ABSTRACT
Web applications use the local storage of a web browser to temporarily store static resources for caching and persistently store personalized data for stateful services. Since different web applications use the local storage differently in terms of size and time, attackers can infer a user's browser activity and status if they can monitor storage usage: for example, which web site a user is viewing and whether a user has logged in to a certain web site. In this paper, we explore passive and active web attacks that exploit the Quota Management API to extract such information from a web browser, as the API allows us to continuously monitor the size of available storage space. We develop two web attacks: a cross-tab activity inference attack to passively monitor which web site a user is currently visiting and a browser status inference attack to actively identify the browser status such as browser history and login information. Our attacks are successful at stealing private information from Chrome running on various platforms with ∼90% accuracy. We further propose an effective solution against the attacks.