Usability and privacy: a study of Kazaa P2P file-sharing
- 2002
Cited by 80 (5 self)
P2P file sharing systems are rapidly becoming one of the most popular applications on the internet, with millions of users online exchanging files daily. While primarily intended for sharing multimedia files, programs such as Gnutella, Freenet, and Kazaa frequently allow other types of files to be shared. Although this has no doubt contributed to P2P filesharing's growing popularity, it raises serious security concerns about the types of files that users are aware of sharing with others. Users who accidentally or unknowingly allow their private or personal files to be shared risk disclosing their private information to other users on the network. In this
Trusted Paths for Browsers
- In Proceedings of the 11th USENIX Security Symposium, 2002
Cited by 64 (4 self)
Computer security protocols usually terminate in a computer; however, the human-based services which they support usually terminate in a human. The gap between the human and the computer creates potential for security problems. We examine this gap, as it is manifested in secure Web servers. Felten et al. demonstrated the potential, in 1996, for malicious servers to impersonate honest servers. In this paper, we show how malicious servers can still do this—and can also forge the existence of an SSL session and the contents of the alleged server certificate. We then consider how to systematically defend against Web spoofing, by creating a trusted path from the browser to the human user. We present potential designs, propose a new one, prototype it in open-source Mozilla, and demonstrate its effectiveness via user studies.
Security in the Wild: User Strategies for Managing Security as an Everyday, Practical Problem
- PERSONAL AND UBIQUITOUS COMPUTING, 2004
Cited by 58 (4 self)
Ubiquitous and mobile technologies create new challenges for system security. Effective security solutions depend not only on the mathematical and technical properties of those solutions, but also on people’s ability to understand them and use them as part of their work. As a step towards solving this problem, we have been examining how people experience security as a facet of their daily life, and how they routinely answer the question, “is this system secure enough for what I want to do?” We present a number of findings concerning the scope of security, attitudes towards security, and the social and organizational contexts within which security concerns arise, and point towards emerging technical solutions.
Robust Composition: Towards a Unified Approach to Access Control and Concurrency Control
- 2006
Cited by 43 (5 self)
Permission is hereby granted to make and distribute verbatim copies of this document without royalty or fee. Permission is granted to quote excerpts from this document provided the original source is properly cited. When separately written programs are composed so that they may cooperate, they may instead destructively interfere in unanticipated ways. These hazards limit the scale and functionality of the software systems we can successfully compose. This dissertation presents a framework for enabling those interactions between components needed for the cooperation we intend, while minimizing the hazards of destructive interference. Great progress on the composition problem has been made within the object paradigm, chiefly in the context of sequential, single-machine programming among benign components. We show how to extend this success to support robust composition of concurrent and potentially malicious components distributed over potentially malicious machines. We present E, a distributed, persistent, secure programming language, and CapDesk, a virus-safe desktop built in E, as embodiments of the techniques we explain.
Access control for Active Spaces
- In Proceedings of the Annual Computer Security Applications Conference (ACSAC), pages 343–352, Las Vegas, NV, 2002
Cited by 38 (3 self)
Recent advances in embedded computing and communications technology have facilitated the development of intelligent environments, enabling exciting new applications, but also creating new challenges for security. The large number of heterogeneous devices, mobile users, and new kinds of applications all contribute to making security administration and enforcement more difficult. We study the problem of access control for such environments, which we call Active Spaces. Context plays an important role in these systems—users may have different permissions in different situations, making access control harder to configure, enforce and understand. Collaboration between users is common in these spaces, and needs to be supported by the system. My thesis is that existing models for access control, such as Role-Based Access Control, can be extended to satisfy the access control requirements for Active Spaces. An access control architecture for Active Spaces must integrate physical and virtual aspects of the environment, provide explicit support for collaborative applications,
Design of the EROS trusted window system
- In USENIX Security Symposium, 2004
Cited by 25 (0 self)
Permission is granted for noncommercial reproduction of the work for educational or research purposes.
Know Why Your Access Was Denied: Regulating Feedback For Usable Security
- In CCS ’04: Proceedings of the 11th ACM conference on Computer and communications security, 2004
Cited by 25 (2 self)
We examine the problem of providing useful feedback to users who are denied access to resources, while controlling the disclosure of the system security policies. High-quality feedback enhances the usability of a system, especially when permissions may depend on contextual information---time of day, temperature of a room and other factors that change unpredictably. However, providing too much information to the user may breach the confidentiality of the system policies.
Share and share alike: Exploring the user interface affordances of file sharing
- In Proc. of CHI 2006 (April 22–27, 2006
Cited by 25 (6 self)
With the rapid growth of personal computer networks and the Internet, sharing files has become a central activity in computer use. The ways in which users control the what, how, and with whom of sharing are dictated by the tools they use for sharing; there are a wide range of sharing practices, and hence a wide range of tools to support these practices. In practice, users’ requirements for certain sharing features may dictate their choice of tool, even though the other affordances available through that tool may not be an ideal match to the desired manner of sharing. In this paper, we explore users’ current practices in file sharing and examine the tools used to share files. Based on our findings, we unpack the features and affordances of these tools into a set of dimensions along which sharing tools can be characterized. Then, we present the set of user interface features we have prototyped in an interface called a sharing palette, which provides a platform for exploration and experimentation with new modalities of sharing. We briefly present the tool as a whole and then focus on the individual features of the sharing palette that support reported styles of sharing. ACM Classification: H.5.2 [Information Interfaces and
Aligning Security and Usability
- IEEE Security and Privacy, 2004
Cited by 21 (0 self)
Conflicts between security and usability goals can be avoided by considering the goals together throughout an iterative design process. A successful design involves addressing users’ expectations and inferring authorization based on their acts of designation. Designers of security-sensitive software applications sometimes speak of a trade-off between achieving strong security and making software easy to use. When we look for ways to adjust an existing design, usability improvements seem to yield more easily compromised software, and adding security measures seems to make software tedious to use or hard to understand. Yet designers cannot afford to neglect either—both security and usability failures can render a product useless.
Intentional access management: Making access control usable for end-users
- In Symposium On Usable Privacy and Security (SOUPS, 2006
Cited by 21 (0 self)
The usability of access control mechanisms in modern distributed systems has been widely criticized but little studied. In this paper, we carefully examine one such widely deployed access control mechanism, the one embedded in the WebDAV standard, from the point-of-view of an end-user trying to decide how to grant or deny access to some resource to a third party. This analysis points to problems with the conceptual usability of the system. Significant effort is required on the part of the user to determine how to implement the desired access rules; the user, however, has low interest and expertise in this task, given that such access management actions are almost always secondary to the collaborative task at hand. The analysis does however indicate a possible solution: to recast the access control puzzle as a decision support problem in which user intentions (i.e. the descriptions of desired system outputs) are interpreted by an access mediator that either automatically or semi-automatically decides how to achieve the designated goals and provides enough feedback to the user. We call such systems intentional access management (IAM) systems and describe them in both specific and general terms. To demonstrate the feasibility and usability of the proposed IAM models, we develop an intentional access management prototype for WebDAV. The results of a user study conducted on the system show its superior usability compared to traditional access management tools like the access control list editor. Categories and Subject Descriptors D.4.6 [Operating Systems]: Security and Protection – access controls. H.1.2 [Models and Principles]: User/Machine Systems

