First of all, thank you for responding back!
I'm well aware of very broad commercial and non commercial fingerprintable
methods including those that you have posted, but nothing like that is what
they are doing. As previously said, they seem to be doing something very
weird as even swapping hundreds of > 0.0 entropy attributes is still
sticking to my old device and they know that I am the same one. The reason
why I think they have something concernable for privacy is due to the fact
that they use some exploit for detecting Runtime.enable domain which
devtool protocol uses so they could detect if someone is trying to tamper
with it or not, and trust me, Google has been fighting with this for long
time and these guys still manage to even in version 107 find a bypass for
it, thus my reason to think they use something very odd for fingerprints as
well which I kind of proved on my own tests.
On that side, I do have some questions for your instrumentation suggestions.
1. I made heap allocation in devtools and I have dumped and saved it to a
disk. I found in there that they indeed make "ctor" object by traversing
all strings, but I can't go any further then this because there are 50k
strings in there and I'm not sure what could be useful for me or not and on
top of that, those strings are kind of spread out. I can't prove that some
of those are part of 'sigs' key or they are just being used for other
purposes.
2. I already tried to for example hook into Object's getter by doing
following
Object.defineProperty(Object.prototype, "sig ", {
get() {
return this.sigStorage
},
set(x) {
console.log(x)
this.sigStorage = x;
}
});
But the script has heavy integrity checks. Nothing happens. There are also
tricks which this script uses to even check for spoofing via
Function.prototype.toString as they can check if it equals to some object
in the end etc. They have 100s of integrity checks and this just isnt
possible to do.
3. Could you give me any direction how could i in runtime instrument it so
that i can dump entire content of every object that contains "sig"? What
function in V8 should i override or where to look more precisely?
I read a lot about v8 internals, and one cool thing that I have advantage
here is that all those objects that are being created under key "sigs" are
same shape so that means they must share same HiddenClass and be in same
starting memory spot, so if I could just somehow find that memory spot, I
could recursively go through all other maps / transitions and pull all the
values from it, but this is just in theory, in practice im not even sure
where to look...
On Wednesday, November 9, 2022 at 12:53:05 AM UTC+1 impi...@gmail.com wrote:
> First, this is likely more of a Chromium question than a V8 question. I
> think you'd get better luck and feedback working with
> https://www.chromium.org/Home/chromium-security/ for this concern.
>
> Second, be aware that there's many different ways to fingerprint, and
> browsers do track this:
>
> - https://github.com/samyk/evercookie basically combines a number of
> known exploits and browser features to make a difficult-to-remove cookie.
> - https://github.com/jonasstrehle/supercookie uses favicons to bypass
> content blockers and cache clear attempts, though browsers rapidly patched
> that hole.
> - Other methods like hardware testing, benchmarking, canvas
> fingerprinting, enumerating extensions, enumerating fonts, and so on are
> also often used (and often combined) to derive a fingerprint as well.
> Hardware benchmarks themselves due to their very nature cannot be defeated
> without literally replacing the implementations used.
>
> Now, for instrumentation:
>
> 1. First, load a page, record all heap allocations in the dev tools,
> and ensure it reproduces that way. Lot of stuff to sift through, but you
> won't need to even patch the script.
> 2. Failing that, try to see if it reproduces if wrapped in a `with
> ((() => { setupStuff(); return new Proxy(window, logGetAndDefineProperty)
> })()) { <script in question> }`. If necessary, you could inject it through
> mitmproxy. This should log not just `sigs`, but every property accessed on
> that object, so you can additionally figure out what they're trying to
> check. (You can also modify this to watch other property access attempts.)
>
> This could avoid any need to patch V8, and so I'd suggest trying this
> first. (Chromium compiles take a very long time, so you'll save a lot of
> time if this works.) Do note that you may also need to patch
> `window.window`, `window.self`, `Document.prototype.defaultView`, and
> similar to return the proxied window, if it doesn't reproduce without it,
> so the script doesn't know. You can also just use a map of wrapped
> function
> to unwrapped name and replace `Function.prototype.toString` if it checks
> that as well.
>
> If it's an inline script, you could store the script in a string, set
> the current script's `textContent` to that source string (
> https://2ality.com/2014/05/current-script.html can help you locate
> this) and then `eval` it in that wrapper, careful to not save any
> persistent variables.
> 3. If that fails, I'd suggest instrumenting property definition (for
> both object literals and property assignment) within the interpreter. And
> in addition, try to see if it reproduces with the V8 flag `--jitless` (you
> can pass that to Chromium at startup via `--js-flags=--jitless`). If it
> doesn't (and you've already controlled for timers), then it's a bug in
> V8's
> JIT.
> 4. Instrumenting the JIT will be very non-trivial, hence why I'm
> leaving it out here and making it the path of last resort.
>
>
> On Monday, November 7, 2022 at 1:12:47 PM UTC-8 fpetronij...@raf.rs wrote:
>
>> Hello, during my academic research I came across one website which has
>> very disturbing levels of fingerprinting. It manages to detect that I come
>> from same device despite me hooking, randomizing and changing more then 850
>> >0.0 entropy values. Including using VPN connection or proxies. I found the
>> script that is responsible for that but the issue is that its heavily
>> heavily obfuscated. I believe this vendor is abusing some zero day in
>> Chromium to access some extremely high entropy values and I want to find
>> out what this is and report it. The only thing I know about this script is
>> that they save their collector variables inside object that has key "sigs".
>> They append 124 attributes to this key which are objects representing some
>> values. I was wondering is it possible somewhere in v8 to hook object
>> creation and sniff for all objects that get added to this key value and
>> dump them somewhere? In theory it sounds very possible, but in practice
>> could it be done? Pseudo code of them doing this fingerprinting is
>> something like this.
>>
>>
>> obj1 = {}
>> obj1['sigs '] = {canvas:hash... etc etc} //some important values,
>>
>> var obj2 = {}
>> obj2['sigs '] = {......} //some important values
>>
>>
>> var obj3 = {}
>> obj3['sigs '] = {..........} //some important values
>>
>>
>>
>> I tried many things on JavaScript land, but they have too many integrity
>> checks and it simply doesn't work. This has to be approached in my opinion
>> lower level, such as V8. Is it possible even to do this in runtime and dump
>> all objects that are using "sigs" as key value?
>>
>> Best regards
>>
>
--
--
v8-users mailing list
v8-users@googlegroups.com
http://groups.google.com/group/v8-users
---
You received this message because you are subscribed to the Google Groups
"v8-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to v8-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/v8-users/3da44ef2-9135-4d61-9944-67910b4b883dn%40googlegroups.com.
