+ All Categories
Home > Documents > Usable Security - GitHub Pagesenee457.github.io/lectures/week10/ENEE457-usablesec.pdf · Usable...

Usable Security - GitHub Pagesenee457.github.io/lectures/week10/ENEE457-usablesec.pdf · Usable...

Date post: 05-Jun-2020
Category:
Upload: others
View: 5 times
Download: 1 times
Share this document with a friend
111
Usable Security Computer Systems Security - 11/5 Daniel Votipka Fall 2018 (some slides courtesy of Michelle Mazurek, Lorrie Cranor, Mike Reiter, Rob Reeder, and Blasé Ur)
Transcript
Page 1: Usable Security - GitHub Pagesenee457.github.io/lectures/week10/ENEE457-usablesec.pdf · Usable Security Computer Systems Security - 11/5 Daniel Votipka Fall 2018 (some slides courtesy

Usable SecurityComputer Systems Security - 11/5

Daniel VotipkaFall 2018

(some slides courtesy of Michelle Mazurek, Lorrie Cranor, Mike Reiter, Rob Reeder, and Blasé Ur)

Page 2: Usable Security - GitHub Pagesenee457.github.io/lectures/week10/ENEE457-usablesec.pdf · Usable Security Computer Systems Security - 11/5 Daniel Votipka Fall 2018 (some slides courtesy

�2

In today’s lecture …

• Key challenges

• How to study usable security

– Grey, password meters, hackers vs. testers

• Guidelines for making things better

Page 3: Usable Security - GitHub Pagesenee457.github.io/lectures/week10/ENEE457-usablesec.pdf · Usable Security Computer Systems Security - 11/5 Daniel Votipka Fall 2018 (some slides courtesy

What is usable security?

Page 4: Usable Security - GitHub Pagesenee457.github.io/lectures/week10/ENEE457-usablesec.pdf · Usable Security Computer Systems Security - 11/5 Daniel Votipka Fall 2018 (some slides courtesy

�4

The Human Threat

“Humans are incapable of securely storing high-quality cryptographic keys, and they have unacceptable speed and accuracy when performing cryptographic operations…

Page 5: Usable Security - GitHub Pagesenee457.github.io/lectures/week10/ENEE457-usablesec.pdf · Usable Security Computer Systems Security - 11/5 Daniel Votipka Fall 2018 (some slides courtesy

�4

The Human Threat

“Humans are incapable of securely storing high-quality cryptographic keys, and they have unacceptable speed and accuracy when performing cryptographic operations… but they are sufficiently pervasive that we must design our protocols around their limitations.”

−− C. Kaufman, R. Perlman, and M. Speciner. Network Security: PRIVATE Communication in a PUBLIC World.

2nd edition. Prentice Hall, page 237, 2002.

Page 6: Usable Security - GitHub Pagesenee457.github.io/lectures/week10/ENEE457-usablesec.pdf · Usable Security Computer Systems Security - 11/5 Daniel Votipka Fall 2018 (some slides courtesy

�5

Key challenges

Page 7: Usable Security - GitHub Pagesenee457.github.io/lectures/week10/ENEE457-usablesec.pdf · Usable Security Computer Systems Security - 11/5 Daniel Votipka Fall 2018 (some slides courtesy

�5

Key challenges

• Security concepts are hard

– Viruses, certificates, SSL, encryption, phishing

Page 8: Usable Security - GitHub Pagesenee457.github.io/lectures/week10/ENEE457-usablesec.pdf · Usable Security Computer Systems Security - 11/5 Daniel Votipka Fall 2018 (some slides courtesy

�6

Page 9: Usable Security - GitHub Pagesenee457.github.io/lectures/week10/ENEE457-usablesec.pdf · Usable Security Computer Systems Security - 11/5 Daniel Votipka Fall 2018 (some slides courtesy

�7

Page 10: Usable Security - GitHub Pagesenee457.github.io/lectures/week10/ENEE457-usablesec.pdf · Usable Security Computer Systems Security - 11/5 Daniel Votipka Fall 2018 (some slides courtesy

�8

What’s the source of this attachment?

Page 11: Usable Security - GitHub Pagesenee457.github.io/lectures/week10/ENEE457-usablesec.pdf · Usable Security Computer Systems Security - 11/5 Daniel Votipka Fall 2018 (some slides courtesy

�9

What makes a source trustworthy or not trustworthy?

What’s the source of this attachment?

Page 12: Usable Security - GitHub Pagesenee457.github.io/lectures/week10/ENEE457-usablesec.pdf · Usable Security Computer Systems Security - 11/5 Daniel Votipka Fall 2018 (some slides courtesy

�10

What will happen if I don’t follow this advice?

What makes a source trustworthy or not trustworthy?

What’s the source of this attachment?

Page 13: Usable Security - GitHub Pagesenee457.github.io/lectures/week10/ENEE457-usablesec.pdf · Usable Security Computer Systems Security - 11/5 Daniel Votipka Fall 2018 (some slides courtesy

�11

Does this mean that opening is dangerous but saving is safe?

What will happen if I don’t follow this advice?

What makes a source trustworthy or not trustworthy?

What’s the source of this attachment?

Page 14: Usable Security - GitHub Pagesenee457.github.io/lectures/week10/ENEE457-usablesec.pdf · Usable Security Computer Systems Security - 11/5 Daniel Votipka Fall 2018 (some slides courtesy

�12

Does this mean that opening is dangerous but saving is safe?

What will happen if I don’t follow this advice?

What makes a source trustworthy or not trustworthy?

What’s the source of this attachment?

What steps can I take to decide what to do?

