Pro Yearly is
on sale
from
$80
to $50! »
Speaker Deck
Speaker Deck Pro
Sign in
Sign up
for free
Webデバイストラッキング手法の紹介
Kurochan
January 20, 2019
Technology
11
11k
Webデバイストラッキング手法の紹介
Kurochan
January 20, 2019
Tweet
Share
More Decks by Kurochan
See All by Kurochan
kurochan
0
230
kurochan
1
2.4k
kurochan
0
330
kurochan
5
970
kurochan
2
660
kurochan
2
96
kurochan
1
4.1k
kurochan
4
5.2k
kurochan
0
5.3k
Other Decks in Technology
See All in Technology
line_devday2020
0
360
ko_fujita1
0
110
line_devday2020
0
260
line_devday2020
0
430
tsukubachallenge
0
130
line_devday2020
0
140
harshbothra
0
430
yoku0825
2
150
voyage_tech
0
230
noriyukitakei
0
220
clustervr
0
170
kouxyz21
0
460
Featured
See All Featured
morganepeng
92
13k
orderedlist
PRO
327
35k
malarkey
192
8.4k
nonsquared
81
3.3k
mthomps
39
2.2k
iamctodd
13
1.7k
davidbonilla
69
3.5k
jmmastey
7
440
lara
172
9.4k
productmarketing
5
590
jponch
101
4.9k
jonrohan
1021
370k
Transcript
WebσόΠετϥοΩϯάख๏ͷ հ @kuro_m88 ใՊֶएखͷձ ౙͷਞ 2019/01/20
ࣗݾհ • ࠇ࡚ ༏ଠ (@kuro_m88) • ใՊֶएखͷձ װࣄ • ࣄαʔόαΠυΤϯδχΞ
• झຯͰαʔόӡ༻Λ͍ͯ͠·͢
ຊ͓͢Δ͜ͱ • ݸਓతʹWebσόΠετϥοΩϯάख๏͕ͲΜͳͷ͕ ଘࡏ͢Δͷ͔ௐͯɺڵຯਂ͔ͬͨख๏ͷհ
σόΠετϥοΩϯάͱ
σόΠετϥοΩϯάΛ͍ͨ͠ཧ༝ • αʔόଆ͕ಉ͡ਓͱͷ௨৴Ͱ͋ΔࣄΛΓ͍ͨ • Ұൠʹ = • ෳσόΠεʹ·͕ͨΔ߹ΫϩεσόΠετϥοΩϯά
σόΠετϥοΩϯάͰͰ͖Δ͜ͱ (ྫ) • ηογϣϯ(ϩάΠϯ)ͷҡ࣋ • ϦεΫϕʔεೝূ • σδλϧϑΥϨϯδΫε • ߦಈλʔήςΟϯάࠂ
σόΠετϥοΩϯάͷͨΊʹඞཁ ͳ͜ͱ • ಉҰΛಛఆ/ਪఆ͢ΔͨΊͷใΛूΊͳ͚ΕͳΒͳ͍ • Fingerprintingͱݴ͏ͱը໘ղ૾GPUͷڍಈ UserAgent͕ྫͱͯ͠Α͘ڍ͛ΒΕΔ͕ɺεϚϗͷ߹ ΄ͱΜͲҰॹʹͳͬͯ͠·͏
