ABSTRACT
We describe the design and implementation of Privacy Oracle, a system that reports on application leaks of user information via the network traffic that they send. Privacy Oracle treats each application as a black box, without access to either its internal structure or communication protocols. This means that it can be used over a broad range of applications and information leaks (i.e., not only Web traffic or credit card numbers). To accomplish this, we develop a differential testing technique in which perturbations in the application inputs are mapped to perturbations in the application outputs to discover likely leaks; we leverage alignment algorithms from computational biology to find high quality mappings between different byte-sequences efficiently. Privacy Oracle includes this technique and a virtual machine-based testing system. To evaluate it, we tested 26 popular applications, including system and file utilities, media players, and IM clients. We found that Privacy Oracle discovered many small and previously undisclosed information leaks. In several cases, these are leaks of directly identifying information that are regularly sent in the clear (without end-to-end encryption) and which could make users vulnerable to tracking by third parties or providers.
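The differential-testing idea sketched above, as an added worked example (this is not Privacy Oracle's code, and the paper's own alignment and scoring are not reproduced): two network captures of the same opaque application, taken under input vectors that differ in exactly one field, are aligned byte-for-byte with Needleman-Wunsch global alignment, the columns that disagree are grouped into regions, and each region is classified as a verbatim leak of the perturbed value, as nondeterministic noise (it also changes between two runs with identical inputs), or as an unexplained input-correlated difference worth inspecting by hand. The simulated application, its HTTP-like report, the field names and the classification rules are assumptions made for the illustration; all traffic is constructed inline.

```python
"""Black-box differential leak detection by byte-sequence alignment.
Added illustration, not Privacy Oracle's own code. Two captures of one opaque application,
taken under inputs differing in a single field, are globally aligned (Needleman-Wunsch, a
standard computational-biology alignment; the paper's own algorithm is not reproduced here)
and the disagreeing columns are grouped into regions: one reproducing the perturbed values
is a direct leak, one that also changes between two identical-input runs is nondeterminism
(timestamp, nonce), and the rest is reported for inspection. All traffic is constructed.
"""
import hashlib
from typing import List, Optional, Set, Tuple

Column = Tuple[Optional[int], Optional[int]]  # (index in a, index in b); None marks a gap
Region = Tuple[int, int, int, int]            # (a_start, a_end, b_start, b_end), half-open


def align(a: bytes, b: bytes, match: int = 2, mismatch: int = -1, gap: int = -2) -> List[Column]:
    """Global alignment with linear gap cost; ties are resolved toward the diagonal."""
    n, m = len(a), len(b)
    s = [[(i + j) * gap if i == 0 or j == 0 else 0 for j in range(m + 1)] for i in range(n + 1)]
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            sub = match if a[i - 1] == b[j - 1] else mismatch
            s[i][j] = max(s[i - 1][j - 1] + sub, s[i - 1][j] + gap, s[i][j - 1] + gap)
    cols: List[Column] = []
    i, j = n, m
    while i or j:
        if i and j and s[i][j] == s[i - 1][j - 1] + (match if a[i - 1] == b[j - 1] else mismatch):
            cols.append((i - 1, j - 1)); i -= 1; j -= 1
        elif i and s[i][j] == s[i - 1][j] + gap:
            cols.append((i - 1, None)); i -= 1
        else:
            cols.append((None, j - 1)); j -= 1
    return cols[::-1]


def diff_regions(a: bytes, b: bytes, min_anchor: int = 3) -> List[Region]:
    """Maximal runs of disagreeing columns; runs separated by fewer than min_anchor
    agreeing bytes are merged so one changed field is not split by a chance match."""
    raw: List[Region] = []
    start = None                      # (a_start, b_start) of the run currently open
    pos_a = pos_b = 0
    for ia, ib in align(a, b) + [(None, None)]:  # sentinel closes a trailing run
        closes = (ia, ib) == (None, None) or (ia is not None and ib is not None and a[ia] == b[ib])
        if closes and start is not None:
            raw.append((start[0], pos_a, start[1], pos_b)); start = None
        elif not closes and start is None:
            start = (pos_a, pos_b)
        pos_a += int(ia is not None); pos_b += int(ib is not None)
    merged: List[Region] = []
    for r in raw:
        if merged and r[0] - merged[-1][1] < min_anchor:
            merged[-1] = (merged[-1][0], r[1], merged[-1][2], r[3])
        else:
            merged.append(r)
    return merged


def find_leaks(field: str, val_a: bytes, val_b: bytes, out_a: bytes, out_b: bytes,
               out_a_again: bytes) -> List[Tuple[str, bytes, bytes]]:
    """Map the perturbation val_a -> val_b of `field` onto regions of the output.
    out_a_again is a second capture under out_a's inputs; whatever differs between the
    two marks offsets that vary on their own and must not be reported as leaks."""
    noise: Set[int] = set()
    for a0, a1, _, _ in diff_regions(out_a, out_a_again):
        noise.update(range(a0, max(a1, a0 + 1)))
    findings = []
    for a0, a1, b0, b1 in diff_regions(out_a, out_b):
        ra, rb = out_a[a0:a1], out_b[b0:b1]
        if val_a in ra and val_b in rb:
            kind = "leak:" + field          # perturbed value appears verbatim on the wire
        elif noise.intersection(range(a0, max(a1, a0 + 1))):
            kind = "noise"                  # changed even with identical inputs
        else:
            kind = "unexplained"            # tracks the input but not verbatim: encoded? hashed?
        findings.append((kind, ra, rb))
    return findings


def black_box(user: str, host: str, ts: int, nonce: str) -> bytes:
    """Constructed stand-in for the application under test (the detector never looks inside).
    It sends the user name in the clear, a hash of the machine name, a timestamp and a nonce."""
    tag = hashlib.sha1(host.encode()).hexdigest()[:8]
    return (f"POST /ping HTTP/1.1\r\nHost: stats.example.test\r\nX-Nonce: {nonce}\r\n"
            f"X-Ts: {ts}\r\n\r\nu={user}&m={tag}&v=3.2\r\n").encode()


OUT_A = black_box("alice", "desk-7", 1712000001, "8f1c")
OUT_A_AGAIN = black_box("alice", "desk-7", 1712000037, "c02e")  # same inputs, second run
OUT_B_USER = black_box("bob", "desk-7", 1712000142, "5a77")      # user name perturbed
OUT_B_HOST = black_box("alice", "lab-pc-3", 1712000300, "d1e0")  # machine name perturbed


def run_experiments():
    return {"user": find_leaks("user", b"alice", b"bob", OUT_A, OUT_B_USER, OUT_A_AGAIN),
            "host": find_leaks("host", b"desk-7", b"lab-pc-3", OUT_A, OUT_B_HOST, OUT_A_AGAIN)}


if __name__ == "__main__":
    for field, findings in run_experiments().items():
        print(field, findings)
```

Perturbing the user name yields one verbatim leak region (`alice` against `bob`) while the nonce and timestamp regions are discounted because they also differ between the two identical-input runs; perturbing the machine name yields no verbatim match but an unexplained region over the hashed field, which is exactly the kind of small, derived identifier a black-box approach surfaces for manual follow-up. The control pair is what keeps nondeterministic fields from being mistaken for leaks; with real applications several control runs, not one, would be needed before trusting the noise set.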