Presentation is loading. Please wait.

Presentation is loading. Please wait.

Chuan Yue, chuanyue@mines.edu Sensor-based Mobile Web Fingerprinting and Cross-site Input Inference Attacks IEEE Workshop on Mobile Security Technologies.

Published byMarlene Briggs Modified over 7 years ago

Similar presentations

Presentation on theme: "Chuan Yue, chuanyue@mines.edu Sensor-based Mobile Web Fingerprinting and Cross-site Input Inference Attacks IEEE Workshop on Mobile Security Technologies."— Presentation transcript:

1 Chuan Yue, chuanyue@mines.edu
Sensor-based Mobile Web Fingerprinting and Cross-site Input Inference Attacks IEEE Workshop on Mobile Security Technologies (MoST), 2016 Chuan Yue, 5/26/2016

2 Outline Introduction and Background Attacks
Potential Defense Mechanisms Conclusion and Discussions 5/26/2016

3 Smartphone Sensors Sensors Measurement Category Accelerometer acceleration forces Motion Sensors Gyroscope rotation rates Barometer atmospheric pressure Environmental Thermometer temperature Ambient Light Sensor light intensity  Magnetometer/Compass  strength and direction of the magnetic field Position Sensors Proximity Sensor presence of nearby objects They have enabled mobile apps to have richer functionality and better interactivity. 5/26/2016

4 Related Important Research Areas
design new security mechanisms (e.g., sensor-based multi-factor user authentication) analyze and protect against potential security/privacy risks (e.g., our work) 5/26/2016

5 Motion Sensors Device acceleration forces (in meters per second squared: m/s2) along three axes. Device rotation rates alpha, beta, and gamma (in degrees per second) around the three axes z, x, and y, respectively. (figure source: developer.apple.com) Motion sensors provide high-entropy data, and are inherently pertinent to the behaviors of users. Meanwhile, apps have unrestricted motion sensor data access on both iOS and Android smartphone platforms. 5/26/2016

6 Motion Sensor Data Collection from Mobile Web Users
(figure source: appsonmob.com) Browsers and WebView components have further extended the unrestricted motion sensor data access to regular webpages. Mobile Web Users include browser users and app users (through WebView) –attacks can potentially affect almost all the smartphone users! 5/26/2016

7 HTML5 DeviceMotionEvent Interface (www.w3.org specification)
User agents implementing this specification must provide a new DOM event, named devicemotion. The corresponding event must be of type DeviceMotionEvent and must fire on the window object. 5/26/2016

8 JavaScript Code for Registering to Receive devicemotion Events
window.addEventListener("devicemotion", function(event) { // Process event.acceleration, event.accelerationIncludingGravity, // event.rotationRate and event.interval, e.g.: var acc_values = event.acceleration.x + “:” + event.acceleration.y + “:” +; event.acceleration.z; var rot_values = event.rotationRate.alpha + “:” + event.rotationRate.beta + “:” +; event.rotationRate.gamma; var interval_value = event.interval; }, true); 5/26/2016

9 JavaScript Security Model in Browsers and WebView
Web Browser Sandbox Sandbox Same Origin Policy (SOP) Motion sensor data collection can create a powerful side-channel and bypass SOP! <script> JavaScript code in pageA </script> <script> JavaScript code in pageB </script> 5/26/2016 9

10 Outline Introduction and Background Attacks
Potential Defense Mechanisms Conclusion and Discussions 5/26/2016

11 User Fingerprinting Attacks - Privacy
domainA.com domainA.com domainB.com (in an iframe) DOM events window events window events first-party user fingerprinting attacks third-party user fingerprinting attacks 5/26/2016

12 Cross-Site Input Inference Attacks - Security
domainA.com domainA.com username A window events password A DOM events domainB.com (in an iframe) domainB.com (in an iframe) window events username B password B parent-to-child cross-site input inference attacks child-to-parent cross-site input inference attacks 5/26/2016

13 First-Party User Fingerprinting Attacks - Privacy
domainA.com Can raise severe privacy concerns: A first-party website may purposefully authorize a third-party website to learn about its users. A first-party website may accidentally allow a third-party website to do so due to insecure JavaScript inclusion practices. Users may not want to be tracked by a first-party website in the first place. DOM events window events All the popular web browsers provide the privacy configuration features such as disabling first-party cookies and sending the “Do Not Track” requests to websites [22]. 5/26/2016

14 Third-Party User Fingerprinting Attacks - Privacy
Can directly and severely compromise the privacy of mobile web users, and can indeed be pervasively performed, e.g., third-party advertisements are often included in iframes on millions of first-party websites: Malicious or compromised advertising websites [9], [20] definitely have the strong motivations to perform such attacks. Legitimate behavioral advertising websites that infer user privacy for profit [16], [17] also have the strong motivations to do so. domainA.com domainB.com (in an iframe) window events 5/26/2016

