Selected Conference Publications
AWare: Preventing Abuse of Privacy-Sensitive Sensors via Operation Bindings
To appear in the Proceedings of the 26th USENIX Security Symposium, USENIX Security 2017, Vancouver, BC, Canada.
Giuseppe Petracca, Ahmad-Atamli Reineh, Yuqiong Sun, Jens Grossklags, and Trent Jaeger
System designers have long struggled with the challenge of determining how to obtain user authorizations securely and effectively for allowing untrusted applications to perform sensitive system operations on privacy-sensitive device sensors. While trusted paths enable the system to receive authentic user input, systems have to bridge a semantic gap to determine the intent of an application-specific user input, and untrusted applications may try to spoof the user and/or the system to obtain unauthorized access. In this paper, we propose that users explicitly authorize the operations allowed by their user input events and bind it to specific contexts within which an application can operate sensitive device sensors. To demonstrate this approach, we implement the AWare authorization framework for Android, extending the Android Middleware to control access to sensitive device sensors. We evaluate the effectiveness of AWare in preventing abuse of such sensors by malicious applications in a laboratory-based user study, finding that at most 7% of the users were tricked by examples of four types of attacks when using AWare, while 88% of users were tricked when using alternative approaches on average. Also, we study the decision overhead required of the users for the finer-grained access control in AWare, finding that the user effort is limited to only 2 additional decisions, on average, per application for the study duration. Lastly, we study the compatibility of AWare with 1,000 of the most-downloaded Android applications, demonstrating that such applications can operate effectively under AWare while incurring less than 4% performance overhead on microbenchmarks.
On Risk in Access Control Enforcement
To appear in the 22nd ACM Symposium on Access Control Models and Technologies, SACMAT 2017, Indianapolis, IN, USA.
Giuseppe Petracca, Frank Capobianco, Christian Skalka and Trent Jaeger
While we have long had principles describing how access control enforcement should be implemented, such as the reference monitor concept, imprecision in access control mechanisms and access control policies leads to risks that may enable exploitation. In practice, least privilege access control policies often allow information flows that may enable exploits. In addition, the implementation of access control mechanisms often tries to balance security with ease of use implicitly (e.g., with respect to determining where to place authorization hooks) and approaches to tighten access control, such as accounting for program context, are ad hoc. In this paper, we define four types of risks in access control enforcement and explore possible approaches and challenges in tracking those types of risks. In principle, we advocate runtime tracking to produce risk estimates for each of these types of risk. To better understand the potential of risk estimation for authorization, we propose risk estimate functions for each of the four types of risk, finding that benign program deployments accumulate risks in each of the four areas for ten Android programs examined. As a result, we find that tracking of relative risk may be useful for guiding changes to security choices, such as authorized unsafe operations or placement of authorization checks, when risk differs from that expected.
Agility Maneuvers to Mitigate Inference Attacks on Sensed Location Data
Proceedings of the 35th Premier International Conference for Military Communications, MILCOM 2016, Baltimore, MD, USA.
Giuseppe Petracca, Lisa M. Marvel, Ananthram Swami, and Trent Jaeger
Sensed location data is subject to inference attacks by cybercriminals that aim to obtain the exact position of sensitive locations, such as the victim’s home and work locations, to launch a variety of different attacks. Various Location-Privacy Preserving Mechanisms (LPPMs) exist to reduce the probability of success of inference attacks on location data. However, such mechanisms have been shown to be less effective when the adversary is informed of the protection mechanism adopted, also known as white-box attacks. We propose a novel approach that makes use of targeted agility maneuvers as a more robust defense against white-box attacks. Agility maneuvers are systematically activated in response to specific system events to rapidly and continuously control the rate of change in system configurations and increase diversity in the space of readings, which would decrease the probability of success of inference attacks by an adversary. Experimental results, performed on a real data set, show that the adoption of agility maneuvers reduces the probability of success of white-box attacks to 2.68% on average, compared to 56.92% when using state-of-the-art LPPMs.
