I Know Where You’ve Been: Geo-Inference Attacks via the Browser Cache
Yaoqi Jia ∗, Xinshu Dong †, Zhenkai Liang ∗, Prateek Saxena ∗
∗ School of Computing, National University of Singapore
† Advanced Digital Sciences Center

Geo-location in Browsers
Threats / Benefits

May I Access Your Geo-location?

Sources of Users’ Geo-locations

Problem Statement
Can we infer the user’s geo-location from his browser?

Site-Related States in Browser

Browser Cache Saves Loading Time
1st: 1360ms, 2nd: 320ms, 3rd: 350ms

Browser Cache Abused: Timing Channels of Leakage
• Felten and Schneider, CCS’00
• Browser cache is shared across all sites

Our Contributions
• Geo-inference attacks via the browser cache
  - Infer a user’s country, city or even neighborhood
• Prevalence of geo-inference attacks
  - Five mainstream browsers and TorBrowser
  - Top 55 Alexa and 11 map websites
• Pros & cons of potential solutions

Outline
• Problem Statement
• Case Studies
• Evaluation
• Discussion

Case Studies
• Can we infer a user’s country?
• Can we infer a user’s city?
• Can we infer a user’s neighborhood?

How to Infer a User’s Country?
• Google has 191 regional sites, and one site represents one country or region.
• Measure the image load time of Google’s logo from Google’s 191 regional sites.

Measuring Image Load Time
Before Loading → img.onload Fires

    // Record the start time on the element before loading begins.
    var image = document.createElement('img');
    image.setAttribute('startTime', (new Date().getTime()));
    image.onload = function() {
        // onload fires once the image has finished loading.
        var endTime = new Date().getTime();
        var loadTime = endTime - parseInt(this.getAttribute('startTime'), 10);
        // ......
    };

How to Infer a User’s City?
Measure page load time of Craigslist’s 712 city sites, determine which page is cached

Measuring Page Load Time
Before Loading → iframe.onload Fires

    // Record the start time on the element before loading begins.
    var page = document.createElement('iframe');
    page.setAttribute('startTime', (new Date()).getTime());
    page.onload = function () {
        // onload fires once the framed page has finished loading.
        var endTime = (new Date()).getTime();
        var loadTime = (endTime - parseInt(this.getAttribute('startTime'), 10));
        // ......
    };

How to Infer a User’s Neighborhood?
Measure the image load time of map tiles of the user’s city from Google Maps, determine which tiles are cached

Evaluation
Questions to be answered:
• (Prevalence) How many browsers and websites are susceptible to geo-inference attacks?
• (Reliability) How big is the difference between a resource’s load time without cache and with cache?

Evaluation Setup
• Websites: 191 Google’s regional sites, 100 Craigslist’s city sites, and 4,646 map tiles of New York City from Google Maps.
• Browsers: Five mainstream browsers, i.e., Chrome, Firefox, Safari, Opera and IE, as well as TorBrowser (version 3.5.2.1) on both desktop and available mobile platforms.
• Locations: US, UK, Australia, Singapore, and Japan, via VPN service Hotspot Shield.

Websites with Location-Related Resources in Browser Cache
• Total 11 map service sites
• 62% of 55 top Alexa global sites

Browsers Susceptible to Geo-Inference Attacks
[Table: mainstream browsers on desktop platforms and mobile platforms]

Reliability (Time Difference)
[Figure: page load time (ms) of 100 Craigslist sites; series: Without Cache, With Cache]
The huge difference between the page load time (in milliseconds) of 100 Craigslist sites without cache (> 1000 ms) and with cache (≈ 220 ms) indicates geo-inference attacks with Craigslist

Discussion of Defense Solutions
• Private Browsing Mode and TorBrowser
• Randomizing timing measurements
• Segregating browser cache

Private Browsing Mode is not the Cure
• Private Browsing Mode
  - Clear browser cache after closing window.
  - Disable disk cache, enable memory cache.
• It cannot prevent one site from inferring geo-location of another site
  - Confirmed by experiments.
• TorBrowser is VPN + Private Browsing Mode

Randomizing Timing Measurements
• Add noise into timing measurement mechanisms.
• Intricate engineering effort.

Segregating Browser Cache
• Deploy Same-Origin Policy on browser cache. [Jackson et al. WWW’06]
• High performance overhead measured in our experiment

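The difference between the shared cache and a segregated cache, as an added example (not code from the talk or from any browser): a toy cache model in which only the cache key changes. The class, function names, origins and URLs are placeholders chosen for this illustration.

```javascript
// Toy model of a browser HTTP cache (added illustration, not browser code).
class ModelCache {
  constructor(keyFn) {
    this.keyFn = keyFn;        // decides which embedding pages share an entry
    this.entries = new Set();
    this.networkFetches = 0;   // every miss costs one network fetch
  }
  // Returns true on a cache hit; a miss fetches and stores the resource.
  load(topLevelOrigin, resourceUrl) {
    const key = this.keyFn(topLevelOrigin, resourceUrl);
    if (this.entries.has(key)) return true;
    this.networkFetches += 1;
    this.entries.add(key);
    return false;
  }
}

// Shared cache: one entry per resource URL, visible to every site.
const sharedKey = (_topLevelOrigin, url) => url;
// Segregated cache: one entry per (embedding origin, resource URL) pair.
const segregatedKey = (topLevelOrigin, url) => JSON.stringify([topLevelOrigin, url]);

// Constructed scenario with placeholder origins: the user visits a regional
// site, a different origin then embeds the same logo, and the user returns.
function observe(keyFn) {
  const cache = new ModelCache(keyFn);
  const logo = "https://regional-site.example/logo.png";
  cache.load("https://regional-site.example", logo);
  const crossSiteHit = cache.load("https://other-site.example", logo);
  const sameSiteHit = cache.load("https://regional-site.example", logo);
  return { crossSiteHit, sameSiteHit, networkFetches: cache.networkFetches };
}

console.log("shared:    ", observe(sharedKey));
console.log("segregated:", observe(segregatedKey));
```

The extra fetch in the segregated run is the cost side of the trade-off: a resource embedded by several sites is downloaded once per embedding origin.
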
To Cache or Not To Cache?
• No cache for location-sensitive resources.
  - Cache-Control: no-cache HTTP response header
• Identifying location-sensitive resource
  - Developer assistance
  - Automated tool to detect location-sensitive resources

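One way a site owner could check the header recommendation above, as an added example (not a tool from the talk): an audit that flags location-sensitive responses served without a bare no-cache directive. The URL patterns and sample responses are constructed, and accepting no-store as equally sufficient is an assumption of this example.

```javascript
// Added illustration. URL patterns marking a resource as location-sensitive
// are assumptions; a real list would come from the site's developers.
const LOCATION_SENSITIVE = [
  /\/maps\/tile\//,                                // map tiles
  /^https:\/\/[a-z]+\.city-listings\.example\//,   // per-city subdomains
];

// Parse a Cache-Control value into a Map of directive -> true | argument.
// Simplification: quoted arguments containing commas are not handled.
function parseCacheControl(value) {
  const directives = new Map();
  for (const part of (value || "").split(",")) {
    const [name, arg] = part.trim().split("=");
    if (name) directives.set(name.toLowerCase(), arg === undefined ? true : arg.replace(/"/g, ""));
  }
  return directives;
}

// Returns a finding for a location-sensitive response that may be cached
// without revalidation, or null if the response is fine or out of scope.
function auditResponse({ url, headers }) {
  if (!LOCATION_SENSITIVE.some((re) => re.test(url))) return null;
  const lower = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  const cc = parseCacheControl(lower["cache-control"]);
  // no-cache="field" only restricts that header field, so require the bare form.
  if (cc.get("no-cache") === true || cc.has("no-store")) return null;
  const reason = cc.size === 0
    ? "no Cache-Control header; heuristic caching may apply"
    : "no bare no-cache/no-store; saw: " + [...cc.keys()].join(", ");
  return { url, reason };
}

function findCacheableLocationResources(responses) {
  return responses.map(auditResponse).filter(Boolean);
}

// Constructed sample responses (not captured traffic).
const SAMPLE = [
  { url: "https://maps.example/maps/tile/12/1205/1539.png", headers: { "Cache-Control": "public, max-age=86400" } },
  { url: "https://maps.example/maps/tile/12/1205/1540.png", headers: { "cache-control": "no-cache" } },
  { url: "https://maps.example/maps/tile/12/1205/1541.png", headers: { "Cache-Control": 'no-cache="Set-Cookie"' } },
  { url: "https://nyc.city-listings.example/", headers: {} },
  { url: "https://cdn.example/app.js", headers: { "Cache-Control": "max-age=31536000" } },
];
console.log(findCacheableLocationResources(SAMPLE));
```
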
Conclusion
• Geo-inference attacks via the browser cache
• All five mainstream browsers and TorBrowser, as well as 11 map service sites and 62% of Alexa Top 100 websites, are susceptible to such attacks.
• Discussion of existing and potential defenses.
• Calling for actions

Yaoqi Jia
E-mail: jiayaoqi@comp.nus.edu.sg