Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Speaker Deck
PRO
Sign in
Sign up
for free
Webデバイストラッキング手法の紹介
Kurochan
January 20, 2019
Technology
11
12k
Webデバイストラッキング手法の紹介
Kurochan
January 20, 2019
Tweet
Share
More Decks by Kurochan
See All by Kurochan
kurochan
0
1.2k
kurochan
1
1.4k
kurochan
0
1.3k
kurochan
1
3.8k
kurochan
0
1.3k
kurochan
5
2.1k
kurochan
1
1.7k
kurochan
2
1k
kurochan
1
4.5k
Other Decks in Technology
See All in Technology
tosh2230
3
280
chaspy
6
1.3k
1027kg
0
200
oliva
7
1.1k
akitok_
1
660
viva_tweet_x
1
420
koukyo1994
3
490
yunoda
0
130
karabish
0
250
robcrowley
0
150
masakazu
0
170
futo23
1
330
Featured
See All Featured
kneath
294
39k
trallard
14
720
addyosmani
311
21k
stephaniewalter
260
11k
dougneiner
118
7.9k
shpigford
165
19k
lara
590
61k
davidbonilla
70
3.6k
hatefulcrawdad
257
17k
hannesfritz
28
950
paulrobertlloyd
72
1.4k
swwweet
206
6.9k
Transcript
WebσόΠετϥοΩϯάख๏ͷ հ @kuro_m88 ใՊֶएखͷձ ౙͷਞ 2019/01/20
ࣗݾհ • ࠇ࡚ ༏ଠ (@kuro_m88) • ใՊֶएखͷձ װࣄ • ࣄαʔόαΠυΤϯδχΞ
• झຯͰαʔόӡ༻Λ͍ͯ͠·͢
ຊ͓͢Δ͜ͱ • ݸਓతʹWebσόΠετϥοΩϯάख๏͕ͲΜͳͷ͕ ଘࡏ͢Δͷ͔ௐͯɺڵຯਂ͔ͬͨख๏ͷհ
σόΠετϥοΩϯάͱ
σόΠετϥοΩϯάΛ͍ͨ͠ཧ༝ • αʔόଆ͕ಉ͡ਓͱͷ௨৴Ͱ͋ΔࣄΛΓ͍ͨ • Ұൠʹ = • ෳσόΠεʹ·͕ͨΔ߹ΫϩεσόΠετϥοΩϯά
σόΠετϥοΩϯάͰͰ͖Δ͜ͱ (ྫ) • ηογϣϯ(ϩάΠϯ)ͷҡ࣋ • ϦεΫϕʔεೝূ • σδλϧϑΥϨϯδΫε • ߦಈλʔήςΟϯάࠂ
σόΠετϥοΩϯάͷͨΊʹඞཁ ͳ͜ͱ • ಉҰΛಛఆ/ਪఆ͢ΔͨΊͷใΛूΊͳ͚ΕͳΒͳ͍ • Fingerprintingͱݴ͏ͱը໘ղ૾GPUͷڍಈ UserAgent͕ྫͱͯ͠Α͘ڍ͛ΒΕΔ͕ɺεϚϗͷ߹ ΄ͱΜͲҰॹʹͳͬͯ͠·͏
σόΠετϥοΩϯάख๏ʹ ·ͭΘΔٞ • ݱ࣮ੈքͰԿ͔͠ΒͷαʔϏεΛఏڙ͢ΔதͰσόΠεΛτϥο Ωϯά͢ΔࡍϢʔβʹڐՄΛऔͬͨΓ(ΦϓτΠϯ)ɺڋ൱͢Δ ͜ͱ͕Ͱ͖ͨΓ(ΦϓτΞτ)͢Δ͜ͱ͕ଟ͍ • Ϣʔβͷίϯτϩʔϧ͕ޮ͔ͳ͍ํ๏ʹͳΔ͜ͱ͕ଟ͍ • ࠓճٕज़ͷͷΈ͠·͢
