coverup: upload and download via passive participation · 2019-03-05 · participation alone raises...
TRANSCRIPT
CoverUp: Upload and Download via Passive Participation
David Sommer, Aritra Dhar, Luka Malisa
Esfandiar Mohammadi, Srdjan Čapkun, Daniel Ronzani
NSDI'19 - 28.02.2019 - David Sommer, Aritra Dhar

Were you Ever Afraid to …
… download something that is easily accessible?
Maybe someone is watching?
mass surveillance ↯
whistleblowers
free speech
accessing primary sources (e.g., WikiLeaks)
(essential for an informed democracy)

Motivation: Deniability and Participation
ACN - Strong anonymity
  Hide which users are connected to whom
  Limits surveillance and censorship
Participation alone raises suspicion
  Little deniability
Bootstrapping Problem
  small anonymity set
  Low number of connected users
  unattractive degree of anonymity
  Unattractive latency and/or bandwidth

Our contribution: Passive Participation
Web site visitors passively produce cover traffic
❶ User visits reddit
❷ Reddit responds and includes a piece of JavaScript code
❸ This JS code produces cover traffic
[Figure: passive participant (cover traffic) and active participant (real traffic), each with steps ❶ ❷ ❸]

Our contribution: Passive Participation
Web site visitors passively produce cover traffic
[Figure: passive participant (cover traffic) ≈ active participant (real traffic), each with steps ❶ ❷ ❸]
Indistinguishability
  Larger anonymity set
  Anonymity set size = active + passive
  Mitigates bootstrapping
  Provides deniability

CoverUp: Contributions
Uses Passive Participation
  Uni-directional channel: Feed
  Bi-directional channel: Transfer
Working Prototype
Analyzed Network Timing leakage

CoverUp: Feed
JS code in sandboxed iframe due to Same-Origin-Policy
Attacker controls:
  Network (monitor/drop/fake)
  Entry Server (reddit)
  CoverUp server (delivers js code)
  Feed Server (delivers feed)
Active user’s machine not compromised
[Figure: browsers of passive and active participants, CoverUp server, Feed Server and CoverUp Tool. Edge labels: (1) connects to; (2) triggers clients to connect to; (3) connects clients via JS to; (4) sends messages to; (5) extract feed]

CoverUp: Feed
[Figure: browsers of passive and active participants, CoverUp server, Feed Server and CoverUp Tool. Edge labels: (1) connects to; (2) triggers clients to connect to; (3) connects clients via JS to; (4) sends messages to; (5) extract feed]
Indistinguishability
  Active and passive participants: same protocol
  Difference: CoverUp Tool
  Provides Deniability

Protecting Passive Participants
Fountain Codes + All-or-Nothing Scheme
Only one packet stored
→ protects passive participants
[Figure: Feed Server, Browser (JavaScript, localstorage) of a passive participant, and CoverUp Tool of an active participant combining packets (+ + =)]

CoverUp: Transfer
Bi-directional channel
  Adds upstream channel
  Involves extension
  Using TLS
Indistinguishability
  Trust Transfer Server
  Trust CoverUp Server
Augments Feed
[Figure: active participant's CoverUp Tool and browser (JavaScript, Extension, localstorage), www and Transfer Server; request and response path numbered 1 to 8]

Evaluating the Indistinguishability Assertion
Protocol transcripts are indistinguishable
  Everything else identical?
  But active users have CoverUp tool and browser extension (in Transfer)
What can network attacker do?
  Measure execution time by network timestamps
Timing leakage
  Evaluation
  Mitigation

CoverUp: Experimental Setup
Setup: LAN, entry, transfer, and feed server
Feed and Transfer scenarios:
Strong attacker model:
  No other processes running on the system
  High-precision time resolution
3 Million measurements
[Figure: timeline between Browser, CoverUp JavaScript and Transfer Server, with phases labelled Loading, Periodic, Periodic]

CoverUp: Privacy Budget
Request dispatch time: add truncated Gaussian noise
Continual observation for half a year
  < 5 hours of visiting the entry server (Periodic-observations) per day
  < 50 connecting to the entry server (Loading-observations) per day
[Figure: plots of p over t, with markers t0 and w]
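The noise step from the privacy budget slide, sketched as an added example (not taken from the slides or from the CoverUp code base): each request is dispatched at its periodic slot t0 plus Gaussian noise truncated to [t0 - w, t0 + w] by rejection sampling. The 60 s period follows the performance slide; the reading of t0 and w, the sigma and w values, the function names and the seeded PRNG are assumptions made for illustration.

```javascript
// Added example, not CoverUp's own code. Names and values are assumptions.

// Seedable PRNG (mulberry32) so the run is reproducible; real code would
// draw randomness from crypto.getRandomValues().
function mulberry32(seed) {
  let a = seed >>> 0;
  return () => {
    a = (a + 0x6D2B79F5) >>> 0;
    let t = a;
    t = Math.imul(t ^ (t >>> 15), t | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// Standard normal draw via Box-Muller.
function gaussian(rng) {
  const u1 = 1 - rng(); // (0, 1], so Math.log never sees 0
  const u2 = rng();
  return Math.sqrt(-2 * Math.log(u1)) * Math.cos(2 * Math.PI * u2);
}

// Gaussian centred on t0, truncated to [t0 - w, t0 + w] by rejection.
// Clamping out-of-range draws instead would pile probability mass on the
// two bounds and change the distribution an observer sees.
function truncatedGaussian(t0, sigma, w, rng) {
  if (!(sigma > 0) || !(w > 0)) throw new RangeError("sigma and w must be > 0");
  for (;;) {
    const x = t0 + sigma * gaussian(rng);
    if (Math.abs(x - t0) <= w) return x;
  }
}

// Dispatch times (ms) for n periodic requests. Noise is added to the fixed
// slot k * period, not to the previous dispatch, so jitter never accumulates.
function dispatchSchedule(n, periodMs, sigmaMs, wMs, rng) {
  if (wMs >= periodMs / 2) throw new RangeError("w must be < period / 2");
  const times = [];
  for (let k = 1; k <= n; k++) {
    times.push(truncatedGaussian(k * periodMs, sigmaMs, wMs, rng));
  }
  return times;
}

// Constructed parameters: 60 s period, sigma = 2 s, w = 5 s.
const demo = dispatchSchedule(5, 60000, 2000, 5000, mulberry32(1));
console.log(demo.map((t) => Math.round(t)));
```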

CoverUp: Implementation
CoverUp Tool
  Implemented in Java
  Features: feed, chat and interactive browsing
  Uses crypto APIs from Whisper Systems and JCA
Browser extension
  Chrome extension based on WebExtension API
Feed/Transfer and CoverUp server
  Implemented using Java EE Servlet API
  Hosted on Apache Tomcat webserver
Available for download and testing: http://coverup.ethz.ch

CoverUp: Performance
Performance
  Packet size: 75KB every 60s avg.
  Goodput: 10KBit/s
Per user overhead
  Around 660 MB/month or 22MB/day
Privacy guarantee
  Attacker’s advantage < 2 ∙ 10^−3
cnn.com: 4.0MB
amazon.com: 5.0MB
alibaba.com: 5.4MB
google.com: 0.3MB

CoverUp: Summary
Passive Participation
  Increases anonymity set (Bootstrapping)
  Hides Intention (Deniability)
Adding Noise reduces Timing Leakage
  Maintains feasible usability
  Measurements available
Available for testing: https://coverup.ethz.ch
Available for download: https://github.com/sommerda/CoverUp-source-code
[Figure: CoverUp Feed diagram with browser, CoverUp server, Feed Server and CoverUp Tool. Edge labels: (2) triggers clients to connect to; (3) connects clients via JS to; (4) sends messages to; (5) extract feed]