«

»

Mitigating browser fingerprint tracking: multi-level reconfiguration and diversification

by Pierre Laperdrix, Walter Rudametkin, Benoit Baudry
Abstract:
The diversity of software components (e.g., browsers, plugins, fonts) is a wonderful opportunity for users to customize their platforms. Yet, this massive customization creates a privacy issue: all browsers are now slightly different from one another, allowing third parties to collect unique and stable fingerprints to track users. Although software diversity appears to be the source of this privacy issue, we claim that this same diversity, combined with automatic reconfiguration techniques, provides the essential ingredients to constantly change browsing platforms. Constant change acts as a moving target defense strategy against browser fingerprint tracking by breaking an essential property for the exploitation of a browser fingerprint: its stability over time. We leverage virtualization and modular software architectures to automatically assemble and reconfigure a user’s software components at multiple levels. We operate on the operating system, the browser, the lists of fonts and plugins. This work is the first application of software reconfiguration to build a moving target defense against browser fingerprint tracking. The main objective is to automatically modify the fingerprint a platform exhibits. We have developed a prototype called \textitBlink to experiment the effectiveness of our approach at randomizing fingerprints. We have assembled and reconfigured thousands of platforms, and we observe that all of them exhibit different fingerprints, and that commercial fingerprinting solutions are not able to detect that the different platforms actually correspond to a single user.
Reference:
Mitigating browser fingerprint tracking: multi-level reconfiguration and diversification (Pierre Laperdrix, Walter Rudametkin, Benoit Baudry), In Proc. of the Int. Symp. on Software Engineering for Adaptive and Self-Managing Systems (SEAMS), 2015.
Bibtex Entry:
@inproceedings{laperdrix15,
title = {Mitigating browser fingerprint tracking: multi-level reconfiguration and diversification},
author = {Laperdrix, Pierre and Rudametkin, Walter and Baudry, Benoit},
url = {http://diversify-project.eu/papers/laperdrix15.pdf},
year = {2015},
keywords={diversity, web, privacy},
booktitle = {Proc. of the Int. Symp. on Software Engineering for Adaptive and Self-Managing Systems (SEAMS)},
url = {https://hal.inria.fr/hal-01121108/document},
abstract = {The diversity of software components (e.g., browsers, plugins, fonts) is a wonderful opportunity for users to customize their platforms. Yet, this massive customization creates a privacy issue: all browsers are now slightly different from one another, allowing third parties to collect unique and stable fingerprints to track users. Although software diversity appears to be the source of this privacy issue, we claim that this same diversity, combined with automatic reconfiguration techniques, provides the essential ingredients to constantly change browsing platforms. Constant change acts as a moving target defense strategy against browser fingerprint tracking by breaking an essential property for the exploitation of a browser fingerprint: its stability over time.
We leverage virtualization and modular software architectures to automatically assemble and reconfigure a user's software components at multiple levels. We operate on the operating system, the browser, the lists of fonts and plugins.
This work is the first application of software reconfiguration to build a moving target defense against browser fingerprint tracking. The main objective is to automatically modify the fingerprint a platform exhibits. We have developed a prototype called \textit{Blink} to experiment the effectiveness of our approach at randomizing fingerprints. We have assembled and reconfigured thousands of platforms, and we observe that all of them exhibit different fingerprints, and that commercial fingerprinting solutions are not able to detect that the different platforms actually correspond to a single user.},
X-International-Audience = {yes},
X-Language = {EN},
x-abbrv = {SEAMS}
}