σόΠετϥοΩϯάٕज़6બʂ • Cookie • IP Address • HSTS Super Cookie
• TCP Timestamp • SSL Session Ticket • IP Address (࠶)
Cookie
Cookie • Web։ൃ͍ͯ͠ΔਓͳΒ͖ͬͱ͍ͬͯΔͣ# • Same Origin Policy͕͋Δ • ྫ: example.com
ͷCookieexample.jpͷαʔό͔ΒݟΒΕͳ͍ • Cookie SyncΛ͢Δ͜ͱͰτϥοΩϯάͰ͖Δൣғ͕ͻΖ͕Δ • AppleITPͱ͍͏ͷΛಋೖ͠CookieʹΑΔτϥοΩϯάʹ ੍ݶΛ͔͚͍ͯΔ • εϚϗͩͱIDFA/AdIDͱ͍͏ͷ͋Δ
• ࠂͷDSPͱSSPͷؒͳͲͰΑ͘ߦΘΕΔॲཧ Cookie Sync example.com: AAAA example.jp: BBBB example.com: AAAA
redirect example.jp, param: =AAAA example.jp: BBBB, param: AAAA example.com: AAAA example.jp: BBBB =
IP Address
IP Address • 192.168.0.1ͷΑ͏ʹॻ͖ද͞ΕΔͷ • ʮΠϯλʔωοτ্ͷॅॴ ʯͳͲͱݴΘΕΔ͜ͱ • 32bit, 2^32
≒ 43ԯ ௨Γͷදݱ͕Ͱ͖Δ • ٿਓޱ73ԯਓʹ1ׂͭͮͭΓͯΒΕͳ͍ͱ͍͏ܽΛ࣋ͭ
IP Address͚ͩͰτϥοΩϯάෆ ೳ • ʮΠϯλʔωοτ্ͷॅॴ ʯ= Ͱͳ͍ • ͱ͍͏ΑΓ •
͜ͷͨΊʹૹ৴ݩIP͕͔ͬͯಉҰૹ৴ݩͱݶΒͳ͍'
NAT • NetworkAddressTranslation • Global IPΞυϨεΛԆ໋/અ͢Δٕज़ • PrivateIPΛ༻͍ɺ(srcIP,srcPort,dstIP,dstPort,protocolNum)ͷ Έ߹ΘͤͰΞυϨεΛ1ରଟͰϚοϐϯά͢Δ •
ISP͕ߦ͏߹CareerGradeNATͱ͔LargeScaleNAT ͱݺΕΔ
ͱ͍͏͜ͱ… • Global IPͱPrivate IP͕1ରଟͰϚοϐϯά͞Ε͍ͯΔ͔Β ಛఆͰ͖ͳ͍ • Global IPͱPrivate IPͷΈ߹Θ͕ͤಘΒΕΕ
ಛఆͰ͖ΔͷͰ • ※2ஈҎ্ͷଟஈNATͷ߹ಛఆෆೳ
XHRํࣜ • JavaScriptͷXHRͰదͳൣғͷશͯͷPrivateIPʹϦΫΤετ Λૹ৴͠ɺฦ͖ͬͯͨͷͷϨεϙϯελΠϜΛಛྔͱ͢Δ • ύέοτΛେྔʹૹΔͱ߈ܸʹͳΓ͔Ͷͳ͍ εΩϟϯ͢Δ
WebRTCํࣜ • WebRTCͷRTCPeerConnectionͷicecandidateΛར༻͢Δ • WebRTC(P2P)ͷʮNAT͑ʯͷͨΊͷٕज़ • Private IP͕औಘͰ͖Δ ΓऔΓ͢ΔͨΊʹ͓ޓ͍ͷIPΞυϨε (Private/Global)
Λަ͢Δ
HSTS Super Cookie
HSTS Super Cookie • HSTSͱ͍͏ϓϩτίϧΛར༻ͨ͠ख๏ • HSTS: webαʔό͕httpͰΞΫηε͞Εͨ࣌ʹ࣍ճ͔Β httpsͰଓͯ͠΄͍͠ͱ͍͏ใΛՃ͢Δ •
