Presentation is loading. Please wait.

Presentation is loading. Please wait.

I Do Not Know What You Visited Last Summer: Protecting users from stateful third-party web tracking with TrackingFree browser Xiang Pan §, Yinzhi Cao †,

Published byRosalind McBride Modified over 9 years ago

Similar presentations

Presentation on theme: "I Do Not Know What You Visited Last Summer: Protecting users from stateful third-party web tracking with TrackingFree browser Xiang Pan §, Yinzhi Cao †,"— Presentation transcript:

1 I Do Not Know What You Visited Last Summer: Protecting users from stateful third-party web tracking with TrackingFree browser Xiang Pan §, Yinzhi Cao †, Yan Chen § § Northwestern University † Columbia University

2 Roadmap Background System Design Evaluation Summary

3 Referer : http://online.wsj.com/ Cookie : id = 12345 User Tracker (doubleclick) visit Referer : http://www.cnn.com/ Cookie : id = 12345

4 4 Web tracking is serious Prevalent More than 90% of Alexa Top 500 web sites [Roesner, NSDI 2012] A web page usually has multiple tracking elements “There is no such thing as anonymous online tracking” --- Arvind Narayanan Not only browsing history, but also other sensitive information: location, name, email, … Leaked out information can be correlated together

5 5 No effective defense approach Disable third-party cookie Can be easily bypassed Blacklist-based anti-tracking tools Priori knowledge of tracking server Do-not-track header No enforcement

6 TrackingFree Goals and Challenges Anti-tracking Completeness Functionality/compatbility Performance Core Idea : TrackingFree partitions client-side states into multiple isolation units so that the identifiers still exists but not unique any more! Referer : http://online.wsj.com/ Cookie : id = 12345 Referer : http://www.cnn.com/ Cookie : id = 24578

7 Out-of-scope threats TrackingFree doesn’t address following threats: Within-Site Tracking. Tracking by exploiting browser vulnerabilities Stateless tracking.

8 Roadmap Background System Design Evaluation Summary

9 Architecture

10 10 Contents Allocation Mechanism Initial Contents Allocation Handles those top frames that are navigated by users directly Derivative Contents Allocation Handles those frames that are generated due to the contents on other frames, which we call child frame

11 11 Initial Contents Allocation

12 12 Derivative Contents Allocation Principal Switch Should we switch principle for child frame? Principal Selection How to choose target principal?

13 13 Principal Switch The deficiencies of two intuitive yet extreme policies : Not privacy-preserving (no switch) Unnecessary overhead (too much switch) Our solution: switch principal only if the following two conditions are met: Cross-site User-triggered Same principal Different principal

14 14 Principal Selection The deficiency of two intuitive yet extreme policies Break compatibility (always create new principal) Break anti-tracking capacity (create at most one principal for each domain) Our solution: Maintains an in-degree-bounded graph for principals The in-degree of the graph is set to two

15 15 Principal Communication Explicit communication is widely used, but break the isolation mechanism. Our solution: we restrict the use of explicit communication as follows: Third-party elements in one principle can not explicitly communicate with other principals. First-party elements can only explicitly communicate with the first-party elements placed in its neighbor principals 3119 4852 0 6

16 16 Principal Communication Implicit Communication History Sharing UI history manager Accepts information from other managers Only UI manager gets associated with browser UI Communication through navigation URL

17 17 Preference Configure User preference can be abused to store tracking identifier. (e.g. strict transport security) Completely isolating user preference affects user preference. Our solution: Isolate user preference. Apply user-initiated changes to all of the principals. Monitor GUI message to determine user-initiated preference change.

18 Roadmap Background System Design Evaluation Summary

19 Evaluation Anti-tracking capability Formal proof Experiments with real world websites Performance Overhead (latency, memory, disk) Compatibility

20 Assumptions: Non-tracking servers will not set tracking identifiers for third-party trackers. On non-tracking host web sites, first-party elements will not send third-party tracking identifiers to other principals. Formal Proof Use Alloy to formally analyze TrackingFree ’s anti- tracking ability. Alloy is the most popular formal proof system Describe TrackingFree’s behaviors on an existing Alloy Web model [Akhawe et al. CSF 2010]. Formally verified trackers can correlate TrackingFree user’s activities up to three principals without site collaboration.

