
Expressive Privacy Control with Pseudonyms
Seungyeop Han, Vincent Liu, Qifan Pu, Simon Peter,
Thomas Anderson, Arvind Krishnamurthy, David Wetherall
University of Washington
Internet Tracking is Pervasive
[Figure: Alice and Bob browse; a tracker accumulates profiles: User1: UW, CSE, Route to [Alice’s home]; User2: SIGCOMM, Hacking, Depression]
Trackers link user activities to form large user profiles
SIGCOMM 2013
Implications of Tracking for Users
• Pros: Personalization, Better Security, Revenue for Service
• Cons: Lack of Privacy
Threat Model: Trackers Correlate Unwanted Traffic
[Figure: same setting as before; the tracker links Alice’s and Bob’s activities into User1: UW, CSE, Route to [Alice’s home] and User2: SIGCOMM, Hacking, Depression]
Goal: Give Users Control over How They are Tracked
[Figure: Alice and Bob browse; the tracker now sees four unlinked users: User1: UW, CSE; User2: Route to [Alice’s home]; User3: SIGCOMM, Hacking; User4: Depression]
Implications of Giving Users Control
• Pros and cons revisited with the same four factors: Personalization, Better Security, Lack of Privacy, Revenue for Service
Current Defenses Provide Insufficient Control
• Current Defenses
– Application Layer: Third-party cookie blocking, DoNotTrack
– Network Layer: Tor, Proxies
• Limitations
– Coarse-grained
– Not cross-layer
Outline
• Motivation / Background
• Approach: Cross-Layer Pseudonyms
• System Design
– Application-Layer
– Network-Layer
• Implementation and Evaluation
• Conclusion
Trackers Link User Requests
Multiple requests are linkable by remote trackers if they share the same identifiers.
[Figure: two requests from the same user reach the tracker, Req. 1 (128.208.7.x), header: cookie(…) and Req. 2 (128.208.7.x), header: cookie(…); the shared IP and cookie link them]
• Important identifiers for Web tracking:
– Application info. (cookie, JS localstorage, Flash)
– IP Address
Approach: Pseudonym Abstraction
• Pseudonym = A set of all identifying features that
persist across an activity
• Allow a user to manage a large number of unlinkable
pseudonyms
– User can choose which ones are used for which
operations.
[Figure: Alice holds Pseudonym1 = {Cookie1, IP1}, used for medical information, and Pseudonym2 = {Cookie2, IP2}, used for location-related activity (Alice’s home); the tracker sees two unlinkable users]
How We Want to Use Pseudonyms
[Figure: 1. Application-Layer Design: the application’s policy engine picks a pseudonym per activity, Pseudonym1 = {Cookie1, IP1} for medical and Pseudonym2 = {Cookie2, IP2} for location. 2. Network-Layer Design: the OS obtains each pseudonym’s IP address via DHCP and the routers carry packets for each IP to the tracker]
Application-Layer Design
• The application needs to assign different pseudonyms to different activities.
– How pseudonyms are used depends on the user and the application.
– APIs are provided to define policies.
• Policy in Web browsing: a function of the request information and the state of the browser.
– Window ID, tab ID, request ID, URL, whether the request is going to the first-party, etc.
Sample Pseudonym Policies for the Web
[Figure: a news.com article on politics (request P1) embeds a facebook.com widget (request P2); a separate direct visit to facebook.com is request P3]
• Default: P1 = P2 = P3
• Per-Request: P1 != P2 != P3
• Per-First Party: P1 = P2 != P3
Under the per-first-party policy, Facebook cannot know the user’s visit to news.com.
Pseudonyms in Action
[Figure: the architecture from the design slide in action: the application’s policy engine selects Pseudonym1 (Cookie1, IP1) or Pseudonym2 (Cookie2, IP2), and the OS, DHCP and routers (2. Network-Layer Design) deliver each IP to the tracker]
Network-Layer Design Consideration
1. Many IP addresses for an end-host
2. Proper mixing
3. Efficient routing
4. Easy revocation
5. Support for small networks
1) IPv6 Allows Many IPs per Host
An IPv6 address is 128 bits; even small networks get a /64 address space (1.8e19 addresses).
2, 3) Symmetric Encryption for Mixing and Routing
[Figure: the 128-bit IPv6 address is split into the Network Prefix, used to route the packet “to” the network, and the remaining bits, used to route the packet “within” the network; networks can use this part as they want]
2, 3) Symmetric Encryption for Mixing and Routing
[Figure: Base address = Network Prefix :: Subnet :: Host :: Pseudonym. Use symmetric-key encryption: the Subnet::Host::Pseudonym part is encrypted into an Encrypted ID, giving the encrypted address Network Prefix :: Encrypted ID; the router decrypts it back to the base address]
• End-hosts know only encrypted IP addresses
• Router uses the base addresses to forward packets
– By longest-prefix matching on subnet::host, so the size of the routing table does not change.
Routing Example
[Figure: a packet from the Internet addressed to Prefix :: Encrypted ID enters the ISP (Prefix :: …); the ISP router decrypts the ID to Sub::Host::Pseudo and forwards it to the host]
Prototype Implementation
[Figure: Alice’s web browser with the policy engine implemented as an extension, the OS assigning an IPv6 address (IP1) per pseudonym, a gateway for the /64 network reached through an IPv6 tunnel broker, and the web server on the Internet]
Example policy from the extension, one pseudonym per request:
    function extreme_policy(request, browser) {
      return request.requestID;
    }
Evaluation
• Is the policy framework expressive enough?
• How many pseudonyms are required?
• Do policies effectively preserve privacy?
• Are that many pseudonyms feasible?
• How much overhead in OS and router?
Pseudonym Policy is Expressive
• We could implement all the protection mechanisms from the related work in a cross-layer manner.
– Trivial: every request uses the same pseudonym
– Extreme: every request uses a different pseudonym
– Per tab [1]: requests from each tab use a different pseudonym
– Per 1st-party [2]: based on the connected page’s (1st-party) domain
– Time-based [3]: change pseudonym every 10 minutes
More examples in the paper: Per browsing session, 3rd-party blocking
[1] CookiePie Extension, [2] Milk, Walls et al. HotSec 2012, [3] Tor
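The policy table above and the P1/P2/P3 case from the sample-policies slide, as an added JavaScript example that is not the authors’ extension code; the request and browser fields requestID, tabID, thirdParty, firstParty and now are assumed, modelled on the slide’s extreme_policy(request, browser).

```javascript
// A policy maps (request, browser state) to a pseudonym label. Requests with equal labels
// share a cookie jar and IPv6 address; requests with different labels are unlinkable.
// Field names are assumed (not from the paper); null means "drop the request".
const TEN_MINUTES = 10 * 60 * 1000;
const policies = {
  trivial:         (req, br) => 'p-default',                     // every request, one pseudonym
  extreme:         (req, br) => `req-${req.requestID}`,          // slide's extreme_policy
  perTab:          (req, br) => `tab-${req.tabID}`,
  perFirstParty:   (req, br) => `site-${br.tabs[req.tabID].firstParty}`,
  timeBased:       (req, br) => `t-${Math.floor(br.now / TEN_MINUTES)}`,
  blockThirdParty: (req, br) => (req.thirdParty ? null : 'p-default'),
};

function assignPseudonyms(policyName, requests, browser) {
  return requests.map(req => policies[policyName](req, browser));
}

// Constructed browser state: tab 1 shows a news.com article with an embedded facebook.com
// widget; tab 2 is a direct visit to facebook.com (P1, P2, P3 on the slide).
const browser = {
  now: Date.UTC(2013, 7, 12, 10, 0, 0),
  tabs: { 1: { firstParty: 'news.com' }, 2: { firstParty: 'facebook.com' } },
};
const requests = [
  { requestID: 1, tabID: 1, url: 'http://news.com/politics', thirdParty: false },
  { requestID: 2, tabID: 1, url: 'http://facebook.com/like', thirdParty: true },
  { requestID: 3, tabID: 2, url: 'http://facebook.com/', thirdParty: false },
];

// Tracker's view: can it link P1 to P2 (news visit to its widget) and P2 to P3 (widget to
// the direct visit)? The slide's per-first-party claim is p1p2 && !p2p3.
function linkability(policyName) {
  const [p1, p2, p3] = assignPseudonyms(policyName, requests, browser);
  return { p1p2: p1 === p2, p2p3: p2 === p3 };
}

for (const name of Object.keys(policies)) {
  console.log(name, linkability(name));
}
```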
Privacy Preservation over Policies
[Plot: number of pseudonyms (log scale, 1 to 100000; the 1000 mark annotated as 10 bits) against number of activities, per policy]
Conclusion
• Pseudonym abstraction: user control over unlinkable identities.
– Provided new network addressing and routing mechanisms that exploit the ample IPv6 address space.
– Enabled various policies with an expressive policy framework.
– Prototyped as a web browser extension to show feasibility.