fingerprinting information in javascript implementations
play

Fingerprinting Information in JavaScript Implementations Keaton - PowerPoint PPT Presentation

Sep 16, 2022 •420 likes •684 views

Fingerprinting Information in JavaScript Implementations Keaton Mowery, Dillon Bogenreif, Scott Yilek, and Hovav Shacham Thursday, May 26, 2011 Authentication Usernames and Passwords weakening Third-party data loss can compromise

  1. Fingerprinting Information in JavaScript Implementations Keaton Mowery, Dillon Bogenreif, Scott Yilek, and Hovav Shacham Thursday, May 26, 2011

  2. Authentication • Usernames and Passwords weakening • Third-party data loss can compromise your user accounts Thursday, May 26, 2011

  3. Extra Authentication • Two-Factor Authentication • Secure but inconvenient • User Fingerprinting • Geolocation • Browser Metadata • System Architecture • Browser Environment Thursday, May 26, 2011

  4. Fingerprinting for Good and Evil • User Authentication • Protect high-value accounts • User Identification • Deanonymize, track across sessions Thursday, May 26, 2011

  5. Browser Metadata • Examine and record browser family, version, and operating system • If the configuration changes, check for account compromise • Easy data to collect Thursday, May 26, 2011

  6. Many Techniques for Browser Fingerprinting Thursday, May 26, 2011

  7. Near Future NoScript Whitelist Fingerprinting JavaScript Performance Fingerprinting Thursday, May 26, 2011

  8. Near Future NoScript Whitelist Fingerprinting JavaScript Performance Fingerprinting Thursday, May 26, 2011

  9. Extension Verification • Users customize browser behavior with extensions • Previously-observed extension behavior provides an identity signal • Sudden absence of extensions increases likelihood of account hijack Thursday, May 26, 2011

  10. NoScript • NoScript provides JavaScript policy • Default Deny • Whitelisted domains may execute code • Whitelist contents are user-defined • Radical changes may indicate account hijack • Entries could reveal private information Thursday, May 26, 2011

  11. Example NoScript Probe <html> <head> <script type="text/javascript" src="http://www.google.com/accounts/hosted/helpcenter/ js/tooltips/TooltipLoader.js"> </script> <script type="text/javascript"> if ("XML_STATUS_OKAY" in window) { // google.com can run JavaScript } else { // google.com cannot run JavaScript } </script> </head><body></body> </html> Thursday, May 26, 2011

  12. Example NoScript Probe <html> <head> <script type="text/javascript" src="http://www.google.com/accounts/hosted/helpcenter/ js/tooltips/TooltipLoader.js"> </script> <script type="text/javascript"> if ("XML_STATUS_OKAY" in window) { // google.com can run JavaScript } else { // google.com cannot run JavaScript } </script> </head><body></body> </html> Thursday, May 26, 2011

  13. Example NoScript Probe <html> <head> <script type="text/javascript" src="http://www.google.com/accounts/hosted/helpcenter/ js/tooltips/TooltipLoader.js"> </script> <script type="text/javascript"> if ("XML_STATUS_OKAY" in window) { // google.com can run JavaScript } else { // google.com cannot run JavaScript } </script> </head><body></body> </html> Thursday, May 26, 2011

  14. At Scale • Crawled Alexa Top 1,000 Domains • Generated 689 whitelist probes • Created test suite for all 689 domains • 120s with NoScript disabled • 23s with NoScript enabled Thursday, May 26, 2011

  15. Near Future NoScript Whitelist Fingerprinting JavaScript Performance Fingerprinting Thursday, May 26, 2011

  16. Near Future NoScript Whitelist Fingerprinting JavaScript Performance Fingerprinting Thursday, May 26, 2011

  17. JavaScript Fingerprinting • Fingerprint JavaScript performance 1. Measure time to execute various JS snippets 2. Normalize to build fingerprint vector • Unforgeable • Agnostic to JavaScript features Thursday, May 26, 2011

  18. Snippet Selection • Off-the-Shelf JavaScript Benchmarks • 26 tests from SunSpider • 9 tests from V8 Benchmark Suite • 4 custom tests • Benchmarks characterize browser performance Thursday, May 26, 2011

  19. Browser Detection Thursday, May 26, 2011

  20. Ask Everyone You Know • Collected 1,015 data samples on Amazon Mechanical Turk • JavaScript Fingerprint • User reported: • Operating System • CPU Architecture, Speed, and Cores • RAM Thursday, May 26, 2011

