EssentialFP: Exposing the Essence of Browser Fingerprinting
By Alexander Sjösten, Daniel Hedin, Andrei Sabelfeld.
In Proceedings of the IEEE European Symposium on Security and Privacy Workshops (SecWeb), September 2021.
Web pages aggressively track users for a variety of purposes from targeted
advertisements to enhanced authentication. As browsers move to restrict
traditional cookie-based tracking, web pages increasingly move to tracking
based on browser fingerprinting. Unfortunately, the state-of-the-art techniques for
detecting fingerprinting in browsers are often error-prone, resorting to imprecise
heuristics and crowd-sourced filter lists.
This paper presents EssentialFP, a principled approach to detecting
fingerprinting on the web. We argue that the pattern of
(i) gathering information from a wide browser API surface (multiple browser-specific sources)
and (ii) communicating the information to the network (network sink)
captures the essence of fingerprinting. This pattern enables us to clearly
distinguish fingerprinting from similar types of scripts like analytics and
polyfills. We demonstrate that information flow tracking is an excellent fit
for exposing this pattern. To implement EssentialFP we leverage, extend, and
deploy JSFlow, a state-of-the-art information flow tracker for
JavaScript, in a browser. We illustrate the effectiveness
of EssentialFP to spot fingerprinting on the web by
evaluating it on two categories of web pages: one where the web pages perform
analytics, use polyfills, and show ads, and one where the web pages perform
authentication, bot detection, and fingerprinting-enhanced Alexa top pages.
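The source/sink pattern described above can be illustrated with a small labelled-value tracker. The following is an added example for this page, written in Node.js; it is not EssentialFP or JSFlow code, and the mocked browser API values, the three sample scripts, the sink URLs and the threshold of four distinct sources are all constructed assumptions. Every read of a (mocked) browser API attaches that API's name as a label, labels propagate through computation, and the network sink records which labels reach it, so a script that reads a wide surface and sends it out is distinguished from analytics (narrow surface sent out) and from a polyfill (wide surface read, nothing sent).

```javascript
// Added example, not part of EssentialFP/JSFlow. A toy information-flow
// tracker for the pattern "many browser-API sources -> network sink".
// All API names, values, URLs and the threshold below are constructed.

const MIN_SOURCES_FOR_FINGERPRINT = 4; // assumed threshold, not from the paper

// Mocked, constant browser values (a real tracker reads the live browser).
const MOCK_BROWSER = {
  'navigator.userAgent': 'Mozilla/5.0 (X11; Linux x86_64) Example/1.0',
  'navigator.language': 'en-US',
  'navigator.hardwareConcurrency': 8,
  'screen.width': 1920,
  'screen.height': 1080,
  'canvas.toDataURL': 'data:image/png;base64,CONSTRUCTED',
  'webgl.RENDERER': 'Mock GPU',
  'location.href': 'https://example.test/page',
};

// A labelled value: the data plus the set of API sources it depends on.
class Labelled {
  constructor(value, labels = new Set()) { this.value = value; this.labels = labels; }
}

// Source: every read of a browser API attaches that API's name as a label.
function readAPI(name) {
  if (!(name in MOCK_BROWSER)) throw new Error(`unknown API ${name}`);
  return new Labelled(MOCK_BROWSER[name], new Set([name]));
}

// Propagation: a value computed from labelled inputs carries the union of their labels.
function join(op, ...args) {
  const labels = new Set();
  for (const a of args) a.labels.forEach((l) => labels.add(l));
  return new Labelled(op(...args.map((a) => a.value)), labels);
}

// Deterministic toy hash (FNV-1a), standing in for the digest a fingerprinter computes.
function fnv1a(str) {
  let h = 0x811c9dc5;
  for (const c of str) { h ^= c.charCodeAt(0); h = Math.imul(h, 0x01000193) >>> 0; }
  return h.toString(16);
}

// Sink: record which source labels flow out to the network, and to where.
function makeSink() {
  const sent = [];
  return {
    sendToNetwork(url, payload) { sent.push({ url, sources: new Set(payload.labels) }); },
    sent,
  };
}

// Classification: how wide is the set of API sources that reached the sink?
function classify(sink) {
  const sources = new Set();
  for (const s of sink.sent) s.sources.forEach((l) => sources.add(l));
  const verdict = sources.size >= MIN_SOURCES_FOR_FINGERPRINT ? 'fingerprinting'
                : sources.size > 0 ? 'network-but-narrow' : 'no-network-flow';
  return { verdict, sources: [...sources].sort() };
}

// Constructed script 1: reads a wide API surface, hashes it, sends the hash out.
function runFingerprinter(sink) {
  const parts = ['navigator.userAgent', 'navigator.language', 'screen.width',
    'screen.height', 'canvas.toDataURL', 'webgl.RENDERER'].map(readAPI);
  const fp = join((...vs) => fnv1a(vs.join('|')), ...parts);
  sink.sendToNetwork('https://tracker.test/fp', fp);
  return classify(sink);
}

// Constructed script 2: analytics sends only a narrow set of sources.
function runAnalytics(sink) {
  const ua = readAPI('navigator.userAgent');
  const href = readAPI('location.href');
  sink.sendToNetwork('https://analytics.test/hit', join((u, h) => `${u}|${h}`, ua, href));
  return classify(sink);
}

// Constructed script 3: a polyfill reads several APIs to pick a code path but sends nothing.
function runPolyfill(sink) {
  const width = readAPI('screen.width');
  const cores = readAPI('navigator.hardwareConcurrency');
  join((w, c) => (w > 1000 && c > 4 ? 'fast-path' : 'slow-path'), width, cores);
  return classify(sink);
}

console.log(runFingerprinter(makeSink()).verdict); // fingerprinting
console.log(runAnalytics(makeSink()).verdict);     // network-but-narrow
console.log(runPolyfill(makeSink()).verdict);      // no-network-flow
```

The point of the design is that the verdict depends on the labels that actually reach the sink, not on which APIs were touched: the polyfill reads the same kind of sources as the fingerprinter but is cleared because the labels never flow to the network, and the analytics script is not flagged because only two sources cross it. A real tracker such as the JSFlow-based one the paper describes has to propagate labels through the whole language, including implicit flows, which this toy deliberately does not attempt.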
Supplementary material
Download the VM with EssentialFP (md5: 329a677d0117b990966de609f2238cfb) as well as the benchmark page to try it out.
The VM image was created with VirtualBox, but it has also been tested to work with VMware Fusion.
If VMware reports that importing the .ova file failed because it "did not pass OVF specification conformance or virtual hardware compliance checks", simply click Retry and it should work.
To execute EssentialFP, just run "./run_essentialfp.sh" from the terminal.
The source code for the JSFlow implementation used can be found in "~/jsflow", and the source code for the modified Chromium can be found in "~/chromium/src".
The benchmark page is simply FingerprintJS version 2.1 with all flags enabled.