Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Speaker Deck
PRO
Sign in
Sign up
for free
Webデバイストラッキング手法の紹介
Kurochan
January 20, 2019
Technology
11
12k
Webデバイストラッキング手法の紹介
Kurochan
January 20, 2019
Tweet
Share
More Decks by Kurochan
See All by Kurochan
kurochan
0
12
kurochan
0
2.6k
kurochan
1
3.1k
kurochan
1
2.7k
kurochan
1
5.5k
kurochan
0
2.7k
kurochan
6
3.6k
kurochan
1
3.1k
kurochan
2
2.4k
Other Decks in Technology
See All in Technology
last9
0
240
tomoyuki
0
530
clustervr
PRO
0
130
soracom
0
160
sayokomiura
0
620
line_developers
PRO
2
710
funnysystems
1
1.2k
miyakemito
0
170
yaegashi
0
150
sayokomiura
0
320
weblyzard
1
2.2k
ufoo68
0
190
Featured
See All Featured
bryan
101
11k
destraynor
146
19k
caitiem20
311
17k
sstephenson
146
12k
roundedbygravity
84
7.9k
brettharned
93
3.1k
eileencodes
114
26k
lauravandoore
12
1.8k
malarkey
119
16k
reverentgeek
167
7.4k
tanoku
86
8.7k
lynnandtonic
274
17k
Transcript
WebσόΠετϥοΩϯάख๏ͷ հ @kuro_m88 ใՊֶएखͷձ ౙͷਞ 2019/01/20
ࣗݾհ • ࠇ࡚ ༏ଠ (@kuro_m88) • ใՊֶएखͷձ װࣄ • ࣄαʔόαΠυΤϯδχΞ
• झຯͰαʔόӡ༻Λ͍ͯ͠·͢
ຊ͓͢Δ͜ͱ • ݸਓతʹWebσόΠετϥοΩϯάख๏͕ͲΜͳͷ͕ ଘࡏ͢Δͷ͔ௐͯɺڵຯਂ͔ͬͨख๏ͷհ
σόΠετϥοΩϯάͱ
σόΠετϥοΩϯάΛ͍ͨ͠ཧ༝ • αʔόଆ͕ಉ͡ਓͱͷ௨৴Ͱ͋ΔࣄΛΓ͍ͨ • Ұൠʹ = • ෳσόΠεʹ·͕ͨΔ߹ΫϩεσόΠετϥοΩϯά
σόΠετϥοΩϯάͰͰ͖Δ͜ͱ (ྫ) • ηογϣϯ(ϩάΠϯ)ͷҡ࣋ • ϦεΫϕʔεೝূ • σδλϧϑΥϨϯδΫε • ߦಈλʔήςΟϯάࠂ
σόΠετϥοΩϯάͷͨΊʹඞཁ ͳ͜ͱ • ಉҰΛಛఆ/ਪఆ͢ΔͨΊͷใΛूΊͳ͚ΕͳΒͳ͍ • Fingerprintingͱݴ͏ͱը໘ղ૾GPUͷڍಈ UserAgent͕ྫͱͯ͠Α͘ڍ͛ΒΕΔ͕ɺεϚϗͷ߹ ΄ͱΜͲҰॹʹͳͬͯ͠·͏
