Skip to main content
To KTH's start page To KTH's start page

2021-12 03: Practical Data Access Minimization in Trigger-Action Platforms

Andrei Sabelfeld (Chalmers) will give a seminar on December 3rd, 2021, 13:00-14:00, Lindstedtsvägen 3, 4th floor, room 1440 or virtually.

Abstract:
Trigger-Action Platforms (TAPs) connect disparate online services and enable users to create automation rules in diverse domains such as smart homes and business productivity. Unfortunately, the current TAP
design is flawed from a privacy perspective, since it has unfettered access to sensitive user data. We point out that TAPs suffer from two types of overprivilege: (1) attribute-level, where it has access to more data attributes than it needs for running user-created rules; and (2) token-level, where it has access to more APIs than it needs. To mitigate overprivilege and subsequent privacy concerns we design and implement minTAP, a practical approach to data access minimization in TAPs. Our key insight is that the semantics of a user-created automation rule implicitly specifies the minimal amount of data it needs. This allows minTAP to leverage language-based data minimization to apply the principle of least-privilege by releasing only the
necessary attributes of user data to the TAP. Using real user-created rules on the popular IFTTT TAP, we demonstrate that minTAP on average sanitizes a median of 4 sensitive data attributes per rule, with modest
performance overhead and without modifying IFTTT.Joint work with Yunang Chen, Mohannad Alhanahnah, Rahul Chatterjee, and Earlence Fernandes, to appear in USENIX Security 2022.

Bio:
Andrei Sabelfeld is Professor at Chalmers University of Technology. Before joining Chalmers as faculty, he was a Research Associate at Cornell University in Ithaca, NY, USA. Andrei Sabelfeld's research ranges from foundations to practice in a range of topics in computer security and privacy. He is a recipient of a number of prestigious prizes and awards from ERC, SSF, VR, Chalmers, Google, and Facebook. Today, he leads a group of researchers at Chalmers engaged in a number of internationally visible projects on software security, web security, IoT security, and applied cryptography.

You are welcome to attend the seminar in person or virtually: kth-se.zoom.us/j/8088501391

Belongs to: School of Electrical Engineering and Computer Science
Last changed: Nov 12, 2021
Title
2021-12-08: Testing Software and Hardware against Speculation Contracts
2021-12 03: Practical Data Access Minimization in Trigger-Action Platforms
2021-11-16: Securing software in the presence of realistic attackers and polices
2021-11-9: An In-depth Study of Java Deserialization Exploits and Vulnerabilities
2019-02-05 Faceted Secure Multi-Execution
2019-01-11 Privacy-preserving ridesharing and multi key-homomorphic signatures
2018-11-06 Authentication and Pairing Using Human Body Impedance
2018-10-26 Security and Privacy in the IoT: An Information-Theoretic Perspective
2018-09-17 Cyber-Defence Panel
2018-09-13: Reconfigurable Distributed MIMO for Physical-layer Security in Mobile Networks
2018-09-03: A Constraint Programming approach to deliver a Tolerant Algebraic Side-Channel Attack of AES
2018-06-18: Coarse-grained information-flow control as a library in Haskell
2018-06-07: The capacity of private information retrieval with eavesdroppers
2018-05-23: Information-Flow Control for Concurrent Programs with Declassification
2018-05-09: Browser fingerprinting: past, present and possible future
2018-05-07: The Verificatum Project 10-year Anniversary