Adam Barth

High performance imaging using large camera arrays

The advent of inexpensive digital image sensors and the ability to create photographs that combine information from a number of sensed images are changing the way we think about photography. In this paper, we describe a unique array of 100 custom video cameras that we have built, and we summarize our experiences using this array in a range of imaging applications. Our goal was to explore the capabilities of a system that would be inexpensive to produce in the future. With this in mind, we used simple cameras, lenses, and mountings, and we assumed that processing large numbers of images would eventually be easy and cheap. The applications we have explored include approximating a conventional single center of projection video camera with high performance along one or more axes, such as resolution, dynamic range, frame rate, and/or large aperture, and using multiple cameras to approximate a video camera with a large synthetic aperture. This permits us to capture a video light field, to which we can apply spatiotemporal view interpolation algorithms in order to digitally simulate time dilation and camera motion. It also permits us to create video sequences using custom non-uniform synthetic apertures.

Robust defenses for cross-site request forgery

Cross-Site Request Forgery (CSRF) is a widely exploited web site vulnerability. In this paper, we present a new variation on CSRF attacks, login CSRF, in which the attacker forges a cross-site request to the login form, logging the victim into the honest web site as the attacker. The severity of a login CSRF vulnerability varies by site, but it can be as severe as a cross-site scripting vulnerability. We detail three major CSRF defense techniques and find shortcomings with each technique. Although the HTTP Referer header could provide an effective defense, our experimental observation of 283,945 advertisement impressions indicates that the header is widely blocked at the network layer due to privacy concerns. Our observations do suggest, however, that the header can be used today as a reliable CSRF defense over HTTPS, making it particularly well-suited for defending against login CSRF. For the long term, we propose that browsers implement the Origin header, which provides the security benefits of the Referer header while responding to privacy concerns.

Privacy and contextual integrity: framework and applications

Contextual integrity is a conceptual framework for understanding privacy expectations and their implications developed in the literature on law, public policy, and political philosophy. We formalize some aspects of contextual integrity in a logical framework for expressing and reasoning about norms of transmission of personal information. In comparison with access control and privacy policy frameworks such as RBAC, EPAL, and P3P, these norms focus on who personal information is about, how it is transmitted, and past and future actions by both the subject and the users of the information. Norms can be positive or negative depending on whether they refer to actions that are allowed or disallowed. Our model is expressive enough to capture naturally many notions of privacy found in legislation, including those found in HIPAA, COPPA, and GLBA. A number of important problems regarding compliance with privacy norms, future requirements associated with specific actions, and relations between policies and legal standards reduce to standard decision procedures for temporal logic

Privacy and Utility in Business Processes

We propose an abstract model of business processes for the purpose of (i) evaluating privacy policy in light of the goals of the process and (ii) developing automated support for privacy policy compliance and audit. In our model, agents that send and receive tagged personal information are assigned organizational roles and responsibilities. We present approaches and algorithms for determining whether a business process design simultaneously achieves privacy and the goals of the organization (utility). The model also allows us to develop a notion of minimal exposure of personal information, for a given process. We investigate the problem of auditing with inexact information and develop methods to identify a set of potentially culpable individuals when privacy is breached. The audit methods draw on traditional causality concepts to reduce the effort needed to search audit logs for irresponsible actions.

An evaluation of extended validation and picture-in-picture phishing attacks

In this usability study of phishing attacks and browser antiphishing defenses, 27 users each classified 12 web sites as fraudulent or legitimate. By dividing these users into three groups, our controlled study measured both the effect of extended validation certificates that appear only at legitimate sites and the effect of reading a help file about security features in Internet Explorer 7. Across all groups, we found that picture-in-picture attacks showing a fake browser window were as effective as the best other phishing technique, the homograph attack. Extended validation did not help users identify either attack. Additionally, reading the help file made users more likely to classify both real and fake web sites as legitimate when the phishing warning did not appear.

Privacy in encrypted content distribution using private broadcast encryption

In many content distribution systems it is important both to restrict access to content to authorized users and to protect the identities of these users. We discover that current systems for encrypting content to sets of users are subject to attacks on user privacy. We propose a new mechanism, private broadcast encryption, to protect the privacy of users of encrypted file systems and content delivery systems. We construct a private broadcast scheme, with a strong privacy guarantee against an active attacker, that achieves ciphertext length, encryption time, and decryption time comparable with the non-private schemes currently used in encrypted file systems.

Forcehttps: protecting high-security web sites from network attacks

As wireless networks proliferate, web browsers operate in an increasingly hostile network environment. The HTTPS protocol has the potential to protect web users from network attackers, but real-world deployments must cope with misconfigured servers, causing imperfect web sites and users to compromise browsing sessions inadvertently. ForceHTTPS is a simple browser security mechanism that web sites or users can use to opt in to stricter error processing, improving the security of HTTPS by preventing network attacks that leverage the browsers lax error processing. By augmenting the browser with a database of custom URL rewrite rules, ForceHTTPS allows sophisticated users to transparently retrofit security onto some insecure sites that support HTTPS. We provide a prototype implementation of ForceHTTPS as a Firefox browser extension.

App isolation: get the security of multiple browsers with just one

Many browser-based attacks can be prevented by using separate browsers for separate web sites. However, most users access the web with only one browser. We explain the security benefits that using multiple browsers provides in terms of two concepts: entry-point restriction and state isolation. We combine these concepts into a general app isolation mechanism that can provide the same security benefits in a single browser. While not appropriate for all types of web sites, many sites with high-value user data can opt in to app isolation to gain defenses against a wide variety of browser-based attacks. We implement app isolation in the Chromium browser and verify its security properties using finite-state model checking. We also measure the performance overhead of app isolation and conduct a large-scale study to evaluate its adoption complexity for various types of sites, demonstrating how the app isolation mechanisms are suitable for protecting a number of high-value Web applications, such as online banking.

Conflict and combination in privacy policy languages

Many modern enterprises require methods for guaranteeing compliance with privacy legislation and announced privacy policies. IBM has proposed a formal language, the Enterprise Privacy Authorization Language (EPAL), for describing privacy policies rigorously. In this paper, we identify four desirable properties of a privacy policy language: guaranteed consistency, guaranteed safety, admitting local reasoning, and closure under combination. While EPAL achieves only one of these four goals, an extended language framework allows us to achieve three out of four, while retaining the basic EPAL framework of restricting access and imposing obligations on users of confidential information.

Enterprise privacy promises and enforcement

Several formal languages have been proposed to encode privacy policies, ranging from the Platform for Privacy Preferences (P3P), intended for communicating privacy policies to consumers over the web, to the Enterprise Privacy Authorization Language (EPAL), intended to enable policy enforcement within an enterprise. However, current technology does not allow an enterprise to determine whether its detailed, internal enforcement policy meets its published privacy promises. We present a data-centric, unified model for privacy, equipped with a modal logic for reasoning about permission inheritance across data hierarchies. We use this model to critique two privacy preference languages (APPEL and XPref), to justify P3Ps policy summarization algorithm, and to connect privacy policy languages, such as EPAL. Specifically, we characterize when one policy enforces another and provide an algorithm for generating the most specific privacy promises, at a given level of detail, guaranteed by a more detailed enforcement policy.