Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
Fast and ecient Browser Identi
cation with 
JavaScript Engine Fingerprinting 
Martin Mulazzani, Philipp Reschl, Manuel Leithner, 
Markus Huber, Edgar Wei...
Outline 
Motivation  Background 
JavaScript Engine Fingerprinting 
Methodology 
Minimal Fingerprints 
Decision Trees 
Eval...
Motivation 
Browser Identi
cation: 
I Accurately identify the browser used by the client 
I Webserver point-of-view 
I Motivated by nmap for TCP/IP
ngerprinting 
I Limitations of UserAgent string: 
I Can be set arbitrarily 
I Not a security feature 
Dierent use cases: 
...
c malware
Motivation 
Browser Identi
cation: 
I Accurately identify the browser used by the client 
I Webserver point-of-view 
I Motivated by nmap for TCP/IP
ngerprinting 
I Limitations of UserAgent string: 
I Can be set arbitrarily 
I Not a security feature 
Dierent use cases: 
...
c malware
Browser Market 
Browser market currently very competitive: 
I Man-years of development time 
I Fight for market shares, es...
Browser Market :)
Methodology 
Our approach: 
I Use JavaScript (ECMAScript 5.1) conformance tests 
I test262 - http://test262.ecmascript.org...
c browser version 
I Increase user privacy 
I by detecting (attacking)
ngerprinting
Methodology 
Our approach: 
I Use JavaScript (ECMAScript 5.1) conformance tests 
I test262 - http://test262.ecmascript.org...
c browser version 
I Increase user privacy 
I by detecting (attacking)
ngerprinting
Methodology 
Our approach: 
I Use JavaScript (ECMAScript 5.1) conformance tests 
I test262 - http://test262.ecmascript.org...
c browser version 
I Increase user privacy 
I by detecting (attacking)
ngerprinting
Related Work 
Recent paper by Mowery et.al, W2SP 2011 
I Use 39 Javascript benchmarks e.g., Sunspider or V8 
Benachmark Su...
ngerprint based on time pattern 
I On average 190 seconds runtime 
Our approach: 
I Takes less then 200ms (3 orders of mag...
Related Work 
Recent paper by Mowery et.al, W2SP 2011 
I Use 39 Javascript benchmarks e.g., Sunspider or V8 
Benachmark Su...
ngerprint based on time pattern 
I On average 190 seconds runtime 
Our approach: 
I Takes less then 200ms (3 orders of mag...
Related Work 
Other related work: 
I EFF's Panopticlick, PETS 2010 
I Mowery et.al, W2SP 2012 
I uses novel HTML5 features...
test262
test262: Browser - OS Combinations
test262: Browser - OS Combinations
Distinguish Browsers 
Random subset of test262 test cases: 
Web Browser 15.4.4.4-5-c-i-1 13.0-13-s 
Opera 11.61 ! % 
Firef...
Two Methods 
Propose two dierent methods: 
1. Minimal
ngerprints 
I Find out if a browser is lying about it's UserAgent 
2. Iterative decision trees 
I Find browser with no a-p...
Upcoming SlideShare
Loading in …5
×

Fast and efficient Browser Identification with JavaScript Engine Fingerprinting

1,183 views

Published on

Web browsers are crucial software components in today’s usage of the Internet, but the reliable detection of whether a client is using a specific browser can still be considered a nontrivial problem. Reliable browser identification is crucial for online security and privacy e.g., regarding drive-by downloads and user tracking, and can be used to enhance the user’s security. So far the UserAgent string is often used to identify a given browser, but it is a self-reported string provided by the client and can be changed arbitrarily.

In this paper we propose a new method for identifying web browsers based on the underlying Javascript engine, which can be executed on the client side within a fraction of a second. Our method is three orders of magnitude faster than previous work on Javascript engine fingerprinting, and can be implemented with well below a few hundred lines of code. We show the feasibility of our method with a survey and discuss the consequences for user privacy and browser security. Furthermore, we collected data for more than 150 browser and operating system combinations, and present algorithms to make browser identification as fast as possible. UserAgent string modifications become easily detectable with JavaScript engine fingerprinting, which is shown exemplarily on the Tor browser bundle as it uses a uniform UserAgent string across different browser versions. Finally, we propose to use our results for enhancing state-of-the-art session management (with or without SSL), as reliable browser identification can be used to increase the complexity of session hijacking attacks considerably.