15 Related Work on Web Fingerprinting Attacks
Fingerprinting is the most challenging type of web tracking attacks (the Panopticlick study by Eckersley [8]) Avoiding basic stateful techniques such as HTTP cookies is tricky (e.g., need to configure the appropriate settings in browsers) Avoiding advanced stateful techniques such as supercookies and HTML5 local storage ([1, 3, 11, 12, 15]) is harder (e.g., need to find ways to disable them) Avoiding stateless fingerprinting techniques will be most challenging browser fingerprinting (e.g., characteristics of the browsers) [8] smartphone fingerprinting (e.g., hardware manufacturing imperfections) [4,6,7] Ours are more about user fingerprinting behavioral biometrics across browsers and devices 5/26/2016

16 Parent-to-Child Cross-Site Input Inference Attacks - Security
Can cause severe consequences. One representative scenario is for insecure or even malicious Web Single Sign-On (SSO) relying party websites [19] to infer users’ highly valuable SSO identity provider accounts (e.g., Gmail, Facebook, and Yahoo) typed in iframes. domainA.com window events DOM events domainB.com (in an iframe) username B password B A parent document directly has the URL (context) information of its child documents. 5/26/2016

17 Child-to-Parent Cross-Site Input Inference Attacks - Security
domainA.com Similar to the third-party user fingerprinting attacks on data collection, not on goal. Can directly and severely compromise the security of mobile web users, and can be pervasively performed, e.g., prevalence of using iframes to include advertisements into millions of first-party websites. Malicious or compromised advertising websites [9], [20] can be the main threat sources. username A password A domainB.com (in an iframe) window events A child document can use the document.referrer value to obtain the URL (context) information of its parent document. 5/26/2016

18 Related Work on Input Inference Attacks
Based on behavioral biometrics of smartphone users [2, 5, 10, 13, 18] assume a malicious app is installed on a smartphone often use both touch-screen and motion sensor data focus on touchscreen lock PINs or passwords (that could be valuable only if they are reused by the smartphone owner on some online services or if the smartphone itself is also stolen) Ours are much broader and severer Infer highly valuable user inputs (e.g., passwords) on any website no malicious app needs to be installed 5/26/2016

19 Effectiveness of the Attacks
Our user fingerprinting attacks and cross-site input inference attacks can be modeled as multi-class classification problems: The former: n users are n different classes with n unique fingerprints The later: different soft-keyboard keys are different classes Train and use machine learning classifiers Basic and statistical features 5/26/2016

20 Challenges in Feature Extraction
One main challenge is on segmenting (or aligning) the motion sensor data for individual user actions. Touch events and keyboard events are associated with DOM elements, protected by SOP, and cannot be directly used by a third-party for segmentation. 5/26/2016

21 More Challenges in User Fingerprinting
Accuracy and Scalability Considerations Feature value distribution, e.g., high between- subjects entropy and low within-subjects entropy indicate relevancy. Impacts of multiple factors including different gestures (e.g., touch/long press), touch activities (e.g., select/scroll), DOM element types (e.g., button/link), and rendering locations (e.g., top/ right/bottom) on the selection of features. Number of bits of fingerprint distribution entropy Attack Strategies 5/26/2016

22 More Challenges in Input Inference
Accuracy, Context Information Attack Strategies username hot area password device orientation input field keyboard layout keystroke 5/26/2016

23 Outline Introduction and Background Attacks
Potential Defense Mechanisms Conclusion and Discussions 5/26/2016

24 Toward Usable Defense Mechanisms
always ask a user to grant or deny motion sensor data access requests on individual webpages completely block webpages’ access to the motion sensor data It is important to design fine-grained defense mechanisms that could be more usable and effective in practice. 5/26/2016

25 Element-based Sensor Data Access Control
Add a new boolean attribute, e.g., “disable-motion-sensor-data” for HTML input elements Sufficiently protect against both parent-to-child and child-to-parent cross-site input inference attacks Need browser (browser extension) support Need individual websites opt in to the protection (compatibility and freedom) Completely transparent to end users Can be extended to HTML form elements username password 5/26/2016

26 Frame-based Sensor Data Access Control
Add a new value “allow-sensor-data” for the iframe sandbox attribute in HTML5 Sufficiently protect against both third-party user fingerprinting and child-to-parent cross-site input inference attacks Need browser (browser extension) support, and need to carefully delimit the scope of the new attribute value Need individual websites opt in to the protection (compatibility and freedom) Completely transparent to end users <iframe src="demo_iframe_sandbox_origin.htm" sandbox="allow-same-origin allow-scripts"></iframe> 5/26/2016

27 Domain-based Sensor Data Access Control
Similar to existing domain-based privacy and content settings in web browsers Default-deny, default allow, ask users at the site level; managing exceptions Sufficiently protect against all the four types of attacks Need browser (browser extension) support No change to any website Not transparent: users need to be aware of this mechanism and properly use it 5/26/2016

28 Domain and Attack Specific Data Perturbation
Browser (browser extension) detect the specific attacks that may occur, and then perturb the sensor data e.g., adding noise or decreasing collection frequency Should leverage the research results on attacks Should not affect the functionality of apps Protect against all the four types of attacks Need browser (browser extension) support No change to any website Transparent to end users Protection is only statistical rather than deterministic 5/26/2016

