Dan Boneh, with Monica Lam, David Mazieres, John Mitchell, and many students.
Date posted: 19-Dec-2015
Security for Mobile Devices
NSF Site Visit, June 2010
POMI2020
POMI Research Agenda
[Diagram: POMI research agenda]
• Applications
• Data & Computing Substrate: PrPl, Junction and Concierge
• Radio technology
• Economics
• Cinder: Energy aware, secure OS
• UI
• HW Platform
• Network Substrate: Software Defined Network & OpenFlow
• Handheld
• Infrastructure
• Labels: secure apps, platform security
POMI mobile security work
• Snap2Pass and Snap2Pay [DSBL’10]
• A password manager for mobile devices [BBBB’09]
• Android security: ASLR on Android [BB’10]
• Unlocking phones using cheap tokens [BB’10]
• Preventing tap-jacking attacks on mobile web sites [RBB’10]
Joint work with Arvind Narayanan, Narendran Thiagarajan, and Mugdha Lakhani
Location services without big brother
Location-based social networking
Finally taking off?
Proximity Alerts
Detect when friends are nearby (e.g. Loopt)
• Today: 24/7 user tracking by server
Our privacy goals:
• When not nearby, friends don’t see your location
• Server never sees your location
Building block for more complex functionality
Proximity alerts: applications
Granularity must be user-configurable
How we arrived at this problem
• POMI barrier #1: reliance on big brother
• PrPl effort: social networks with privacy
• Many discussions with PrPl participants:
  • Can we make location-based services private?
  • Similarly, can we do private targeted advertising? (NDSS’10)
• Other results from the interaction:
  • QR codes for better user authentication [DSBL’10]
  • Unlocking a phone using cheap tokens [BB’10]
Reducing proximity test to equality test
Equality testing
Space of possible locations is small! (32 bits)
Method 1: protocol based on public-key encryption (Lipmaa)
• Heavy computation: impractical for proximity of all friends
[Diagram: x =? y]
Requires shared secret keys between pairs of friends
Our approach
An efficient protocol with server participation
Trust assumption: server does not collude with your friends
[Diagram: inputs x and y; result r(x − y); no one knows r]
Total traffic: 24 bytes, easy computation
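A sketch of how a masked difference r(x − y) can be computed with a non-colluding server, added here as an illustration and not the protocol or code from the talk. The prime modulus, the per-round pairwise values a and b, the sample cell ids and all function names are assumptions; in this simplified form the server can tell whether the difference is zero, but never sees x or y.

```python
import secrets

# Assumed prime modulus (2^61 - 1). 32-bit location cell ids fit below it,
# and each protocol message is one field element that fits in 8 bytes.
P = 2**61 - 1

def pair_round_secret():
    """Fresh per-round values known only to the two friends (hypothetical setup)."""
    a = 1 + secrets.randbelow(P - 1)  # nonzero multiplier
    b = secrets.randbelow(P)          # additive one-time mask
    return a, b

def client_message(cell, a, b):
    """What each friend sends to the server: the cell id masked as a*cell + b."""
    return (a * cell + b) % P

def server_combine(m_alice, m_bob):
    """Server blinds the difference with its own nonzero s.

    The result is s*a*(x - y). The server does not know a and the friends
    do not know s, so nobody knows the product r = s*a.
    """
    s = 1 + secrets.randbelow(P - 1)
    return (s * (m_alice - m_bob)) % P

def alice_decide(reply):
    """Zero means same cell. A nonzero reply is a uniformly random nonzero
    field element, so it carries no information about x - y."""
    return reply == 0

def proximity_round(x, y):
    """Run one round for constructed cell ids x (Alice) and y (Bob)."""
    a, b = pair_round_secret()
    reply = server_combine(client_message(x, a, b), client_message(y, a, b))
    return alice_decide(reply), reply

if __name__ == "__main__":
    print(proximity_round(0x1A2B3C4D, 0x1A2B3C4D))  # same cell
    print(proximity_round(0x1A2B3C4D, 0x1A2B3C4E))  # adjacent cell
```

Because P is prime and both a and s are nonzero, the reply is zero exactly when the two cell ids are equal.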
Problem: online brute-force attack
If only there were a way to verify that a user really is where they claim to be…
Solution: location tags (for small granularity)
Properties of location tags
Location tag = vector + matching function, i.e., space-time fingerprint
Unpredictability: cannot produce matching tag unless nearby
Reproducibility: two devices at same place & time produce matching tags (not necessarily identical)
Location tags using WiFi packets
Discard packets like TCP that may originate outside local network
• DHCP, ARP, Samba etc. are local
• 15 packets/sec on CS/EE VLAN
Two different devices see about 90% of packets in common
Comparing location tags: privately test if intersection > 90%
Android implementation
Future work
Many location privacy questions:
• Private location based advertising
• Private location based search
• Private location statistics