σόΠετϥοΩϯάख๏ʹ ·ͭΘΔٞ • ݱ࣮ੈքͰԿ͔͠ΒͷαʔϏεΛఏڙ͢ΔதͰσόΠεΛτϥο Ωϯά͢ΔࡍϢʔβʹڐՄΛऔͬͨΓ(ΦϓτΠϯ)ɺڋ൱͢Δ ͜ͱ͕Ͱ͖ͨΓ(ΦϓτΞτ)͢Δ͜ͱ͕ଟ͍ • Ϣʔβͷίϯτϩʔϧ͕ޮ͔ͳ͍ํ๏ʹͳΔ͜ͱ͕ଟ͍ • ࠓճٕज़ͷͷΈ͠·͢
σόΠετϥοΩϯάٕज़6બʂ • Cookie • IP Address • HSTS Super Cookie
• TCP Timestamp • SSL Session Ticket • IP Address (࠶)
Cookie
Cookie • Web։ൃ͍ͯ͠ΔਓͳΒ͖ͬͱ͍ͬͯΔͣ# • Same Origin Policy͕͋Δ • ྫ: example.com
ͷCookieexample.jpͷαʔό͔ΒݟΒΕͳ͍ • Cookie SyncΛ͢Δ͜ͱͰτϥοΩϯάͰ͖Δൣғ͕ͻΖ͕Δ • AppleITPͱ͍͏ͷΛಋೖ͠CookieʹΑΔτϥοΩϯάʹ ੍ݶΛ͔͚͍ͯΔ • εϚϗͩͱIDFA/AdIDͱ͍͏ͷ͋Δ
• ࠂͷDSPͱSSPͷؒͳͲͰΑ͘ߦΘΕΔॲཧ Cookie Sync example.com: AAAA example.jp: BBBB example.com: AAAA
redirect example.jp, param: =AAAA example.jp: BBBB, param: AAAA example.com: AAAA example.jp: BBBB =
IP Address
IP Address • 192.168.0.1ͷΑ͏ʹॻ͖ද͞ΕΔͷ • ʮΠϯλʔωοτ্ͷॅॴ ʯͳͲͱݴΘΕΔ͜ͱ • 32bit, 2^32
≒ 43ԯ ௨Γͷදݱ͕Ͱ͖Δ • ٿਓޱ73ԯਓʹ1ׂͭͮͭΓͯΒΕͳ͍ͱ͍͏ܽΛ࣋ͭ
IP Address͚ͩͰτϥοΩϯάෆ ೳ • ʮΠϯλʔωοτ্ͷॅॴ ʯ= Ͱͳ͍ • ͱ͍͏ΑΓ •
͜ͷͨΊʹૹ৴ݩIP͕͔ͬͯಉҰૹ৴ݩͱݶΒͳ͍'
NAT • NetworkAddressTranslation • Global IPΞυϨεΛԆ໋/અ͢Δٕज़ • PrivateIPΛ༻͍ɺ(srcIP,srcPort,dstIP,dstPort,protocolNum)ͷ Έ߹ΘͤͰΞυϨεΛ1ରଟͰϚοϐϯά͢Δ •
ISP͕ߦ͏߹CareerGradeNATͱ͔LargeScaleNAT ͱݺΕΔ
ͱ͍͏͜ͱ… • Global IPͱPrivate IP͕1ରଟͰϚοϐϯά͞Ε͍ͯΔ͔Β ಛఆͰ͖ͳ͍ • Global IPͱPrivate IPͷΈ߹Θ͕ͤಘΒΕΕ
ಛఆͰ͖ΔͷͰ • ※2ஈҎ্ͷଟஈNATͷ߹ಛఆෆೳ
XHRํࣜ • JavaScriptͷXHRͰదͳൣғͷશͯͷPrivateIPʹϦΫΤετ Λૹ৴͠ɺฦ͖ͬͯͨͷͷϨεϙϯελΠϜΛಛྔͱ͢Δ • ύέοτΛେྔʹૹΔͱ߈ܸʹͳΓ͔Ͷͳ͍ εΩϟϯ͢Δ
WebRTCํࣜ • WebRTCͷRTCPeerConnectionͷicecandidateΛར༻͢Δ • WebRTC(P2P)ͷʮNAT͑ʯͷͨΊͷٕज़ • Private IP͕औಘͰ͖Δ ΓऔΓ͢ΔͨΊʹ͓ޓ͍ͷIPΞυϨε (Private/Global)
Λަ͢Δ
HSTS Super Cookie
HSTS Super Cookie • HSTSͱ͍͏ϓϩτίϧΛར༻ͨ͠ख๏ • HSTS: webαʔό͕httpͰΞΫηε͞Εͨ࣌ʹ࣍ճ͔Β httpsͰଓͯ͠΄͍͠ͱ͍͏ใΛՃ͢Δ •
