ABSTRACT
Physical device fingerprinting exploits hardware features to uniquely identify a machine. This technique has been used for authentication, license binding, or attackers identification, among other tasks. More recently, hardware features have also been introduced to identify web users and perform web tracking. A particular type of hardware fingerprint exploits differences in the computer internal clock signals. However, previous methods to test for these differences relied on complex experiments performed by running native code in the target machine. In this paper, we show a new way to compute a hardware finger- printing, based on timing the execution of sequences of instructions readily available in API functions. Due to its simplicity, this method can also be performed remotely by simply timing few seemingly innocuous lines of JavaScript code. We tested our approach with different functions, such as common string manipulation or widespread cryptographic routines, and found that several of them can be used as basic blocks for fingerprinting. Using this technique, we implemented a tool called CryptoFP. We tested its native implementation in a homogeneous scenario, to distinguish among a perfectly identical (both in software and hardware) set of computers. CryptoFP was able to correctly discriminate all the identical computers in this scenario and recognize the same computer also under different CPU load configurations, outperforming every other hardware fingerprinting method. We then show how CryptoFP can be implemented using a combination of the HTML5 Cryptography API and standard timing API for web device fingerprinting. In this case, we compared our method, both in the same homogeneous scenario and by performing an experiment with real-world users running heterogeneous devices, against other state-of-the-art web device fingerprinting solutions. In both cases, our approach clearly outperforms all existing methods.
Supplemental Material
- M Ayenson, DJ Wambach, A Soltani, N Good, and CJ Hoofnagle. 2011. Flash cookies and privacy II: Now with HTML5 and Etags respawning (2011). Social Science Research Network Working Paper Series (2011).Google Scholar
- Suman Banerjee and Vladimir Brik. 2011. Wireless device fingerprinting. In Encyclopedia of Cryptography and Security. Springer, 1388--1390.Google Scholar
- Duane S Boning and James E Chung. 1996. Statistical metrology: Understanding spatial variation in semiconductor manufacturing. In Proceedings of the Micro-electronic Manufacturing. International Society for Optics and Photonics.Google Scholar
- Andrew Bortz and Dan Boneh. 2007. Exposing private information by timing web applications. In Proceedings of the 16th international conference on World Wide Web (WWW). ACM, 621--628. Google ScholarDigital Library
- Keith A Bowman, Steven G Duvall, and James D Meindl. 2002. Impact of die-to-die and within-die parameter fluctuations on the maximum clock frequency distribution for gigascale integration. IEEE Journal of solid-state circuits 37, 2 (2002), 183--190.Google ScholarCross Ref
- Yinzhi Cao, Song Li, and Erik Wijmans. 2017. (Cross-)Browser Fingerprinting via OS and Hardware Level Features. In Proceedings of the Network and Distributed System Symposium (NDSS).Google ScholarCross Ref
- Anupam Das, Nikita Borisov, and Matthew Caesar. 2016. Tracking Mobile Web Users Through Motion Sensors: Attacks and Defenses. In Proceedings of the Network and Distributed System Symposium (NDSS).Google ScholarCross Ref
- Sanorita Dey, Nirupam Roy, Wenyuan Xu, Romit Roy Choudhury, and Srihari Nelakuditi. 2014. AccelPrint: Imperfections of Accelerometers Make Smartphones Trackable.. In Proceedings of the Network and Distributed System Symposium (NDSS).Google ScholarCross Ref
- Peter Eckersley. 2010. How unique is your web browser?. In Proceedings of the Privacy Enhancing Technologies (PETS). Google ScholarDigital Library
- Steven Englehardt and Arvind Narayanan. 2016. Online tracking: A 1-million-site measurement and analysis. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security. ACM, 1388--1401. Google ScholarDigital Library