  21. Browser Classification • 24 Major Browser Versions • Chrome, Firefox, IE, Safari, Opera, SeaMonkey • Generated characteristic fingerprint for each • 79.8% accuracy on all 1,015 samples Thursday, May 26, 2011

  22. Chrome Versioning • Over 85% of misclassifications • Chrome 6.0 to Chrome 11.0 in 7+ months 6.0 7.0 8.0 9.0 10.0 11.0 Chrome 6.0 - 0.18 0.19 0.17 0.25 0.25 Chrome 7.0 0.18 - 0.09 0.16 0.25 0.24 Chrome 8.0 0.19 0.09 - 0.17 0.27 0.26 Chrome 9.0 0.17 0.16 0.17 - 0.17 0.18 Chrome 10.0 0.25 0.25 0.27 0.17 - 0.09 Chrome 11.0 0.25 0.24 0.26 0.18 0.09 - Thursday, May 26, 2011

  23. Operating System Detection • Small effect on fingerprints • Examined 403 Firefox 3.6 samples • Windows: 98.5% correct • OS X: 100% correct • Linux: 25% correct Thursday, May 26, 2011

  24. Processor Architecture Detection • Unavailable through JavaScript APIs • JITs expose low-level behavior • 15 processor architectures • Core 2, Pentium Dual Core, Pentium 4, Athlon 64... • 45.3% accuracy Thursday, May 26, 2011

  25. Conclusions • NoScript Whitelist Fingerprinting • Extensions can be fingerprinted • User-defined state can be extracted • JavaScript Performance Fingerprinting • Proof-of-concept based on JS benchmarks • Browser, OS, and Architecture detection • Unforgable fingerprint Thursday, May 26, 2011

  26. Thank You! Questions? Thursday, May 26, 2011

Recommend

Fast and efficient Browser Identification with JavaScript Engine Fingerprinting Martin Mulazzani ,

Fast and efficient Browser Identification with JavaScript Engine Fingerprinting Martin Mulazzani ,

Fast and efficient Browser Identification with JavaScript Engine Fingerprinting Martin Mulazzani , Philipp Reschl, Manuel Leithner, Markus Huber, Edgar Weippl SBA Research Vienna, Austria Outline Motivation &amp; Background JavaScript Engine

539 views • 33 slides
Detection of Browser Fingerprinting by Static JavaScript Code Classification Sjors Haanen &amp;

Detection of Browser Fingerprinting by Static JavaScript Code Classification Sjors Haanen &amp;

Detection of Browser Fingerprinting by Static JavaScript Code Classification Sjors Haanen &amp; Tim van Zalingen UvA February 6, 2018 Supervisors (KPMG): Aidan Barrington &amp; Ruben de Vries Research Project 82 Sjors Haanen &amp; Tim van

331 views • 30 slides
k -fingerprinting: a Robust Scalable Website Fingerprinting Technique George Danezis Jamie Hayes

k -fingerprinting: a Robust Scalable Website Fingerprinting Technique George Danezis Jamie Hayes

k -fingerprinting: a Robust Scalable Website Fingerprinting Technique George Danezis Jamie Hayes University College London August 12, 2016 1/24 How does website fingerprinting work? - Training Tor network Relay 2 Adversary Relay 1

988 views • 24 slides
JavaScript Primer Basic Introduction of JavaScript JavaScript History Why (re)introduce

JavaScript Primer Basic Introduction of JavaScript JavaScript History Why (re)introduce

JavaScript Primer Basic Introduction of JavaScript JavaScript History Why (re)introduce JavaScript? Notorious for being worlds most misunderstood programming language o (Douglas Crockford -

432 views • 11 slides
Introduction to JavaScript Niels Olof Bouvin 2 Overview A brief history of JavaScript and

Introduction to JavaScript Niels Olof Bouvin 2 Overview A brief history of JavaScript and

Introduction to JavaScript Niels Olof Bouvin 2 Overview A brief history of JavaScript and ECMAScript JavaScript for Java developers The JavaScript ecosystem Getting access to JavaScript Some language basics A look at the Node.js standard

1.03k views • 54 slides
Introduction to JavaScript Niels Olof Bouvin 1 Overview A brief history of JavaScript and

