Sensor-Based Mobile Web Fingerprinting and Attacks

 
Sensor-based Mobile Web Fingerprinting and Cross-site Input Inference Attacks

Chuan Yue, chuanyue@mines.edu

IEEE Workshop on Mobile Security Technologies (MoST), 2016

5/26/2016
 
Outline
 
Introduction and Background
Attacks
Potential Defense Mechanisms
Conclusion and Discussions
 
Smartphone Sensors

They have enabled mobile apps to have richer functionality and better interactivity.
 
Related Important Research Areas

design new security mechanisms (e.g., sensor-based multi-factor user authentication)

analyze and protect against potential security/privacy risks (e.g., our work)
 
Motion Sensors

Motion sensors provide high-entropy data, and are inherently pertinent to the behaviors of users. Meanwhile, apps have unrestricted motion sensor data access on both iOS and Android smartphone platforms.

Device rotation rates alpha, beta, and gamma (in degrees per second) around the three axes z, x, and y, respectively.

Device acceleration forces (in meters per second squared: m/s²) along three axes.
 
 
Motion Sensor Data Collection from Mobile Web Users

Browsers and WebView components have further extended the unrestricted motion sensor data access to regular webpages.
Mobile Web Users include browser users and app users (through WebView); attacks can potentially affect almost all the smartphone users!
 
 
HTML5 DeviceMotionEvent Interface (www.w3.org specification)

User agents implementing this specification must provide a new DOM event, named devicemotion. The corresponding event must be of type DeviceMotionEvent and must fire on the window object.
 
 
JavaScript Code for Registering to Receive devicemotion Events

window.addEventListener("devicemotion", function(event) {
    // Process event.acceleration, event.accelerationIncludingGravity,
    // event.rotationRate and event.interval, e.g.:

    var acc_values = event.acceleration.x + ":" +
                     event.acceleration.y + ":" +
                     event.acceleration.z;
    var rot_values = event.rotationRate.alpha + ":" +
                     event.rotationRate.beta + ":" +
                     event.rotationRate.gamma;
    var interval_value = event.interval;
}, true);
 
JavaScript Security Model in Browsers and WebView

[Figure: a Web Browser containing two Sandbox boxes with the Same Origin Policy (SOP) between them. One holds http://www.domainA.com:8080/pageA.htm with <script> JavaScript code in pageA </script>; the other holds http://www.domainB.com/pageB.htm with <script> JavaScript code in pageB </script>.]

Motion sensor data collection can create a powerful side-channel and bypass SOP!
 
Outline
 
Introduction and Background
Attacks
Potential Defense Mechanisms
Conclusion and Discussions
 
User Fingerprinting Attacks - Privacy

[Figure: two panels, each a domainA.com page. First-party user fingerprinting attacks: DOM events, window events. Third-party user fingerprinting attacks: domainB.com (in an iframe), window events.]
 
Cross-Site Input Inference Attacks - Security

[Figure: two panels, each a domainA.com page. Parent-to-child cross-site input inference attacks: DOM events, window events; domainB.com (in an iframe) with username B and password B. Child-to-parent cross-site input inference attacks: username A and password A; domainB.com (in an iframe) with window events.]
 
First-Party User Fingerprinting Attacks - Privacy

[Figure: domainA.com with DOM events and window events]

Can raise severe privacy concerns:
    A first-party website may purposefully authorize a third-party website to learn about its users.
    A first-party website may accidentally allow a third-party website to do so due to insecure JavaScript inclusion practices.
    Users may not want to be tracked by a first-party website in the first place.

All the popular web browsers provide the privacy configuration features such as disabling first-party cookies and sending the “Do Not Track” requests to websites [22].

Third-Party User Fingerprinting Attacks - Privacy

[Figure: domainA.com; domainB.com (in an iframe) with window events]

Can directly and severely compromise the privacy of mobile web users, and can indeed be pervasively performed, e.g., third-party advertisements are often included in iframes on millions of first-party websites:
    Malicious or compromised advertising websites [9], [20] definitely have the strong motivations to perform such attacks.
    Legitimate behavioral advertising websites that infer user privacy for profit [16], [17] also have the strong motivations to do so.
 
 
Related Work on Web Fingerprinting Attacks

Fingerprinting is the most challenging type of web tracking attacks (the Panopticlick study by Eckersley [8])
    Avoiding basic stateful techniques such as HTTP cookies is tricky (e.g., need to configure the appropriate settings in browsers)
    Avoiding advanced stateful techniques such as supercookies and HTML5 local storage ([1, 3, 11, 12, 15]) is harder (e.g., need to find ways to disable them)
    Avoiding stateless fingerprinting techniques will be most challenging
        browser fingerprinting (e.g., characteristics of the browsers) [8]
        smartphone fingerprinting (e.g., hardware manufacturing imperfections) [4,6,7]
Ours are more about user fingerprinting
    behavioral biometrics
    across browsers and devices

Parent-to-Child Cross-Site Input Inference Attacks - Security

[Figure: domainA.com with DOM events and window events; domainB.com (in an iframe) with username B and password B]

A parent document directly has the URL (context) information of its child documents.

Can cause severe consequences. One representative scenario is for insecure or even malicious Web Single Sign-On (SSO) relying party websites [19] to infer users’ highly valuable SSO identity provider accounts (e.g., Gmail, Facebook, and Yahoo) typed in iframes.

Child-to-Parent Cross-Site Input Inference Attacks - Security

[Figure: domainA.com with username A and password A; domainB.com (in an iframe) with window events]

A child document can use the document.referrer value to obtain the URL (context) information of its parent document.

Similar to the third-party user fingerprinting attacks on data collection, not on goal.

Can directly and severely compromise the security of mobile web users, and can be pervasively performed, e.g., prevalence of using iframes to include advertisements into millions of first-party websites.
Malicious or compromised advertising websites [9], [20] can be the main threat sources.
 
 
Related Work on Input Inference Attacks

Based on behavioral biometrics of smartphone users [2, 5, 10, 13, 18]
    assume a malicious app is installed on a smartphone
    often use both touch-screen and motion sensor data
    focus on touchscreen lock PINs or passwords (that could be valuable only if they are reused by the smartphone owner on some online services or if the smartphone itself is also stolen)
Ours are much broader and severer
    Infer highly valuable user inputs (e.g., passwords) on any website
    no malicious app needs to be installed
 
 
Effectiveness of the Attacks

Our user fingerprinting attacks and cross-site input inference attacks can be modeled as multi-class classification problems:
    The former: n users are n different classes with n unique fingerprints
    The latter: different soft-keyboard keys are different classes
Train and use machine learning classifiers
    Basic and statistical features
 
 
 
Challenges in Feature Extraction

One main challenge is on segmenting (or aligning) the motion sensor data for individual user actions.

Touch events and keyboard events are associated with DOM elements, protected by SOP, and cannot be directly used by a third-party for segmentation.
 
 
More Challenges in User Fingerprinting

Accuracy and Scalability Considerations
    Feature value distribution, e.g., high between-subjects entropy and low within-subjects entropy indicate relevancy.
    Impacts of multiple factors including different gestures (e.g., touch/long press), touch activities (e.g., select/scroll), DOM element types (e.g., button/link), and rendering locations (e.g., top/right/bottom) on the selection of features.
    Number of bits of fingerprint distribution entropy
Attack Strategies
 
 
 
More Challenges in Input Inference

Accuracy, Context Information
Attack Strategies

[Figure labels: username, password, hot area, device orientation, input field, keystroke, keyboard layout]
 
Outline
 
Introduction and Background
Attacks
Potential Defense Mechanisms
Conclusion and Discussions
 
Toward Usable Defense Mechanisms

It is important to design fine-grained defense mechanisms that could be more usable and effective in practice.

completely block webpages’ access to the motion sensor data

always ask a user to grant or deny motion sensor data access requests on individual webpages
 
 
 
Element-based Sensor Data Access Control

Add a new boolean attribute, e.g., “disable-motion-sensor-data” for HTML input elements
Sufficiently protect against both parent-to-child and child-to-parent cross-site input inference attacks
Need browser (browser extension) support
Need individual websites to opt in to the protection (compatibility and freedom)
Completely transparent to end users
Can be extended to HTML form elements

[Figure: username and password input fields]
 
 
Frame-based Sensor Data Access Control

Add a new value “allow-sensor-data” for the iframe sandbox attribute in HTML5

<iframe src="demo_iframe_sandbox_origin.htm" sandbox="allow-same-origin allow-scripts"></iframe>

Sufficiently protect against both third-party user fingerprinting and child-to-parent cross-site input inference attacks
Need browser (browser extension) support, and need to carefully delimit the scope of the new attribute value
Need individual websites to opt in to the protection (compatibility and freedom)
Completely transparent to end users
 
 
Domain-based Sensor Data Access Control

Similar to existing domain-based privacy and content settings in web browsers
    Default-deny, default allow, ask users at the site level; managing exceptions
Sufficiently protect against all the four types of attacks
Need browser (browser extension) support
No change to any website
Not transparent: users need to be aware of this mechanism and properly use it
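How the element-based, frame-based and domain-based proposals could combine into one access decision, as an added example that is not code from the talk or from any browser. The function name, the ctx/policy fields, the order of the checks and the tab-wide scope of the element rule are assumptions; the attribute and token names are the ones proposed on the slides.

```javascript
// Added example; decideMotionAccess and the ctx/policy field names are hypothetical.

// Split an iframe sandbox attribute value into its tokens.
function parseSandbox(value) {
  return value.trim().split(/\s+/).filter(Boolean);
}

// ctx describes the document whose script registered a devicemotion listener:
//   origin         that document's origin
//   sandbox        null when it is not in a sandboxed iframe, else the attribute value
//   focusedInput   attribute names of the input element that currently has focus
//                  in any document of the tab, or null
// policy is the user's domain-based setting:
//   { default: "allow" | "deny" | "ask", exceptions: { "<origin>": decision } }
function decideMotionAccess(ctx, policy) {
  // Element-based: while a protected input has focus, no document in the tab gets
  // motion data (assumed scope), whichever side of the frame boundary it is on.
  if (ctx.focusedInput && ctx.focusedInput.includes("disable-motion-sensor-data")) {
    return { decision: "deny", rule: "element" };
  }
  // Frame-based: a sandboxed iframe gets sensor data only with the new token.
  if (ctx.sandbox !== null &&
      !parseSandbox(ctx.sandbox).includes("allow-sensor-data")) {
    return { decision: "deny", rule: "frame" };
  }
  // Domain-based: a per-site exception wins over the default.
  const exceptions = policy.exceptions || {};
  if (Object.prototype.hasOwnProperty.call(exceptions, ctx.origin)) {
    return { decision: exceptions[ctx.origin], rule: "domain-exception" };
  }
  return { decision: policy.default, rule: "domain-default" };
}

// Constructed scenarios using the slides' domainA.com (parent) and domainB.com (iframe).
const policy = { default: "ask", exceptions: { "http://www.domainA.com:8080": "allow" } };
const scenarios = {
  // Third-party frame embedded with the sandbox value shown on the frame-based slide.
  sandboxedAd: { origin: "http://www.domainB.com",
                 sandbox: "allow-same-origin allow-scripts", focusedInput: null },
  // Same frame after the embedding site opts it in.
  optedInFrame: { origin: "http://www.domainB.com",
                  sandbox: "allow-scripts allow-sensor-data", focusedInput: null },
  // Parent page while the user types in a protected password field in the iframe.
  parentDuringLogin: { origin: "http://www.domainA.com:8080", sandbox: null,
                       focusedInput: ["type", "name", "disable-motion-sensor-data"] },
  // Parent page with no protected field focused.
  parentIdle: { origin: "http://www.domainA.com:8080", sandbox: null, focusedInput: null },
};

function evaluateAll() {
  const out = {};
  for (const [name, ctx] of Object.entries(scenarios)) {
    out[name] = decideMotionAccess(ctx, policy);
  }
  return out;
}

console.log(evaluateAll());
```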
 
 
 
Domain and Attack Specific Data Perturbation

Browser (browser extension) detect the specific attacks that may occur, and then perturb the sensor data
    e.g., adding noise or decreasing collection frequency
    Should leverage the research results on attacks
    Should not affect the functionality of apps
Protect against all the four types of attacks
Need browser (browser extension) support
No change to any website
Transparent to end users
Protection is only statistical rather than deterministic
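The two perturbations named on this slide, adding noise and decreasing collection frequency, applied to devicemotion events before a page's listener sees them. This is an added example, not code from the talk; the function names, option names, noise amplitudes and the 100 ms minimum interval are assumptions, and the input events are constructed.

```javascript
// Added example; guardMotionListener, perturbAxes and the option names are hypothetical.

// Seedable PRNG (mulberry32) so the run is reproducible; a deployed defence
// needs an unpredictable noise source instead.
function mulberry32(seed) {
  let a = seed >>> 0;
  return function () {
    a = (a + 0x6d2b79f5) >>> 0;
    let t = a;
    t = Math.imul(t ^ (t >>> 15), t | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// Add uniform noise in [-amp, +amp] to each axis. A whole field or a single
// axis may be null when the device lacks the sensor; null is passed through.
function perturbAxes(axes, amp, rng) {
  if (!axes) return null;
  const out = {};
  for (const key of Object.keys(axes)) {
    out[key] = axes[key] === null ? null : axes[key] + (rng() * 2 - 1) * amp;
  }
  return out;
}

// Wrap a devicemotion listener: drop events arriving sooner than minIntervalMs
// after the last delivered one, and perturb the ones that are delivered.
function guardMotionListener(listener, opts) {
  let lastDelivered = -Infinity;
  return function guarded(event) {
    if (event.timeStamp - lastDelivered < opts.minIntervalMs) return false;
    lastDelivered = event.timeStamp;
    listener({
      acceleration: perturbAxes(event.acceleration, opts.accelNoise, opts.rng),
      accelerationIncludingGravity:
        perturbAxes(event.accelerationIncludingGravity, opts.accelNoise, opts.rng),
      rotationRate: perturbAxes(event.rotationRate, opts.rotNoise, opts.rng),
      interval: Math.max(event.interval, opts.minIntervalMs),
      timeStamp: event.timeStamp,
    });
    return true;
  };
}

// Constructed input (not measured data): 60 events 16 ms apart, with a spike
// on z at events 28-30 standing in for a screen tap.
function constructedEvents() {
  const events = [];
  for (let i = 0; i < 60; i++) {
    const spike = i >= 28 && i <= 30 ? 1.5 : 0;
    events.push({
      timeStamp: i * 16,
      interval: 16,
      acceleration: { x: 0.01, y: -0.02, z: 0.03 + spike },
      accelerationIncludingGravity: null,
      rotationRate: { alpha: 0.5, beta: -0.2, gamma: 0.1 },
    });
  }
  return events;
}

function runDemo() {
  const seen = [];
  const guarded = guardMotionListener((e) => seen.push(e), {
    minIntervalMs: 100, accelNoise: 0.5, rotNoise: 5, rng: mulberry32(2016),
  });
  constructedEvents().forEach((e) => guarded(e));
  return seen;
}

console.log(runDemo().length + " of 60 events delivered");
```

With these settings the listener receives 9 of the 60 events, and the one sample that falls inside the constructed tap is still delivered with bounded noise, which is the sense in which the slide calls the protection statistical rather than deterministic.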
 
 
 
Summary of the Four Potential Defense Mechanisms
 
 
Conclusion and Discussions
 
Motion sensor based attacks to web users
user fingerprinting attacks
cross-site input inference attacks
Four potential defense mechanisms
Hope to raise researchers’ and developers’ attention
Welcome your questions and discussions
   
Thank You!
 

This content discusses sensor-based mobile web fingerprinting, cross-site input inference attacks, smartphone sensors, motion sensor data collection, and HTML5 DeviceMotionEvent interface. It highlights the potential security risks associated with sensor data access on mobile devices and the need for new defense mechanisms to protect user privacy. The research areas focus on designing security mechanisms like sensor-based multi-factor authentication and analyzing security risks. The content emphasizes the significance of motion sensors in providing high-entropy data and their accessibility by various apps and web components.

  • Sensor-based
  • Mobile web
  • Fingerprinting
  • Security risks
  • Motion sensors

Uploaded on Sep 13, 2024 | 0 Views



Presentation Transcript


  1. Sensor-based Mobile Web Fingerprinting and Cross-site Input Inference Attacks IEEE Workshop on Mobile Security Technologies (MoST), 2016 Chuan Yue, chuanyue@mines.edu 5/26/2016 1

  2. Outline Introduction and Background Attacks Potential Defense Mechanisms Conclusion and Discussions 5/26/2016 2

  3. Smartphone Sensors

     Sensors | Measurement | Category
     Accelerometer | acceleration forces | Motion Sensors
     Gyroscope | rotation rates | Motion Sensors
     Barometer | atmospheric pressure | Environmental Sensors
     Thermometer | temperature | Environmental Sensors
     Ambient Light Sensor | light intensity | Environmental Sensors
     Magnetometer/Compass | strength and direction of the magnetic field | Position Sensors
     Proximity Sensor | presence of nearby objects | Position Sensors

     They have enabled mobile apps to have richer functionality and better interactivity. 5/26/2016 3

  4. Related Important Research Areas design new security mechanisms (e.g., sensor-based multi-factor user authentication) analyze and protect against potential security/privacy risks (e.g., our work) 5/26/2016 4

  5. Motion Sensors Device acceleration forces (in meters per second squared: m/s2) along three axes. Device rotation rates alpha, beta, and gamma (in degrees per second) around the three axes z, x, and y, respectively. (figure source: developer.apple.com) Motion sensors provide high-entropy data, and are inherently pertinent to the behaviors of users. Meanwhile, apps have unrestricted motion sensor data access on both iOS and Android smartphone platforms. 5/26/2016 5

  6. Motion Sensor Data Collection from Mobile Web Users (figure source: appsonmob.com) Browsers and WebView components have further extended the unrestricted motion sensor data access to regular webpages. Mobile Web Users include browser users and app users (through WebView); attacks can potentially affect almost all the smartphone users! 5/26/2016 6

  7. HTML5 DeviceMotionEvent Interface (www.w3.org specification) User agents implementing this specification must provide a new DOM event, named devicemotion. The corresponding event must be of type DeviceMotionEvent and must fire on the window object. 5/26/2016 7

  8. JavaScript Code for Registering to Receive devicemotion Events

     window.addEventListener("devicemotion", function(event) {
         // Process event.acceleration, event.accelerationIncludingGravity,
         // event.rotationRate and event.interval, e.g.:
         var acc_values = event.acceleration.x + ":" +
                          event.acceleration.y + ":" +
                          event.acceleration.z;
         var rot_values = event.rotationRate.alpha + ":" +
                          event.rotationRate.beta + ":" +
                          event.rotationRate.gamma;
         var interval_value = event.interval;
     }, true);

     5/26/2016 8

  9. JavaScript Security Model in Browsers and WebView Web Browser Sandbox Sandbox Same Origin Policy (SOP) http://www.domainA.com:8080/pageA.htm Motion sensor data collection can create a powerful side-channel and bypass SOP! <script> JavaScript code in pageA </script> http://www.domainB.com/pageB.htm <script> JavaScript code in pageB </script> 5/26/2016 9

  10. Outline Introduction and Background Attacks Potential Defense Mechanisms Conclusion and Discussions 5/26/2016 10

  11. User Fingerprinting Attacks - Privacy domainA.com domainA.com domainB.com (in an iframe) DOM events window events window events third-party user fingerprinting attacks first-party user fingerprinting attacks 5/26/2016 11

  12. Cross-Site Input Inference Attacks - Security domainA.com domainA.com username A password A window events DOM events domainB.com (in an iframe) window events domainB.com (in an iframe) username B password B child-to-parent cross-site input inference attacks parent-to-child cross-site input inference attacks 5/26/2016 12

  13. First-Party User Fingerprinting Attacks - Privacy domainA.com Can raise severe privacy concerns: A first-party website may purposefully authorize a third-party website to learn about its users. A first-party website may accidentally allow a third-party website to do so due to insecure JavaScript inclusion practices. DOM events window events Users may not want to be tracked by a first-party website in the first place. All the popular web browsers provide the privacy configuration features such as disabling first-party cookies and sending the “Do Not Track” requests to websites [22]. 5/26/2016 13

  14. Third-Party User Fingerprinting Attacks - Privacy Can directly and severely compromise the privacy of mobile web users, and can indeed be pervasively performed, e.g., third-party advertisements are often included in iframes on millions of first-party websites: domainA.com domainB.com (in an iframe) Malicious or compromised advertising websites [9], [20] definitely have the strong motivations to perform such attacks. window events Legitimate behavioral advertising websites that infer user privacy for profit [16], [17] also have the strong motivations to do so. 5/26/2016 14

  15. Related Work on Web Fingerprinting Attacks Fingerprinting is the most challenging type of web tracking attacks (the Panopticlick study by Eckersley [8]) Avoiding basic stateful techniques such as HTTP cookies is tricky (e.g., need to configure the appropriate settings in browsers) Avoiding advanced stateful techniques such as supercookies and HTML5 local storage ([1, 3, 11, 12, 15]) is harder (e.g., need to find ways to disable them) Avoiding stateless fingerprinting techniques will be most challenging browser fingerprinting (e.g., characteristics of the browsers) [8] smartphone fingerprinting (e.g., hardware manufacturing imperfections) [4,6,7] Ours are more about user fingerprinting behavioral biometrics across browsers and devices 5/26/2016 15

  16. Parent-to-Child Cross-Site Input Inference Attacks - Security Can cause severe consequences. One representative scenario is for insecure or even malicious Web Single Sign-On (SSO) relying party websites [19] to infer users’ highly valuable SSO identity provider accounts (e.g., Gmail, Facebook, and Yahoo) typed in iframes. domainA.com window events DOM events domainB.com (in an iframe) username B password B A parent document directly has the URL (context) information of its child documents. 5/26/2016 16

  17. Child-to-Parent Cross-Site Input Inference Attacks - Security domainA.com Similar to the third-party user fingerprinting attacks on data collection, not on goal. username A password A Can directly and severely compromise the security of mobile web users, and can be pervasively performed, e.g., prevalence of using iframes to include advertisements into millions of first-party websites. Malicious or compromised advertising websites [9], [20] can be the main threat sources. domainB.com (in an iframe) window events A child document can use the document.referrer value to obtain the URL (context) information of its parent document. 5/26/2016 17

  18. Related Work on Input Inference Attacks Based on behavioral biometrics of smartphone users [2, 5, 10, 13, 18] assume a malicious app is installed on a smartphone often use both touch-screen and motion sensor data focus on touchscreen lock PINs or passwords (that could be valuable only if they are reused by the smartphone owner on some online services or if the smartphone itself is also stolen) Ours are much broader and severer Infer highly valuable user inputs (e.g., passwords) on any website no malicious app needs to be installed 5/26/2016 18

  19. Effectiveness of the Attacks Our user fingerprinting attacks and cross-site input inference attacks can be modeled as multi-class classification problems: The former: n users are n different classes with n unique fingerprints The latter: different soft-keyboard keys are different classes Train and use machine learning classifiers Basic and statistical features 5/26/2016 19

  20. Challenges in Feature Extraction One main challenge is on segmenting (or aligning) the motion sensor data for individual user actions. Touch events and keyboard events are associated with DOM elements, protected by SOP, and cannot be directly used by a third-party for segmentation. 5/26/2016 20

  21. More Challenges in User Fingerprinting Accuracy and Scalability Considerations Feature value distribution, e.g., high between-subjects entropy and low within-subjects entropy indicate relevancy. Impacts of multiple factors including different gestures (e.g., touch/long press), touch activities (e.g., select/scroll), DOM element types (e.g., button/link), and rendering locations (e.g., top/right/bottom) on the selection of features. Number of bits of fingerprint distribution entropy Attack Strategies 5/26/2016 21

  22. More Challenges in Input Inference Accuracy, Context Information Attack Strategies username hot area password device orientation input field keyboard layout keystroke 5/26/2016 22

  23. Outline Introduction and Background Attacks Potential Defense Mechanisms Conclusion and Discussions 5/26/2016 23

  24. Toward Usable Defense Mechanisms always ask a user to grant or deny motion sensor data access requests on individual webpages completely block webpages’ access to the motion sensor data It is important to design fine-grained defense mechanisms that could be more usable and effective in practice. 5/26/2016 24

  25. Element-based Sensor Data Access Control Add a new boolean attribute, e.g., “disable-motion-sensor-data” for HTML input elements Sufficiently protect against both parent-to-child and child-to-parent cross-site input inference attacks Need browser (browser extension) support Need individual websites to opt in to the protection (compatibility and freedom) Completely transparent to end users Can be extended to HTML form elements username password 5/26/2016 25

  26. Frame-based Sensor Data Access Control Add a new value “allow-sensor-data” for the iframe sandbox attribute in HTML5 <iframe src="demo_iframe_sandbox_origin.htm" sandbox="allow-same-origin allow-scripts"></iframe> Sufficiently protect against both third-party user fingerprinting and child-to-parent cross-site input inference attacks Need browser (browser extension) support, and need to carefully delimit the scope of the new attribute value Need individual websites to opt in to the protection (compatibility and freedom) Completely transparent to end users 5/26/2016 26

  27. Domain-based Sensor Data Access Control Similar to existing domain-based privacy and content settings in web browsers Default-deny, default allow, ask users at the site level; managing exceptions Sufficiently protect against all the four types of attacks Need browser (browser extension) support No change to any website Not transparent: users need to be aware of this mechanism and properly use it 5/26/2016 27

  28. Domain and Attack Specific Data Perturbation Browser (browser extension) detect the specific attacks that may occur, and then perturb the sensor data e.g., adding noise or decreasing collection frequency Should leverage the research results on attacks Should not affect the functionality of apps Protect against all the four types of attacks Need browser (browser extension) support No change to any website Transparent to end users Protection is only statistical rather than deterministic 5/26/2016 28

  29. Summary of the Four Potential Defense Mechanisms

     Mechanism | Main Defense Targets | Deployment | User Transparency
     Element-based sensor data access control | Both types of cross-site input inference attacks | Browser and individual websites | Yes
     Frame-based sensor data access control | Third-party user fingerprinting attacks and child-to-parent cross-site input inference attacks | Browser and individual websites | Yes
     Domain-based sensor data access control | All the four types of attacks | Browser | No
     Domain and attack specific data perturbation | All the four types of attacks (statistical) | Browser | Yes

     5/26/2016 29

  30. Conclusion and Discussions Motion sensor based attacks to web users user fingerprinting attacks cross-site input inference attacks Four potential defense mechanisms Hope to raise researchers’ and developers’ attention Welcome your questions and discussions Thank You! 5/26/2016 30