Published in: Internet
  • Be the first to comment

  • Be the first to like this

Fast and efficient Browser Identification with JavaScript Engine Fingerprinting

  1. 1. Fast and ecient Browser Identi
  2. 2. cation with JavaScript Engine Fingerprinting Martin Mulazzani, Philipp Reschl, Manuel Leithner, Markus Huber, Edgar Weippl SBA Research Vienna, Austria
  3. 3. Outline Motivation Background JavaScript Engine Fingerprinting Methodology Minimal Fingerprints Decision Trees Evaluation Evaluation - Tor Browser Bundle Evaluation - Survey
  4. 4. Motivation Browser Identi
  5. 5. cation: I Accurately identify the browser used by the client I Webserver point-of-view I Motivated by nmap for TCP/IP
  6. 6. ngerprinting I Limitations of UserAgent string: I Can be set arbitrarily I Not a security feature Dierent use cases: I Detect UserAgent string manipulations I Detect session hijacking I Browser-speci
  7. 7. c malware
  8. 8. Motivation Browser Identi
  9. 9. cation: I Accurately identify the browser used by the client I Webserver point-of-view I Motivated by nmap for TCP/IP
  10. 10. ngerprinting I Limitations of UserAgent string: I Can be set arbitrarily I Not a security feature Dierent use cases: I Detect UserAgent string manipulations I Detect session hijacking I Browser-speci
  11. 11. c malware
  12. 12. Browser Market Browser market currently very competitive: I Man-years of development time I Fight for market shares, especially smartphones I Become more more powerful (e.g., Cloud computing, HTML5, ...) I New features: I JIT, GPU rendering, remote rendering, Sandboxing I Mostly performance or security
  13. 13. Browser Market :)
  14. 14. Methodology Our approach: I Use JavaScript (ECMAScript 5.1) conformance tests I test262 - http://test262.ecmascript.org I Sputnik - http://sputnik.googlelabs.com I More than 11.000 test cases I Javascript engines fail at dierent test cases In the future: I Enhance session security I by locking session to speci
  15. 15. c browser version I Increase user privacy I by detecting (attacking)
  16. 16. ngerprinting
  17. 17. Methodology Our approach: I Use JavaScript (ECMAScript 5.1) conformance tests I test262 - http://test262.ecmascript.org I Sputnik - http://sputnik.googlelabs.com I More than 11.000 test cases I Javascript engines fail at dierent test cases In the future: I Enhance session security I by locking session to speci
  18. 18. c browser version I Increase user privacy I by detecting (attacking)
  19. 19. ngerprinting
  20. 20. Methodology Our approach: I Use JavaScript (ECMAScript 5.1) conformance tests I test262 - http://test262.ecmascript.org I Sputnik - http://sputnik.googlelabs.com I More than 11.000 test cases I Javascript engines fail at dierent test cases In the future: I Enhance session security I by locking session to speci
  21. 21. c browser version I Increase user privacy I by detecting (attacking)
  22. 22. ngerprinting
  23. 23. Related Work Recent paper by Mowery et.al, W2SP 2011 I Use 39 Javascript benchmarks e.g., Sunspider or V8 Benachmark Suite I Generate normalized
  24. 24. ngerprint based on time pattern I On average 190 seconds runtime Our approach: I Takes less then 200ms (3 orders of magnitude faster) I not stalling the CPU noticeably I Few hundred lines of Javascript max. I Collected 150 OS and browser combinations
  25. 25. Related Work Recent paper by Mowery et.al, W2SP 2011 I Use 39 Javascript benchmarks e.g., Sunspider or V8 Benachmark Suite I Generate normalized
  26. 26. ngerprint based on time pattern I On average 190 seconds runtime Our approach: I Takes less then 200ms (3 orders of magnitude faster) I not stalling the CPU noticeably I Few hundred lines of Javascript max. I Collected 150 OS and browser combinations
  27. 27. Related Work Other related work: I EFF's Panopticlick, PETS 2010 I Mowery et.al, W2SP 2012 I uses novel HTML5 features and WebGL rendering I Upcoming paper on HTML5 and CSS3 features (ARES 2013)
  28. 28. test262
  29. 29. test262: Browser - OS Combinations
  30. 30. test262: Browser - OS Combinations
  31. 31. Distinguish Browsers Random subset of test262 test cases: Web Browser 15.4.4.4-5-c-i-1 13.0-13-s Opera 11.61 ! % Firefox 10.0.1 ! % Internet Explorer 9 % ! Chrome 17 % % Web Browser S15.2.3.6 A1 10.6-7-1 S10.4.2.1 A1 Opera 11.61 % % % Firefox 10.0.1 % ! % Internet Explorer 9 % % ! Chrome 17 ! % !
  32. 32. Two Methods Propose two dierent methods: 1. Minimal
  33. 33. ngerprints I Find out if a browser is lying about it's UserAgent 2. Iterative decision trees I Find browser with no a-priory knowledge Sharing is caring: I Will release code collected dataset I Lost due to hardware failure I Drop me an email for current version I Always test your backups!
  34. 34. Two Methods Propose two dierent methods: 1. Minimal
