Position: Ph.D. Candidate

Current Institution: Carnegie Mellon University

Protecting User Privacy for Modern and Emerging Platforms

The evolution of apps on new platforms such as mobile, web and the Internet of Things is bringing more functionality and convenience to people; however, these new platforms also expose users to security and privacy risks. Researchers and developers are spending much effort to protect users, but unauthorized information leakage is still rampant, especially when new features or new techniques are introduced. This is because it is usually difficult to design new features securely from the beginning. Information leakage is dangerous and urgently needs to be resolved, especially in cases where multiple parties are involved (where coordination among the different parties is more complicated). The fundamental problems of information leakage on these new platforms are usually threefold: (1) unclear security implications in protocol design; (2) implementation errors due to misunderstood specifications; (3) ignored or misunderstood usability aspects of security-critical interfaces. To resolve these problems, I first try to understand the security implications and vulnerabilities of the apps and then design practical and usable information sharing and data protection policies.

In this talk, I’ll present selected projects to discover and measure privacy risks, as well as to design and implement privacy schemes for modern and emerging platforms. First, at the protocol level, I did a security analysis of the HTML5 design and identified issues that break the foundation of browser security policy. I proposed a defense to fix the vulnerabilities that leak user privacy at large scale. Second, at the implementation level, I performed program analysis to discover problems in the current permission systems of third-party apps on social networks and the Internet of Things. With the insights from the program analysis, I propose principles for designing a privacy-preserving permission system that shares least-privilege information with third-party apps without affecting their functionality. Third, at the user interaction level, I design a crowdsourcing-based privacy notification scheme for mobile updates, which nudges users to pay attention to the notification and make privacy-preserving decisions. In general, I hope to bring the low-level privacy enhancements to the users through neat design, efficient implementation, and usable

Yuan is a Ph.D. candidate at Carnegie Mellon University. Her research interests involve security and privacy and their interactions with systems, networking, and human-computer interaction. Her current research focuses on developing new technologies for protecting user privacy, particularly in the areas of mobile systems and the Internet of Things. Her previous work on mobile and web security and privacy has been adopted by Google (Chrome HTML5 privacy), Facebook (flaw analysis for web services, authentication protection), Microsoft (login protection), Samsung (mobile app security), Evernote (OAuth security), Dropbox (OAuth security), and others. She interned at Microsoft Research, Facebook, and Samsung Research. She served as a volunteer for CMU Privacy Day and presented talks to undergraduate student clubs about cyber security. She was recognized as one of the Black Hat Future Female Leaders. She was a recipient of the IBM Fellowship and a finalist for the Microsoft Research Fellowship and the Qualcomm Innovation Fellowship.