Supriyo Chakraborty, Chenguang Shen, Kasturi Rangan Raghavan, Yasser Shoukry, Matt Millar, Mani Srivastava
ipShield: A Framework For Enforcing Context-Aware Privacy
From sensor data to inferences (slides 2-3)
Sensor Data → Apps → Inferences
- Utility-providing inferences: Fitness, mHealth, Phone operation, Lifelogging
- Sensitive inferences: Location, Password, Media habits, Physiological habits
Protecting inference privacy while providing utility (slide 4)
Sensor Data → Apps → Inferences
- Whitelist: the utility-providing inferences (Fitness, mHealth, Phone operation, Lifelogging)
- Blacklist: the sensitive inferences (Location, Password, Media habits, Physiological habits)
- Inference firewall ✖ (shown crossed out on the slide: there is no firewall sitting between apps and the inferences they draw)
Prior notions of privacy in databases (slide 5)
Pipeline: Sensor Data Capture → Data Processing → Population Scale Database → Information Recipient
Database D := {P = personal identifiers (name, ID); Q = quasi identifiers (age, zip code); V = measurement values (sensor data)}
- Anonymization (1. k-anonymity, 2. l-diversity, 3. t-closeness): the recipient receives $M = \langle P', Q', V \rangle$; the protected inference is identity
- Differential privacy: the recipient receives $M = R(\langle P, Q, V \rangle) + \text{noise}$; the protected inference is membership
Prior notions of privacy in databases (slide 6)
- Aggregate queries vs. sharing an individual's data: $M := \langle P, Q, V' \rangle$
- Traditional notions: privacy of data (secrecy) and privacy of identity (anonymity)
- Beyond the traditional notions: privacy of behavior
Controls provided by current systems are insufficient (slide 7)
- Android Manifest: binary policies
- pDroid: static policies
- ProtectMyPrivacy: shares random data
Design requirements of ipShield (slides 8-10)
- Sensor access today: some sensors sit behind protected APIs, others are open to unrestricted access
- Sensor Monitoring: a combination of benign sensors can be used for a privacy attack
  Sensors: GPS, Network, Accelerometer, Microphone, Light → Inferences: Location, Transportation Mode, Password/PIN, Stress, Media Watching
- Privacy Abstraction: user privacy preferences are expressed as a whitelist/blacklist of inferences and translated by translation algorithms into privacy rules on sensors
- Rule Enforcement
- Rule Recommender
- Manual Override (rules)

ipShield at a glance: Rule Recommender, Whitelist/Blacklist → privacy rules on sensors, Rule Enforcement
Recommender objective (slide 12)
Generate a plan for context-aware obfuscation of sensor data, depending on the prioritized whitelist and blacklist, such that the accuracy of the whitelist is maximized and the accuracy of the blacklist is minimized.
Divide-and-conquer strategy (slide 13)
1. Recommend a plan containing allow/deny rules for sensors, depending on the prioritized whitelist and blacklist, such that the accuracy of the whitelist is maximized and the accuracy of the blacklist is minimized.
+
2. Support manual override/configuration of fine-grained context-aware rules.
Elements of the problem: accuracy (slide 14)
Inference database (A): rows are sensor combinations, columns are inference types, and each cell is the accuracy of prediction.

Sensor combination | Activity | Location | OnScreen Taps
GPS+Acc+Gyro       | 95%      | 97%      | 80%
GPS+WiFi           | 83.1%    | 97%      | 0%
GPS+GSM            | 81.7%    | 98.2%    | 0%
GSM+WiFi           | 72.9%    | 94.03%   | 0%
Elements of the problem: priority (slide 15)
Priority = (p_activity, p_location, p_tap), for example {10, 4, 10}; priority = Priority(p)
- Whitelisted inferences: priority ↑ ⇒ allow whitelisted inferences
- Blacklisted inferences: priority ↑ ⇒ block blacklisted inferences

Rule recommender in ipShield (slide 16)
$$\max_{\sigma \in 2^{N}} \;\sum_{l \in W} A(\sigma, l)\, 2^{p_l} \;-\; \sum_{l \in B} A(\sigma, l)\, 2^{p_l}$$
$$\text{s.t.}\quad \sum_{l \in B,\; p_l = p_{\max}} A(\sigma, l) = 0$$
where σ ∈ 2^N = a sensor combination (a subset of the sensors N), W = whitelist, B = blacklist, p_l = priority of inference l, and A(σ, l) = accuracy of inference l from σ (the inference database of slide 14).
⇓
Over all sensor combinations, maximize the accuracy of the prioritized whitelist and minimize the accuracy of the prioritized blacklist, such that the highest-priority blacklisted inferences are always blocked.
Rule recommender at work (slide 17)
Priority = {10, 4, 10} for (Activity, Location, OnScreen Taps); objective score for each sensor combination, with the recommended combination marked Allow:

Sensor combination | Activity | Location | OnScreen Taps | Score  | Decision
GPS+Acc+Gyro       | 95%      | 97%      | 80%           | 0      |
GPS+WiFi           | 83.1%    | 97%      | 0%            | 835.4  | Allow
GPS+GSM            | 81.7%    | 98.2%    | 0%            | 820.0  |
GSM+WiFi           | 72.9%    | 94.03%   | 0%            | 731.45 |
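The objective of slide 16 evaluated over the slide-14 inference database, as an added example (not code from the ipShield project). The slides give only the priorities {10, 4, 10}; the split W = {activity}, B = {location, tap} is an assumption, chosen because it reproduces the slide-17 scores 835.4 and 731.45 (GPS+GSM comes out at 820.9 rather than the slide's 820.0), and GPS+Acc+Gyro is rejected by the constraint because the top-priority blacklisted inference (taps) is still predictable from it.

```python
# Inference database A(sigma, l) from slide 14: accuracy, as a fraction, of
# predicting inference l from the sensor combination sigma.
INFERENCE_DB = {
    ("GPS", "Acc", "Gyro"): {"activity": 0.95, "location": 0.97, "tap": 0.80},
    ("GPS", "WiFi"): {"activity": 0.831, "location": 0.97, "tap": 0.0},
    ("GPS", "GSM"): {"activity": 0.817, "location": 0.982, "tap": 0.0},
    ("GSM", "WiFi"): {"activity": 0.729, "location": 0.9403, "tap": 0.0},
}

# Assumed whitelist/blacklist split for the slide-17 example; the slide itself
# states only the priorities {10, 4, 10} for (activity, location, tap).
WHITELIST = {"activity"}
BLACKLIST = {"location", "tap"}
PRIORITY = {"activity": 10, "location": 4, "tap": 10}


def score(acc, whitelist, blacklist, priority):
    """Objective of slide 16 for one sensor combination:
    sum_{l in W} A(sigma,l)*2^p_l - sum_{l in B} A(sigma,l)*2^p_l.
    Returns None when the constraint fails, i.e. a blacklisted inference with
    the highest priority p_max is still predictable (A != 0)."""
    p_max = max(priority.values())
    if any(priority[l] == p_max and acc.get(l, 0.0) != 0.0 for l in blacklist):
        return None
    gain = sum(acc.get(l, 0.0) * 2 ** priority[l] for l in whitelist)
    loss = sum(acc.get(l, 0.0) * 2 ** priority[l] for l in blacklist)
    return gain - loss


def recommend(db, whitelist, blacklist, priority):
    """Score every sensor combination and build an allow/deny plan: the best
    feasible combination is allowed, every other combination is denied."""
    scores = {s: score(a, whitelist, blacklist, priority) for s, a in db.items()}
    feasible = {s: v for s, v in scores.items() if v is not None}
    best = max(feasible, key=feasible.get) if feasible else None
    plan = {s: ("allow" if s == best else "deny") for s in db}
    return best, scores, plan


if __name__ == "__main__":
    best, scores, plan = recommend(INFERENCE_DB, WHITELIST, BLACKLIST, PRIORITY)
    for combo, value in scores.items():
        shown = "infeasible" if value is None else f"{value:.2f}"
        print("+".join(combo), shown, plan[combo])
    print("recommended:", "+".join(best))
```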
ipShield components: Monitoring, Privacy Abstraction, Rule Recommender, Fine-grained Rules, Enforcement

Prototype implementation on Android (slide 18)
Sensor subsystem in Android and data interception (slide 19)
Layers, bottom to top: Hardware → Android Native/Linux Kernel → Android Framework, System Server (SensorService, LocationManagerService) → Sensor Manager / Location Manager → Third Party Apps; sensor data flows upward through each layer.
- App and Managers run as part of the same process (user processes)
- Services run in separate, system-owned processes (system processes)
Implementing ipShield (slide 20)
- System processes, System Server: SensorService and LocationManagerService, each with an Obfuscator; FirewallConfigService
- User processes: Sensor Manager and Location Manager in the app's process, above Hardware and Native Runtime
- Trusted App (user process), part of ipShield: Semantic Firewall Configurator, FirewallConfigManager, Inference Database, Rule Recommender, Context Engine, Direct Configurator; its input is the whitelist and blacklist of inferences
ipShield components: Monitoring, Privacy Abstraction, Rule Recommender, Fine-grained Rules, Enforcement
User interaction with ipShield (slide 21)
[Figure: screenshots of the ipShield user interface; visible labels: Monitoring, Privacy Abstraction, Rule Recommender, Fine-grained Rules, Suppress]
Feasibility of running ipShield on mobile platforms (slide 22)
[Figure: time (in secs, 0 to 0.06) vs. number of rules (1 to 200); two curves: time to load rules into memory, and time for the rules to take effect. Reference lines marked 0.1 (SENSOR_DELAY_NORMAL, SENSOR_DELAY_UI), 0.02 (SENSOR_DELAY_GAME) and 0.006 (SENSOR_DELAY_FASTEST)]
Feasibility of running ipShield on mobile platforms (slide 23)
[Figure: memory (in MB, axis 26.2 to 26.7) for AOSP, Passthrough, Constant, Perturb and Suppress]
Concluding Remarks (slide 24)
• We designed and implemented ipShield, which
  - proposes the use of inferences as the currency for privacy and utility specification.
  - advocates that the burden of configuring fine-grained privacy rules should be shifted from the user to the system.
  - provides insight into how and what data is being used by apps and better visibility into potential risks and consequences of sharing data.
• Going forward we want to...
  - develop the rule recommender to generate rules for obfuscating data.
  - augment ipShield with the ability to perform static analysis of app code to better understand the risks presented by the apps.
  - allow crowd-sourcing for bootstrapping of rules.
ipShield can be downloaded at http://tinyurl.com/ipshieldgit

Thank You (slide 25)
Rules supported (slide 26)
Rule = Contexts + Action
- Contexts
  - Built-In: TimeOfDay, Place, SensorType, AppName, DayOfWeek
  - External: Walking, Running, ...
- Action, applied to a SensorType: Suppress | Perturb (DistributionName, e.g. Normal; DistributionParam) | Play-back (SensorSource) | Constant (Scalar or Vector)
Example rule: If ((TimeOfDay in [12am-11:59pm]) and (Place=Bar) and (AppName=Saga)) then apply action = Constant and Value = Restaurant on SensorType = GPS;
[Figure: map with the places Classroom, My Home, Friend's Home, Starbucks, Bar and Restaurant; actual trace (My Home, Friend's Home, Classroom, Bar) vs. the spoofed trace produced under the rule above]
ipShield components: Monitoring, Privacy Abstraction, Rule Recommender, Fine-grained Rules, Enforcement
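The slide-26 rule model carried through to enforcement, as an added example (not code from the ipShield project): a rule holds built-in contexts and one action, and the enforcer applies the first matching rule to a GPS reading before the app sees it. The `Rule` and `enforce` names, the context dictionary shape and the "Restaurant" coordinates are all assumptions constructed for this example; only the Suppress/Constant/Perturb actions are implemented here.

```python
import random
from dataclasses import dataclass, field
from datetime import time
from typing import Any, Dict, Optional, Tuple

# Constructed stand-in for the Place "Restaurant" used as the Constant value
# in the slide-26 rule; the coordinates are made up for this example.
PLACE_COORDS = {"Restaurant": (34.0700, -118.4400)}


@dataclass
class Rule:
    """One ipShield-style rule (slide 26): built-in contexts plus an action on
    a sensor type. Contexts left as None match anything."""
    sensor_type: str
    action: str  # "Suppress", "Constant" or "Perturb"
    time_range: Tuple[time, time] = (time(0, 0), time(23, 59))
    place: Optional[str] = None
    app_name: Optional[str] = None
    value: Any = None  # scalar or vector used by Constant
    dist_param: Dict[str, float] = field(default_factory=dict)  # Perturb: Normal(mean, std)

    def matches(self, ctx: Dict[str, Any]) -> bool:
        start, end = self.time_range
        return (self.sensor_type == ctx["sensor_type"]
                and start <= ctx["time"] <= end
                and (self.place is None or self.place == ctx["place"])
                and (self.app_name is None or self.app_name == ctx["app_name"]))


def gps_context(hour, minute, place, app_name):
    """Context snapshot for one GPS delivery: time of day, current place, app."""
    return {"sensor_type": "GPS", "time": time(hour, minute),
            "place": place, "app_name": app_name}


def enforce(rules, ctx, reading, rng=None):
    """Apply the first matching rule to a reading on its way to the app:
    Suppress drops it (None), Constant replaces it, Perturb adds Normal noise
    to each component; with no matching rule the reading passes through."""
    rng = rng or random.Random(0)
    for rule in rules:
        if not rule.matches(ctx):
            continue
        if rule.action == "Suppress":
            return None
        if rule.action == "Constant":
            return rule.value
        if rule.action == "Perturb":
            mean = rule.dist_param.get("mean", 0.0)
            std = rule.dist_param.get("std", 1.0)
            return tuple(x + rng.gauss(mean, std) for x in reading)
    return reading


# The slide-26 rule: while at a Bar, the app "Saga" is given the Restaurant.
BAR_RULE = Rule("GPS", "Constant", place="Bar", app_name="Saga",
                value=PLACE_COORDS["Restaurant"])

if __name__ == "__main__":
    print(enforce([BAR_RULE], gps_context(22, 15, "Bar", "Saga"), (34.0522, -118.2437)))
```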
Sensor usage for apps (slide 27)
[Figure: % of apps (0 to 50) vs. number of sensors used (1 to 6)]

Distribution of sensors by type (slide 28)
[Figure: % of apps (0 to 20) using each sensor type: Accelerometer, GPS, Microphone, WiFi, Soft Sensors, Bluetooth, Gyroscope, Cellular, Camera, Others]