Page 15: Usable Security - GitHub Pagesenee457.github.io/lectures/week10/ENEE457-usablesec.pdf · Usable Security Computer Systems Security - 11/5 Daniel Votipka Fall 2018 (some slides courtesy

�13

Key challenges

• Security concepts are hard

– Viruses, certificates, SSL, encryption, phishing

Page 16: Usable Security - GitHub Pagesenee457.github.io/lectures/week10/ENEE457-usablesec.pdf · Usable Security Computer Systems Security - 11/5 Daniel Votipka Fall 2018 (some slides courtesy

�13

Key challenges

• Security concepts are hard

– Viruses, certificates, SSL, encryption, phishing

• Security is a secondary task

– Users are trying to get something else done

Page 17: Usable Security - GitHub Pagesenee457.github.io/lectures/week10/ENEE457-usablesec.pdf · Usable Security Computer Systems Security - 11/5 Daniel Votipka Fall 2018 (some slides courtesy

�14

People are economical

• Given two paths to a goal, they’ll take the shorter path

• More steps = less likely they’ll be completed

• Can they figure out what to do?

– Too hard = give up and take easiest path

Page 18: Usable Security - GitHub Pagesenee457.github.io/lectures/week10/ENEE457-usablesec.pdf · Usable Security Computer Systems Security - 11/5 Daniel Votipka Fall 2018 (some slides courtesy

�15

Good security practices• Install anti-virus software

• Keep your OS and applications up-to-date

• Change your passwords frequently *

• Read a website’s privacy policy before using it

• Regularly check accounts for unusual activity

• Pay attention to the URL of a website

• Research software’s reputation before installing

• Enable your software firewall

• Make regular backups of your data

• Read EULAs before installing software

Page 19: Usable Security - GitHub Pagesenee457.github.io/lectures/week10/ENEE457-usablesec.pdf · Usable Security Computer Systems Security - 11/5 Daniel Votipka Fall 2018 (some slides courtesy

�16

Security practices that people don’t do• Install anti-virus software

• Keep your OS and applications up-to-date

• Change your passwords frequently *

• Read a website’s privacy policy before using it

• Regularly check accounts for unusual activity

• Pay attention to the URL of a website

• Research software’s reputation before installing

• Enable your software firewall

• Make regular backups of your data

• Read EULAs before installing software

Page 20: Usable Security - GitHub Pagesenee457.github.io/lectures/week10/ENEE457-usablesec.pdf · Usable Security Computer Systems Security - 11/5 Daniel Votipka Fall 2018 (some slides courtesy

�17

Key challenges

• Security concepts are hard

– Viruses, certificates, SSL, encryption, phishing

• Security is a secondary task

– Users are trying to get something else done

Page 21: Usable Security - GitHub Pagesenee457.github.io/lectures/week10/ENEE457-usablesec.pdf · Usable Security Computer Systems Security - 11/5 Daniel Votipka Fall 2018 (some slides courtesy

�17

Key challenges

• Security concepts are hard

– Viruses, certificates, SSL, encryption, phishing

• Security is a secondary task

– Users are trying to get something else done

• Human capabilities are limited

Page 22: Usable Security - GitHub Pagesenee457.github.io/lectures/week10/ENEE457-usablesec.pdf · Usable Security Computer Systems Security - 11/5 Daniel Votipka Fall 2018 (some slides courtesy

�18

Are you capable of remembering a unique strong password for every account you have?

Page 23: Usable Security - GitHub Pagesenee457.github.io/lectures/week10/ENEE457-usablesec.pdf · Usable Security Computer Systems Security - 11/5 Daniel Votipka Fall 2018 (some slides courtesy

�19

Key challenges

• Security concepts are hard

– Viruses, certificates, SSL, encryption, phishing

• Security is a secondary task

– Users are trying to get something else done

• Human capabilities are limited

Page 24: Usable Security - GitHub Pagesenee457.github.io/lectures/week10/ENEE457-usablesec.pdf · Usable Security Computer Systems Security - 11/5 Daniel Votipka Fall 2018 (some slides courtesy

�19

Key challenges

• Security concepts are hard

– Viruses, certificates, SSL, encryption, phishing

• Security is a secondary task

– Users are trying to get something else done

• Human capabilities are limited

• Misaligned priorities

Page 25: Usable Security - GitHub Pagesenee457.github.io/lectures/week10/ENEE457-usablesec.pdf · Usable Security Computer Systems Security - 11/5 Daniel Votipka Fall 2018 (some slides courtesy

�20

Security

Expert User

Page 26: Usable Security - GitHub Pagesenee457.github.io/lectures/week10/ENEE457-usablesec.pdf · Usable Security Computer Systems Security - 11/5 Daniel Votipka Fall 2018 (some slides courtesy

�20

Security

Expert User

Page 27: Usable Security - GitHub Pagesenee457.github.io/lectures/week10/ENEE457-usablesec.pdf · Usable Security Computer Systems Security - 11/5 Daniel Votipka Fall 2018 (some slides courtesy

�20

Security

Expert User

Keep the bad guys out

Page 28: Usable Security - GitHub Pagesenee457.github.io/lectures/week10/ENEE457-usablesec.pdf · Usable Security Computer Systems Security - 11/5 Daniel Votipka Fall 2018 (some slides courtesy

�20

Security

Expert User

Don’t lock me out!