29 Summary of the Four Potential Defense Mechanisms
Main Defense Targets Deployment User Transparency Element-based sensor data access control Both types of cross-site input inference attacks Browser and individual websites Yes Frame-based sensor Third-party user fingerprinting attacks and child-to-parent cross-site input inference attacks Domain-based sensor All the four types of attacks Browser No Domain and attack specific data perturbation All the four types of attacks (statistical) 5/26/2016

30 Conclusion and Discussions
Motion sensor based attacks to web users user fingerprinting attacks cross-site input inference attacks Four potential defense mechanisms Hope to raise researchers’ and developers’ attention Welcome your questions and discussions Thank You! 5/26/2016

Download ppt "Chuan Yue, chuanyue@mines.edu Sensor-based Mobile Web Fingerprinting and Cross-site Input Inference Attacks IEEE Workshop on Mobile Security Technologies."

Similar presentations

Protecting Browser State from Web Privacy Attacks Collin Jackson, Andrew Bortz, Dan Boneh, John Mitchell Stanford University.

Protecting Browser State from Web Privacy Attacks Collin Jackson, Andrew Bortz, Dan Boneh, John Mitchell Stanford University.
Presented by Vaibhav Rastogi. Current browsers try to separate host system from Web Websites evolved into web applications Lot of private data on the.

Presented by Vaibhav Rastogi. Current browsers try to separate host system from Web Websites evolved into web applications Lot of private data on the.
Secure Lync mobile Authentication

Secure Lync mobile Authentication
Secure SharePoint mobile connectivity

Secure SharePoint mobile connectivity
Information Security Confidential Two-Factor Authentication Solution Overview Shawn Fulton January 15th, 2015.

Information Security Confidential Two-Factor Authentication Solution Overview Shawn Fulton January 15th, 2015.
Access Control Methodologies

Access Control Methodologies
The Most Dangerous Code in the Browser Stefan Heule, Devon Rifkin, Alejandro Russo, Deian Stefan Stanford University, Chalmers University of Technology.

The Most Dangerous Code in the Browser Stefan Heule, Devon Rifkin, Alejandro Russo, Deian Stefan Stanford University, Chalmers University of Technology.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
Cloud Usability Framework

Cloud Usability Framework
11 The Ghost In The Browser Analysis of Web-based Malware Reporter: 林佳宜 Advisor: Chun-Ying Huang 2010/3/29.

11 The Ghost In The Browser Analysis of Web-based Malware Reporter: 林佳宜 Advisor: Chun-Ying Huang /3/29.
* Hassan Khan,Aaron Atwater,and Urs Hengartner. Outline Background Introduction for IA Previous work on IA challenge Introduction to Itus Itus for app.

* Hassan Khan,Aaron Atwater,and Urs Hengartner. Outline Background Introduction for IA Previous work on IA challenge Introduction to Itus Itus for app.
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Design Extensions to Google+ CS6204 Privacy and Security.

Fall, Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Design Extensions to Google+ CS6204 Privacy and Security.
SCRIPT LESS ATTACKS STEALING THE PIE WITHOUT TOUCHING THE SILL.

SCRIPT LESS ATTACKS STEALING THE PIE WITHOUT TOUCHING THE SILL.
JavaScript, Fourth Edition

JavaScript, Fourth Edition
TouchLogger: Inferring Keystrokes on Touch Screen from Smartphone Motion Liang Cai and Hao Chen UC Davis.

TouchLogger: Inferring Keystrokes on Touch Screen from Smartphone Motion Liang Cai and Hao Chen UC Davis.
Securing Embedded User Interfaces: Android and Beyond Franziska Roesner and Tadayoshi Kohno University of Washington Mohamed Grissa A presentation of USENIX.

Securing Embedded User Interfaces: Android and Beyond Franziska Roesner and Tadayoshi Kohno University of Washington Mohamed Grissa A presentation of USENIX.
Chapter 8 Cookies And Security JavaScript, Third Edition.

Chapter 8 Cookies And Security JavaScript, Third Edition.
TOUCHSIGNATURES Maryam Mehrnezhad, Ehsan Toreini, Siamak F. Shahandashti, Feng Hao Newcastle University CryptoForma meeting, Belfast 4 May 2015.

TOUCHSIGNATURES Maryam Mehrnezhad, Ehsan Toreini, Siamak F. Shahandashti, Feng Hao Newcastle University CryptoForma meeting, Belfast 4 May 2015.
CSCE 201 Web Browser Security Fall 2015. CSCE 201 - Farkas2 Web Evolution Web Evolution Past: Human usage – HTTP – Static Web pages (HTML) Current: Human.

CSCE 201 Web Browser Security Fall CSCE Farkas2 Web Evolution Web Evolution Past: Human usage – HTTP – Static Web pages (HTML) Current: Human.
2011/12/20 1 Tongbo Luo, Hao Hao, Wenliang Du, Yifei Wang, and Heng Yin Syracuse University ACSAC 2011.

2011/12/20 1 Tongbo Luo, Hao Hao, Wenliang Du, Yifei Wang, and Heng Yin Syracuse University ACSAC 2011.

Similar presentations

Ads by Google