...
Ilia Lebedev <ilebedev@mit.edu> I would like to Implement dynamic permissions in android: in addition to asking the user to approve permissions during installation, high-risk permissions must be prompted when the application generates an intent. The user can chose to deny or approve the intent, and to optionally remember his decision for current session, for current version of the app, or forever. This approach to access control may or may not require that the intent be handled in a safe way, even if denied, if the application blocks and waits for a response . If time permits, I would also like to explore fine-grained network access policies in Android. I believe it may be possible to construct a demo in google's emulator, or even on a dev phone.
Emily Stark <estark@mit.edu>, Meelap Shah <meelap@mit.edu>: We plan to build a tool to convert existing web apps into a form that provides data confidentiality guarantees to clients. Our tool will take as input server side code and partition it into two pieces; one piece will remain on the server and the other will be pushed to the client. Data fields containing sensitive client data will be encrypted on the client so that nothing is revealed to the server. The code will be partitioned so that the piece that remains on the server can operate on ciphertext. This will maintain the application's functionality while providing the confidentiality guarantees we desire.