ORCID ID

https://orcid.org/0000-0003-1917-7677

Date Awarded

2024

Document Type

Dissertation

Degree Name

Doctor of Philosophy (Ph.D.)

Department

Computer Science

Advisor

Adwait Nadkarni

Committee Member

Denys Poshyvanyk

Committee Member

Dmitry Evtyushkin

Committee Member

Stephen Herwig

Committee Member

Kapil Singh

Abstract

Consumer-oriented software systems have become the foundation on which consumer data is collected and transported from consumers to data processors. They are complex, with various interconnected, heterogeneous components working together, which makes their security and privacy analysis challenging and their impact on the user uncertain. In this work, we first explore how security threats can arise in novel contexts in such systems by performing a security evaluation of data-store-based smart home platforms and of the overall security risks posed by the design of routines within such platforms. We analyze various components of the smart home, such as the platform’s permission enforcement mechanism and the apps/services that connect to the smart home and are used during the creation and execution of routines. We find that 1) the platform’s permission enforcement and access control model may be broken, allowing attackers to bypass the user’s consent to perform privileged tasks, 2) around 20% of apps that connect to smart home platforms may have vulnerable SSL connections, and 3) lateral privilege escalation in smart home platforms is possible with the help of routines, which we demonstrate by compromising a smart home camera after escalating the privilege gained through a smart home switch app. Second, to develop a practical defense against the threats introduced by routines, we leverage a unique opportunity provided by the smart home, i.e., validating incoming state change requests against the observations gathered by the physical devices connected to the platform, to enhance integrity in smart home platforms. Using this insight, we propose HomeEndorser, a practical framework that provides integrity guarantees to smart home platforms. HomeEndorser endorses (or rejects) requests by apps or services to modify Abstract Home Objects (AHOs), such as home or fire, by enforcing integrity policies based on the current state of devices in the home.
By protecting against malicious modifications of AHOs, HomeEndorser prevents the arbitrary privilege escalation attacks that were possible by exploiting routines. Finally, to understand how effectively stakeholders convey security and privacy risks to users, we designed the Polityzer framework to systematically analyze the privacy postures of election campaign websites. Using Polityzer, we find that a vast majority of election campaign websites lack a privacy disclosure, and even where privacy policies were provided, they were often incomplete. We also found that campaigns may be inadvertently sharing data with other campaigns through common fundraising platforms, without disclosing such sharing.
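The endorsement idea in the abstract (accept or reject an app's request to change an AHO only when the physical devices' own observations corroborate the requested state) can be illustrated with a small policy checker. The following is an added example written for this page, not code from the dissertation or from HomeEndorser; the AHO names, device kinds, device snapshot and the two policies are assumptions made for the illustration. It fails closed: an AHO without a policy, or a state that no device can corroborate, is rejected.

```python
"""
Illustrative AHO endorsement check in the spirit of HomeEndorser.
Added example, not the dissertation's code: AHO names ("home", "fire"),
device kinds and the policies below are assumptions for this illustration.
"""
from dataclasses import dataclass
from typing import Any, Callable, Dict, Mapping, Tuple

# Snapshot of the last observations reported by physical devices:
# device name -> attributes. Constructed sample data, not real devices.
DeviceSnapshot = Mapping[str, Mapping[str, Any]]

DEVICES: Dict[str, Dict[str, Any]] = {
    "motion-living": {"kind": "motion", "motion": False},
    "motion-hall": {"kind": "motion", "motion": True},
    "lock-front": {"kind": "lock", "locked": True},
    "smoke-kitchen": {"kind": "smoke", "smoke": False},
}


@dataclass(frozen=True)
class Request:
    """An app or service asking the platform to set an AHO to a new value."""
    app: str
    aho: str
    value: Any


# A policy maps (requested value, device snapshot) -> (endorse?, reason).
Policy = Callable[[Any, DeviceSnapshot], Tuple[bool, str]]


def _of_kind(devices: DeviceSnapshot, kind: str) -> Dict[str, Mapping[str, Any]]:
    return {name: d for name, d in devices.items() if d.get("kind") == kind}


def policy_home(value: Any, devices: DeviceSnapshot) -> Tuple[bool, str]:
    """'home' may become 'away' only if no motion is seen and doors are locked;
    it may become 'home' only if some device shows signs of occupancy."""
    motion = _of_kind(devices, "motion")
    locks = _of_kind(devices, "lock")
    if not motion and not locks:
        return False, "no motion sensor or lock can corroborate occupancy"
    active = sorted(n for n, d in motion.items() if d.get("motion"))
    unlocked = sorted(n for n, d in locks.items() if not d.get("locked"))
    if value == "away":
        if active:
            return False, f"motion still reported by {active}"
        if unlocked:
            return False, f"door still unlocked: {unlocked}"
        return True, "no motion and all doors locked"
    if value == "home":
        if active or unlocked:
            return True, "occupancy corroborated by devices"
        return False, "no device reports anyone home"
    return False, f"unknown value {value!r} for home"


def policy_fire(value: Any, devices: DeviceSnapshot) -> Tuple[bool, str]:
    """'fire' may be raised only if a smoke detector reports smoke, and
    cleared only if none does."""
    smoke = _of_kind(devices, "smoke")
    if not smoke:
        return False, "no smoke detector can corroborate"
    alarming = sorted(n for n, d in smoke.items() if d.get("smoke"))
    if value is True:
        return (True, f"smoke reported by {alarming}") if alarming \
            else (False, "no smoke detector reports smoke")
    if value is False:
        return (False, f"smoke still reported by {alarming}") if alarming \
            else (True, "no detector reports smoke")
    return False, f"unknown value {value!r} for fire"


POLICIES: Dict[str, Policy] = {"home": policy_home, "fire": policy_fire}


def endorse(req: Request, devices: DeviceSnapshot) -> Tuple[bool, str]:
    """Endorse or reject a request to modify an AHO based on device state.
    Fails closed: AHOs without a policy are always rejected."""
    policy = POLICIES.get(req.aho)
    if policy is None:
        return False, f"{req.app} -> {req.aho}: rejected (no integrity policy for this AHO)"
    ok, reason = policy(req.value, devices)
    verdict = "endorsed" if ok else "rejected"
    return ok, f"{req.app} -> {req.aho}={req.value!r}: {verdict} ({reason})"


if __name__ == "__main__":
    # A switch app trying to flip the home to 'away' while a hall sensor sees motion.
    for req in (Request("switch-app", "home", "away"),
                Request("switch-app", "fire", True),
                Request("switch-app", "vacation", True)):
        print(endorse(req, DEVICES)[1])
```

The decision depends only on the device snapshot, never on which app is asking, which is the point of the approach: a routine or app that has gained permission to write an AHO still cannot move the home to a state the physical devices contradict.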

DOI

https://dx.doi.org/10.21220/s2-9cgg-w467

Rights

© The Author
