[tor-dev] Panopticlick summer project

Gunes Acar gunes.acar at esat.kuleuven.be
Mon Mar 17 02:59:46 UTC 2014



Dear All,

My name is Gunes Acar, a 2nd-year PhD student at the Computer Security and
Industrial Cryptography (COSIC) group of the University of Leuven.

I work with Prof. Claudia Diaz and study online tracking and browser
fingerprinting. I'd like to work on the "Panopticlick"
(https://www.torproject.org/getinvolved/volunteer.html.en#panopticlick)
summer project and other fingerprinting-related issues, which I have
tried to outline below:

1) Collaborate with Peter at EFF to port/open-source Panopticlick:
https://trac.torproject.org/projects/tor/ticket/6119#comment:4
a) implement necessary modifications - e.g. we won't be having cookies
or real IP addresses to match returning visitors.
b) consider security implications of storing fingerprints (e.g. what
happens if someone gets access to fingerprint database?)

2) Add machine-readability support outlined in Tor Automation
proposals:
https://people.torproject.org/~boklm/automation/tor-automation-proposals.html#helper-fingerprint
a) which one(s) should we implement? JSON, YAML, XML?

3) Survey the literature for fingerprinting attacks published since
Panopticlick. Implement those that may apply to TBB:
a) Canvas & WebGL fingerprinting (Mowery et al.) - make sure the patch
at #6253 works
b) JS engine fingerprinting (Mulazzani et al.)
c) CSS & rendering engine fingerprinting (Unger et al.)
...

4) Check with real-world fingerprinting scripts to see if they collect
anything that has not been considered before. Check if TBB's FP
countermeasures work against them. (We can use data from the FPDetective
study to find sites with fingerprinting scripts.)

5) Backport new "attacks" found in 3 & 4 to EFF's Panopticlick in case
they consider an update.

6) Convert fixed FP-related bugs into regression tests.
https://trac.torproject.org/projects/tor/query?keywords=~tbb-fingerprinting&status=closed

7) Build test cases to check the severity of fingerprinting-related
open tickets, e.g.:
https://trac.torproject.org/projects/tor/ticket/8770
https://trac.torproject.org/projects/tor/ticket/10299

8) Work on potential fingerprinting bugs that ESR31 may bring.

9) ESR transitions seem to create a lot of FP-related issues that need
to be checked manually (e.g. #9608). Consider developing a tool that
iterates over the host objects of two browsers to compare them
automatically (e.g. to pinpoint new objects, new methods, updated
default values, etc.). Similar to "diff tool" mentioned here:
https://people.torproject.org/~boklm/automation/tor-automation-proposals.html#helper-fingerprint

10) Evaluate the font limits of TBB by checking the average number of
fonts the Top 1 Million sites use. We can either collect fresh data with
FPDetective or use the existing (~1 year old) data.


More on my background relevant to fingerprinting and TBB code base:

We recently published a paper called "FPDetective: Dusting the Web for
Fingerprinters" (CCS'13) to measure the prevalence of browser
fingerprinting on the Internet. As a part of this study, we built
instrumented browsers from Chromium and PhantomJS source code and
developed a framework to detect fingerprinting
(https://github.com/fpdetective/).

I also got my hands dirty with the TBB source code to seek
vulnerabilities in FP countermeasures. Two ways I found to circumvent
existing font limits were as follows:
https://trac.torproject.org/projects/tor/ticket/8270#comment:2
https://trac.torproject.org/projects/tor/ticket/5798#comment:13

Other pointers:
My website: http://www.esat.kuleuven.be/cosic/?page_id=126
FPDetective website: https://www.cosic.esat.kuleuven.be/fpdetective/
My (first & only) Tor patch:
https://trac.torproject.org/projects/tor/ticket/10472
My Tor FAQ profile: http://tor.stackexchange.com/users/731/gacar

Looking for your comments,
Cheers,
Gunes

N.B.: I won't be applying to GSoC.
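
The comparison tool proposed in item 9, as an added example that is not part of the original message or of any Tor Project code: it snapshots the script-visible object tree and reports new properties, removed properties, changed function arity and changed default values. The function names (`allKeys`, `snapshot`, `diffSnapshots`) and the two sample objects are assumptions made up for illustration; in a browser the root passed to `snapshot` would be `window`.

```javascript
// Added example: diff the script-visible object surface of two browser builds.
// Collect property names from the object and its prototype chain (host-object
// attributes usually live on prototypes), stopping before Object.prototype.
function allKeys(obj) {
  const keys = new Set();
  for (let o = obj; o && o !== Object.prototype; o = Object.getPrototypeOf(o))
    Object.getOwnPropertyNames(o).forEach(k => keys.add(k));
  return [...keys].sort();
}

// Record "path -> type/value" for every property reachable within maxDepth.
function snapshot(root, name, maxDepth = 3) {
  const out = Object.create(null), seen = new Set(); // seen: cycle guard
  (function walk(obj, path, depth) {
    if (depth > maxDepth || seen.has(obj)) return;
    seen.add(obj);
    for (const key of allKeys(obj)) {
      const p = path + "." + key;
      let val;
      try { val = obj[key]; } catch (e) { out[p] = "throws"; continue; }
      const t = val === null ? "null" : typeof val;
      if (t === "object") { out[p] = "object"; walk(val, p, depth + 1); }
      else if (t === "function") out[p] = "function/" + val.length; // arity
      else out[p] = t + "=" + String(val); // primitives: keep default value
    }
  })(root, name, 0);
  return out;
}

// Compare two snapshots: new paths, missing paths, and paths whose record differs.
function diffSnapshots(oldSnap, newSnap) {
  const added = [], removed = [], changed = [];
  for (const p of Object.keys(newSnap)) {
    if (!(p in oldSnap)) added.push(p);
    else if (oldSnap[p] !== newSnap[p]) changed.push(`${p}: ${oldSnap[p]} -> ${newSnap[p]}`);
  }
  for (const p of Object.keys(oldSnap)) if (!(p in newSnap)) removed.push(p);
  return { added: added.sort(), removed: removed.sort(), changed: changed.sort() };
}

// Constructed stand-ins for `window` in two builds; not data from any real release.
const oldBuild = { navigator: { userAgent: "UA", maxTouchPoints: 0 }, open() {} };
const newBuild = { navigator: { userAgent: "UA", maxTouchPoints: 1, getGamepads() {} },
                   open(url, target) {}, speechSynthesis: { pending: false } };
const report = diffSnapshots(snapshot(oldBuild, "window"), snapshot(newBuild, "window"));
console.log(JSON.stringify(report, null, 2));
```

Each snapshot is a flat path-to-string map, so it can be serialized to JSON in one browser and diffed against a snapshot taken in another.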


