Leakuidator: Leaky Resource Attacks and Countermeasures

Mojtaba Zaheri, Reza Curtmola

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Abstract

Leaky resource attacks leverage the popularity of resource-sharing services to conduct targeted deanonymization on the web. They are simple to execute because many resource-sharing services are inherently vulnerable due to the trade-offs made between security and functionality. Even though previous work has shown that such attacks can lead to serious privacy threats, defending against this threat is an area that has remained largely unaddressed. In this work, we advance the state of the art on leaky resource attacks on both attack effectiveness and attack mitigation fronts. We first show that leaky resource attacks have a larger attack surface than what was previously believed, by showing reliable attack implementations that work across a broader range of browsers and by identifying new variants of the attack. We then propose Leakuidator, the first client-side defense that can be deployed right away, without buy-in from browser vendors and website owners. At a high level, Leakuidator identifies potentially suspicious requests made when a webpage is rendered and for each such request: (1) renders the request by first removing cookies from it, and (2) initiates a second request that is identical with the original request (i.e., contains the cookies that were removed), but does not render its response. This additional request maintains compatibility with existing web functionality, such as analytics and tracking services. We have implemented Leakuidator as a browser extension for three Chromium-based browsers. Experimental results show that Leakuidator introduces a small overhead and thus the impact on user experience is minimal. The extension also includes usability knobs, allowing users to reuse past choices and to adjust how strict is the criteria for identifying potentially suspicious requests.

Original languageEnglish (US)
Title of host publicationSecurity and Privacy in Communication Networks - 17th EAI International Conference, SecureComm 2021, Proceedings
EditorsJoaquin Garcia-Alfaro, Shujun Li, Radha Poovendran, Hervé Debar, Moti Yung
PublisherSpringer Science and Business Media Deutschland GmbH
Pages143-163
Number of pages21
ISBN (Print)9783030900212
DOIs
StatePublished - 2021
Event17th EAI International Conference on Security and Privacy in Communication Networks, SecureComm 2021 - Virtual, Online
Duration: Sep 6 2021Sep 9 2021

Publication series

NameLecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering, LNICST
Volume399 LNICST

Conference

Conference17th EAI International Conference on Security and Privacy in Communication Networks, SecureComm 2021
CityVirtual, Online
Period9/6/219/9/21

ASJC Scopus subject areas

  • Computer Networks and Communications

Fingerprint

Dive into the research topics of 'Leakuidator: Leaky Resource Attacks and Countermeasures'. Together they form a unique fingerprint.

Cite this