I Know Where You've Been: Geo-Inference Attacks via the Browser Cache


SLIDE 1

I Know Where You've Been: Geo-Inference Attacks via the Browser Cache

Yaoqi Jia∗, Xinshu Dong†, Zhenkai Liang∗, Prateek Saxena∗

∗School of Computing, National University of Singapore
†Advanced Digital Sciences Center

SLIDE 2

Geo-location in Browsers

[Figure panels: Benefits, Threats]

SLIDE 3

May I Access Your Geo-location?

SLIDE 4

Sources of Users' Geo-locations

[Figure: Browser]

SLIDE 5

Problem Statement

[Figure: Browser]

Can we infer the user's geo-location from his browser?

SLIDE 6

Site-Related States in Browser

[Figure: Browser]

SLIDE 7

Browser Cache Saves Loading Time

[Figure: Browser Cache]

Load time: 1st: 1360 ms, 2nd: 320 ms, 3rd: 350 ms

SLIDE 8

Browser Cache Abused: Timing Channels of Leakage

[Figure: Browser Cache]

Felten and Schneider, CCS'00

Browser cache is shared across all sites

SLIDE 9

Our Contributions

  • Geo-inference attacks via the browser cache
      • Infer a user's country, city or even neighborhood
  • Prevalence of geo-inference attacks
      • Five mainstream browsers and TorBrowser
      • Top 55 Alexa and 11 map websites
  • Pros & cons of potential solutions

SLIDE 10

Outline

  • Problem Statement
  • Case Studies
  • Evaluation
  • Discussion

SLIDE 11

Case Studies

  • Can we infer a user's country?
  • Can we infer a user's city?
  • Can we infer a user's neighborhood?

SLIDE 12

How to Infer a User's Country?

  • Google has 191 regional sites, and one site represents one country or region.
  • Measure image load time of Google's logo from Google's 191 regional sites

SLIDE 13

Measuring Image Load Time

    var image = document.createElement('img');
    // Record the start time on the element before loading begins.
    image.setAttribute('startTime', (new Date().getTime()));
    image.onload = function() {
      // onload fires once the image has loaded; the difference is the load time.
      var endTime = new Date().getTime();
      var loadTime = endTime - parseInt(this.getAttribute('startTime'), 10);
      // ......
    };

[Timeline labels: Before Loading, img.onload Fires]

SLIDE 14

How to Infer a User's City?

Measure page load time of Craigslist's 712 city sites, determine which page is cached

SLIDE 15

Measuring Page Load Time

    var page = document.createElement('iframe');
    // Record the start time on the element before loading begins.
    page.setAttribute('startTime', (new Date()).getTime());
    page.onload = function () {
      // onload fires once the framed page has loaded; the difference is the load time.
      var endTime = (new Date()).getTime();
      var loadTime = (endTime - parseInt(this.getAttribute('startTime'), 10));
      // ......
    };

[Timeline labels: Before Loading, iframe.onload Fires]

SLIDE 16

How to Infer a User's Neighborhood?

Measure the image load time of map tiles of the user's city from Google Maps, determine which tiles are cached

SLIDE 17

Evaluation

Questions to be answered:

  • (Prevalence) How many browsers and websites are susceptible to geo-inference attacks?
  • (Reliability) How big is the difference between a resource's load time without cache and with cache?

SLIDE 18

Evaluation Setup

  • Websites: Google's 191 regional sites, 100 Craigslist city sites, and 4,646 map tiles of New York City from Google Maps.
  • Browsers: Five mainstream browsers, i.e., Chrome, Firefox, Safari, Opera and IE, as well as TorBrowser (version 3.5.2.1) on both desktop and available mobile platforms.
  • Locations: US, UK, Australia, Singapore, and Japan, via VPN service Hotspot Shield.

SLIDE 19

Websites with Location-Related Resources in Browser Cache

  • 62% of 55 top Alexa global sites
  • Total 11 map service sites

SLIDE 20

Browsers Susceptible to Geo-Inference Attacks

[Table columns: Mainstream Browsers, Desktop Platforms, Mobile Platforms]

SLIDE 21

Reliability (Time Difference)

The huge difference between the page load time (in milliseconds) of 100 Craigslist sites without cache (> 1000 ms) and with cache (≈ 220 ms) indicates geo-inference attacks with Craigslist

[Chart: page load time in ms (axis 0 to 2000) for Craigslist sites 1 to 99; series: Without Cache, With Cache]

SLIDE 22

Discussion of Defense Solutions

  • Private Browsing Mode and TorBrowser
  • Randomizing timing measurements
  • Segregating browser cache

SLIDE 23

Private Browsing Mode is not the Cure

  • Clear browser cache after closing window.
  • Disable disk cache, enable memory cache.
  • It cannot prevent one site from inferring geo-location of another site
  • Confirmed by experiments.
  • TorBrowser is VPN + Private Browsing Mode

[Figure: Browser Cache]

SLIDE 24

Randomizing Timing Measurements

  • Add noise into timing measurement mechanisms.
  • Intricate engineering effort.

[Figure: Browser Cache]

SLIDE 25

Segregating Browser Cache

  • Deploy Same-Origin Policy on browser cache. [Jackson et al. WWW'06]
  • High performance overhead measured in our experiment

[Figure: Browser Cache]

SLIDE 26

To Cache or Not To Cache?

  • No cache for location-sensitive resources.
      • Cache-Control: no-cache HTTP response header
  • Identifying location-sensitive resource
      • Developer assistance
      • Automated tool to detect location-sensitive resources

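One way to check the "no cache for location-sensitive resources" recommendation, as an added example that is not from the original slides: it classifies constructed response headers and flags location-sensitive URLs that a browser may reuse from its cache without contacting the server. The example.com URLs, the developer-supplied patterns and all function names are assumptions.

```javascript
// Hypothetical developer-supplied patterns that mark location-sensitive URLs.
const LOCATION_SENSITIVE = [
  /^https:\/\/[a-z]{2}\.example\.com\/logo\.png$/,             // per-region site logo
  /^https:\/\/maps\.example\.com\/tiles\/\d+\/\d+\/\d+\.png$/, // map tile z/x/y
];

// Parse a Cache-Control value into a Map of lowercase directive -> value ('' if none).
function parseCacheControl(value) {
  const directives = new Map();
  for (const part of (value || '').split(',')) {
    const [name, ...rest] = part.trim().split('=');
    if (name) directives.set(name.toLowerCase(), rest.join('=').replace(/^"|"$/g, ''));
  }
  return directives;
}

// Classify how a browser cache may treat a response with these headers.
function cachePolicy(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const cc = parseCacheControl(h['cache-control']);
  if (cc.has('no-store')) return 'not-stored';   // never written to the cache
  if (cc.has('no-cache')) return 'revalidated';  // stored, but checked with the server before reuse
  if (cc.has('max-age')) return Number(cc.get('max-age')) > 0 ? 'reusable' : 'revalidated';
  // No explicit directive: Expires or heuristic freshness may apply, so be conservative.
  return 'reusable';
}

// Return the location-sensitive responses that may be reused straight from cache.
function auditResponses(responses, patterns = LOCATION_SENSITIVE) {
  return responses
    .filter(r => patterns.some(p => p.test(r.url)))
    .map(r => ({ url: r.url, policy: cachePolicy(r.headers) }))
    .filter(f => f.policy === 'reusable');
}

// Constructed sample responses (not captured from any real site).
const SAMPLE_RESPONSES = [
  { url: 'https://sg.example.com/logo.png', headers: { 'Cache-Control': 'public, max-age=31536000' } },
  { url: 'https://maps.example.com/tiles/15/9649/12315.png', headers: { 'Cache-Control': 'private, max-age=86400' } },
  { url: 'https://maps.example.com/tiles/15/9650/12315.png', headers: { 'Cache-Control': 'no-cache' } },
  { url: 'https://uk.example.com/logo.png', headers: { 'Last-Modified': 'Mon, 01 Jan 2024 00:00:00 GMT' } },
  { url: 'https://www.example.com/static/app.js', headers: { 'Cache-Control': 'max-age=600' } },
];

console.log(auditResponses(SAMPLE_RESPONSES));
```

The second sample shows that `private` alone does not help: it only keeps the response out of shared caches, and the browser cache still reuses it.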
SLIDE 27

Conclusion

  • Geo-inference attacks via the browser cache
  • All five mainstream browsers and TorBrowser, as well as 11 map service sites and 62% of Alexa Top 100 websites, are susceptible to such attacks.
  • Discussion of existing and potential defenses.
  • Calling for actions

SLIDE 28

Yaoqi Jia
E-mail: jiayaoqi@comp.nus.edu.sg