fprandom randomizing
play

FPRandom: Randomizing core browser objects to break advanced device - PowerPoint PPT Presentation

Feb 03, 2024 •25 likes •245 views

FPRandom: Randomizing core browser objects to break advanced device fingerprinting techniques Pierre Laperdrix, Benoit Baudry, Vikas Mishra Outline 1) What is fingerprint-based tracking? 2) Randomizing core browser objects a. Generating

  1. FPRandom: Randomizing core browser objects to break advanced device fingerprinting techniques Pierre Laperdrix, Benoit Baudry, Vikas Mishra

  2. Outline 1) What is fingerprint-based tracking? 2) Randomizing core browser objects a. Generating instability b. Example n ° 1: Ordering of JavaScript properties c. Example n ° 2: Canvas fingerprinting 3) Evaluation and conclusion 2/22

  3. 3/22

  4. AmIUnique.org • Launched in November 2014 • 400,000+ fingerprints collected so far 4/22

  5. Example of a fingerprint Attribute Value User agent Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:54.0) Gecko/20100101 Firefox/54.0 HTTP headers text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 gzip, deflate, br en-US,en;q=0.5 Plugins Plugin 1: QuickTime Plug-in 7.6.6; libtotem-narrowspace-plugin.so; Plugin 2: Shockwave Flash 26.0 r0; libflashplayer.so Fonts Century Schoolbook, Source Sans Pro Light, DejaVu Sans Mono, Bitstream Vera Serif, URW Palladio L, Bitstream Vera Sans Mono, Bitstream Vera Sans, ... Platform Linux x86_64 Screen resolution 1920x1080x24 Timezone -480 (UTC+8) OS Linux 4.11.5-200.fc25.x86_64 WebGL vendor NVIDIA Corporation WebGL renderer GeForce GTX 650 Ti/PCIe/SSE2 Canvas 5/22

  6. Can we be tracked? • 94.2% of collected Browser Screen fingerprints are resolution unique (2010) OS • 89.4% of collected Fonts fingerprints are unique (2016) • Smartphones are Timezone also prone to Plugins fingerprinting 6/22

  7. Outline 1) What is fingerprint-based tracking? 2) Randomizing core browser objects a. Generating instability b. Example n ° 1: Ordering of JavaScript properties c. Example n ° 2: Canvas fingerprinting 3) Evaluation and conclusion 7/22

  8. Proposed defense: making attributes unstable for tracking • Most attributes in a fingerprint are predictable and do not drastically change over time • Normal evolution behavior • Desired evolution behavior How? 8/22

  9. Creation of multiple execution paths Result n ° 1 Result n ° 2 Result n ° 3 Result n ° 4 Parameters Result n ° 5 Execution Result n ° 6 path Result n ° 7 Result n ° 8 Result n ° 9 Execution path 9/22

  10. Two approaches 1. Remove the determinism of specific browser functions Production of different results 2. Alter the rendering of multimedia elements Production of different renderings 10/22

  11. Example n ° 1: Ordering of JavaScript properties • Special JavaScript objects have their own enumeration order. • Navigator object • Firefox “ vibrate;javaEnabled;getGamepads;mozGetUserMedia;requestMediaKeySystemAccess;regist erProtocolHandler;registerContentHandler;taintEnabled;permissions;mimeTypes;plugins;doN otTrack;oscpu;vendor;vendorSub;productSub[…]” • Chrome “vendorSub;productSub;vendor;maxTouchPoints;hardwareConcurrency;cookieEnabled;appCo deName;appName;appVersion;platform;product;userAgent;language;languages;onLine;doNo tTrack;geolocation;mediaDevices;plugins[…]” Browser can be unmasked 11/22

  12. Example n ° 1: Ordering of JavaScript properties • The JavaScript language follows the ECMAScript specification. • Section 13.7.5.15 “mechanics and order of enumerating the properties is not specified” Provide protection by randomizing the enumeration order 12/22

  13. Example n ° 1: Ordering of JavaScript properties • First change  We activate the “JS_MORE_DETERMINISTIC” flag. Latin-1 Character Code point Result 1 2 3 4 ‘a’ 97 a p p V e r s i o n 0 1 ‘a’ 97 ‘p’ 112 3 0 2 ‘p’ 112 a p p N a m e appVersion > ‘V’ 86 4 8 appName ‘N’ 78 13/22

  14. Example n ° 1: Ordering of JavaScript properties • Second change  We change the string comparison function. Latin-1 Character Code point Result 1 2 3 4 appVersion > ‘V’ 86 a p p V e r s i o n 4 8 appName ‘N’ 78 a p p N a m e Random Boolean: Yes or No 14/22

  15. Example n ° 1: Ordering of JavaScript properties • Generation of a Boolean for every possible combination of the Latin-1 character set • Creation of a random enumeration order for each session Prevent trackers from using this technique by creating unstable orders 15/22

  16. Example n ° 2: Canvas fingerprinting • Canvas API to draw shapes and render strings • Depends on both hardware and software Send JavaScript script Receive canvas result 16/22

