CS 98/198: Web 2.0 Applications Using Ruby on Rails

SCRUB: Secure Computing Research for Users' Benefit
David Wagner
http://scrub.cs.berkeley.edu/

Security is hard

What is SCRUB?
  • SCRUB is a new center focusing on security for users' benefit
  • Model: industry funding + collaboration
  • 4 Intel researchers in residence at Berkeley
  • $2.5M/year in funding
  • Open IP policy
  • Schools: Berkeley, CMU, Drexel, Duke, UIUC

Research Agenda (SCRUB)
  • Thin intermediation layer
  • Data-centric security
  • Security analytics
  • Mobile security

Security of Desktop Computing
  • Problem: today's desktops use a security architecture based upon a 1970s-era threat model.

Secure Desktop Computing
  • A thin, low-level intermediation layer can enable secure computation, e.g., online banking
  • Establish an island of security amidst the sea of malware
  • Benefit to users: secure computing on insecure desktops

Securing the desktop: Thin intermediation layer
[Diagram labels: Email, OS, Web browser; Banking app, OS, Thin client; Intermediation layer; Hardware]

Mobile Security
  • Huge growth in third-party apps

Mobile Security
  • How do we ensure third-party apps are safe?
  • How do we build effective app permission systems?
  • Can we make app stores more robust and secure?
  • New paradigm for secure computing: protect against apps, not against users
  • Benefit to users: secure smartphones, tablets

Desktop OS
  • Threat model: users attacking users
  • Applications run with the user's full privileges

Modern Reality
  • Threat model: apps attacking users
  • One user per device
  • Users don't trust all apps

Permission Systems
  • User approves what permissions the application receives.
  • Does this provide security benefits?

The Good News
  • Permissions do limit harm from breaches
      Android apps get a median of 4 permissions; desktop apps get 56.
      Only 10% of Android apps can cost users money, and only 15% get personal info.
  • Developers do comply
      Only 30% of apps are overprivileged, and only a little
  • But can users use permissions effectively?

More work needed
  • Some users can use permissions effectively
      20% demonstrated awareness and some comprehension
      20% have declined to install an app because of perms
  • But, at least on Android, permissions are not effective for most users
      Only 17% of Android users look at permissions
      Only 24% understand Android permissions (more or less)
  • Our user studies partially explain why, but more work is needed to find a good solution

Apps as paradigm for security
[Diagram labels: Phone, Desktop]
  • Beyond phones: app-based platforms offer a path to securing laptops and desktops.

Data-centric security
  • Data increasingly resides not only on end-user devices, but also on servers, cloud,
  • Can we provide consistent protection for user data as it flows through a complex distributed system, no matter where it is stored?
  • Benefit to users: visibility and control over their data

Data-centric security
  • Cloud platform protects user data and ensures that apps can't misuse it
  • Each user's data is separately encrypted.
  • When the cloud authenticates the user, it gives the app access to the user's data.
  • Cloud prevents apps from exfiltrating the data.
  • Ability to audit who has access to data.
[Diagram labels: App; cloud server; encrypted, authenticated channel; encrypted storage]

Security analytics
  • How can we accurately measure security?
  • Current approaches lead us in the dark
  • Are our efforts to secure systems making progress?
  • Goal: robust security metrics and analytics
  • Benefit to users: ability to prioritize, manage, and measure security

Learn more
  • Come visit us: SCRUB Open House, 2-4pm, 373 Soda Hall
  • Come visit the TRUST center, too: TRUST Open House, 2-4pm, 337 Cory Hall
  • Follow our work: http://scrub.cs.berkeley.edu/
