2011 IEEE Symposium on Security and Privacy. 1081-6011/11 $26.00 © 2011 IEEE. DOI 10.1109/SP.2011.23
I Still Know What You Visited Last Summer
Leaking browsing history via user interaction and side channel attacks

Zachary Weinberg (zack.weinberg@sv.cmu.edu), Eric Y. Chen (eric.chen@sv.cmu.edu), Pavithra Ramesh Jayaraman (prameshj@andrew.cmu.edu), Collin Jackson (collin.jackson@sv.cmu.edu)
Carnegie Mellon University

Abstract — History sniffing attacks allow websites to learn about users' visits to other sites. The major browsers have recently adopted a defense against the current strategies for history sniffing. In a user study with 307 participants, we demonstrate that history sniffing remains feasible via interactive techniques which are not covered by the defense. While these […]

[…] been known since 2002 ([1], [2]), and fixes for it have been discussed for nearly as long by both browser vendors and security researchers.

In 2010, L. David Baron of Mozilla developed a defense [3] that blocks all known, automated techniques for this attack, while still distinguishing visited from unvisited links and allowing site authors some control over how this distinction is made. The latest versions of Firefox, Chrome, Safari, and IE all adopt this defense. While it is a great step toward closing this privacy leak, in this paper we will demonstrate that it […]

[…] Baron's defense does include protection against side-channel attacks, particularly timing attacks. In our second experiment, we demonstrate a side-channel attack that remains possible: the dominant color of the computer screen can be made to depend on whether a link is visited. The light of the screen reflects off the victim and his or her surroundings. If the victim possesses a "webcam" (a small computer-controlled video camera, pointed at the victim's face; this is built into many recent laptops, and is a popular accessory for desktop PCs) it can be used to detect the color of the reflected light. This attack may not be practical for typical sites, if only because users are chary […]

[…] Section VI covers related work, and Section VII concludes.
II. BACKGROUND

A. The Web platform

The World Wide Web was originally conceived in 1990 as an interface to large collections of static documents ("pages") [5]. In this paradigm, it is obviously useful for users to be able to tell whether they have seen a particular page before, no matter who is referring to it. NCSA Mosaic, one of the first graphical Web browsers, drew hyperlinks in blue if they referred to a page that had not yet been visited, in purple otherwise [6]; […]

[…] of color is partially transparent, or whether a line of text is underlined, can produce measurable differences in the time to draw the page. There doesn't even need to be a rendering difference. All current browsers process CSS selectors from right to left [22], so if a style rule such as

    [class*="abc"]:visited { ... }

appears somewhere in the style sheets for a page, layout will take longer if any link on the page is visited.

Timing is by no means the only type of side-channel attack. As an example, in the course of the experiments described in this paper, we discovered a side channel for history sniffing in early beta versions of Firefox 4 (which implements Baron's defense). For some time, Firefox has looked up history database entries in the background, meanwhile drawing the page as it would appear if all links were unvisited. If any of the links turn out to have been visited, the page is redrawn. Changing the target of a link will start this whole process over. So far, there is no problem, because the redraws are invisible to standard JavaScript. However, as an extension for benchmarking and testing, early betas of Firefox 4 would generate a JavaScript event called MozAfterPaint every time the browser finished redrawing a page. An attacker could install a handler for this event, repeatedly change the target of a link, and after each change, count the number of times Firefox calls the event handler. If it gets called twice, the current link target is visited. We reported this bug to Mozilla [23], and it was fixed in beta 10 (by removing the extension).
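The MozAfterPaint probe just described, written out as an added example (this is not code from the paper, and the event no longer exists in any shipping Firefox). The decision logic is a generator that only sees "how many repaints did the last href change cause?"; a browser driver feeds it real paint events, and a constructed stand-in for the beta's behaviour feeds it the same counts offline. The 50 ms settle delay and the history database contents are assumptions.

```javascript
// Added example, not code from the paper. Probe structure for the
// Firefox 4 beta MozAfterPaint side channel described above.
//
// Observed paints after re-targeting one <a>:
//   1 paint  = page drawn with the link as unvisited and never corrected
//   2 paints = background history lookup hit, page redrawn as visited
function* historyProbe(urls) {
  const visited = [];
  for (const url of urls) {
    const paints = yield url;        // driver reports the count for this URL
    if (paints >= 2) visited.push(url);
  }
  return visited;
}

// Browser driver (Firefox 4 betas before beta 10 only). `link` is an <a>
// already in the document. The settle delay is an assumed value.
async function runInBrowser(link, urls, settleMs = 50) {
  const gen = historyProbe(urls);
  let step = gen.next();
  while (!step.done) {
    let paints = 0;
    const onPaint = () => { paints++; };
    window.addEventListener('MozAfterPaint', onPaint);
    link.href = step.value;                          // starts redraw + lookup
    await new Promise((resolve) => setTimeout(resolve, settleMs));
    window.removeEventListener('MozAfterPaint', onPaint);
    step = gen.next(paints);
  }
  return step.value;
}

// Offline driver: a constructed model of the beta's repaint behaviour as
// the text describes it. Every href change paints once; a URL present in
// the (constructed) history database causes one extra repaint.
function runWithFakeBrowser(urls, historyDb) {
  const gen = historyProbe(urls);
  let step = gen.next();
  while (!step.done) {
    const paints = 1 + (historyDb.has(step.value) ? 1 : 0);
    step = gen.next(paints);
  }
  return step.value;
}
```

Separating the classifier from the event source is what makes the bug easy to reproduce in a test: the fix Mozilla shipped (removing the event) changes only what the browser driver can observe, not the probe's logic.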
D. Defense

As mentioned previously, in 2010 Baron developed a defense [3] which blocks all known techniques for automated sniffing. To block direct sniffing, the computed style APIs pretend that all links are unvisited. To block indirect and side-channel sniffing, CSS's ability to control the visited/unvisited distinction is limited, so that visited links are always the same size and take the same amount of time to draw as their unvisited counterparts. Style rules applying to links in general, or unvisited links, can still do everything they could before the defense was implemented. Style rules for visited links, however, can only change visible graphical elements (text, background, border, etc.) from one solid color to another solid color. They cannot remove or introduce gradients, and they cannot change the transparency of a color. For example, the style rules shown in Figure 1 still work as designed. However, suppose the text-decoration property was moved from the a rule to the a:visited rule. Older browsers would then underline unvisited links but not visited links, but browsers that implement the defense would underline all links.

It is also necessary to ensure that selector matching takes the same amount of time whether or not any links are visited. To do so, Baron adjusted the algorithm for selector matching a bit. A browser that implements the defense will only do one history lookup per style rule, and it will do it last, after all the other work of selector matching. Thus, the example selector in Section III-C now takes the same amount of time whether or not any links are visited. Also, a rule that needs more than one lookup, such as

    :visited + :visited { ... }

which is meant to apply to the second of two visited links in a row, will be ignored by a browser that implements the defense (technically, it will never match any elements).

Baron's defense was rapidly adopted by browser vendors; as of this writing, it is included in Firefox 4, Chrome 9, Safari 5, and IE 9 (in order of adoption).
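A small model of the three restrictions just listed, as an added example (not from the paper and not any browser's implementation): given the declarations a link receives when unvisited and the extra declarations from an a:visited rule, it reports what a defended browser will actually apply and which declarations it drops, and it flags selectors that would need more than one history lookup. The property list and the colour parser are simplifications; real engines cover more syntax.

```javascript
// Added example, not code from the paper or from any browser. Models
// Baron's :visited restrictions as the text states them:
//  (1) only solid-colour properties may differ for visited links,
//  (2) the alpha (transparency) of a colour may not change,
//  (3) a selector needing two history lookups never matches.
// Note: getComputedStyle(link).color returns the unvisited value under
// the defense, so this check cannot be done by asking the browser.

const COLOR_PROPS = new Set(['color', 'background-color', 'border-color',
  'border-top-color', 'border-right-color', 'border-bottom-color',
  'border-left-color', 'outline-color', 'fill', 'stroke']);

// Initial values assumed for unvisited links when the site sets none.
const DEFAULT_UNVISITED = { color: 'rgb(0,0,0)' };   // others: transparent

// Parse #rgb, #rrggbb, rgb(), rgba(); anything else (keywords,
// gradients, url()) is "not a solid colour" for this model.
function parseColor(v) {
  v = String(v).trim().toLowerCase();
  let m;
  if ((m = v.match(/^#([0-9a-f]{3})$/))) {
    const [r, g, b] = m[1].split('').map((h) => parseInt(h + h, 16));
    return { r, g, b, a: 1 };
  }
  if ((m = v.match(/^#([0-9a-f]{6})$/))) {
    const n = parseInt(m[1], 16);
    return { r: n >> 16, g: (n >> 8) & 255, b: n & 255, a: 1 };
  }
  if ((m = v.match(/^rgba?\(\s*(\d+)\s*,\s*(\d+)\s*,\s*(\d+)\s*(?:,\s*([0-9.]+)\s*)?\)$/))) {
    return { r: +m[1], g: +m[2], b: +m[3], a: m[4] === undefined ? 1 : +m[4] };
  }
  return null;
}

const fmt = (c) => (c.a === 1 ? `rgb(${c.r}, ${c.g}, ${c.b})`
                             : `rgba(${c.r}, ${c.g}, ${c.b}, ${c.a})`);

// unvisited, visited: { 'css-property': 'value' } objects.
function effectiveVisitedStyle(unvisited, visited) {
  const applied = { ...unvisited };
  const dropped = [];
  for (const [prop, value] of Object.entries(visited)) {
    if (!COLOR_PROPS.has(prop)) {
      dropped.push({ prop, reason: 'not a solid-colour property' });
      continue;
    }
    const next = parseColor(value);
    if (!next) {
      dropped.push({ prop, reason: 'not a solid colour' });
      continue;
    }
    const base = parseColor(unvisited[prop] ?? DEFAULT_UNVISITED[prop] ?? 'rgba(0,0,0,0)');
    if (!base) {
      dropped.push({ prop, reason: 'unvisited value not parsed by this model' });
      continue;
    }
    if (base.a !== next.a) {
      dropped.push({ prop, reason: 'alpha may not change' });
      continue;
    }
    applied[prop] = fmt(next);
  }
  return { applied, dropped };
}

// A rule with two :visited pseudo-classes needs two history lookups and
// is treated as never matching.
function selectorUsable(selector) {
  return (selector.match(/:visited\b/g) || []).length <= 1;
}
```

Run it over the `a` and `a:visited` declaration blocks of a stylesheet to see which visited-only effects survive; the word and chessboard tasks in Section IV rely only on the one thing that does survive, a solid `color` change with unchanged alpha.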
IV. EXPERIMENT 1: INTERACTIVE ATTACKS

Baron's defense makes no attempt to address interactive attacks, where victims' actions on a site reveal their browsing history. Interactive attacks obviously require victims to interact with a malicious site, and cannot hope to probe nearly as many links as the automated attacks that are no longer possible. It might also seem that an interactive attack would be hard to disguise as legitimate interaction. We claim that these are not significant obstacles: we claim that interactive attacks can be disguised as "normal" interactive tasks that users will not find surprising or suspicious, and that they can still probe a useful number of links. To demonstrate these claims, we designed four interactive tasks that could be used to probe browser history, and tested them on people recruited from Amazon's Mechanical Turk service [24].

A. The tasks

All of our tasks operate within the constraints of Baron's defense: they use visited-link styles only to change the color of text or graphics on the screen. They are designed to probe 8 to 100 links each, which is small, but as demonstrated by Jang, not too small for the sites currently making use of automated history exploits. Finally, each task masquerades as an interaction that would not be out of place on an honest website. It is common for websites to challenge their visitors to perform a task that is relatively easy for a human, but difficult for software [25]. This is to prevent automated abuse of a site ("spam" posts to a message board, for instance). Such challenges are referred to as CAPTCHAs.² The most common type of CAPTCHA is a request to type either a few words, or a string of random letters and numbers, from an image shown on the screen. The text is manipulated to defeat OCR software. Another common type of CAPTCHA is a visual puzzle, to be solved using the mouse; visual puzzles are also commonly presented as true games (that is, intended only to entertain).

Interactive attacks necessarily involve placing hyperlinks on the screen, and then inducing victims to do something with them that will reveal to the attacker which ones are visited links.
Hyperlinks have built-in interactive behavior that will reveal that something fishy is going on, if a victim experiments with the page rather than just following the instructions. For instance, clicking on a link (visible or not) will cause the browser to load the link destination; hovering the mouse pointer over a link (again, visible or not) will display the link's destination URL somewhere in the browser's "chrome" (such as the status bar or the URL bar); selecting all the text on the page will reveal text that has been hidden by drawing it with the same color as the background. Fortunately for the attacker, all these inconvenient behaviors can be suppressed by positioning a transparent image over all the hyperlinks.

² CAPTCHA is a contrived acronym for Completely Automated Public Turing test to tell Computers and Humans Apart.

Fig. 2. Our four interactive tasks. Top to bottom: word CAPTCHA, character CAPTCHA, chessboard, and visual matching. Screenshots taken with Safari 4.0.

Fig. 3. 7-segment LCD symbols stacked to test three links per composite character. The [glyph] at the bottom is always visible, but the [glyph], [glyph], and [glyph] are only visible if a URL was visited.

Figure 2 shows what each of our interactive attacks looked like to a participant in the experiment, including the instructions for each. Note that we did not include the noise, lines, or distortions typical of real CAPTCHAs; image recognition software would have no trouble with any of them. (If we had done this, the tasks would also have been more difficult for our participants.) An attacker determined to make their phony CAPTCHAs look as much like real ones as possible could use SVG transformations to distort the text, and/or include lines and visual noise in the transparent image superimposed on the links to suppress their normal behavior.

1) Word CAPTCHA: This is the simplest task. Victims are asked to type several short English words. Each word is a hyperlink to an URL that the attacker wishes to probe; if visited, the word is styled to be drawn in black as usual, but if unvisited, it is drawn in the same color as the background.
Thus, victims see only words corresponding to sites they have visited. The attacker must arrange for at least one word to be visible no matter what; otherwise, a victim who has visited none of the URLs the attacker is probing will see a blank CAPTCHA and think the site has malfunctioned.

This task is easy to perform, and simple to implement, but can only probe a small number of links, since attackers cannot expect their victims to be willing to type more than a few words. In our study, we used a maximum of ten words, of which one was always visible and one always invisible; thus we could test no more than eight links.

2) Character CAPTCHA: This task is very similar to the previous one, but by clever choice of font and symbols, it tests the visitedness of three links per character typed. Victims are asked to type what appears to be a string of letters, numbers, and dashes from a restricted character set, in a font that mimics seven-segment LCD symbols. As shown in Figure 3, each visible character is actually four characters, superimposed, three of them visible only if an associated link is visited. No matter which combination of symbols is "on," their composite will always be a character that the victim can type, and each combination produces a different composite. [glyph] + [glyph] = [glyph]; [glyph] + [glyph] = [glyph]; [glyph] + [glyph] = [glyph]; [glyph] + [glyph] + [glyph] = [glyph]. The always-on [glyph] is necessary because position within the overall string is meaningful; without it, victims might see a series of blank spaces. In response they would probably type only one space, and that would make the result ambiguous. Again, attackers cannot expect their victims to type more than a few characters, but an eight-character CAPTCHA of this design will probe 24 sites, and a 12-character one will probe 36.
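The word CAPTCHA of 1) above, built end to end as an added example (this is not the study's code): the page generator emits the probe links with the one always-visible and one always-hidden guard word and the transparent cover image, and the decoder maps whatever the victim typed back to visited URLs. The URLs, the word list and the cover image name are constructed for the example. The only visited-dependent styling is a solid colour change, which Baron's defense allows.

```javascript
// Added example, not the study's code. Word-CAPTCHA history probe:
// page generation on the attacker's side and decoding of the answer.

// Constructed sample inputs: eight URLs to probe, ten words.
const PROBE_URLS = [
  'https://example.com/', 'https://example.net/', 'https://example.org/',
  'https://shop.example/', 'https://bank.example/', 'https://mail.example/',
  'https://news.example/', 'https://social.example/',
];
// words[0] is always visible, words[last] always hidden; the rest probe.
const WORDS = ['apple', 'river', 'stone', 'cloud', 'grape',
               'tiger', 'lemon', 'piano', 'ocean', 'brick'];

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));
}

// Returns the markup plus the layout the attacker keeps for decoding.
function buildWordCaptcha(urls, words) {
  if (urls.length > words.length - 2) throw new Error('need two spare words for the guards');
  const wordToUrl = Object.create(null);
  const guards = [words[0], words[words.length - 1]];
  const spans = [`<span class="w">${escapeHtml(guards[0])}</span>`];      // always visible
  urls.forEach((url, i) => {
    const w = words[i + 1];
    wordToUrl[w] = url;
    spans.push(`<a class="w probe" href="${escapeHtml(url)}">${escapeHtml(w)}</a>`);
  });
  spans.push(`<span class="w hidden">${escapeHtml(guards[1])}</span>`);   // never visible
  const css = [
    '.captcha{position:relative;background:#fff;padding:1em;font:bold 24px sans-serif}',
    '.w{margin-right:0.6em}',
    '.probe{color:#fff;text-decoration:none}',   // unvisited: white on white
    '.probe:visited{color:#000}',                 // visited: black (solid colour only)
    '.hidden{color:#fff}',
    '.cover{position:absolute;left:0;top:0;width:100%;height:100%}', // blocks hover/click/select
  ].join('\n');
  // "transparent.png" is an assumed asset: a fully transparent image.
  const html = `<style>${css}</style>\n<div class="captcha">${spans.join('')}` +
    `<img class="cover" src="transparent.png" alt=""></div>`;
  return { html, layout: { wordToUrl, guards } };
}

// Map the typed answer back to visited URLs. Guard words are ignored;
// anything else that is not a probe word is reported so the attacker can
// fall back to "unvisited", as the text notes a real attack must.
function decodeTypedAnswer(typed, layout) {
  const visited = [], unexpected = [];
  for (const tok of typed.toLowerCase().split(/\s+/).filter(Boolean)) {
    if (Object.prototype.hasOwnProperty.call(layout.wordToUrl, tok)) visited.push(layout.wordToUrl[tok]);
    else if (!layout.guards.includes(tok)) unexpected.push(tok);
  }
  return { visited, unexpected };
}
```

A real deployment would shuffle the word order per visitor; the decoder does not depend on order, only on the word-to-URL map, so that changes nothing here.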
This attack has more technical complications to cope with than the previous one. Hardly anyone has a seven-segment LCD font installed, but this is only a minor hurdle, as all modern browsers implement site-supplied fonts [26]. More seriously, Baron's history-sniffing defense does not allow visited-link rules to change the transparency of a color. This restriction prevents timing attacks (drawing partial transparency is slower than drawing opaque color) but also makes it harder to compose characters by stacking them. Attackers can work around this restriction by making the characters always be nearly (but not entirely) transparent, whether or not they are visited links; this is allowed. They are black if visited and white if unvisited. Each composite segment is thus drawn in a shade of gray. This might be acceptable; if not, attackers could apply an SVG color transformation to map all shades of gray to solid black. Unfortunately, SVG is not a universal feature [27]; IE did not support it at all before version 9 (not yet released as of this writing) and no browser implements the complete spec.

3) Chessboard puzzle: This task presents a chessboard grid (not necessarily the same size as a standard chessboard) on the screen; some of the squares are occupied by chess pawns. Victims are asked to click on all of the pawns. In fact every square contains a pawn, but each is a hyperlink to a different website, and only the pawns corresponding to visited sites are made visible, using the same technique as for the word CAPTCHA; invisible pawns are the same color as their background. This is technically straightforward; the only complication is that the pawns must be rendered using text or SVG shapes, so their color can be controlled from CSS. Fortunately, Unicode defines dingbats for all the standard chess pieces; in our implementation we used another site-supplied font to ensure that participants got pawns rather than "missing glyph" symbols. An attacker might be able to rely on system fonts for the pawn dingbat, but it's easy enough to use a site font that there's no reason not to.
This puzzle is easy for victims to complete, and the grid can be at least ten squares on a side—the only limits are the size of the screen, and victims' patience—so this attack can test at least 100 links' visitedness. However, it becomes tedious if there are more than a few visible pawns. Also, if used for a real attack, the page would have no way to tell how many clicks each victim will make, so attackers must resort to a time-out or an explicit "go on" button; either might seem suspicious.

4) Pattern matching puzzle: In this task, victims are asked to select two images which, when "assembled," produce a composite image. The composite is made up of four SVG shapes, whose fill color depends on the visitedness of four hyperlinks. There are four choices for each of the two images to be selected; together, they exhaust the sixteen possible appearances of the composite image. While this does rely on SVG, it only requires basic drawing features that are universally supported (except by IE).

One encounter with this puzzle tests the visitedness of four links. It could be presented as a brain teaser challenge, giving a malicious site the opportunity to make each victim solve many instances of the puzzle in succession, and so probe many links. It is decidedly more difficult than our other tasks, but it could be made easier by not composing two images, or by adjusting the images to make the correct answer more obvious.
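The two tasks that pack more than one link into each answer, the character CAPTCHA of 2) and the pattern-matching puzzle of 4), share one idea: the victim's answer is an index into the set of all visited/unvisited combinations of a small group of links. The block below, an added example rather than the study's code, shows the attacker-side encoding and decoding for both. The eight-symbol alphabet is an assumption standing in for the stacked 7-segment glyphs of Figure 3, which this page does not reproduce; the bar glyphs, font name and URLs are likewise constructed.

```javascript
// Added example, not the study's code. Multi-link answer encodings for
// the character CAPTCHA (three links per typed symbol) and the
// pattern-matching puzzle (four links per pair of choices).

// Character CAPTCHA. One typed symbol = always-on base glyph plus up to
// three link glyphs. Bit order: [left bar, right bar, top bar]; '1'
// means that link was visited. The symbols are an assumed alphabet.
const COMPOSITE = { '000': '_', '100': 'L', '010': 'J', '110': 'U',
                    '001': '=', '101': 'C', '011': ']', '111': 'O' };
const BITS_OF = Object.fromEntries(Object.entries(COMPOSITE).map(([b, s]) => [s, b]));

const esc = (s) => String(s).replace(/[&<>"']/g, (c) =>
  ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));

// Markup for ceil(urls.length / 3) positions. Link glyphs keep the same
// low alpha whether visited or not (only the RGB differs), the workaround
// the text gives for the no-transparency-change rule, so stacked glyphs
// do not hide one another. The cover image from the word CAPTCHA applies
// here too and is omitted.
function buildCharCaptcha(urls) {
  const positions = [];
  for (let i = 0; i < urls.length; i += 3) positions.push(urls.slice(i, i + 3));
  const glyph = ['\u258F', '\u2595', '\u2594'];   // left, right, top bar (assumed)
  const cells = positions.map((triple) =>
    '<span class="cell"><span>_</span>' +
    triple.map((u, k) => `<a href="${esc(u)}">${glyph[k]}</a>`).join('') +
    '</span>').join('');
  const css = '.cell{position:relative;display:inline-block;width:1em;height:1.5em;' +
    'font:32px SevenSeg,monospace}' +                     // SevenSeg: assumed site font
    '.cell span,.cell a{position:absolute;left:0;top:0}' +
    '.cell a{color:rgba(255,255,255,0.3);text-decoration:none}' +   // unvisited
    '.cell a:visited{color:rgba(0,0,0,0.3)}';                        // visited, same alpha
  return { html: `<style>${css}</style><div class="captcha">${cells}</div>`, positions };
}

// Typed string -> visited URLs. A symbol outside the alphabet, or more
// symbols than positions, is reported; the attacker then has to assume
// "unvisited" for that position, as the text notes.
function decodeCharCaptcha(typed, positions) {
  const visited = [], unexpected = [];
  [...typed.trim()].forEach((sym, i) => {
    const bits = BITS_OF[sym.toUpperCase()];
    if (!bits || !positions[i]) { unexpected.push({ index: i, sym }); return; }
    positions[i].forEach((url, k) => { if (bits[k] === '1') visited.push(url); });
  });
  return { visited, unexpected };
}

// Pattern-matching puzzle. The composite is four shapes whose fill
// tracks four links. The victim picks the left half (shapes 0 and 1)
// from four candidates and the right half (shapes 2 and 3) from four;
// the pair of candidate indices names one of the 16 composites.
const HALF_STATES = [[0, 0], [1, 0], [0, 1], [1, 1]];  // candidate index -> visited flags

function decodeMatching(leftChoice, rightChoice, urls4) {
  const bits = [...HALF_STATES[leftChoice], ...HALF_STATES[rightChoice]];
  return urls4.filter((_, i) => bits[i] === 1);
}
```

The per-answer capacity follows directly: 3 bits per typed symbol gives the 24 links per eight characters quoted above, and the two four-way choices of the matching puzzle give exactly 4 bits per instance.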
B. Procedure

We constructed a website which would challenge participants to carry out instances of each of the above four tasks. We did not actually sniff history in the implementation of these tasks, because our goal was to prove that these tasks could be performed by a typical user accurately, quickly, and without frustration. If we had implemented genuine history-sniffing attacks, we would not have known the ratio of visited to unvisited links to expect for each prompt, nor would we have been able to detect errors. Instead, we randomly generated task instances corresponding to known proportions of visited and unvisited links. Each participant experienced a fixed number of trials of each task, as indicated in Table I; each trial selected a proportion uniformly at random without replacement from the appropriate column of Table I. The site automatically skipped tasks that would not work with participants' browsers (notably those that required SVG, for participants using IE).

We recruited 307 participants from Amazon Mechanical Turk for a "user study." Participants were required to be at least 18 years old, able to see computer graphics and read English, and be using a browser with JavaScript enabled. The precise nature of the study was not revealed until participants visited the site itself. At that point they were told:

    We are studying how much information can be extracted from a browser's history of visited web pages by interactive attacks—that is, attacks that involve your doing something on a website that appears to be innocuous. It used to be possible to probe your browsing history without making you do anything, but browsers are now starting to block those attacks, so interactive probes may become more common in the future.

    In this experiment you will carry out some tasks similar to the ones that a malicious site might use to probe your browsing history. These tasks do not actually probe your browsing history; instead we measure how quickly and accurately you can do them. From this, we will be able to infer how much information each of the tasks could extract from your history.

TABLE I
PROPORTIONS OF VISITED LINKS USED FOR EACH TASK. N = TOTAL NUMBER OF LINKS, V = NUMBER OF VISITED LINKS.

    Word captcha    Character captcha    Chess          Matching
    (9 trials)      (9 trials)           (12 trials)    (12 trials)
     N    V          N    V               N    V          N    V
    10    1         12    3              16    3          4    0
    10    1         12    6              16    3          4    0
    10    1         12    9              16    5          4    1
    10    2         24    6              16    5          4    1
    10    2         24   12              16    7          4    1
    10    3         24   18              16    7          4    1
    10    3         36    9              16   11          4    1
    10    3         36   18              16   11          4    1
    10    4         36   27              36    3          4    1
    10    4         48   12              36    3          4    1
    10    4         48   24              36    5          4    2
    10    4         48   36              36    5          4    2
    10    5         60   15              36    7          4    2
    10    5         60   30              36    7          4    2
    10    5         60   45              36   11          4    2
    10    6                              64    3          4    2
    10    6                              64    3          4    2
    10    6                              64    5          4    2
    10    7                              64    5          4    3
    10    7                              64    7          4    3
    10    7                              64    7          4    3
    10    8                              64   11          4    3
    10    8                              64   11          4    3
    10    8                                               4    3
    10    9                                               4    3
    10    9                                               4    3
    10    9                                               4    3
                                                          4    4
                                                          4    4

All participants completed a consent form and then a short demographic survey (reproduced in Appendix A), after which they were given brief overall instructions:

    This experiment is divided into several tasks. To proceed to the first task, click on its heading, which is right below these instructions. When you complete each task, the heading for the next task will become selectable.

The tasks all included their own specific instructions, which are reproduced in Figure 2 above the facsimile of each task. Each task also included a progress bar at the bottom of its screen area (not shown in Figure 2) which indicated the number of trials remaining for that task. When participants reached the end of a subtask, the page showed some graphs of their performance on that task, as a reward (we do not show any of these graphs here, to avoid confusion with our actual analysis). At the very end of the experiment, participants were thanked for their assistance and offered an opportunity to see all of the data collected (in its raw form) before sending it to our server.

Fig. 4. Overall accuracy rates for the four interactive tasks.

The typing tasks gave no feedback until the end, but the clicking tasks indicated errors immediately. In the chessboard task, each pawn turned green when clicked, but if a participant clicked on an empty square, a red X would appear in that square. In the matching task, when a small image was clicked,
its brown border would turn blue if that was the correct choice, red if not. In both cases, participants had to produce the correct answers before the task would end. A real attack could respond to clicks in a similar fashion, but might not be able to give exactly the same error feedback, because of the limitations on visited-link styles imposed by Baron's defense. For instance, a version of the chessboard task that really sniffed history could turn visible pawns green when clicked, and could cause red pawns to appear in squares that had been empty before the click, but could not convert invisible pawns to visible Xes upon a click.

It was possible for participants to refuse to carry out the typing tasks, by hitting the RETURN key over and over again without typing anything. The matching task could also be skipped, via an explicit "skip this task" button, because our implementation sometimes malfunctioned and we were not able to isolate the bug, so we had to give people a way to move on. The chessboard task, however, could not be skipped or refused.

For comparison purposes, we also ran three automated history-sniffing exploits on all the participants. Less than 13% of the participants were using a browser that blocked these exploits; see Section IV-E below for more on the experiment population. We used wtikay.com's set of 7012 commonly visited URLs (derived from the Alexa top 5000 sites list [15], [28]) for this test; we recorded only the total elapsed time and the number of URLs detected as visited.

C. Results

Not all of the participants completed all of the tasks successfully, but we have usable data from at least 177 participants for each task. Figure 4 shows raw user accuracy rate for all four tasks. The chessboard takes first place in accuracy, with nearly all participants scoring 100% or close to it. The word CAPTCHA is substantially easier than the character CAPTCHA; the visual matching task is dead last in terms of average accuracy, but the character CAPTCHA has a surprising number of outliers with very poor accuracy. We investigated these, and found that some participants became so frustrated with the task that after a few trials they started hitting RETURN without attempting to type anything. There are even a few 0% scores, from participants who would not do this task at all. It is well known that strings of meaningless characters are harder to type than strings of words [29], but we did not anticipate this level of frustration.

Fig. 5. Queries per minute achieved by the four interactive tasks (black) and three automated exploits (gray).

Figure 5 shows the achievable history-sniffing rate for each task, with the rate of "traditional" automated attacks included for comparison. Of the four interactive tasks, the chessboard puzzle is the clear winner, achieving a median of nearly 1000 queries per minute. It should be remembered that this measurement combines two factors: how fast a victim can do the task, and how many URLs the task encodes. The chessboard scores highly on both counts, but the character CAPTCHA is only in second place because it encodes many URLs. Conversely, the word CAPTCHA is quick to complete, but doesn't encode many URLs and therefore falls behind on QPM. Matching does poorly on both factors. And, unsurprisingly, all of our interactive tasks are much slower than automated sniffing.

Since our study conditions are artificial, our participants' performance (either speed or accuracy) does not translate directly to attack effectiveness under "wild" conditions. We challenged participants to carry out dozens of instances of our tasks in quick succession, whereas a real attack would require victims to complete only one instance (except perhaps for the pattern-matching task). However, we did not observe any significant effect of fatigue in our tests, except for the participants who refused to complete all the requested trials of the character CAPTCHA. Some of the errors on the typing tasks were caused by participants entering something completely unexpected, rather than a possible but incorrect answer; in a real attack, if this happened, the attacker would have to default to some assumption about the links it was probing (most likely, that none of them were visited) which might chance to be correct. These effects would tend to make a genuine attack more effective than our results indicate.

On the other hand, our participants were told in advance that their ability to carry out the tasks quickly and accurately was being measured; people are known to perform better on tasks of this nature when they know their performance is being tested […]