TY - GEN
T1 - Leakuidator
T2 - 17th EAI International Conference on Security and Privacy in Communication Networks, SecureComm 2021
AU - Zaheri, Mojtaba
AU - Curtmola, Reza
N1 - Publisher Copyright:
© 2021, ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering.
PY - 2021
Y1 - 2021
N2 - Leaky resource attacks leverage the popularity of resource-sharing services to conduct targeted deanonymization on the web. They are simple to execute because many resource-sharing services are inherently vulnerable due to the trade-offs made between security and functionality. Even though previous work has shown that such attacks can lead to serious privacy threats, defending against this threat is an area that has remained largely unaddressed. In this work, we advance the state of the art on leaky resource attacks on both the attack effectiveness and the attack mitigation fronts. We first show that leaky resource attacks have a larger attack surface than was previously believed, by showing reliable attack implementations that work across a broader range of browsers and by identifying new variants of the attack. We then propose Leakuidator, the first client-side defense that can be deployed right away, without buy-in from browser vendors and website owners. At a high level, Leakuidator identifies potentially suspicious requests made when a webpage is rendered and, for each such request: (1) renders the request after first removing cookies from it, and (2) initiates a second request that is identical to the original request (i.e., contains the cookies that were removed), but does not render its response. This additional request maintains compatibility with existing web functionality, such as analytics and tracking services. We have implemented Leakuidator as a browser extension for three Chromium-based browsers. Experimental results show that Leakuidator introduces a small overhead and thus the impact on user experience is minimal. The extension also includes usability knobs, allowing users to reuse past choices and to adjust how strict the criteria for identifying potentially suspicious requests are.
UR - http://www.scopus.com/inward/record.url?scp=85120072476&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85120072476&partnerID=8YFLogxK
U2 - 10.1007/978-3-030-90022-9_8
DO - 10.1007/978-3-030-90022-9_8
M3 - Conference contribution
AN - SCOPUS:85120072476
SN - 9783030900212
T3 - Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering, LNICST
SP - 143
EP - 163
BT - Security and Privacy in Communication Networks - 17th EAI International Conference, SecureComm 2021, Proceedings
A2 - Garcia-Alfaro, Joaquin
A2 - Li, Shujun
A2 - Poovendran, Radha
A2 - Debar, Hervé
A2 - Yung, Moti
PB - Springer Science and Business Media Deutschland GmbH
Y2 - 6 September 2021 through 9 September 2021
ER -