HSTSΛೝࣝͨ͠ϒϥβ࣍ճҎ߱httpͰURL͕ೖྗ ͞Εͯ࠷ॳ͔ΒhttpsͰΞΫηε͢ΔΑ͏ʹͳΔ
HSTS Super Cookie • HSTSΛೝࣝͨ͠ϒϥβ࣍ճҎ߱httpͰURL͕ೖྗ͞Εͯ ࠷ॳ͔ΒhttpsͰΞΫηε͢ΔΑ͏ʹͳΔ • httpͰΞΫηεͤͨ͞ͷͷhttpsͰ௨৴͕དྷͨ => 1bitͷใྔ
• 32ݸͷαϒυϝΠϯΛ༻ҙͯ͠ɺHSTS͕༗ޮ/ແޮΛϥϯμϜʹ Γସ͑Δͱ32bitͷใྔʹͳΓɺ43ԯσόΠε͕ࣝผͰ͖Δ
HSTS Super Cookie • Super CookieΛ"هԱͤ͞Δ" HSTS ON HSTS OFF
HSTS ON a.example.com b.example.com c.example.com
HSTS Super Cookie • Super CookieΛ"ಡΈग़͢" • HTTPͰΞΫηεͤ͞Δ • HSTS͕༗ޮͳͱ͜Ζ͚ͩHTTPͷͭΓ͕
HTTPSͰϦΫΤετ͕͘Δ 1 0 1 HTTP HTTPS HTTPS ϢʔβͷID: 011 a.example.com b.example.com c.example.com
࣮ࡍͷڍಈ
TCP Timestamp
TCP Timestamp
RFC1323 • TCP Timestampʹ͍ͭͯنఆ • Timestamp1msʙ1ඵִؒͰ૿ܾ͢·Γ • OptionalͳϑΟʔϧυ • ߋ৽ִؒ໌ࣔ͞Ε͍ͯͳ͍,
࣮ґଘ
TCPͷγʔέϯε൪߸ͱͷҧ͍ʁ • TCP Timestamp ≠ TCP Sequence ' • γʔέϯε൪߸σʔλͷόΠτຖʹৼΒΕΔ(32bit)
• ߴͳωοτϫʔΫͰ࣌ؒͰΧϯλ͕1िͯ͠͠·͏ • λΠϜελϯϓ+γʔέϯε൪߸ͰύέοτͷॱংΛอূ͢Δ
TCP TimeStampΛτϥοΩϯάʹར༻͢Δ • ͋Δఔ(25msʙ10minఔ)ஔ͍ͨ2ͭͷTCPύέοτͷ • ౸ண࣌ࠁ(t1, t2) • TCPλΠϜελϯϓ(ts1, ts2)
• TCPλΠϜελϯϓͷपΛٻΊΔ freq = (ts2 - ts0) * 1000 / (t1 - t0)
TCP TimeStampΛτϥοΩϯάʹར༻ ͢Δ • TCPλΠϜελϯϓΛपͰׂΔ • σόΠεͷuptime(ىಈ࣌ؒ)͕ٻ·Δ • uptime͑͞ٻ·ΕIPΞυϨεͱֻ͚߹ΘͤΕ͕ ਪఆՄೳʹ(ͽͬͨΓಉ࣌ࠁʹىಈ͢Δ͍ͳ͍ͱԾఆ)
uptime = ts1 / freq
uptimeਪఆ͕؆୯ʹࢼͤΔπʔϧ • p0f (http://lcamtuf.coredump.cx/p0f3/) • ىಈͯ͠ΠϯλʔϑΣΠεΛࢦఆ͢Δ͚ͩ .-[ 10.0.3.10/47099 -> 10.0.3.1/22
(syn) ]- | | client = 10.0.3.10/47099 | os = Linux 3.11 and newer | dist = 0 | params = none | raw_sig = 4:64+0:0:1460:mss*20,7:mss,sok,ts,nop,ws:df,id+:0 | `---- .-[ 10.0.3.10/47099 -> 10.0.3.1/22 (uptime) ]- | | client = 10.0.3.10/47099 | uptime = 0 days 0 hrs 8 min (modulo 198 days) | raw_freq = 250.04 Hz |