- Edward W Felten and Michael A Schneider. 2000. Timing attacks on web privacy. In Proceedings of the 7th ACM conference on Computer and Communications Security (CCS). ACM. Google ScholarDigital Library
- Russ Fink. 2007. A statistical approach to remote physical device fingerprinting. In Proceedings of the Military Communications Conference (MILCOM).Google ScholarCross Ref
- Jason Franklin, Damon McCoy, Parisa Tabriz, Vicentiu Neagoe, Jamie V Randwyk, and Douglas Sicker. 2006. Passive Data Link Layer 802.11 Wireless Device Driver Fingerprinting.. In Proceedings of the USENIX Security Symposium (SEC). Google ScholarDigital Library
- Blaise Gassend, Dwaine Clarke, Marten Van Dijk, and Srinivas Devadas. 2002. Silicon physical random functions. In Proceedings of the ACM Conference on Computer and CBommunications Security (CCS). Google ScholarDigital Library
- GNU/Linux. 2018. Stress, tool to impose load on and stress test systems. https://linux.die.net/man/1/stress.Google Scholar
- Ben Gras, Kaveh Razavi, Erik Bosman, Herbert Bos, and Cristiano Giuffrida. 2017. ASLR on the Line: Practical Cache Attacks on the MMU. In Proceedings of the Network and Distributed System Symposium (NDSS).Google ScholarCross Ref
- WebAssembly W3C Community Group. 2018. WebAssembly. http://webassembly.org/.Google Scholar
- Jun Huang, Wahhab Albazrqaoe, and Guoliang Xing. 2014. Blueid: A practical system for bluetooth device identification. In INFOCOM, 2014 Proceedings IEEE. IEEE, 2849--2857.Google ScholarCross Ref
- Clint Huffman. 2014. Windows Performance Analysis Field Guide. Elsevier. Google ScholarDigital Library
- Suman Jana and Sneha K Kasera. 2010. On fast and accurate detection of unauthorized wireless access points using clock skews. IEEE Transactions on Mobile Computing 9, 3 (2010), 449--462. Google ScholarDigital Library
- Samy Kamkar. 2018. Evercookie -- virtually irrevocable persistent cookies. http://samy.pl/evercookie/.Google Scholar
- David Kohlbrenner and Hovav Shacham. 2016. Trusted Browsers for Uncertain Times. In Proceedings of the USENIX Security Symposium (Sec). Google ScholarDigital Library
- Tadayoshi Kohno, Andre Broido, and Kimberly C Claffy. 2005. Remote physical device fingerprinting. IEEE Transactions on Dependable and Secure Computing 2, 2 (2005), 93--108. Google ScholarDigital Library
- Robert Kotcher, Yutong Pei, Pranjal Jumde, and Collin Jackson. 2013. Cross-origin pixel stealing: timing attacks using CSS filters. In Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security. ACM, 1055--1062. Google ScholarDigital Library
- Fabian Lanze, Andriy Panchenko, Benjamin Braatz, and Thomas Engel. 2014. Letting the puss in boots sweat: Detecting fake access points using dependency of clock skews on temperature. In Proceedings of the 9th ACM symposium on Information, computer and communications security. ACM, 3--14. Google ScholarDigital Library
- Pierre Laperdrix, Walter Rudametkin, and Benoit Baudry. 2016. Beauty and the Beast: Diverting modern web browsers to build unique browser fingerprints. In Proceedings of the IEEE Symposium on Security and Privacy (Oakland).Google ScholarCross Ref
- Jae W Lee, Daihyun Lim, Blaise Gassend, G Edward Suh, Marten Van Dijk, and Srinivas Devadas. {n. d.}. A technique to build a secret key in integrated circuits for identification and authentication applications. In Proceedings of the Symposium on VLSI Circuits. IEEE.Google Scholar
- Robert Martin, John Demme, and Simha Sethumadhavan. 2012. TimeWarp: Rethinking timekeeping and performance monitoring mechanisms to mitigate side-channel attacks. In Proceedings of the Annual International Symposium on Computer Architecture (ISCA). Google ScholarDigital Library
- Keaton Mowery, Dillon Bogenreif, Scott Yilek, and Hovav Shacham. 2011. Fingerprinting information in JavaScript implementations. In Proceedings of the Web 2.0 Workshop on Security and Privacy (W2SP).Google Scholar
- Keaton Mowery and Hovav Shacham. 2012. Pixel perfect: Fingerprinting canvas in HTML5. In Proceedings of the Web 2.0 Workshop on Security and Privacy (W2SP).Google Scholar
