Fingerprinting Information in JavaScript Implementations
Keaton Mowery, Dillon Bogenreif, Scott Yilek, and Hovav Shacham
Thursday, May 26, 2011

Authentication
• Usernames and Passwords weakening
• Third-party data loss can compromise your user accounts

Extra Authentication
• Two-Factor Authentication
• Secure but inconvenient
• User Fingerprinting
• Geolocation
• Browser Metadata
• System Architecture
• Browser Environment

Fingerprinting for Good and Evil
• User Authentication
• Protect high-value accounts
• User Identification
• Deanonymize, track across sessions

Browser Metadata
• Examine and record browser family, version, and operating system
• If the configuration changes, check for account compromise
• Easy data to collect

Many Techniques for Browser Fingerprinting

Near Future
• NoScript Whitelist Fingerprinting
• JavaScript Performance Fingerprinting

Extension Verification
• Users customize browser behavior with extensions
• Previously-observed extension behavior provides an identity signal
• Sudden absence of extensions increases likelihood of account hijack

NoScript
• NoScript provides JavaScript policy
• Default Deny
• Whitelisted domains may execute code
• Whitelist contents are user-defined
• Radical changes may indicate account hijack
• Entries could reveal private information

Example NoScript Probe

    <html>
    <head>
    <script type="text/javascript"
            src="http://www.google.com/accounts/hosted/helpcenter/js/tooltips/TooltipLoader.js">
    </script>
    <script type="text/javascript">
      // The probe treats the global XML_STATUS_OKAY as evidence that
      // TooltipLoader.js was allowed to execute.
      if ("XML_STATUS_OKAY" in window) {
        // google.com can run JavaScript
      } else {
        // google.com cannot run JavaScript
      }
    </script>
    </head><body></body>
    </html>

At Scale
• Crawled Alexa Top 1,000 Domains
• Generated 689 whitelist probes
• Created test suite for all 689 domains
• 120s with NoScript disabled
• 23s with NoScript enabled

Near Future
• NoScript Whitelist Fingerprinting
• JavaScript Performance Fingerprinting

JavaScript Fingerprinting
• Fingerprint JavaScript performance
  1. Measure time to execute various JS snippets
  2. Normalize to build fingerprint vector
• Unforgeable
• Agnostic to JavaScript features

Snippet Selection
• Off-the-Shelf JavaScript Benchmarks
• 26 tests from SunSpider
• 9 tests from V8 Benchmark Suite
• 4 custom tests
• Benchmarks characterize browser performance

Browser Detection

Ask Everyone You Know
• Collected 1,015 data samples on Amazon Mechanical Turk
• JavaScript Fingerprint
• User reported:
  • Operating System
  • CPU Architecture, Speed, and Cores
  • RAM

Browser Classification
• 24 Major Browser Versions
• Chrome, Firefox, IE, Safari, Opera, SeaMonkey
• Generated characteristic fingerprint for each
• 79.8% accuracy on all 1,015 samples
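
The two fingerprinting steps and the classification step above, applied to the account-protection use case, as an added example (not code from the talk or from the authors' tooling). It assumes "normalize" means scaling the timing vector to unit length and that a sample is assigned to the nearest characteristic fingerprint by Euclidean distance; the timings and the browserA/browserB labels are constructed.

```javascript
// Added example; all timings below are constructed, not measured.
// Assumption: "normalize" means scaling the timing vector to unit length.
function normalize(times) {
  const norm = Math.hypot(...times);
  if (!(norm > 0)) throw new Error("empty or all-zero timing vector");
  return times.map((t) => t / norm);
}

function distance(a, b) {
  if (a.length !== b.length) throw new Error("vector length mismatch");
  return Math.hypot(...a.map((x, i) => x - b[i]));
}

// Characteristic fingerprint of one browser: mean of its normalized samples.
function characteristic(samples) {
  const vecs = samples.map(normalize);
  const mean = vecs[0].map((_, i) => vecs.reduce((s, v) => s + v[i], 0) / vecs.length);
  return normalize(mean);
}

// Assumption: classification picks the nearest characteristic fingerprint.
function classify(times, profiles) {
  const v = normalize(times);
  let best = null;
  for (const [label, ref] of Object.entries(profiles)) {
    const d = distance(v, ref);
    if (best === null || d < best.distance) best = { label, distance: d };
  }
  return best;
}

// Authentication use: does this login still look like the enrolled browser?
function loginLooksFamiliar(times, enrolledLabel, profiles) {
  return classify(times, profiles).label === enrolledLabel;
}

// Constructed timings (ms) for four hypothetical snippets.
const profiles = {
  browserA: characteristic([[120, 40, 300, 80], [126, 42, 310, 78]]),
  browserB: characteristic([[90, 150, 110, 60], [95, 140, 118, 64]]),
};
const enrolled = [118, 41, 295, 82];          // returning user on browser A
const slowerCpu = enrolled.map((t) => t * 2); // same browser, half-speed machine
const otherEngine = [92, 146, 112, 61];       // login from a different engine
```

Normalization removes uniform speed differences between machines, so `slowerCpu` yields the same vector as `enrolled`, while `otherEngine` fails the familiarity check and would trigger the step-up verification the talk motivates.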

Chrome Versioning
• Over 85% of misclassifications
• Chrome 6.0 to Chrome 11.0 in 7+ months

                6.0    7.0    8.0    9.0    10.0   11.0
    Chrome 6.0   -     0.18   0.19   0.17   0.25   0.25
    Chrome 7.0  0.18    -     0.09   0.16   0.25   0.24
    Chrome 8.0  0.19   0.09    -     0.17   0.27   0.26
    Chrome 9.0  0.17   0.16   0.17    -     0.17   0.18
    Chrome 10.0 0.25   0.25   0.27   0.17    -     0.09
    Chrome 11.0 0.25   0.24   0.26   0.18   0.09    -

Operating System Detection
• Small effect on fingerprints
• Examined 403 Firefox 3.6 samples
• Windows: 98.5% correct
• OS X: 100% correct
• Linux: 25% correct

Processor Architecture Detection
• Unavailable through JavaScript APIs
• JITs expose low-level behavior
• 15 processor architectures
• Core 2, Pentium Dual Core, Pentium 4, Athlon 64...
• 45.3% accuracy

Conclusions
• NoScript Whitelist Fingerprinting
• Extensions can be fingerprinted
• User-defined state can be extracted
• JavaScript Performance Fingerprinting
• Proof-of-concept based on JS benchmarks
• Browser, OS, and Architecture detection
• Unforgeable fingerprint

Thank You! Questions?