͏·͍͔͘ͳͦ͞͏ͳ • Linuxͷ࣮ΛݟͨݶΓɺtimestampͷߋ৽CPUͷλΠϚʔׂΓࠐΈ͕ ϕʔεͬΆ͍(jiffies) • ͕εϦʔϓͯ͠ΔؒλΠϜελϯϓͷߋ৽͕ࢭ·Δ…ʁ • Linux v4.10͔ΒTCP Timestamp͕ίωΫγϣϯ͝ͱʹϥϯμϜʹͳͬͨ
• https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/ commit/?id=95a22caee396cef0bb2ca8fafdd82966a49367bb
SSL Session Ticket
SSL Handshake https://blogs.msdn.microsoft.com/kaushal/2013/08/02/ssl-handshake-and-https-bindings-on-iis/
SSL Session Ticket https://techblog.yahoo.co.jp/infrastructure/ssl-session-resumption/
SSL Session Ticket https://techblog.yahoo.co.jp/infrastructure/ssl-session-resumption/
SSL Session TicketΛτϥοΩϯάʹ ͏ ͨ͠νέοτΛͬͯ࠶ଓͯ͘͠ΔͷͰ ಉҰϢʔβͩͱΘ͔Δ
IP Address (࠶)
IPv6 • ͖͞΄ͲͷྫIPv4 • IPv4͔ΒҠߦதͷٕज़(ͱݴΘΕ͍ͯΔ) • 2001:240:2401:4f7f:d051:d1bf:544e:cfc0 ͜Μͳײ͡Ͱද͞ΕΔ • 128bit,
2^128 ≒ 340ݸ • ਓྨͷͷໟ1ຊ1ຊʹΞυϨεΛׂΓͯͯશ͘৺ͳ͍ εέʔϥϏϦςΟ(ͱݴΘΕ͍ͯΔ)
IPv6NAT͠ͳ͍ͷ͔ʁ • NATෆཁ (NAT as a Firewallͷ࣌ऴΘΔ…ʁ) • → 1IP
= ͷ͕͖͍࣌ͯΔ • සൟʹม͑Δͱ௨৴ཱ͕͠ͳ͘ͳΔ • !໋ͳIDͱͯ͠ػೳ͠͏Δ
IPv6ͷσϓϩΠঢ়گ • Appleͷ৹ࠪͰIPv6ରԠ͕ඞਢʹ • ຊͷܞଳΩϟϦΞIPv6σϓϩΠʹফۃతͩͬͨ • ૯লౖ͕ͬͯ2017தͷ ಋೖΛཁ • ࠓͰΘΓͱ
ීٴ͖͍ͯͯ͠Δͣ
·ͱΊ • ༷ʑͳσόΠεͷτϥοΩϯάख๏Λௐࠪ͠·ͨ͠ • ཁૉٕज़ͷత͔Β͢ΔͱҙਤͤͣτϥοΩϯάͰ͖ ͯ͠·͏ͷʹؔͯ͠ηΩϡϦςΟ্ͷཧ༝͔Βम ਖ਼͕Ճ͑ΒΕ͍ͯΔͷ͋Δ
kurochan
last9
tomoyuki
clustervr
soracom
sayokomiura
line_developers
funnysystems
miyakemito
yaegashi
weblyzard
ufoo68
bryan
destraynor
caitiem20
sstephenson
roundedbygravity
brettharned
eileencodes
lauravandoore
malarkey
reverentgeek
tanoku
lynnandtonic