- Steven J Murdoch. 2006. Hot or not: Revealing hidden services by their clock skew. In Proceedings of the 13th ACM conference on Computer and communications security. ACM, 27--36. Google ScholarDigital Library
- Sani R Nassif. 2000. Modeling and forecasting of manufacturing variations. In Proceedings of the International Workshop on Statistical Metrology.Google ScholarCross Ref
- Ravikanth Pappu, Ben Recht, Jason Taylor, and Neil Gershenfeld. 2002. Physical one-way functions. Science 297, 5589 (2002), 2026--2030.Google Scholar
- Libor Pol?ák and Barbora Franková. 2014. On reliability of clock-skew-based remote computer identification. In Security and Cryptography (SECRYPT), 2014 11th International Conference on. IEEE, 1--8.Google Scholar
- Timothy J Salo. 2007. Multi-Factor Fingerprints for Personal Computer Hardware. In Proceedings of the Military Communications Conference (MILCOM). IEEE.Google ScholarCross Ref
- Iskander Sanchez-Rola, Igor Santos, and Davide Balzarotti. 2017. Extension Breakdown: Security Analysis of Browsers Extension Resources Control Policies. In Proceedings of the USENIX Security Symposium (Sec). Google ScholarDigital Library
- Michael Schwarz, Clementine Maurice, Daniel Gruss, and Stefan Mangard. 2017. Fantastic Timers and Where to Find Them: High-Resolution Microarchitectural Attacks in JavaScript. In Proceedings of the International Conference on Financial Cryptography and Data Security (FC).Google ScholarCross Ref
- Ashkan Soltani, Shannon Canty, Quentin Mayo, Lauren Thomas, and Chris Jay Hoofnagle. 2010. Flash Cookies and Privacy. In Proceedings of the AAAI Spring Symposium: Intelligent Information Privacy Management, Vol. 2010.Google Scholar
- Deian Stefan, Pablo Buiras, Edward Z Yang, Amit Levy, David Terei, Alejandro Russo, and David Mazières. 2013. Eliminating cache-based timing attacks with instruction-based scheduling. In Proceedings of the European Symposium on Research in Computer Security (ESORICS). Springer.Google ScholarCross Ref
- Tom Van Goethem, Wouter Joosen, and Nick Nikiforakis. 2015. The Clock is Still Ticking: Timing Attacks in the Modern Web. In Proceedings of the ACM SIGSAC Conference on Computer and Communications Security (CCS). Google ScholarDigital Library
- Antoine vastel, Pierre Laperdrix, Walter Rudametkin, and Romain Rouvoy. 2018. FP-STALKER: Tracking Browser Fingerprint Evolutions. In Proceedings of the IEEE Symposium on Security and Privacy (Oakland). https://hal.inria.fr/hal-01652021Google Scholar
- W3C. 2018. Web Cryptography API. https://w3c.github.io/webcrypto/Overview.html.Google Scholar
- Yinglei Wang, Wing-kei Yu, Shuo Wu, Greg Malysa, G Edward Suh, and Edwin C Kan. 2012. Flash memory for ubiquitous hardware security functions: True random number generation and device fingerprints. In Proceedings of the IEEE Symposium on Security and Privacy (Oakland). Google ScholarDigital Library
Index Terms
- Clock Around the Clock: Time-Based Device Fingerprinting
Recommendations
Online Tracking: A 1-million-site Measurement and Analysis
CCS '16: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications SecurityWe present the largest and most detailed measurement of online tracking conducted to date, based on a crawl of the top 1 million websites. We make 15 types of measurements on each site, including stateful (cookie-based) and stateless (fingerprinting-...
Experience with heterogenous clock-skew based device fingerprinting
LASER '12: Proceedings of the 2012 Workshop on Learning from Authoritative Security Experiment ResultsThe goal of this research is to validate clock skew based device fingerprinting introduced in 2005 and explore the feasibility of its usage and/or modification to facilitate unique device identification across heterogenous target devices with improved ...
Clock Power Analysis of Low Power Clock Gated Arithmetic Logic Unit on Different FPGA
CICN '14: Proceedings of the 2014 International Conference on Computational Intelligence and Communication NetworksThis paper, deals with Latch Free Clock Gating technique for reduction of clock power and total power consumption in Low Power Arithmetic and Logic Unit and we have analysed power reduction on different FPGA devices. Without latch free clock gating ...
Comments