Abstract
Attackers and defenders are engaged in an information arms race, where gaining a momentary upper-hand can mean the difference between a successful or thwarted attack. One of the most coveted pieces of information sought for in this struggle is the true identity of users and systems performing network communications. Despite efforts taken to provide anonymity, unique characteristics of side-channel data is often enough to accurately identify networked entities, similar to how biological fingerprints can identify individuals. Thus, leveraging this information allows malefactors to target vulnerable systems with specially-crafted attacks, and defenders to identify and prevent such attacks.
In this dissertation, we demonstrate the practical benefits of computer system fingerprinting in identifying and studying online entities, as well as uncovering vulnerabilities before they can be exploited. First, we present techniques to uncover previously hidden campaigns of Man-in-the-Middle (MITM) phishing toolkits. We show how network timing analysis and TLS fingerprinting can be used to detect the presence of these toolkits in network communications from the perspectives of both victim clients and targeted web servers. Using these techniques, we conduct a longitudinal study on MITM phishing toolkits in the wild, observing their growing popularity amongst attackers to target enterprise users.
Second, we study a subset of web bots that utilize Certificate Transparency logs to identify targets. We develop a distributed honeypot system which creates TLS certificates for the purpose of advertising previously non-existent domains, and records the activity generated towards them from a number of network vantage points. We find that these bots are wholly distinct from traditional host-scanning web bots. Moreover, by varying the content of subdomains included in generated TLS certificates, we identify bots with varying intentions, revealing a stark contrast in malicious behavior among these groups.
Third, we conduct a large-scale study of data-saving mobile browsers on the Android platform. By analyzing browser clients and the network stacks of the proxy-server infrastructures supporting them, we discover critical vulnerabilities leaving billions of users exposed to attacks, including the presence of outdated network services with many severe CVEs.
Fourth, we investigate environment-based artifacts present in Android sandboxes that could be used by malware to detect and bypass analysis systems. We identify features relating to: user configurations (e.g., screen brightness), populations of files on the device (e.g., number of photos and songs), and hardware sensors (e.g., presence of a step counter). Our results show that the failure of sandbox providers to accurately emulate such features allows malware to infer the artificiality of the environment with high confidence.
Fifth, we audit the security posture of newly-created websites appearing on Certificate Transparency logs. By recording a series of security indicators for each site when they first come online, as well as in the hours to days following, we can study the security posture delta of new sites on the Internet. Through our longitudinal study, we uncover a substantial vulnerability window in which attackers can exploit weaknesses on sites before they are patched at a later time.
Finally, we explore the state of web application fingerprinting by auditing popular academic and commercial tools used to identify web applications on the Internet. Through a series of laboratory and real-world experiments, we demonstrate that minor changes to the content produced by popular web applications severely hampers the performance of fingerprinting tools. To resolve these limitations, we develop a scanner-agnostic middleware module that modifies network traffic between fingerprinting tools and web applications to remedy real-world content changes made by websites, greatly increasing fingerprinting performance.
