What Are You Searching For A Remote Keylogging

  • Slides: 17
Download presentation
What Are You Searching For? A Remote Keylogging Attack on Search Engine Autocomplete John

What Are You Searching For? A Remote Keylogging Attack on Search Engine Autocomplete John V. Monaco, Naval Postgraduate School USENIX Security 2019 Presenter: Tang Ke 2020/2/28 1

Search engine autocomplete • Search query: Packet capture: 2

Search engine autocomplete • Search query: Packet capture: 2

Attack overview • Predict search queries using only client traffic • Combine multiple independent

Attack overview • Predict search queries using only client traffic • Combine multiple independent weak predictors • • Escaped URL characters HTTP 2 header compression Key-press time intervals Natural language 3

Threat model • Capture encrypted traffic at the NIC • Victim types lowercase English

Threat model • Capture encrypted traffic at the NIC • Victim types lowercase English letters + Space • No typos/backspace • Autocomplete requests triggered by keydown events 4

Attack workflow Time (Packet trace) Keystroke detection Tokenization and are the 0. 2 0.

Attack workflow Time (Packet trace) Keystroke detection Tokenization and are the 0. 2 0. 1 0. 4 lazy onto that 0. 1 0. 3 the lazy dog the lazy fox and that dog cat dog fox Dictionary pruning 0. 3 0. 2 Word identification Beam search 5

Autocomplete GET requests 6

Autocomplete GET requests 6

Keystroke detection • Find the longest increasing subsequence (LIS) of packet sizes 7

Keystroke detection • Find the longest increasing subsequence (LIS) of packet sizes 7

Tokenization • Packet size difference • GET /complete/search? q=t&cp=1 • GET /complete/search? q=th&cp=2 +1

Tokenization • Packet size difference • GET /complete/search? q=t&cp=1 • GET /complete/search? q=th&cp=2 +1 • GET /complete/search? q=the&cp=3 +1 • GET /complete/search? q=the%20&cp=4 +3 • GET /complete/search? q=the%20 l&cp=5 +1 • GET /complete/search? q=the%20 la&cp=6 +1 • GET /complete/search? q=the%20 laz&cp=7 +1 • GET /complete/search? q=the%20 lazy&cp=8 +1 8

HPACK (HTTP 2 header compression) Static Huffman Encoding 9

HPACK (HTTP 2 header compression) Static Huffman Encoding 9

PETAL (Preset Encoding Table Information Leakage) 10

PETAL (Preset Encoding Table Information Leakage) 10

Incremental compression 11

Incremental compression 11

Dictionary pruning 12

Dictionary pruning 12

Word identification D Packet arrivals O Short G S Short Long Time • Use

Word identification D Packet arrivals O Short G S Short Long Time • Use a Bi. RNN to predict keys 13

Language model and beam search Which word comes next? > the lazy ____ 1)

Language model and beam search Which word comes next? > the lazy ____ 1) dog 2) car 3) hat 4) big Top 50 hypotheses: the lazy dog the blue car and some fox … how they run 14

Data collection and results • Data collect • • • Browser automation with Selenium

Data collection and results • Data collect • • • Browser automation with Selenium Replay keystrokes with uinput 4 k unique queries 2 search engines (Google, Baidu) 2 browsers (Chrome, Firefox) 16 k total queries recorded • Keystroke detection and tokenization accuracy • > 99% (Google and Baidu) • Example • Truth • he is recovering from a sprained • Good hypotheses • he is recovering from a sprained he is recovering from a strained • Bad hypotheses • to be president from a position is to learn from such a position • Top-50 classification accuracy (entire query is correct) • 15% (Google) • 13% (Baidu) 15

Conclusions • This attack has many of moving parts… • Several independent weak side

Conclusions • This attack has many of moving parts… • Several independent weak side channels combine to create a strong one • Language modeling is key • The predictability of human behavior is difficult to mask • Where else does incremental compression occur? • Thin clients/websites with autosave feature? • Mapping services (latitude/longitude changes incrementally)? 16

Thank you • Source code • kreep (keystroke recognition and entropy elimination program) https:

Thank you • Source code • kreep (keystroke recognition and entropy elimination program) https: //github. com/vmonaco/kreep • Contact the author • https: //vmonaco. com 17

TRUCONNECT REMOTE SERVICE REMOTE SERVICE REMOTE MONITORING REMOTETRUCONNECT REMOTE SERVICE REMOTE SERVICE REMOTE MONITORING REMOTE
TRUCONNECT REMOTE SERVICE REMOTE SERVICE REMOTE MONITORING REMOTETRUCONNECT REMOTE SERVICE REMOTE SERVICE REMOTE MONITORING REMOTE
Lab federated searching searching distributed data searching harvestedLab federated searching searching distributed data searching harvested
BAB 9 Searching Searching n n n SearchingBAB 9 Searching Searching n n n Searching
SEARCHING ARRAY Searching Searching adalah pencarian data denganSEARCHING ARRAY Searching Searching adalah pencarian data dengan
Searching Google Searching Google Advanced Search format SearchingSearching Google Searching Google Advanced Search format Searching
Searching Techniques Contents Definition searching Different Searching MethodsSearching Techniques Contents Definition searching Different Searching Methods
CSE 1341 Sorting Searching Searching Sorting Searching dataCSE 1341 Sorting Searching Searching Sorting Searching data
Searching Arrays ANSIC Searching Searching looking for somethingSearching Arrays ANSIC Searching Searching looking for something
Environmental Remote Sensing What is Remote Sensing RemoteEnvironmental Remote Sensing What is Remote Sensing Remote
Wireless Remote IO Wireless Remote IO Wireless RemoteWireless Remote IO Wireless Remote IO Wireless Remote
Remote Sensing What is Remote Sensing Remote meansRemote Sensing What is Remote Sensing Remote means
Remote Sensing What is Remote Sensing Remote meansRemote Sensing What is Remote Sensing Remote means
Advanced Searching Tips If you are searching fromAdvanced Searching Tips If you are searching from
Are You Remote Presented by 1 Remote AccessAre You Remote Presented by 1 Remote Access
Are You Remote Presented by 1 Remote AccessAre You Remote Presented by 1 Remote Access