Keep the bad guys out

Page 29: Usable Security - GitHub Pagesenee457.github.io/lectures/week10/ENEE457-usablesec.pdf · Usable Security Computer Systems Security - 11/5 Daniel Votipka Fall 2018 (some slides courtesy

�21

Key challenges

• Security concepts are hard

– Viruses, certificates, SSL, encryption, phishing

• Security is a secondary task

– Users are trying to get something else done

• Human capabilities are limited

• Misaligned priorities

Page 30: Usable Security - GitHub Pagesenee457.github.io/lectures/week10/ENEE457-usablesec.pdf · Usable Security Computer Systems Security - 11/5 Daniel Votipka Fall 2018 (some slides courtesy

�21

Key challenges

• Security concepts are hard

– Viruses, certificates, SSL, encryption, phishing

• Security is a secondary task

– Users are trying to get something else done

• Human capabilities are limited

• Misaligned priorities

• Habituation

- Active adversaries (Unlike ordinary UX)

Page 31: Usable Security - GitHub Pagesenee457.github.io/lectures/week10/ENEE457-usablesec.pdf · Usable Security Computer Systems Security - 11/5 Daniel Votipka Fall 2018 (some slides courtesy

�22

Habituation

“Not long ago, [I] received an e-mail purporting to be from [my] bank. It looked perfectly legitimate, and asked [me] to verify some information. [I] started to follow the instructions, but then realized this might not be such a good idea … [I] definitely should have known better.”

Page 32: Usable Security - GitHub Pagesenee457.github.io/lectures/week10/ENEE457-usablesec.pdf · Usable Security Computer Systems Security - 11/5 Daniel Votipka Fall 2018 (some slides courtesy

�22

Habituation

“Not long ago, [I] received an e-mail purporting to be from [my] bank. It looked perfectly legitimate, and asked [me] to verify some information. [I] started to follow the instructions, but then realized this might not be such a good idea … [I] definitely should have known better.”

-- former FBI Director Robert Mueller

Page 33: Usable Security - GitHub Pagesenee457.github.io/lectures/week10/ENEE457-usablesec.pdf · Usable Security Computer Systems Security - 11/5 Daniel Votipka Fall 2018 (some slides courtesy

�23

Exercise: Draw a penny

• Draw a circle

• Sketch the layout of the four basic items on the front of a US penny

– What are the items, and how are they positioned?

No cheating!

Page 34: Usable Security - GitHub Pagesenee457.github.io/lectures/week10/ENEE457-usablesec.pdf · Usable Security Computer Systems Security - 11/5 Daniel Votipka Fall 2018 (some slides courtesy

�23

Exercise: Draw a penny

• Draw a circle

• Sketch the layout of the four basic items on the front of a US penny

– What are the items, and how are they positioned?

• Hint:

– Someone’s portrait (who?)

– Two patriotic phrases

– Another item

– Extra credit: an item that some pennies have and some don’t

No cheating!

Page 35: Usable Security - GitHub Pagesenee457.github.io/lectures/week10/ENEE457-usablesec.pdf · Usable Security Computer Systems Security - 11/5 Daniel Votipka Fall 2018 (some slides courtesy

�24

Score your sketch• Score:

– 1 for Abraham Lincoln

– +1 for Abraham Lincoln facing right

– +1 for “Liberty”

– +1 for “Liberty” to Abe’s left

– +1 for “In God We Trust”

– +1 for “In God We Trust” over Abe’s head

– +1 for the year

– +1 for the year to Abe’s right

– Extra credit: +1 for the mint letter under the year

– -1 for every other item

Page 36: Usable Security - GitHub Pagesenee457.github.io/lectures/week10/ENEE457-usablesec.pdf · Usable Security Computer Systems Security - 11/5 Daniel Votipka Fall 2018 (some slides courtesy

�25

Lessons from Abe

• You’ve probably seen hundreds of pennies

– And yet, this is hard

• Memory limitations

– Remembering a penny isn’t important, unless you take this quiz!

• Habituation

– You see it so often, you don’t remember it anymore

Page 37: Usable Security - GitHub Pagesenee457.github.io/lectures/week10/ENEE457-usablesec.pdf · Usable Security Computer Systems Security - 11/5 Daniel Votipka Fall 2018 (some slides courtesy

�26

Habituation to warnings

Page 38: Usable Security - GitHub Pagesenee457.github.io/lectures/week10/ENEE457-usablesec.pdf · Usable Security Computer Systems Security - 11/5 Daniel Votipka Fall 2018 (some slides courtesy

�27

Page 39: Usable Security - GitHub Pagesenee457.github.io/lectures/week10/ENEE457-usablesec.pdf · Usable Security Computer Systems Security - 11/5 Daniel Votipka Fall 2018 (some slides courtesy

�27Image courtesy of Johnathan Nightingale

Page 40: Usable Security - GitHub Pagesenee457.github.io/lectures/week10/ENEE457-usablesec.pdf · Usable Security Computer Systems Security - 11/5 Daniel Votipka Fall 2018 (some slides courtesy

�28

Key challenges

• Security concepts are hard

– Viruses, certificates, SSL, encryption, phishing

• Security is a secondary task

– Users are trying to get something else done

• Human capabilities are limited

• Misaligned priorities

• Habituation

- Active adversaries (Unlike ordinary UX)

Page 41: Usable Security - GitHub Pagesenee457.github.io/lectures/week10/ENEE457-usablesec.pdf · Usable Security Computer Systems Security - 11/5 Daniel Votipka Fall 2018 (some slides courtesy

How can we test if our system is usable?

