(Georgia Institute of Technology, 2010)
Singh, Kapil; Erete, Ikpeme; Lee, Wenke
With the rapid growth of Web 2.0 technologies, users are
contributing more and more content on the Internet, in the
form of user profiles, blogs, reviews, etc. With this increased
sharing comes a pressing need for access control policies and
mechanisms to protect the users’ privacy. Access control has
remained largely centralized and under the control of the
web applications hosted on their servers. Moreover, most
web applications either provide no or very primitive and
limited access control. We argue that the owner of any piece
of data on the web should be able to decide how to control
access to this data. This argument should hold not only
for the web applications contributing data, but also for the
contributing users. In other words, users should be able to
choose their own access control models to control the sharing
of their data independent of the underlying applications of
their data. In this work, we present a novel framework, called xAccess,
for providing generic access control that empowers
users to control how they want their data to be accessed.
Such a control could be in the form of user-defined access
categories, or in the form of new access control models built
on top of our framework. On one hand, xAccess enables
individual users to use a single unified access control across
multiple web applications; and on the other hand, it allows
an application to support different access control models deployed
by its users with a single model abstraction. We
demonstrate the viability of our design by means of a platform
prototype. The usability of the platform is further
evaluated by developing sample applications using the xAccess
APIs. Our results show that our model incurs minimum
overhead in enforcing the generic access control and requires
negligible changes to the application code for deployment.
(Georgia Institute of Technology, 2009)
Jain, Nehil; Lee, Wenke; Sangal, Samrit; Singh, Kapil; Traynor, Patrick
Malware targeting mobile phones is being studied with increasing interest by the research community. While
such attention has previously focused on viruses and worms, many of which use near-field communications in
order to propagate, none have investigated whether more complex malware such as botnets can effectively
operate in this environment. In this paper, we investigate the challenges of constructing and maintaining mobile
phone-based botnets communicating nearly exclusively via Bluetooth. Through extensive large-scale simulation
based on publicly available Bluetooth traces, we demonstrate that such a malicious infrastructure is possible in
many areas due to the largely repetitive nature of human daily routines. In particular, we demonstrate that
command and control messages can propagate to approximately 2/3 of infected nodes within 24 hours of being
issued by the botmaster. We then explore how traditional defense mechanisms can be modified to take advantage
of the same information to more effectively mitigate such systems. In so doing, we demonstrate that mobile
phone-based botnets are a realistic threat and that defensive strategies should be modified to consider them.