
Fingerprinting Information in JavaScript Implementations



  1. Fingerprinting Information in JavaScript Implementations Keaton Mowery, Dillon Bogenreif, Scott Yilek, and Hovav Shacham Thursday, May 26, 2011

  2. Authentication
     • Usernames and Passwords weakening
     • Third-party data loss can compromise your user accounts

  3. Extra Authentication
     • Two-Factor Authentication
     • Secure but inconvenient
     • User Fingerprinting
     • Geolocation
     • Browser Metadata
     • System Architecture
     • Browser Environment

  4. Fingerprinting for Good and Evil
     • User Authentication
     • Protect high-value accounts
     • User Identification
     • Deanonymize, track across sessions

  5. Browser Metadata
     • Examine and record browser family, version, and operating system
     • If the configuration changes, check for account compromise
     • Easy data to collect

  6. Many Techniques for Browser Fingerprinting

  7. Near Future
     • NoScript Whitelist Fingerprinting
     • JavaScript Performance Fingerprinting


  9. Extension Verification
     • Users customize browser behavior with extensions
     • Previously-observed extension behavior provides an identity signal
     • Sudden absence of extensions increases likelihood of account hijack

  10. NoScript
      • NoScript provides JavaScript policy
      • Default Deny
      • Whitelisted domains may execute code
      • Whitelist contents are user-defined
      • Radical changes may indicate account hijack
      • Entries could reveal private information

  11. Example NoScript Probe

        <html>
        <head>
          <script type="text/javascript"
                  src="http://www.google.com/accounts/hosted/helpcenter/js/tooltips/TooltipLoader.js">
          </script>
          <script type="text/javascript">
            if ("XML_STATUS_OKAY" in window) {
              // google.com can run JavaScript
            } else {
              // google.com cannot run JavaScript
            }
          </script>
        </head><body></body>
        </html>


  14. At Scale
      • Crawled Alexa Top 1,000 Domains
      • Generated 689 whitelist probes
      • Created test suite for all 689 domains
      • 120s with NoScript disabled
      • 23s with NoScript enabled

  15. Near Future
      • NoScript Whitelist Fingerprinting
      • JavaScript Performance Fingerprinting


  17. JavaScript Fingerprinting
      • Fingerprint JavaScript performance
        1. Measure time to execute various JS snippets
        2. Normalize to build fingerprint vector
      • Unforgeable
      • Agnostic to JavaScript features

  18. Snippet Selection
      • Off-the-Shelf JavaScript Benchmarks
      • 26 tests from SunSpider
      • 9 tests from V8 Benchmark Suite
      • 4 custom tests
      • Benchmarks characterize browser performance

  19. Browser Detection

  20. Ask Everyone You Know
      • Collected 1,015 data samples on Amazon Mechanical Turk
      • JavaScript Fingerprint
      • User reported:
      • Operating System
      • CPU Architecture, Speed, and Cores
      • RAM

  21. Browser Classification
      • 24 Major Browser Versions
      • Chrome, Firefox, IE, Safari, Opera, SeaMonkey
      • Generated characteristic fingerprint for each
      • 79.8% accuracy on all 1,015 samples
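
The measure, normalize and classify steps from slides 17 and 21, sketched as an added example that is not code from the talk or the paper, used here as the login-time check slide 5 describes. Unit-length normalization, Euclidean distance, the nearest-profile rule, the browser labels and every timing value are assumptions constructed for illustration.

```javascript
// Added example; every timing below is constructed, not measured data from the talk.

// Scale per-test run times (ms) to unit length so raw machine speed cancels out
// and only the relative cost of each test remains (this normalization is an assumption).
function normalize(timings) {
  if (timings.length === 0 || timings.some((t) => !(t >= 0) || !Number.isFinite(t))) {
    throw new RangeError("timings must be finite, non-negative numbers");
  }
  const norm = Math.hypot(...timings);
  if (norm === 0) throw new RangeError("all-zero timing vector");
  return timings.map((t) => t / norm);
}

// Euclidean distance between two fingerprint vectors of equal length.
function distance(a, b) {
  if (a.length !== b.length) throw new RangeError("vector length mismatch");
  return Math.hypot(...a.map((x, i) => x - b[i]));
}

// Characteristic fingerprint of one browser: mean of its normalized samples.
function characteristic(samples) {
  const unit = samples.map(normalize);
  const mean = unit[0].map((_, i) => unit.reduce((s, v) => s + v[i], 0) / unit.length);
  return normalize(mean);
}

// Nearest characteristic fingerprint to a fresh measurement.
function classify(timings, profiles) {
  const probe = normalize(timings);
  return Object.entries(profiles)
    .map(([label, fp]) => ({ label, distance: distance(probe, fp) }))
    .reduce((best, c) => (c.distance < best.distance ? c : best));
}

// Login-time signal: ask for a second factor when the measured browser
// no longer matches the one recorded for the account.
function checkLogin(enrolledLabel, timings, profiles) {
  const nearest = classify(timings, profiles);
  return { nearest, stepUp: nearest.label !== enrolledLabel };
}

// Constructed samples: four tests, two hypothetical browsers, machines of different speed.
const PROFILES = {
  browserA: characteristic([[100, 200, 50, 400], [210, 390, 105, 800]]),
  browserB: characteristic([[100, 80, 300, 150], [50, 42, 148, 77]]),
};
```
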

  22. Chrome Versioning
      • Over 85% of misclassifications
      • Chrome 6.0 to Chrome 11.0 in 7+ months

                      6.0    7.0    8.0    9.0    10.0   11.0
      Chrome 6.0      -      0.18   0.19   0.17   0.25   0.25
      Chrome 7.0      0.18   -      0.09   0.16   0.25   0.24
      Chrome 8.0      0.19   0.09   -      0.17   0.27   0.26
      Chrome 9.0      0.17   0.16   0.17   -      0.17   0.18
      Chrome 10.0     0.25   0.25   0.27   0.17   -      0.09
      Chrome 11.0     0.25   0.24   0.26   0.18   0.09   -

  23. Operating System Detection
      • Small effect on fingerprints
      • Examined 403 Firefox 3.6 samples
      • Windows: 98.5% correct
      • OS X: 100% correct
      • Linux: 25% correct

  24. Processor Architecture Detection
      • Unavailable through JavaScript APIs
      • JITs expose low-level behavior
      • 15 processor architectures
      • Core 2, Pentium Dual Core, Pentium 4, Athlon 64...
      • 45.3% accuracy

  25. Conclusions
      • NoScript Whitelist Fingerprinting
      • Extensions can be fingerprinted
      • User-defined state can be extracted
      • JavaScript Performance Fingerprinting
      • Proof-of-concept based on JS benchmarks
      • Browser, OS, and Architecture detection
      • Unforgeable fingerprint

  26. Thank You! Questions?
