Source: ce.sharif.edu/~b_momeni/ce441/13-privacy.pdf (posted 2019-12-01)


CE441: Data and Network Security - Privacy

Behnam Momeni, PhD
Department of Computer Engineering, Sharif University of Technology
Fall 2019


Outline

1 What Does Privacy Mean?
  Absolute Privacy
  Privacy Through k-Anonymity
2 Private Web Browsing
  Local Adversary
  Remote Adversary
3 Non-Private Web Browsing
  User Tracking
  3rd-Party and 4th-Party Cookies


What Does Privacy Mean? / Absolute Privacy

What Does Privacy Mean?

Each principal may have several associated information items; other principals might learn about and use those items.
- e.g. a human has a name; other people may learn that name
- ...a network user installs an email client with a specific version; an email server may interact with it and learn its version
- ...a web user has some browsing habits and searching interests; a search engine may learn about those habits and interests and use them to deliver more effective advertisements

Some usages of these information items might benefit the principals. Independent of their usefulness or harmfulness, solely the principals themselves are allowed to determine who may
1 collect/learn their associated information items,
2 keep/maintain them, and for how long,
3 and use them, and for which purposes.


Absolute Privacy

The notion of absolute privacy is an ideal: the principal determines which parties are authorized to obtain specific information, keep it for a limited time, and use it for explicitly confirmed purposes.

It requires a method to communicate the decisions of principals.
- How to ask a web server to stop tracking your browsing habits: by sending the DNT HTTP request header, an abbreviation of Do Not Track:

    DNT: 1

And it cannot be enforced except through the cooperation of the adversary! It might be enforced through law or other non-technical methods,
- e.g. the European Union General Data Protection Regulation (GDPR) requiring user consent before storing cookies which are not strictly necessary: https://gdpr.eu/



What Does Privacy Mean? / Privacy Through k-Anonymity

k-Anonymity

The adversary tries to collect information about principals. Devising technical measures to make a principal indistinguishable within a set of k principals (an anonymity set of size k) realizes a degree of privacy.
- Small k → privacy breach
- Large k → even though some private information is collected, it is not associated with the true principal

e.g. a web user visits n websites and the adversary learns that
- ...an unknown person has visited a specific website
- ...or a known person has visited some unknown websites
- ...or n colluding websites know that n possibly distinct persons have visited them, and so on

In each scenario some amount of information is leaking, but at least one key information item is missing, which partially protects the user's privacy.


Adversarial Models

Local (client-side) adversary
- The user interacts with some servers within some sessions
- The adversary might have access to the same computer either before or after the session
- If the adversary has access to the computer before the session, that access must be restricted so that the software base is not compromised
  - Session fixation can be defended against by changing session identifiers
  - Installing a key logger can trivially compromise the user's privacy

Remote (server-side) adversary
- The contacted server may try to track the user
  - ...find other servers which had been contacted by the same user
  - ...find out that the same user had used this server previously

Network adversary
- Monitors network traffic to learn who is visiting which servers
- Unique IP addresses facilitate such tracking and logging activities
- ...covered in the next lecture



Private Web Browsing / Local Adversary

Private Web Browsing – Local Adversary

In the local adversary threat model
- the user visits one or more websites in the private browsing session,
- the private window is closed,
- and then the local adversary starts investigating the computer that was used.

Plausible deniability is not a goal, i.e. the adversary may find out that private browsing was used, but must not learn any information about the visited websites.

The saved state which is maintained by the browser might leak some information
- e.g. bookmarks and downloaded files
The OS might exacerbate the problem too!
- e.g. the DNS cache


Private Web Browsing – Local Data Leakage

Browsers usually allow cookies in the private window, so you can log in in a private window, but all cookies are removed when the private window is closed. Web Storage and history are also removed, similar to the cookies.
1 What about the swap partition or a page file?
  - Even a removed file is not necessarily erased from the disk blocks
2 What about the free()ed memory pages?
  - If they are not zeroed out by the application or the OS, they might be allocated to another process!

Saved passwords, added bookmarks, downloaded files, and installed add-ons will be kept after closing the private window.


Secure Memory Management

If all data are encrypted before being stored, they can be logically removed by removing their corresponding key.
The mlock(addr, len) API can be used to lock a memory region:
- Locked memory pages will be kept in memory (cannot be swapped)
- Sensitive memory pages must be locked
- ...and their contents must be zeroed out before being unlocked
- the key of the encrypted stored data can be kept in such a memory-resident page
Note that mlock only keeps the page out of swap; it does not protect the contents from another process that has the privilege to read this process's memory.



Private Web Browsing / Remote Adversary

Private Web Browsing – Remote Adversary

In the remote adversary threat model, a web user visits a website which is controlled by the adversary in a private window
- ...the adversary tries to recognize whether the user had visited that website
  1 in an older private window,
  2 or in a public/normal browsing window,
  3 or even using another browser or computer
- ...the adversary tries to find out whether the user employs private browsing

If a user visits a website from an IP address and visits the same website in a private window afterwards, with reasonable probability both sessions will share an IP address, and the server can link those two sessions together. This is hard to defend against in the browser since the attack is launched at the network layer → it can be solved by Tor (next lecture).

What if the IP address problem is resolved?


Super Cookies & Browser Fingerprinting

Super cookie is a generic term to describe any client-side storage mechanism (similar to cookies)
- ...providing some form of permanent storage (enabling user tracking)
- ...which is usually hard to detect and/or remove
- e.g. Flash cookies, Web Storage

Users might learn about super cookies and remove them, but a unique configuration or functionality allows the adversary to track a browser even after removal of all user data. These unique characteristics are called fingerprints.

