
Research Article
Leakuidator: Leaky Resource Attacks and Countermeasures
@INPROCEEDINGS{10.1007/978-3-030-90022-9_8,
  author={Mojtaba Zaheri and Reza Curtmola},
  title={Leakuidator: Leaky Resource Attacks and Countermeasures},
  proceedings={Security and Privacy in Communication Networks. 17th EAI International Conference, SecureComm 2021, Virtual Event, September 6--9, 2021, Proceedings, Part II},
  proceedings_a={SECURECOMM PART 2},
  year={2021},
  month={11},
  keywords={},
  doi={10.1007/978-3-030-90022-9_8}
}
- Mojtaba Zaheri
- Reza Curtmola
Year: 2021
SECURECOMM PART 2
Springer
DOI: 10.1007/978-3-030-90022-9_8
Abstract
Leaky resource attacks leverage the popularity of resource-sharing services to conduct targeted deanonymization on the web. They are simple to execute because many resource-sharing services are inherently vulnerable due to the trade-offs made between security and functionality. Even though previous work has shown that such attacks can lead to serious privacy threats, defending against this threat is an area that has remained largely unaddressed.
In this work, we advance the state of the art on leaky resource attacks on both attack effectiveness and attack mitigation fronts. We first show that leaky resource attacks have a larger attack surface than what was previously believed, by showing reliable attack implementations that work across a broader range of browsers and by identifying new variants of the attack. We then propose Leakuidator, the first client-side defense that can be deployed right away, without buy-in from browser vendors and website owners. At a high level, Leakuidator identifies potentially suspicious requests made when a webpage is rendered and for each such request: (1) renders the request by first removing cookies from it, and (2) initiates a second request that is identical to the original request (i.e., contains the cookies that were removed), but does not render its response. This additional request maintains compatibility with existing web functionality, such as analytics and tracking services. We have implemented Leakuidator as a browser extension for three Chromium-based browsers. Experimental results show that Leakuidator introduces a small overhead and thus the impact on user experience is minimal. The extension also includes usability knobs, allowing users to reuse past choices and to adjust how strict the criteria are for identifying potentially suspicious requests.