SMART DEVICES: DO THEY RESPECT YOUR PRIVACY?

2016. 11. 28.

Indian Institute of Technology Kharagpur

Presenter: Sandip Chakraborty ([email protected])

Systems and Mobile Research Lab, Department of Computer Science and Engineering

CONTEXT OF THIS TALK

• Do we sacrifice privacy by using various network services (Internet, online social networks, mobile phones, wearables)?

• How does the structure/topology of a network affect its privacy properties?

• Techniques for enhancing privacy?

• Privacy is hard!

• A few slides of this talk have been taken from https://www.cs.duke.edu/courses/spring11/cps096/notes/privacy.pptx. Thanks to the author!

WHAT DO WE MEAN BY PRIVACY?

• Louis Brandeis (1890)

– “right to be left alone”

– protection from institutional threat: government, press

• Alan Westin (1967)

– “right to control, edit, manage, and delete information about themselves and decide when, how, and to what extent information is communicated to others”

PRIVACY VS SECURITY

• Security helps enforce privacy policies

• Can be at odds with each other

– e.g., invasive screening to make us more “secure” against terrorism

Privacy: what information goes where?

Security: protection against unauthorized access

TRACKING ON THE WEB

• IP address

– Number identifying your device on the Internet

– Visible to the application (site) you are visiting

– Not always permanent

• Cookies

– Text stored on your device by the application

– Sent back to the application server by the client application on your device

– Used to save preferences, shopping cart, etc.

– Can track you even if your IP changes

APPLICATION PRIVACY: APPS OVER WEARABLES

SOCIAL APPS OVER WEARABLES ARE MORE VULNERABLE

• Apps are optimized to run on low-resource devices, compromising on security

• Data is transmitted through multiple interfaces

– Wearables are connected to smartphones. Ex.: the Twitter app on the smartphone triggers a notification in the Twitter app on the wearable.

• Multi-modal data processing: Device – Cloud – Device

FACEBOOK WANTS YOU TO BE LESS PRIVATE !!!!

ATTACK ON THE ZOMBIE PHOTOS

OSN MISHANDLES DATA …

THREAT: COLLUSION AMONG SERVICES

OSN APPS ARE SOURCES FOR SINGLE-POINT ATTACK

Centralized structure

• Pros

– Simplifies data analysis

– High availability

• Cons

– Single point of attack

– No longer control access to own data

Personal data

ALTERNATIVES?

• Anonymization

– Do not use real names

• Encryption

– NOYB, flyByNight

• Decentralization

– Tighter control over data

ANONYMIZATION

• Hide identity, remove identifying info

• Proxy server: connect through a third party to hide your IP

• Health data released for research purposes: remove name, address, etc.

THREAT: DEANONYMIZATION

• Netflix Prize dataset, released 2006

• 100,000,000 (private) ratings from 500,000 users

• Competition to improve recommendations

– i.e., if user X likes movies A, B, C, will they also like D?

• Anonymized: user name replaced by a number

THREAT: DEANONYMIZATION

• Problem: one can combine “private” ratings from Netflix with public reviews from IMDB to identify users in the dataset

• May expose embarrassing info about members…

THREAT: DEANONYMIZATION

Anonymized Netflix ratings:

User   Movie            Rating
1234   Rocky II         3/5
1234   The Wizard       4/5
1234   The Dark Knight  5/5
1234   Girls Gone Wild  5/5

Public IMDB reviews:

User     Movie            Rating
dukefan  The Wizard       8/10
dukefan  The Dark Knight  10/10
dukefan  Rocky II         6/10

User 1234 is dukefan!

THREAT: DEANONYMIZATION

• Lesson: you cannot always anonymize data simply by removing identifiers

• Vulnerable to aggregation of data from multiple sources/networks

• Humans are predictable

– E.g., try Rock-paper-scissors vs an AI
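The linkage behind the slide's "User 1234 is dukefan!" conclusion, as an added example that is not part of the talk: it joins a constructed anonymized ratings table with constructed public reviews on the movies they share (normalizing the 5-point and 10-point scales), links an id only when exactly one handle agrees on every shared movie, and reports which ratings the join newly exposes. All ids, handles and ratings are constructed; user 1234 and dukefan mirror the slide's table.

```python
from collections import defaultdict

# Constructed "anonymized" dump: user names replaced by numbers, ratings out of 5.
# User 1234 mirrors the table on the slide; 5678 is an extra constructed user.
ANON_RATINGS = {
    "1234": {"Rocky II": 3, "The Wizard": 4, "The Dark Knight": 5, "Girls Gone Wild": 5},
    "5678": {"Rocky II": 5, "The Wizard": 1, "Toy Story": 4},
}
# Constructed public reviews under real handles, ratings out of 10.
PUBLIC_REVIEWS = {
    "dukefan": {"The Wizard": 8, "The Dark Knight": 10, "Rocky II": 6},
    "moviebuff": {"Rocky II": 10, "Toy Story": 8, "The Wizard": 2},
    "lurker": {"The Dark Knight": 10},
}

def normalize(rating, scale):
    """Map a rating on a 1..scale scale to 0..1, so 3/5 and 6/10 compare equal."""
    return rating / scale

def similarity(anon, public, tolerance=0.1):
    """Return (matching_movies, overlapping_movies): a movie matches when both
    normalized ratings agree within the tolerance."""
    overlap = set(anon) & set(public)
    matches = sum(1 for m in overlap
                  if abs(normalize(anon[m], 5) - normalize(public[m], 10)) <= tolerance)
    return matches, len(overlap)

def link_users(anon_table, public_table, min_overlap=2):
    """Link each anonymized id to the public handle whose ratings agree on every
    overlapping movie (at least min_overlap of them). An id with zero or several
    such candidates stays unlinked, so a lone shared rating never links anyone."""
    links = {}
    for anon_id, anon in anon_table.items():
        candidates = []
        for handle, public in public_table.items():
            matches, overlap = similarity(anon, public)
            if overlap >= min_overlap and matches == overlap:
                candidates.append(handle)
        if len(candidates) == 1:
            links[anon_id] = candidates[0]
    return links

def exposed_ratings(anon_table, public_table, links):
    """Ratings the linked person never published: what the join newly reveals."""
    exposed = defaultdict(dict)
    for anon_id, handle in links.items():
        for movie, rating in anon_table[anon_id].items():
            if movie not in public_table[handle]:
                exposed[handle][movie] = rating
    return dict(exposed)

if __name__ == "__main__":
    links = link_users(ANON_RATINGS, PUBLIC_REVIEWS)
    print(links)                                                  # {'1234': 'dukefan', '5678': 'moviebuff'}
    print(exposed_ratings(ANON_RATINGS, PUBLIC_REVIEWS, links))  # {'dukefan': {'Girls Gone Wild': 5}}
```

Removing the name did nothing here: three shared ratings, each on a coarse scale, were enough to single out one handle, which is the slide's lesson about aggregating sources.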

LOCATION PRIVACY

• Mobile phones / wearables:

– Always in your pocket or hands

– Always connected

– Always know where they are: GPS

• Location-based services

• Location-based ads

• What are we giving up?


WHY, WHEN AND WHAT TO DISCLOSE?

• It is not a simple question!

• Tradeoff with functionality

• Also important: whom to disclose it to?

– Relatives

– Co-workers

– Friends

• There have been studies about this

– Not easy to classify

– People want to disclose only what is useful

HOW IS YOUR DATA USED BY APPS?

• Many “free” apps are supported by ads

• Analytics: profiling users

• Our research: found it common for popular free apps to send location and device ID to advertising and analytics servers

• What can we do?

– More visibility into what an app does with data once it reads it

APPSCOPE

• Monitors app behavior to determine when privacy-sensitive information leaves the phone

• Develop a learning algorithm to identify “Personally Identifiable Information” (PII)

– Find keywords corresponding to PII: Location, Name, Phone Number, Gender, …

APPLICATION STUDY

• 30 popular Android applications that access the Internet, camera, location or microphone

• Of 105 flagged connections, only 37 were legitimate

FINDINGS – LOCATION

• 15 of the 30 applications shared physical location with an ad server

• Most of this information was sent in the clear

• In no case was the sharing obvious to the user

– Or written in the EULA

• In some cases it occurred without the app being in use!

FINDINGS – PHONE IDENTIFIERS

• 7 applications sent device unique identifiers (IMEI) and 2 apps sent phone info (e.g., phone number) to a remote location without warning

– One app’s EULA indicated the IMEI was sent

– Appeared to be sent to app developers

“There have been cases in the past on other mobile platforms where well-intentioned developers are simply over-zealous in their data gathering, without having malicious intent.” -- Lookout
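A detector in the spirit of AppScope and the two findings slides, as an added example that is not the AppScope code from the talk: it scans constructed outbound-connection records for PII field names and for the device's own identifier values, then marks each hit as sent in the clear (plaintext HTTP) and/or to a third-party host, the two properties the findings report. The `.test` hostnames, IMEI, phone number, coordinates and record format are all constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed identity of the monitored device: the values the detector knows to look for.
DEVICE_PII = {
    "imei": "356938035643809",           # constructed, not a real device
    "phone_number": "+919800000000",
    "location": ("22.3149", "87.3105"),  # lat/lon strings as a location API would emit
}
# Keyword hints for PII field names (the slide's keyword-learning step, hand-written here).
PII_KEYWORDS = {
    "location": re.compile(r"\b(lat|lon|lng|latitude|longitude|geo)\b", re.I),
    "imei": re.compile(r"\b(imei|device_?id|udid)\b", re.I),
    "phone_number": re.compile(r"\b(msisdn|phone|tel)\b", re.I),
    "name": re.compile(r"\b(first_?name|last_?name|full_?name)\b", re.I),
    "gender": re.compile(r"\bgender\b", re.I),
}

def pii_in_payload(url, body=""):
    """PII categories whose field name or known device value appears in the
    query string or form body of one outbound request."""
    fields = {**parse_qs(urlsplit(url).query), **parse_qs(body)}
    found = set()
    for key, values in fields.items():
        found.update(c for c, pat in PII_KEYWORDS.items() if pat.search(key))
        for value in values:
            for category, known in DEVICE_PII.items():
                if value in (known if isinstance(known, tuple) else (known,)):
                    found.add(category)
    return found

def flag_connection(record, first_party_domains):
    """Classify one connection record, or return None when no PII leaves the phone.
    'in_clear' marks plaintext HTTP; 'third_party' marks a host outside the app's own domains."""
    url = record["url"]
    host = urlsplit(url).hostname or ""
    pii = pii_in_payload(url, record.get("body", ""))
    if not pii:
        return None
    first_party = any(host == d or host.endswith("." + d) for d in first_party_domains)
    return {"app": record["app"], "host": host, "pii": sorted(pii),
            "in_clear": urlsplit(url).scheme == "http", "third_party": not first_party}

def audit(connections, first_party_domains):
    """Flagged connections only, in log order."""
    return [f for f in (flag_connection(c, first_party_domains) for c in connections) if f]

# Constructed connection log for one app whose own domain is example-game.test.
CONNECTIONS = [
    {"app": "example-game", "url": "https://api.example-game.test/score?level=3&pts=900"},
    {"app": "example-game",
     "url": "http://ads.example-adnet.test/serve?lat=22.3149&lon=87.3105&imei=356938035643809"},
    {"app": "example-game", "url": "https://stats.example-analytics.test/collect",
     "body": "event=open&msisdn=%2B919800000000"},
]

if __name__ == "__main__":
    for finding in audit(CONNECTIONS, ["example-game.test"]):
        print(finding)
```

Matching on the device's own values catches a leak even when the field is renamed, which keyword matching alone misses; as the takeaways slide notes, a monitor like this runs in user space, so an app that hides its behaviour from it is not caught.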

TAKEAWAYS

• Decentralized network structure can enhance privacy

• Difficult to achieve true anonymity

• Fine-grained control over data can help

– Tension with usability

APPSCOPE WORKS IN USER SPACE – AN APP CAN HIDE ITS PERMISSION FROM APPSCOPE

TRUSTED EXECUTION ENVIRONMENT

• Secure area of the main processor in a smartphone or any connected device

• Ensures sensitive data is stored, processed and protected in an isolated and trusted environment

• GlobalPlatform standardizes the TEE and produces specifications, compliance programs and certification schemes.

TEE ARCHITECTURE

“TEE allows applications to execute, process, protect and store sensitive data in an isolated, trusted environment”

TEE USE CASES

• Platform integrity

• Secure storage

• Isolated execution

• Device identification

• Device authentication

• User authentication

• Transaction validation

TEE IN INDUSTRY

• Architectures with a single TEE

– ARM TrustZone

– TI M-Shield

– Smart card

– Crypto co-processor

– TPM

• Architectures with multiple TEEs

– Intel SGX

– TPM

– Hypervisor

ARM TRUSTZONE

• TrustZone is a set of security extensions added to ARMv6 processors and later, such as ARM11, Cortex-A8, Cortex-A9 and Cortex-A15.

• TrustZone enables the development of separate environments

– Rich Operating System – Normal domain

– Trusted Execution – Secure domain

• Both domains have the same capabilities

– They operate in separate memory spaces

• Enables a single physical processor core to execute from both the Normal world and the Secure world

– Normal world components cannot access Secure world resources

HOW DOES TRUSTZONE WORK?

• User-space applications operate in the "normal" world

• The kernel runs in "system" mode; the trusted kernel operates in "monitor" mode in the secure world

• Because of this architecture, even a "rooted" application cannot access protected regions within the trusted kernel.

• Uses a “33rd bit” signaling whether the core is in secure mode

• This bit is also propagated outside the system on chip (SoC)

• Peripherals and memory are configured during startup as to which side they belong to (normal/secure)

TRUSTZONE WORKING

• TrustZone Non-Secure bit

– The memory is split into Secure and Non-secure regions

– The Non-secure (NS) bit determines whether program execution is in the Secure or the Non-secure world

• Transition management

– Switch between the normal and secure domains

– Monitor: gatekeeper that controls migration between the Normal and Secure worlds

ARM TRUSTZONE ARCHITECTURE

Source (figure): https://www.arm.com/products/processors/technologies/trustzone/tee-smc.php

Source (figure): https://www.cs.helsinki.fi/group/secures/CCS-tutorial/

TRUSTZONE SOFTWARE

• TrustZone software provides a minimal secure kernel which can run in parallel with a more fully featured high-level OS, such as Linux, Android, or BSD, on the same core.

• It also provides drivers for the normal, rich OS ("normal world") to communicate with the secure OS ("secure world").

TRUSTZONE API & GLOBALPLATFORM TEE API

• The TrustZone API targeted applications running in the normal OS and masked the secure OS implementation from the normal OS

• It was the initial endeavor by ARM to standardize software development for the TrustZone hardware security extensions

• ARM has partnered with GlobalPlatform to define a new Trusted Execution Environment (TEE) API that covers all three aspects:

– TEE Client API Specification

– TEE Internal API Specification

– TEE System Architecture

RESEARCH WITH TRUSTZONE

• Reliable and Trustworthy Memory Acquisition on Smartphones (IEEE Transactions on Information Forensics and Security, Vol. 10, No. 12, December 2015)

• Using ARM TrustZone to Build a Trusted Language Runtime for Mobile Applications (ASPLOS '14: Proceedings of the 19th International Conference on Architectural Support for Programming Languages and Operating Systems)

• TrustOTP: Transforming Smartphones into Secure One-Time Password Tokens (CCS '15: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security)

Systems and Mobile Research Lab,

Department of Computer Science and Engineering, IIT Kharagpur, INDIA 721302

http://cse.iitkgp.ac.in/~sandipc/