Visit http://panopticlick.eff.org/, then open a private window and check it again. It is implemented by the Electronic Frontier Foundation (EFF) to exhibit the risk of browser fingerprinting.


Browser Fingerprinting: HTTP Headers

- User-Agent: reveals the browser version and OS
- Accept: acceptable MIME types such as text/html
- Accept-Encoding: such as gzip
- Accept-Language: such as en-US
- Can a cookie be set?
- DNT: has the user enabled the Do Not Track feature? (the opt-out itself is one more distinguishing bit)


Browser Fingerprinting: JavaScript

1 JavaScript can enumerate installed plugins using navigator.plugins
2 ...or get the time zone using new Date().getTimezoneOffset()
3 ...or the screen resolution and color depth using window.screen
4 ...or the system's installed fonts using an applet
  ...or by testing all fonts using JavaScript to render sample texts
5 Does Web Storage work?
6 Does the device support touch events?


User Fingerprinting: Stylography

It is also possible to fingerprint the user's behavior. This does not change between different browser and OS versions.

One aspect of users' behavior is how they type: different humans wait for a different amount of time between characters while typing different words. The adversary first needs to learn a user's typing style.
- A search engine or web-based email service can observe the user typing a lot of text and then sell the learned typing style to adversaries
- Read more details in [stylography]

Workaround 1: disable JavaScript
Workaround 2: type in a text editor and paste into the browser


Browser Fingerprinting Countermeasures

How to make sure that nothing from memory is stored onto the disk during a private browsing session?
- VM-level solution: create a temporary VM with encrypted storage or in-memory mounted storage; run the private window in its own temporary VM and then remove it
- OS-level solution: use secure memory management for sensitive data which might be read later by some local adversary

How to stop browser fingerprinting?
- Fake the results of the fingerprintable APIs, e.g. https://github.com/kkapsner/CanvasBlocker
- Use a common user agent string!
- Limit browser fonts to a common standard set
- Block Flash and applets; other alternatives?
The faked values must be common ones: a value that nobody else reports is itself a fingerprint.

How to achieve plausible deniability?
- If a feature must be blocked in private windows, block it everywhere, including the normal windows



Non-Private Web Browsing / User Tracking

User Tracking: Web Bugs

Web bug: originally, a tiny or invisible image loaded from a 3rd-party website, the tracker.
- If a tracker/advertiser embeds a web bug in all websites, each website can have its own unique web bug URL, and the tracker will be notified about the browsing activities of the user

It is not required to be an image: a script, a stylesheet, an iframe, etc. also work.
And it is not required to be loaded in a browser: a web bug in an email tells the sender when the email is read.
- Prevention: do not load remote images while displaying an email


User Tracking: Referer

Referer is an HTTP request header (a misspelling of "referrer") providing the URL of the previous page which originated this request.
- Can be used to link a POST request to its corresponding GET request
- A privacy risk when sent between different origins

The Origin header is less privacy intrusive, as it does not include the path and query, but it still inevitably leaks the previous origin.



Non-Private Web Browsing / 3rd-Party and 4th-Party Cookies

3rd-Party and 4th-Party Cookies

Due to the accompanying cookies, a web bug learns who is visiting which websites:
- each website → a unique URL
- each person → a unique cookie

These cookies belong to the tracker, with a 3rd-party origin (different from the main page origin). 3rd-party cookies can be set by an iframe, some script resource, an image, etc. And an iframe might itself load other scripts, images, etc., which can set 4th-party cookies, and so on.


Defending Your Privacy Against 3rd-Party Trackers

1 You might use the DNT header, for those companies which respect the Do Not Track preference
2 And/or block all 3rd-party cookies, which might break some websites (e.g. a Like button), or block only the 3rd-party cookies of known trackers
Neither measure stops the fingerprinting and IP-based linking discussed earlier; they only remove the cookie as the easiest identifier.


What About The Referer Request Header?

An iframe receives the enclosing document's URL as its Referer. Double iframing changes the leaked Referer:
- the main page embeds an iframe from its own domain,
- that embedded iframe, which has a non-sensitive URL, embeds the target resource,
- ...so the target iframe receives the non-sensitive URL as its Referer.

And/or use the referrerpolicy HTML attribute (the same values are accepted by the Referrer-Policy response header):
- unsafe-url: always send the complete Referer
- no-referrer: never send it
- same-origin: only send it for same-origin requests
- origin: send only the origin (scheme, host, port) instead of the complete URL
- origin-when-cross-origin: complete URL for same-origin requests, just the origin for others
- no-referrer-when-downgrade: nothing when downgrading (https → http), complete URL otherwise
- strict-origin: nothing when downgrading, the origin for other requests
- strict-origin-when-cross-origin: complete URL for same-origin requests; the origin for other cross-origin requests; nothing when downgrading cross-origin


References and Further Reading

[6.858:MIT6-858F14-lec18.pdf] Nickolai Zeldovich, "MIT 6.858 Computer Systems Security – Lecture 18: Private Browsing," Massachusetts Institute of Technology, 2014. Online: https://ocw.mit.edu/courses/electrical-engineering-and-computer-science/6-858-computer-systems-security-fall-2014/lecture-notes/MIT6_858F14_lec18.pdf

[stylography] Prima Chairunnanda, Nam Pham, and Urs Hengartner, "Privacy: Gone with the typing! Identifying web users by their typing patterns," IEEE Third International Conference on Privacy, Security, Risk and Trust, pp. 974–980, 2011. Online: citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.685.1674&rep=rep1&type=pdf