σόΠετϥοΩϯάख๏ʹ ·ͭΘΔٞ • ݱ࣮ੈքͰԿ͔͠ΒͷαʔϏεΛఏڙ͢ΔதͰσόΠεΛτϥο Ωϯά͢ΔࡍϢʔβʹڐՄΛऔͬͨΓ(ΦϓτΠϯ)ɺڋ൱͢Δ ͜ͱ͕Ͱ͖ͨΓ(ΦϓτΞτ)͢Δ͜ͱ͕ଟ͍ • Ϣʔβͷίϯτϩʔϧ͕ޮ͔ͳ͍ํ๏ʹͳΔ͜ͱ͕ଟ͍ • ࠓճٕज़ͷͷΈ͠·͢
σόΠετϥοΩϯάٕज़6બʂ • Cookie • IP Address • HSTS Super Cookie
• TCP Timestamp • SSL Session Ticket • IP Address (࠶)
Cookie
Cookie • Web։ൃ͍ͯ͠ΔਓͳΒ͖ͬͱ͍ͬͯΔͣ# • Same Origin Policy͕͋Δ • ྫ: example.com
ͷCookieexample.jpͷαʔό͔ΒݟΒΕͳ͍ • Cookie SyncΛ͢Δ͜ͱͰτϥοΩϯάͰ͖Δൣғ͕ͻΖ͕Δ • AppleITPͱ͍͏ͷΛಋೖ͠CookieʹΑΔτϥοΩϯάʹ ੍ݶΛ͔͚͍ͯΔ • εϚϗͩͱIDFA/AdIDͱ͍͏ͷ͋Δ
• ࠂͷDSPͱSSPͷؒͳͲͰΑ͘ߦΘΕΔॲཧ Cookie Sync example.com: AAAA example.jp: BBBB example.com: AAAA
redirect example.jp, param: =AAAA example.jp: BBBB, param: AAAA example.com: AAAA example.jp: BBBB =
IP Address
IP Address • 192.168.0.1ͷΑ͏ʹॻ͖ද͞ΕΔͷ • ʮΠϯλʔωοτ্ͷॅॴ ʯͳͲͱݴΘΕΔ͜ͱ • 32bit, 2^32
≒ 43ԯ ௨Γͷදݱ͕Ͱ͖Δ • ٿਓޱ73ԯਓʹ1ׂͭͮͭΓͯΒΕͳ͍ͱ͍͏ܽΛ࣋ͭ
IP Address͚ͩͰτϥοΩϯάෆ ೳ • ʮΠϯλʔωοτ্ͷॅॴ ʯ= Ͱͳ͍ • ͱ͍͏ΑΓ •
͜ͷͨΊʹૹ৴ݩIP͕͔ͬͯಉҰૹ৴ݩͱݶΒͳ͍'
NAT • NetworkAddressTranslation • Global IPΞυϨεΛԆ໋/અ͢Δٕज़ • PrivateIPΛ༻͍ɺ(srcIP,srcPort,dstIP,dstPort,protocolNum)ͷ Έ߹ΘͤͰΞυϨεΛ1ରଟͰϚοϐϯά͢Δ •
ISP͕ߦ͏߹CareerGradeNATͱ͔LargeScaleNAT ͱݺΕΔ
ͱ͍͏͜ͱ… • Global IPͱPrivate IP͕1ରଟͰϚοϐϯά͞Ε͍ͯΔ͔Β ಛఆͰ͖ͳ͍ • Global IPͱPrivate IPͷΈ߹Θ͕ͤಘΒΕΕ
ಛఆͰ͖ΔͷͰ • ※2ஈҎ্ͷଟஈNATͷ߹ಛఆෆೳ
XHRํࣜ • JavaScriptͷXHRͰదͳൣғͷશͯͷPrivateIPʹϦΫΤετ Λૹ৴͠ɺฦ͖ͬͯͨͷͷϨεϙϯελΠϜΛಛྔͱ͢Δ • ύέοτΛେྔʹૹΔͱ߈ܸʹͳΓ͔Ͷͳ͍ εΩϟϯ͢Δ
WebRTCํࣜ • WebRTCͷRTCPeerConnectionͷicecandidateΛར༻͢Δ • WebRTC(P2P)ͷʮNAT͑ʯͷͨΊͷٕज़ • Private IP͕औಘͰ͖Δ ΓऔΓ͢ΔͨΊʹ͓ޓ͍ͷIPΞυϨε (Private/Global)
Λަ͢Δ
HSTS Super Cookie
HSTS Super Cookie • HSTSͱ͍͏ϓϩτίϧΛར༻ͨ͠ख๏ • HSTS: webαʔό͕httpͰΞΫηε͞Εͨ࣌ʹ࣍ճ͔Β httpsͰଓͯ͠΄͍͠ͱ͍͏ใΛՃ͢Δ •
