AdJail: Practical Enforcement of Confidentiality and Integrity Policies on Web Advertisements. Mike Ter Louw, Karthik Thotta Ganesh, V.N. Venkatakrishnan, Department of Computer Science, University of Illinois at Chicago. 19th USENIX Security Symposium, Washington, DC, August 2010. Presented by Yi-Ning Chen 1
Outline Introduction Threat model and related work Architecture Implementation Evaluation Conclusion 2
INTRODUCTION 3
Term introduction. An ad publisher is a web application that includes dynamically sourced content from an ad network in its output. Ad content is fetched dynamically from ad networks (e.g., Google AdSense), leaving the publisher little opportunity to inspect and approve ads before they are rendered. The ad script is the ad network's JavaScript together with the advertiser's JavaScript. 4
The problem ad publishers face (1/2) 1. In September, visitors to the New York Times home page were greeted by an unauthorized advertisement imitating a virus scan. 2. Members of the social web site Facebook were presented with advertisements deceptively portraying private images of their family and friends. 5
The problem ad publishers face (2/2) For publishers, online advertising is an economic necessity, but it also causes security problems. A passive approach to enforcement is for ad networks to screen ads for potential attacks. – But this leaves the publisher vulnerable to any gaps in the ad network's screening strategy. This paper confronts the problem of rogue ads with an active approach, from a publisher-centric perspective. 6
Contributions of this paper Confidentiality and integrity policy specification and enforcement Compatibility with ad network targeting algorithms Compatibility with ad network billing operations Consistency in user experience Satisfaction of practical deployment requirements 7
THREAT MODEL AND RELATED WORK 8
Threat model: Ads in a webmail application. (1) banner (2) skyscraper ads (3) inline text ad (4) floating ad 9
Some ads require partial page content. Both require access to the message text. 10
Some ads require special deployment. A floating ad requires access to the real estate of the page, to place the ad over the message text. 11
In-scope threats: those targeted by recent efforts in the Web standards community on content restrictions (e.g. Content Security Policy). Such policies are specified by a web site to restrict the capabilities of third-party scripts, e.g. access to and modification of first-party content, and control over the screen. 12
Out-of-scope threats (1/2) Browser security bugs, e.g. drive-by downloads. Opaque content, e.g. Flash. Frame busting and navigation attacks, e.g. the classic frame-busting snippet:
if (top.location != location) { top.location.href = document.location.href; }
14
Out-of-scope threats (2/2) Behavior tracking attacks. Attacks through side channels, e.g. the browser's "visited links" feature. 15
Related work (1/4) Privacy and behavior targeting – Rely on specialized in-browser systems that support contextual placement of ads while preventing behavioral profiling of users. – AdJail: deployed by the publisher (server-side page preparation plus in-page tunnel scripts), protecting both publisher-owned and user-owned content. 16
Related work (2/4) Restricting content languages – Focus on limiting the JavaScript language features that untrusted scripts are allowed to use. – FBJS: imposes the burden of a new language. – ADsafe: places restrictions on JavaScript language features. – These approaches may require re-development of ad script code. – AdJail: the only effort required is to specify policies. 17
Related work (3/4) Code transformation approaches – Transform untrusted JavaScript code to interpose runtime policy enforcement checks. – The recommended way for a publisher to transform JavaScript dynamically is through a proxy. – However, fetching ad scripts through a proxy may look suspicious to the click-fraud detection mechanisms employed by the ad network. 18
Related work (4/4) Publisher-browser collaboration – The publisher instructs the browser to enforce the publisher's policies on third-party content, leaving enforcement entirely to the browser. – Content Security Policy: provided by Mozilla. – Main positive: this approach can enforce fine-grained policies with minimal overhead. – Primary drawback: today's browsers do not agree on a standard for publisher-browser collaboration. 19
ARCHITECTURE Using webmail application as example 20
Ad confinement using shadow pages 1. Remove the ad script from the publisher's webmail page (the real page). 2. Embed a hidden element in the page with a different-origin URI, thus invoking the browser's same-origin policy (SOP) to isolate it from the real page. 3. Add the ad script to the page contained in the hidden element (the shadow page). 21 SOP (Same Origin Policy) definition: 1. Only pages with the same origin as the page that stored some information in the browser may read or modify that information. 2. Two pages have the same origin if their protocol, host, and port are the same.
Ad mirroring & event forwarding (Controlled user interaction with ads, 1/2) 1. A tunnel script is added to monitor the page changes made by the ad script. 2. It conveys those changes to the real page via inter-origin message conduits. 3. User-generated events (e.g. onmousemove) captured on the mirrored ad content are forwarded to the shadow page for processing. 22
Ad policies (Controlled user interaction with ads, 2/2) Can be defined on each HTML element. 23
IMPLEMENTATION Policies, real and shadow page, and synchronization 24
Policy specification. The publisher can annotate any HTML element of the real page with a policy attribute: policy = "permission: value;" 25
Policy composition. Multiple policy statements may assign different values to a single permission; this can occur within a single policy attribute or through inheritance. 26 The effective value of a permission is the most restrictive value across all composed policy statements, inherited statements included. Permissions left unspecified are set to their default values.
Construction of the real page 1. Remove the ad script but retain its element, to contain the content sent from the shadow page. 2. Add the tunnel script. 3. Annotate HTML elements with policies. 4. Scan the real page for all elements with policies granting the following permissions: read-access: subtree; write-access: append; write-access: subtree. 5. Convert the elements found in step 4 into models, ready to send to the shadow page. 27
HTML to JavaScript data structure (JSON), for keeping elements synchronized between the real and shadow pages. 28
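The composition rule from the policy slides and the scan-and-model steps of the real-page construction, as an added worked example in JavaScript (not code from the AdJail paper or from this presentation). The permission names, their restrictiveness order, the default values, the plain-object page tree and the shape of the JSON model are assumptions made here for illustration; the slides do not show AdJail's full policy vocabulary or its model format.

```javascript
'use strict';

// Enumerated permissions: index 0 is the most restrictive value. Names and
// values are assumed for this example, not AdJail's full vocabulary.
const ORDER = {
  'read-access':  ['none', 'subtree'],
  'write-access': ['none', 'append', 'subtree'],
  'overflow':     ['deny', 'allow'],
};
// Numeric permissions: the smaller value is the more restrictive one.
const NUMERIC = new Set(['max-width', 'max-height']);
// Defaults applied to whatever is still unspecified after composition.
const DEFAULTS = {
  'read-access': 'none', 'write-access': 'none', 'overflow': 'deny',
  'max-width': Infinity, 'max-height': Infinity,
};

function normalize(perm, raw) {
  if (NUMERIC.has(perm)) {
    const n = Number(raw);
    if (!Number.isFinite(n) || n < 0) throw new Error(`bad value for ${perm}: ${raw}`);
    return n;
  }
  if (!ORDER[perm]) throw new Error(`unknown permission: ${perm}`);
  if (!ORDER[perm].includes(raw)) throw new Error(`bad value for ${perm}: ${raw}`);
  return raw;
}

// Most restrictive of two values of the same permission; undefined means "not stated".
function mostRestrictive(perm, a, b) {
  if (a === undefined) return b;
  if (b === undefined) return a;
  if (NUMERIC.has(perm)) return Math.min(a, b);
  return ORDER[perm].indexOf(a) <= ORDER[perm].indexOf(b) ? a : b;
}

// Parse one `policy` attribute, e.g. "read-access: subtree; write-access: append;".
// A permission repeated inside one attribute composes to its most restrictive value.
function parsePolicy(attr) {
  const out = {};
  for (const stmt of String(attr || '').split(';')) {
    if (!stmt.trim()) continue;
    const i = stmt.indexOf(':');
    if (i < 0) throw new Error(`malformed policy statement: "${stmt.trim()}"`);
    const perm = stmt.slice(0, i).trim();
    const val = normalize(perm, stmt.slice(i + 1).trim());
    out[perm] = mostRestrictive(perm, out[perm], val);
  }
  return out;
}

// Effective policy of the last element of `chain` ([root, ..., element]):
// compose every ancestor's statements, then fill in defaults.
function effectivePolicy(chain) {
  const eff = {};
  for (const el of chain) {
    const p = parsePolicy(el.attrs && el.attrs.policy);
    for (const perm of Object.keys(p)) eff[perm] = mostRestrictive(perm, eff[perm], p[perm]);
  }
  for (const perm of Object.keys(DEFAULTS)) if (eff[perm] === undefined) eff[perm] = DEFAULTS[perm];
  return eff;
}

// JSON content model of one permitted element. With read-access: subtree the
// children and text go along (a descendant that revokes read access becomes a
// redacted placeholder); an element granting only write access is sent as an
// empty shell the ad may append into. The policy attribute stays on the real page.
function modelOf(chain) {
  const el = chain[chain.length - 1];
  const { policy, ...attrs } = el.attrs || {};
  const model = { tag: el.tag, attrs };
  if (effectivePolicy(chain)['read-access'] !== 'subtree') return model;
  model.children = (el.children || []).map(child => {
    if (typeof child === 'string') return child;
    const sub = [...chain, child];
    return effectivePolicy(sub)['read-access'] === 'subtree'
      ? modelOf(sub)
      : { tag: child.tag, attrs: {}, redacted: true };
  });
  return model;
}

// Scan the real page and return models for every element whose effective
// policy grants read or write access (a forest, in document order).
function collectModels(el, chain = []) {
  const here = [...chain, el];
  const eff = effectivePolicy(here);
  if (eff['read-access'] === 'subtree' || eff['write-access'] !== 'none') return [modelOf(here)];
  let out = [];
  for (const child of el.children || []) {
    if (typeof child !== 'string') out = out.concat(collectModels(child, here));
  }
  return out;
}

// Constructed stand-in for the webmail real page (plain objects, not a DOM).
const realPage = {
  tag: 'body', attrs: {}, children: [
    { tag: 'div', attrs: { id: 'inbox' }, children: [
      { tag: 'ul', attrs: {}, children: ['private subject lines'] }] },
    { tag: 'div', attrs: { id: 'message', policy: 'read-access: subtree;' }, children: [
      { tag: 'p', attrs: {}, children: ['Lunch tomorrow?'] },
      { tag: 'p', attrs: { policy: 'read-access: none;' }, children: ['account number 12345678'] }] },
    { tag: 'div', attrs: { id: 'ad-slot',
        policy: 'write-access: append; max-width: 300; max-height: 250; overflow: deny;' },
      children: [] },
  ],
};

// What the real page's tunnel script would hand to the message conduit.
function contentModelJSON(page) { return JSON.stringify(collectModels(page)); }
```

Note that an ancestor with no policy attribute does not restrict its descendants: only stated values compose, and defaults are applied afterwards, so the message body can be readable while the inbox around it, which states nothing, is simply never modeled.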
Construction of the shadow page 1. Begins as a template web page containing only the tunnel script. 2. After the tunnel script receives the content model from the real page's tunnel, it converts the model into HTML constructs. 3. The shadow page now contains all the non-sensitive content and structure of the real page, allowing the ad script to execute. 4. Next, wrappers are installed around several DOM API methods to interpose between the ad script and the DOM. The wrappers monitor page updates and provide billing evidence. 29
DOM interposition. To prevent ad impressions from being counted on the shadow page, we interpose on the common interfaces ad scripts use to create content, e.g. the src property of HTMLImageElement objects, substituting a placeholder value. 30
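An added example (not the paper's or the presenter's code) of the interposition on HTMLImageElement.src described on this slide, together with the inter-origin message conduit from the architecture slides. It runs in Node.js with a stand-in HTMLImageElement class and an in-process conduit in place of postMessage; the two origins, the placeholder image, the message shape, and the choice to hand the ad script back the URL it set are assumptions of this example.

```javascript
'use strict';

// Origins of the two pages (constructed for this example).
const REAL_ORIGIN = 'https://webmail.example';
const SHADOW_ORIGIN = 'https://shadow.webmail-ads.example';

// Inter-origin message conduit. In a browser `send` would be
// otherWindow.postMessage(JSON.stringify(msg), targetOrigin) and `onMessage`
// the 'message' event handler; here both ends live in one process.
// The receiver must check event.origin: any page can postMessage to the real
// page, so an unchecked handler would accept fake ad updates from anyone.
function makeConduit(targetOrigin, expectedOrigin) {
  const sent = [], received = [], dropped = [];
  return {
    sent, received, dropped,
    send(msg) { sent.push({ targetOrigin, data: JSON.stringify(msg) }); },
    onMessage(event) {
      if (event.origin !== expectedOrigin) { dropped.push(event.origin); return; }
      let msg;
      try { msg = JSON.parse(event.data); } catch (e) { dropped.push('malformed'); return; }
      received.push(msg);
    },
  };
}

// Stand-in for the browser's HTMLImageElement so the example runs in Node; in
// the shadow page the same defineProperty targets HTMLImageElement.prototype.
class HTMLImageElement {
  constructor() { this._src = ''; }
  get src() { return this._src; }
  set src(v) { this._src = String(v); }
}

// 1x1 transparent GIF used as the placeholder (assumed; any inert value works).
const PLACEHOLDER = 'data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7';

// Interpose on the src accessor. The shadow page never loads the real image,
// so no impression is counted from it; the requested URL becomes the billing
// evidence forwarded to the real page, which loads it under policy. The getter
// returns the URL the ad script set so the script's view stays consistent
// (a design choice of this example). Returns an uninstall function.
function installImageInterposer(proto, conduit) {
  const orig = Object.getOwnPropertyDescriptor(proto, 'src');
  if (!orig || typeof orig.set !== 'function') throw new Error('src is not an accessor here');
  const requested = new WeakMap();
  Object.defineProperty(proto, 'src', {
    configurable: true, enumerable: orig.enumerable,
    get() { return requested.has(this) ? requested.get(this) : orig.get.call(this); },
    set(url) {
      const u = String(url);
      requested.set(this, u);
      orig.set.call(this, PLACEHOLDER);
      conduit.send({ type: 'image', url: u });
    },
  });
  return () => Object.defineProperty(proto, 'src', orig);
}

// Exercise both ends: the ad script sets img.src in the shadow page, the real
// page receives the forwarded URL, and a message from a foreign origin is dropped.
function runDemo() {
  const shadowSide = makeConduit(REAL_ORIGIN, REAL_ORIGIN);    // lives in the shadow page
  const realSide = makeConduit(SHADOW_ORIGIN, SHADOW_ORIGIN);  // lives in the real page
  const uninstall = installImageInterposer(HTMLImageElement.prototype, shadowSide);
  const img = new HTMLImageElement();
  img.src = 'https://ads.example/banner.png';                  // what the ad script does
  const scriptView = img.src;
  for (const m of shadowSide.sent) realSide.onMessage({ origin: SHADOW_ORIGIN, data: m.data });
  realSide.onMessage({ origin: 'https://evil.example',
    data: JSON.stringify({ type: 'image', url: 'https://evil.example/x.png' }) });
  uninstall();
  return { actualSrc: img._src, scriptView, sentTo: shadowSide.sent[0].targetOrigin,
    received: realSide.received, dropped: realSide.dropped };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(runDemo(), null, 2));
}
```

The two checks that matter are visible in the demo output: the element the ad script created holds only the placeholder, and the real page acts solely on messages whose origin is the shadow page's.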
Content mirroring 1.Monitoring the shadow page for modifications 2.Modeling the detected modifications 3.Sending models to the real page 4.Enforcing policies on the models 5.Modifying the real page to reflect the modeled changes 31
Synchronization message 32
Event forwarding. Using the DOM interposition framework, we interpose on the ad script's operations on event handlers. Ad clicks – Instead of directly invoking the ad's click event handlers, links are clicked on the real page, subject to enforcement of the link-target permission. Position and style synchronization – An inline-text pop-up ad can use synchronization messages to obtain its precise location and be positioned correctly. 33
EVALUATION Compatibility, security, and rendering overhead 34
Testbed Six popular ad networks: Banner ad – Yahoo! Network – Google AdSense – Microsoft Media Network – Federated Media Publishing Inline text ad – AdBrite – Clicksor 35
Compatibility. We compare the original page and the page with sandboxed ads. Correct functionality – Worked well, except that Google AdSense requires an offline cached copy of the publisher's page to perform contextual targeting. Minimum permissions – As shown on the next slide. Click and impression counts – Multiple renderings were performed to ensure the same ad was clicked with and without the sandbox. Using the sandbox did not impose any additional impressions or generate any additional clicks. 36
Security – testing attacks (1/2) Single trial: the ad script is replaced with a malicious script that attempts an attack. Execute arbitrary code in the context of the real page – Blocked by enforcing a no-script policy. Confidential information leak – Due to SOP restrictions, the sandboxed attack could not reach the information by DOM traversal. Content integrity violation – The content of the real page is protected unless the element was given a policy with full write access. 37
Security – testing attacks (2/2) Clickjacking – With a policy that disallows the element types the attack relies on, the sandboxed attack was unsuccessful. User interface spoofing – Defeated by denying images, Flash and the other element types the attack relies on, and further constraining the ad with policy. Arbitrary ad position – With a policy that denies overflow, violations due to out-of-bounds display positioning are blocked. Oversized ad – The size violation was blocked by configuring a policy that limits the maximum height and width and disallows overflow. 38
Minimum permission & Security 39
Rendering overhead 40
Conclusion. AdJail is a solution to the problem of confining third-party advertisements, preventing attacks on confidentiality and integrity. Policy settings give the publisher a flexible way to implement its security strategy. AdJail is compatible with existing web usage models, requiring no changes to ad networks or browsers. 41