Page 42: Usable Security - GitHub Pagesenee457.github.io/lectures/week10/ENEE457-usablesec.pdf · Usable Security Computer Systems Security - 11/5 Daniel Votipka Fall 2018 (some slides courtesy

�30

Case Study #1: Grey and user Buy-inhttps://www.archive.ece.cmu.edu/~lbauer/papers/2007/soups2007.pdf

Page 43: Usable Security - GitHub Pagesenee457.github.io/lectures/week10/ENEE457-usablesec.pdf · Usable Security Computer Systems Security - 11/5 Daniel Votipka Fall 2018 (some slides courtesy

�31

Is Grey too slow?

• Grey: Smartphone-based access control

– Strong security benefits vs. keys

• Users complained about speed

[Bauer et. al, SOUPS 2007]

Page 44: Usable Security - GitHub Pagesenee457.github.io/lectures/week10/ENEE457-usablesec.pdf · Usable Security Computer Systems Security - 11/5 Daniel Votipka Fall 2018 (some slides courtesy

�31

Is Grey too slow?

• Grey: Smartphone-based access control

– Strong security benefits vs. keys

• Users complained about speed

– Videotaped doors to measure Grey vs. keys

[Bauer et. al, SOUPS 2007]

Page 45: Usable Security - GitHub Pagesenee457.github.io/lectures/week10/ENEE457-usablesec.pdf · Usable Security Computer Systems Security - 11/5 Daniel Votipka Fall 2018 (some slides courtesy

�31

Is Grey too slow?

• Grey: Smartphone-based access control

– Strong security benefits vs. keys

• Users complained about speed

– Videotaped doors to measure Grey vs. keys

– Monitored access/use logs

[Bauer et. al, SOUPS 2007]

Page 46: Usable Security - GitHub Pagesenee457.github.io/lectures/week10/ENEE457-usablesec.pdf · Usable Security Computer Systems Security - 11/5 Daniel Votipka Fall 2018 (some slides courtesy

�31

Is Grey too slow?

• Grey: Smartphone-based access control

– Strong security benefits vs. keys

• Users complained about speed

– Videotaped doors to measure Grey vs. keys

– Monitored access/use logs

– Periodically asked Grey users to discuss their experience using it

[Bauer et. al, SOUPS 2007]

Page 47: Usable Security - GitHub Pagesenee457.github.io/lectures/week10/ENEE457-usablesec.pdf · Usable Security Computer Systems Security - 11/5 Daniel Votipka Fall 2018 (some slides courtesy

�32

Average access times

Getting keys

3.6 sec 5.4 sec

Stop in front of door

Door opened

Total 14.7 sec

σ = 3.1 σ = 3.15.7 secσ = 3.6

σ = 5.6Door Closed

Page 48: Usable Security - GitHub Pagesenee457.github.io/lectures/week10/ENEE457-usablesec.pdf · Usable Security Computer Systems Security - 11/5 Daniel Votipka Fall 2018 (some slides courtesy

�32

Average access times

Getting keys

3.6 sec 5.4 sec

Stop in front of door

Door opened

Total 14.7 sec

σ = 3.1 σ = 3.15.7 secσ = 3.6

σ = 5.6Door Closed

Door Closed

8.4 sec 2.9 sec 3.8 sec

Stop in front of door

Getting phone

Door opened

Total 15.1 sec

σ = 2.8 σ = 1.5 σ = 1.1

σ = 3.9

Page 49: Usable Security - GitHub Pagesenee457.github.io/lectures/week10/ENEE457-usablesec.pdf · Usable Security Computer Systems Security - 11/5 Daniel Votipka Fall 2018 (some slides courtesy

�32

Average access times

Getting keys

3.6 sec 5.4 sec

Stop in front of door

Door opened

Total 14.7 sec

σ = 3.1 σ = 3.15.7 secσ = 3.6

σ = 5.6Door Closed

Door Closed

8.4 sec 2.9 sec 3.8 sec

Stop in front of door

Getting phone

Door opened

Total 15.1 sec

σ = 2.8 σ = 1.5 σ = 1.1

σ = 3.9

Grey is not noticeably slower than keys!

Page 50: Usable Security - GitHub Pagesenee457.github.io/lectures/week10/ENEE457-usablesec.pdf · Usable Security Computer Systems Security - 11/5 Daniel Votipka Fall 2018 (some slides courtesy

�33

“I find myself standing outside and everybody inside is looking at me standing outside while I am trying to futz with my phone and open the stupid door.”

Page 51: Usable Security - GitHub Pagesenee457.github.io/lectures/week10/ENEE457-usablesec.pdf · Usable Security Computer Systems Security - 11/5 Daniel Votipka Fall 2018 (some slides courtesy

�33

“I find myself standing outside and everybody inside is looking at me standing outside while I am trying to futz with my phone and open the stupid door.”

Takeaway: Misaligned priorities

Page 52: Usable Security - GitHub Pagesenee457.github.io/lectures/week10/ENEE457-usablesec.pdf · Usable Security Computer Systems Security - 11/5 Daniel Votipka Fall 2018 (some slides courtesy

�34

Case Study #2: Password meters and motivating your users

https://www.blaseur.com/papers/sec12_pwmeters_paper.pdf

Page 53: Usable Security - GitHub Pagesenee457.github.io/lectures/week10/ENEE457-usablesec.pdf · Usable Security Computer Systems Security - 11/5 Daniel Votipka Fall 2018 (some slides courtesy

�35

Password Meters …

Page 54: Usable Security - GitHub Pagesenee457.github.io/lectures/week10/ENEE457-usablesec.pdf · Usable Security Computer Systems Security - 11/5 Daniel Votipka Fall 2018 (some slides courtesy

�35

Password Meters …• … come in all shapes and sizes

[Ur et. al, USENIX Sec 2012]

