fingerprinting information in javascript implementations
play

Fingerprinting Information in JavaScript Implementations Keaton - PowerPoint PPT Presentation

Sep 16, 2022 •420 likes •684 views

Fingerprinting Information in JavaScript Implementations Keaton Mowery, Dillon Bogenreif, Scott Yilek, and Hovav Shacham Thursday, May 26, 2011 Authentication Usernames and Passwords weakening Third-party data loss can compromise

  1. Fingerprinting Information in JavaScript Implementations Keaton Mowery, Dillon Bogenreif, Scott Yilek, and Hovav Shacham Thursday, May 26, 2011

  2. Authentication • Usernames and Passwords weakening • Third-party data loss can compromise your user accounts Thursday, May 26, 2011

  3. Extra Authentication • Two-Factor Authentication • Secure but inconvenient • User Fingerprinting • Geolocation • Browser Metadata • System Architecture • Browser Environment Thursday, May 26, 2011

  4. Fingerprinting for Good and Evil • User Authentication • Protect high-value accounts • User Identification • Deanonymize, track across sessions Thursday, May 26, 2011

  5. Browser Metadata • Examine and record browser family, version, and operating system • If the configuration changes, check for account compromise • Easy data to collect Thursday, May 26, 2011

  6. Many Techniques for Browser Fingerprinting Thursday, May 26, 2011

  7. Near Future NoScript Whitelist Fingerprinting JavaScript Performance Fingerprinting Thursday, May 26, 2011

  8. Near Future NoScript Whitelist Fingerprinting JavaScript Performance Fingerprinting Thursday, May 26, 2011

  9. Extension Verification • Users customize browser behavior with extensions • Previously-observed extension behavior provides an identity signal • Sudden absence of extensions increases likelihood of account hijack Thursday, May 26, 2011

  10. NoScript • NoScript provides JavaScript policy • Default Deny • Whitelisted domains may execute code • Whitelist contents are user-defined • Radical changes may indicate account hijack • Entries could reveal private information Thursday, May 26, 2011

  11. Example NoScript Probe <html> <head> <script type="text/javascript" src="http://www.google.com/accounts/hosted/helpcenter/ js/tooltips/TooltipLoader.js"> </script> <script type="text/javascript"> if ("XML_STATUS_OKAY" in window) { // google.com can run JavaScript } else { // google.com cannot run JavaScript } </script> </head><body></body> </html> Thursday, May 26, 2011

  12. Example NoScript Probe <html> <head> <script type="text/javascript" src="http://www.google.com/accounts/hosted/helpcenter/ js/tooltips/TooltipLoader.js"> </script> <script type="text/javascript"> if ("XML_STATUS_OKAY" in window) { // google.com can run JavaScript } else { // google.com cannot run JavaScript } </script> </head><body></body> </html> Thursday, May 26, 2011

  13. Example NoScript Probe <html> <head> <script type="text/javascript" src="http://www.google.com/accounts/hosted/helpcenter/ js/tooltips/TooltipLoader.js"> </script> <script type="text/javascript"> if ("XML_STATUS_OKAY" in window) { // google.com can run JavaScript } else { // google.com cannot run JavaScript } </script> </head><body></body> </html> Thursday, May 26, 2011

  14. At Scale • Crawled Alexa Top 1,000 Domains • Generated 689 whitelist probes • Created test suite for all 689 domains • 120s with NoScript disabled • 23s with NoScript enabled Thursday, May 26, 2011

  15. Near Future NoScript Whitelist Fingerprinting JavaScript Performance Fingerprinting Thursday, May 26, 2011

  16. Near Future NoScript Whitelist Fingerprinting JavaScript Performance Fingerprinting Thursday, May 26, 2011

  17. JavaScript Fingerprinting • Fingerprint JavaScript performance 1. Measure time to execute various JS snippets 2. Normalize to build fingerprint vector • Unforgeable • Agnostic to JavaScript features Thursday, May 26, 2011

  18. Snippet Selection • Off-the-Shelf JavaScript Benchmarks • 26 tests from SunSpider • 9 tests from V8 Benchmark Suite • 4 custom tests • Benchmarks characterize browser performance Thursday, May 26, 2011

  19. Browser Detection Thursday, May 26, 2011

  20. Ask Everyone You Know • Collected 1,015 data samples on Amazon Mechanical Turk • JavaScript Fingerprint • User reported: • Operating System • CPU Architecture, Speed, and Cores • RAM Thursday, May 26, 2011

