip code)V = measurement values (sensor data)}


6

Sensor DataCapture

Sensor DataCapture

Data Processing

Data Processing



Aggregate Queries

Sharing anIndividual’s data

M:=<P, Q, V’>


6

Sensor DataCapture

Sensor DataCapture

Data Processing

Data Processing



Aggregate Queries

Sharing anIndividual’s data

Privacy of Data(secrecy)

Privacy of Identity(anonymity)

Traditional

Privacy of Behavior

M:=<P, Q, V’>

7

Controls provided by current systems are insufficientAndroid Manifest

Binary Policies

7

Controls provided by current systems are insufficientpDroid

Static Policies

7

Controls provided by current systems are insufficientProtectMyPrivacy

Share Random Data

Design requirements of ipShield

8Protected

APIs

Unre

stric

ted

Acce

ss


8

Sensor Monitoring

Protected

APIs

Unre

stric

ted

Acce

ss

Combination of benign sensors can be used for privacy attack


9

Sensor Monitoring

GPS

Network

Accelerometer

Microphone

Light


9

Sensor Monitoring

GPS

Network

Accelerometer

Microphone

Light

Location

Transportation Mode

Password/PIN

Stress

Media Watching

Privacy Abstraction


10

Sensor Monitoring

Privacy Abstraction

TranslationAlgorithms

Privacy Rules on Sensors

Whitelist/Blacklist

User Privacy Preferences

Rule Enforcement


10

Sensor Monitoring

Privacy Abstraction



Whitelist/Blacklist


Rule Enforcement

Rule Recommender


10

Sensor Monitoring

Privacy Abstraction



Whitelist/Blacklist


Rule Enforcement

Rule Recommender

Manual Override (Rules)


10

Sensor Monitoring

Privacy Abstraction



Whitelist/Blacklist


Rule Enforcement

Rule Recommender

Manual Override (Rules)

Rule Enforcement

ipSh

ield

Rule Recommender

Whitelist/Blacklist

Privacy rules on sensors

Recommender objective

12

Generate a plan for context-aware obfuscation of sensor data

depending on the prioritized whitelist and blacklist

such that accuracy of whitelist is maximized and accuracy of blacklist is minimized.

Divide-and-conquer strategy

13

Recommend a plan containing allow/deny rules for sensors



+

Divide-and-conquer strategy

13

Recommend a plan containing allow/deny rules for sensors



Support manual override/configuration of fine-grained context-aware rules

Elements of the problem: accuracy

14

Activity Location OnScreen Taps

GPS+Acc+Gyro 95% 97% 80%

GPS+WiFi 83.1% 97% 0%

GPS+GSM 81.7% 98.2% 0%

GSM+WiFi 72.9% 94.03% 0%


14

Infe

renc

e D

atab

ase

(A)



GPS+WiFi 83.1% 97% 0%

GPS+GSM 81.7% 98.2% 0%

GSM+WiFi 72.9% 94.03% 0%


14

SensorCombination

Infe

renc

e D

atab

ase

(A)



GPS+WiFi 83.1% 97% 0%

GPS+GSM 81.7% 98.2% 0%

GSM+WiFi 72.9% 94.03% 0%


14

SensorCombination

InferenceType

Infe

renc

e D

atab

ase

(A)



GPS+WiFi 83.1% 97% 0%

GPS+GSM 81.7% 98.2% 0%

GSM+WiFi 72.9% 94.03% 0%


14

SensorCombination

InferenceType

Accuracy of Prediction

Infe

renc

e D

atab

ase

(A)

Elements of the problem: priority

15

Priority = (pactivity

, p

location

, p

tap

)

↓ ↓ ↓{10, 4, 10}priority = Prio

rity

(p)

Elements of the problem: priority

15

Priority = (pactivity

, p

location

, p

tap

)

