EssentialFP: Exposing the Essence of Browser Fingerprinting

By Alexander Sjösten, Daniel Hedin, Andrei Sabelfeld.

In Proceedings of the IEEE European Symposium on Security and Privacy Workshops (SecWeb), September 2021.

Web pages aggressively track users for a variety of purposes from targeted advertisements to enhanced authentication. As browsers move to restrict traditional cookie-based tracking, web pages increasingly move to tracking based on browser fingerprinting. Unfortunately, the state-of-the-art to detect fingerprinting in browsers is often error-prone, resorting to imprecise heuristics and crowd-sourced filter lists.
This paper presents EssentialFP, a principled approach to detecting fingerprinting on the web. We argue that the pattern of (i) gathering information from a wide browser API surface (multiple browser-specific sources) and (ii) communicating the information to the network (network sink) captures the essence of fingerprinting. This pattern enables us to clearly distinguish fingerprinting from similar types of scripts like analytics and polyfills. We demonstrate that information flow tracking is an excellent fit for exposing this pattern. To implement EssentialFP we leverage, extend, and deploy JSFlow, a state-of-the-art information flow tracker for JavaScript, in a browser. We illustrate the effectiveness of EssentialFP to spot fingerprinting on the web by evaluating it on two categories of web pages: one where the web pages perform analytics, use polyfills, and show ads, and one where the web pages perform authentication, bot detection, and fingerprinting-enhanced Alexa top pages.
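
The source-to-sink pattern described in the abstract, as an added illustration that is not code from the paper, EssentialFP, or JSFlow: a toy monitor attaches source labels to values, propagates them through computation, and inspects them at a network sink. The API reads are simulated with constructed values, and the helper names, the example URLs, and the cut-off `THRESHOLD` are assumptions made for this sketch.

```javascript
// Added illustration (not EssentialFP or JSFlow code): a toy label-tracking monitor.
// Every value carries the set of browser-API sources that influenced it.
class Labeled {
  constructor(value, labels) {
    this.value = value;
    this.labels = new Set(labels);
  }
}

// Constructed sample values standing in for real browser API reads.
const env = {
  "navigator.userAgent": "Mozilla/5.0 (constructed)",
  "navigator.language": "en-US",
  "navigator.hardwareConcurrency": 8,
  "screen.width": 1920,
  "screen.colorDepth": 24,
  "canvas.toDataURL": "data:image/png;base64,AAAA",
};

// Source: tag a value with the name of the API it was read from.
const read = (api) => new Labeled(env[api], [api]);

// Propagation: a computed value carries the union of its inputs' labels.
function combine(fn, ...args) {
  const labels = new Set(args.flatMap((a) => [...a.labels]));
  return new Labeled(fn(...args.map((a) => a.value)), labels);
}

// Sink: report which sources reach the network. THRESHOLD is an assumed cut-off.
const THRESHOLD = 4;
function networkSink(url, payload) {
  const sources = [...payload.labels].sort();
  return { url, sources, fingerprinting: sources.length >= THRESHOLD };
}

// Analytics-like script: sends two attributes.
function analyticsScript() {
  const body = combine((l, w) => `lang=${l}&w=${w}`, read("navigator.language"), read("screen.width"));
  return networkSink("https://analytics.example/collect", body);
}

// Fingerprinting-like script: hashing hides the values but not their labels.
function fingerprintScript() {
  const joined = combine((...v) => v.join("|"), ...Object.keys(env).map(read));
  const hash = combine((s) => [...s].reduce((h, c) => (h * 31 + c.charCodeAt(0)) >>> 0, 7), joined);
  return networkSink("https://tracker.example/id", hash);
}
```

The hashed payload in `fingerprintScript` is a single number, yet the sink still sees all six source labels, which is why label tracking catches what inspecting the outgoing bytes would miss.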

[Paper]

Supplementary material

Download the VM with EssentialFP (md5: 329a677d0117b990966de609f2238cfb) as well as the benchmark page to try it out.
The VM image was created with VirtualBox, but it has also been tested to work with VMware Fusion.
If VMware shows an error message saying the import of the .ova file failed because it "did not pass OVF specification conformance or virtual hardware compliance checks", simply click retry and it should work.

To run EssentialFP, execute "./run_essentialfp.sh" from the terminal.
The source code for the JSFlow implementation used can be found in "~/jsflow", and the source code for the modified Chromium can be found in "~/chromium/src".

The benchmark page is simply FingerprintJS version 2.1 with all flags enabled.