  21. Browser Classification • 24 Major Browser Versions • Chrome, Firefox, IE, Safari, Opera, SeaMonkey • Generated characteristic fingerprint for each • 79.8% accuracy on all 1,015 samples Thursday, May 26, 2011

  22. Chrome Versioning • Over 85% of misclassifications • Chrome 6.0 to Chrome 11.0 in 7+ months 6.0 7.0 8.0 9.0 10.0 11.0 Chrome 6.0 - 0.18 0.19 0.17 0.25 0.25 Chrome 7.0 0.18 - 0.09 0.16 0.25 0.24 Chrome 8.0 0.19 0.09 - 0.17 0.27 0.26 Chrome 9.0 0.17 0.16 0.17 - 0.17 0.18 Chrome 10.0 0.25 0.25 0.27 0.17 - 0.09 Chrome 11.0 0.25 0.24 0.26 0.18 0.09 - Thursday, May 26, 2011

  23. Operating System Detection • Small effect on fingerprints • Examined 403 Firefox 3.6 samples • Windows: 98.5% correct • OS X: 100% correct • Linux: 25% correct Thursday, May 26, 2011

  24. Processor Architecture Detection • Unavailable through JavaScript APIs • JITs expose low-level behavior • 15 processor architectures • Core 2, Pentium Dual Core, Pentium 4, Athlon 64... • 45.3% accuracy Thursday, May 26, 2011

  25. Conclusions • NoScript Whitelist Fingerprinting • Extensions can be fingerprinted • User-defined state can be extracted • JavaScript Performance Fingerprinting • Proof-of-concept based on JS benchmarks • Browser, OS, and Architecture detection • Unforgable fingerprint Thursday, May 26, 2011

  26. Thank You! Questions? Thursday, May 26, 2011

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Fast and efficient Browser Identification with JavaScript Engine Fingerprinting Martin Mulazzani ,

Fast and efficient Browser Identification with JavaScript Engine Fingerprinting Martin Mulazzani ,

Fast and efficient Browser Identification with JavaScript Engine Fingerprinting Martin Mulazzani , Philipp Reschl, Manuel Leithner, Markus Huber, Edgar Weippl SBA Research Vienna, Austria Outline Motivation &amp; Background JavaScript Engine

539 views • 33 slides
Detection of Browser Fingerprinting by Static JavaScript Code Classification Sjors Haanen &amp;

Detection of Browser Fingerprinting by Static JavaScript Code Classification Sjors Haanen &amp;

Detection of Browser Fingerprinting by Static JavaScript Code Classification Sjors Haanen &amp; Tim van Zalingen UvA February 6, 2018 Supervisors (KPMG): Aidan Barrington &amp; Ruben de Vries Research Project 82 Sjors Haanen &amp; Tim van

331 views • 30 slides
k -fingerprinting: a Robust Scalable Website Fingerprinting Technique George Danezis Jamie Hayes

k -fingerprinting: a Robust Scalable Website Fingerprinting Technique George Danezis Jamie Hayes

k -fingerprinting: a Robust Scalable Website Fingerprinting Technique George Danezis Jamie Hayes University College London August 12, 2016 1/24 How does website fingerprinting work? - Training Tor network Relay 2 Adversary Relay 1

988 views • 24 slides
JavaScript Primer Basic Introduction of JavaScript JavaScript History Why (re)introduce

JavaScript Primer Basic Introduction of JavaScript JavaScript History Why (re)introduce

JavaScript Primer Basic Introduction of JavaScript JavaScript History Why (re)introduce JavaScript? Notorious for being worlds most misunderstood programming language o (Douglas Crockford -

432 views • 11 slides
Introduction to JavaScript Niels Olof Bouvin 2 Overview A brief history of JavaScript and

Introduction to JavaScript Niels Olof Bouvin 2 Overview A brief history of JavaScript and

Introduction to JavaScript Niels Olof Bouvin 2 Overview A brief history of JavaScript and ECMAScript JavaScript for Java developers The JavaScript ecosystem Getting access to JavaScript Some language basics A look at the Node.js standard

1.03k views • 54 slides
Introduction to JavaScript Niels Olof Bouvin 1 Overview A brief history of JavaScript and

