UCognito: Private browsing without tears

Meng Xu, Yeongjin Jang, Xinyu Xing, Taesoo Kim, Wenke Lee

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

5 Citations (Scopus)

Abstract

While private browsing is a standard feature, its implementation has been inconsistent among the major browsers. More seriously, it often fails to provide the adequate or even the intended privacy protection. For example, as shown in prior research, browser extensions and add-ons often undermine the goals of private browsing. In this paper, we first present our systematic study of private browsing. We developed a technical approach to identify browser traces left behind by a private browsing session, and showed that Chrome and Firefox do not correctly clear some of these traces. We analyzed the source code of these browsers and discovered that the current implementation approach is to decide the behaviors of a browser based on the current browsing mode (i.e., private or public); but such decision points are scattered throughout the code base. This implementation approach is very problematic because developers are prone to make mistakes given the complexities of browser components (including extensions and add-ons). Based on this observation, we propose a new and general approach to implement private browsing. The main idea is to overlay the actual filesystem with a sandbox filesystem when the browser is in private browsing mode, so that no unintended leakage is allowed and no persistent modification is stored. This approach requires no change to browsers and the OS kernel because the layered sandbox filesystem is implemented by interposing system calls. We have implemented a prototype system called UCognito on Linux. Our evaluations show that UCognito, when applied to Chrome and Firefox, stops all known privacy leaks identified by prior work and our current study. More importantly, UCognito incurs only negligible performance overhead: e.g., 0%-2.5% in benchmarks for standard JavaScript and webpage loading.
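The overlay sandbox described in the abstract, as an added example that is not the authors' code: it models in C the policy an interposed `open()`/`openat()` would apply on Linux while a private session is active (copy the real file up into a per-session sandbox on the first write, read through to the real filesystem for untouched files, and destroy the whole sandbox when the session ends). The function names (`ucog_begin`, `ucog_open`, `ucog_end`, `ucog_selftest`), the `/tmp` sandbox location and the constructed profile files `history.db` and `cookies.sqlite` are assumptions made for this example; it calls the policy directly instead of interposing system calls, and it does not model `unlink`/`rename` whiteouts.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <ftw.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
static char g_sandbox[PATH_MAX];  /* root of the current private session's sandbox (assumed: one per process) */

/* Start a private session: from now on every write is redirected below g_sandbox. */
int ucog_begin(const char *tmpdir) {
    if (snprintf(g_sandbox, sizeof g_sandbox, "%s/ucognito-XXXXXX", tmpdir) >= (int)sizeof g_sandbox) return -1;
    return mkdtemp(g_sandbox) ? 0 : -1;
}

/* Map an absolute real path to its shadow inside the sandbox (callers resolve relative paths first). */
static int shadow_path(const char *path, char *out, size_t n) {
    if (path[0] != '/' || !g_sandbox[0]) return -1;
    return snprintf(out, n, "%s%s", g_sandbox, path) < (int)n ? 0 : -1;
}

/* mkdir -p for every directory component above the shadow file. */
static int ensure_parent(const char *shadow) {
    char buf[PATH_MAX];
    snprintf(buf, sizeof buf, "%s", shadow);
    for (char *p = buf + 1; *p; p++) if (*p == '/') {
        *p = '\0';
        if (mkdir(buf, 0700) < 0 && errno != EEXIST) return -1;
        *p = '/';
    }
    return 0;
}

/* Copy-up: duplicate the real file into the sandbox before its first modification. */
static int copy_file(const char *src, const char *dst) {
    char buf[8192]; ssize_t n;
    int in = open(src, O_RDONLY), out, rc = 0;
    if (in < 0) return -1;
    if ((out = open(dst, O_WRONLY | O_CREAT | O_TRUNC, 0600)) < 0) { close(in); return -1; }
    while ((n = read(in, buf, sizeof buf)) > 0)
        if (write(out, buf, (size_t)n) != n) { rc = -1; break; }
    if (n < 0) rc = -1;
    close(in); close(out);
    return rc;
}

/* The policy an interposed open()/openat() applies in private mode: an already shadowed path is served
 * from the sandbox; read-only access to an unshadowed path reads through to the real file; any write
 * access copies the real file up and opens the copy. (unlink/rename would also need whiteouts; not modelled.) */
int ucog_open(const char *path, int flags, mode_t mode) {
    char shadow[PATH_MAX];
    struct stat st;
    int wants_write = (flags & O_ACCMODE) != O_RDONLY || (flags & (O_CREAT | O_TRUNC));
    if (shadow_path(path, shadow, sizeof shadow) < 0) { errno = EINVAL; return -1; }
    if (stat(shadow, &st) == 0) return open(shadow, flags, mode);
    if (!wants_write) return open(path, flags, mode);
    if (ensure_parent(shadow) < 0) return -1;
    if (!(flags & O_TRUNC) && access(path, F_OK) == 0 && copy_file(path, shadow) < 0) return -1;
    return open(shadow, flags | O_CREAT, mode ? mode : 0600);
}

/* End the session: destroy the whole sandbox tree so nothing written in private mode persists. */
static int rm_cb(const char *p, const struct stat *sb, int t, struct FTW *f) { (void)sb; (void)t; (void)f; return remove(p); }
int ucog_end(void) {
    int rc = nftw(g_sandbox, rm_cb, 16, FTW_DEPTH | FTW_PHYS);
    g_sandbox[0] = '\0'; return rc;
}

/* Read a small file from fd into buf as a C string and close fd; returns -1 on any failure. */
static ssize_t read_fd(int fd, char *buf, size_t n) {
    ssize_t got = fd < 0 ? -1 : read(fd, buf, n - 1);
    if (fd >= 0) close(fd);
    if (got >= 0) buf[got] = '\0';
    return got;
}

/* Constructed scenario: a throwaway "profile" holding history.db; 0 if every property holds, else the failed check. */
int ucog_selftest(void) {
    char profile[] = "/tmp/profile-XXXXXX", hist[PATH_MAX], cookies[PATH_MAX], sb[PATH_MAX], buf[256]; int fd;
    if (!mkdtemp(profile)) return 1;
    snprintf(hist, sizeof hist, "%s/history.db", profile);
    snprintf(cookies, sizeof cookies, "%s/cookies.sqlite", profile);
    if ((fd = open(hist, O_WRONLY | O_CREAT | O_TRUNC, 0600)) < 0 || write(fd, "public-history", 14) != 14 || close(fd)) return 2;
    if (ucog_begin("/tmp") < 0) return 3;
    snprintf(sb, sizeof sb, "%s", g_sandbox);
    /* 1. appending a visit copies history.db up; the browser then sees its own change... */
    if ((fd = ucog_open(hist, O_WRONLY | O_APPEND, 0)) < 0 || write(fd, ";private-visit", 14) != 14 || close(fd)) return 4;
    if (read_fd(ucog_open(hist, O_RDONLY, 0), buf, sizeof buf) < 0 || strcmp(buf, "public-history;private-visit")) return 5;
    /* 2. ...while the real profile on disk is untouched */
    if (read_fd(open(hist, O_RDONLY), buf, sizeof buf) < 0 || strcmp(buf, "public-history")) return 6;
    /* 3. a file created in private mode exists only inside the sandbox */
    if ((fd = ucog_open(cookies, O_WRONLY | O_CREAT | O_TRUNC, 0600)) < 0 || write(fd, "sid=1", 5) != 5 || close(fd)) return 7;
    if (access(cookies, F_OK) == 0) return 8;
    /* 4. ending the session wipes the sandbox, and the real profile never learns of the visit */
    if (ucog_end() < 0 || access(sb, F_OK) == 0) return 9;
    if (read_fd(open(hist, O_RDONLY), buf, sizeof buf) < 0 || strcmp(buf, "public-history")) return 10;
    unlink(hist); rmdir(profile); return 0;
}
```

Link it with a `main()` that calls `ucog_selftest()` (0 means every property held). In a real interposer the same three functions would sit behind an `LD_PRELOAD` or ptrace hook for the file system calls, so the browser and its extensions never need to know which mode they are in; that is what removes the scattered per-mode decision points the abstract criticises. Two caveats a practitioner should keep in mind: the sandbox is removed with ordinary `remove()` calls rather than securely wiped, so its contents may remain forensically recoverable on disk until overwritten, and traces that never touch the filesystem (DNS caches, swapped memory, network logs) are outside what a filesystem overlay can contain.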

Original language: English (US)
Title of host publication: CCS 2015 - Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security
Publisher: Association for Computing Machinery
Pages: 438-449
Number of pages: 12
ISBN (Electronic): 9781450338325
DOI: 10.1145/2810103.2813716
State: Published - Oct 12 2015
Event: 22nd ACM SIGSAC Conference on Computer and Communications Security, CCS 2015 - Denver, United States
Duration: Oct 12 2015 - Oct 16 2015

Publication series

Name: Proceedings of the ACM Conference on Computer and Communications Security
Volume: 2015-October
ISSN (Print): 1543-7221

Other

Other: 22nd ACM SIGSAC Conference on Computer and Communications Security, CCS 2015
Country: United States
City: Denver
Period: 10/12/15 - 10/16/15

Fingerprint

Linux

All Science Journal Classification (ASJC) codes

  • Software
  • Computer Networks and Communications

Cite this

Xu, M., Jang, Y., Xing, X., Kim, T., & Lee, W. (2015). UCognito: Private browsing without tears. In CCS 2015 - Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security (pp. 438-449). (Proceedings of the ACM Conference on Computer and Communications Security; Vol. 2015-October). Association for Computing Machinery. https://doi.org/10.1145/2810103.2813716
@inproceedings{1c7f703878cb44a2900ae67c45d54dc7,
title = "UCognito: Private browsing without tears",
abstract = "While private browsing is a standard feature, its implementation has been inconsistent among the major browsers. More seriously, it often fails to provide the adequate or even the intended privacy protection. For example, as shown in prior research, browser extensions and add-ons often undermine the goals of private browsing. In this paper, we first present our systematic study of private browsing. We developed a technical approach to identify browser traces left behind by a private browsing session, and showed that Chrome and Firefox do not correctly clear some of these traces. We analyzed the source code of these browsers and discovered that the current implementation approach is to decide the behaviors of a browser based on the current browsing mode (i.e., private or public); but such decision points are scattered throughout the code base. This implementation approach is very problematic because developers are prone to make mistakes given the complexities of browser components (including extensions and add-ons). Based on this observation, we propose a new and general approach to implement private browsing. The main idea is to overlay the actual filesystem with a sandbox filesystem when the browser is in private browsing mode, so that no unintended leakage is allowed and no persistent modification is stored. This approach requires no change to browsers and the OS kernel because the layered sandbox filesystem is implemented by interposing system calls. We have implemented a prototype system called UCognito on Linux. Our evaluations show that UCognito, when applied to Chrome and Firefox, stops all known privacy leaks identified by prior work and our current study. More importantly, UCognito incurs only negligible performance overhead: e.g., 0{\%}-2.5{\%} in benchmarks for standard JavaScript and webpage loading.",
author = "Meng Xu and Yeongjin Jang and Xinyu Xing and Taesoo Kim and Wenke Lee",
year = "2015",
month = "10",
day = "12",
doi = "10.1145/2810103.2813716",
language = "English (US)",
series = "Proceedings of the ACM Conference on Computer and Communications Security",
publisher = "Association for Computing Machinery",
pages = "438--449",
booktitle = "CCS 2015 - Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security",
}
