Bridging the Gap Between People and Policies in Security and Privacy

Umesh Shankar

EECS Department, University of California, Berkeley

Technical Report No. UCB/EECS-2006-191

December 21, 2006

http://www2.eecs.berkeley.edu/Pubs/TechRpts/2006/EECS-2006-191.pdf

<p>The most powerful of security and privacy mechanisms may be rendered ineffective if people cannot use them. A common usability problem is that it is hard to specify the policies that the mechanisms enforce. Indeed, the more powerful the mechanism, the larger and more complex its policy can be; this makes it difficult not only to write a policy down, but also to make sure that an existing policy is a secure one. </p><p> In this dissertation, we make progress in addressing both these problems: <i>translating</i> people's high-level intentions into low-level policies and <i>verifying</i> that low-level policies meet high-level goals. To this end, we explore two application domains and their corresponding user bases. </p><p> For system administrators, we define a useful secure information-flow property, which we term <i>CW-Lite</i>. It says that untrusted processes should not be able to send unfiltered inputs to trusted processes. This is a basic security concern which can lead to system compromise, but it is unverified on most systems today because there is no effective, easy way to do the verification. A big advantage of our approach is that system administrators can perform a completely automated verification of CW-Lite using our tools, making it easier to integrate into a system. </p><p> With <i>Doppelganger</i>, an extension to the Firefox browser, we target a wider audience. Web browser cookies are used to manage relatively benign session state such as shopping carts, but also---almost ubiquitously---to track and record users' actions across sites and sessions, representing a significant privacy risk. Doppelganger seeks to generate a good cookie policy for each user, one that reflects that user's privacy vs. functionality cost-benefit curve, in an automated way. It uses several techniques: it automatically determines when certain cookies yield no benefit; when necessary, it asks the user to make a few informed, high-level decisions; and lastly, it offers a one-click error-recovery mechanism. We evaluated Doppelganger for privacy and usability in two experiments, including a controlled usability study with 18 users. In both cases, we found that Doppelganger offered greater privacy than the built-in browser settings, and that the cost in usability was modest. </p>

Advisors: David Wagner

BibTeX citation:

@phdthesis{Shankar:EECS-2006-191,
    Author= {Shankar, Umesh},
    Title= {Bridging the Gap Between People and Policies in Security and Privacy},
    School= {EECS Department, University of California, Berkeley},
    Year= {2006},
    Month= {Dec},
    Url= {http://www2.eecs.berkeley.edu/Pubs/TechRpts/2006/EECS-2006-191.html},
    Number= {UCB/EECS-2006-191},
    Abstract= {<p>The most powerful of security and privacy mechanisms may be
rendered ineffective if people cannot use them. A common usability
problem is that it is hard to specify the policies that the mechanisms
enforce. Indeed, the more powerful the mechanism, the larger and more
complex its policy can be; this makes it difficult not only to write a
policy down, but also to make sure that an existing policy is a secure
one.
</p><p> In this dissertation, we make progress in addressing both
these problems: <i>translating</i> people's high-level intentions into
low-level policies and <i>verifying</i> that low-level policies meet
high-level goals. To this end, we explore two application domains and
their corresponding user bases.
</p><p> For system administrators, we define a useful secure
information-flow property, which we term <i>CW-Lite</i>. It says that
untrusted processes should not be able to send unfiltered inputs to
trusted processes. This is a basic security concern which can lead to
system compromise, but it is unverified on most systems today because
there is no effective, easy way to do the verification. A big
advantage of our approach is that system administrators can perform a
completely automated verification of CW-Lite using our tools, making
it easier to integrate into a system.
</p><p> With <i>Doppelganger</i>, an extension to the Firefox browser,
we target a wider audience.  Web browser cookies are used to manage
relatively benign session state such as shopping carts, but
also---almost ubiquitously---to track and record users' actions across
sites and sessions, representing a significant privacy
risk. Doppelganger seeks to generate a good cookie policy for each
user, one that reflects that user's privacy vs. functionality
cost-benefit curve, in an automated way. It uses several techniques:
it automatically determines when certain cookies yield no benefit;
when necessary, it asks the user to make a few informed, high-level
decisions; and lastly, it offers a one-click error-recovery mechanism.
We evaluated Doppelganger for privacy and usability in two
experiments, including a controlled usability study with 18 users. In
both cases, we found that Doppelganger offered greater privacy than
the built-in browser settings, and that the cost in usability was
modest.
</p>},
}

EndNote citation:

%0 Thesis
%A Shankar, Umesh 
%T Bridging the Gap Between People and Policies in Security and Privacy
%I EECS Department, University of California, Berkeley
%D 2006
%8 December 21
%@ UCB/EECS-2006-191
%U http://www2.eecs.berkeley.edu/Pubs/TechRpts/2006/EECS-2006-191.html
%F Shankar:EECS-2006-191