AdJail: Practical Enforcement of Confidentiality and Integrity Policies on Web Advertisements Mike Ter Louw, Karthik Thotta Ganesh, V.N. Venkatakrishnan.

Presentation transcript:

AdJail: Practical Enforcement of Confidentiality and Integrity Policies on Web Advertisements
Mike Ter Louw, Karthik Thotta Ganesh, V.N. Venkatakrishnan
Department of Computer Science, University of Illinois at Chicago
19th USENIX Security Symposium, Washington, DC. August
Yi-Ning Chen

Outline
Introduction
Threat model and related work
Architecture
Implementation
Evaluation
Conclusion

INTRODUCTION

Term introduction
An ad publisher is a web application that includes dynamically sourced content from an ad network in its output.
Ad content is dynamically fetched from ad networks (e.g., Google AdSense), leaving little opportunity for publishers to inspect and approve ads before the ads are rendered.
The ad script is the ad network's JavaScript and an advertiser's JavaScript.

The problem ad publishers face (1/2)
1. On Sep , visitors to the New York Times home page were greeted by an unauthorized, virus-scan-like advertisement.
2. Members of the social web site Facebook were presented with advertisements deceptively portraying private images of their family and friends.

The problem ad publishers face (2/2)
For publishers, online advertising is an economic necessity, but it also causes security problems.
A passive approach is for ad networks to screen ads for potential attacks.
– But this approach leaves the publisher vulnerable to any gaps in the ad network's screening strategy.
In this paper, we confront the problem of rogue ads with an active approach, from a publisher-centric perspective.

Contributions of this paper
Confidentiality and integrity policy specification and enforcement
Compatibility with ad network targeting algorithms
Compatibility with ad network billing operations
Consistency in user experience
Satisfaction of practical deployment requirements

THREAT MODEL AND RELATED WORK

Threat model: Ads in a webmail application
(1) banner
(2) skyscraper ads
(3) inline text ad
(4) floating ad

Some ads require partial page content
Both require access to the message text.

Some ads require special deployment
A floating ad requires access to the real estate of the page to place the ad over the message text.

In-scope threats
Targeted by recent efforts in the Web standards community for content restrictions (e.g., Content Security Policy).
These policies are specified by a website to restrict the capabilities of third-party scripts.
– e.g., with reference to access and modification of first-party content, and control over the screen.

Out-of-scope threats (1/2)
Browser security bugs
– e.g., drive-by downloads
Opaque content
– e.g., Flash
Frame busting & navigation attacks
    // Frame busting: if this page is framed, point the top-level window at it.
    if (top.location != location) {
        top.location.href = document.location.href;
    }

Out-of-scope threats (2/2)
Behavior tracking attacks
Attacks through side channels
– e.g., the "visited links" feature of the browser

Related work (1/4)
Privacy and behavioral targeting
– Rely on specialized, in-browser systems that support contextual placement of ads while preventing behavioral profiling of users.
– ADJAIL: deployed on the server side to protect both publisher-owned and user-owned content.

Related work (2/4)
Restricting content languages
– Focus on limiting the JavaScript language features that untrusted scripts are allowed to use.
– FBJS: imposes the burden of new languages.
– ADsafe: places restrictions on JavaScript language features.
– These kinds of approaches may require re-development of ad script code.
– ADJAIL: the only effort required is to specify policies.

Related work (3/4)
Code transformation approaches
– Transform untrusted JavaScript code to interpose runtime policy enforcement checks.
– The recommended method for a publisher to transform JavaScript dynamically involves using a proxy.
– However, this approach may appear suspicious to the click-fraud detection mechanisms employed by the ad network.

Related work (4/4)
Publisher-browser collaboration
– The publisher instructs the browser to enforce the publisher's policies on third-party content, leaving the enforcement entirely to the browser.
– Content Security Policies: provided by Mozilla.
– Main positive: this approach can enforce fine-grained policies with minimal overhead.
– Primary drawback: today's browsers do not agree on a standard for publisher-browser collaboration.

ARCHITECTURE
Using a webmail application as the example

Ad confinement using shadow pages
1. Remove the ad script from the publisher's webmail page (real page).
2. Embed a hidden iframe element in the page with a different origin URI, thus invoking the browser's SOP to isolate it from the real page.
3. Add the ad script to the page contained in the hidden iframe (shadow page).
SOP (Same Origin Policy) definition:
1. "Only the pages with same origin that stores some information in the browser may read or modify that information."
2. Two pages have the same origin (domain) if the protocol, port, and host are the same.

Controlled user interaction with ads (1/2)
Ad mirroring & event forwarding
1. We add Tunnel Script A to monitor the page changes made by the ad script.
2. It conveys those changes to the real page via inter-origin message conduits.
3. Once we capture user-generated events (e.g., onmousemove) on the mirrored ad content, we forward these events to the shadow page for processing.

Controlled user interaction with ads (2/2)
Ad policies
Can be defined on each HTML element.

IMPLEMENTATION
Policies, real and shadow page, and synchronization

Policies specification
A publisher can annotate any HTML element of the real page with a policy attribute:
– policy = "permission: value;"

Policies composition
Multiple policy statements may assign different values to a single permission. This can occur within a single policy attribute or through inheritance.
The effective value for a permission is the most restrictive value across all composed policy statements.
Inherited policy statements are taken into consideration.
Permissions left unspecified are set to their default values.
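The composition rule above, worked through in JavaScript as an added example (not code from the slides or from AdJail itself). It assumes `none` is both the most restrictive value and the default for `read-access` and `write-access`; the function names and the sample chain are constructed here.

```javascript
// Restrictiveness order per permission, most restrictive first.
// "subtree" and "append" appear on the slides; "none" as the most
// restrictive value and as the default is an assumption of this example.
const ORDER = {
  'read-access': ['none', 'subtree'],
  'write-access': ['none', 'append', 'subtree'],
};

// Parse a policy attribute of the form "permission: value; permission: value;"
// into [permission, rank] pairs, where rank 0 is the most restrictive value.
function parsePolicy(attr) {
  const statements = [];
  for (const part of String(attr || '').split(';')) {
    const idx = part.indexOf(':');
    if (idx < 0) continue;                        // empty or malformed fragment
    const permission = part.slice(0, idx).trim().toLowerCase();
    const value = part.slice(idx + 1).trim().toLowerCase();
    if (!ORDER[permission]) continue;             // unknown permission grants nothing
    // An unknown value for a known permission fails closed (rank 0).
    statements.push([permission, Math.max(ORDER[permission].indexOf(value), 0)]);
  }
  return statements;
}

// Compose the policy attributes of an element and its ancestors.
// `chain` lists attribute strings from the outermost ancestor to the element.
function effectivePolicy(chain) {
  const seen = {};
  for (const attr of chain) {
    for (const [permission, rank] of parsePolicy(attr)) {
      // Keep the most restrictive (lowest-ranked) value seen so far.
      if (!(permission in seen) || rank < seen[permission]) seen[permission] = rank;
    }
  }
  const result = {};
  for (const permission of Object.keys(ORDER)) {
    // Unspecified permissions fall back to the default (rank 0, "none").
    result[permission] = ORDER[permission][seen[permission] || 0];
  }
  return result;
}

// Constructed sample: page body policy, then the ad slot nested inside it.
const SAMPLE_CHAIN = [
  'read-access: subtree; write-access: subtree;',
  'write-access: append;',
];
```

The ad slot inherits `read-access: subtree` from its ancestor, while its own `write-access: append` wins over the ancestor's broader `subtree`.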

Construction of the real page
1. Remove the ad script, but retain an element to contain the content sent from the shadow page.
2. Add the tunnel script.
3. Annotate HTML elements with policies.
4. Scan the real page to find all elements with policies granting the following permissions: read-access: subtree;, write-access: append;, and write-access: subtree;
5. Convert the elements found by the scan into models (in preparation for sending them to the shadow page).

HTML to JavaScript data structure (JSON)
Used to keep elements synchronized between the real and shadow pages.

Construction of the shadow page
1. It begins as a template web page containing only the tunnel script.
2. After the tunnel script receives the content model from the real page's tunnel, it converts the content model into HTML constructs.
3. The shadow page now contains all the non-sensitive content and constructs of the real page, allowing the ad script to execute.
4. Next, we install wrappers around several DOM API methods to interpose between the ad script and the DOM. The wrappers are used to monitor page updates and provide billing evidence.

DOM interposition
To prevent ad impressions on the shadow page, we interpose on the common interfaces ad scripts use to create content.
– E.g., interpose on the src property of the HTMLImageElement object.
Substitute with a placeholder value.

Content mirroring
1. Monitoring the shadow page for modifications
2. Modeling the detected modifications
3. Sending models to the real page
4. Enforcing policies on the models
5. Modifying the real page to reflect the modeled changes
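Step 4 above, enforcing policy on a model before the real page is modified, sketched as an added JavaScript example (not AdJail's own code). The change-message shape, the tag and attribute allowlists, and the reading of `append` (add children only) versus `subtree` (also replace existing content) are assumptions of this example.

```javascript
// Hypothetical model shape (not from the slides):
//   change = { op: 'append' | 'replace', target: 'element-id', node }
//   node   = { tag, attrs: {name: value}, children: [node] } or { text }
const TAGS = new Set(['a', 'div', 'span', 'p', 'b', 'i', 'br']);   // example allowlist
const ATTRS = new Set(['href', 'class', 'title']);                 // example allowlist
const OPS = new Map([
  ['none', []],
  ['append', ['append']],
  ['subtree', ['append', 'replace']],
]);

// Return a script-free deep copy of a content model, or null if the node
// must be dropped. Models are plain data, so nothing executes here; the
// real page is expected to insert text via textContent, never innerHTML.
function sanitize(node) {
  if (!node || typeof node !== 'object') return null;
  if (typeof node.text === 'string') return { text: node.text };
  const tag = String(node.tag).toLowerCase();
  if (!TAGS.has(tag)) return null;                // script, iframe, object are dropped
  const attrs = {};
  for (const [name, value] of Object.entries(node.attrs || {})) {
    const n = name.toLowerCase();
    if (!ATTRS.has(n)) continue;                  // drops onclick, style, src
    // Only absolute http(s) links survive; javascript: and data: do not.
    if (n === 'href' && !/^https?:\/\//i.test(String(value))) continue;
    attrs[n] = String(value);
  }
  const children = (node.children || []).map(sanitize).filter((c) => c !== null);
  return { tag, attrs, children };
}

// Decide whether a mirrored change may be applied to an element whose
// effective write-access is `writeAccess`. Returns the sanitized change,
// or null when the policy denies the operation.
function enforce(change, writeAccess) {
  if (!(OPS.get(writeAccess) || []).includes(change.op)) return null;
  const node = sanitize(change.node);
  return node && { op: change.op, target: change.target, node };
}

// Constructed sample: a change reported by the shadow page's tunnel script.
const SAMPLE_CHANGE = {
  op: 'append',
  target: 'ad-slot',
  node: { tag: 'div', attrs: { class: 'ad', onclick: 'track()' }, children: [
    { tag: 'a', attrs: { href: 'javascript:void(0)', title: 'Offer' },
      children: [{ text: 'Offer' }] },
    { tag: 'script', attrs: {}, children: [{ text: 'run()' }] },
  ] },
};
```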

Synchronization message

Event forwarding
Using the DOM interposition framework, we interpose on script operations on event handlers.
Ad click
– Links are clicked on the real page, subject to enforcement of the link-target permission, instead of directly invoking click event handlers.
Position and style synchronization
– An inline text pop-up ad can use synchronization messages to get its precise location and be positioned correctly.

EVALUATION
Compatibility, security, and rendering overhead

Testbed
Six popular ad networks:
Banner ad
– Yahoo! Network
– Google AdSense
– Microsoft Media Network
– Federated Media Publishing
Inline text ad
– AdBrite
– Clicksor

Compatibility
We compare the original page and the page with sandboxed ads.
Correct functionality
– Worked well, but Google AdSense requires an offline cached copy of the publisher's page to perform contextual targeting.
Minimum permissions
– As shown in the next slide.
Click and impression counts
– We perform multiple renderings to ensure we click the same ad with and without the sandbox.
– Using this sandbox environment did not impose any additional impressions or generate any additional clicks.

Security – testing attacks (1/2)
Single trial: replacing ad scripts with a malicious script intended to launch an attack.
Execute arbitrary code in the context of the real page
– Can be blocked by enforcing a no-script policy.
Confidential information leak
– Due to SOP restrictions, the sandboxed attack could not access the information by DOM traversal.
Content integrity violation
– The content of the real page is protected unless it was given a policy with full write access.

Security – testing attacks (2/2)
Clickjacking
– With a policy that disallows iframe elements, the sandboxed attack was unsuccessful.
User interface spoofing
– This attack was defeated by denying images, iframes and Flash, and further constraining the ad with policy.
Arbitrary ad position
– With a policy that denies overflow, violations due to out-of-bounds display positioning are blocked.
Oversized ad
– The size violation was blocked by configuring a policy to limit the maximum height and width, and disallowing overflow.

Minimum permission & Security

Rendering overhead

Conclusion
ADJAIL is a solution to the problem of confining third-party advertisements to prevent attacks on confidentiality and integrity.
Policy setting provides a flexible approach for a publisher to implement its security strategy.
ADJAIL is compatible with existing web usage models, requiring no changes to ad networks or browsers.