Pierre Laperdrix

Postdoc at Stony Brook University

About Me

I am currently a postdoctoral researcher in the PragSec lab at Stony Brook University.

I obtained my PhD working on browser fingerprinting in the DiverSE team at INRIA Rennes where I developed the AmIUnique.org and Fingerprint Central websites.

My main domains of interests are computer security and privacy with a touch of software engineering. Outside of computer science, I love to live thousands of adventures through video games, movies or comics.

Scientific publications

  • Time Does Not Heal All Wounds: A Longitudinal Analysis of Security-Mechanism Support in Mobile Browsers

    Meng Luo, Pierre Laperdrix, Nima Honarmand, Nick Nikiforakis
    Proceedings of the 26th Network and Distributed System Security Symposium (NDSS 2019)
    San Diego, CA, USA (acceptance rate: 17%)

    PDF available soon

    Recent market share statistics show that mobile device traffic has overtaken that of traditional desktop computers. Users spend an increasing amount of time on their smartphones and tablets, while the web continues to be the platform of choice for delivering new applications to users. In this environment, it is necessary for web applications to utilize all the tools at their disposal to protect mobile users against popular web application attacks. In this paper, we perform the first study of the support of popular web-application security mechanisms (such as Content Security Policy, HTTP Strict Transport Security, and Referrer Policy) across mobile browsers. We design 395 individual tests covering 8 different security mechanisms, and utilize them to evaluate the security-mechanism support in the 20 most popular browser families on Android. Moreover, by collecting and testing browser versions from the last seven years, we evaluate a total of 351 unique browser versions against the aforementioned tests, collecting more than 138K test results. By analyzing these results, we find that, although mobile browsers generally support more security mechanisms over time, not all browsers evolve in the same way. We discover popular browsers, with millions of downloads, which do not support the majority of the tested mechanisms, and identify design choices, followed by the majority of browsers, which leave hundreds of popular websites open to clickjacking attacks. Moreover, we discover the presence of multi-year vulnerability windows between the time when popular websites start utilizing a security mechanism and when mobile browsers enforce it. Our findings highlight the need for continuous security testing of mobile web browsers, as well as server-side frameworks which can adapt to the level of security that each browser can guarantee.
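The clickjacking finding above turns on which framing-protection header a browser actually enforces. The JavaScript below is an added example, not code from the paper or its test suite: it decides whether a candidate origin may frame a page from the page's response headers, giving a supported CSP frame-ancestors directive precedence over X-Frame-Options, and takes a hypothetical per-browser `support` profile that stands in for the paper's measured support, so the same page can be checked against a browser that enforces frame-ancestors and one that does not. The `framingAllowed` and `clickjackingWindow` functions, the sample origins and the header values are assumptions; ports and paths in host-sources are ignored.

```javascript
// Added example, not code from the paper: decide whether a candidate origin may frame a
// page from the page's response headers. A supported CSP frame-ancestors directive takes
// precedence over X-Frame-Options; a browser that does not enforce one mechanism falls
// through to the next. `support` is a hypothetical per-browser profile standing in for the
// paper's measured results. Ports and paths in host-sources are ignored (simplification).

function parseFrameAncestors(cspHeader) {
  if (!cspHeader) return null;
  for (const directive of cspHeader.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && tokens[0].toLowerCase() === 'frame-ancestors') {
      // Strip the quotes of keyword sources ('self', 'none') and normalise case.
      return tokens.slice(1).map((t) => t.replace(/^'(.*)'$/, '$1').toLowerCase());
    }
  }
  return null; // header present, but no frame-ancestors directive
}

// Match one CSP source expression ('*', a scheme like "https:", or a host with an
// optional scheme and leading wildcard label) against an origin such as https://a.example.
function hostSourceMatches(source, origin) {
  const o = new URL(origin);
  if (source === '*') return true;
  if (/^[a-z][a-z0-9+.-]*:$/.test(source)) return o.protocol === source;
  let scheme = null;
  let host = source;
  const m = /^([a-z][a-z0-9+.-]*):\/\/(.*)$/.exec(source);
  if (m) {
    scheme = m[1];
    host = m[2];
  }
  if (scheme && o.protocol !== `${scheme}:`) return false;
  host = host.replace(/\/.*$/, '').replace(/:\d+$/, ''); // drop path, then port
  if (host.startsWith('*.')) {
    const suffix = host.slice(1); // "*.partner.example" -> ".partner.example"
    return o.hostname.endsWith(suffix) && o.hostname.length > suffix.length;
  }
  return o.hostname === host;
}

function framingAllowed(headers, framerOrigin, pageOrigin, support = { frameAncestors: true, xfo: true }) {
  const ancestors = support.frameAncestors
    ? parseFrameAncestors(headers['content-security-policy'])
    : null;
  if (ancestors) {
    // 'none' matches nothing, so a directive listing only 'none' (or nothing) denies all framing.
    return ancestors
      .filter((s) => s !== 'none')
      .some((s) => (s === 'self' ? framerOrigin === pageOrigin : hostSourceMatches(s, framerOrigin)));
  }
  const xfo = support.xfo ? (headers['x-frame-options'] || '').trim().toUpperCase() : '';
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return framerOrigin === pageOrigin;
  // Nothing enforced: absent header, unsupported browser, or the obsolete ALLOW-FROM form.
  return true;
}

// Constructed sample: a page protected only by frame-ancestors, checked against a browser
// that enforces it and a hypothetical one that does not (the paper's "vulnerability window").
const sampleHeaders = { 'content-security-policy': "default-src 'self'; frame-ancestors 'none'" };

function clickjackingWindow(headers, framerOrigin, pageOrigin) {
  return {
    modern: framingAllowed(headers, framerOrigin, pageOrigin, { frameAncestors: true, xfo: true }),
    legacy: framingAllowed(headers, framerOrigin, pageOrigin, { frameAncestors: false, xfo: true }),
  };
}

console.log(clickjackingWindow(sampleHeaders, 'https://attacker.example', 'https://bank.example'));
```

A page that relies on frame-ancestors alone stays framable in the legacy profile; shipping both headers closes that window for any browser that enforces either one.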


  • FP-Scanner: The Privacy Implications of Browser Fingerprint Inconsistencies

    Antoine Vastel, Pierre Laperdrix, Walter Rudametkin, Romain Rouvoy
    Proceedings of the 27th USENIX Security Symposium (USENIX Sec. 2018)
    Baltimore, MD, USA (acceptance rate: 19%)

    PDF

    By exploiting the diversity of device and browser configurations, browser fingerprinting established itself as a viable technique to enable stateless user tracking in production. Companies and academic communities have responded with a wide range of countermeasures. However, the way these countermeasures are evaluated does not properly assess their impact on user privacy, in particular regarding the quantity of information they may indirectly leak by revealing their presence. In this paper, we investigate the current state of the art of browser fingerprinting countermeasures to study the inconsistencies they may introduce in altered fingerprints, and how this may impact user privacy. To do so, we introduce FP-SCANNER as a new test suite that explores browser fingerprint inconsistencies to detect potential alterations, and we show that we are capable of detecting countermeasures from the inconsistencies they introduce. Beyond spotting altered browser fingerprints, we demonstrate that FP-SCANNER can also reveal the original value of altered fingerprint attributes, such as the browser or the operating system. We believe that this result can be exploited by fingerprinters to more accurately target browsers with countermeasures.
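As an added illustration, not FP-SCANNER itself, the JavaScript below checks a fingerprint for the kind of inconsistencies the paper exploits: the operating system claimed by the user agent against navigator.platform, the browser claimed by the user agent against engine-specific objects that a spoofing extension rarely removes, and a mobile user agent against touch support. When the cheap-to-spoof attribute contradicts the hard-to-spoof one, the latter is reported as the likely original value. The attribute names (`features.chrome`, `features.mozInnerScreenX`, `maxTouchPoints`), the classification tables and the sample fingerprints are constructed assumptions, not the paper's test suite.

```javascript
// Added example, not the FP-SCANNER code: a small consistency checker in the spirit of the
// paper. A fingerprint is a constructed plain object; attribute names, tables and rules
// are assumptions chosen for illustration.

const OS_FROM_UA = [
  [/Android/, 'Android'],      // before Linux: Android user agents also contain "Linux"
  [/iPhone|iPad/, 'iOS'],      // before macOS: iOS user agents say "like Mac OS X"
  [/Windows NT/, 'Windows'],
  [/Mac OS X/, 'macOS'],
  [/Linux/, 'Linux'],
];
const OS_FROM_PLATFORM = [
  [/^Win/, 'Windows'],
  [/^iPhone|^iPad/, 'iOS'],
  [/^Mac/, 'macOS'],
  [/^Linux (arm|aarch64)/, 'Android'], // approximation: ARM Linux as reported by mobile browsers
  [/^Linux/, 'Linux'],
];
const BROWSER_FROM_UA = [
  [/Firefox\//, 'Firefox'],
  [/Chrome\//, 'Chrome'],
  [/Safari\//, 'Safari'],
];

function classify(table, value) {
  const hit = table.find(([re]) => re.test(value));
  return hit ? hit[1] : 'unknown';
}

// Engine-specific globals are much harder to fake than a header string:
// window.mozInnerScreenX exists only in Firefox, window.chrome only in Chromium-based browsers.
function browserFromFeatures(features) {
  if (features.mozInnerScreenX) return 'Firefox';
  if (features.chrome) return 'Chrome';
  return 'unknown';
}

function scanFingerprint(fp) {
  const reasons = [];
  const uaOS = classify(OS_FROM_UA, fp.userAgent);
  const platformOS = classify(OS_FROM_PLATFORM, fp.platform);
  const uaBrowser = classify(BROWSER_FROM_UA, fp.userAgent);
  const featureBrowser = browserFromFeatures(fp.features);

  if (uaOS !== platformOS) {
    reasons.push(`os: user agent says ${uaOS}, navigator.platform says ${platformOS}`);
  }
  if (featureBrowser !== 'unknown' && uaBrowser !== featureBrowser) {
    reasons.push(`browser: user agent says ${uaBrowser}, engine features say ${featureBrowser}`);
  }
  if (/Mobi|Android|iPhone/.test(fp.userAgent) && fp.maxTouchPoints === 0) {
    reasons.push('touch: mobile user agent on a device without touch support');
  }
  return {
    inconsistent: reasons.length > 0,
    reasons,
    // The harder-to-alter attribute is taken as the likely real value.
    likelyOS: platformOS,
    likelyBrowser: featureBrowser !== 'unknown' ? featureBrowser : uaBrowser,
  };
}

// Constructed samples: a genuine Chrome-on-Windows fingerprint, and a Firefox-on-Linux
// browser whose user agent has been switched to the same Chrome-on-Windows string.
const CHROME_WIN_UA = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36';
const genuine = { userAgent: CHROME_WIN_UA, platform: 'Win32', maxTouchPoints: 0, features: { chrome: true, mozInnerScreenX: false } };
const spoofed = { userAgent: CHROME_WIN_UA, platform: 'Linux x86_64', maxTouchPoints: 0, features: { chrome: false, mozInnerScreenX: true } };

console.log(scanFingerprint(genuine));
console.log(scanFingerprint(spoofed));
```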


  • FP-STALKER: Tracking Browser Fingerprint Evolutions

    Antoine Vastel, Pierre Laperdrix, Walter Rudametkin, Romain Rouvoy
    Proceedings of the 39th IEEE Symposium on Security and Privacy (S&P 2018)
    San Francisco, CA, USA (acceptance rate: 11%)

    PDF

    Browser fingerprinting has emerged as a technique to track users without their consent. Unlike cookies, fingerprinting is a stateless technique that does not store any information on devices, but instead exploits unique combinations of attributes handed over freely by browsers. The uniqueness of fingerprints allows them to be used for identification. However, browser fingerprints change over time and the effectiveness of tracking users over longer durations has not been properly addressed. In this paper, we show that browser fingerprints tend to change frequently—from every few hours to days—due to, for example, software updates or configuration changes. Yet, despite these frequent changes, we show that browser fingerprints can still be linked, thus enabling long-term tracking. FP-STALKER is an approach to link browser fingerprint evolutions. It compares fingerprints to determine if they originate from the same browser. We created two variants of FP-STALKER, a rule-based variant that is faster, and a hybrid variant that exploits machine learning to boost accuracy. To evaluate FP-STALKER, we conduct an empirical study using 98,598 fingerprints we collected from 1,905 distinct browser instances. We compare our algorithm with the state of the art and show that, on average, we can track browsers for 54.48 days, and 26% of browsers can be tracked for more than 100 days.
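The linking step can be made concrete with a rule-based stand-in. The JavaScript below is an added example, not the FP-STALKER implementation: it splits attributes into ones assumed stable for a browser instance and ones allowed to drift, refuses a browser-version downgrade (browsers update forward), bounds the number of simultaneous changes, and replays a constructed stream of timestamped fingerprints to reconstruct browser instances and how many days each was tracked. The attribute split, the MAX_CHANGES threshold and the sample data are assumptions.

```javascript
// Added example, not the FP-STALKER code: a simplified rule-based linker in the spirit of
// the paper's rule-based variant. Fingerprints are constructed plain objects with
// pre-extracted attributes; the attribute split and thresholds are assumptions.

const STABLE = ['platform', 'browser', 'hardwareConcurrency']; // assumed constant for one browser instance
const VOLATILE = ['canvas', 'fonts', 'screen', 'languages', 'plugins']; // may drift with updates or configuration
const MAX_CHANGES = 2; // more simultaneous volatile changes than this means a different browser

function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Number of volatile attributes that differ, or -1 if the two cannot belong to the same browser.
function evolutionDistance(known, candidate) {
  if (STABLE.some((k) => known[k] !== candidate[k])) return -1;
  if (compareVersions(candidate.version, known.version) < 0) return -1; // no downgrades
  const changes = VOLATILE.filter((k) => known[k] !== candidate[k]).length;
  return changes > MAX_CHANGES ? -1 : changes;
}

// Replays fingerprints in time order, attaching each one to the closest known browser
// instance (an exact match wins) or opening a new instance when nothing qualifies.
function linkFingerprints(fingerprints) {
  const instances = [];
  const ordered = [...fingerprints].sort((a, b) => new Date(a.time) - new Date(b.time));
  for (const fp of ordered) {
    let best = null;
    let bestDistance = Infinity;
    for (const inst of instances) {
      const latest = inst.fingerprints[inst.fingerprints.length - 1];
      const d = evolutionDistance(latest, fp);
      if (d >= 0 && d < bestDistance) {
        best = inst;
        bestDistance = d;
      }
    }
    if (best) best.fingerprints.push(fp);
    else instances.push({ fingerprints: [fp] });
  }
  return instances;
}

// Days between the first and last fingerprint attributed to an instance.
function trackedDays(instance) {
  const fps = instance.fingerprints;
  return (new Date(fps[fps.length - 1].time) - new Date(fps[0].time)) / 86400000;
}

// Constructed sample: browser A seen three times over 40 days (an update changes its canvas,
// later its font list changes), browser B seen twice, and a final fingerprint that looks
// like A but reports an older version, which the downgrade rule refuses to link.
const base = { platform: 'Win32', browser: 'Firefox', hardwareConcurrency: 4, screen: '1920x1080', languages: 'en-US,en', plugins: '' };
const samples = [
  { ...base, time: '2018-01-01T10:00:00Z', version: '57.0', canvas: 'c1', fonts: 'f1' },
  { ...base, time: '2018-01-11T10:00:00Z', version: '58.0', canvas: 'c2', fonts: 'f1' },
  { ...base, time: '2018-02-10T10:00:00Z', version: '58.0', canvas: 'c2', fonts: 'f2' },
  { ...base, time: '2018-01-06T10:00:00Z', platform: 'Linux x86_64', version: '57.0', canvas: 'c9', fonts: 'f9' },
  { ...base, time: '2018-01-21T10:00:00Z', platform: 'Linux x86_64', version: '57.0', canvas: 'c9', fonts: 'f9' },
  { ...base, time: '2018-02-20T10:00:00Z', version: '56.0', canvas: 'c2', fonts: 'f2' },
];
const linked = linkFingerprints(samples);
console.log(linked.map((inst) => ({ seen: inst.fingerprints.length, days: trackedDays(inst) })));
```

The rule set is deliberately conservative: a false link merges two users into one track, so any stable-attribute mismatch or version downgrade breaks the chain, and only a bounded amount of drift in the volatile attributes is tolerated between consecutive observations.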


  • Hiding in the Crowd: an Analysis of the Effectiveness of Browser Fingerprinting at Large Scale

    Alejandro Gómez-Boix, Pierre Laperdrix, Benoit Baudry
    Proceedings of the 2018 edition of The Web Conference (WWW 2018)
    Lyon, France (acceptance rate: 15%)

    PDF

    Browser fingerprinting is a stateless technique, which consists in collecting a wide range of data about a device through browser APIs. Past studies have demonstrated that modern devices present so much diversity that fingerprints can be exploited to identify and track users online. With this work, we want to evaluate if browser fingerprinting is still effective at uniquely identifying a large group of users when analyzing millions of fingerprints over a few months. We collected 2,067,942 browser fingerprints from one of the top 15 French websites. The analysis of this novel dataset sheds a new light on the ever-growing browser fingerprinting domain. The key insight is that the percentage of unique fingerprints in our dataset is much lower than what was reported in the past: only 33.6% of fingerprints are unique, as opposed to over 80% in previous studies. We show that non-unique fingerprints tend to be fragile. If some features of the fingerprint change, it is very probable that the fingerprint will become unique. We also confirm that the current evolution of web technologies is benefiting users' privacy significantly, as the removal of plugins substantially brings down the rate of unique desktop machines.
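Added example, not the paper's analysis code, of the two quantities reported above computed over a constructed toy dataset: the share of fingerprints whose anonymity set has size one, and the Shannon entropy of each attribute and of the full fingerprint, against the log2(N) bits a dataset in which everyone is unique would reach. The attribute names and the eight sample fingerprints are constructed.

```javascript
// Added example, not code from the paper: the share of unique fingerprints and the entropy
// each attribute contributes, computed over a constructed dataset of eight fingerprints.

function countValues(values) {
  const counts = new Map();
  for (const v of values) counts.set(v, (counts.get(v) || 0) + 1);
  return counts;
}

// Shannon entropy in bits of the empirical distribution of `values`.
function entropyBits(values) {
  const n = values.length;
  let h = 0;
  for (const c of countValues(values).values()) {
    const p = c / n;
    h -= p * Math.log2(p);
  }
  return h;
}

// Serialise the whole fingerprint so that identical attribute tuples compare equal.
function fingerprintKey(fp, attributes) {
  return attributes.map((a) => `${a}=${fp[a]}`).join('|');
}

function analyse(fingerprints, attributes) {
  const keys = fingerprints.map((fp) => fingerprintKey(fp, attributes));
  const groups = countValues(keys);
  // A fingerprint is unique when nobody else in the dataset shares it (anonymity set of size 1).
  const unique = keys.filter((k) => groups.get(k) === 1).length;
  const perAttribute = {};
  for (const a of attributes) perAttribute[a] = entropyBits(fingerprints.map((fp) => fp[a]));
  return {
    total: fingerprints.length,
    uniqueFraction: unique / fingerprints.length,
    maxBits: Math.log2(fingerprints.length), // entropy if every fingerprint were unique
    fullFingerprintBits: entropyBits(keys),
    perAttributeBits: perAttribute,
  };
}

// Constructed dataset: three attributes, eight visits, two of the tuples repeated.
const ATTRIBUTES = ['userAgent', 'screen', 'timezone'];
const dataset = [
  { userAgent: 'A', screen: '1920x1080', timezone: '-60' },
  { userAgent: 'A', screen: '1920x1080', timezone: '-60' },
  { userAgent: 'A', screen: '1366x768', timezone: '-60' },
  { userAgent: 'B', screen: '1920x1080', timezone: '-60' },
  { userAgent: 'B', screen: '1920x1080', timezone: '0' },
  { userAgent: 'C', screen: '1440x900', timezone: '0' },
  { userAgent: 'C', screen: '1440x900', timezone: '0' },
  { userAgent: 'C', screen: '1440x900', timezone: '0' },
];
const stats = analyse(dataset, ATTRIBUTES);
console.log(stats);
```

Per-attribute entropy says how discriminating an attribute is on its own; the full-fingerprint entropy compared with maxBits says how close the combination comes to singling everyone out, which is the gap the paper's 33.6% figure describes at scale.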


  • FPRandom: Randomizing core browser objects to break advanced device fingerprinting techniques

    Pierre Laperdrix, Benoit Baudry, Vikas Mishra
    Proceedings of the 9th International Symposium on Engineering Secure Software and Systems (ESSoS 2017)
    Bonn, Germany (acceptance rate: 37%)

    - Distinguished Artifact Award
    PDF Slides Artifact

    The rich programming interfaces (APIs) provided by web browsers can be diverted to collect a browser fingerprint. A small number of queries on these interfaces are sufficient to build a fingerprint that is statistically unique and very stable over time. Consequently, the fingerprint can be used to track users. Our work aims at mitigating the risk of browser fingerprinting for users' privacy by 'breaking' the stability of a fingerprint over time. We add randomness in the computation of selected browser functions, in order to have them deliver slightly different answers for each browsing session. Randomization is possible thanks to the following properties of browser implementations: (i) some functions have a nondeterministic specification, but a deterministic implementation; (ii) multimedia functions can be slightly altered without deteriorating the user's perception. We present FPRandom, a modified version of Firefox that adds randomness to mitigate the most recent fingerprinting algorithms, namely canvas fingerprinting, AudioContext fingerprinting and the unmasking of browsers through the order of JavaScript properties. We evaluate the effectiveness of FPRandom by testing it against known fingerprinting tests. We also conduct a user study and evaluate the performance overhead of randomization to determine the impact on the user experience.


  • Beauty and the Beast: Diverting modern web browsers to build unique browser fingerprints

    Pierre Laperdrix, Walter Rudametkin, Benoit Baudry
    Proceedings of the 37th IEEE Symposium on Security and Privacy (S&P 2016)
    San Jose, CA, USA (acceptance rate: 13%)

    PDF Slides Video

    Worldwide, the number of people and the time spent browsing the web keep increasing. Accordingly, the technologies to enrich the user experience are evolving at an amazing pace. Many of these evolutions provide for a more interactive web (e.g., boom of JavaScript libraries, weekly innovations in HTML5), a more available web (e.g., explosion of mobile devices), a more secure web (e.g., Flash is disappearing, NPAPI plugins are being deprecated), and a more private web (e.g., increased legislation against cookies, huge success of extensions such as Ghostery and AdBlock). Nevertheless, modern browser technologies, which provide the beauty and power of the web, also provide a darker side, a rich ecosystem of exploitable data that can be used to build unique browser fingerprints. Our work explores the validity of browser fingerprinting in today’s environment. Over the past year, we have collected 118,934 fingerprints composed of 17 attributes gathered thanks to the most recent web technologies. We show that innovations in HTML5 provide access to highly discriminating attributes, notably with the use of the Canvas API which relies on multiple layers of the user’s system. In addition, we show that browser fingerprinting is as effective on mobile devices as it is on desktops and laptops, albeit for radically different reasons due to their more constrained hardware and software environments. We also evaluate how browser fingerprinting could stop being a threat to user privacy if some technological evolutions continue (e.g., disappearance of plugins) or are embraced by browser vendors (e.g., standard HTTP headers).


  • Mitigating browser fingerprint tracking: multi-level reconfiguration and diversification

    Pierre Laperdrix, Walter Rudametkin, Benoit Baudry
    Proceedings of the 10th International Symposium on Software Engineering for Adaptive and Self-Managing Systems (SEAMS 2015)
    Florence, Italy (acceptance rate: 29%)

    PDF Slides

    The diversity of software components (e.g., browsers, plugins, fonts) is a wonderful opportunity for users to customize their platforms. Yet, massive customization creates a privacy issue: browsers are slightly different from one another, allowing third parties to collect unique and stable fingerprints to track users. Although software diversity appears to be the source of this privacy issue, we claim that this same diversity, combined with automatic reconfiguration, provides the essential ingredients to constantly change browsing platforms. Constant change acts as a moving target defense strategy against fingerprint tracking by breaking one essential property: stability over time. We leverage virtualization and modular architectures to automatically assemble and reconfigure software components at multiple levels. We operate on operating systems, browsers, fonts and plugins. This work is the first application of software reconfiguration to build a moving target defense against browser fingerprint tracking. The main objective is to automatically modify the fingerprint a platform exhibits. We have developed a prototype called Blink to experiment with the effectiveness of our approach at randomizing fingerprints. We have assembled and reconfigured thousands of platforms, and we observe that all of them exhibit different fingerprints, and that commercial fingerprinting solutions are not able to detect that the different platforms actually correspond to a single user.

Magazine publication

  • Le fingerprinting : une nouvelle technique de traçage (Fingerprinting: a new tracking technique)

    Pierre Laperdrix, Benoit Baudry
    MISC n°81, French security-focused magazine, September/October 2015, pp. 52-57
    Full article (in French)

    Browser fingerprinting refers to a browser collecting a number of pieces of information about a user's device in order to build a fingerprint. Many studies have shown that this fingerprint is unique in the vast majority of cases and evolves very slowly. It can therefore be used to track users without leaving any trace on the device.

PhD Thesis

  • Browser Fingerprinting: Exploring Device Diversity to Augment Authentication and Build Client-Side Countermeasures

    Pierre Laperdrix
    Defense in October 2017
    PDF

Current projects




Past Projects

Blink

Open-source prototype from the SEAMS 2015 paper above (Mitigating browser fingerprint tracking), which automatically assembles and reconfigures browsing platforms so that the fingerprint they exhibit keeps changing.



Multi-Screen Virtual Interactive Presentation (MSVIP) Project

In partnership with Excense, we created a virtual showcase to demonstrate the ability of connected devices to engage audiences in lively and interactive presentations. Built around the Microsoft PixelSense technology, the master of ceremonies operates on a touch-enabled table and can control any number of tablets or computers remotely connected to it to add value to his or her presentation.

The example built for the device was an interactive presentation of my engineering school, the INSA de Rennes. The app is now used during open days to give visitors an overview of the school.

Overview of the MSVIP concept

MSVIP in action 1

MSVIP in action 2

MSVIP in action 3



Daedalus Project

We built a maze generator for a virtual reality game in which one player is pitted against another to get out of a maze. The biggest challenge of this project was to build easy-to-use software offering different generation strategies. A real effort was put into a clear and comprehensive graphical interface that gives any creator the freedom to build the maze of his or her dreams.

Overview of the VR game

Overview of the interface of the generator

From the generator to the VR game

Overview of the generation process