![Page 1: Fast and efficient Browser Identification with JavaScript ...1.De ne the testset (=set of browsers) 2.Collect failed test cases 3.Calculate uniqueness of every failed test case 4.Build](https://reader035.vdocuments.mx/reader035/viewer/2022062603/5f0fcb017e708231d445e8a5/html5/thumbnails/1.jpg)
Fast and efficient Browser Identification withJavaScript Engine Fingerprinting
Martin Mulazzani, Philipp Reschl, Manuel Leithner,Markus Huber, Edgar Weippl
SBA ResearchVienna, Austria
![Page 2: Fast and efficient Browser Identification with JavaScript ...1.De ne the testset (=set of browsers) 2.Collect failed test cases 3.Calculate uniqueness of every failed test case 4.Build](https://reader035.vdocuments.mx/reader035/viewer/2022062603/5f0fcb017e708231d445e8a5/html5/thumbnails/2.jpg)
Outline
Motivation & Background
JavaScript Engine FingerprintingMethodologyMinimal FingerprintsDecision Trees
EvaluationEvaluation - Tor Browser BundleEvaluation - Survey
![Page 3: Fast and efficient Browser Identification with JavaScript ...1.De ne the testset (=set of browsers) 2.Collect failed test cases 3.Calculate uniqueness of every failed test case 4.Build](https://reader035.vdocuments.mx/reader035/viewer/2022062603/5f0fcb017e708231d445e8a5/html5/thumbnails/3.jpg)
Motivation
Browser Identification:
I Accurately identify the browser used by the client
I Webserver point-of-view
I Motivated by nmap for TCP/IP fingerprintingI Limitations of UserAgent string:
I Can be set arbitrarilyI Not a security feature
Different use cases:
I Detect UserAgent string manipulations
I Detect session hijacking
I Browser-specific malware
![Page 4: Fast and efficient Browser Identification with JavaScript ...1.De ne the testset (=set of browsers) 2.Collect failed test cases 3.Calculate uniqueness of every failed test case 4.Build](https://reader035.vdocuments.mx/reader035/viewer/2022062603/5f0fcb017e708231d445e8a5/html5/thumbnails/4.jpg)
Motivation
Browser Identification:
I Accurately identify the browser used by the client
I Webserver point-of-view
I Motivated by nmap for TCP/IP fingerprintingI Limitations of UserAgent string:
I Can be set arbitrarilyI Not a security feature
Different use cases:
I Detect UserAgent string manipulations
I Detect session hijacking
I Browser-specific malware
![Page 5: Fast and efficient Browser Identification with JavaScript ...1.De ne the testset (=set of browsers) 2.Collect failed test cases 3.Calculate uniqueness of every failed test case 4.Build](https://reader035.vdocuments.mx/reader035/viewer/2022062603/5f0fcb017e708231d445e8a5/html5/thumbnails/5.jpg)
Browser Market
Browser market currently very competitive:
I Man-years of development time
I Fight for market shares, especially smartphones
I Become more & more powerful (e.g., Cloud computing,HTML5, ...)