HSTSΛೝࣝͨ͠ϒϥβ࣍ճҎ߱httpͰURL͕ೖྗ ͞Εͯ࠷ॳ͔ΒhttpsͰΞΫηε͢ΔΑ͏ʹͳΔ
HSTS Super Cookie • HSTSΛೝࣝͨ͠ϒϥβ࣍ճҎ߱httpͰURL͕ೖྗ͞Εͯ ࠷ॳ͔ΒhttpsͰΞΫηε͢ΔΑ͏ʹͳΔ • httpͰΞΫηεͤͨ͞ͷͷhttpsͰ௨৴͕དྷͨ => 1bitͷใྔ
• 32ݸͷαϒυϝΠϯΛ༻ҙͯ͠ɺHSTS͕༗ޮ/ແޮΛϥϯμϜʹ Γସ͑Δͱ32bitͷใྔʹͳΓɺ43ԯσόΠε͕ࣝผͰ͖Δ
HSTS Super Cookie • Super CookieΛ"هԱͤ͞Δ" HSTS ON HSTS OFF
HSTS ON a.example.com b.example.com c.example.com
HSTS Super Cookie • Super CookieΛ"ಡΈग़͢" • HTTPͰΞΫηεͤ͞Δ • HSTS͕༗ޮͳͱ͜Ζ͚ͩHTTPͷͭΓ͕
HTTPSͰϦΫΤετ͕͘Δ 1 0 1 HTTP HTTPS HTTPS ϢʔβͷID: 011 a.example.com b.example.com c.example.com
࣮ࡍͷڍಈ
TCP Timestamp
TCP Timestamp
RFC1323 • TCP Timestampʹ͍ͭͯنఆ • Timestamp1msʙ1ඵִؒͰ૿ܾ͢·Γ • OptionalͳϑΟʔϧυ • ߋ৽ִؒ໌ࣔ͞Ε͍ͯͳ͍,
࣮ґଘ
TCPͷγʔέϯε൪߸ͱͷҧ͍ʁ • TCP Timestamp ≠ TCP Sequence ' • γʔέϯε൪߸σʔλͷόΠτຖʹৼΒΕΔ(32bit)
• ߴͳωοτϫʔΫͰ࣌ؒͰΧϯλ͕1िͯ͠͠·͏ • λΠϜελϯϓ+γʔέϯε൪߸ͰύέοτͷॱংΛอূ͢Δ
TCP TimeStampΛτϥοΩϯάʹར༻͢Δ • ͋Δఔ(25msʙ10minఔ)ஔ͍ͨ2ͭͷTCPύέοτͷ • ౸ண࣌ࠁ(t1, t2) • TCPλΠϜελϯϓ(ts1, ts2)
• TCPλΠϜελϯϓͷपΛٻΊΔ freq = (ts2 - ts0) * 1000 / (t1 - t0)
TCP TimeStampΛτϥοΩϯάʹར༻ ͢Δ • TCPλΠϜελϯϓΛपͰׂΔ • σόΠεͷuptime(ىಈ࣌ؒ)͕ٻ·Δ • uptime͑͞ٻ·ΕIPΞυϨεͱֻ͚߹ΘͤΕ͕ ਪఆՄೳʹ(ͽͬͨΓಉ࣌ࠁʹىಈ͢Δ͍ͳ͍ͱԾఆ)
uptime = ts1 / freq
uptimeਪఆ͕؆୯ʹࢼͤΔπʔϧ • p0f (http://lcamtuf.coredump.cx/p0f3/) • ىಈͯ͠ΠϯλʔϑΣΠεΛࢦఆ͢Δ͚ͩ .-[ 10.0.3.10/47099 -> 10.0.3.1/22
(syn) ]- | | client = 10.0.3.10/47099 | os = Linux 3.11 and newer | dist = 0 | params = none | raw_sig = 4:64+0:0:1460:mss*20,7:mss,sok,ts,nop,ws:df,id+:0 | `---- .-[ 10.0.3.10/47099 -> 10.0.3.1/22 (uptime) ]- | | client = 10.0.3.10/47099 | uptime = 0 days 0 hrs 8 min (modulo 198 days) | raw_freq = 250.04 Hz |
