Description
In this dissertation, we make progress in addressing both these problems: translating people's high-level intentions into low-level policies and verifying that low-level policies meet high-level goals. To this end, we explore two application domains and their corresponding user bases.
For system administrators, we define a useful secure information-flow property, which we term CW-Lite. It says that untrusted processes should not be able to send unfiltered inputs to trusted processes. This is a basic security concern which can lead to system compromise, but it is unverified on most systems today because there is no effective, easy way to do the verification. A big advantage of our approach is that system administrators can perform a completely automated verification of CW-Lite using our tools, making it easier to integrate into a system.
With Doppelganger, an extension to the Firefox browser, we target a wider audience. Web browser cookies are used to manage relatively benign session state such as shopping carts, but also -- almost ubiquitously -- to track and record users' actions across sites and sessions, representing a significant privacy risk. Doppelganger seeks to generate a good cookie policy for each user, one that reflects that user's privacy vs. functionality cost-benefit curve, in an automated way. It uses several techniques: it automatically determines when certain cookies yield no benefit; when necessary, it asks the user to make a few informed, high-level decisions; and lastly, it offers a one-click error-recovery mechanism. We evaluated Doppelganger for privacy and usability in two experiments, including a controlled usability study with 18 users. In both cases, we found that Doppelganger offered greater privacy than the built-in browser settings, and that the cost in usability was modest.