I New features:I JIT, GPU rendering, remote rendering, SandboxingI Mostly performance or security
![Page 6: Fast and efficient Browser Identification with JavaScript ...1.De ne the testset (=set of browsers) 2.Collect failed test cases 3.Calculate uniqueness of every failed test case 4.Build](https://reader035.vdocuments.mx/reader035/viewer/2022062603/5f0fcb017e708231d445e8a5/html5/thumbnails/6.jpg)
Browser Market :)
![Page 7: Fast and efficient Browser Identification with JavaScript ...1.De ne the testset (=set of browsers) 2.Collect failed test cases 3.Calculate uniqueness of every failed test case 4.Build](https://reader035.vdocuments.mx/reader035/viewer/2022062603/5f0fcb017e708231d445e8a5/html5/thumbnails/7.jpg)
Methodology
Our approach:I Use JavaScript (ECMAScript 5.1) conformance tests
I test262 - http://test262.ecmascript.orgI Sputnik - http://sputnik.googlelabs.com
I More than 11.000 test cases
I Javascript engines fail at different test cases
In the future:I Enhance session security
I by locking session to specific browser version
I Increase user privacyI by detecting (attacking) fingerprinting
![Page 8: Fast and efficient Browser Identification with JavaScript ...1.De ne the testset (=set of browsers) 2.Collect failed test cases 3.Calculate uniqueness of every failed test case 4.Build](https://reader035.vdocuments.mx/reader035/viewer/2022062603/5f0fcb017e708231d445e8a5/html5/thumbnails/8.jpg)
Methodology
Our approach:I Use JavaScript (ECMAScript 5.1) conformance tests
I test262 - http://test262.ecmascript.orgI Sputnik - http://sputnik.googlelabs.com
I More than 11.000 test cases
I Javascript engines fail at different test cases
In the future:I Enhance session security
I by locking session to specific browser version
I Increase user privacyI by detecting (attacking) fingerprinting
![Page 9: Fast and efficient Browser Identification with JavaScript ...1.De ne the testset (=set of browsers) 2.Collect failed test cases 3.Calculate uniqueness of every failed test case 4.Build](https://reader035.vdocuments.mx/reader035/viewer/2022062603/5f0fcb017e708231d445e8a5/html5/thumbnails/9.jpg)
Methodology
Our approach:I Use JavaScript (ECMAScript 5.1) conformance tests
I test262 - http://test262.ecmascript.orgI Sputnik - http://sputnik.googlelabs.com
I More than 11.000 test cases
I Javascript engines fail at different test cases
In the future:I Enhance session security
I by locking session to specific browser version
I Increase user privacyI by detecting (attacking) fingerprinting
![Page 10: Fast and efficient Browser Identification with JavaScript ...1.De ne the testset (=set of browsers) 2.Collect failed test cases 3.Calculate uniqueness of every failed test case 4.Build](https://reader035.vdocuments.mx/reader035/viewer/2022062603/5f0fcb017e708231d445e8a5/html5/thumbnails/10.jpg)
Related Work
Recent paper by Mowery et.al, W2SP 2011
I Use 39 Javascript benchmarks e.g., Sunspider or V8Benachmark Suite
I Generate normalized fingerprint based on time pattern
I On average 190 seconds runtime
Our approach:
I Takes less then 200ms (3 orders of magnitude faster)
I not stalling the CPU noticeably
I Few hundred lines of Javascript max.
I Collected > 150 OS and browser combinations
![Page 11: Fast and efficient Browser Identification with JavaScript ...1.De ne the testset (=set of browsers) 2.Collect failed test cases 3.Calculate uniqueness of every failed test case 4.Build](https://reader035.vdocuments.mx/reader035/viewer/2022062603/5f0fcb017e708231d445e8a5/html5/thumbnails/11.jpg)
Related Work
Recent paper by Mowery et.al, W2SP 2011
I Use 39 Javascript benchmarks e.g., Sunspider or V8Benachmark Suite
I Generate normalized fingerprint based on time pattern
I On average 190 seconds runtime
Our approach:
I Takes less then 200ms (3 orders of magnitude faster)
I not stalling the CPU noticeably
I Few hundred lines of Javascript max.
