Picasso: Light-weight device class fingerprinting for web clients - - PowerPoint PPT Presentation



SLIDE 1

Picasso: Light-weight device class fingerprinting for web clients

Elie Bursztein, Artem Malyshev, Tadek Pietraszek, Kurt Thomas

SLIDE 2

g.co/research/protect

Title

Interesting story here

Subpoint

SLIDE 3

Keeping online interactions meaningful

SLIDE 4

Different interactions require distinct levels of trust

[Chart] Axes: Trust required, Interaction impact. Interactions plotted: Account recovery, Bank transfer, Content creation, Content consumption, Content like.

SLIDE 5

Verification methods trade-off

[Chart] Axes: Trust, Human interaction. Methods plotted: Phone call, SMS, Hard captcha, No captcha, Picasso.

SLIDE 6

Goals

Remote device class attestation

Allows enforcing quotas and helps anomaly detection

Proof of work

Enforce that an attacker expends 20ms of iOS device time per request

SLIDE 7

Requirements

Cross-platform and cross-language

Any platform (Android, iOS) and any language (JavaScript, Swift)

Emulator detection

Safari on iPhone vs Safari on an emulator

Accurate browser and OS discrimination

Chrome OSX vs Safari OSX, Chrome Windows vs Chrome OSX

SLIDE 8

Constraints

No device modification

Must run on off-the-shelf devices

Tamper-proof

Code is shipped to clients and may be executed offline

Fast and lightweight

Can be downloaded/executed often even on low-end devices

SLIDE 9

Mission Impossible?

SLIDE 10

System overview

SLIDE 11

Use the graphical stack as a physically unclonable function

SLIDE 12

Principle

[Diagram] Challenge id -> sequence of graphical instructions -> graphic rendering -> image unique to device type

SLIDE 13

Graphical primitives used

Quadratic curve, Bezier curve, Circle, Font (rendered glyph "F")
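The principle on the slides above (a challenge id expanded into graphical instructions, rendered, and reduced to an image unique to the device type), as an added JavaScript example that is not the Picasso authors' code: a seeded PRNG turns the challenge id into a reproducible sequence of the four primitives listed, and the rendered pixels are hashed into the response. The function names, the Mulberry32 seeding and the FNV-1a hash are assumptions of this example, not details from the talk.

```javascript
// Mulberry32 PRNG (assumed here): every client expands the same challenge id identically.
function seededRandom(seed) {
  let a = seed >>> 0;
  return () => {
    a = (a + 0x6d2b79f5) >>> 0;
    let t = Math.imul(a ^ (a >>> 15), a | 1);
    t = (t + Math.imul(t ^ (t >>> 7), t | 61)) ^ t;
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// Draw `rounds` primitives (the four from the slide) on `ctx`, any object
// exposing the Canvas 2D methods, and return a log of what was drawn.
function drawChallenge(ctx, challengeId, rounds, w = 300, h = 150) {
  const rnd = seededRandom(challengeId);
  const pt = () => [Math.floor(rnd() * w), Math.floor(rnd() * h)];
  const log = [];
  for (let i = 0; i < rounds; i++) {
    const kind = Math.floor(rnd() * 4);
    const [x0, y0] = pt(), [x1, y1] = pt(), [x2, y2] = pt();
    ctx.strokeStyle = ctx.fillStyle = `hsl(${Math.floor(rnd() * 360)},80%,50%)`;
    ctx.beginPath();
    if (kind === 0) {          // quadratic curve
      ctx.moveTo(x0, y0); ctx.quadraticCurveTo(x1, y1, x2, y2);
      log.push(['quad', x0, y0, x1, y1, x2, y2]);
    } else if (kind === 1) {   // Bezier curve
      const [x3, y3] = pt();
      ctx.moveTo(x0, y0); ctx.bezierCurveTo(x1, y1, x2, y2, x3, y3);
      log.push(['bezier', x0, y0, x1, y1, x2, y2, x3, y3]);
    } else if (kind === 2) {   // circle
      const r = 1 + Math.floor(rnd() * 40);
      ctx.arc(x0, y0, r, 0, 2 * Math.PI);
      log.push(['circle', x0, y0, r]);
    } else {                   // font: the slide shows a rendered glyph "F"
      ctx.font = `${10 + Math.floor(rnd() * 30)}px serif`;
      ctx.fillText('F', x0, y0);
      log.push(['text', x0, y0, ctx.font]);
    }
    ctx.stroke();
  }
  return log;
}

// FNV-1a (assumed here) over the rendered pixel bytes, e.g. ctx.getImageData(...).data:
// this hash is the challenge response the client sends for device-class lookup.
function hashResponse(bytes) {
  let h = 0x811c9dc5;
  for (const b of bytes) h = Math.imul(h ^ b, 0x01000193);
  return (h >>> 0).toString(16).padStart(8, '0');
}
```

With a real canvas, call drawChallenge(canvas.getContext('2d'), id, rounds) and then hashResponse(ctx.getImageData(0, 0, w, h).data); the server compares the result against responses it has recorded for each device class under that challenge id.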

SLIDE 14

Telling apart bots from devices

SLIDE 15

Why Picasso?

SLIDE 16

Evaluation

SLIDE 17

Demo

SLIDE 18

SLIDE 19

Is the graphical stack really a PUF?

SLIDE 20

Browser difference heatmap

Heatmap panels: Chrome vs Firefox; Chrome vs Safari; Firefox vs Safari

SLIDE 21

Safari on iPhone vs Safari on an emulator

Red indicates pixels that differ

SLIDE 22

Evaluation metrics

Uniqueness

Fraction of challenge responses that are unique to a given device class

Stability

Number of distinct challenge responses generated by a given class of device

SLIDE 23

Stability illustrated

[Figure: stability of Picasso responses]

SLIDE 24

Uniqueness illustrated

[Figure: uniqueness of Picasso responses]

SLIDE 25

Uniqueness confusion matrix

SLIDE 26

Chrome uniqueness confusion matrix

SLIDE 27

Windows uniqueness confusion matrix

SLIDE 28

Stability

SLIDE 29

War story

SLIDE 30

Brute-force attempts from EC2 via proxies

SLIDE 31

Proxies geo-distribution

SLIDE 32

Thanks