  17. Example n ° 2: Canvas fingerprinting 1 2 3 17/22

  18. Example n ° 2: Canvas fingerprinting • Two changes  Apply very small modifications when parsing a new color canvas.Context.fillStyle = “rgba(102, 204, 0, 0.7)” ; “rgba(103, 203, 0, 0.7)” ;  Chose a random font canvas.Context.font = “18pt Arial” ; “18pt Times New Roman” ; 18/22

  19. Example n ° 2: Canvas fingerprinting Prevent trackers from using this technique by creating random canvas renderings 19/22

  20. Outline 1) What is fingerprint-based tracking? 2) Randomizing core browser objects a. Generating instability b. Example n ° 1: Ordering of JavaScript properties c. Example n ° 2: Canvas fingerprinting 3) Evaluation and conclusion 20/22

  21. Evaluation • 25% increase in execution time for modified functions • User study  Very small impact on the user experience  Improvements needed on the selection of fonts • Crawl of the top 1,000 Alexa websites  No visible breakage  No noticeable change in loading times 21/22

  22. Conclusion • With FPRandom, we break the stability of the following attributes: the enumeration order of special JS objects, Canvas fingerprinting and AudioContext fingerprinting. • Two different approaches  Remove the determinism of specific browser functions by exploiting the JavaScript specification  Alter the rendering of multimedia elements • Future work: modify additional APIs to preemptively improve user’s privacy 22/22

Recommend

RANDOMIZING AND RANDOMIZING AND AUTOMATING ASSESSMENT AUTOMATING ASSESSMENT WITH R WITH R exams

RANDOMIZING AND RANDOMIZING AND AUTOMATING ASSESSMENT AUTOMATING ASSESSMENT WITH R WITH R exams

RANDOMIZING AND RANDOMIZING AND AUTOMATING ASSESSMENT AUTOMATING ASSESSMENT WITH R WITH R exams exams 1 THE THE exams exams PACKAGE PACKAGE by @AchimZeileis and others, Statistics, Universitt Innsbruck www.r-exams.org latest release

379 views • 14 slides
Detecting Network Effects Randomizing Over Randomized Experiments Martin Saveski (@msaveski)

Detecting Network Effects Randomizing Over Randomized Experiments Martin Saveski (@msaveski)

Detecting Network Effects Randomizing Over Randomized Experiments Martin Saveski (@msaveski) MIT Detecting Network Effects Randomizing Over Randomized Experiments Guillaume Saint Jacques Martin Saveski Jean Pouget-Abadie MIT MIT

1.16k views • 89 slides
Binary Stirring: Self-randomizing Instruction Addresses of Legacy x86 Binary Code Papadaki

Binary Stirring: Self-randomizing Instruction Addresses of Legacy x86 Binary Code Papadaki

University of Crete Computer Science Department CS457 Introduction to Information Systems Security Binary Stirring: Self-randomizing Instruction Addresses of Legacy x86 Binary Code Papadaki Eleni 872 Rigakis Nikolaos 2422

513 views • 22 slides
Random write is still slow at SSD 1200 random write (4KB) 1000 sequential write (512KB)

Random write is still slow at SSD 1200 random write (4KB) 1000 sequential write (512KB)

SHRD: Improving Spatial Locality in Flash Storage Accesses by Sequentializing in Host and Randomizing in Device Yun Ho Jeong 2 and Kyung Ho Kim 2 Hyukjoong Kim 1 , Dongkun Shin 1 , Sungkyunkwan University 1 Samsung Electronics 2 Presented at

728 views • 34 slides
Genome 559, Winter 2012 Review Comparing networks Node degree distributions Power law

Genome 559, Winter 2012 Review Comparing networks Node degree distributions Power law

Ab initio gene prediction Genome 559, Winter 2012 Review Comparing networks Node degree distributions Power law distribution c P k ( ) k for k 0, c > 1 Network motifs - over and under representation Randomizing

795 views • 24 slides
Using Game Theory Nupul Kukreja , William G.J. Halfond, Milind Tambe ASE 2013 1 Outline

Using Game Theory Nupul Kukreja , William G.J. Halfond, Milind Tambe ASE 2013 1 Outline

Randomizing Regression Tests Using Game Theory Nupul Kukreja , William G.J. Halfond, Milind Tambe ASE 2013 1 Outline Motivation Problem(s) with traditional test scheduling Game Theory and Randomization Modeling software testing

300 views • 10 slides
Random Forests COMPSCI 371D Machine Learning COMPSCI 371D Machine Learning Random

Random Forests COMPSCI 371D Machine Learning COMPSCI 371D Machine Learning Random

Random Forests COMPSCI 371D Machine Learning COMPSCI 371D Machine Learning Random Forests 1 / 10 Outline 1 Motivation 2 Bagging 3 Randomizing Split Dimension 4 Training 5 Inference 6 Out-of-Bag Statistical Risk Estimate COMPSCI 371D

241 views • 10 slides

More recommend