I Collected > 150 OS and browser combinations
![Page 12: Fast and efficient Browser Identification with JavaScript ...1.De ne the testset (=set of browsers) 2.Collect failed test cases 3.Calculate uniqueness of every failed test case 4.Build](https://reader035.vdocuments.mx/reader035/viewer/2022062603/5f0fcb017e708231d445e8a5/html5/thumbnails/12.jpg)
Related Work
Other related work:
I EFF’s Panopticlick, PETS 2010I Mowery et.al, W2SP 2012
I uses novel HTML5 features and WebGL rendering
I Upcoming paper on HTML5 and CSS3 features (ARES 2013)
![Page 13: Fast and efficient Browser Identification with JavaScript ...1.De ne the testset (=set of browsers) 2.Collect failed test cases 3.Calculate uniqueness of every failed test case 4.Build](https://reader035.vdocuments.mx/reader035/viewer/2022062603/5f0fcb017e708231d445e8a5/html5/thumbnails/13.jpg)
test262
![Page 14: Fast and efficient Browser Identification with JavaScript ...1.De ne the testset (=set of browsers) 2.Collect failed test cases 3.Calculate uniqueness of every failed test case 4.Build](https://reader035.vdocuments.mx/reader035/viewer/2022062603/5f0fcb017e708231d445e8a5/html5/thumbnails/14.jpg)
test262: Browser - OS Combinations
![Page 15: Fast and efficient Browser Identification with JavaScript ...1.De ne the testset (=set of browsers) 2.Collect failed test cases 3.Calculate uniqueness of every failed test case 4.Build](https://reader035.vdocuments.mx/reader035/viewer/2022062603/5f0fcb017e708231d445e8a5/html5/thumbnails/15.jpg)
test262: Browser - OS Combinations
![Page 16: Fast and efficient Browser Identification with JavaScript ...1.De ne the testset (=set of browsers) 2.Collect failed test cases 3.Calculate uniqueness of every failed test case 4.Build](https://reader035.vdocuments.mx/reader035/viewer/2022062603/5f0fcb017e708231d445e8a5/html5/thumbnails/16.jpg)
Distinguish Browsers
Random subset of test262 test cases:
Web Browser 15.4.4.4-5-c-i-1 13.0-13-s
Opera 11.61 ! %
Firefox 10.0.1 ! %
Internet Explorer 9 % !
Chrome 17 % %
Web Browser S15.2.3.6 A1 10.6-7-1 S10.4.2.1 A1
Opera 11.61 % % %
Firefox 10.0.1 % ! %
Internet Explorer 9 % % !
Chrome 17 ! % !
![Page 17: Fast and efficient Browser Identification with JavaScript ...1.De ne the testset (=set of browsers) 2.Collect failed test cases 3.Calculate uniqueness of every failed test case 4.Build](https://reader035.vdocuments.mx/reader035/viewer/2022062603/5f0fcb017e708231d445e8a5/html5/thumbnails/17.jpg)
Two Methods
Propose two different methods:
1. Minimal fingerprintsI Find out if a browser is lying about it’s UserAgent
2. Iterative decision treesI Find browser with no a-priory knowledge
Sharing is caring:
I Will release code & collected dataset
I Lost due to hardware failure
I Drop me an email for current version
I Always test your backups!
![Page 18: Fast and efficient Browser Identification with JavaScript ...1.De ne the testset (=set of browsers) 2.Collect failed test cases 3.Calculate uniqueness of every failed test case 4.Build](https://reader035.vdocuments.mx/reader035/viewer/2022062603/5f0fcb017e708231d445e8a5/html5/thumbnails/18.jpg)
Two Methods
Propose two different methods:
1. Minimal fingerprintsI Find out if a browser is lying about it’s UserAgent
2. Iterative decision treesI Find browser with no a-priory knowledge
Sharing is caring:
I Will release code & collected dataset
I Lost due to hardware failure
I Drop me an email for current version
I Always test your backups!
![Page 19: Fast and efficient Browser Identification with JavaScript ...1.De ne the testset (=set of browsers) 2.Collect failed test cases 3.Calculate uniqueness of every failed test case 4.Build](https://reader035.vdocuments.mx/reader035/viewer/2022062603/5f0fcb017e708231d445e8a5/html5/thumbnails/19.jpg)
Minimal Fingerprints
Goal: Determine minimal fingerprints
1. Define the testset (=set of browsers)
2. Collect failed test cases
3. Calculate minimal fingerprints
4. For every client: Run fingerprints
Result: If browser version ∈ testset: confirm browser version
“Mind the gap:”
I Propably not for every testset solvable
I Can become “big”