↓ ↓ ↓{10, 4, 10}priority = Prio

rity

(p)

priorityWhitelisted inferences

↑ ⇒ allow whitelisted inferences

Blacklisted inferencespriority↑ ⇒ block blacklisted inferences

max

�22N

X

l2WA(�, l)2pl �

X

l2BA(�, l)2pl

s.t.X

l2B,pl

=pmax

A( , l) = 0

� = Sensor combination

W = whitelist, B = blacklist, pl = priority, and

Rule recommender in ipShield

16

max

�22N

X

l2WA(�, l)2pl �

X

l2BA(�, l)2pl

s.t.X

l2B,pl

=pmax

A( , l) = 0

⇓� = Sensor combination



16

Over all sensor combinations

max

�22N

X

l2WA(�, l)2pl �

X

l2BA(�, l)2pl

s.t.X

l2B,pl

=pmax

A( , l) = 0




16

Over all sensor combinations maximize accuracy of prioritized whitelist and

max

�22N

X

l2WA(�, l)2pl �

X

l2BA(�, l)2pl

s.t.X

l2B,pl

=pmax

A( , l) = 0




16

Over all sensor combinations maximize accuracy of prioritized whitelist and minimize accuracy of prioritized blacklist

max

�22N

X

l2WA(�, l)2pl �

X

l2BA(�, l)2pl

s.t.X

l2B,pl

=pmax

A( , l) = 0




16

Over all sensor combinations maximize accuracy of prioritized whitelist and minimize accuracy of prioritized blacklist

such that highest priority blacklists are always blocked.

Rule recommender at work

17



GPS+WiFi 83.1% 97% 0%

GPS+GSM 81.7% 98.2% 0%

GSM+WiFi 72.9% 94.03% 0%


17

Priority1{10, 4, 10}

0

835.4

820.0

731.45



GPS+WiFi 83.1% 97% 0%

GPS+GSM 81.7% 98.2% 0%

GSM+WiFi 72.9% 94.03% 0%


17

Priority1{10, 4, 10}

0

835.4

820.0

731.45

Allow



GPS+WiFi 83.1% 97% 0%

GPS+GSM 81.7% 98.2% 0%

GSM+WiFi 72.9% 94.03% 0%

ipShield

Monitoring

Privacy Abstraction

Rule Recommender

Fine-grained Rules

Enforcement

Prototype implementation on Android

Sensor subsystem in android and data interception

19

Third Party Apps

System Server

LocationManagerService

Sensor Manager

Location Manager

Sensor DataSensor Data

Hardware

Android Native/Linux Kernel

System Processes User Processes

Android Framework

SensorService


19

Third Party Apps

System Server


Sensor Manager

Location Manager


Hardware



Android Framework

}App and Managers run as part of the same process

SensorService


19

Third Party Apps

System Server


Sensor Manager

Location Manager


Hardware



Android Framework

}App and Managers run as part of the same process

} Services run in separatesystem owned processes

SensorService

Implementing ipShield

20

Sensor Manager

Location Manager

Hardware

Native Runtime


Trusted App part of ipShield

Trusted App (User Process)