Page 55: Usable Security - GitHub Pagesenee457.github.io/lectures/week10/ENEE457-usablesec.pdf · Usable Security Computer Systems Security - 11/5 Daniel Votipka Fall 2018 (some slides courtesy

�36

Experimental setup

• No meter

• Baseline (boring) meter

• Visual differences

– Size, text only

• Dancing bunnies (wait and see)

• Scoring differences

– Same password scores differently

Page 56: Usable Security - GitHub Pagesenee457.github.io/lectures/week10/ENEE457-usablesec.pdf · Usable Security Computer Systems Security - 11/5 Daniel Votipka Fall 2018 (some slides courtesy

�37

Conditions with Visual Differences

Page 57: Usable Security - GitHub Pagesenee457.github.io/lectures/week10/ENEE457-usablesec.pdf · Usable Security Computer Systems Security - 11/5 Daniel Votipka Fall 2018 (some slides courtesy

�38

Conditions with Visual Differences

Page 58: Usable Security - GitHub Pagesenee457.github.io/lectures/week10/ENEE457-usablesec.pdf · Usable Security Computer Systems Security - 11/5 Daniel Votipka Fall 2018 (some slides courtesy

�39

Conditions with Visual Differences

Page 59: Usable Security - GitHub Pagesenee457.github.io/lectures/week10/ENEE457-usablesec.pdf · Usable Security Computer Systems Security - 11/5 Daniel Votipka Fall 2018 (some slides courtesy

�40

Conditions with Visual Differences

Page 60: Usable Security - GitHub Pagesenee457.github.io/lectures/week10/ENEE457-usablesec.pdf · Usable Security Computer Systems Security - 11/5 Daniel Votipka Fall 2018 (some slides courtesy

�41

Conditions with Visual Differences

Page 61: Usable Security - GitHub Pagesenee457.github.io/lectures/week10/ENEE457-usablesec.pdf · Usable Security Computer Systems Security - 11/5 Daniel Votipka Fall 2018 (some slides courtesy

�42

Conditions with Visual Differences

Page 62: Usable Security - GitHub Pagesenee457.github.io/lectures/week10/ENEE457-usablesec.pdf · Usable Security Computer Systems Security - 11/5 Daniel Votipka Fall 2018 (some slides courtesy

�43

Bunny Condition

Page 63: Usable Security - GitHub Pagesenee457.github.io/lectures/week10/ENEE457-usablesec.pdf · Usable Security Computer Systems Security - 11/5 Daniel Votipka Fall 2018 (some slides courtesy

�43

Bunny Condition

Page 64: Usable Security - GitHub Pagesenee457.github.io/lectures/week10/ENEE457-usablesec.pdf · Usable Security Computer Systems Security - 11/5 Daniel Votipka Fall 2018 (some slides courtesy

�44

Conditions with Scoring Differences

Page 65: Usable Security - GitHub Pagesenee457.github.io/lectures/week10/ENEE457-usablesec.pdf · Usable Security Computer Systems Security - 11/5 Daniel Votipka Fall 2018 (some slides courtesy

�45

Conditions with Scoring Differences

Page 66: Usable Security - GitHub Pagesenee457.github.io/lectures/week10/ENEE457-usablesec.pdf · Usable Security Computer Systems Security - 11/5 Daniel Votipka Fall 2018 (some slides courtesy

�46

Conditions with Scoring Differences

Page 67: Usable Security - GitHub Pagesenee457.github.io/lectures/week10/ENEE457-usablesec.pdf · Usable Security Computer Systems Security - 11/5 Daniel Votipka Fall 2018 (some slides courtesy

�47

Conditions with Scoring Differences

Page 68: Usable Security - GitHub Pagesenee457.github.io/lectures/week10/ENEE457-usablesec.pdf · Usable Security Computer Systems Security - 11/5 Daniel Votipka Fall 2018 (some slides courtesy

�48

Conditions with Scoring Differences

Page 69: Usable Security - GitHub Pagesenee457.github.io/lectures/week10/ENEE457-usablesec.pdf · Usable Security Computer Systems Security - 11/5 Daniel Votipka Fall 2018 (some slides courtesy

�49

Conditions with Scoring Differences

Page 70: Usable Security - GitHub Pagesenee457.github.io/lectures/week10/ENEE457-usablesec.pdf · Usable Security Computer Systems Security - 11/5 Daniel Votipka Fall 2018 (some slides courtesy

�50

Conditions with Scoring Differences

Page 71: Usable Security - GitHub Pagesenee457.github.io/lectures/week10/ENEE457-usablesec.pdf · Usable Security Computer Systems Security - 11/5 Daniel Votipka Fall 2018 (some slides courtesy

�51

Password Meters (Scoring)

Number of Guesses

Perc

enta

ge o

f Pa

ssw

ords

Cra

cked

0%

10%

20%

30%

40%

50%

104 105 106 107 108 109 1010 1011 1012 1013

No meter

Baseline meter Nudge-comp8 Bold text-only half Text-only half Nudge-16 One-third-score Half-score

Weak 5×108

Medium 5×1010

Strong 5×1012

Page 72: Usable Security - GitHub Pagesenee457.github.io/lectures/week10/ENEE457-usablesec.pdf · Usable Security Computer Systems Security - 11/5 Daniel Votipka Fall 2018 (some slides courtesy

�52

Password Meters (Scoring)

Number of Guesses

Perc

enta

ge o

f Pa

ssw

ords

Cra

cked

0%

10%

20%

30%

40%

50%

104 105 106 107 108 109 1010 1011 1012 1013

No meter

Baseline meter Nudge-comp8 Bold text-only half Text-only half Nudge-16 One-third-score Half-score