Introduction to JavaScript Niels Olof Bouvin 1 Overview A brief history of JavaScript and

Introduction to JavaScript Niels Olof Bouvin 1 Overview A brief history of JavaScript and ECMAScript JavaScript for Java developers The JavaScript ecosystem Getting access to JavaScript Some language basics A look at the Node.js standard

1.1k views • 57 slides
CE419 Session 5: JavaScript Web Programming 1 What is JavaScript? JavaScript is a dynamic

CE419 Session 5: JavaScript Web Programming 1 What is JavaScript? JavaScript is a dynamic

CE419 Session 5: JavaScript Web Programming 1 What is JavaScript? JavaScript is a dynamic programming language. Introduced in 1995 as a way to add programs to web pages in the Netscape Navigator browser. It has made modern web

795 views • 35 slides
Verifying Security Protocols and their Implementations Information Security and Cryptography

Verifying Security Protocols and their Implementations Information Security and Cryptography

Verifying Security Protocols and their Implementations Information Security and Cryptography Reading Group Presenter: C t lin Hri cu References Verified Interoperable Implementations of Security Protocols. Karthikeyan Bhargavan,

922 views • 70 slides
CO 447 | LEC6 BLOCKCHAIN SECURITY Dr. Benjamin Livshits Stateless Fingerprinting 2 EFF

CO 447 | LEC6 BLOCKCHAIN SECURITY Dr. Benjamin Livshits Stateless Fingerprinting 2 EFF

CO 447 | LEC6 BLOCKCHAIN SECURITY Dr. Benjamin Livshits Stateless Fingerprinting 2 EFF Fingerprinting Tester https://panopticlick.eff.org 3 Panopticlick Testing 4 IE Brave Fingerprinting Components 5

1.28k views • 78 slides
JavaScript: The Good Parts vs. JavaScript: The Definitive Guide CS 252: Advanced Programming

JavaScript: The Good Parts vs. JavaScript: The Definitive Guide CS 252: Advanced Programming

JavaScript: The Good Parts vs. JavaScript: The Definitive Guide CS 252: Advanced Programming Language Principles Introduction to JavaScript Prof. Tom Austin San Jos State University History of JavaScript In 1995, Netscape hired Brendan

395 views • 16 slides
Acoustic Fingerprinting Soundz Jake Runzer June 28, 2018 Jake Runzer Acoustic Fingerprinting

Acoustic Fingerprinting Soundz Jake Runzer June 28, 2018 Jake Runzer Acoustic Fingerprinting

Acoustic Fingerprinting Soundz Jake Runzer June 28, 2018 Jake Runzer Acoustic Fingerprinting June 28, 2018 1 / 35 Outline What is Acoustic Fingerprinting 1 Fingerprinting for Music Identification 2 Spectrograms 3 History 4 My

743 views • 35 slides
Advanced JavaScript dates JavaScript timing events JavaScript Lars Larsson cookies Graceful

Advanced JavaScript dates JavaScript timing events JavaScript Lars Larsson cookies Graceful

Advanced JavaScript Lars Larsson Today JavaScript strings JavaScript Advanced JavaScript dates JavaScript timing events JavaScript Lars Larsson cookies Graceful degradation AJAX Summary Lecture #11 Advanced JavaScript 1

831 views • 38 slides
Fingerprinting hardware devices Fingerprinting hardware devices using clock-skewing using

Fingerprinting hardware devices Fingerprinting hardware devices using clock-skewing using

Fingerprinting hardware devices Fingerprinting hardware devices using clock-skewing using clock-skewing Renaud Lifchitz renaud.lifchitz@gmail.com #HES2010 8,9,10 April 2010 Paris, France Presenter's bio French computer security

644 views • 35 slides
JavaScript Concepts JavaScript is pretty hard to escape if you want to do anything for the web C

JavaScript Concepts JavaScript is pretty hard to escape if you want to do anything for the web C

JavaScript Concepts JavaScript is pretty hard to escape if you want to do anything for the web C of the Internet Take JavaScript for instance. It's widely criticized in the POPL community for getting many things wrong. But it must have

655 views • 44 slides
Game Development In JavaScript First Impressions Javascript Designed for web application

Game Development In JavaScript First Impressions Javascript Designed for web application

Game Development In JavaScript First Impressions Javascript Designed for web application Had a rough childhood Very misunderstood Performance difference across browsers Benchmark Pros/Cons JavaScript: WebGL &amp; Canvas