  35. 35. ngerprints I Find out if a browser is lying about it's UserAgent 2. Iterative decision trees I Find browser with no a-priory knowledge Sharing is caring: I Will release code collected dataset I Lost due to hardware failure I Drop me an email for current version I Always test your backups!
  36. 36. Minimal Fingerprints Goal: Determine minimal
  37. 37. ngerprints 1. De
  38. 38. ne the testset (=set of browsers) 2. Collect failed test cases 3. Calculate minimal
  39. 39. ngerprints 4. For every client: Run
  40. 40. ngerprints Result: If browser version 2 testset: con
  41. 41. rm browser version Mind the gap: I Propably not for every testset solvable I Can become big
  42. 42. Minimal Fingerprints Goal: Determine minimal
  43. 43. ngerprints 1. De
  44. 44. ne the testset (=set of browsers) 2. Collect failed test cases 3. Calculate minimal
  45. 45. ngerprints 4. For every client: Run
  46. 46. ngerprints Result: If browser version 2 testset: con
  47. 47. rm browser version Mind the gap: I Propably not for every testset solvable I Can become big
  48. 48. Decision Trees Goal: Minimize number of tests run at the client 1. De
  49. 49. ne the testset (=set of browsers) 2. Collect failed test cases 3. Calculate uniqueness of every failed test case 4. Build binary decision tree, iteratively Result: Minimal path through decision tree for unknown browsers Bene
  50. 50. ts: I O(logn) instead of O(n) I Thus even faster I Can be used as
  51. 51. rst stage for minimal
  52. 52. ngerprinting
  53. 53. Decision Trees Goal: Minimize number of tests run at the client 1. De
  54. 54. ne the testset (=set of browsers) 2. Collect failed test cases 3. Calculate uniqueness of every failed test case 4. Build binary decision tree, iteratively Result: Minimal path through decision tree for unknown browsers Bene
  55. 55. ts: I O(logn) instead of O(n) I Thus even faster I Can be used as
  56. 56. rst stage for minimal
  57. 57. ngerprinting
  58. 58. Decision Trees 15.4.4.4- 5-c-i-1 10.6-7-1 13.0-13-s
  59. 59. Evaluation - Tor Browser Bundle Basics Tor: I Internet anonymization network I Hides a user's real IP adress I Hundreds of thousands users every day I Approx. 3000 servers run by volunteers Tor Browser Bundle: I Among other features: Uniform UserAgent I to increase size of the anonymity set I Everything prepackaged (Tor, Vidalia, Firefox, ...) I Runs without admin rights
  60. 60. Evaluation - Tor Browser Bundle Basics Tor: I Internet anonymization network I Hides a user's real IP adress I Hundreds of thousands users every day I Approx. 3000 servers run by volunteers Tor Browser Bundle: I Among other features: Uniform UserAgent I to increase size of the anonymity set I Everything prepackaged (Tor, Vidalia, Firefox, ...) I Runs without admin rights
  61. 61. Evaluation - Tor Browser Bundle Uniform UserAgent: I Tor - Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0 I Real - Mozilla/5.0 (X11; Linux x86 64; rv:9.0.1) Gecko/20111222 Firefox/9.0.1 Vulnerable to Javascript Engine Fingerprinting? I Yes! I Every Firefox 3:5 can be easily distinguished I Can harm user privacy and decrease anonymity set I However, not a real attack on Tor
  62. 62. Evaluation - Tor Browser Bundle Uniform UserAgent: I Tor - Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0 I Real - Mozilla/5.0 (X11; Linux x86 64; rv:9.0.1) Gecko/20111222 Firefox/9.0.1 Vulnerable to Javascript Engine Fingerprinting? I Yes! I Every Firefox 3:5 can be easily distinguished I Can harm user privacy and decrease anonymity set I However, not a real attack on Tor
  63. 63. Evaluation - Tor Browser Bundle
  64. 64. Evaluation - Survey Tested our
  65. 65. ngerprinting with a survey: I 189 participants I Open for a few weeks in Summer 2011 I 10 test cases per browser in testset I Testset: I IE 8 I IE 9 I Chrome 10 I Firefox 4 Ground truth: I UserAgent String I Manual identi
  66. 66. cation by participant
  67. 67. Evaluation - Survey Tested our
  68. 68. ngerprinting with a survey: I 189 participants I Open for a few weeks in Summer 2011 I 10 test cases per browser in testset I Testset: I IE 8 I IE 9 I Chrome 10 I Firefox 4 Ground truth: I UserAgent String I Manual identi
  69. 69. cation by participant
  70. 70. Evaluation - Survey Performance: I All
  71. 71. les: 24 Kilobytes I Fingerprints: (4x) 2.500-3.000 Bytes I 90 ms on average on PC I 200 ms on average on smartphone Results: I 175 out of 189 browsers covered by testset I 100 % detection rate I No false positives! I 14 not covered were mostly smartphones I 1 UserAgent manipulation discovered
  72. 72. Evaluation - Survey Performance: I All
  73. 73. les: 24 Kilobytes I Fingerprints: (4x) 2.500-3.000 Bytes I 90 ms on average on PC I 200 ms on average on smartphone Results: I 175 out of 189 browsers covered by testset I 100 % detection rate I No false positives! I 14 not covered were mostly smartphones I 1 UserAgent manipulation discovered
  74. 74. Thank you for your time! Questions? mmulazzani@sba-research.org

×