Information Technology Reference
In-Depth Information
ifications essentially require the development of TCP/IP assembly and HTTP
parsing facilities comparable to those of a full-fledged web browser.
2.1 Naive Chaining
The first step of the Link Chaining technique is to naively match all response
URLs with all request URLs across all connections. A ”URL match” is defined
as a literal match between a URL in any response of one connection (e.g. in a
web page) and a URL in the first line of any request in another connection (e.g.
in a GET request). The complete set of URL matches can be represented as a
list of adjacencies (ordered pairs) forming one or more directed graphs, where
each node is a TCP connection.
Naive chaining identifies every single adjacency. This includes adjacencies
representing link traversals that never actually occurred. By including all adja-
cencies, naive chaining produces a set of comprehensive starting graphs for the
Link Chaining Attack. Many edges must be removed from these graphs before
individual user session fragments can be isolated.
2.2 Removing Impossible Adjacencies
In the second phase of Link Chaining, the impossible edges in the graphs are
removed. An edge is considered impossible if the link traversal it represents could
never happen. The TCP and HTTP protocol mechanisms impose structural and
temporal constraints on the traversal of links. Certain connections cannot be
chained because it would imply an impossible link traversal. Two impossibilities
are defined based on these constraints:
1. Connections Chained Backward in Time
2. URLs Chained Backward in Time
Each is discussed in turn.
Connections Chained Backward in Time.
When a page containing URL
pointers to other resources is downloaded, it is followed by a flurry of requests.
Some of these are due to the browser automatically requesting resources associ-
ated with the page, others are due to a user's clicking of a hyperlink. These are
implicit and explicit requests respectively. In terms of HTTP protocol specifica-
tion, no distinction is made between implicit and explicit requests.
If the requested resources are on the same server, and the web server and
browser are so configured, HTTP requests may be issued on the same, already
open TCP connection used to download the initial page. Otherwise, a new con-
nection is opened to issue the request. HTTP requests can also be sent on older
connections to the same server that are still open. This flexible connection reuse
policy is made possible by HTTP/1.1 [2], and it affords us only one temporal
constraint on the chaining of connections:
Constraint 1
: For any two TCP connections A and B, if B is closed
before A is opened, A cannot be chained to B.