2015 | AuDroid: Preventing Attacks on Audio Channels in Mobile Devices
Proceedings of the 31st Annual Computer Security Applications Conference, ACSAC 2015, Los Angeles, CA, USA.
Giuseppe Petracca, Yuqiong Sun, Ahmad Atamli, and Trent Jaeger
Voice control is a popular way to operate mobile devices, enabling users to communicate requests to their devices. However, adversaries can leverage voice control to trick mobile devices into executing commands to leak secrets or to modify critical information. Contemporary mobile operating systems fail to prevent such attacks because they do not control access to the speaker at all and fail to control when untrusted apps may use the microphone, enabling authorized apps to create exploitable communication channels. In this paper, we propose a security mechanism that tracks the creation of audio communication channels explicitly and controls the information flows over these channels to prevent several types of attacks. We design and implement AuDroid, an extension to the SELinux reference monitor integrated into the Android operating system for enforcing lattice security policies over the dynamically changing use of system audio resources. To enhance flexibility, when information flow errors are detected, the device owner, system apps and services are given the opportunity to resolve information flow errors using known methods, enabling AuDroid to run many configurations safely. We evaluate our approach on 17 widely-used apps that make extensive use of the microphone and speaker, finding that AuDroid prevents six types of attack scenarios on audio channels while permitting all 17 apps to run effectively. AuDroid shows that it is possible to prevent attacks using audio channels without compromising functionality or introducing significant performance overhead.
Other Conference Publications
2016 | Pileus: Protecting User Resources from Vulnerable Cloud Services
Proceedings of the 2016 Annual Computer Security Applications Conference, ACSAC 2016, Los Angeles, CA, USA.
Yuqiong Sun, Giuseppe Petracca, Xinyang Ge and Trent Jaeger [PDF]
2015 | CloudArmor: Protecting Cloud Commands from Compromised Cloud Services
Proceedings of the 8th IEEE International Conference on Cloud Computing, CLOUD 2015, New York, NY, USA
Yuqiong Sun, Giuseppe Petracca, Vijayakumar Hayawardh, Joshua Schiffman, and Trent Jaeger [PDF]
2014 | Inevitable Failure: The Flawed Trust Assumption in the Cloud
Proceedings of the 21st ACM Conference on Computer and Communications Security, ACM CCSW 2014, Scottsdale, Arizona, USA
Yuqiong Sun, Giuseppe Petracca, and Trent Jaeger [PDF]
2014 | Situational Awareness through Reasoning on Network Incidents in Controlled Networks
Proceedings of the 4th ACM Conference on Data and Application Security and Privacy, ACM CODASPY 2014, San Antonio, TX, USA
Anna Cinzia Squicciarini, Giuseppe Petracca, William Horne, and Aurnob Nath [PDF]
2013 | Adaptive data protection in distributed systems
Proceedings of the 3rd ACM Conference on Data and Application Security and Privacy, ACM CODASPY 2013, San Antonio, TX, USA.
Anna Cinzia Squicciarini, Giuseppe Petracca, and Elisa Bertino [PDF]
2012 | ReasONets: a fuzzy-based approach for reasoning on network incidents
Proceedings of the 19th ACM Conference on Computer and Communications Security, CCS 2012, Raleigh, NC, USA.
Giuseppe Petracca, Anna Squicciarini, William Horne, and Marco Casassa Mont [PDF] [Poster]
2012 | Adaptive data management for self-protecting objects in cloud computing systems
Proceedings of the 8th International Conference on Network and Service Management, ACM CNSM 2012, Las Vegas, NV, USA.
Anna Cinzia Squicciarini, Giuseppe Petracca, and Elisa Bertino [PDF]
2012 | Early Detection of Policies Violations in a Social Media Site: A Bayesian Belief Network Approach
Proceedings of the 2012 IEEE International Symposium on Policies for Distributed Systems and Networks, POLICY 2012, Chapel Hill, NC, USA.
Anna Cinzia Squicciarini, William McGill, Giuseppe Petracca, and Shuo Huang [PDF]