DOI: 10.1145/3658644.3690262 | ACM CCS conference proceedings | Research article

Unbundle-Rewrite-Rebundle: Runtime Detection and Rewriting of Privacy-Harming Code in JavaScript Bundles

Published: 09 December 2024

Abstract

This work presents Unbundle-Rewrite-Rebundle (URR), a system for detecting privacy-harming portions of bundled JavaScript code and rewriting that code at runtime to remove the privacy-harming behavior without breaking the surrounding code or the overall application. URR addresses the problem posed by JavaScript bundles: websites pre-compile multiple code units into a single file, so content filters and ad-blockers, which block or allow whole resources, cannot differentiate between desired and unwanted code inside that file. Where traditional content-filtering tools rely on URLs, URR analyzes the code at the AST level and replaces harmful AST sub-trees with alternatives that preserve both the user's privacy and the functionality the surrounding code expects.
We present an open-sourced implementation of URR as a Firefox extension and evaluate it against JavaScript bundles generated by the most popular bundling system (Webpack) as deployed on the Tranco 10k. We measure precision (1.00), recall (0.95), and speed (0.43 s per script) when detecting and rewriting three representative privacy-harming libraries often included in JavaScript bundles, and find URR to be an effective approach to a large and growing blind spot unaddressed by current privacy tools.


Cited By

  • (2024) Improvements in information security using the example of a web application for automatic class schedule generation. 2024 32nd Telecommunications Forum (TELFOR), pp. 1-4. https://doi.org/10.1109/TELFOR63250.2024.10819156. Online publication date: 26-Nov-2024.

    Published In

    CCS '24: Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security
    December 2024, 5188 pages
    ISBN: 9798400706363
    DOI: 10.1145/3658644
    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

    Publisher

    Association for Computing Machinery, New York, NY, United States


    Author Tags

    1. content blocking
    2. web privacy

    Qualifiers

    • Research-article

    Conference

    CCS '24

    Acceptance Rates

    Overall Acceptance Rate 1,261 of 6,999 submissions, 18%


    Article Metrics

    • Downloads (last 12 months): 74
    • Downloads (last 6 weeks): 74
    Reflects downloads up to 12 Jan 2025