Introduction to JavaScript Niels Olof Bouvin 1 Overview A brief history of JavaScript and

Introduction to JavaScript Niels Olof Bouvin 1 Overview A brief history of JavaScript and ECMAScript JavaScript for Java developers The JavaScript ecosystem Getting access to JavaScript Some language basics A look at the Node.js standard

1.1k views • 57 slides
CE419 Session 5: JavaScript Web Programming 1 What is JavaScript? JavaScript is a dynamic

CE419 Session 5: JavaScript Web Programming 1 What is JavaScript? JavaScript is a dynamic

CE419 Session 5: JavaScript Web Programming 1 What is JavaScript? JavaScript is a dynamic programming language. Introduced in 1995 as a way to add programs to web pages in the Netscape Navigator browser. It has made modern web

795 views • 35 slides
Verifying Security Protocols and their Implementations Information Security and Cryptography

Verifying Security Protocols and their Implementations Information Security and Cryptography

Verifying Security Protocols and their Implementations Information Security and Cryptography Reading Group Presenter: C t lin Hri cu References Verified Interoperable Implementations of Security Protocols. Karthikeyan Bhargavan,

922 views • 70 slides
CO 447 | LEC6 BLOCKCHAIN SECURITY Dr. Benjamin Livshits Stateless Fingerprinting 2 EFF

CO 447 | LEC6 BLOCKCHAIN SECURITY Dr. Benjamin Livshits Stateless Fingerprinting 2 EFF

CO 447 | LEC6 BLOCKCHAIN SECURITY Dr. Benjamin Livshits Stateless Fingerprinting 2 EFF Fingerprinting Tester https://panopticlick.eff.org 3 Panopticlick Testing 4 IE Brave Fingerprinting Components 5

1.28k views • 78 slides
JavaScript: The Good Parts vs. JavaScript: The Definitive Guide CS 252: Advanced Programming

JavaScript: The Good Parts vs. JavaScript: The Definitive Guide CS 252: Advanced Programming

JavaScript: The Good Parts vs. JavaScript: The Definitive Guide CS 252: Advanced Programming Language Principles Introduction to JavaScript Prof. Tom Austin San Jos State University History of JavaScript In 1995, Netscape hired Brendan

395 views • 16 slides
Acoustic Fingerprinting Soundz Jake Runzer June 28, 2018 Jake Runzer Acoustic Fingerprinting

Acoustic Fingerprinting Soundz Jake Runzer June 28, 2018 Jake Runzer Acoustic Fingerprinting

Acoustic Fingerprinting Soundz Jake Runzer June 28, 2018 Jake Runzer Acoustic Fingerprinting June 28, 2018 1 / 35 Outline What is Acoustic Fingerprinting 1 Fingerprinting for Music Identification 2 Spectrograms 3 History 4 My

743 views • 35 slides
Advanced JavaScript dates JavaScript timing events JavaScript Lars Larsson cookies Graceful

Advanced JavaScript dates JavaScript timing events JavaScript Lars Larsson cookies Graceful

Advanced JavaScript Lars Larsson Today JavaScript strings JavaScript Advanced JavaScript dates JavaScript timing events JavaScript Lars Larsson cookies Graceful degradation AJAX Summary Lecture #11 Advanced JavaScript 1

831 views • 38 slides
Fingerprinting hardware devices Fingerprinting hardware devices using clock-skewing using

Fingerprinting hardware devices Fingerprinting hardware devices using clock-skewing using

Fingerprinting hardware devices Fingerprinting hardware devices using clock-skewing using clock-skewing Renaud Lifchitz renaud.lifchitz@gmail.com #HES2010 8,9,10 April 2010 Paris, France Presenter's bio French computer security

644 views • 35 slides
JavaScript Concepts JavaScript is pretty hard to escape if you want to do anything for the web C

JavaScript Concepts JavaScript is pretty hard to escape if you want to do anything for the web C

JavaScript Concepts JavaScript is pretty hard to escape if you want to do anything for the web C of the Internet Take JavaScript for instance. It's widely criticized in the POPL community for getting many things wrong. But it must have

655 views • 44 slides
Game Development In JavaScript First Impressions Javascript Designed for web application

Game Development In JavaScript First Impressions Javascript Designed for web application

Game Development In JavaScript First Impressions Javascript Designed for web application Had a rough childhood Very misunderstood Performance difference across browsers Benchmark Pros/Cons JavaScript: WebGL &amp; Canvas

