New technique introduced for hidden system and browser identification

A group of researchers from the Graz University of Technology (Austria), previously known for developing the MDS, NetSpectre and Throwhammer attack methods, has disclosed a new side-channel analysis technique that makes it possible to determine the exact browser version, the operating system in use, the CPU architecture, and the use of add-ons intended to counter hidden identification.

To determine these parameters, it is enough to execute the JavaScript code prepared by the researchers in the browser. In practice, the method can be used not only as an additional source for indirect user identification, but also for determining the system environment parameters for the targeted use of exploits, taking into account the OS, architecture, and browser. The method is also effective against browsers with mechanisms for blocking hidden identification, such as Tor Browser. The source code of a prototype implementing the method is published under the MIT license.

The determination is based on identifying property state patterns in JavaScript that are characteristic of different browsers, and on the timing characteristics of operations, which depend on the features of the JIT, the CPU and the memory allocation mechanisms. The properties are determined by generating a list of all objects available from JavaScript. As it turned out, the number of objects directly correlates with the browser engine and its version.

function getProperties(o) {
  // Collect the own keys (strings and symbols) of o and of every
  // object above it in the prototype chain.
  var result = [];
  while (o !== null) {
    result = result.concat(Reflect.ownKeys(o));
    o = Object.getPrototypeOf(o);
  }
  return result;
}

For example, for Firefox the documentation declares support for 2247 properties, while the actual number of properties detected, including undocumented ones, is 15709 (in Tor Browser, 15639); for Chrome, 2698 properties are declared, but 13570 are actually offered (in Chrome for Android, 13119). The number and values of properties vary from one browser version to another and across different operating systems.

The values and presence of certain properties can be used to determine the OS type. For example, in Kubuntu the window.innerWidth property is set to 1000, and in Windows 10 it is set to 1001. On Windows, the window.navigator.activeVRDisplays property is available, but on Linux it is not. Many specific calls are provided for Android, but there is no window.SharedWorker. To identify the operating system, it is also proposed to analyze WebGL parameters, the state of which depends on the drivers. In addition, calling the WEBGL_debug_renderer_info extension makes it possible to get information about the OpenGL rendering engine, which is different for each operating system.

To determine the CPU, the method evaluates differences in the execution time of various typical code blocks, the processing of which depends on the instruction set architecture, taking into account the behavior of the JIT (it determines how many CPU registers will be used, and in which cases the JIT will generate efficient code with optimizations and extended instructions and in which it will not). To determine the type of memory allocation system and the operating system, the difference in memory allocation time for various structures is also measured, which can be used to judge the size of memory blocks.

The parameters determined during the execution of the script are compared with reference values typical of pre-tested environments. During testing, the technique made it possible to accurately distinguish 40 different test environments, determining the versions of the browsers used, the CPU manufacturer, the operating system used, and whether the code was running on real hardware or in a virtual machine.

Separately, the researchers note the possibility of detecting browser add-ons and even individual add-on settings, including add-ons designed to block hidden identification methods or private browsing activity. In the context of the proposed method, such add-ons become another source of data for identification. Add-ons are detected by evaluating the distortions they introduce into the parameters of the original environment.
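The comparison against reference values and the add-on distortion described above can be reproduced as an audit of what an anti-identification add-on changes in a profile. This is an added example, not the researchers' prototype: the environments, the `addonHook` property, and the helpers `profileOf`, `jaccard`, `diffProfiles`, `matchTemplate` and `makeEnv` are constructed for illustration and run under Node.js.

```javascript
// Added example: environments are constructed stand-ins for `window`.
// Same prototype-chain walk as getProperties(), collected into a Set.
function profileOf(o) {
  const keys = new Set();
  for (; o !== null; o = Object.getPrototypeOf(o)) {
    for (const k of Reflect.ownKeys(o)) keys.add(String(k));
  }
  return keys;
}
// Jaccard similarity of two property sets: |A ∩ B| / |A ∪ B|.
function jaccard(a, b) {
  let shared = 0;
  for (const k of a) if (b.has(k)) shared++;
  const union = a.size + b.size - shared;
  return union === 0 ? 1 : shared / union;
}
// Properties an environment gained or lost relative to a reference.
function diffProfiles(reference, observed) {
  return {
    added: [...observed].filter((k) => !reference.has(k)).sort(),
    removed: [...reference].filter((k) => !observed.has(k)).sort(),
  };
}
// Pick the reference template closest to the observed profile.
function matchTemplate(observed, templates) {
  let best = { name: null, score: -1 };
  for (const [name, tpl] of Object.entries(templates)) {
    const score = jaccard(observed, tpl);
    if (score > best.score) best = { name, score };
  }
  return best;
}
// Constructed environment: inherited keys sit on a null-prototype object.
function makeEnv(inherited, own) {
  const proto = Object.create(null);
  for (const k of inherited) proto[k] = true;
  return Object.assign(Object.create(proto), Object.fromEntries(own.map((k) => [k, true])));
}
const base = ["fetch", "WebGLRenderingContext"];
const templates = {
  linux: profileOf(makeEnv([...base, "SharedWorker"], ["innerWidth"])),
  windows: profileOf(makeEnv([...base, "SharedWorker", "activeVRDisplays"], ["innerWidth"])),
  android: profileOf(makeEnv(base, ["innerWidth", "ontouchstart"])),
};
// Linux profile after a hypothetical add-on removed WebGL and injected a hook.
const observed = profileOf(makeEnv(["fetch", "SharedWorker", "addonHook"], ["innerWidth"]));
const match = matchTemplate(observed, templates);
const drift = diffProfiles(templates[match.name], observed);
console.log(match, drift);
```

The modified profile still matches its underlying template, and the `added`/`removed` lists show exactly which changes the add-on exposes, which is the residue to minimize when evaluating such an add-on.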

Among other identification methods, one can note the use of such indirect data as screen resolution, the list of supported MIME types, header-specific options (HTTP/2 and HTTPS), analysis of installed plugins and fonts, availability of certain Web APIs, video-card-specific rendering features with WebGL and Canvas, manipulation with CSS, and analysis of the features of working with the mouse and keyboard.

Source: opennet.ru
