I Do Not Know What You Visited Last Summer


I Do Not Know What You Visited Last Summer: Protecting users from stateful third-party web tracking with TrackingFree browser

Xiang Pan§, Yinzhi Cao†, Yan Chen§
§ Northwestern University, † Columbia University

Roadmap
• Background
• System Design
• Evaluation
• Summary

[Figure: the user visits two sites and both requests reach the tracker (doubleclick) with the same cookie. Referer: http://online.wsj.com/, Cookie: id = 12345; Referer: http://www.cnn.com/, Cookie: id = 12345]

Web tracking is serious
• Prevalent
  • More than 90% of Alexa Top 500 web sites [Roesner, NSDI 2012]
  • A web page usually has multiple tracking elements
• “There is no such thing as anonymous online tracking” - Arvind Narayanan
• Not only browsing history, but also other sensitive information: location, name, email, …
• Leaked information can be correlated

No effective defense approach
• Disable third-party cookies
  • Can be easily bypassed
• Blacklist-based anti-tracking tools
  • Require a priori knowledge of tracking servers
• Do-not-track header
  • No enforcement

TrackingFree Goals and Challenges
• Anti-tracking completeness
• Functionality/compatibility
• Performance

[Figure: with TrackingFree the two requests carry different cookies. Referer: http://online.wsj.com/, Cookie: id = 12345; Referer: http://www.cnn.com/, Cookie: id = 24578]

Core Idea: TrackingFree partitions client-side state into multiple isolation units so that the identifiers still exist but are no longer unique!
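
The core idea above as a small simulation, added here as an illustration and not taken from the TrackingFree implementation: a tracker that sets an `id` cookie links two sites through a shared cookie jar, but not through per-principal jars. The `Tracker` and `Browser` classes are hypothetical, and a principal is assumed to be simply the site the user navigated to directly; derivative contents allocation for child frames is not modelled.

```python
from collections import defaultdict
from itertools import count


class Tracker:
    """Third-party server that tags each new client with a unique cookie id."""

    def __init__(self):
        self._next_id = count(12345)      # constructed sample identifiers
        self.log = defaultdict(set)       # cookie id -> referers seen with it

    def handle(self, referer, cookie_id):
        if cookie_id is None:             # no state presented: mint a new id
            cookie_id = next(self._next_id)
        self.log[cookie_id].add(referer)
        return cookie_id                  # value the client stores as its cookie


class Browser:
    """partitioned=False: one shared cookie jar. True: one jar per principal."""

    def __init__(self, partitioned):
        self.partitioned = partitioned
        self.jars = defaultdict(dict)     # principal -> {cookie host: id}

    def visit(self, first_party, tracker_host, tracker):
        # Assumption: the principal is the site the user navigated to directly.
        principal = first_party if self.partitioned else "shared"
        jar = self.jars[principal]
        jar[tracker_host] = tracker.handle(
            referer=f"http://{first_party}/", cookie_id=jar.get(tracker_host))
        return jar[tracker_host]


def linkable_sites(partitioned):
    """Largest set of first-party sites the tracker can tie to a single id."""
    tracker = Tracker()
    browser = Browser(partitioned)
    for site in ("online.wsj.com", "www.cnn.com", "online.wsj.com"):
        browser.visit(site, "doubleclick.net", tracker)
    return max(tracker.log.values(), key=len)


if __name__ == "__main__":
    print("shared jar :", sorted(linkable_sites(partitioned=False)))
    print("partitioned:", sorted(linkable_sites(partitioned=True)))
```

The identifier survives inside each principal (a revisit to the same site presents the same id), which is why within-site tracking stays out of scope.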

Out-of-scope threats
• TrackingFree doesn’t address the following threats:
  • Within-site tracking
  • Tracking by exploiting browser vulnerabilities
  • Stateless tracking

Architecture
[Figure: Architecture. Principals for domain a.com and domain b.com, each with a profile, persistent storage and a History Manager. Frames shown: tab mail.a.com, tab news.a.com, tab online.b.com/n, iframe online.b.com/m, window pop.c.com, iframe tracking.com. Kernel components: Kernel Interface, Message Policy Enforcer, Principal Manager, Public History Manager, Domain Data Manager, Preference Configure, Principal Backend. Legend: user-activated flag navigation, non-user-activated flag navigation, cross-principal message, history update message, session data, user preference.]

Contents Allocation Mechanism
• Initial Contents Allocation
  • Handles top frames that users navigate to directly
• Derivative Contents Allocation
  • Handles frames that are generated by the contents of other frames, which we call child frames

Evaluation
• Anti-tracking capability
  • Formal proof
  • Experiments with real world websites
• Performance
  • Overhead (latency, memory, disk)
• Compatibility

Formal Proof
• Use Alloy to formally analyze TrackingFree’s anti-tracking ability
  • Alloy is the most popular formal proof system
• Describe TrackingFree’s behaviors on an existing Alloy Web model [Akhawe et al., CSF 2010]
• Assumptions:
  • Non-tracking servers will not set tracking identifiers for third-party trackers
  • On non-tracking host web sites, first-party elements will not send third-party tracking identifiers to other principals
• Formally verified that trackers can correlate a TrackingFree user’s activities up to three principals without site collaboration

Anti-tracking Capability with Real World Web Sites
• Gathered tracking tokens on Alexa Top web sites by following the tracker detection of [Roesner et al., NSDI 2012]
  • Detection is based on the observation that each tracking request must contain the user’s globally unique identifier
  • Some false negatives, no false positives

Anti-tracking Capability with Real World Web Sites
• Visited 2,032 valid URLs from Alexa Top 500 web sites
• Gathered 647 tracking tokens
• TrackingFree eliminated all of them

Top 10 Tracking Hosts

| Tracking Host | Prevalence (# Domains) | Tracking Token(s) |
|---|---|---|
| b.scorecardresearch.com | 133 | UIDR |
| ad.doubleclick.ne | 117 | id, gads |
| ib.adnxs.com | 75 | anj |
| p.twitter.com | 70 | utma |
| cm.g.doubleclick.net | 56 | id |
| ad.yieldmanager.com | 52 | bx |
| bs.serving-sys.com | 40 | A4 |
| cdn.api.twitter.com | 40 | utmz |
| secureus.imrworldwide.com | 38 | IMRID |
| adfarm.mediaplex.com | 31 | svid |

Performance

Latency Overhead

| Overhead Source | Cost (ms) |
|---|---|
| Principal Construction | 322.36 |
| Extra IPC | 349.06 |
| Render/JS Engine Instrumentation | 139.21 |

Overall Overhead: ~3% - ~20%

| Scenario | Avg Overhead |
|---|---|
| (1) Address Bar Navigation without Principal | 19.43% |
| (2) with Principal | 8.29% |
| (3) Cross Site Navigation | 3.36% |
| (4) Within-site | 4.70% |

Memory/Disk Overhead

Memory Overhead on 12 Web Pages (~25MB/Principal)

| Memory | Chromium (MB) | TrackingFree (MB) | Increase (MB) |
|---|---|---|---|
| Principal | 477.1 | 505 | 27.9 |
| Principals | 623.6 | 702.8 | 79.2 |
| 12 Principals | 434.6 | 642.5 | 297.9 |

Disk Overhead on 12 Web Pages (~0.6MB/Principal)

| Disk | Chromium (MB) | TrackingFree (MB) | Increase (MB) |
|---|---|---|---|
| Principal | 21.3 | 21.8 | 0.5 |
| Principals | 22.5 | 25.9 | 3.4 |
| 12 Principals | 23.7 | 29.4 | 5.7 |

Compatibility
• Manually tested TrackingFree’s compatibility on Alexa Top 50 websites
• Compatibility on first-party websites
  • Results: 50/50
• Compatibility on third-party services
  • Cross-site online payments (1/1)
  • Cross-site content sharing (31/31)
  • Single sign-on (35/36)
  • Overall results: 67/68

Case study: Logging into Yahoo using a Facebook account
[Figure: Principal Yahoo and Principal Facebook, each with its own local storage, shown client-side and server-side. Labelled steps: (1) click login using FB, (2) Data(Y) carried on URL, (3) Data(Y), (6) Data(F) carried on URL, (7) Data(F), (8) Data(F).]

Summary
• We designed and implemented the TrackingFree browser, which completely protects users from third-party web tracking by isolating resources in different principals
• We theoretically and experimentally proved TrackingFree’s anti-tracking capability
• TrackingFree incurs affordable overhead and compatibility cost

Thanks & Questions?
http://list.cs.northwestern.edu/WebSecurity

Domain Data Manager
• Backup slides…

Related Work
• Existing anti-tracking mechanisms
  • Do Not Track (DNT): almost useless
  • Blacklist-based tools: require a priori knowledge
  • Disabling third-party cookies: easy to bypass
• Existing multi-principal browsers
  • No anti-tracking capability

Related Work

| Browser | Isolation Mechanism | Contents Allocation Mechanism | Anti-tracking Capability |
|---|---|---|---|
| IE8 | In-memory Isolation | Tab based | No |
| Chromium | In-memory Isolation | Top-frame based | No |
| Gazelle | In-memory Isolation | SOP based | No |
| OP | In-memory Isolation | Web Page based | No |
| AppIsolation | Technique-specific Storage | User Configuration based | Not complete |
| Tahoma | Virtual Machine | User Configuration based | Not complete |
| Stainless | Technique-specific Storage | User Configuration based | Not complete |
| Fluid, MultiFirefox | Profile | User Configuration based | Not complete |
| TrackingFree | Profile | Indegree-bounded Principal Graph based | Complete |

Date posted: 15/12/2022, 12:36