939 views • 18 slides
J AVA S CRIPT JavaScript is the programming language of HTML and the Web. JavaScript

J AVA S CRIPT JavaScript is the programming language of HTML and the Web. JavaScript

J AVA S CRIPT JavaScript is the programming language of HTML and the Web. JavaScript Java JavaScript is interpreted by the browser JavaScript 1/15 JS W HERE T O &lt;!DOCTYPE html&gt; &lt;html&gt; &lt;head&gt; &lt;script

591 views • 15 slides
Threshold Implementations Svetla Nikova Threshold Implementations A provably secure

Threshold Implementations Svetla Nikova Threshold Implementations A provably secure

Threshold Implementations Svetla Nikova Threshold Implementations A provably secure countermeasure Against (first) order power analysis based on multi party computation and secret sharing 2 Outline Threshold Implementations

990 views • 58 slides
TESTING JAVASCRIPT BUILDING JAVASCRIPT APPLICATIONS YOU WON'T HATE 1/45 Testing Javascript

TESTING JAVASCRIPT BUILDING JAVASCRIPT APPLICATIONS YOU WON'T HATE 1/45 Testing Javascript

TESTING JAVASCRIPT BUILDING JAVASCRIPT APPLICATIONS YOU WON'T HATE 1/45 Testing Javascript Called Testing JS but really about embracing the front end Classic JS meme about &quot;this&quot; This tweet could have ended half way through and

844 views • 45 slides
Web server reconnaissance Reconnaissance and fingerprinting Finding information about a target

Web server reconnaissance Reconnaissance and fingerprinting Finding information about a target

Web server reconnaissance Reconnaissance and fingerprinting Finding information about a target web server/web site May be illegal to perform reconnaissance on a web server and web site without prior approval/permission. Simulate via

290 views • 15 slides
JavaScript: The Good Parts vs. JavaScript: The Definitive Guide For next class, read

JavaScript: The Good Parts vs. JavaScript: The Definitive Guide For next class, read

JavaScript: The Good Parts vs. JavaScript: The Definitive Guide For next class, read http://eloquentjavascript.net/ chapters 1-4. CS 152: Programming Language Paradigms JavaScript Prof. Tom Austin San Jos State University History of

550 views • 17 slides
Blind Elephant: Web Application Fingerprinting &amp; Vulnerability Inferencing Patrick Thomas

Blind Elephant: Web Application Fingerprinting &amp; Vulnerability Inferencing Patrick Thomas

Blind Elephant: Web Application Fingerprinting &amp; Vulnerability Inferencing Patrick Thomas Qualys 7/28/10 Outline Web Apps &amp; Security Existing Fingerprinting Approaches Static File Approach Observations From A Net Survey

832 views • 69 slides
What is TypeScript? TypeScript = JavaScript TypeScript = Modern JavaScript TypeScript = Modern

What is TypeScript? TypeScript = JavaScript TypeScript = Modern JavaScript TypeScript = Modern

What is TypeScript? TypeScript = JavaScript TypeScript = Modern JavaScript TypeScript = Modern JavaScript + Types Open source and open development Closely track ECMAScript standard Innovate in type system Best of breed tooling Continuously

909 views • 53 slides
Javascript Concepts for OO-Programmers 11) Javascript Concepts Objects for OO-Programmers

Javascript Concepts for OO-Programmers 11) Javascript Concepts Objects for OO-Programmers

Javascript Concepts for OO-Programmers 11) Javascript Concepts Objects for OO-Programmers JavaScript Object Notation (JSON) Using JSON instead of AJAX Constructors Emmanuel Benoist Prototypes Reflexion Fall Term 2013-14 Methods and

103 views • 9 slides
CSc 337 LECTURE 7: UNOBTRUSIVE JAVASCRIPT Unobtrusive JavaScript JavaScript event code seen

CSc 337 LECTURE 7: UNOBTRUSIVE JAVASCRIPT Unobtrusive JavaScript JavaScript event code seen

CSc 337 LECTURE 7: UNOBTRUSIVE JAVASCRIPT Unobtrusive JavaScript JavaScript event code seen previously was obtrusive , in the HTML; this is bad style now we'll see how to write unobtrusive JavaScript code HTML with no JavaScript code

877 views • 30 slides

More recommend