-
Notifications
You must be signed in to change notification settings - Fork 1.3k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
AudioBuffer noise injection in Private Browsing can be negated using …
…a looping audio buffer source https://bugs.webkit.org/show_bug.cgi?id=270767 rdar://124156971 Reviewed by Chris Dumez, Charlie Wolfe and Matthew Finkel. Implement several mitigations to make it impractical to reverse noise injection by looping a single audio sample many times in a single audio buffer and averaging the results. 1. Adjust noise injection to use normally-distributed noise, instead of a uniform random distribution. This raises the bar for "averaging-style" attacks, which can currently converge on a stable result by averaging the min/max values in the random distribution. A similar attack will now require more iterations to converge on the original value. 2. Store previously-generated random values while applying noise, and reapply these random values to the values that are encountered repeatedly. This ensures that an attacker does not gain more information about the original value, by causing it to be computed repeatedly in the same audio buffer. 3. Instead of uniformly applying a fixed noise level (0.001) for all readback using `OfflineAudioContext`, allow certain node types that are known to expose hardware or OS differences (i.e. `DynamicsCompressorNode` and `OscillatorNode`) to increase the amount of injected noise beyond the baseline of 0.1%. `AudioBufferSourceNode`, in particular, will amplify the noise level more, depending on the number of times the audio buffer is looped. * Source/WebCore/Modules/webaudio/AudioBasicProcessorNode.h: * Source/WebCore/Modules/webaudio/AudioBuffer.cpp: (WebCore::AudioBuffer::releaseMemory): Replace the single boolean flag (`m_needsAdditionalNoise`) with a `m_noiseInjectionMultiplier`, which indicates the magnitude of noise injection (the standard deviation of the normal distribution used to inject noise). (WebCore::AudioBuffer::copyToChannel): (WebCore::AudioBuffer::zero): (WebCore::AudioBuffer::copyTo const): (WebCore::AudioBuffer::applyNoiseIfNeeded): * Source/WebCore/Modules/webaudio/AudioBuffer.h: (WebCore::AudioBuffer::increaseNoiseInjectionMultiplier): (WebCore::AudioBuffer::noiseInjectionMultiplier const): (WebCore::AudioBuffer::setNeedsAdditionalNoise): Deleted. * Source/WebCore/Modules/webaudio/AudioBufferSourceNode.cpp: (WebCore::AudioBufferSourceNode::noiseInjectionMultiplier const): Increase the noise injection level for an audio buffer, if it's downstream from an `AudioBufferSourceNode` that loops many times. For an audio buffer source that loops more than 200 times, this boosts the existing noise level for the audio buffer by a factor of 0.005 per loop, leading to a massive amount of noise in the case where a tiny sample is looped back-to-back in a large buffer. * Source/WebCore/Modules/webaudio/AudioBufferSourceNode.h: * Source/WebCore/Modules/webaudio/AudioNode.h: (WebCore::AudioNode::noiseInjectionMultiplier const): Add a subclassing hook that allows each `AudioNode` subclass to inject additional noise when reading back the final `AudioBuffer`. This allows us to selectively increase the amount of injected noise when using specific types of audio nodes, which are known to expose larger differences w.r.t. the underlying OS or CPU architecture. * Source/WebCore/Modules/webaudio/AudioNodeOutput.cpp: (WebCore::AudioNodeOutput::forEachInputNode const): Add a helper method to iterate over each input node (i.e. the next destination in the processing graph) that's attached to this output. Note that this must be called from underneath the context's graph lock. * Source/WebCore/Modules/webaudio/AudioNodeOutput.h: * Source/WebCore/Modules/webaudio/AudioWorkletNode.cpp: (WebCore::AudioWorkletNode::process): Increase the noise level when passing raw data into worklets, to adjust for the new normally- distributed noise injection. * Source/WebCore/Modules/webaudio/BaseAudioContext.h: (WebCore::BaseAudioContext::referencedSourceNodes const): Add a helper method to iterate over all source nodes in the audio context; must be called only when the context's graph lock is held. * Source/WebCore/Modules/webaudio/DynamicsCompressorNode.h: Add additional buffer readback noise when using certain audio node types. * Source/WebCore/Modules/webaudio/OfflineAudioContext.cpp: (WebCore::OfflineAudioContext::OfflineAudioContext): (WebCore::OfflineAudioContext::lazyInitialize): (WebCore::OfflineAudioContext::increaseNoiseMultiplierIfNeeded): Upon initialization, traverse the audio processing graph in search for audio nodes that warrant additional noise injection, and accumulate this extra noise on the target buffer. * Source/WebCore/Modules/webaudio/OfflineAudioContext.h: * Source/WebCore/Modules/webaudio/OscillatorNode.h: * Source/WebCore/platform/audio/AudioUtilities.cpp: (WebCore::AudioUtilities::applyNoise): Switch to normally-distributed noise injection, rather than uniformally random noise. Additionally, ensure that if a value appears again in the same buffer, it'll use the same, previously computed noise multiplier value instead of a newly generated random value. * Source/WebCore/platform/audio/AudioUtilities.h: * Tools/TestWebKitAPI/Tests/WebKit/AdvancedPrivacyProtections.mm: (TestWebKitAPI::TEST): * Tools/TestWebKitAPI/Tests/WebKitCocoa/audio-fingerprinting.html: Add a new test case to exercise these mitigations. Originally-landed-as: 272448.707@safari-7618-branch (3c7dd17). rdar://128089250 Canonical link: https://commits.webkit.org/278815@main
- Loading branch information
1 parent
7fc383d
commit 775bac3
Showing
18 changed files
with
222 additions
and
17 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.