IAC: On the Feasibility of Utilizing Neural Signals for Access Control

Abstract

Access control is the core security mechanism of an operating system (OS). Ideally, the access control system should enforce context integrity, i.e., an application can only access security and privacy sensitive resources expected by users. Unfortunately, existing access control systems, including the permission systems in modern OS like iOS and Android, all fail to enforce context integrity thus allow apps to abuse their permissions. A naive approach to enforce context integrity is to prompt users every time a sensitive resource is accessed, but this will quickly lead to habituation. The state-of-art solutions include (1) user-driven access control, which binds a predefined context to protected GUI elements and (2) predicting users' authorization decision based on their previous behaviors and privacy preferences. However, previous studies have shown that the first approach is vulnerable to attacks (e.g., clickjacking) and the second approach i challenging to implement as it is difficult to infer the context. In this work, we explore the feasibility of a novel approach to enforce the context integrity-by inferring what task users want to do under the given context from their neural signals; then automatically authorizes access to a predefined set of sensitive resources that are necessary for that task. We conducted a comprehensive user study including 41 participants where we collected their neural signals when they were performing tasks that required access to sensitive resources. After preprocessing and features extraction, we trained machine learning classifier to infer what kind of tasks a user wants to perform. The experiment results show that the classifier was able to infer the high-level intents like take a photo with a weighted average precision of 88%.