![Page 20: Fast and efficient Browser Identification with JavaScript ...1.De ne the testset (=set of browsers) 2.Collect failed test cases 3.Calculate uniqueness of every failed test case 4.Build](https://reader035.vdocuments.mx/reader035/viewer/2022062603/5f0fcb017e708231d445e8a5/html5/thumbnails/20.jpg)
Minimal Fingerprints
Goal: Determine minimal fingerprints
1. Define the testset (=set of browsers)
2. Collect failed test cases
3. Calculate minimal fingerprints
4. For every client: Run fingerprints
Result: If browser version ∈ testset: confirm browser version
“Mind the gap:”
I Propably not for every testset solvable
I Can become “big”
![Page 21: Fast and efficient Browser Identification with JavaScript ...1.De ne the testset (=set of browsers) 2.Collect failed test cases 3.Calculate uniqueness of every failed test case 4.Build](https://reader035.vdocuments.mx/reader035/viewer/2022062603/5f0fcb017e708231d445e8a5/html5/thumbnails/21.jpg)
Decision Trees
Goal: Minimize number of tests run at the client
1. Define the testset (=set of browsers)
2. Collect failed test cases
3. Calculate uniqueness of every failed test case
4. Build binary decision tree, iteratively
Result: Minimal path through decision tree for unknown browsers
Benefits:
I O(logn) instead of O(n)
I Thus even faster
I Can be used as first stage for minimal fingerprinting
![Page 22: Fast and efficient Browser Identification with JavaScript ...1.De ne the testset (=set of browsers) 2.Collect failed test cases 3.Calculate uniqueness of every failed test case 4.Build](https://reader035.vdocuments.mx/reader035/viewer/2022062603/5f0fcb017e708231d445e8a5/html5/thumbnails/22.jpg)
Decision Trees
Goal: Minimize number of tests run at the client
1. Define the testset (=set of browsers)
2. Collect failed test cases
3. Calculate uniqueness of every failed test case
4. Build binary decision tree, iteratively
Result: Minimal path through decision tree for unknown browsers
Benefits:
I O(logn) instead of O(n)
I Thus even faster
I Can be used as first stage for minimal fingerprinting
![Page 23: Fast and efficient Browser Identification with JavaScript ...1.De ne the testset (=set of browsers) 2.Collect failed test cases 3.Calculate uniqueness of every failed test case 4.Build](https://reader035.vdocuments.mx/reader035/viewer/2022062603/5f0fcb017e708231d445e8a5/html5/thumbnails/23.jpg)
Decision Trees
15.4.4.4-5-c-i-1
10.6-7-1 13.0-13-s
![Page 24: Fast and efficient Browser Identification with JavaScript ...1.De ne the testset (=set of browsers) 2.Collect failed test cases 3.Calculate uniqueness of every failed test case 4.Build](https://reader035.vdocuments.mx/reader035/viewer/2022062603/5f0fcb017e708231d445e8a5/html5/thumbnails/24.jpg)
Evaluation - Tor Browser Bundle
Basics Tor:
I Internet anonymization network
I Hides a user’s real IP adress
I Hundreds of thousands users every day
I Approx. 3000 servers run by volunteers
Tor Browser Bundle:I Among other features: Uniform UserAgent
I to increase size of the anonymity set
I Everything prepackaged (Tor, Vidalia, Firefox, ...)
I Runs without admin rights
![Page 25: Fast and efficient Browser Identification with JavaScript ...1.De ne the testset (=set of browsers) 2.Collect failed test cases 3.Calculate uniqueness of every failed test case 4.Build](https://reader035.vdocuments.mx/reader035/viewer/2022062603/5f0fcb017e708231d445e8a5/html5/thumbnails/25.jpg)
Evaluation - Tor Browser Bundle
Basics Tor:
I Internet anonymization network
I Hides a user’s real IP adress
I Hundreds of thousands users every day
I Approx. 3000 servers run by volunteers
Tor Browser Bundle:I Among other features: Uniform UserAgent
I to increase size of the anonymity set
I Everything prepackaged (Tor, Vidalia, Firefox, ...)
I Runs without admin rights
![Page 26: Fast and efficient Browser Identification with JavaScript ...1.De ne the testset (=set of browsers) 2.Collect failed test cases 3.Calculate uniqueness of every failed test case 4.Build](https://reader035.vdocuments.mx/reader035/viewer/2022062603/5f0fcb017e708231d445e8a5/html5/thumbnails/26.jpg)
Evaluation - Tor Browser Bundle
Uniform UserAgent:
I Tor - Mozilla/5.0 (Windows NT 6.1; rv:5.0)Gecko/20100101 Firefox/5.0
I Real - Mozilla/5.0 (X11; Linux x86 64; rv:9.0.1)Gecko/20111222 Firefox/9.0.1
Vulnerable to Javascript Engine Fingerprinting?
I Yes!
