The most powerful of security and privacy mechanisms may be rendered ineffective if people cannot use them. A common usability problem is that it is hard to specify the policies that the mechanisms enforce. Indeed, the more powerful the mechanism, the larger and more complex its policy can be; this makes it difficult not only to write a policy down, but also to make sure that an existing policy is a secure one.

In this dissertation, we make progress in addressing both these problems: translating people's high-level intentions into low-level policies and verifying that low-level policies meet high-level goals. To this end, we explore two application domains and their corresponding user bases.

For system administrators, we define a useful secure information-flow property, which we term CW-Lite. It says that untrusted processes should not be able to send unfiltered inputs to trusted processes. This is a basic security concern which can lead to system compromise, but it is unverified on most systems today because there is no effective, easy way to do the verification. A big advantage of our approach is that system administrators can perform a completely automated verification of CW-Lite using our tools, making it easier to integrate into a system.

With Doppelganger, an extension to the Firefox browser, we target a wider audience. Web browser cookies are used to manage relatively benign session state such as shopping carts, but also -- almost ubiquitously -- to track and record users' actions across sites and sessions, representing a significant privacy risk. Doppelganger seeks to generate a good cookie policy for each user, one that reflects that user's privacy vs. functionality cost-benefit curve, in an automated way. It uses several techniques: it automatically determines when certain cookies yield no benefit; when necessary, it asks the user to make a few informed, high-level decisions; and lastly, it offers a one-click error-recovery mechanism. We evaluated Doppelganger for privacy and usability in two experiments, including a controlled usability study with 18 users. In both cases, we found that Doppelganger offered greater privacy than the built-in browser settings, and that the cost in usability was modest.




Download Full History