Honors Theses

Advisor

Phu Phung, Ph.D. / Ahmed L. Ouadrhiri, Ph.D.

Department

Computer Science

Publication Date

4-1-2023

Document Type

Honors Thesis

Abstract

While fraud detection companies use fingerprinting methods as a secondary form of identification, attackers can exploit these fingerprinting methods due to the revealing nature of the software and hardware information collected. Attackers can use this sensitive information to target users with known vulnerabilities, monitor a user’s activity, and even reveal their identity without their knowledge or consent. Unfortunately, average users have limited options to opt out of or block fingerprinting attacks.

In this thesis, we propose a solution that enforces dynamic policies on web pages to prevent potential malicious device fingerprinting methods. We employed the Inline Reference Monitor (IRM) approach to supervising JavaScript operations on web pages, including method calls, object creation and access, and property access. When executed, the IRM will intercept these operations, providing runtime policy enforcement to mitigate JavaScript-based dynamic fingerprinting methods that generate unique data at runtime instead of collecting static attributes. In particular, our policy enforces a randomization method rather than normalization or domain- based blocking to constantly change a given device’s fingerprint overtime, making it increasingly difficult for malicious actors to track a device across the web. Our approach can protect user privacy while limiting major site breakage, a common issue with current anti-fingerprinting technologies.

We have performed intensive experiments to demonstrate the effectiveness of our approach. In particular, we replicated and revised an existing fingerprinting attack that collects network link- state information to construct unique fingerprints. We deployed this fingerprinting attack on the cloud and collected data from web users nationwide, which are used by a machine learning model to reveal users’ locations with high accuracy. We have implemented our mitigation method by extending a browser extension prototype. The prototype demonstrated that our proposed method could effectively prevent data collection from the fingerprinting attack.

Permission Statement

This item is protected by copyright law (Title 17, U.S. Code) and may only be used for noncommercial, educational, and scholarly purposes.

Keywords

Undergraduate research


Share

COinS