Results 1 - 4 of 4
Flexible Dynamic Information Flow Control in the Presence of Exceptions
- UNDER CONSIDERATION FOR PUBLICATION IN J. FUNCTIONAL PROGRAMMING, 2012
Cited by 9 (6 self)
We describe a new, dynamic, floating-label approach to language-based information flow control. A labeled IO monad, LIO, keeps track of a current label and permits restricted access to IO functionality. The current label floats to exceed the labels of all data observed and restricts what can be modified. Unlike other language-based work, LIO also bounds the current label with a current clearance that provides a form of discretionary access control. Computations may encapsulate and pass around the results of computations with different labels. In addition, the LIO monad offers a simple form of labeled mutable references and exception handling. We give precise semantics and prove confidentiality and integrity properties of a call-by-name λ-calculus and provide an implementation in Haskell.
Tracing Information Flows Between Ad Exchanges Using Retargeted Ads
- 2016
Numerous surveys have shown that Web users are concerned about the loss of privacy associated with online tracking. Alarmingly, these surveys also reveal that people are also unaware of the amount of data sharing that occurs between ad exchanges, and thus underestimate the privacy risks associated with online tracking. In reality, the modern ad ecosystem is fueled by a flow of user data between trackers and ad exchanges. Although recent work has shown that ad exchanges routinely perform cookie matching with other exchanges, these studies are based on brittle heuristics that cannot detect all forms of information sharing, especially under adversarial conditions. In this study, we develop a methodology that is able to detect client- and server-side flows of information between arbitrary ad exchanges. Our key insight is to leverage retargeted ads as a tool for identifying information flows. Intuitively, our methodology works because it relies on the semantics of how exchanges serve ads, rather than focusing on specific cookie matching mechanisms. Using crawled data on 35,448 ad impressions, we show that our methodology can successfully categorize four different kinds of information sharing behavior between ad exchanges, including cases where existing heuristic methods fail. We conclude with a discussion of how our findings and methodologies can be leveraged to give users more control over what kind of ads they see and how their information is shared between ad exchanges.
Research Statement
My research interests span the areas of systems, programming languages, and security. I particularly enjoy building secure systems that can see adoption. My efforts are generally guided by two goals: (1) to enable average developers to build secure systems and applications, and (2) to leverage the benefits of formal semantics when reasoning about the security properties of a system. For example, as part of my thesis research, I built a framework (Hails [6]) that allows novice developers to build secure web applications. I then implemented a browser security architecture (Confinement with Origin Web Labels, or COWL [19]), currently being standardized at the W3C [20], for protecting user privacy from untrusted JavaScript. For both systems, I developed the formal