Unleash the Simulacrum: Shifting Browser Realities for Robust Extension-Fingerprinting Prevention

Authors: 

Soroush Karami, University of Illinois at Chicago; Faezeh Kalantari, Mehrnoosh Zaeifi, Xavier J. Maso, and Erik Trickel, Arizona State University; Panagiotis Ilia, University of Illinois at Chicago; Yan Shoshitaishvili and Adam Doupé, Arizona State University; Jason Polakis, University of Illinois at Chicago

Abstract: 

Online tracking has garnered significant attention due to the privacy risk it poses to users. Among the various approaches, techniques that identify which extensions are installed in a browser can be used for fingerprinting browsers and tracking users, but also for inferring personal and sensitive user data. While preventing certain fingerprinting techniques is relatively simple, mitigating behavior-based extension-fingerprinting poses a significant challenge as it relies on hiding actions that stem from an extension's functionality. To that end, we introduce the concept of DOM Reality Shifting, whereby we split the reality users experience while browsing from the reality that webpages can observe. To demonstrate our approach we develop Simulacrum, a prototype extension that implements our defense through a targeted instrumentation of core Web API interfaces. Despite being conceptually straightforward, our implementation highlights the technical challenges posed by the complex and often idiosyncratic nature and behavior of web applications, modern browsers, and the JavaScript language. We experimentally evaluate our system against a state-of-the-art DOM-based extension fingerprinting system and find that Simulacrum readily protects 95.37% of susceptible extensions. We then identify trivial modifications to extensions that enable our defense for the majority of the remaining extensions. To facilitate additional research and protect users from privacy-invasive behaviors we will open-source our system.

BibTeX
@inproceedings {279963,
author = {Soroush Karami and Faezeh Kalantari and Mehrnoosh Zaeifi and Xavier J. Maso and Erik Trickel and Panagiotis Ilia and Yan Shoshitaishvili and Adam Doup{\'e} and Jason Polakis},
title = {Unleash the Simulacrum: Shifting Browser Realities for Robust {Extension-Fingerprinting} Prevention},
booktitle = {31st USENIX Security Symposium (USENIX Security 22)},
year = {2022},
isbn = {978-1-939133-31-1},
address = {Boston, MA},
pages = {735--752},
url = {https://www.usenix.org/conference/usenixsecurity22/presentation/karami},
publisher = {USENIX Association},
month = aug
}