Weak 5×108

Medium 5×1010

Strong 5×1012

Page 73: Usable Security - GitHub Pagesenee457.github.io/lectures/week10/ENEE457-usablesec.pdf · Usable Security Computer Systems Security - 11/5 Daniel Votipka Fall 2018 (some slides courtesy

�52

Password Meters (Scoring)

Number of Guesses

Perc

enta

ge o

f Pa

ssw

ords

Cra

cked

0%

10%

20%

30%

40%

50%

104 105 106 107 108 109 1010 1011 1012 1013

No meter

Baseline meter Nudge-comp8 Bold text-only half Text-only half Nudge-16 One-third-score Half-score

Weak 5×108

Medium 5×1010

Strong 5×1012

Visual changes don’t significantly increase resistance to guessing

Page 74: Usable Security - GitHub Pagesenee457.github.io/lectures/week10/ENEE457-usablesec.pdf · Usable Security Computer Systems Security - 11/5 Daniel Votipka Fall 2018 (some slides courtesy

�52

Password Meters (Scoring)

Number of Guesses

Perc

enta

ge o

f Pa

ssw

ords

Cra

cked

0%

10%

20%

30%

40%

50%

104 105 106 107 108 109 1010 1011 1012 1013

No meter

Baseline meter Nudge-comp8 Bold text-only half Text-only half Nudge-16 One-third-score Half-score

Weak 5×108

Medium 5×1010

Strong 5×1012

Visual changes don’t significantly increase resistance to guessing

Stringent meters with visual bars increase resistance to guessing, without affecting memorability

Page 75: Usable Security - GitHub Pagesenee457.github.io/lectures/week10/ENEE457-usablesec.pdf · Usable Security Computer Systems Security - 11/5 Daniel Votipka Fall 2018 (some slides courtesy

�52

Password Meters (Scoring)

Number of Guesses

Perc

enta

ge o

f Pa

ssw

ords

Cra

cked

0%

10%

20%

30%

40%

50%

104 105 106 107 108 109 1010 1011 1012 1013

No meter

Baseline meter Nudge-comp8 Bold text-only half Text-only half Nudge-16 One-third-score Half-score

Weak 5×108

Medium 5×1010

Strong 5×1012

Visual changes don’t significantly increase resistance to guessing

Too stringent can deplete user buy-in and backfire

Stringent meters with visual bars increase resistance to guessing, without affecting memorability

Page 76: Usable Security - GitHub Pagesenee457.github.io/lectures/week10/ENEE457-usablesec.pdf · Usable Security Computer Systems Security - 11/5 Daniel Votipka Fall 2018 (some slides courtesy

�53

What if the domain is not well understood?

Page 77: Usable Security - GitHub Pagesenee457.github.io/lectures/week10/ENEE457-usablesec.pdf · Usable Security Computer Systems Security - 11/5 Daniel Votipka Fall 2018 (some slides courtesy

�53

Case Study #3: Hackers vs. Testers

What if the domain is not well understood?

http://users.umiacs.umd.edu/~dvotipka/papers/VotipkaHackerTesters2018.pdf

Page 78: Usable Security - GitHub Pagesenee457.github.io/lectures/week10/ENEE457-usablesec.pdf · Usable Security Computer Systems Security - 11/5 Daniel Votipka Fall 2018 (some slides courtesy

�54

Vulnerability discovery

[Votipka et. al, IEEE S&P 2018]

Page 79: Usable Security - GitHub Pagesenee457.github.io/lectures/week10/ENEE457-usablesec.pdf · Usable Security Computer Systems Security - 11/5 Daniel Votipka Fall 2018 (some slides courtesy

�55

Vulnerability discovery

Generalists Experts

Page 80: Usable Security - GitHub Pagesenee457.github.io/lectures/week10/ENEE457-usablesec.pdf · Usable Security Computer Systems Security - 11/5 Daniel Votipka Fall 2018 (some slides courtesy

�56

Research Questions

1. How do testers and hackers search for vulnerabilities?

2. What are the differences between testers and hackers?

Page 81: Usable Security - GitHub Pagesenee457.github.io/lectures/week10/ENEE457-usablesec.pdf · Usable Security Computer Systems Security - 11/5 Daniel Votipka Fall 2018 (some slides courtesy

�56

Research Questions

1. How do testers and hackers search for vulnerabilities?

2. What are the differences between testers and hackers?

Interview study:

• Task Analysis

• Tools, Skills, and Communities

Page 82: Usable Security - GitHub Pagesenee457.github.io/lectures/week10/ENEE457-usablesec.pdf · Usable Security Computer Systems Security - 11/5 Daniel Votipka Fall 2018 (some slides courtesy

�57

Info Gathering

Program Understanding

Attack Surface

Exploration

Vulnerability Recognition

Reporting

Page 83: Usable Security - GitHub Pagesenee457.github.io/lectures/week10/ENEE457-usablesec.pdf · Usable Security Computer Systems Security - 11/5 Daniel Votipka Fall 2018 (some slides courtesy

�57

Info Gathering

Program Understanding

Attack Surface

Exploration

Vulnerability Recognition

Reporting

Vulnerability Discovery

Experience

Access to Development

Process

Underlying System

Knowledge

Motivation

Page 84: Usable Security - GitHub Pagesenee457.github.io/lectures/week10/ENEE457-usablesec.pdf · Usable Security Computer Systems Security - 11/5 Daniel Votipka Fall 2018 (some slides courtesy

