Overhaul at DSN 2016

Better privacy through user intent inference
Posted
privacy systems ui

Kaan will be presenting a paper describing Overhaul, a technique for inferring user intent for resource authorization in traditional operating systems, at DSN 2016 this summer.

Permissions are a Good Thing

One opportunity afforded by the development of new operating systems for mobile devices was reconsidering what sorts of security mechanisms might be useful for creating more secure software. Android and iOS in particular took advantage of this opportunity by building finer-grained permissions into the platform APIs and user experience. That is, users could in principle avoid installing or deny installed applications the ability to access sensitive resources like the address book or SMS store. While this user-driven approach to security and privacy has problems, the availability of permissions is a definite improvement over platforms that lack them.

Unfortunately, adding permission enforcement to traditional platforms for the desktop is a difficult problem. Research has shown how this can be done if one is willing to modify and adapt applications to permission-aware APIs, but achieving this for unmodified applications has heretofore not been shown.

Permissions for Traditional Platforms

Overhaul aims at addressing exactly this challenge of retrofitting permission enforcement onto unmodified applications for traditional platforms. The fundamental technique used by Overhaul is to augment the system display manager to distinguish real from synthetically-injected UI events issued to applications by users. These events serve as indirect observations of user intent to allow an application to access a protected resource such as a camera, microphone, clipboard, or other shared resource. A kernel-based permission manager observes both the input UI event stream forwarded by the display manager as well as attempts by untrusted applications to access protected resources, and allows these accesses only if they occur within a small window of time after a UI event has been issued by the user. An example of this process is shown in the figure below.

Example of an Overhaul-shepherded access by an untrusted application to a microphone. In (1), an event (e.g., a mouse click) for application \(a\) at time \(t\) is received by the display manager which notifies the kernel-based permission monitor of this in (2). At (3), the event is propagated to the application, which attempts to open the microphone device at (4). Because the permission monitor received a UI event notification at (2), the access will be allowed in (5) so long as \(t \leq t + i < t + n\) for a configurable window size of \(n\). In (6), a visual notification of the microphone access is presented to the user.

The disadvantage of this approach is that a strong binding between the user’s intentions can’t be made. Instead, Overhaul can only infer such intent through temporal locality between UI events and accesses. On the other hand, the approach works for unmodified applications in a black-box manner, something we see as a major advantage given the large installation base of platforms that currently enjoy no permission-style protection.

Of course, building a stronger binding than time-based intent inference might be possible by dropping the black-box aspect of Overhaul’s approach. This is something we’re looking into and hope to be able to say more about in the future!