TightLip: Keeping Applications from Spilling the Beans (presented with demo)

Managing the permissions of any shared space is challenging, even for highly skilled computer users. This task is particularly daunting for untrained PC users, for whom access control errors are routine and can lead to damaging privacy leaks. A 2003 usability study of the Kazaa peer-to-peer file-sharing network found that many users share their entire hard drive with the rest of the Internet, including email inboxes and credit card information. Over 12 hours, the study found 156 distinct users who were sharing their email inboxes. Not only were these files available for download, but other users could be observed downloading them. This and similar compromises such as users inadvertently copying sensitive data into their public web space present a different threat model than is normally assumed by the privacy and security literature. In these cases, data leaked due to access control misconfigurations rather than malice or buggy software. For example, companies in the UK were reported to have banned their employees from using Google Desktop because it allows users to search across machines and can store sensitive files on remote Google servers. Neither secure communication channels nor hostbased intrusion detection would have prevented these exposures. Furthermore, the impact of these leaks extends beyond the negligent users themselves since the leaked data can and often does include previous communication and transaction records involving principals. No matter how careful any individual is, her privacy will only be as secure as her least competent confidant. Prior approaches to similar problems either rely on new programming language features, making them incompatible with legacy code or track “tainted” within a running process, leading to prohibitively poor performance. Thus, we are exploring a new approach to preventing leaks due to access control misconfigurations through a privacy management system called TightLip. TightLip helps users define what data is important and who is trusted, rather than forcing them to understand the com-