4 research outputs found
XRay: Enhancing the Web's Transparency with Differential Correlation
Today's Web services - such as Google, Amazon, and Facebook - leverage user
data for varied purposes, including personalizing recommendations, targeting
advertisements, and adjusting prices. At present, users have little insight
into how their data is being used. Hence, they cannot make informed choices
about the services they choose. To increase transparency, we developed XRay,
the first fine-grained, robust, and scalable personal data tracking system for
the Web. XRay predicts which data in an arbitrary Web account (such as emails,
searches, or viewed products) is being used to target which outputs (such as
ads, recommended products, or prices). XRay's core functions are service
agnostic and easy to instantiate for new services, and they can track data
within and across services. To make predictions independent of the audited
service, XRay relies on the following insight: by comparing outputs from
different accounts with similar, but not identical, subsets of data, one can
pinpoint targeting through correlation. We show both theoretically, and through
experiments on Gmail, Amazon, and YouTube, that XRay achieves high precision
and recall by correlating data from a surprisingly small number of extra
accounts.
Comment: Extended version of a paper presented at the 23rd USENIX Security
Symposium (USENIX Security 14)
Compiler-assisted Adaptive Software Testing
Modern software is becoming increasingly complex and is plagued with vulnerabilities that are constantly exploited by attackers. The vast numbers of bugs found in security-critical systems and the diversity of errors presented in commercial off-the-shelf software require effective, scalable testing frameworks. Unfortunately, the current testing ecosystem is heavily fragmented, with the majority of toolchains targeting limited classes of errors and applications without offering provably strong guarantees. With software codebases continuously becoming more diverse and complex, the large-scale deployment of monolithic, non-adaptive analysis engines is likely to increase the aforementioned fragmentation. Instead, modern software testing requires adaptive, hybrid techniques that target errors selectively. This dissertation argues that adopting context-aware analyses will enable us to set the foundations for retargetable testing frameworks while further increasing the accuracy and extensibility of existing toolchains. To this end, we initially examine how compiler analyses can become context-aware, prioritizing certain errors over others of the same type. As a use case of our proposed approach, we extend a state-of-the-art compiler's integer error detection pipeline to suppress reports of benign errors by up to 89% in real-world workloads, while allowing for reporting of serious errors. Subsequently, we demonstrate how compiler-based instrumentation can be utilized by feedback-driven evolutionary fuzzers to provide multifaceted analyses targeting broader classes of bugs. In this direction, we present differential diversity (δ-diversity), we propose a generic methodology for offering state-aware guidance in feedback-driven frameworks, and we demonstrate how to retrofit state-of-the-art fuzzers to target broader classes of errors. 
We provide two such prototype implementations: NEZHA, the first differential generic fuzzer capable of handling logic bugs, as well as SlowFuzz, the first generic fuzzer targeting complexity vulnerabilities. We applied both prototypes on production software, and demonstrate their effectiveness. We found that NEZHA discovered hundreds of logic discrepancies across a wide variety of applications (SSL/TLS libraries, parsers, etc.), while SlowFuzz successfully generated inputs triggering slowdowns in complex, real-world software, including zip parsers, regular expression libraries, and hash table implementations.
Term suggestion mechanisms for Scientific Database Systems
70 pp.
The main purpose of this thesis was the development of a better term suggestion mechanism for DIANA web applications. We developed several tools to manage search engines, focusing on edit distance and n-gram techniques. These tools mainly consist of programs written in Perl, in order to construct and maintain inverted indexes for ngram-based search engines and mysql udfs which implement operations concerning n-grams. We modified the graphic interface of the web application with the use of php and ajax, implemented in yii framework.
Overall, we achieved a major improvement in time response of the average query on the web application. The options offered by the search engine were improved in terms of variety and the ease of use of the web application improved as well. We also created a series of administration tools for DIANA administrators. These tools consist of programs to manage databases which include inverted indexes for search operations, and are applicable to any operating system. The system administrator has the ability to choose the construction of indexes of variable gram length and assign an arbitrary weight to the grams used. Finally, we made changes to flamingo software installer in order for it to be applicable to Mac OS X.
Θεόφιλος Θ. Πέτσιο