I Every Firefox > 3.5 can be easily distinguished
I Can harm user privacy and decrease anonymity set
I However, not a real attack on Tor
![Page 27: Fast and efficient Browser Identification with JavaScript ...1.De ne the testset (=set of browsers) 2.Collect failed test cases 3.Calculate uniqueness of every failed test case 4.Build](https://reader035.vdocuments.mx/reader035/viewer/2022062603/5f0fcb017e708231d445e8a5/html5/thumbnails/27.jpg)
Evaluation - Tor Browser Bundle
Uniform UserAgent:
I Tor - Mozilla/5.0 (Windows NT 6.1; rv:5.0)Gecko/20100101 Firefox/5.0
I Real - Mozilla/5.0 (X11; Linux x86 64; rv:9.0.1)Gecko/20111222 Firefox/9.0.1
Vulnerable to Javascript Engine Fingerprinting?
I Yes!
I Every Firefox > 3.5 can be easily distinguished
I Can harm user privacy and decrease anonymity set
I However, not a real attack on Tor
![Page 28: Fast and efficient Browser Identification with JavaScript ...1.De ne the testset (=set of browsers) 2.Collect failed test cases 3.Calculate uniqueness of every failed test case 4.Build](https://reader035.vdocuments.mx/reader035/viewer/2022062603/5f0fcb017e708231d445e8a5/html5/thumbnails/28.jpg)
Evaluation - Tor Browser Bundle
![Page 29: Fast and efficient Browser Identification with JavaScript ...1.De ne the testset (=set of browsers) 2.Collect failed test cases 3.Calculate uniqueness of every failed test case 4.Build](https://reader035.vdocuments.mx/reader035/viewer/2022062603/5f0fcb017e708231d445e8a5/html5/thumbnails/29.jpg)
Evaluation - Survey
Tested our fingerprinting with a survey:
I 189 participants
I Open for a few weeks in Summer 2011
I 10 test cases per browser in testsetI Testset:
I IE 8I IE 9I Chrome 10I Firefox 4
Ground truth:
I UserAgent String
I Manual identification by participant
![Page 30: Fast and efficient Browser Identification with JavaScript ...1.De ne the testset (=set of browsers) 2.Collect failed test cases 3.Calculate uniqueness of every failed test case 4.Build](https://reader035.vdocuments.mx/reader035/viewer/2022062603/5f0fcb017e708231d445e8a5/html5/thumbnails/30.jpg)
Evaluation - Survey
Tested our fingerprinting with a survey:
I 189 participants
I Open for a few weeks in Summer 2011
I 10 test cases per browser in testsetI Testset:
I IE 8I IE 9I Chrome 10I Firefox 4
Ground truth:
I UserAgent String
I Manual identification by participant
![Page 31: Fast and efficient Browser Identification with JavaScript ...1.De ne the testset (=set of browsers) 2.Collect failed test cases 3.Calculate uniqueness of every failed test case 4.Build](https://reader035.vdocuments.mx/reader035/viewer/2022062603/5f0fcb017e708231d445e8a5/html5/thumbnails/31.jpg)
Evaluation - Survey
Performance:
I All files: 24 Kilobytes
I Fingerprints: (4x) 2.500-3.000 Bytes
I 90 ms on average on PC
I 200 ms on average on smartphone
Results:I 175 out of 189 browsers covered by testset
I 100 % detection rateI No false positives!
I 14 not covered were mostly smartphones
I 1 UserAgent manipulation discovered
![Page 32: Fast and efficient Browser Identification with JavaScript ...1.De ne the testset (=set of browsers) 2.Collect failed test cases 3.Calculate uniqueness of every failed test case 4.Build](https://reader035.vdocuments.mx/reader035/viewer/2022062603/5f0fcb017e708231d445e8a5/html5/thumbnails/32.jpg)
Evaluation - Survey
Performance:
I All files: 24 Kilobytes
I Fingerprints: (4x) 2.500-3.000 Bytes
I 90 ms on average on PC
I 200 ms on average on smartphone
Results:I 175 out of 189 browsers covered by testset
I 100 % detection rateI No false positives!
I 14 not covered were mostly smartphones
I 1 UserAgent manipulation discovered