Webデバイストラッキング手法の紹介 (Introduction to web device tracking techniques)

Kurochan
January 20, 2019


Transcript

  1. Introduction to web device tracking techniques
     @kuro_m88
     情報科学若手の会 冬の陣 (Information Science Young Researchers' Meeting, Winter Session), 2019/01/20

  2. Self-introduction
     • 黒崎 優太 (Yuta Kurosaki, @kuro_m88)
     • Organizer (幹事) of 情報科学若手の会
     • Works as a server-side engineer
     • Runs servers as a hobby
  3. What I will talk about today
     • I looked into what web device tracking techniques exist, and this is an introduction to the ones I found interesting

  4. What is device tracking?

  5. Why we want device tracking
     • The server side wants to know that it is talking to the same person as before
     • In general, … = … (figure text not captured in the transcript)
     • When it spans several devices it is called cross-device tracking

  6. What device tracking makes possible (examples)
     • Keeping a session (login) alive
     • Risk-based authentication
     • Digital forensics
     • Behaviourally targeted advertising

  7. What device tracking requires
     • Information that identifies, or lets us estimate, the same device has to be collected
     • When people say "fingerprinting", screen resolution, GPU behaviour and the UserAgent are the usual examples, but on smartphones these are almost all identical across devices

  8. The debate around device tracking techniques
     • In the real world, when a service tracks devices it usually asks the user for permission (opt-in) or lets the user refuse (opt-out)
     • Methods the user cannot control often become a problem
     • This talk is about the technology only

  9. Six device tracking techniques!
     • Cookie
     • IP Address
     • HSTS Super Cookie
     • TCP Timestamp
     • SSL Session Ticket
     • IP Address (again)
  10. Cookie

  11. Cookie
     • Anyone doing web development surely knows this one
     • There is a Same Origin Policy
     • Example: example.com's cookies cannot be seen by the example.jp server
     • Cookie Sync widens the range over which tracking is possible
     • Apple introduced ITP, which restricts cookie-based tracking
     • On smartphones there are also IDFA/AdID

  12. Cookie Sync
     • A process commonly performed between the DSP and SSP of an ad network
     (diagram: example.com: AAAA / example.jp: BBBB / example.com: AAAA → redirect to example.jp with param=AAAA / example.jp: BBBB, param: AAAA / example.com: AAAA = example.jp: BBBB)
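The redirect flow on slide 12, as an added model that is not code from the talk. It simulates a browser cookie jar partitioned by host (the Same Origin Policy point from slide 11) and two servers, so example.jp can only learn example.com's identifier because example.com redirects the browser to it with the identifier in the query string. The hostnames, the cookie values AAAA/BBBB and the `sync_id` parameter are constructed for the illustration.

```python
"""Cookie-sync model: two origins link their identifiers through a redirect."""
from urllib.parse import parse_qs, urlencode, urlparse


class Browser:
    """Cookie jar keyed by host: a server only ever receives its own cookies."""

    def __init__(self):
        self.jar = {}  # host -> {cookie name: value}

    def request(self, servers, url):
        """Fetch url, follow redirects, return the final response."""
        while True:
            parsed = urlparse(url)
            host = parsed.hostname
            query = {k: v[0] for k, v in parse_qs(parsed.query).items()}
            resp = servers[host].handle(self.jar.get(host, {}), query)
            self.jar.setdefault(host, {}).update(resp.get("set_cookie", {}))
            if "redirect" not in resp:
                return resp
            url = resp["redirect"]


class Server:
    """Assigns one fixed identifier per browser (constructed simplification)."""

    def __init__(self, host, cookie_value, partner=None):
        self.host = host
        self.cookie_value = cookie_value  # identifier this origin hands out
        self.partner = partner            # host to sync with, if any
        self.sync_table = {}              # own id -> partner id

    def handle(self, cookies, query):
        own_id = cookies.get("id", self.cookie_value)
        resp = {"set_cookie": {"id": own_id}}
        if "sync_id" in query:
            # The partner's identifier arrived in the URL, so we can link it to ours.
            self.sync_table[own_id] = query["sync_id"]
        elif self.partner and not cookies:
            # First visit: bounce the browser to the partner, carrying our id.
            resp["redirect"] = "https://%s/sync?%s" % (
                self.partner, urlencode({"sync_id": own_id}))
        return resp


def run_sync():
    """Browser visits example.jp, then example.com; return (jar, example.jp's sync table)."""
    servers = {
        "example.com": Server("example.com", "AAAA", partner="example.jp"),
        "example.jp": Server("example.jp", "BBBB"),
    }
    browser = Browser()
    browser.request(servers, "https://example.jp/")   # gets cookie BBBB
    browser.request(servers, "https://example.com/")  # gets AAAA, redirected to example.jp
    return browser.jar, servers["example.jp"].sync_table


if __name__ == "__main__":
    jar, table = run_sync()
    print(jar)    # each host only holds its own cookie
    print(table)  # {'BBBB': 'AAAA'}: the two identifiers are now linked
```

Note that example.jp never receives example.com's cookie directly; the link is created purely by the identifier in the redirect URL, which is what browser mitigations such as ITP (slide 11) and referrer/link-decoration controls target.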
  13. IP Address

  14. IP Address
     • Written like 192.168.0.1
     • Sometimes described as "the address on the Internet"
     • 32 bits, 2^32 ≒ 4.3 billion possible values
     • Has the drawback that it cannot give one to each of the 7.3 billion people on Earth

  15. An IP address alone cannot track a device
     • "Address on the Internet" = … is not the case (figure text not captured in the transcript)
     • Rather, …
     • For this reason, even when the source IP is known, it is not necessarily the same sender
  16. NAT
     • Network Address Translation
     • A technique to prolong the life of / conserve global IP addresses
     • Uses private IPs and maps addresses one-to-many on the tuple (srcIP, srcPort, dstIP, dstPort, protocolNum)
     • When an ISP does it, it is called Carrier Grade NAT or Large Scale NAT

  17. Which means…
     • Because global IPs and private IPs are mapped one-to-many, the device cannot be identified
     • But if the combination of global IP and private IP can be obtained, maybe it can
     • ※ With two or more levels of nested NAT, identification is impossible
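A small NAPT model for slides 16 and 17, added here and not part of the talk. Two hosts with constructed private addresses share one constructed global address; the translator records the 5-tuple mapping so that replies can be routed back. The remote server only ever sees the global address, which is why the source IP alone cannot identify a device, while the (global, private) pairing exists only inside the NAT table.

```python
"""NAPT model: one global address, many private hosts, 5-tuple state."""
from collections import namedtuple

Flow = namedtuple("Flow", "src_ip src_port dst_ip dst_port proto")

SERVER = "203.0.113.5"       # constructed server address (TEST-NET-3)
GLOBAL_IP = "198.51.100.1"   # constructed global address (TEST-NET-2)


class Nat:
    def __init__(self, global_ip, first_port=40000):
        self.global_ip = global_ip
        self.next_port = first_port
        self.table = {}  # outside Flow -> inside Flow

    def outbound(self, inside):
        """Rewrite the source of an inside flow; reuse existing state if present."""
        for outside, mapped in self.table.items():
            if mapped == inside:
                return outside
        outside = Flow(self.global_ip, self.next_port,
                       inside.dst_ip, inside.dst_port, inside.proto)
        self.next_port += 1
        self.table[outside] = inside
        return outside

    def inbound(self, reply):
        """Map a reply (src = server, dst = global) back to the private host.

        Returns None when no state exists, i.e. the packet is dropped."""
        outside = Flow(reply.dst_ip, reply.dst_port,
                       reply.src_ip, reply.src_port, reply.proto)
        return self.table.get(outside)


def demo():
    nat = Nat(GLOBAL_IP)
    # Both hosts happen to pick the same source port; the NAT must still separate them.
    hosts = [Flow("192.168.0.10", 51000, SERVER, 443, 6),
             Flow("192.168.0.11", 51000, SERVER, 443, 6)]
    seen_by_server = [nat.outbound(f) for f in hosts]
    replies = [Flow(SERVER, 443, o.src_ip, o.src_port, o.proto) for o in seen_by_server]
    back = [nat.inbound(r) for r in replies]
    unsolicited = nat.inbound(Flow(SERVER, 443, GLOBAL_IP, 9999, 6))
    return seen_by_server, back, unsolicited


if __name__ == "__main__":
    seen, back, dropped = demo()
    for s in seen:
        print("server sees", s.src_ip, s.src_port)  # same IP, different ports
    print("replies reach", [b.src_ip for b in back])
    print("unsolicited inbound ->", dropped)        # None: no NAT state
```

From the server's log both connections look like the same client at 198.51.100.1; the only thing that distinguishes them is the translated port, and the mapping from port to private host exists only in the translator's table.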
  18. XHR approach
     • From JavaScript, send XHR requests to every private IP in a plausible range and use the response times of the ones that answer as the feature
     • Sending large numbers of packets could amount to an attack
     (diagram label: scanning)

  19. WebRTC approach
     • Uses the icecandidate of WebRTC's RTCPeerConnection
     • A mechanism for "NAT traversal" in WebRTC (P2P)
     • The private IP can be obtained: to talk directly, the peers exchange each other's IP addresses (private/global)
  20. HSTS Super Cookie

  21. HSTS Super Cookie
     • A technique that exploits the HSTS protocol
     • HSTS: when a web server is accessed over http, it attaches information asking the browser to connect over https from the next time on
     • A browser that has recognised HSTS will access the site over https from the start, even if an http URL is typed in

  22. HSTS Super Cookie
     • A browser that has recognised HSTS will access the site over https from the start, even if an http URL is typed in
     • We made it access over http, but the traffic arrived over https => 1 bit of information
     • Prepare 32 subdomains and switch HSTS on/off at random on each: that gives 32 bits of information, enough to distinguish about 4.3 billion devices

  23. HSTS Super Cookie
     • "Storing" the super cookie
     (diagram: HSTS ON / HSTS OFF / HSTS ON over a.example.com, b.example.com, c.example.com)

  24. HSTS Super Cookie
     • "Reading" the super cookie
     • Make the browser access over HTTP
     • Only where HSTS is in effect, a request meant to be HTTP arrives as HTTPS
     (diagram: 1 0 1 / HTTP HTTPS HTTPS / user ID: 011 / a.example.com b.example.com c.example.com)
  25. Actual behaviour

  26. TCP Timestamp

  27. TCP Timestamp

  28. RFC1323
     • Specifies the TCP Timestamp
     • The rule is that the timestamp is incremented at an interval between 1 ms and 1 s
     • An optional field
     • The update interval is not stated explicitly; it is implementation dependent

  29. How is it different from the TCP sequence number?
     • TCP Timestamp ≠ TCP Sequence
     • The sequence number is assigned per byte of data (32 bits)
     • On a fast network the counter wraps around in a short time
     • Timestamp + sequence number together guarantee packet ordering

  30. Using the TCP timestamp for tracking
     • Take two TCP packets some time apart (roughly 25 ms to 10 min) and record:
     • their arrival times (t1, t2)
     • their TCP timestamps (ts1, ts2)
     • Compute the frequency of the TCP timestamp clock: freq = (ts2 - ts1) * 1000 / (t2 - t1)

  31. Using the TCP timestamp for tracking
     • Divide the TCP timestamp by the frequency
     • This gives the device's uptime (time since boot)
     • Once the uptime is known, combining it with the IP address lets you estimate the device (assuming no two devices booted at exactly the same instant)
     • uptime = ts1 / freq

  32. A tool for trying uptime estimation easily
     • p0f (http://lcamtuf.coredump.cx/p0f3/)
     • Just start it and specify the interface

       .-[ 10.0.3.10/47099 -> 10.0.3.1/22 (syn) ]-
       |
       | client   = 10.0.3.10/47099
       | os       = Linux 3.11 and newer
       | dist     = 0
       | params   = none
       | raw_sig  = 4:64+0:0:1460:mss*20,7:mss,sok,ts,nop,ws:df,id+:0
       |
       `----

       .-[ 10.0.3.10/47099 -> 10.0.3.1/22 (uptime) ]-
       |
       | client   = 10.0.3.10/47099
       | uptime   = 0 days 0 hrs 8 min (modulo 198 days)
       | raw_freq = 250.04 Hz
       |

  33. Points where this may not work well
     • Looking at the Linux implementation, the timestamp update seems to be based on the CPU timer interrupt (jiffies)
     • While the device is asleep, does the timestamp stop advancing…?
     • Since Linux v4.10 the TCP timestamp is randomized per connection
     • https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=95a22caee396cef0bb2ca8fafdd82966a49367bb
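The frequency and uptime calculation of slides 30 and 31, followed by the failure mode from slide 33, as an added example that is not the talk's code. The observations are constructed: a host whose timestamp clock ticks at 250 Hz (the `raw_freq` p0f printed on slide 32) and that has been up for 8 minutes, seen twice 60 s apart; `t` is in milliseconds as in the slide's formula. The second part models the Linux 4.10 behaviour described on slide 33, where each connection adds its own random offset to the timestamp, so two connections from the same host no longer give the same uptime.

```python
"""TCP timestamp clock rate and uptime estimation, with the per-connection offset case."""
import random

TS_MOD = 2 ** 32  # the TCP timestamp is a 32-bit counter that wraps


def estimate_freq(t1_ms, ts1, t2_ms, ts2):
    """freq = (ts2 - ts1) * 1000 / (t2 - t1), t in ms; tolerates one 32-bit wrap."""
    dts = (ts2 - ts1) % TS_MOD
    return dts * 1000.0 / (t2_ms - t1_ms)


def estimate_uptime_s(ts, freq):
    """uptime = ts / freq, valid only if ts counts from boot and has not wrapped."""
    return ts / freq


def wrap_period_days(freq):
    """How long until a 32-bit timestamp wraps at this clock rate."""
    return TS_MOD / freq / 86400.0


def observe(freq_hz, uptime_s, delay_ms, offset=0):
    """Two constructed observations of one host: (t1, ts1, t2, ts2)."""
    ts1 = (int(uptime_s * freq_hz) + offset) % TS_MOD
    ts2 = (ts1 + int(delay_ms / 1000 * freq_hz)) % TS_MOD
    return (0, ts1, delay_ms, ts2)


def classic_host():
    """Pre-4.10 behaviour: the timestamp counts from boot, so uptime is recoverable."""
    t1, ts1, t2, ts2 = observe(250, 480, 60000)
    freq = estimate_freq(t1, ts1, t2, ts2)
    return freq, estimate_uptime_s(ts1, freq)


def randomized_host(seed=1):
    """Linux >= 4.10 model: same host, two connections, each with its own random offset."""
    rng = random.Random(seed)
    uptimes = []
    for _ in range(2):
        t1, ts1, t2, ts2 = observe(250, 480, 60000, offset=rng.randrange(TS_MOD))
        freq = estimate_freq(t1, ts1, t2, ts2)  # the rate is still measurable
        uptimes.append(estimate_uptime_s(ts1, freq))
    return uptimes


if __name__ == "__main__":
    freq, up = classic_host()
    print("freq = %.1f Hz, uptime = %.0f s" % (freq, up))        # 250.0 Hz, 480 s
    print("wraps every %.1f days" % wrap_period_days(freq))       # ~198.8 days
    print("per-connection offsets give uptimes", randomized_host())
```

At 250 Hz the counter wraps after 2^32 / 250 s, about 198.8 days, which is the "modulo 198 days" qualifier in the p0f output on slide 32. With the per-connection offset the clock rate can still be measured, but the absolute value no longer says anything about boot time, so the host can no longer be linked across connections this way.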
  34. SSL Session Ticket

  35. SSL Handshake https://blogs.msdn.microsoft.com/kaushal/2013/08/02/ssl-handshake-and-https-bindings-on-iis/

  36. SSL Session Ticket https://techblog.yahoo.co.jp/infrastructure/ssl-session-resumption/

  37. SSL Session Ticket https://techblog.yahoo.co.jp/infrastructure/ssl-session-resumption/

  38. Using the SSL session ticket for tracking
     • The client reconnects using the ticket we handed it, so we know it is the same user

  39. IP Address (again)

  40. IPv6
     • The earlier examples were IPv4
     • A technology that is (said to be) in the middle of the migration away from IPv4
     • Written like 2001:240:2401:4f7f:d051:d1bf:544e:cfc0
     • 128 bits, 2^128 ≒ 340 undecillion (3.4 × 10^38) addresses
     • Scalability (so it is said) so large that every single hair on every human head could be given an address without concern

  41. Does IPv6 not use NAT?
     • NAT is unnecessary (is the era of NAT-as-a-firewall also ending…?)
     • → the era of 1 IP = … is here (figure text not captured in the transcript)
     • If the address changes frequently, communication stops working
     • So it can serve as a short-lived ID

  42. IPv6 deployment status
     • Apple's app review made IPv6 support mandatory
     • Japanese mobile carriers were reluctant to deploy IPv6
     • The Ministry of Internal Affairs and Communications (総務省) got angry and requested deployment within fiscal 2017
     • By now it should be reasonably widespread

  43. Summary
     • I surveyed a variety of device tracking techniques
     • Some of the mechanisms that allow tracking unintentionally, judged against the purpose of the underlying technology, have since been fixed for security reasons