�57

Info Gathering

Program Understanding

Attack Surface

Exploration

Vulnerability Recognition

Reporting

Vulnerability Discovery

Experience

Access to Development

Process

Underlying System

Knowledge

Motivation

Page 85: Usable Security - GitHub Pagesenee457.github.io/lectures/week10/ENEE457-usablesec.pdf · Usable Security Computer Systems Security - 11/5 Daniel Votipka Fall 2018 (some slides courtesy

�58

Employment

Hacking Exercises

Community

Bug Reports

Vulnerability Discovery Experience

Amount of experience

Page 86: Usable Security - GitHub Pagesenee457.github.io/lectures/week10/ENEE457-usablesec.pdf · Usable Security Computer Systems Security - 11/5 Daniel Votipka Fall 2018 (some slides courtesy

�58

Employment

Hacking Exercises

Community

Bug Reports

Vulnerability Discovery Experience

Amount of experience

Page 87: Usable Security - GitHub Pagesenee457.github.io/lectures/week10/ENEE457-usablesec.pdf · Usable Security Computer Systems Security - 11/5 Daniel Votipka Fall 2018 (some slides courtesy

�59

TimeCapture-the-Flag(2 weeks)

Hacking exercises

Page 88: Usable Security - GitHub Pagesenee457.github.io/lectures/week10/ENEE457-usablesec.pdf · Usable Security Computer Systems Security - 11/5 Daniel Votipka Fall 2018 (some slides courtesy

Diary StudyDiary Surveys

(10 mins: 12 weeks, 2x/week, 1x/day)

�59

TimeCapture-the-Flag(2 weeks)

Hacking exercises

Page 89: Usable Security - GitHub Pagesenee457.github.io/lectures/week10/ENEE457-usablesec.pdf · Usable Security Computer Systems Security - 11/5 Daniel Votipka Fall 2018 (some slides courtesy

Diary StudyDiary Surveys

(10 mins: 12 weeks, 2x/week, 1x/day)

�59

TimeCapture-the-Flag(2 weeks)

Knowledge Assessment

Pre-CTF Assessment

(60 mins)

Post-CTF Assessment

(60 mins)

Hacking exercises

Page 90: Usable Security - GitHub Pagesenee457.github.io/lectures/week10/ENEE457-usablesec.pdf · Usable Security Computer Systems Security - 11/5 Daniel Votipka Fall 2018 (some slides courtesy

Diary StudyDiary Surveys

(10 mins: 12 weeks, 2x/week, 1x/day)

�59

TimeCapture-the-Flag(2 weeks)

Knowledge Assessment

Pre-CTF Assessment

(60 mins)

Post-CTF Assessment

(60 mins)

Hacking exercises

https://www.umiacs.umd.edu/~dvotipka/papers/VotipkaDropboxCTF2018.pdf

Page 91: Usable Security - GitHub Pagesenee457.github.io/lectures/week10/ENEE457-usablesec.pdf · Usable Security Computer Systems Security - 11/5 Daniel Votipka Fall 2018 (some slides courtesy

Making things better

Page 92: Usable Security - GitHub Pagesenee457.github.io/lectures/week10/ENEE457-usablesec.pdf · Usable Security Computer Systems Security - 11/5 Daniel Votipka Fall 2018 (some slides courtesy

�61

Use psychology in your favor

• Limit memory requirements

• Grab attention when you need it

• Make critical information stand out / avoid habituation

• Minimize effort:

– To get users to take action, make it easy

– To get users to avoid danger, make it difficult

Page 93: Usable Security - GitHub Pagesenee457.github.io/lectures/week10/ENEE457-usablesec.pdf · Usable Security Computer Systems Security - 11/5 Daniel Votipka Fall 2018 (some slides courtesy

�62

Limit the user’s cognitive load

Might be dangerous

User must decide

Very low probability of

danger

Don’t bother user

High probability of danger

Block

Page 94: Usable Security - GitHub Pagesenee457.github.io/lectures/week10/ENEE457-usablesec.pdf · Usable Security Computer Systems Security - 11/5 Daniel Votipka Fall 2018 (some slides courtesy

�62

Limit the user’s cognitive load

Might be dangerous

User must decide

Very low probability of

danger

Don’t bother user

High probability of danger

Block

Improve warnings

Help user decide by asking a question user is qualified to answer

Page 95: Usable Security - GitHub Pagesenee457.github.io/lectures/week10/ENEE457-usablesec.pdf · Usable Security Computer Systems Security - 11/5 Daniel Votipka Fall 2018 (some slides courtesy

�63

Bad question

Your web browser thinks this is a phishing web site. Do you want to go there anyway?

Go there anywayDon’t go there

I don’t know what a phishing site is.

I really want to go to this site.

Of course I will go there anyway!

Page 96: Usable Security - GitHub Pagesenee457.github.io/lectures/week10/ENEE457-usablesec.pdf · Usable Security Computer Systems Security - 11/5 Daniel Votipka Fall 2018 (some slides courtesy

�64

You are trying to go to evilsite.com. Do you really want to go there or would you rather go to yourbank.com?

Go to evilsite.comGo to yourbank.com

Better question

Of course I want to go to yourbank.com!

Page 97: Usable Security - GitHub Pagesenee457.github.io/lectures/week10/ENEE457-usablesec.pdf · Usable Security Computer Systems Security - 11/5 Daniel Votipka Fall 2018 (some slides courtesy

�65

Hierarchy of solutions

• Make it “just work”

– Invisible security

• Make security/privacy understandable

– Make it visible

– Make it intuitive

– Use metaphors that users can relate to

• Train the user

Page 98: Usable Security - GitHub Pagesenee457.github.io/lectures/week10/ENEE457-usablesec.pdf · Usable Security Computer Systems Security - 11/5 Daniel Votipka Fall 2018 (some slides courtesy

�66

Want to learn more?