21 21 Gathered tracking tokens on Alexa Top web sites by following the tracker detection of [Roesner et al. NSDI 2012]. Detection based on the observation that each tracking request must contain the user’s globally unique identifier. Some false negative, no false positive. Anti-tracking Capability with Real World Web Sites

22 22 Visit 2,032 valid URLs from Alexa Top 500 web sites. Gathered 647 tracking tokens TrackingFree eliminated all of them. Anti-tracking Capability with Real World Web Sites Tracking HostPrevalence (# Domains) Tracking Token(s) b.scorecardresearch.com133UIDR ad.doubleclick.ne117id, __gads ib.adnxs.com75anj p.twitter.com70__utma cm.g.doubleclick.net56id ad.yieldmanager.com52bx bs.serving-sys.com40A4 cdn.api.twitter.com40__utmz secure-us.imrworldwide.com38IMRID adfarm.mediaplex.com31svid Top 10 Tracking Hosts

23 Performance Latency Overhead SourceCost(ms) Principal Construction322.36 Extra IPC349.06 Render/JS Engine Instrumentation139.21 Overall Overhead: ~3% - ~20% (1). Address Bar Navigation without Principal Avg. Overhead 8.29% (2). Address Bar Navigation with Principal Avg. Overhead 3.36% (3). Cross Site Navigation Avg. Overhead 19.43% (4). Within-site Navigation Avg. Overhead 4.70%

24 Memory/Disk Overhead MemoryChromiumTrackingFreeIncrease 1 Principal477.1(MB)505(MB)27.9(MB) 4 Principals623.6(MB)702.8(MB)79.2(MB) 12 Principals434.6(MB)642.5(MB)297.9(MB) MemoryChromiumTrackingFreeIncrease 1 Principal21.3(MB)21.8(MB)0.5(MB) 4 Principals22.5(MB)25.9MB)3.4(MB) 12 Principals23.7(MB)29.4(MB)5.7(MB) Disk Overhead on 12 Web Pages (~0.6MB/Principal) Memory Overhead on 12 Web Pages (~25MB/Principal)

25 Compatibility Manually tested TrackingFree’s compatibility on Alexa Top 50 websites Compatibility on first-party websites Results: 50/50 Compatibility on third-party services Cross-site online payments (1/1) Cross-site content sharing (31/31) Single sign-on (35/36) Overall results: 67/68

26 26 Case study: Logging Yahoo using Facebook Account

27 27 Roadmap Background System Design Evaluation Summary

28 We designed and implemented TrackingFree browser that completely protect users from third- party web tracking by isolating resources in different principals. We theoretically and experimentally proved TrackingFree’s anti-tracking capability. TrackingFree incurs affordable overhead and compatibility cost.

29 Thanks & Questions? http://list.cs.northwestern.edu/WebSecurity

30 Domain Data Manager Backup slides…

31 Related Work Existing Anti-tracking Mechanisms Do Not Track(DNT) : almost useless Blacklist-based Tool: require priori knowledge Disabling Third-party Cookie: easy to bypass Existing Multi-principal Browsers No anti-tracking capability

32 Related Work BrowserIsolation MechanismContents Allocation Mechanism Anti-tracking Capability IE8In-memory IsolationTab basedNo ChromiumIn-memory IsolationTop-frame basedNo GazelleIn-memory IsolationSOP basedNo OPIn-memory IsolationWeb Page basedNo AppIsolationTechnique-specific StorageUser Configuration basedNot complete TahomaVirtual MachineUser Configuration basedNot complete StainlessTechnique-specific StorageUser Configuration basedNot complete Fluid, MultiFirefox ProfileUser Configuration basedNot complete TrackingFreeProfileIndegree-bounded Principal Graph based Complete

Download ppt "I Do Not Know What You Visited Last Summer: Protecting users from stateful third-party web tracking with TrackingFree browser Xiang Pan §, Yinzhi Cao †,"

Similar presentations

Protecting Browser State from Web Privacy Attacks Collin Jackson, Andrew Bortz, Dan Boneh, John Mitchell Stanford University.

Protecting Browser State from Web Privacy Attacks Collin Jackson, Andrew Bortz, Dan Boneh, John Mitchell Stanford University.
The Internet and the Web

The Internet and the Web
Transfer Content to a Website What is FTP? File Transfer Protocol FTP is a protocol – a set of rules Designed to allow files to be transferred across.

Transfer Content to a Website What is FTP? File Transfer Protocol FTP is a protocol – a set of rules Designed to allow files to be transferred across.
Presented by Vaibhav Rastogi. Current browsers try to separate host system from Web Websites evolved into web applications Lot of private data on the.

Presented by Vaibhav Rastogi. Current browsers try to separate host system from Web Websites evolved into web applications Lot of private data on the.
Expressive Privacy Control with Pseudonyms Seungyeop Han, Vincent Liu, Qifan Pu, Simon Peter, Thomas Anderson, Arvind Krishnamurthy, David Wetherall University.

