Slides
Transcripción
Slides
I Know Where You’ve Been: ! Geo-Inference Attacks via the Browser Cache! Yaoqi Jia∗, Xinshu Dong†, Zhenkai Liang ∗, Prateek Saxena∗ ! ∗School of Computing, National University of Singapore ! †Advanced Digital Sciences Center! Geo-location in Browsers! Benefits Threats 1! May I Access Your Geo-location?! 2! Sources of Users’ Geo-locations! Browser 3! Problem Statement! ? Browser Can we infer the user’s geolocation from his browser? 4! Site-Related States in Browser! Browser! 5! Browser Cache Saves Loading Time! 1st: 1360ms 2nd: 320ms 3rd: 350ms Browser Cache! 6! Browser Cache Abused: Timing Channels of Leakage! Felten and Shneider, CCS’00 Browser cache is shared across all sites Browser Cache! 7! Our Contributions! ! Geo-inference attacks via the browser cache! ! ! ! Infer a user’s country, city or even neighborhood! Prevalence of geo-inference attacks! ! Five mainstream browsers and TorBrowser! ! Top 55 Alexa and 11 map websites! Pros & cons of potential solutions! 8! Outline! ! Problem Statement! ! Case Studies! ! Evaluation! ! Discussion! 9! Case Studies! Can we infer a user’s country?! ! ! Can we infer a user’s city?! ! ! ! Can we infer a user’s neighborhood?! 10! How to Infer a User’s Country?! • Google has 191 regional sites, and one site represents one country or region. • Measure image load time of Google’s logo from Google’s 191 regional sites 11! Measuring Image Load Time! Before Loading img.onload Fires var image = document.createElement(`img'); image.setAttribute(`startTime', (new Date().getTime())); image.onload = function() { var endTime = new Date().getTime(); var loadTime = endTime parseInt(this.getAttribute(`startTime')); ...... } 12! How to Infer a User’s City?! Measure page load time of Craigslist’s 712 city sites, determine which page is cached 13! Measuring Page Load Time! Before Loading iframe.onload Fires var page = document.createElement(`iframe'); page.setAttribute(`startTime', (new Date()).getTime()); page.onload = function () { var endTime = (new Date()).getTime(); var loadTime = ( endTime parseInt(this.getAttribute(`startTime'))); ...... } 14! How to Infer a User’s Neighborhood?! Measure the image load time of map tiles of the user’s city from Google Maps, determine which tiles are cached 15! Evaluation! Questions to be answered:! ! (Prevalence) How many browsers and websites are susceptible to geo-inference attacks?! ! (Reliability) How big is the time difference between resources load time without cache and that with cache?! 16! Evaluation Setup! ! Websites: 191 Google’s regional sites, 100 Craigslist’s city sites, and 4,646 map tiles of New York City from Google Maps.! ! Browsers: Five mainstream browsers, i.e., Chrome, Firefox, Safari, Opera and IE, as well as TorBrowser (version 3.5.2.1) on both desktop and available mobile platforms. ! ! Locations: US, UK, Australia, Singapore, and Japan, via VPN service Hotspot Shield. ! 17! Websites with Location-Related! Resources in Browser Cache! Total 11 map service sites! 62% of 55 top Alexa global sites! 18! Browsers Susceptible to ! Geo-Inference Attacks! Mainstream Browsers! Desktop Platforms! Mobile Platforms! 19! Reliability (Time Difference)! 2000" 1800" 1600" 1400" 1200" 1000" 800" 600" 400" 200" 0" 1" 3" 5" 7" 9" 11" 13" 15" 17" 19" 21" 23" 25" 27" 29" 31" 33" 35" 37" 39" 41" 43" 45" 47" 49" 51" 53" 55" 57" 59" 61" 63" 65" 67" 69" 71" 73" 75" 77" 79" 81" 83" 85" 87" 89" 91" 93" 95" 97" 99" Without"Cache" With"Cache" The huge difference between the page load time (in millisecond) of 100 Craigslist sites without cache (> 1000 ms) and with cache (≈ 220 ms) 20! indicates geo-inference attacks with Craigslist Discussion of Defense Solutions! ! Private Browsing Mode and TorBrowser! ! Randomizing timing measurements! ! Segregating browser cache! 21! Private Browsing Mode ! is not the Cure! Private Browsing Mode ! Clear browser cache after closing window.! ! Disable disk cache, enable memory cache.! ! It cannot prevent one site from inferring geo-location of another site! ! ! Confirmed by experiments.! TorBrowser is VPN + Private Browsing Mode! Browser Cache! 22! Randomizing Timing Measurements! ! Add noise into timing measurement mechanisms. ! ! Intricate engineering effort.! Browser Cache! 23! Segregating Browser Cache! ! Deploy Same-Origin Policy on browser cache. [Jackson et al. WWW’06]! ! High performance overhead measured in our experiment! Browser Cache! 24! To Cache or Not To Cache?! ! No cache for location-sensitive resources.! ! ! Cache-Control: no-cache HTTP response header! Identifying location-sensitive resource! ! Developer assistance! ! Automated tool to detect location-sensitive resources! 25! Conclusion! ! Geo-inference attacks via the browser cache! ! All five mainstream browsers and TorBrowser, as well as 11 map service sites and 62% of Alexa Top 100 websites, are susceptible to such attacks. ! ! Discussion of existing and potential defenses.! ! Calling for actions ! 26! Yaoqi Jia! E-mail: [email protected]! 27!
Documentos relacionados
Browser Cache
D. Akhawe, A. Barth, P. E. Lam, J. Mitchell, and D. Song, “Towards a formal founda2on of web security,” in Computer Security Found...
Más detalles