ABSTRACT
In this paper, we report on the applicability of combinatorial sequence testing methods to the problem of fingerprinting browsers based on their behavior during a TLS handshake. We created an abstract model of the TLS handshake protocol and used it to map browser behavior to a feature vector, from which we derive a distinguisher. Using combinatorial methods, we created test sets of TLS server-side message sequences that are sent to the client as server responses during the TLS handshake. Further, we evaluate our approach in a case study showing that combinatorial properties have an impact on browsers' behavior.
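The abstract describes the core mechanics without showing them: a strength-t sequence covering array (SCA) over the server's handshake messages, each row of which is one test (a reordered server flight), and a feature vector built from how a client reacts to each test. The following Python is an added illustration written for this page; it is not the paper's code or the CSCM-Tool referenced below. The message names follow the RFC 5246 server flight but are assumptions, the two client models (a strict one that enforces RFC order and a lenient one that only checks the first and last message) are constructed for the example, and the greedy SCA construction is a generic one that enumerates all permutations, so it is only meant for flights of a handful of messages.

```python
import itertools

# Constructed example: server-side messages of a TLS 1.2 handshake flight in
# RFC 5246 order. Names are assumptions for illustration only.
SERVER_EVENTS = ("ServerHello", "Certificate", "ServerKeyExchange", "ServerHelloDone")


def t_subsequences(seq, t):
    """All ordered length-t subsequences of seq (order kept, gaps allowed)."""
    return set(itertools.combinations(seq, t))


def required_sequences(events, t):
    """Every ordering of every t-subset of events: what a strength-t SCA must cover."""
    return {p for comb in itertools.combinations(events, t)
            for p in itertools.permutations(comb)}


def covers(test_set, events, t):
    """True when test_set is a sequence covering array of strength t over events."""
    seen = set()
    for seq in test_set:
        seen |= t_subsequences(seq, t)
    return required_sequences(events, t) <= seen


def greedy_sca(events, t):
    """Greedy strength-t SCA: each round appends the permutation that covers the
    most still-uncovered t-sequences. Enumerates all n! permutations per round,
    so it is intended for small n (a handshake flight), not large event sets.
    Terminates because any uncovered t-sequence is contained in some permutation."""
    needed = required_sequences(events, t)
    tests = []
    while needed:
        best = max(itertools.permutations(events),
                   key=lambda p: len(needed & t_subsequences(p, t)))
        tests.append(best)
        needed -= t_subsequences(best, t)
    return tests


# Constructed client models standing in for real browsers. A real harness would
# replay each test sequence to the browser and record the observed reaction.
def strict_client(seq):
    """Accepts only the exact RFC 5246 order, otherwise answers with an alert."""
    return "continue" if seq == SERVER_EVENTS else "alert"


def lenient_client(seq):
    """Only checks that ServerHello comes first and ServerHelloDone comes last."""
    return "continue" if seq[0] == "ServerHello" and seq[-1] == "ServerHelloDone" else "alert"


def feature_vector(client, test_set):
    """One observation per test sequence, in test-set order: the client's fingerprint."""
    return tuple(client(seq) for seq in test_set)


def distinguisher(known, observed):
    """Labels of known clients whose feature vector equals the observed one.
    More than one label means the test set is too weak to separate them."""
    return [name for name, vec in known.items() if vec == observed]


if __name__ == "__main__":
    for t in (2, 3, 4):
        sca = greedy_sca(SERVER_EVENTS, t)
        known = {"strict": feature_vector(strict_client, sca),
                 "lenient": feature_vector(lenient_client, sca)}
        print(f"strength {t}: {len(sca)} tests, "
              f"lenient matches {distinguisher(known, known['lenient'])}")
```

Running the block shows the point the abstract's case study makes about combinatorial properties: the strength-2 array needs only two test sequences (the RFC order and its reverse), but both model clients react identically to it, so it cannot separate them; raising the strength adds reorderings on which the two models diverge, at the cost of more handshakes per fingerprint.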
Browser fingerprinting using combinatorial sequence testing