ABSTRACT
Services such as Facebook and Twitter host and disseminate data on behalf of billions of users. Because these services often manage personal data, they allow users to specify access policies controlling how their data is shared with others within the service. However, services also act as programming platforms, exporting users' data to third-party applications via remote APIs. Nearly all of these third-party applications execute on server infrastructure that is not controlled by the service. As a result, a service has no way to guarantee that data shared with a third-party application will be managed according to users' policies. Delegation protocols such as OAuth allow a user and service to confer or deny an application's right to access a data item, but once the item has been released there is no oversight of what the application does with it. In this paper, we present the design and implementation of a Multi-User Taint Tracker (MUTT), which ensures that third-party applications adhere to access policies defined by service users. We motivate MUTT's design by analyzing 170 Facebook apps and several services' Terms of Service, and demonstrate the feasibility of our design through experiments with a prototype implementation.
Index Terms
- MUTT: a watchdog for OSN applications