Whitelist and Blacklist of inference ipShield

Monitoring

Privacy Abstraction

Rule Recommender

Fine-grained Rules

Enforcement


SensorService

System Server


20

Sensor Manager

Location Manager

Hardware

Native Runtime



Semantic Firewall Configurator

FirewallConfigManager

FirewallConfigService



Monitoring

Privacy Abstraction

Rule Recommender

Fine-grained Rules

Enforcement


SensorService

System Server


20

Sensor Manager

Location Manager

Hardware

Native Runtime








Monitoring

Privacy Abstraction

Rule Recommender

Fine-grained Rules

Enforcement


SensorService

System Server

InferenceDatabase


20

Sensor Manager

Location Manager

Hardware

Native Runtime







Whitelist and Blacklist of inference

RuleRecommender

ipShield

Monitoring

Privacy Abstraction

Rule Recommender

Fine-grained Rules

Enforcement


SensorService

System Server

InferenceDatabase


20

Sensor Manager

Location Manager

Hardware

Native Runtime








ContextEngine Rule

Recommender

DirectConfigurator

ipShield

Monitoring

Privacy Abstraction

Rule Recommender

Fine-grained Rules

Enforcement


SensorService

System Server

InferenceDatabase


20

Sensor Manager

Location Manager

Hardware

Native Runtime








ContextEngine Rule

Recommender

DirectConfigurator

ipShield

Monitoring

Privacy Abstraction

Rule Recommender

Fine-grained Rules

Enforcement


SensorService

System ServerObfuscatorObfuscator

InferenceDatabase

User interaction with ipShield

21

ipShield

Monitoring

Privacy Abstraction

Rule Recommender

Fine-grained Rules


21

ipShield

Monitoring

Privacy Abstraction

Rule Recommender

Fine-grained RulesSuppress


21

ipShield

Monitoring

Privacy Abstraction

Rule Recommender

Fine-grained Rules

Feasibility of running ipShield on mobile platforms

22

0

0.015

0.03

0.045

0.06

1 50 100 150 200

Tim

e (in

sec

s)

# rules

time to load rules into memorytime for the rules to take effect


22

0

0.015

0.03

0.045

0.06

1 50 100 150 200

Tim

e (in

sec

s)

# rules


0.1SENSOR_DELAY_NORMAL, SENSOR_DELAY_UI


22

0

0.015

0.03

0.045

0.06

1 50 100 150 200

Tim

e (in

sec

s)

# rules



0.02

SENSOR_DELAY_GAME


22

0

0.015

0.03

0.045

0.06

1 50 100 150 200

Tim

e (in

sec

s)

# rules



0.02

SENSOR_DELAY_GAME

0.006

SENSOR_DELAY_FASTEST


23

26.2

26.325

26.45

26.575

26.7

AOSP Passthrough Constant Perturb Suppress

Mem

ory

(in M

B)

Concluding Remarks

•We designed and implemented ipShield which- proposes the use of inferences as the currency for privacy and utility

specification.- advocates that the burden of configuring fine-grained privacy rules

should be shifted from the user to the system.- provides insight into how and what data is being used by apps and better

visibility into potential risks and consequences of sharing data.

• Going forward we want to...- develop the rule recommender to generate rules for obfuscating data.- augment ipShield with ability to perform static analysis of app code to

better understand the risks presented by the apps.- allow crowd-sourcing for bootstrapping of rules.

ipShield can be downloaded at http://tinyurl.com/ipshieldgit

24

25

Thank You

Rules supported

26

Contexts Action

Built-In External

TimeOfDay

Place

SensorType

AppName

DayOfWeek

Rule

Walking Running ...

Suppress Perturb Play-back

DistributionName

DistributionParam

SensorSource

Constant

Scalar Vector

SensorType

Normal

SensorSource

ipShield

Monitoring

Privacy Abstraction

Rule Recommender

Fine-grained Rules

Enforcement

Rules supported

26

Rule: If ((TimeOfDay in [12am-11:59pm]) and (Place=Bar) and (AppName=Saga) then apply action = Constant and Value = Restaurant on SensorType = GPS;

Contexts Action

Built-In External

TimeOfDay

Place

SensorType

AppName

DayOfWeek

Rule

Walking Running ...

Suppress Perturb Play-back

DistributionName

DistributionParam

SensorSource

Constant

Scalar Vector

SensorType

Normal

SensorSource

Classroom

My Home

Friend’sHome

StarbucksBar

Restaurant

Actual traceSpoofed trace

My Home

Friend’sHome

Classroom

Bar

ipShield

Monitoring

Privacy Abstraction

Rule Recommender

Fine-grained Rules

Enforcement

Sensor usage for apps

27

0

12.5

25

37.5

50

1 2 3 4 5 6

% o

f app

s

# sensors

Distribution of sensors by type

28

Accelerometer

GPS

Microphone

WiFi

Soft Sensors

Bluetooth

Gyroscope

Cellular

Camera

Others

0 5 10 15 20

% of apps

ipshield: a framework for enforcing context-aware privacy · sensor subsystem in android and data...

Documents