
Page 1

Expressive Privacy Control with Pseudonyms

Seungyeop Han, Vincent Liu, Qifan Pu, Simon Peter, Thomas Anderson, Arvind Krishnamurthy, David Wetherall

University of Washington

Page 2

SIGCOMM 2013 2

Internet Tracking is Pervasive

[Figure: Alice and Bob both send requests to a Tracker, which builds two profiles: User1: UW, CSE, Route to [Alice’s home]; User2: SIGCOMM, Hacking, Depression]

Trackers link user activities to form large user profiles

Page 3

Implications of Tracking for Users

• Pros: Personalization, Better Security, Revenue for Service
• Cons: Lack of Privacy

Page 4

Threat Model: Trackers Correlate Unwanted Traffic

[Figure: the same scenario as page 2: the Tracker correlates Alice’s and Bob’s traffic into User1: UW, CSE, Route to [Alice’s home] and User2: SIGCOMM, Hacking, Depression]

Page 5

Goal: Give Users Control over How They are Tracked

[Figure: with user control, the Tracker sees four unlinkable users instead of two: User1: UW, CSE; User2: Route to [Alice’s home]; User3: SIGCOMM, Hacking; User4: Depression]

Page 6

Implications of Giving Users Control

• Pros: • Cons:

Lack of Privacy

Personalization

Better Security

Revenue for Service

Page 7

Current Defenses Provide Insufficient Control

Current Defenses
– Application Layer: Third-party cookie blocking, DoNotTrack
– Network Layer: Tor, Proxies

Limitations
– Coarse-grained
– Not cross-layer

Page 8

Outline

• Motivation / Background
• Approach: Cross-Layer Pseudonyms
• System Design
– Application-Layer
– Network-Layer
• Implementation and Evaluation
• Conclusion

Page 9

Trackers Link User Requests

• Important identifiers for Web tracking:
– Application info. (cookie, JS localStorage, Flash)
– IP Address

Multiple requests are linkable by remote trackers, if they share the same identifiers.

[Figure: the User sends Req. 1 and Req. 2, both from 128.208.7.x and both carrying the same cookie header, to the Tracker]

Page 10

Approach: Pseudonym Abstraction

• Pseudonym = A set of all identifying features that persist across an activity
• Allow a user to manage a large number of unlinkable pseudonyms
– User can choose which ones are used for which operations.

[Figure: Alice uses Pseudonym1 (IP1, Cookie1) and Pseudonym2 (IP2, Cookie2) toward the Tracker, one for medical information and the other for location-related activity (Alice’s home)]

Page 11

How We Want to Use Pseudonyms

[Figure: Alice’s Application passes each request through a Policy Engine that selects a pseudonym (1. Application-Layer Design); the OS maps each pseudonym to its own IP, obtained via DHCP and forwarded by the network’s Routers (2. Network-Layer Design). Pseudonym1 (IP1, Cookie1) and Pseudonym2 (IP2, Cookie2) keep the Medical and Location activities separate as seen by the Tracker]

Page 12

Application-Layer Design

• Application needs to assign different pseudonyms to different activities.
– How to use pseudonyms depends on user and application.
– APIs are provided to define policies.
• Policy in Web browsing: a function of the request information and the state of the browser.
– Window ID, tab ID, request ID, URL, whether request is going to the first-party, etc.

Page 13

Sample Pseudonym Policies for the Web

• Default: P1 = P2 = P3
• Per-Request: P1 != P2 != P3
• Per-First Party: P1 = P2 != P3

[Figure: an “Article on Politics” on news.com is request P1; the facebook.com widget embedded in that page is request P2; a separate direct visit to facebook.com is request P3]


Page 15

Sample Pseudonym Policies for the Web

• Default: P1 = P2 = P3
• Per-Request: P1 != P2 != P3
• Per-First Party: P1 = P2 != P3

Under Per-First Party, Facebook cannot know the user’s visit to news.com.

[Figure: the same diagram as page 13: the news.com “Article on Politics” is P1, the facebook.com widget embedded in it is P2, and the direct visit to facebook.com is P3]

Page 16

Pseudonyms in Action

[Figure: the same architecture as page 11 (Alice, Application with Policy Engine, OS, DHCP and Routers, Tracker, Pseudonym1 with IP1/Cookie1, Pseudonym2 with IP2/Cookie2), now highlighting 2. Network-Layer Design]

Page 17

Network-Layer Design Consideration

1. Many IP addresses for an end-host

2. Proper mixing

3. Efficient routing

4. Easy revocation

5. Support for small networks


Page 19

1) IPv6 Allows Many IPs per Host

[Figure: a 128-bit IPv6 address]

Small networks get /64 address space (1.8e19)

Page 20

2, 3) Symmetric Encryption for Mixing and Routing

[Figure: a 128-bit IPv6 address split into the Network Prefix, used to route the packet “to” the network, and the remaining bits, used to route the packet “within” the network; networks can use this part as they want]

Page 21

2, 3) Symmetric Encryption for Mixing and Routing

[Figure: within the 128 bits, the Base address is Network Prefix | Subnet | Host | Pseudonym and the Encrypted address is Network Prefix | Encrypted ID; the two are related by Encrypt / Decrypt using symmetric-key encryption]

• End-hosts know only encrypted IP addresses
• Router uses the base addresses to forward packets
– By longest-prefix matching with subnet::host, thus the size of the routing table does not change.

Page 22

Routing Example

[Figure: a packet from the Internet reaches the ISP (Prefix::…) carrying Prefix | Encrypted ID; inside the network the ID is decrypted to Sub::Host::Pseudo and the packet is forwarded on Sub::Host::Pseudo]

Page 23

Outline

• Motivation / Background
• Approach: Cross-Layer Pseudonyms
• System Design
– Application-Layer
– Network-Layer
• Implementation and Evaluation
• Conclusion

Page 24

Prototype Implementation

[Figure: Alice’s Web Browser runs an Extension hosting the Policy Engine; the OS holds many addresses (IP1 and further IPs); a Gateway for a /64 network, obtained through an IPv6 Tunnel Broker, connects over the IPv6 Internet to a Web Server]

function extreme_policy(request, browser) {
  // Per-request policy: every request gets its own pseudonym
  return request.requestID;
}

Page 25

Evaluation

• Is the policy framework expressive enough?

• How many pseudonyms are required?

• Do policies effectively preserve privacy?

• Are that many pseudonyms feasible?

• How much overhead in OS and router?

Page 26

Pseudonym Policy is Expressive

Name               Description
Trivial            Every request uses the same pseudonym
Extreme            Every request uses a different pseudonym
Per tab [1]        Requests from each tab use a different pseudonym
Per 1st-party [2]  Based on the connected page’s (1st-party’s) domain
Time-based [3]     Change pseudonym every 10 minutes

• We could implement all the protection mechanisms from the related work in a cross-layer manner.

More examples in the paper: Per browsing session, 3rd-party blocking

[1] CookiePie Extension, [2] Milk, Walls et al. HotSec 2012, [3] Tor
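The policy framework of pages 12 to 15 and the table above, as an added example in the shape of page 24’s extreme_policy(request, browser); this is not the paper’s extension code. The request fields (requestID, tabID, url), the browser-state fields (tabs, now) and the per-tab firstPartyUrl bookkeeping are assumptions made here, and the scenario is the news.com / facebook.com one from pages 13 to 15.

```javascript
// Each policy maps (request, browser) to a pseudonym label; a tracker can link
// two requests exactly when they carry the same label (same IP and cookie).
function domainOf(url) {
  return new URL(url).hostname;
}

const policies = {
  trivial:       (req, browser) => 'P-default',
  extreme:       (req, browser) => `P-req-${req.requestID}`,
  perTab:        (req, browser) => `P-tab-${req.tabID}`,
  // first party = the page loaded in the request's tab, not the request's own host
  perFirstParty: (req, browser) => `P-site-${domainOf(browser.tabs[req.tabID].firstPartyUrl)}`,
  // one pseudonym per 10-minute slot, as in the time-based row of the table
  timeBased:     (req, browser) => `P-slot-${Math.floor(browser.now / (10 * 60 * 1000))}`,
};

function assignPseudonyms(policyName, requests, browser) {
  return requests.map(req => policies[policyName](req, browser));
}

// Could the tracker behind requests i and j merge them into one profile?
function linkable(policyName, requests, browser, i, j) {
  const labels = assignPseudonyms(policyName, requests, browser);
  return labels[i] === labels[j];
}

// Constructed scenario: tab 1 shows a news.com article with an embedded
// facebook.com widget; tab 2 is a direct visit to facebook.com.
const browser = {
  now: 0,                                   // ms since epoch, constructed
  tabs: { 1: { firstPartyUrl: 'https://news.com/politics' },
          2: { firstPartyUrl: 'https://facebook.com/' } },
};
const requests = [
  { requestID: 1, tabID: 1, url: 'https://news.com/politics' },   // P1
  { requestID: 2, tabID: 1, url: 'https://facebook.com/plugin' }, // P2
  { requestID: 3, tabID: 2, url: 'https://facebook.com/' },       // P3
];

for (const name of Object.keys(policies)) {
  console.log(name.padEnd(14), assignPseudonyms(name, requests, browser).join('  '));
}
```

Under perFirstParty the widget request P2 and the direct visit P3 get different labels, which is exactly why Facebook cannot tie the news.com visit to the user’s Facebook profile, while trivial links all three.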

Page 27

Privacy Preservation over Policies

[Chart: # of pseudonyms (log scale, 1 to 100000) used under each policy: Trivial, Per-tab, Time-based, Per 1st-party, Per-request; annotated “10 bits”]

Page 28

Privacy Preservation over Policies

[Chart: as on page 27, # of pseudonyms (log scale, 1 to 100000) per policy (Trivial, Per-tab, Time-based, Per 1st-party, Per-request), now shown alongside # of activities (log scale, 1 to 10000)]

Page 29

Conclusion

• Pseudonym abstraction: user control over unlinkable identities.
– Provided new network addressing and routing mechanisms that exploit the ample IPv6 address space.
– Enabled various policies with an expressive policy framework.
– Prototyped with an extension for a web browser to show the feasibility.