What Browsers Do in the Shaders: A Measurement Study of WebGPU Privacy
Pith reviewed 2026-06-26 01:06 UTC · model grok-4.3
The pith
WebGPU persistent pipeline compilation state can be probed to reveal prior GPU activity across origins.
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
Our controlled results identify persistent pipeline compilation state as the clearest surface. Cold/warm pipeline probes reveal prior compilation state across selected origin, profile, and browser placements. Controlled browser/native experiments also show native GPU activity can be inferred from browser-visible observables under labeled workloads. Other resource probes provide weaker positive results and negative controls. The participant field study shows active WebGPU behavior is highly distinctive within the sample, with deterministic components stable within runs and lower exact stability across repeated visits. A page-load crawl finds WebGPU use mainly as adapter probing and static sup
What carries the argument
Cold/warm pipeline probes that detect persistent pipeline compilation state across boundaries
If this is right
- Pipeline-cache partitioning would block the clearest observed leakage path.
- Source-level key separation can serve as a practical proxy for testing cache isolation.
- Privacy analysis for WebGPU must be performed surface by surface rather than with blanket policies.
- Active WebGPU behavior patterns are distinctive enough to support fingerprinting within the studied sample.
- Real-world pages rarely exercise the heavier shader and pipeline surfaces that carry the strongest signals.
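An added illustration, not code from the paper, WGPULens, or this page: an in-memory JavaScript model of how the pipeline-cache key decides whether one origin's earlier compilation is visible to another, scored as an AUROC over cold/warm timings. The cache class, latencies, origins, shader string, and the reading of source-level key separation as "make the source text differ per context" are all assumptions; the code makes no WebGPU calls.

```javascript
"use strict";
// In-memory model only. All latencies and origins are constructed sample values.

// Deterministic PRNG (mulberry32) so every run gives the same numbers.
function makeRng(seed) {
  let a = seed >>> 0;
  return () => {
    a = (a + 0x6d2b79f5) >>> 0;
    let t = a;
    t = Math.imul(t ^ (t >>> 15), t | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// Hypothetical persistent pipeline cache. keying "shared" keys on shader
// source only; "partitioned" keys on (origin, source).
class PipelineCacheModel {
  constructor(keying, rand) {
    this.keying = keying;
    this.rand = rand;
    this.entries = new Set();
  }
  // Returns the simulated pipeline-creation latency in milliseconds.
  createPipeline(origin, source) {
    const key = this.keying === "partitioned" ? origin + "\u0000" + source : source;
    const warm = this.entries.has(key);
    this.entries.add(key);
    return (warm ? 0.4 : 6.0) + this.rand() * 1.5; // constructed cost + jitter
  }
}

// Source-level key separation, as assumed here: the harness makes the source
// text differ per origin, so even a source-keyed cache cannot share entries.
function separateSource(origin, source) {
  return "// ctx:" + origin + "\n" + source;
}

const SHADER = "@compute @workgroup_size(1) fn main() {}"; // constructed sample

// One trial: optionally let origin A compile first, then time origin B.
function observe(config, rand, priorActivity) {
  const cache = new PipelineCacheModel(config.keying, rand);
  const src = (o) => (config.separate ? separateSource(o, SHADER) : SHADER);
  if (priorActivity) cache.createPipeline("https://a.example", src("https://a.example"));
  return cache.createPipeline("https://b.example", src("https://b.example"));
}

// AUROC of "lower latency means prior activity" (Mann-Whitney form).
function auroc(warmTrials, coldTrials) {
  let wins = 0;
  for (const w of warmTrials)
    for (const c of coldTrials) wins += w < c ? 1 : w === c ? 0.5 : 0;
  return wins / (warmTrials.length * coldTrials.length);
}

// 1.0 means origin B can always tell whether origin A compiled; 0.5 is chance.
function leakageAuroc(config, trials = 200, seed = 1) {
  const rand = makeRng(seed);
  const withPrior = [];
  const withoutPrior = [];
  for (let i = 0; i < trials; i++) {
    withPrior.push(observe(config, rand, true));
    withoutPrior.push(observe(config, rand, false));
  }
  return auroc(withPrior, withoutPrior);
}

// Mitigation cost check: a second compile by the same origin should stay warm.
function sameOriginSecondCompile(config, seed = 1) {
  const rand = makeRng(seed);
  const cache = new PipelineCacheModel(config.keying, rand);
  const o = "https://b.example";
  const s = config.separate ? separateSource(o, SHADER) : SHADER;
  cache.createPipeline(o, s);
  return cache.createPipeline(o, s);
}

const CONFIGS = {
  shared: { keying: "shared", separate: false },
  partitioned: { keying: "partitioned", separate: false },
  sourceSeparated: { keying: "shared", separate: true },
};

for (const [name, cfg] of Object.entries(CONFIGS)) {
  console.log(name, "AUROC", leakageAuroc(cfg).toFixed(3),
    "same-origin reuse ms", sameOriginSecondCompile(cfg).toFixed(2));
}
```

In this model the source-separated configuration behaves like the partitioned one at the cross-origin boundary while same-origin reuse stays warm, which is what makes it usable as a stand-in when the cache key itself cannot be changed.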
Where Pith is reading between the lines
- Similar state-persistence effects could appear in other browser-exposed GPU interfaces if they share compilation caches.
- Aggressive cache clearing on navigation or profile changes might be needed to limit cross-context leakage.
- Performance cost of proposed mitigations could be measured by comparing page-load times before and after cache resets.
- The same probe technique might be adapted to test isolation between different browser profiles or private modes.
Load-bearing premise
That signals observed in controlled lab scenarios and a small participant field study will generalize across diverse real-world GPU drivers, OSes, and browser versions without substantial confounding from unmeasured variables.
What would settle it
No observable difference in pipeline compilation behavior between cold and warm states when tested across a broad sample of real GPU drivers, operating systems, and browser versions.
Original abstract
WebGPU lets ordinary web pages run GPU workloads through a validated programming model. Validation protects memory safety, but shared browser, driver, OS, and GPU state can still expose privacy-relevant signals. We present WGPULens, a framework for measuring those signals across controlled scenarios, browser-native co-residency, a participant field study, public page loads, and mitigation policies. Our framework separates measurements: controlled scenarios support leakage, boundary, and mitigation claims; participant runs support deployment, compatibility, and fingerprintability; and a Tranco crawl measures WebGPU exposure in real-world pages. Our controlled results identify persistent pipeline compilation state as the clearest surface. Cold/warm pipeline probes reveal prior compilation state across selected origin, profile, and browser placements. Controlled browser/native experiments also show native GPU activity can be inferred from browser-visible observables under labeled workloads. Other resource probes provide weaker positive results and negative controls. The participant field study shows active WebGPU behavior is highly distinctive within the sample, with deterministic components stable within runs and lower exact stability across repeated visits. A page-load crawl finds WebGPU use mainly as adapter probing and static support code, with no observed page-load shader, pipeline, queue, query, or map activity. Mitigation pilots identify source-level key separation as a proxy for evaluating pipeline-cache partitioning. Overall, WGPULens shows that WebGPU privacy analysis must be surface-specific: browsers need to measure which GPU state crosses which boundary, which browser-visible signals reveal it, and what the corresponding mitigations cost.
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The manuscript introduces WGPULens, a framework for measuring WebGPU privacy signals via controlled probes, browser-native co-residency tests, a participant field study, a Tranco crawl of public pages, and mitigation pilots. Controlled results identify persistent pipeline compilation state as the primary leakage surface, with cold/warm pipeline probes demonstrating prior compilation across origins, profiles, and browsers; additional experiments show inference of native GPU activity from browser observables. The field study reports high distinctiveness of active WebGPU behavior with stable deterministic components within runs, while the crawl finds WebGPU usage limited to adapter probing and static code with no shader/pipeline activity. The work concludes that WebGPU privacy analysis must be surface-specific.
Significance. If the empirical results hold, the paper makes a meaningful contribution by providing convergent evidence from complementary methods on an emerging web API's privacy surfaces. The identification of pipeline compilation state via direct cold/warm probes, the negative controls on other resources, and the real-world crawl data are useful for browser implementers. The framework's separation of measurement goals (leakage vs. deployment vs. exposure) and the pilot on source-level key separation as a mitigation proxy add practical value. The absence of invented parameters or circular derivations strengthens the observational claims.
major comments (2)
- [§4] §4 (Controlled Scenarios): The central claim that cold/warm pipeline probes reveal prior compilation state across placements is load-bearing, yet the abstract notes limited detail on sample sizes, statistical thresholds, and hardware diversity; the main text must report exact run counts, GPU/OS configurations tested, and criteria for 'revealing' state to rule out driver-specific confounds.
- [Participant Field Study] Participant Field Study section: The claim that active WebGPU behavior is 'highly distinctive' within the sample and supports fingerprintability requires explicit reporting of participant count, number of repeated visits, and quantitative stability metrics (e.g., exact match rates or similarity scores across runs) to substantiate the deployment and fingerprintability conclusions.
minor comments (3)
- [Figures] Figure captions and legends for probe timing plots should explicitly label cold vs. warm conditions and include error bars or confidence intervals for all reported timings.
- [Related Work] Related Work: Add citations to prior WebGL/WebGPU fingerprinting studies (e.g., on shader compilation or adapter enumeration) to better situate the novelty of the pipeline-state surface.
- [Tranco Crawl] Tranco Crawl section: Specify the exact Tranco list version/date used and the total number of pages successfully loaded to allow replication of the exposure measurements.
Simulated Author's Rebuttal
We thank the referee for the positive evaluation and recommendation of minor revision. The two requests for additional quantitative details are well-taken and will be addressed directly in the revised manuscript.
Point-by-point responses
- Referee: [§4] §4 (Controlled Scenarios): The central claim that cold/warm pipeline probes reveal prior compilation state across placements is load-bearing, yet the abstract notes limited detail on sample sizes, statistical thresholds, and hardware diversity; the main text must report exact run counts, GPU/OS configurations tested, and criteria for 'revealing' state to rule out driver-specific confounds.
  Authors: We agree that the current reporting is insufficient for reproducibility and to exclude confounds. The revised §4 will report exact run counts per configuration, the full list of tested GPU models, OS versions, and browser versions, the statistical thresholds applied, and the precise decision criteria used to classify a probe as revealing prior state (including how driver variability was assessed).
  revision: yes
- Referee: Participant Field Study section: The claim that active WebGPU behavior is 'highly distinctive' within the sample and supports fingerprintability requires explicit reporting of participant count, number of repeated visits, and quantitative stability metrics (e.g., exact match rates or similarity scores across runs) to substantiate the deployment and fingerprintability conclusions.
  Authors: We accept this point. The revised Participant Field Study section will state the exact participant count, the number of repeated visits per participant, and the quantitative stability metrics (exact match rates and similarity scores) that underlie the distinctiveness and fingerprintability claims.
  revision: yes
Circularity Check
No significant circularity
The paper is a pure empirical measurement study. Its claims rest on direct observations from controlled cold/warm pipeline probes, participant field runs, and page-load crawls. No equations, first-principles derivations, or statistical predictions appear in the provided text; therefore no step reduces a reported signal to a fitted parameter or self-citation defined by the study itself. All load-bearing results are external browser/GPU behavior measured under labeled conditions, satisfying the self-contained criterion for a score of 0.
Axiom & Free-Parameter Ledger
axioms (1)
- Domain assumption: Browser-visible observables can reflect native GPU compilation and execution state across origin boundaries.
A Technical Appendix Table 9: Measurement tasks, datasets, and metrics. Task Dataset Metric Use in the paper Pipeline state controlled AUROC, CI, permutat...