About | Contact Us | Register | Login
ProceedingsSeriesJournalsSearchEAI
Security and Privacy in Communication Networks. 17th EAI International Conference, SecureComm 2021, Virtual Event, September 6–9, 2021, Proceedings, Part II

Research Article

Leakuidator: Leaky Resource Attacks and Countermeasures

Download(Requires a free EAI acccount)
2 downloads
Cite
BibTeX Plain Text
  • @INPROCEEDINGS{10.1007/978-3-030-90022-9_8,
        author={Mojtaba Zaheri and Reza Curtmola},
        title={Leakuidator: Leaky Resource Attacks and Countermeasures},
        proceedings={Security and Privacy in Communication Networks. 17th EAI International Conference, SecureComm 2021, Virtual Event, September 6--9, 2021, Proceedings, Part II},
        proceedings_a={SECURECOMM PART 2},
        year={2021},
        month={11},
        keywords={},
        doi={10.1007/978-3-030-90022-9_8}
    }
    
  • Mojtaba Zaheri
    Reza Curtmola
    Year: 2021
    Leakuidator: Leaky Resource Attacks and Countermeasures
    SECURECOMM PART 2
    Springer
    DOI: 10.1007/978-3-030-90022-9_8
Mojtaba Zaheri1,*, Reza Curtmola1
  • 1: New Jersey Institute of Technology, Newark
*Contact email: mojtaba.zaheri@njit.edu

Abstract

Leaky resource attacks leverage the popularity of resource-sharing services to conduct targeted deanonymization on the web. They are simple to execute because many resource-sharing services are inherently vulnerable due to the trade-offs made between security and functionality. Even though previous work has shown that such attacks can lead to serious privacy threats, defending against this threat is an area that has remained largely unaddressed.

In this work, we advance the state of the art on leaky resource attacks on both attack effectiveness and attack mitigation fronts. We first show that leaky resource attacks have a larger attack surface than what was previously believed, by showing reliable attack implementations that work across a broader range of browsers and by identifying new variants of the attack. We then proposeLeakuidator, the first client-side defense that can be deployed right away, without buy-in from browser vendors and website owners. At a high level,Leakuidatoridentifies potentially suspicious requests made when a webpage is rendered and for each such request: (1) renders the request by first removing cookies from it, and (2) initiates a second request that is identical with the original request (i.e., contains the cookies that were removed), but does not render its response. This additional request maintains compatibility with existing web functionality, such as analytics and tracking services. We have implementedLeakuidatoras a browser extension for three Chromium-based browsers. Experimental results show thatLeakuidatorintroduces a small overhead and thus the impact on user experience is minimal. The extension also includes usability knobs, allowing users to reuse past choices and to adjust how strict is the criteria for identifying potentially suspicious requests.

Published
2021-11-04
Appears in
SpringerLink
http://dx.doi.org/10.1007/978-3-030-90022-9_8
Copyright © 2021–2025 ICST
EBSCOProQuestDBLPDOAJPortico
EAI Logo

About EAI

  • Who We Are
  • Leadership
  • Research Areas
  • Partners
  • Media Center

Community

  • Membership
  • Conference
  • Recognition
  • Sponsor Us

Publish with EAI

  • Publishing
  • Journals
  • Proceedings
  • Books
  • EUDL