From a59c59f089297cf8b8ff9af5ab30789d7da6d803 Mon Sep 17 00:00:00 2001 From: Libor Polčák Date: May 26 2022 10:16:18 +0000 Subject: Small text tweaks Mainly inspired by notes of Radek --- diff --git a/paper.tex b/paper.tex index c66ac5d..f2f1356 100644 --- a/paper.tex +++ b/paper.tex @@ -49,7 +49,7 @@ \begin{abstract} {The Web is used daily by billions. Even so, users are not protected from many - threats by default. This position paper builds on previous web privacy and + threats by default. This paper builds on previous web privacy and security research and introduces \jshelter{}, a webextension that fights to return the browser to users. Moreover, we introduce a library helping with common webextension development tasks and fixing @@ -57,11 +57,11 @@ focuses on fingerprinting prevention, limitations of rich web APIs, prevention of attacks connected to timing, and learning information about the computer, the browser, the user, and surrounding physical environment and - location. We discovered a loophole in the sensor timestamps that lets any + location. During the research of sensor APIs, we discovered a loophole in the sensor timestamps that lets any page observe the device boot time if sensor APIs are enabled in Chromium-based browsers. \jshelter{} provides a fingerprinting report and other feedback - that can be used by future security research and data protection - authorities. Thousands of users around the world use the webextension every day.} + that can be used by future web privacy research. + Thousands of users around the world use the webextension every day.} \end{abstract} \keywords{Browser fingerprinting, web privacy, web security, webextension APIs, JavaScript} 
@@ -113,13 +113,17 @@ fingerprinting. Moreover, \jshelter{} blocks attempts to misuse the browser as a access the local network. \jshelter{} educates users by explaining fingerprinting APIs in a report. \jshelter{} integrates several previous research projects like Chrome Zero~\cite{js0} and little-lies-based fingerprinting prevention -\cite{PriVaricator,FPRandom}. We needed to solve reliable -injection of modifications to all visited pages, iframes, and web workers. We introduce NoScript Commons Library +\cite{PriVaricator,FPRandom}. Unfortunately, current webextension APIs lack a +reliable way to modify JavaScript APIs in different contexts like iframes and +web workers. Not only did we solve the reliable injection but +this paper introduces NoScript Commons Library (NSCL)\footnote{\url{https://noscript.net/commons-library}} that -other privacy- and security-related webextensions can reuse to solve common tasks. +other privacy- and security-related webextensions can reuse to solve common +tasks like reliable injection of JavaScript code into the page JavaScript +context before the page scripts are able to access the context. We implemented \jshelter{} for Firefox -and Chromium-based browsers like Chrome, Opera, and Edge. We provide experience -from user feedback that should be valuable to other research projects. +and Chromium-based browsers like Chrome, Opera, and Edge. So we gathered experience +from user feedback that can be valuable to other research projects. The evaluation shows that \jshelter{} prevents many attacks, including learning (1) browser and computer fingerprints, (2) user biometrics, (3) computer clock-skew, and 
@@ -242,8 +246,8 @@ use JavaScript APIs to create a unique fingerprint. -Current research distinguishes targeted and not targeted -fingerprinting~\cite{fingerprinting_survey}. Not targeted fingerprinting focuses +Current research distinguishes targeted and non-targeted +fingerprinting~\cite{fingerprinting_survey}. Non-targeted fingerprinting focuses on observing visiting browsers or computer fingerprints and trying to link their identity to a previous visitor. Targeted fingerprinting tries to detect a tailored fingerprint of an individual, for example, for law enforcement @@ -496,7 +500,7 @@ However, the work is not done, and it is a possible related research question if the hiding in the herd strategy makes sense before it is adopted for all users. Moreover, inconsistencies arise. For example, Tor Browser does not implement WebGL. As Firefox adopts fingerprinting protections from Tor Browser, Firefox modifies readings -from 2D canvas and does not modify WebGL canvas. That creates a false sense of +from a 2D canvas and does not modify a WebGL canvas. That creates a false sense of protection. @@ -522,7 +526,7 @@ the countermeasures. All browsers with the same fingerprint form an anonymity set \cite{anon_terminology}. An observer cannot distinguish between browsers in the anonymity set. With every missed fingerprintable attribute, the anonymity set breaks into smaller sets. For example, Tor Browser strongly recommends -using a specific window size. Suppose a user changes a window size to a value +using a specific window size. Suppose a user changes the window size to a value different from all other Tor Browser users. In that case, a fingerprinter can identify the user solely by this attribute. Moreover, Tor Browser hides the IP address of the user. A 
@@ -565,7 +569,7 @@ as follows: browsers and consequently can be easily installed into any browser that supports webextensions, including Firefox and all browsers based on Chromium. - \item Do not create a perfect solution instead focus on what other + \item Do not create a perfect solution, instead focus on what other webextensions lack: a consistent approach to the threat T2 and protection from T3, T4\footnote{Currently, \jshelter{} does not provide any protection for T4 but we evaluate possibilities to add such support in the future. For 
@@ -659,9 +663,34 @@ provide meaningful but rare values, other return meaningless values. This level makes the user fingerprintable because the results of API calls are generally modified in the same way on all websites and in each session. -\jshelter{} currently modifies 97 APIs inspired by Schwarz et al.~\cite{js0}, +% To determine the number of APIs: +% Copy wrapping_groups from levels.js +% let is_api_undefined = () => true +% let are_all_api_unsupported = () => true +% wrapping_groups.groups.forEach(function (group) { +% group.id = group.name; +% if (!are_all_api_unsupported(group.wrappers)) { +% wrapping_groups.group_names.push(group.name); +% wrapping_groups.empty_level[group.id] = 0; +% } +% wrapping_groups.group_map[group.id] = group +% for (wrapper_name of group.wrappers) { +% wrapping_groups.wrapper_map[wrapper_name] = group.name; +% } +% }); +% Object.prototype.length = function() +% { +% var cnt = 0; +% for (var api in this) { +% cnt++; +% } +% return cnt; +% } +% wrapping_groups.wrapper_map.length() +\jshelter{} currently modifies 113 APIs which includes APIs considered by +previous works of Schwarz et al.~\cite{js0}, Iqbal et al.~\cite{fingerprint_fingerprinters}, Snyder et -al.~\cite{webapi-vibrate} and APIs declined by Apple. For each API, we decide +al.~\cite{webapi-vibrate} and APIs that Apple declined to implement. For each API, we decide its relevance on an individual basis. Usually, we do not modify APIs that are already explicitly permitted by the user, but the analysis might provide an example where the user still wants to limit the precision of the API. For example, 
@@ -669,9 +698,10 @@ Geolocation API allows the page to learn a very precise location while the user interested in services in the city. Hence, \jshelter{} allows fine-tuning the precision of the Geolocation. -The slightest mismatch between the results of two APIs can make the user more visible to -fingerprinters~\cite{fingerprinting_survey,everyone_different,jstemplates_property_traversal}. Hence, all -protections are considered from the point of fingerprintability, the threat +Additionally, the slightest mismatch between the results of two APIs can make the user more visible to +fingerprinters~\cite{fingerprinting_survey,everyone_different,jstemplates_property_traversal}. +Hence, each protection that we decide to implement in \jshelter{} +is considered from the point of fingerprintability, the threat to leak information about the browser or user and other threats presented in §\ref{sec:threats}. When it does not require much work, \jshelter{} tries to mimic a stationary device with consistent and plausible readings. @@ -736,7 +766,7 @@ same value in each tab. We observed sensor readings from several devices to learn the fluctuations of stationary devices in different environments. Most of the sensors have small deviations. However, magnetometer readings have big fluctuations. -\jshelter{} simulates Magnetometer fluctuation by using a series of sines for each axis. +\jshelter{} simulates Magnetometer fluctuations by using a series of sines for each axis. Each sine has a unique amplitude, phase shift, and period. The number of sines per axis is chosen pseudorandomly. \jshelter{} currently employs 20 to 30 sines for each axis. 
@@ -819,7 +849,7 @@ from \verb|Performance.prototype|. We tackle this issue in two steps. (1) Before we implement a protection, we analyse the prototype chain and pick the correct object implementing the property or method to wrap. Left alone, this approach is brittle: it can be broken by changes in the DOM APIs specification -or by browser implementation. Therefore \jshelter{} applies an additional step. +or by browser implementation. Therefore, \jshelter{} applies an additional step. (2)~The injection code checks at runtime whether the property (or method) is actually implemented as an own property by the object defined in step 1 or if the property is inherited. 
@@ -834,25 +864,36 @@ In fact, the techniques adopted and further honed while developing \jshelter{} h NoScript Security Suite\footnote{\url{https://noscript.net/}}, refactored into the NSCL and made publicly available for reusing and contributing back. -This aims to minimise the maintenance burden and mitigate the danger of -introducing insidious bugs and security vulnerabilities due to feature -mismatches and multiple code paths by abstracting the common functionality -shared among security and privacy webextensions, providing consistent -implementations across multiple browser engines and shielding developers from -the browser-dependent implementation details. + +NSCL abstracts common functionality +shared among security and privacy webextensions. The goal is +to minimise the development and maintenance burden on webextension maintainers. +Shared common code paths between webextensions lead to more code review. As the +browser APIs often provide multiple ways to achieve the same goal, a shared +code between webextensions prevents feature mismatches. For example an attacker +can access an API through the window object, an iframe, or a worker. A +webextension modifying the API needs to modify each possibility. By modifying +only some ways to access the API, the webextension not only gives an attacker the +possibility to learn original values offered by the API, but also reveals that +the browser is behaving strangely. Additionally, NSCL +provides consistent +implementation across multiple browser engines. Hence, developers do not need to +study browser-dependent implementation details. The NSCL tackles issue 2 in its \verb|DocStartInjection| -module\footnote{\url{https://github.com/hackademix/nscl/20220330/main/service/DocStartInjection.js}}, -by preprocessing URL-dependent configuration inside a \verb|BeforeNavigate| event handler. +module\footnote{\url{https://github.com/hackademix/nscl/20220330/main/service/DocStartInjection.js}}. 
+NSCL allows to preprocess URL-dependent configuration inside a \verb|BeforeNavigate| event handler. This event is fired every time the browser starts -loading a new page and notifies the webextension of the destination URL, which \jshelter{} uses -to build a configuration object in advance and make it available to the content script -before it starts its own processing. This technique always succeeds in +loading a new page. As the event handler has access to the destination URL, it +allows \jshelter{} +to build a configuration object in advance. Later, \jshelter{} content script +can access the pre-configuration. +This technique always succeeds in pre-configuring the webextension -on document start, before any page script can run, on Firefox; but on Chromium it might sometimes fail due to race conditions. +on document start event (before any page script can run) on Firefox; but on Chromium it might sometimes fail due to race conditions. As a safety net for these edge cases, when no configuration object is found by the content script, the special \verb|SyncMessage| API\footnote{\url{https://github.com/hackademix/nscl/20220330/main/common/SyncMessage.js}}, -an ugly (because based on the deprecated synchronous \verb|XMLHttpRequest| API) but effective hack provided by the NSCL, is used to still retrieve the correct settings in a timely manner. +an ugly (because based on the deprecated synchronous \verb|XMLHttpRequest| API) but effective hack provided by the NSCL, is used to retrieve the correct settings in a timely manner. To address issue 3, the configuration of the webextension (\verb|manifest.json|) 
@@ -902,10 +943,8 @@ special powers and therefore do not need those safety measures, NSCL provides sh \section{Evaluation} \label{sec:results} -\jshelter{} is available as a webextension in \url{addons.mozilla.org}, Chrome -Store, and Opera Store from early development stages. We employ the release early, -release often strategy, but we do not release early if we are concerned about -possible security bugs in the new version. +This section evaluates the different \jshelter{} parts and discusses the +feedback received from the users. \subsection{Fingerprinting inconsistencies} @@ -971,11 +1010,13 @@ should be validated; long-lasting (at least tens of minutes) measurements might remove the randomisation noise and reveal the clock skew. Nevertheless, Polčák and Franková~\cite{jucs15} observed that timestamps provided by JavaScript are affected by time synchronisations (such as NTP). -Hence, we advise to combining \jshelter{} round and randomisation with +Hence, we advise to combine \jshelter{} round and randomisation with continuous-time synchronisation to hide built-in clock skew. \subsection{Sensors} +\subsubsection{Sensor timestamp loophole} + \begin{figure*}[ht!] \centering \parbox{0.3\textwidth}{\centering @@ -1008,6 +1049,8 @@ uniquely identify the reading without leaking anything about a device. Future work can determine if such behaviour appears in the wild. If all devices and browsers incorporate the loophole, we should provide a random boot time. +\subsubsection{Fake magnetometer evaluation} + Figure~\ref{fig:magnetomer} shows readings from a real and fake magnetometer. The left part (a) shows a stationary device. The magnetic field is not stable due to small changes in Earth's magnetic field and other noise. The middle part of 
@@ -1170,6 +1213,11 @@ protected. \subsection{Feedback from users} +\jshelter{} is available as a webextension in \url{addons.mozilla.org}, Chrome +Store, and Opera Store from early development stages. We employ the release early, +release often strategy, but we do not release early if we are concerned about +possible security bugs in the new version. + Some users found \jshelter{} immediately after initial upload to webextension sites. Nevertheless, the number of users increased massively only after an announcement by Free Software Foundation. Figure~\ref{fig:users}, shows \jshelter{} users in time
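Review bot: In the abstract hunk, the new sentence "During the research of sensor APIs, we discovered a loophole in the sensor timestamps" is awkward English; "While researching sensor APIs, we discovered a loophole in the sensor timestamps" is the idiomatic form. Replacing "future security research and data protection authorities" with "future web privacy research" also drops the data-protection-authority audience for the fingerprinting report; if that narrowing is intentional, fine, otherwise consider "future web privacy research and data protection authorities".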
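Review bot: In the introduction hunk, "Not only did we solve the reliable injection but this paper introduces NoScript Commons Library" is a mismatched "not only ... but also" construction with two different subjects; suggest "We not only solved the reliable injection, but this paper also introduces the NoScript Commons Library (NSCL)". The sentence-initial "So we gathered experience from user feedback" is conversational for a paper; "Consequently, we gathered experience" or "We also gathered experience" fits the register better.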
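Review bot: In the design-principles hunk, "Do not create a perfect solution, instead focus on what other webextensions lack" is a comma splice; "Do not create a perfect solution; instead, focus on what other webextensions lack" or "Instead of creating a perfect solution, focus on what other webextensions lack" reads cleanly.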
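Review bot: In the API-count hunk, the counting recipe kept in the LaTeX comment has two fragile spots: `for (wrapper_name of group.wrappers)` declares no variable, so it leaks a global and throws in strict mode (`for (const wrapper_name of group.wrappers)`), and adding `length` to `Object.prototype` is unnecessary when `Object.keys(wrapping_groups.wrapper_map).length` yields the same count without polluting every object. Stubbing `are_all_api_unsupported` to return `true` means `group_names` and `empty_level` are never populated, which is harmless for the count, and `is_api_undefined` is defined but not used by the visible lines; a one-line comment saying the stubs exist only so that every wrapper is counted regardless of browser support would make the recipe reproducible for the next author, as would noting which `levels.js` revision the figure 113 was taken from. In the prose, "113 APIs which includes APIs considered by previous works of Schwarz et al." should be "113 APIs, including the APIs considered by the previous works of Schwarz et al.".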
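Review bot: In the fingerprintability hunk, "each protection that we decide to implement in \jshelter{} is considered from the point of fingerprintability" should read "from the point of view of fingerprintability"; the rest of the rewording (the added "Additionally," and the split sentence) is an improvement.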
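Review bot: In the NSCL hunk, several wording fixes are needed in the new paragraph and the rewritten DocStartInjection text: "For example an attacker can access an API" needs a comma after "For example"; "a shared code between webextensions" should be "shared code between webextensions"; "NSCL allows to preprocess URL-dependent configuration" is not grammatical, use "NSCL allows preprocessing of URL-dependent configuration" or "NSCL lets a webextension preprocess URL-dependent configuration"; "Later, \jshelter{} content script can access the pre-configuration" needs "the \jshelter{} content script"; and "on document start event (before any page script can run) on Firefox" reads better as "at the document start event (before any page script can run) on Firefox". The security argument itself, that wrapping only some of the window, iframe and worker paths to an API both leaks the original value and "reveals that the browser is behaving strangely", is the key point of the paragraph and would be tighter if it said outright that such an inconsistency is itself a fingerprintable attribute, which ties it to the mismatch argument made earlier in the paper.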
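Review bot: In the clock-skew hunk, "we advise to combine \jshelter{} round and randomisation with continuous-time synchronisation" is still ungrammatical after the fix: "advise" takes a gerund or an object plus infinitive, so "we advise combining \jshelter{}'s rounding and randomisation with continuous time synchronisation" (and "continuous-time" with the hyphen reads as the signal-processing term rather than "synchronising continuously"). The two new \subsubsection headings are a good split of the Sensors subsection.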
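Review bot: In the feedback hunk, the relocated availability paragraph is the right place for this text, and since it is being moved anyway this is the moment to fix "available as a webextension in \url{addons.mozilla.org}" to "on \url{https://addons.mozilla.org}" (a scheme-less \url{} may not resolve as a clickable link under hyperref) and "from early development stages" to "since the early development stages".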