1 / 26

2011 02

HTTPOS: Sealing Information Leaks with Browser-side Obfuscation of Encrypted Flows. Daniel Xiapu Luo§, Brent Peng Zhou §, Edmond W. W. Chan§ Wenke Lee†, Rocky K. C. Chang§, Roberto Perdisci‡ The Hong Kong Polytechnic University§ Georgia Institute of Technology† University of Georgia‡.

diem
Download Presentation

2011 02

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. HTTPOS: Sealing Information Leaks with Browser-side Obfuscation of Encrypted Flows Daniel Xiapu Luo§, Brent Peng Zhou§, Edmond W. W. Chan§ Wenke Lee†, Rocky K. C. Chang§, Roberto Perdisci‡ The Hong Kong Polytechnic University§ Georgia Institute of Technology† University of Georgia‡ 2011 02

  2. Encrypted Tunnel/Channel Privacy Leakage Major Security Threat to Web Applications

  3. Content Motivation Threat Model HTTPOS Design Implementation Evaluation Conclusion

  4. Motivation HTTPOS

  5. Challenges and Contributions Challengesin a browser-side solution: • Can’t modify the server’s behavior directly • Encrypted tunnels at different layers have different features • Performance degradation HTTPOSContributions: • Provide a comprehensive and configurable suite of traffic transformation techniques • Protect privacy for four popular scenarios • Reduce performance degradation

  6. Content Motivation Threat Model HTTPOS Design Implementation Evaluation Conclusion

  7. Attack Scenarios Attacker Attacker Attacker Attacker Tunnel Entry Point Tunnel Entry Point Encrypted Wireless Channel Encrypted IP Tunnel Encrypted TCP Tunnel Encrypted HTTP Tunnel Client Client Client Client Web Sites Web Sites Web Sites Web Pages Tunnel Exit Point Tunnel Exit Point Wireless Access Point HTTPOS HTTPOS HTTPOS HTTPOS Client Web Site Wireless Client/Tunnel Entry Web Site IP Tunnel Client/Tunnel Entry Web Site TCP Tunnel Client Web Page HTTPS

  8. Targeted Traffic Analysis Attacks P1 P4 P5 P2 P6 P3 t1 t2 t3 t6 t4 t5 P1 P2 P3 P4 P5 P6 Object 1 Object 2 SSWRPQ (SP’02) The number and size of web objects Jaccard Coefficient Inter-arrival time between packets and packet size Cross Correlation BLJL (PET’05) Tuples of (flow direction, packet size) LL-JC (CCS’06) Jaccard Coefficient Tuples of (flow direction, packet size) LL-NBC (CCS’06) Naïve Bayesian Sequence of tuples (flow direction, packet size) CWWZ (SP’10) Sequence Comparison

  9. Content Motivation Threat Model HTTPOS Design Implementation Evaluation Conclusion

  10. Two Defence Strategies in HTTPOS Diffusion Strategy: • Generate features that never appear in the training data set Confusion Strategy: • Make features in flow A similar to those in flow B

  11. Basic Methods in HTTPOS ? Object1 Object2 Request 1+2 Request1 Request2 Object Web Object Part1 Packet Part2 Server A Real Request Useless Request Useless Object Server B TCP MSS Packet Size etc. TCP ADWIN Packet Size etc. HTTP Range Packet Size, Object Size etc. HTTP Pipelining Packet Size, Object Size etc. HTTP Useless Request Packet Size, Object Size etc.

  12. TCP Features Measurement Result Top 2,000 Web Sites from www.Alexa.com 143,333 URLs from 8,845 Web Servers

  13. HTTP Features Measurement Result

  14. HTTPOS’s Operation URL No In cache? Yes Method Based on ADV Get URL information Collect URL information and store them into cache No Support Range? Inject Useless Request Method Based on MSS + ADV Yes Method Based on Multiple Connections + Range No Support Pipelining? Yes Performance Improvement Method Based on Pipelining + Range End

  15. Content Motivation Threat Model HTTPOS Implementation Evaluation Conclusion

  16. Implementation TCP Layer: HTTP Layer: Wireless Channel IPSec Tunnel HTTP proxy SSH Tunnel SOCKS v4 proxy HTTPS Channel HTTPs proxy

  17. Content Motivation Threat Model HTTPOS Implementation Evaluation Conclusion

  18. Evasion Evaluation through IPSec Tunnel Evasion Capability by HTTPOS

  19. Evading CWWZ Attack through HTTPS Channel * * * *

  20. Single Method Performance

  21. Impacts on the performance of Internet browsing Overall Performance in IPSec Tunnel Overall Performance in SSH Tunnel

  22. Impacts on the performance of Google Search Request-to-Response Time Original Request ACK packet Response Injected Request Injection Delay With HTTPOS Processing Time Original Request Response Overall Performance in Wireless Channel Request-to-Response Time Without HTTPOS

  23. Content Motivation Threat Model HTTPOS Implementation Evaluation Conclusion

  24. Limitations URL does not support any features required by HTTPOS Privacy leakage from SSL/TLS record length analysis URLs supporting Range can be divided into randomly overlap partials Useless requests can raise the bar for the CWWZ attack

  25. Conclusion and Future Work Browser-side techniques sufficient and practice to avoid privacy leakage from encrypted HTTP flows HTTPOS Protect your own privacy on demand • Future Work • Further mitigating impact of HTTPOS on performance • Sealing privacy leakages in other web applications

  26. Thanks

More Related