Abstract

Attackers and defenders are engaged in an information arms race,
where gaining a momentary upper-hand can mean the difference
between a successful or thwarted attack. One of the most coveted
pieces of information sought for in this struggle is the true identity
of users and systems performing network communications. Despite
efforts taken to provide anonymity, unique characteristics of
side-channel data is often enough to accurately identify networked
entities, similar to how biological fingerprints can identify individuals.
Thus, leveraging this information allows malefactors to target
vulnerable systems with specially-crafted attacks, and defenders to
identify and prevent such attacks.

In this thesis, we demonstrate the practical benefits of computer
system fingerprinting in identifying and studying online entities,
as well as uncovering vulnerabilities before they can be exploited.
First, we present techniques to uncover previously hidden campaigns
of Man-in-the-Middle (MITM) phishing toolkits. We show
how network timing analysis and TLS fingerprinting can be used
to detect the presence of these toolkits in network communications
from the perspectives of both victim clients and targeted web
servers. Using these techniques, we conduct a longitudinal study
on MITM phishing toolkits in the wild, observing their growing
popularity amongst attackers to target enterprise users.

Second, we study a subset of web bots that utilize Certificate
Transparency logs to identify targets. We develop a distributed
honeypot system which creates TLS certificates for the purpose of
advertising previously non-existent domains, and records the
activity generated towards them from a number of network vantage
points. We find that these bots are wholly distinct from traditional
host-scanning web bots. Moreover, by varying the content
of subdomains included in generated TLS certificates, we identify
bots with varying intentions, revealing a stark contrast in malicious
behavior among these groups.

Third, we conduct a large-scale study of data-saving mobile browsers
on the Android platform. By analyzing browser clients and
the network stacks of the proxy-server infrastructures supporting
them, we discover critical vulnerabilities leaving billions of users
exposed to attacks, including the presence of outdated network
services with many severe CVEs.

Fourth, we investigate environment-based artifacts present in Android
sandboxes that could be used by malware to detect and
bypass analysis systems. We identify features relating to: user
configurations (e.g., screen brightness), populations of files on the
device (e.g., number of photos and songs), and hardware sensors
(e.g., presence of a step counter). Our results show that the failure
of sandbox providers to accurately emulate such features allows
malware to infer the artificiality of the environment with high confidence.

Finally, we explore the state of web application fingerprinting by
auditing popular academic and commercial tools used to identify
PHP web applications on the Internet. Through a series of
laboratory and real-world experiments, we demonstrate that minor
changes to the content produced by popular web applications
severely hampers the performance of these fingerprinting tools.
Our results reveal the limited practical use of these tools, and
emphasize the need for an updated approach that is resilient to the
anti-fingerprinting techniques in use today.