HSTSΛೝࣝͨ͠ϒϥβ࣍ճҎ߱httpͰURL͕ೖྗ ͞Εͯ࠷ॳ͔ΒhttpsͰΞΫηε͢ΔΑ͏ʹͳΔ
HSTS Super Cookie • HSTSΛೝࣝͨ͠ϒϥβ࣍ճҎ߱httpͰURL͕ೖྗ͞Εͯ ࠷ॳ͔ΒhttpsͰΞΫηε͢ΔΑ͏ʹͳΔ • httpͰΞΫηεͤͨ͞ͷͷhttpsͰ௨৴͕དྷͨ => 1bitͷใྔ
• 32ݸͷαϒυϝΠϯΛ༻ҙͯ͠ɺHSTS͕༗ޮ/ແޮΛϥϯμϜʹ Γସ͑Δͱ32bitͷใྔʹͳΓɺ43ԯσόΠε͕ࣝผͰ͖Δ
HSTS Super Cookie • Super CookieΛ"هԱͤ͞Δ" HSTS ON HSTS OFF
HSTS ON a.example.com b.example.com c.example.com
HSTS Super Cookie • Super CookieΛ"ಡΈग़͢" • HTTPͰΞΫηεͤ͞Δ • HSTS͕༗ޮͳͱ͜Ζ͚ͩHTTPͷͭΓ͕
HTTPSͰϦΫΤετ͕͘Δ 1 0 1 HTTP HTTPS HTTPS ϢʔβͷID: 011 a.example.com b.example.com c.example.com
࣮ࡍͷڍಈ
TCP Timestamp
TCP Timestamp
RFC1323 • TCP Timestampʹ͍ͭͯنఆ • Timestamp1msʙ1ඵִؒͰ૿ܾ͢·Γ • OptionalͳϑΟʔϧυ • ߋ৽ִؒ໌ࣔ͞Ε͍ͯͳ͍,
࣮ґଘ
TCPͷγʔέϯε൪߸ͱͷҧ͍ʁ • TCP Timestamp ≠ TCP Sequence ' • γʔέϯε൪߸σʔλͷόΠτຖʹৼΒΕΔ(32bit)
• ߴͳωοτϫʔΫͰ࣌ؒͰΧϯλ͕1िͯ͠͠·͏ • λΠϜελϯϓ+γʔέϯε൪߸ͰύέοτͷॱংΛอূ͢Δ
TCP TimeStampΛτϥοΩϯάʹར༻͢Δ • ͋Δఔ(25msʙ10minఔ)ஔ͍ͨ2ͭͷTCPύέοτͷ • ౸ண࣌ࠁ(t1, t2) • TCPλΠϜελϯϓ(ts1, ts2)
• TCPλΠϜελϯϓͷपΛٻΊΔ freq = (ts2 - ts0) * 1000 / (t1 - t0)
TCP TimeStampΛτϥοΩϯάʹར༻ ͢Δ • TCPλΠϜελϯϓΛपͰׂΔ • σόΠεͷuptime(ىಈ࣌ؒ)͕ٻ·Δ • uptime͑͞ٻ·ΕIPΞυϨεͱֻ͚߹ΘͤΕ͕ ਪఆՄೳʹ(ͽͬͨΓಉ࣌ࠁʹىಈ͢Δ͍ͳ͍ͱԾఆ)
uptime = ts1 / freq
uptimeਪఆ͕؆୯ʹࢼͤΔπʔϧ • p0f (http://lcamtuf.coredump.cx/p0f3/) • ىಈͯ͠ΠϯλʔϑΣΠεΛࢦఆ͢Δ͚ͩ .-[ 10.0.3.10/47099 -> 10.0.3.1/22
(syn) ]- | | client = 10.0.3.10/47099 | os = Linux 3.11 and newer | dist = 0 | params = none | raw_sig = 4:64+0:0:1460:mss*20,7:mss,sok,ts,nop,ws:df,id+:0 | `---- .-[ 10.0.3.10/47099 -> 10.0.3.1/22 (uptime) ]- | | client = 10.0.3.10/47099 | uptime = 0 days 0 hrs 8 min (modulo 198 days) | raw_freq = 250.04 Hz |