Page 99: Usable Security - GitHub Pagesenee457.github.io/lectures/week10/ENEE457-usablesec.pdf · Usable Security Computer Systems Security - 11/5 Daniel Votipka Fall 2018 (some slides courtesy

�66

Want to learn more?

Page 100: Usable Security - GitHub Pagesenee457.github.io/lectures/week10/ENEE457-usablesec.pdf · Usable Security Computer Systems Security - 11/5 Daniel Votipka Fall 2018 (some slides courtesy

�66

Want to learn more?

https://www.usenix.org/conference/soups2018

Page 101: Usable Security - GitHub Pagesenee457.github.io/lectures/week10/ENEE457-usablesec.pdf · Usable Security Computer Systems Security - 11/5 Daniel Votipka Fall 2018 (some slides courtesy

�66

Want to learn more?

[email protected]@cs.umd.edu

https://www.usenix.org/conference/soups2018

Page 102: Usable Security - GitHub Pagesenee457.github.io/lectures/week10/ENEE457-usablesec.pdf · Usable Security Computer Systems Security - 11/5 Daniel Votipka Fall 2018 (some slides courtesy

�67

Case Study #4: Sensitive resource accesses and usage context

https://www.cs.umd.edu/~micinski/apptracer-2017.pdf

Page 103: Usable Security - GitHub Pagesenee457.github.io/lectures/week10/ENEE457-usablesec.pdf · Usable Security Computer Systems Security - 11/5 Daniel Votipka Fall 2018 (some slides courtesy

�68

When is it ok for an app to access sensitive data?

[Micinski et. al, CHI 2017]

Page 104: Usable Security - GitHub Pagesenee457.github.io/lectures/week10/ENEE457-usablesec.pdf · Usable Security Computer Systems Security - 11/5 Daniel Votipka Fall 2018 (some slides courtesy

�69

Experimental setup

• Study #1:

• Analyze 150 top apps

• Determine how apps actually use resources

• Study #2:

• Show MTurkers a variety of scenarios

• See what they think the app is doing

Page 105: Usable Security - GitHub Pagesenee457.github.io/lectures/week10/ENEE457-usablesec.pdf · Usable Security Computer Systems Security - 11/5 Daniel Votipka Fall 2018 (some slides courtesy

�70

Microphone

Media/SD Card

Camera

Calendar

Contacts

SMS

Running Tasks

Location

Calls

Accounts

Power/Diagnostics

Bluetooth

Phone State

0 25 50 75 100Percent of Patterns

Click

Bg-App

Page

Bg-Ext

Startup

Uncertain

Page 106: Usable Security - GitHub Pagesenee457.github.io/lectures/week10/ENEE457-usablesec.pdf · Usable Security Computer Systems Security - 11/5 Daniel Votipka Fall 2018 (some slides courtesy

�70

Microphone

Media/SD Card

Camera

Calendar

Contacts

SMS

Running Tasks

Location

Calls

Accounts

Power/Diagnostics

Bluetooth

Phone State

0 25 50 75 100Percent of Patterns

Click

Bg-App

Page

Bg-Ext

Startup

Uncertain

Mostly interactive

Page 107: Usable Security - GitHub Pagesenee457.github.io/lectures/week10/ENEE457-usablesec.pdf · Usable Security Computer Systems Security - 11/5 Daniel Votipka Fall 2018 (some slides courtesy

�70

Microphone

Media/SD Card

Camera

Calendar

Contacts

SMS

Running Tasks

Location

Calls

Accounts

Power/Diagnostics

Bluetooth

Phone State

0 25 50 75 100Percent of Patterns

Click

Bg-App

Page

Bg-Ext

Startup

Uncertain

Mixed access

Page 108: Usable Security - GitHub Pagesenee457.github.io/lectures/week10/ENEE457-usablesec.pdf · Usable Security Computer Systems Security - 11/5 Daniel Votipka Fall 2018 (some slides courtesy

�70

Microphone

Media/SD Card

Camera

Calendar

Contacts

SMS

Running Tasks

Location

Calls

Accounts

Power/Diagnostics

Bluetooth

Phone State

0 25 50 75 100Percent of Patterns

Click

Bg-App

Page

Bg-Ext

Startup

Uncertain

Mostly background

Page 109: Usable Security - GitHub Pagesenee457.github.io/lectures/week10/ENEE457-usablesec.pdf · Usable Security Computer Systems Security - 11/5 Daniel Votipka Fall 2018 (some slides courtesy
Page 110: Usable Security - GitHub Pagesenee457.github.io/lectures/week10/ENEE457-usablesec.pdf · Usable Security Computer Systems Security - 11/5 Daniel Votipka Fall 2018 (some slides courtesy

Interactivity v. Expectation

• The more interactive the pattern, the more likely the user is to expect access

• A resource access after a click was 106 times more expected than when no interaction shown

• Explicit authorization also shows significant increase

Page 111: Usable Security - GitHub Pagesenee457.github.io/lectures/week10/ENEE457-usablesec.pdf · Usable Security Computer Systems Security - 11/5 Daniel Votipka Fall 2018 (some slides courtesy

Effect of Prior Access• Prior event of a click not significantly different from no

interaction

• More likely to expect background access when prior event was not associated with user interaction

• First Use not significantly different from Never for second access

• First Use may condition users to expect a single access


Recommended