Quantitative bounds on the security-critical resource consumption of JavaScript apps

Current resource policies for mobile phone apps are based on permissions that unconditionally grant or deny access to a resource like private data, sensors and services. In reality, the legitimacy of an access may be context-dependent - for example, depending on how often a resource is accessed and in which situation. This thesis presents research into providing bounds on the access of JavaScript apps to security and privacy-relevant resources on mobile devices. The investigated bounds are quantitative and interaction-dependent: for example, permitting one access each time the user presses a specified button. Two novel systems are presented with different approaches to providing these bounds. The system PhoneWrap injects a quantitative policy into an app and enforces the bound dynamically during runtime by monitoring the resource consumption and the user interaction. If the injected bound is exceeded, the resource request is replaced by a deny action. This way, PhoneWrap restricts the unwanted behaviour while the expected functionality can be performed. Policies for this system describe the UI elements which trigger the expected resource consumption and the number of resource units consumed for each interaction. The enforcement of the policies is achieved via wrapping the critical APIs using JavaScript internal features. The injection of a policy can be performed automatically. PhoneWrap is the first system using the lightweight wrapping method to inject policies directly into mobile apps and the first to combine quantitative policies with interaction-dependencies. The second system AmorJiSe statically analyses the resource consumption of a given JavaScript program. This system automatically infers amortised annotations on top of given JavaScript data types. The amortised annotations symbolise reserved resource units stored in the data structures. This way the amount of resource units available to the app is expressed dependent on the size of the data structures. The resulting function types of the UI handlers can be used to extract interaction-dependent bounds. The correctness of these bounds is proven in relation to a resource-aware operational semantics. AmorJiSe extends the known amortised type paradigm to JavaScript with its dynamic object structures and applies this paradigm to the novel domain of mobile resources. Although, the two systems are based on similar resource models and produce similar resource bounds, they use different methods with different properties which are presented in this dissertation

Cerebral Hemodynamic Failure Presenting as Limb-Shaking Transient Ischemic Attacks

Limb-shaking transient ischemic attacks (TIA) may occur in patients with insufficient brain perfusion due to an underlying occlusive disease. We present the case of a 64-year-old patient who suffered from repetitive TIA presenting with shaking movements of the right-sided extremities and accompanying speech arrest. Symptoms are documented in the online supplementary video (www.karger.com/doi/10.1159/000327683). These episodes were frequently triggered in orthostatic situations. The diagnosis of limb-shaking TIA was established. The diagnostic workup revealed pseudo-occlusion of the left internal carotid artery, a poor intracranial collateral status and, as a consequence, an exhausted vasomotor reserve capacity. At ultrasound examination, symptoms were provoked by a change of the patient's position from supine to sitting. During evolvement of symptoms, a dramatic decrease of flow velocities in the left middle cerebral artery was observed. This case thus documents the magnitude and dynamics of perfusion failure in a rare manifestation of cerebral ischemic disease

Arterial Stiffness in Patients with Sarcoidosis and Obstructive Sleep Apnea

Background: Obstructive sleep apnea (OSA) and sarcoidosis have both been implied to be risk factors for increased arterial stiffness. However, it is unclear whether an elevated apnea–hypopnea index (AHI) in sarcoidosis patients increases arterial stiffness and thus the cardiovascular risk. Methods: We performed non-invasive applanation tonometry in 57 adults with sarcoidosis. The participants underwent SphygmoCor to assess arterial stiffness using an aortic augmentation index with a heart rate of 75/min (AIx) and level-3 respiratory polygraphy. An AHI of ≥5/h, ≥15/h, and ≥30/h defined mild, moderate, and severe OSA, respectively. Multivariate regression analysis was used to investigate the association between AIx and AHI, adjusted for prespecified risk factors for AIx. Results: 23 (40%) sarcoidosis patients had at least mild OSA (AHI ≥ 5), while 7 (12%) patients showed AHI ≥ 15/h. AHI was significantly associated with AIx (coef. (95%CI) of 0.31 (0.09/0.52), p = 0.006) even after adjustment for known risk factors of arterial stiffness. While severe OSA was positively associated with increased AIx, mild and moderate OSA were not associated with increased AIx after adjusting for known risk factors. Conclusions: Increased AHI is independently associated with increased arterial stiffness in sarcoidosis patients. Further investigations are needed to underline the association between OSA severity and the magnitude of arterial stiffness

"Am I Private and If So, how Many?" -- Using Risk Communication Formats for Making Differential Privacy Understandable