Expressive Privacy Control with Pseudonyms Seungyeop Han, Vincent Liu, Qifan Pu, Simon Peter, Thomas Anderson, Arvind Krishnamurthy, David Wetherall University.
Path Cutter: Severing the Self-Propagation Path of XSS JavaScript Worms in Social Web Networks Yinzhi Cao, Vinod Yegneswaran, Phillip Porras, and Yan Chen.

Path Cutter: Severing the Self-Propagation Path of XSS JavaScript Worms in Social Web Networks Yinzhi Cao, Vinod Yegneswaran, Phillip Porras, and Yan Chen.
Building web applications on top of encrypted data using Mylar Presented by Tenglu Liang Tai Liu.

Building web applications on top of encrypted data using Mylar Presented by Tenglu Liang Tai Liu.
On the Privacy of Private Browsing Kiavash Satvat, Matt Forshaw, Feng Hao, Ehsan Toreini Newcastle University DPM’13.

On the Privacy of Private Browsing Kiavash Satvat, Matt Forshaw, Feng Hao, Ehsan Toreini Newcastle University DPM’13.
Introducing WatchGuard Dimension. Oceans of Log Data The 3 Dimensions of Big Data Volume –“Log Everything - Storage is Cheap” –Becomes too much data –

Introducing WatchGuard Dimension. Oceans of Log Data The 3 Dimensions of Big Data Volume –“Log Everything - Storage is Cheap” –Becomes too much data –
PathCutter: Severing the Self- Propagation Path of XSS JavaScript Worms in Social Web Networks Yinzhi Cao §, Vinod Yegneswaran †, Phillip Porras †, and.

PathCutter: Severing the Self- Propagation Path of XSS JavaScript Worms in Social Web Networks Yinzhi Cao §, Vinod Yegneswaran †, Phillip Porras †, and.
17 th ACM CCS (October, 2010).  Introduction  Threat Model  Cross-Origin CSS Attacks  Example Attacks  Defenses  Experiment  Related Work 2 A Presentation.

17 th ACM CCS (October, 2010).  Introduction  Threat Model  Cross-Origin CSS Attacks  Example Attacks  Defenses  Experiment  Related Work 2 A Presentation.
Georgios Kontaxis, Michalis Polychronakis Angelos D. Keromytis, Evangelos P. Markatos Siddhant Ujjain (2009cs10219) Deepak Sharma (2009cs10185)

Georgios Kontaxis, Michalis Polychronakis Angelos D. Keromytis, Evangelos P. Markatos Siddhant Ujjain (2009cs10219) Deepak Sharma (2009cs10185)
1 14th ACM Conference on Computer and Communications Security, Alexandria, VA Shuo Chen †, David Ross ‡, Yi-Min Wang † † Internet Services Research Center.

1 14th ACM Conference on Computer and Communications Security, Alexandria, VA Shuo Chen †, David Ross ‡, Yi-Min Wang † † Internet Services Research Center.
Attacking Session Management Juliette Lessing

Attacking Session Management Juliette Lessing
Secure web browsers, malicious hardware, and hardware support for binary translation Sam King.

Secure web browsers, malicious hardware, and hardware support for binary translation Sam King.
On the Incoherencies in Web Browser Access Control Policies Authors: Kapil Singh, et al Presented by Yi Yang.

On the Incoherencies in Web Browser Access Control Policies Authors: Kapil Singh, et al Presented by Yi Yang.
$200 $300 $400 $500 $100 $200 $300 $400 $500 $100 $200 $300 $400 $500 $100 $200 $300 $400 $500 $100 $200 $300 $500 $100 Category One Category Two Category.

$200 $300 $400 $500 $100 $200 $300 $400 $500 $100 $200 $300 $400 $500 $100 $200 $300 $400 $500 $100 $200 $300 $500 $100 Category One Category Two Category.
6/10/2015Cookies1 What are Cookies? 6/10/2015Cookies2 How did they do that?

6/10/2015Cookies1 What are Cookies? 6/10/2015Cookies2 How did they do that?
1 A Privacy-Preserving Defense Mechanism Against Request Forgery Attacks Ben S. Y. Fung and Patrick P. C. Lee The Chinese University of Hong Kong TrustCom’11.

1 A Privacy-Preserving Defense Mechanism Against Request Forgery Attacks Ben S. Y. Fung and Patrick P. C. Lee The Chinese University of Hong Kong TrustCom’11.
Privacy and Security on the Web Part 1. Agenda Questions? Stories? Questions? Stories? IRB: I will review and hopefully send tomorrow. IRB: I will review.

Privacy and Security on the Web Part 1. Agenda Questions? Stories? Questions? Stories? IRB: I will review and hopefully send tomorrow. IRB: I will review.

Similar presentations

Ads by Google