
NDSS symposium: latest publications

Privacy-Preserving Database Fingerprinting.
Pub Date: 2023-02-01 | DOI: 10.14722/ndss.2023.24693
Tianxi Ji, Erman Ayday, Emre Yilmaz, Ming Li, Pan Li

When sharing relational databases with other parties, in addition to providing a high-quality (high-utility) database to the recipients, a database owner also aims to have (i) privacy guarantees for the data entries and (ii) liability guarantees (via fingerprinting) in case of unauthorized redistribution. However, (i) and (ii) are orthogonal objectives, because when sharing a database with multiple recipients, privacy via data sanitization requires adding noise once (and sharing the same noisy version with all recipients), whereas liability via unique fingerprint insertion requires adding different noise to each shared copy to distinguish all recipients. Although achieving (i) and (ii) together is possible in a naïve way (e.g., either differentially-private database perturbation or synthesis followed by fingerprinting), this approach results in significant degradation in the utility of shared databases. In this paper, we achieve privacy and liability guarantees simultaneously by proposing a novel entry-level differentially-private (DP) fingerprinting mechanism for relational databases without causing large utility degradation. The proposed mechanism fulfills the privacy and liability requirements by leveraging the randomization nature of fingerprinting and transforming it into provable privacy guarantees. Specifically, we devise a bit-level randomized response scheme to achieve a differential privacy guarantee for arbitrary data entries when sharing the entire database, and then, based on this, we develop an ϵ-entry-level DP fingerprinting mechanism. We theoretically analyze the connections between privacy, fingerprint robustness, and database utility by deriving closed-form expressions. We also propose a sparse-vector-technique-based solution to control the cumulative privacy loss when fingerprinted copies of a database are shared with multiple recipients. We experimentally show that our mechanism achieves strong fingerprint robustness (e.g., the fingerprint cannot be compromised even if the malicious database recipient modifies/distorts more than half of the entries in its received fingerprinted copy) and higher database utility compared to various baseline methods (e.g., the application-dependent database utility of the shared database achieved by the proposed mechanism is higher than that of the considered baselines).

Citations: 0
Breaking and Fixing Origin-Based Access Control in Hybrid Web/Mobile Application Frameworks
Pub Date: 2014-02-01 | DOI: 10.14722/NDSS.2014.23323
Martin Georgiev, S. Jana, Vitaly Shmatikov
Hybrid mobile applications (apps) combine the features of Web applications and "native" mobile apps. Like Web applications, they are implemented in portable, platform-independent languages such as HTML and JavaScript. Like native apps, they have direct access to local device resources (file system, location, camera, contacts, etc.). Hybrid apps are typically developed using hybrid application frameworks such as PhoneGap. The purpose of the framework is twofold. First, it provides an embedded Web browser (for example, WebView on Android) that executes the app's Web code. Second, it supplies "bridges" that allow Web code to escape the browser and access local resources on the device. We analyze the software stack created by hybrid frameworks and demonstrate that it does not properly compose the access-control policies governing Web code and local code, respectively. Web code is governed by the same-origin policy, whereas local code is governed by the access-control policy of the operating system (for example, user-granted permissions in Android). The bridges added by the framework to the browser have the same local access rights as the entire application, but are not correctly protected by the same-origin policy. This opens the door to fracking attacks, which allow foreign-origin Web content included in a hybrid app (e.g., ads confined in iframes) to drill through the layers and directly access device resources. Fracking vulnerabilities are generic: they affect all hybrid frameworks, all embedded Web browsers, all bridge mechanisms, and all platforms on which these frameworks are deployed. We study the prevalence of fracking vulnerabilities in free Android apps based on the PhoneGap framework. Each vulnerability exposes sensitive local resources (the ability to read and write the contacts list, local files, etc.) to dozens of potentially malicious Web domains. We also analyze the defenses deployed by hybrid frameworks to prevent resource access by foreign-origin Web content and explain why they are ineffectual. We then present NoFrak, a capability-based defense against fracking attacks. NoFrak is platform-independent, compatible with any framework and embedded browser, requires no changes to the code of existing hybrid apps, and does not break their advertising-supported business model.
Citations: 95