“A Study of Application Sandbox Policies in Linux” accepted at SACMAT 2022

I’m pleased to share that our paper, “A Study of Application Sandbox Policies in Linux,” will appear at SACMAT 2022 in June. In this work, WSPR PhD student Trevor Dunlap, in collaboration with his co-advisors Will Enck and myself, examine the brave new worlds of Linux desktop application distribution: Flatpak and Snap. These competing platforms are already used by millions, and will likely become the defacto method of distributing apps on Linux moving forward — complementing if not replacing traditional package managers like apt and yum. Our paper examines the sandbox policies of these systems, finding that package maintainers seem to be doing their level best to implement least-privilege policies, but occasionally get it wrong — leading to failed functionality or creating chances for compromise. More details soon!

“Investigating web service account remediation advice” to appear at SOUPS 21

WSPR PhD Student Lorenzo Neil will present his first first-author paper, titled “Investigating web service account remediation advice” at the 2021 Symposium on Usable Security and Privacy. Lorenzo was assisted by Elijah Bouma-Sims, a WSPR undergraduate now in the PhD program at CMU, NC State undergrad Evan Lafontaine, Dr. Yasemin Acar, and myself.

Abstract:

Online web services are susceptible to account compromises where adversaries gain access to a user’s account. Once compromised, an account must be restored to its pre-compromise state in a process we term “account remediation.” Account remediation is a technically complex process that in most cases is left to the user, though some web services provide guidance to users through help documentation. The quality of this account remediation advice is of paramount importance in assisting victims of account compromise, yet it is unclear if this advice is complete or suitable. In this paper, we analyze account remediation advice from 57 popular U.S.- based web services. We identify five key phases of account remediation, use this five-phase model to develop a codebook of account remediation advice, then analyze topic coverage. We find that only 39% of the web services studied provided advice for all phases of account remediation. We also find that highly-ranked websites and sites with a previously disclosed data breach have more complete coverage than other sites. Our findings show that account remediation should be more carefully and systematically considered by service providers, security researchers, and consumer advocates, and our detailed analysis will aid in creating better guidelines for users and services.

You can find more about the paper here.