939 views • 18 slides
J AVA S CRIPT JavaScript is the programming language of HTML and the Web. JavaScript

J AVA S CRIPT JavaScript is the programming language of HTML and the Web. JavaScript

J AVA S CRIPT JavaScript is the programming language of HTML and the Web. JavaScript Java JavaScript is interpreted by the browser JavaScript 1/15 JS W HERE T O &lt;!DOCTYPE html&gt; &lt;html&gt; &lt;head&gt; &lt;script

591 views • 15 slides
CYBER SECURITY FOR AVIATION OPERATIONS DR ELENA SITNIKOVA, PHD, BE (HONS), CSSLP, SFHEA CRITICAL

CYBER SECURITY FOR AVIATION OPERATIONS DR ELENA SITNIKOVA, PHD, BE (HONS), CSSLP, SFHEA CRITICAL

CYBER SECURITY FOR AVIATION OPERATIONS DR ELENA SITNIKOVA, PHD, BE (HONS), CSSLP, SFHEA CRITICAL INFRASTRUCTURE PROTECTION, RESEARCH LEADER THE SPITFIRE MEMORIAL DEFENCE FELLOW UNSW CANBERRA @ ADFA E.SITNIKOVA@ADFA.EDU.AU BACKGROUND

731 views • 22 slides
Security for access to device APIs Stewart Brodie ANT Galio Browser Software Team Leader ANT

Security for access to device APIs Stewart Brodie ANT Galio Browser Software Team Leader ANT

Security for access to device APIs Stewart Brodie ANT Galio Browser Software Team Leader ANT Software Ltd. WAFERs: Overview An application model for HTML + JavaScript content Requires no changes to an existing HTML document Only

233 views • 7 slides
OWASP Most Critical Web Application Security Vulnerabilities Introduction 2 Purpose of

OWASP Most Critical Web Application Security Vulnerabilities Introduction 2 Purpose of

OWASP Most Critical Web Application Security Vulnerabilities Introduction 2 Purpose of Session: - Provide Overview Web Application Security Threats and Defense Using the Open Web Application Security Project (OWASP) Top List, we

830 views • 39 slides
Network Measurements Censorship and Digital Rights in Southeast Asia Khairil Yusof, Sinar Project

Network Measurements Censorship and Digital Rights in Southeast Asia Khairil Yusof, Sinar Project

Network Measurements Censorship and Digital Rights in Southeast Asia Khairil Yusof, Sinar Project This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. History 13th General Elections HTTP was

612 views • 34 slides
The security of Mozilla Firefoxs Extensions Kristjan Krips Topics Introduction The

The security of Mozilla Firefoxs Extensions Kristjan Krips Topics Introduction The

The security of Mozilla Firefoxs Extensions Kristjan Krips Topics Introduction The extension model How could extensions be used for attacks - website defacement - phishing attacks - cross site scripting The attacks could result

517 views • 20 slides
DLL Injection and x86 Hooking Demystified Giorgio Gori Sources: What is a DLL?

DLL Injection and x86 Hooking Demystified Giorgio Gori Sources: What is a DLL?

DLL Injection and x86 Hooking Demystified Giorgio Gori Sources: What is a DLL? https://support.microsoft.com/en-ca/kb/815065 Windows DLL Injection Basics by Brad Antoniewicz

936 views • 23 slides
Dropwizard Make features not WAR Thursday, November 8, 12 Ryan Kennedy Infrastructure

Dropwizard Make features not WAR Thursday, November 8, 12 Ryan Kennedy Infrastructure

Dropwizard Make features not WAR Thursday, November 8, 12 Ryan Kennedy Infrastructure Engineering at Yammer @rckenned Thursday, November 8, 12 The road to the renaissance Thursday, November 8, 12 Well be taking the long road to the

1.04k views • 48 slides
1986-2011: 25 Years in 25 Minutes State of the World Economics Countries by GDP Companies

1986-2011: 25 Years in 25 Minutes State of the World Economics Countries by GDP Companies

1986-2011: 25 Years in 25 Minutes State of the World Economics Countries by GDP Companies USA General Motors Japan Exxon USSR Mobil West Germany Ford France IBM UK Texaco Italy Chevron Canada AT&amp;T China Dupont India GE

1.41k views • 96 slides

More recommend