͏·͍͔͘ͳͦ͞͏ͳ • Linuxͷ࣮ΛݟͨݶΓɺtimestampͷߋ৽CPUͷλΠϚʔׂΓࠐΈ͕ ϕʔεͬΆ͍(jiffies) • ͕εϦʔϓͯ͠ΔؒλΠϜελϯϓͷߋ৽͕ࢭ·Δ…ʁ • Linux v4.10͔ΒTCP Timestamp͕ίωΫγϣϯ͝ͱʹϥϯμϜʹͳͬͨ
• https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/ commit/?id=95a22caee396cef0bb2ca8fafdd82966a49367bb
SSL Session Ticket
SSL Handshake https://blogs.msdn.microsoft.com/kaushal/2013/08/02/ssl-handshake-and-https-bindings-on-iis/
SSL Session Ticket https://techblog.yahoo.co.jp/infrastructure/ssl-session-resumption/
SSL Session Ticket https://techblog.yahoo.co.jp/infrastructure/ssl-session-resumption/
SSL Session TicketΛτϥοΩϯάʹ ͏ ͨ͠νέοτΛͬͯ࠶ଓͯ͘͠ΔͷͰ ಉҰϢʔβͩͱΘ͔Δ
IP Address (࠶)
IPv6 • ͖͞΄ͲͷྫIPv4 • IPv4͔ΒҠߦதͷٕज़(ͱݴΘΕ͍ͯΔ) • 2001:240:2401:4f7f:d051:d1bf:544e:cfc0 ͜Μͳײ͡Ͱද͞ΕΔ • 128bit,
2^128 ≒ 340ݸ • ਓྨͷͷໟ1ຊ1ຊʹΞυϨεΛׂΓͯͯશ͘৺ͳ͍ εέʔϥϏϦςΟ(ͱݴΘΕ͍ͯΔ)
IPv6NAT͠ͳ͍ͷ͔ʁ • NATෆཁ (NAT as a Firewallͷ࣌ऴΘΔ…ʁ) • → 1IP
= ͷ͕͖͍࣌ͯΔ • සൟʹม͑Δͱ௨৴ཱ͕͠ͳ͘ͳΔ • !໋ͳIDͱͯ͠ػೳ͠͏Δ
IPv6ͷσϓϩΠঢ়گ • Appleͷ৹ࠪͰIPv6ରԠ͕ඞਢʹ • ຊͷܞଳΩϟϦΞIPv6σϓϩΠʹফۃతͩͬͨ • ૯লౖ͕ͬͯ2017தͷ ಋೖΛཁ • ࠓͰΘΓͱ
ීٴ͖͍ͯͯ͠Δͣ
·ͱΊ • ༷ʑͳσόΠεͷτϥοΩϯάख๏Λௐࠪ͠·ͨ͠ • ཁૉٕज़ͷత͔Β͢ΔͱҙਤͤͣτϥοΩϯάͰ͖ ͯ͠·͏ͷʹؔͯ͠ηΩϡϦςΟ্ͷཧ༝͔Βम ਖ਼͕Ճ͑ΒΕ͍ͯΔͷ͋Δ
kurochan
line_devday2020
ko_fujita1
tsukubachallenge
harshbothra
yoku0825
voyage_tech
noriyukitakei
clustervr
kouxyz21
morganepeng
orderedlist
malarkey
nonsquared
mthomps
iamctodd
davidbonilla
jmmastey
lara
productmarketing
jponch
jonrohan