Mobility data is essential for cities and communities to identify areas for necessary improvement. Data collected by mobility providers already contains all the information necessary, but privacy of the individuals needs to be preserved. Differential privacy (DP) defines a mathematical property which guarantees that certain limits of privacy are preserved while sharing such data, but its functionality and privacy protection are difficult to explain to laypeople. In this paper, we adapt risk communication formats in conjunction with a model for the privacy risks of DP. The result are privacy notifications which explain the risk to an individual's privacy when using DP, rather than DP's functionality. We evaluate these novel privacy communication formats in a crowdsourced study. We find that they perform similarly to the best performing DP communications used currently in terms of objective understanding, but did not make our participants as confident in their understanding. We also discovered an influence, similar to the Dunning-Kruger effect, of the statistical numeracy on the effectiveness of some of our privacy communication formats and the DP communication format used currently. These results generate hypotheses in multiple directions, for example, toward the use of risk visualization to improve the understandability of our formats or toward adaptive user interfaces which tailor the risk communication to the characteristics of the reader

"Am I Private and If So, how Many?" - Communicating Privacy Guarantees of Differential Privacy with Risk Communication Formats

Decisions about sharing personal information are not trivial, since there are many legitimate and important purposes for such data collection, but often the collected data can reveal sensitive information about individuals. Privacy-preserving technologies, such as differential privacy (DP), can be employed to protect the privacy of individuals and, furthermore, provide mathematically sound guarantees on the maximum privacy risk. However, they can only support informed privacy decisions, if individuals understand the provided privacy guarantees. This article proposes a novel approach for communicating privacy guarantees to support individuals in their privacy decisions when sharing data. For this, we adopt risk communication formats from the medical domain in conjunction with a model for privacy guarantees of DP to create quantitative privacy risk notifications. We conducted a crowd-sourced study with 343 participants to evaluate how well our notifications conveyed the privacy risk information and how confident participants were about their own understanding of the privacy risk. Our findings suggest that these new notifications can communicate the objective information similarly well to currently used qualitative notifications, but left individuals less confident in their understanding. We also discovered that several of our notifications and the currently used qualitative notification disadvantage individuals with low numeracy: these individuals appear overconfident compared to their actual understanding of the associated privacy risks and are, therefore, less likely to seek the needed additional information before an informed decision. The promising results allow for multiple directions in future research, for example, adding visual aids or tailoring privacy risk communication to characteristics of the individuals.Comment: Accepted to ACM CCS 2022. arXiv admin note: substantial text overlap with arXiv:2204.0406

Cost-effectiveness analysis of surgical lung volume reduction compared with endobronchial valve treatment in patients with severe emphysema

BACKGROUND Lung volume reduction, either by surgery or bronchoscopically by endobronchial valve treatment have been shown to be a cost-effective alternative compared with conservative therapy. However, there is no comparative analysis of lung volume reduction by surgery and bronchoscopic lung volume reduction using endobronchial valves. OBJECTIVES The aim of this retrospective study was to provide a cost-effectiveness analysis of lung volume reduction by surgery compared with bronchoscopic lung volume reduction using endobronchial valves. METHODS The effectiveness of lung volume reduction was assessed using forced expiratory volume in the first second (FEV1), residual volume (RV) and 6-minute walking distance (6MWD), measured at baseline and at 4 to 12 weeks. Cost unit accounting derived from SwissDRG was used as a surrogate of the costs from the payer's perspective. RESULTS In total, 67 patients (37 men and 30 women) with a mean age of 68.3 ± 7.4 years were included. Both clinical effectiveness and costs were comparable between surgical and bronchoscopic lung reduction. The incremental cost-effectiveness ratios (ICERs) for bronchoscopic compared with lung volume reduction by surgery for FEV1, RV and 6MWD were -101, 4 and 58, respectively. For RV and 6MWD, it could be shown that endobronchial valve treatment is justified as a probably cost-effective alternative to lung volume reduction by surgery. Endobronchial valve treatment resulted in an improvement of 0.25 quality-adjusted life years (QALYs) and an ICER of € 7657 per QALY gained. CONCLUSION A robust statement on the superiority of one of the two procedures in terms of cost-effectiveness cannot be made from the present study. Therefore, the study is not suitable for resource allocation. Two upcoming trials comparing lung volume reduction surgery and endobronchial valve treatment may be able to answer this question

Using “Photovoice” to Identify Rural Community Food Issues

Rural communities experience unique barriers to food security. Developing food policy councils (FPCs) is a systematic approach to address food security. FPCs bring together a diverse network of community stakeholders to address local food system strengths and concerns. A six-state team developed new or provided support to existing FPCs in rural communities. Photovoice is a project component used to engage youths, helped identify community food issues, such as food access and affordability in studied communities. Furthermore, it was meant to engage FPCs in meaningful dialogue to identify solutions, such as community gardens and work with local food pantries. Because of the multistate nature of the project, unique measures were employed to provide consistent, successful training and implementation of Photovoice. This article reveals the best practices learned