Distributed Usage Control - Demos

Usage control demo videos

Usage control is concerned with what happens to data after it has been accessed. If the access is not local to one machine but happens over a network, usage control becomes distributed usage control.

Our work rests on two pillars. The first pillar is the necessity to do usage control at different levels of abstraction. This is because “copy” means different things at the operating system level (copy a file), the window manager (take a screenshot), a Java or .NET virtual machine (clone an object). In the end, of course, all these operations boil down to machine language instructions, but it turns out to be hard to identify exactly those machine instructions that perform, say, a screenshot.

The second pillar is the distinction between data and representations. Arguably, people are not so much interested in protecting one specific file, but rather all copies and transformations of that file as well. Moreover, the content of the file not only exist as a file, but also as pixmap when rendered in a window, as Java object structure, etc. As a consequence, we track data flow within and across layers of abstraction. In the running system, if an action happens on one specific representation, we use the data flow model to see if it corresponds to one data item for which a policy has been specified. In other words, our policies don’t specify “don’t copy secret.txt” but rather “don’t copy the data initially contained in file secret.txt”. We then track the flow of data through the system and enforce these policies for all considered layers of abstractions.

Our technology relies on generic policy enforcement points (PEP), policy decision points (PDP), and policy information points (PIP). PEPs – one per layer – intercept events (or intentions to perform an event) and query the PDP. The PDP – one instance per policy in the system – checks if  specific conditions are fulfilled and responds to the PEP to block or modify the event, or execute a further action. The PIP – one per layer of abstraction – maintains the mapping from data to representations and is queried by the PDP if the latter evaluates the policies.

Our framework can be used for both detective and preventive enforcement. In the former case, also dubbed optimistic control, we observe if a policy is violated and take corrective or penalizing actions. In the latter case, we make sure the policy is not violated in the first place. Both variants are applicable for different requirements and in different trust models. Data provenance tracking and information accountability can hence be implemented using our distributed usage control technology.

Our PDP implementation is generic. PEPs need to be able to intercept events at their layer of abstraction. PIPs specify, for each layer of abstraction and each event at that layer, how the events changes the mapping from data to representations.


Demo 1: usage control for Android, no data flow tracking. Facebook is not allowed to be used at a specific location (NB: in the video, we use location spoofing – it is possible to forbid this). Denis Feth implemented this system and took the video.

Demo 2: usage control for Android with data flow tracking. Each third byte of a file is replaced by X when viewed, also for all copies of this file. We use the TaintDroid system to implement data flow tracking. Denis Feth implemented this system and took the video.

Demo 3: usage control with data flow tracking for Windows and Thunderbird. We can protect various parts of an email not only within Thunderbird but also when attachments, included pictures, or text is stored leave Thunderbird. This work is coordinated by Enrico Lovat. Tobias Wüchner implemented the Windows part; Michael Lörscher and Jonas Peschla implemented the Thunderbird part.
Was this too fast? Here is a stripped-down version that shows how printing and taking screenshots are forbidden for an original text and its copy. This demo was implemented by Tobias Wüchner.

Demo 4: usage control with data flow tracking for OpenBSD, X11 and Firefox. We protect an image after it has been downloaded from a social network site. Ricardo Neisse implemented the OpenBSD part, Matthias Büchler the X11 part, and Jonas Peschla and Jens Kuhn the Firefox and SN server parts. Enrico Lovat and Prachi Kumari supervised this work.

Demo 5: usage control goes distributed. We show how data transmitted via ftp is transmitted together with the policies that are enforced both at the server and the client side. Florian Kelbert has done the implementation and taken the video.

Demo 6: usage control in a distributed system that connects a Facebook app to a smart metering system. Here is another way of looking at things. Alexander Fromm, Prachi Kumari and Florian Kelbert have supervised and implemented large parts of this work and also taken the demo.

Demo 7: usage control for ChromiumOS shows how data leakage prevention can be implemented for Chromium. Patrick Wenz has implemented this work and also taken the demo.

Demo 8: usage control for enforcing privacy in camera surveillance systems shows how usage control is used to hide movements of authorized personnel as long as no emergency/alarm situation occurs. Pascal Birnstill has implemented this work and also taken the demo.

Problems with viewing the videos? Try the VLC media player.