First, this is likely more of a Chromium question than a V8 question. I think you'd get better luck and feedback working with https://www.chromium.org/Home/chromium-security/ for this concern.
Second, be aware that there's many different ways to fingerprint, and browsers do track this: - https://github.com/samyk/evercookie basically combines a number of known exploits and browser features to make a difficult-to-remove cookie. - https://github.com/jonasstrehle/supercookie uses favicons to bypass content blockers and cache clear attempts, though browsers rapidly patched that hole. - Other methods like hardware testing, benchmarking, canvas fingerprinting, enumerating extensions, enumerating fonts, and so on are also often used (and often combined) to derive a fingerprint as well. Hardware benchmarks themselves due to their very nature cannot be defeated without literally replacing the implementations used. Now, for instrumentation: 1. First, load a page, record all heap allocations in the dev tools, and ensure it reproduces that way. Lot of stuff to sift through, but you won't need to even patch the script. 2. Failing that, try to see if it reproduces if wrapped in a `with ((() => { setupStuff(); return new Proxy(window, logGetAndDefineProperty) })()) { <script in question> }`. If necessary, you could inject it through mitmproxy. This should log not just `sigs`, but every property accessed on that object, so you can additionally figure out what they're trying to check. (You can also modify this to watch other property access attempts.) This could avoid any need to patch V8, and so I'd suggest trying this first. (Chromium compiles take a very long time, so you'll save a lot of time if this works.) Do note that you may also need to patch `window.window`, `window.self`, `Document.prototype.defaultView`, and similar to return the proxied window, if it doesn't reproduce without it, so the script doesn't know. You can also just use a map of wrapped function to unwrapped name and replace `Function.prototype.toString` if it checks that as well. If it's an inline script, you could store the script in a string, set the current script's `textContent` to that source string (https://2ality.com/2014/05/current-script.html can help you locate this) and then `eval` it in that wrapper, careful to not save any persistent variables. 3. If that fails, I'd suggest instrumenting property definition (for both object literals and property assignment) within the interpreter. And in addition, try to see if it reproduces with the V8 flag `--jitless` (you can pass that to Chromium at startup via `--js-flags=--jitless`). If it doesn't (and you've already controlled for timers), then it's a bug in V8's JIT. 4. Instrumenting the JIT will be very non-trivial, hence why I'm leaving it out here and making it the path of last resort. On Monday, November 7, 2022 at 1:12:47 PM UTC-8 fpetronij...@raf.rs wrote: > Hello, during my academic research I came across one website which has > very disturbing levels of fingerprinting. It manages to detect that I come > from same device despite me hooking, randomizing and changing more then 850 > >0.0 entropy values. Including using VPN connection or proxies. I found the > script that is responsible for that but the issue is that its heavily > heavily obfuscated. I believe this vendor is abusing some zero day in > Chromium to access some extremely high entropy values and I want to find > out what this is and report it. The only thing I know about this script is > that they save their collector variables inside object that has key "sigs". > They append 124 attributes to this key which are objects representing some > values. I was wondering is it possible somewhere in v8 to hook object > creation and sniff for all objects that get added to this key value and > dump them somewhere? In theory it sounds very possible, but in practice > could it be done? Pseudo code of them doing this fingerprinting is > something like this. > > > obj1 = {} > obj1['sigs '] = {canvas:hash... etc etc} //some important values, > > var obj2 = {} > obj2['sigs '] = {......} //some important values > > > var obj3 = {} > obj3['sigs '] = {..........} //some important values > > > > I tried many things on JavaScript land, but they have too many integrity > checks and it simply doesn't work. This has to be approached in my opinion > lower level, such as V8. Is it possible even to do this in runtime and dump > all objects that are using "sigs" as key value? > > Best regards > -- -- v8-users mailing list v8-users@googlegroups.com http://groups.google.com/group/v8-users --- You received this message because you are subscribed to the Google Groups "v8-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to v8-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/v8-users/93b2a1a5-0370-45dd-8213-bf2d00d9c38bn%40googlegroups.com.
