
Security, Privacy, & User Expectations - PowerPoint PPT Presentation



  1. Security, Privacy, & User Expectations: Case Studies in Web Tracking and Application Permissions. Franziska Roesner, Assistant Professor, Computer Science & Engineering, University of Washington

  2. Security, Privacy, & User Expectations: Case Studies in Web Tracking and Application Permissions. Franziska Roesner + many collaborators! Assistant Professor, Computer Science & Engineering, University of Washington

  3. New technologies bring new benefits… but also new risks. Franziska Roesner 3 10/20/2016

  4. Improving Security & Privacy. Security and privacy challenges often arise when user expectations don't match real system properties. Educate, design better UIs, increase transparency. Build systems that better match user expectations.

  5. Outline. I. The Web: Third-Party Tracking. II. Modern OSes: Permission Granting.

  6. Outline. I. The Web: Third-Party Tracking. II. Modern OSes: Permission Granting. F. Roesner, T. Kohno, D. Wetherall. "Detecting and Defending Against Third-Party Tracking on the Web." In USENIX Symposium on Networked Systems Design and Implementation (NSDI) 2012. F. Roesner, C. Rovillos, T. Kohno, D. Wetherall. "ShareMeNot: Balancing Privacy and Functionality of Third-Party Social Widgets." In USENIX ;login: 2012. A. Lerner, A. Kornfeld Simpson, T. Kohno, and F. Roesner. "Internet Jones and the Raiders of the Lost Trackers: An Archaeological Study of Web Tracking from 1996 to 2016." In USENIX Security Symposium 2016.

  7. Ads That Follow You. Advertisers (and others) track your browsing behaviors for the purposes of targeted ads, website analytics, and personalized content. I. The Web: Third-Party Web Tracking 7 10/20/2016

  8. Third-Party Web Tracking. Browsing profile for user 123: cnn.com, theonion.com, adult-site.com, political-site.com. These ads allow criteo.com to link your visits between sites, even if you never click on the ads.

  9. Concerns About Privacy.

  10. Understanding the Tracking Ecosystem. In 2011, there was much discussion about tracking, but limited understanding of how it actually works. Our goal: systematically study the web tracking ecosystem to inform policy and defenses. Challenges: – No agreement on a definition of tracking. – No automated way to detect trackers. (State of the art: blacklists.)

  11. Our Approach. ANALYZE: (1) Reverse-engineer trackers' methods. (2) Develop a tracking taxonomy. MEASURE: (3) Build an automated detection tool. (4) Measure prevalence in the wild. (5) Evaluate existing defenses. BUILD: (6) Develop new defenses.

  12. Web Background. Websites store info in cookies in the browser. – Only accessible to the site that set them. – Automatically included with web requests. (Diagram: the browser holds cookie id=123 for the theonion.com server and cookie id=456 for the cnn.com server; each cookie is sent back only to the server that set it.)

  13. Anonymous Tracking. Trackers included in other sites use cookies containing unique identifiers to create browsing profiles. (Diagram: criteo.com sets cookie id=789 and is embedded on each site the user visits; the same cookie comes back every time, so criteo.com builds the profile user 789: theonion.com, cnn.com, adult-site.com, …)

  14. Our Tracking Taxonomy [NSDI '12]. In the wild, tracking is much more complicated. (1) Trackers don't just use cookies. – Flash cookies, HTML5 LocalStorage, etc. (2) Trackers exhibit different behaviors. – Within-site vs. cross-site. – Anonymous vs. non-anonymous. – Specific behavior types: analytics, vanilla, forced, referred, personal.

  15. Other Trackers? "Personal" Trackers.

  16. Personal Tracking. (Diagram: facebook.com sets cookie id=franzi.roesner when the user logs in; the same cookie is sent from every page that embeds a Facebook widget, giving the profile user franzi.roesner: theonion.com, cnn.com, adult-site.com, …) • Tracking is not anonymous (linked to accounts). • Users directly visit the tracker's site → evades some defenses.
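Worked example, added here and not code from the talk or the papers: a small Node.js simulation of the cookie mechanics on slides 12 to 16. A browser keeps one cookie jar entry per host and attaches it to every request to that host, whether the host is the page being visited or a resource embedded in it. Two trackers are embedded on each of three sites: one the user never visits directly (the criteo.com-style anonymous tracker) and one the user has logged into (the facebook.com-style personal tracker). The site names and the identifiers 789 and franzi.roesner come from the slides; the `Site`, `Tracker` and `Browser` classes, and the "block cookies for a third party the user has never visited as a first party" policy used to illustrate the slide's "evades some defenses" point, are constructed for this example.

```javascript
// Added example (not from the talk): simulated cookie scoping and third-party
// tracking. A request to a host carries that host's cookies whether the host is
// the page being visited (first party) or a resource embedded in it (third
// party). That is all a tracker needs to link visits across sites.

class Site {
  constructor(host) { this.host = host; }
  handle() { return {}; }                        // ordinary site: sets no cookie
}

class Tracker {
  constructor(host) {
    this.host = host;
    this.nextId = 789;                           // first anonymous id, as on the slide
    this.profiles = new Map();                   // cookie value -> sites seen
  }
  handle({ cookie, referer, login }) {
    // A login on the tracker's own site binds the identifier to an account
    // ("personal" tracking); otherwise an anonymous identifier is issued.
    let id = login ? `id=${login}` : cookie;
    if (!id) id = `id=${this.nextId++}`;
    if (!this.profiles.has(id)) this.profiles.set(id, []);
    if (referer !== this.host) this.profiles.get(id).push(referer); // embedded: log the host page
    return { setCookie: id };
  }
  profile(idValue) { return this.profiles.get(`id=${idValue}`) ?? []; }
}

class Browser {
  // policy: 'allow-all', or 'block-unvisited-third-party' (assumed defense for
  // this example: withhold cookies from a third party never visited directly)
  constructor(policy = 'allow-all') {
    this.policy = policy;
    this.jar = new Map();                        // host -> cookie string
    this.visitedDirectly = new Set();
  }
  cookiesAllowed(host, firstParty) {
    if (host === firstParty || this.policy === 'allow-all') return true;
    return this.visitedDirectly.has(host);
  }
  request(server, firstParty, body = {}) {
    const allowed = this.cookiesAllowed(server.host, firstParty);
    const resp = server.handle({
      cookie: allowed ? this.jar.get(server.host) : undefined,
      referer: firstParty,                       // the page that embedded the request
      ...body,
    });
    if (allowed && resp.setCookie) this.jar.set(server.host, resp.setCookie);
    return resp;
  }
  visit(site, embeds = [], body = {}) {
    this.visitedDirectly.add(site.host);
    this.request(site, site.host, body);         // first-party request
    for (const third of embeds) this.request(third, site.host); // embedded third parties
  }
}

// Scenario from slides 8-16: three sites each embed both trackers; the user has
// logged in to facebook.com but has never visited criteo.com directly.
function runScenario(policy) {
  const browser = new Browser(policy);
  const criteo = new Tracker('criteo.com');
  const facebook = new Tracker('facebook.com');
  browser.visit(facebook, [], { login: 'franzi.roesner' });
  for (const host of ['theonion.com', 'cnn.com', 'political-site.com']) {
    browser.visit(new Site(host), [criteo, facebook]);
  }
  return {
    criteoProfiles: [...criteo.profiles.values()], // one linked profile, or fragments
    facebookProfile: facebook.profile('franzi.roesner'),
  };
}

for (const policy of ['allow-all', 'block-unvisited-third-party']) {
  console.log(policy, JSON.stringify(runScenario(policy)));
}
```

Under `allow-all`, criteo.com sees cookie id=789 from all three pages and links them into one profile. Under the blocking policy it gets a fresh identifier on every page, so its record fragments into three one-entry profiles, while facebook.com, which the user visited directly to log in, still links every page to the account: exactly the gap the slide points out for personal trackers.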

  17. Measurement Study. Questions: – How prevalent is tracking (of different types)? – How much of a user's browsing history is captured? – How effective are defenses? Approach: Build a tool to automatically crawl the web, detect and categorize trackers based on our taxonomy. TrackingObserver: tracking detection platform. http://trackingobserver.cs.washington.edu

  18. How prevalent is tracking? (2011) 524 unique trackers on Alexa top 500 websites (homepages + 4 links). 457 domains (91%) embed at least one tracker. (97% of those include at least one cross-site tracker.) 50% of domains embed between 4 and 5 trackers. One domain includes 43 trackers.

  19. How prevalent is tracking? (2011) 524 unique trackers on Alexa top 500 websites (homepages + 4 links). 457 domains (91%) embed at least one tracker. (97% of those include at least one cross-site tracker.) 50% of domains embed between 4 and 5 trackers. One domain includes 43 trackers. Tracking is increasing! Unique trackers on the top 500 websites (homepages only): 2011: 383. 2013: 409. 2015: 512.

  20. [USENIX Security '16] How has this changed over time? The web has existed for a while now… • What about tracking before 2011? (our first study) • What about tracking before 2009? (first academic study) • Solution: time travel!

  21. The Wayback Machine to the Rescue. Time travel for web tracking (lots of challenges!) http://trackingexcavator.cs.washington.edu

  22. 1996-2016: More & More Tracking. More trackers of more types.

  23. 1996-2016: More & More Tracking. More trackers of more types, more per site.

  24. 1996-2016: More & More Tracking. More trackers of more types, more per site, more coverage.

  25. Who/what are the top trackers? (2011)

  26. Who/what are the top trackers? (2011) Defenses for personal trackers (red bars) were inadequate.

  27. Defense: ShareMeNot. Prior defenses for personal trackers: ineffective, or completely removed social media buttons. Our defense: ShareMeNot (for Chrome/Firefox). – Protects against tracking without compromising button functionality. – Blocks requests to load buttons, replaces them with local versions. On click, shares to social media as expected. – Techniques adopted by Ghostery and the EFF. http://sharemenot.cs.washington.edu
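Worked example, added here and not ShareMeNot's own code: the per-request decision that the slide's approach needs, as plain JavaScript runnable under Node. A request for a social button is allowed through when it is first-party (the social site's own pages) or when the user has clicked the local stand-in on that page; otherwise it is answered with a local button and no request, and therefore no cookie, leaves the browser. The `BUTTON_PATTERNS` list is constructed for this example and is not ShareMeNot's list, and `registrableDomain` is a two-label simplification (an assumption) in place of a public-suffix lookup.

```javascript
// Added example (not ShareMeNot's code): the request decision behind
// "block the button, serve a local copy, load the real one only on click".

// Constructed patterns for this example, not ShareMeNot's actual list.
const BUTTON_PATTERNS = [
  { name: 'Facebook Like', host: 'facebook.com', pathPrefix: '/plugins/like' },
  { name: 'Tweet', host: 'platform.twitter.com', pathPrefix: '/widgets' },
  { name: 'Google +1', host: 'apis.google.com', pathPrefix: '/js/plusone' },
];

// Assumption: registrable domain = last two labels. Real code needs the
// public-suffix list so that co.uk and friends are handled.
function registrableDomain(hostname) {
  return hostname.split('.').slice(-2).join('.');
}

// Returns the matching button pattern for a request URL, or null.
function matchButton(requestUrl) {
  const { hostname, pathname } = new URL(requestUrl);
  return BUTTON_PATTERNS.find(p =>
    (hostname === p.host || hostname.endsWith('.' + p.host)) &&
    pathname.startsWith(p.pathPrefix)) ?? null;
}

class ShareMeNotPolicy {
  constructor() { this.activated = new Set(); }   // "pageOrigin|button" pairs the user clicked
  key(pageUrl, buttonName) { return `${new URL(pageUrl).origin}|${buttonName}`; }

  // Decision for one outgoing request made by the page at pageUrl.
  // Returns { action: 'allow' } or { action: 'replace', button, localHtml }.
  decide(requestUrl, pageUrl) {
    const button = matchButton(requestUrl);
    if (!button) return { action: 'allow' };      // not a social button: out of scope
    const sameSite = registrableDomain(new URL(requestUrl).hostname) ===
                     registrableDomain(new URL(pageUrl).hostname);
    if (sameSite) return { action: 'allow' };     // first-party use, e.g. on the social site itself
    if (this.activated.has(this.key(pageUrl, button.name))) {
      return { action: 'allow' };                 // user clicked: load the real button, cookie and all
    }
    return {
      action: 'replace',
      button: button.name,
      // Served from the extension; the tracker never sees this page load.
      localHtml: `<button data-sharemenot="${button.name}">${button.name}</button>`,
    };
  }

  // Called when the user clicks the local stand-in: allow the real button for
  // this page only, so a click on cnn.com does not unblock it on other sites.
  activate(pageUrl, buttonName) { this.activated.add(this.key(pageUrl, buttonName)); }
}

// Walk-through on a constructed page and request.
const policy = new ShareMeNotPolicy();
const page = 'https://www.cnn.com/2016/story.html';
const like = 'https://www.facebook.com/plugins/like.php?href=https%3A%2F%2Fwww.cnn.com%2F';
console.log('before click:', policy.decide(like, page).action);   // replace
policy.activate(page, 'Facebook Like');
console.log('after click: ', policy.decide(like, page).action);   // allow
```

The decision is keyed on the page origin plus button name rather than on the tracker alone, so one click releases exactly one widget on one site; that is what keeps "shares as expected" from quietly turning into "tracked everywhere again".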

  28. Summary: Web Tracking. Pre-2011: limited understanding of web tracking. Our work: – Comprehensive tracking taxonomy. – Measurements and archaeological study from 1996-2016. – Example results: >500 unique trackers, some able to capture up to 66% of a user's browsing history. – New defense for "personal trackers" like Facebook, Google, Twitter: built into ShareMeNot, adopted by Ghostery + EFF.

  29. Outline. I. The Web: Third-Party Tracking. II. Modern OSes: Permission Granting. F. Roesner, T. Kohno, A. Moshchuk, B. Parno, H. J. Wang, C. Cowan. "User-Driven Access Control: Rethinking Permission Granting in Modern Operating Systems." In IEEE Symposium on Security & Privacy 2012 (Best Practical Paper Award). F. Roesner, J. Fogarty, T. Kohno. "User Interface Toolkit Mechanisms for Securing Interface Elements." In ACM Symposium on User Interface Software and Technology (UIST) 2012. F. Roesner, T. Kohno. "Securing Embedded User Interfaces: Android and Beyond." In USENIX Security 2013. T. Ringer, D. Grossman, F. Roesner. "AUDACIOUS: User-Driven Access Control with Unmodified Operating Systems." In ACM Conference on Computer and Communications Security (CCS) 2016.

  30. Smartphone (In)Security. Users accidentally install malicious applications. II. Modern OSes: Permission Granting 30 10/20/2016
