DOI: 10.1145/2994459.2994467
Research article, Open access

Picasso: Lightweight Device Class Fingerprinting for Web Clients

Published: 24 October 2016

Abstract

In this work we present Picasso: a lightweight device class fingerprinting protocol that allows a server to verify the software and hardware stack of a mobile or desktop client. As an example, Picasso can distinguish between traffic sent by an authentic iPhone running Safari on iOS from an emulator or desktop client spoofing the same configuration. Our fingerprinting scheme builds on unpredictable yet stable noise introduced by a client's browser, operating system, and graphical stack when rendering HTML5 canvases. Our algorithm is resistant to replay and includes a hardware-bound proof of work that forces a client to expend a configurable amount of CPU and memory to solve challenges. We demonstrate that Picasso can distinguish 52 million Android, iOS, Windows, and OSX clients running a diversity of browsers with 100% accuracy. We discuss applications of Picasso in abuse fighting, including protecting the Play Store or other mobile app marketplaces from inorganic interactions; or identifying login attempts to user accounts from previously unseen device classes.




Published In

SPSM '16: Proceedings of the 6th Workshop on Security and Privacy in Smartphones and Mobile Devices
October 2016, 130 pages
ISBN: 9781450345644
DOI: 10.1145/2994459

Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the Owner/Author.

Publisher

Association for Computing Machinery, New York, NY, United States


      Author Tags

      1. authentication
      2. canvas fingerprinting
      3. device fingerprinting

      Qualifiers

      • Research-article

Conference

CCS'16

Acceptance Rates

SPSM '16 paper acceptance rate: 13 of 31 submissions, 42%
Overall acceptance rate: 46 of 139 submissions, 33%


Article Metrics

• Downloads (last 12 months): 582
• Downloads (last 6 weeks): 145
Reflects downloads up to 17 Dec 2024

Cited By

• (2024) Browser Polygraph: Efficient Deployment of Coarse-Grained Browser Fingerprints for Web-Scale Detection of Fraud Browsers. Proceedings of the 2024 ACM on Internet Measurement Conference, pp. 681-703. DOI 10.1145/3646547.3688455. Online publication date: 4 Nov 2024.
• (2024) “Animation” URL in NFT marketplaces considered harmful for privacy. International Journal of Information Security 23(6), pp. 3749-3763. DOI 10.1007/s10207-024-00908-x. Online publication date: 17 Sep 2024.
• (2023) The Development of a Data Collection and Browser Fingerprinting System. Sensors 23(6), article 3087. DOI 10.3390/s23063087. Online publication date: 13 Mar 2023.
• (2023) Analysis and Consideration of Detection Methods to Prevent Fraudulent Access by Utilizing Attribute Information and the Access Log History. Journal of Information Processing 31, pp. 602-608. DOI 10.2197/ipsjjip.31.602. Online publication date: 2023.
• (2023) Scan Me If You Can: Understanding and Detecting Unwanted Vulnerability Scanning. Proceedings of the ACM Web Conference 2023, pp. 2284-2294. DOI 10.1145/3543507.3583394. Online publication date: 30 Apr 2023.
• (2022) A Survey of Browser Fingerprint Research and Application. Wireless Communications & Mobile Computing 2022. DOI 10.1155/2022/3363335. Online publication date: 1 Jan 2022.
• (2022) Server-Side Browsers. Proceedings of the 2022 ACM on Asia Conference on Computer and Communications Security, pp. 1168-1181. DOI 10.1145/3488932.3517414. Online publication date: 30 May 2022.
• (2022) Scalable and Secure HTML5 Canvas-Based User Authentication. Applied Cryptography and Network Security Workshops, pp. 554-574. DOI 10.1007/978-3-031-16815-4_30. Online publication date: 24 Sep 2022.
• (2021) ML-CB: Machine Learning Canvas Block. Proceedings on Privacy Enhancing Technologies 2021(3), pp. 453-473. DOI 10.2478/popets-2021-0056. Online publication date: 27 Apr 2021.
• (2021) A Large-scale Empirical Analysis of Browser Fingerprints Properties for Web Authentication. ACM Transactions on the Web 16(1), pp. 1-62. DOI 10.1145/3478026. Online publication date: 28 Sep 2021.
