Access control is a multi-faceted area that has been advanced by a wide range of computer science research communities including programming languages, human-computer interaction, computer architecture, and operating systems. In general, this body of work has either sought to improve the expressiveness of access control logic or introduce novel mechanisms for enforcing policies. Each approach relies on a human operator or programmer to manually specify access control policies which are then enforced by a trusted reference monitor. Unfortunately, policy specification is often an error-prone process and can lead to damaging breaches of confidentiality due to access control misconfiguration. This work takes a three-phased approach to mitigating the effects of access control misconfiguration: 1) develop heuristics and models of proper access control enforcement, 2) design and implement system monitoring mechanisms capable of automatically identifying suspicious sharing patterns, and 3) evaluate the effectiveness of these heuristics and implementations through user studies and honeypots. These activities target both ubiquitous Internet systems such as the web and email as well as emerging mobile systems such as mobile social networks and mobile banking.

Project Report

Over the course of this grant, we have explored the problem of access control misconfiguration on both desktop and mobile computing platforms. In order to prevent sensitive data from leaking, a system must first know what data is sensitive. Our work on RedFlag addressed this problem by analyzing the data downloaded by desktop programs like web browsers and IM chat clients to infer whether it was sensitive. Soon after completing our work on RedFlag, we shifted our focus to the emerging (at the time) area of mobile computing. In particular, we became interested in data collected on smartphones, including locations, photographs, and social encounters. To that end, we collaborated with Intel and Penn State on the Android tracking tool TaintDroid. TaintDroid monitors how third-party apps use sensitive data, and we evaluated TaintDroid using 30 randomly selected, popular Android apps that use location, camera, or microphone data. TaintDroid correctly flagged 105 instances in which these apps transmitted sensitive data; of the 105, we determined that 37 were clearly legitimate. TaintDroid also revealed that 15 of the 30 apps forwarded users' locations to remote advertising and analytics servers without proper notification (i.e., via the text of the user agreement or prominent runtime alerts). These results were the first detailed account of how many mobile apps share users' sensitive information without proper notification. Our follow-up work focused on protecting users' passwords. One of the hallmarks of our work on TaintDroid has been the consistent involvement of undergraduates in research; since joining the project, four undergraduates have worked directly on TaintDroid or on a related follow-up project. In addition, this work has accelerated the ongoing shift in our operating systems courses away from material and projects based on traditional UNIX concepts and toward a focus on mobile operating systems like Android and the cloud infrastructure on which they depend.

Agency: National Science Foundation (NSF)
Institute: Division of Computer and Network Systems (CNS)
Application #: 0747283
Program Officer: Clifton Bingham
Project Start:
Project End:
Budget Start: 2008-09-01
Budget End: 2013-08-31
Support Year:
Fiscal Year: 2007
Total Cost: $462,500
Indirect Cost:
Name: Duke University
Department:
Type:
DUNS #:
City: Durham
State: NC
Country: United States
Zip Code: 27705