[Paper Reading #4] Carnus: Exploring the Privacy Threats of Browser Extension Fingerprinting

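This article examines the privacy threats posed by browser extensions and introduces Carnus, an automated tool for detecting and creating behavior-based extension fingerprints. The study finds that 83.6% - 87.92% of the behavior-based fingerprints remain effective against anti-tracking mechanisms. By analyzing extensions' communication patterns, the authors reveal sensitive information that extensions may leak, and propose a de-anonymization attack based on extension reviews. The work also explores how users' private information can be inferred from their extensions, underlining the need for attention to extension security and for more effective countermeasures.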


1. Paper Information

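This paper was published at NDSS 2020. Unlike the previous paper, whose authors extracted mobile-app fingerprints from encrypted traffic, this one targets browser extensions, and it derives fingerprints from static and dynamic features of the extensions. In addition, the authors investigate how much of a privacy threat extension fingerprinting poses to users: depending on the nature of the extensions, they may inadvertently leak sensitive user information such as country, gender, and ethnicity.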
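The abstract quoted below names web accessible resources (WAR) as the established way to detect an extension. As an added example (not from the paper or from Carnus), the following audits a manifest for that exposure from the extension developer's side; the risk grades and the sample manifests are constructed for illustration.

```javascript
// Added example: audit manifest.json for web_accessible_resources (WAR) exposure.
// Files listed there can be requested by web pages, which reveals the extension.
function auditWar(manifest) {
  const war = manifest.web_accessible_resources;
  const findings = [];
  if (!Array.isArray(war)) return findings;
  for (const entry of war) {
    if (typeof entry === "string") {
      // Manifest V2: a plain path or glob, readable from every origin.
      findings.push({ resource: entry, risk: "high" });
      continue;
    }
    // Manifest V3: { resources, matches, extension_ids, use_dynamic_url }
    const matches = entry.matches || [];
    const broad = matches.some(
      (m) => m === "<all_urls>" || /^(\*|https?):\/\/\*\/\*$/.test(m)
    );
    let risk; // heuristic grading chosen for this example
    if (matches.length === 0) risk = "none"; // reachable by other extensions only
    else if (!broad) risk = "low"; // probeable only from the named sites
    else risk = entry.use_dynamic_url ? "medium" : "high"; // per-session URL
    for (const resource of entry.resources || []) findings.push({ resource, risk });
  }
  return findings;
}

// Constructed sample manifests (not real extensions).
const sampleV2 = {
  manifest_version: 2,
  web_accessible_resources: ["img/logo.png", "inject.js"],
};
const sampleV3 = {
  manifest_version: 3,
  web_accessible_resources: [
    { resources: ["ui/panel.html"], matches: ["<all_urls>"] },
    { resources: ["ui/frame.html"], matches: ["https://*/*"], use_dynamic_url: true },
    { resources: ["data/site.css"], matches: ["https://example.com/*"] },
    { resources: ["shared/api.js"], extension_ids: ["aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"] },
  ],
};

for (const m of [sampleV2, sampleV3]) {
  console.log(`MV${m.manifest_version}:`, auditWar(m));
}
```

A clean result covers only the WAR vector; the behavior-based fingerprints the abstract describes (DOM artifacts, outgoing requests, message exchanges) are not assessed by this check.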

1.1 Original Abstract

With users becoming increasingly privacy-aware and browser vendors incorporating anti-tracking mechanisms, browser fingerprinting has garnered significant attention. Accordingly, prior work has proposed techniques for identifying browser extensions and using them as part of a device's fingerprint. While previous studies have demonstrated how extensions can be detected through their web accessible resources, there exists a significant gap regarding techniques that indirectly detect extensions through behavioral artifacts. In fact, no prior study has demonstrated that this can be done in an automated fashion. In this paper, we bridge this gap by presenting the first fully automated creation and detection of behavior-based extension fingerprints. We also introduce two novel fingerprinting techniques that monitor extensions' communication patterns, namely outgoing HTTP requests and intra-browser message exchanges. These techniques comprise the core of Carnus, a modular system for the static and dynamic analysis of extensions, which we use to create the largest set of extension fingerprints to date. We leverage our dataset of 29,428 detectable extensions to conduct a comprehensive investigation of extension fingerprinting in realistic settings and demonstrate the practicality of our attack. Our in-depth analysis confirms the robustness of our techniques, as 83.6% - 87.92% of our behavior-based fingerprints remain effective against a state-of-the-art countermeasure.

Subsequently, we aim to explore the true extent of the privacy threat that extension fingerprinting poses to users, and present a novel study on the feasibility of inference attacks that reveal private and sensitive user information based on the functionality and nature of their extensions. We first collect over 1.44 million public user reviews of our detectable extensions, which provide a unique macroscopi