͏·͍͔͘ͳͦ͞͏ͳ • Linuxͷ࣮ΛݟͨݶΓɺtimestampͷߋ৽CPUͷλΠϚʔׂΓࠐΈ͕ ϕʔεͬΆ͍(jiffies) • ͕εϦʔϓͯ͠ΔؒλΠϜελϯϓͷߋ৽͕ࢭ·Δ…ʁ • Linux v4.10͔ΒTCP Timestamp͕ίωΫγϣϯ͝ͱʹϥϯμϜʹͳͬͨ
• https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/ commit/?id=95a22caee396cef0bb2ca8fafdd82966a49367bb
SSL Session Ticket
SSL Handshake https://blogs.msdn.microsoft.com/kaushal/2013/08/02/ssl-handshake-and-https-bindings-on-iis/
SSL Session Ticket https://techblog.yahoo.co.jp/infrastructure/ssl-session-resumption/
SSL Session Ticket https://techblog.yahoo.co.jp/infrastructure/ssl-session-resumption/
SSL Session TicketΛτϥοΩϯάʹ ͏ ͨ͠νέοτΛͬͯ࠶ଓͯ͘͠ΔͷͰ ಉҰϢʔβͩͱΘ͔Δ
IP Address (࠶)
IPv6 • ͖͞΄ͲͷྫIPv4 • IPv4͔ΒҠߦதͷٕज़(ͱݴΘΕ͍ͯΔ) • 2001:240:2401:4f7f:d051:d1bf:544e:cfc0 ͜Μͳײ͡Ͱද͞ΕΔ • 128bit,
2^128 ≒ 340ݸ • ਓྨͷͷໟ1ຊ1ຊʹΞυϨεΛׂΓͯͯશ͘৺ͳ͍ εέʔϥϏϦςΟ(ͱݴΘΕ͍ͯΔ)
IPv6NAT͠ͳ͍ͷ͔ʁ • NATෆཁ (NAT as a Firewallͷ࣌ऴΘΔ…ʁ) • → 1IP
= ͷ͕͖͍࣌ͯΔ • සൟʹม͑Δͱ௨৴ཱ͕͠ͳ͘ͳΔ • !໋ͳIDͱͯ͠ػೳ͠͏Δ
IPv6ͷσϓϩΠঢ়گ • Appleͷ৹ࠪͰIPv6ରԠ͕ඞਢʹ • ຊͷܞଳΩϟϦΞIPv6σϓϩΠʹফۃతͩͬͨ • ૯লౖ͕ͬͯ2017தͷ ಋೖΛཁ • ࠓͰΘΓͱ
ීٴ͖͍ͯͯ͠Δͣ
·ͱΊ • ༷ʑͳσόΠεͷτϥοΩϯάख๏Λௐࠪ͠·ͨ͠ • ཁૉٕज़ͷత͔Β͢ΔͱҙਤͤͣτϥοΩϯάͰ͖ ͯ͠·͏ͷʹؔͯ͠ηΩϡϦςΟ্ͷཧ༝͔Βम ਖ਼͕Ճ͑ΒΕ͍ͯΔͷ͋Δ
kurochan
tosh2230
chaspy
1027kg
oliva
akitok_
viva_tweet_x
koukyo1994
yunoda
karabish
robcrowley
masakazu
futo23
kneath
trallard
addyosmani
stephaniewalter
dougneiner
shpigford
lara
davidbonilla
hatefulcrawdad
hannesfritz
paulrobertlloyd
swwweet
