Abstract
Extensions provide useful additional functionality for web browsers, but are also an increasingly popular vector for attacks. Due to the high degree of privilege extensions can hold, extensions have been abused to inject advertisements into web pages that divert revenue from content publishers and potentially expose users to malware. Users are often unaware of such practices, believing the modifications to the page originate from publishers. Additionally, automated identification of unwanted third-party modifications is fundamentally difficult, as users are the ultimate arbiters of whether content is undesired in the absence of outright malice.
To resolve this dilemma, we present a fine-grained approach to tracking the provenance of web content at the level of individual DOM elements. In conjunction with visual indicators, provenance information can be used to reliably determine the source of content modifications, distinguishing publisher content from content that originates from third parties such as extensions. We describe a prototype implementation of the approach called OriginTracer for Chromium, and evaluate its effectiveness, usability, and performance overhead through a user study and automated experiments. The results demonstrate a statistically significant improvement in the ability of users to identify unwanted third-party content such as injected ads with modest performance overhead.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
SLOC were measured using David Wheeler’s SLOCCount [5].
References
The ad injection economy. http://googleonlinesecurity.blogspot.com/2015/05/new-research-ad-injection-economy.html
Adblock Plus. https://adblockplus.org/
ADsafe. http://www.adsafe.org/
Ghostery. https://www.ghostery.com/en/
SLOCCount. http://www.dwheeler.com/sloccount/
Arshad, S., Kharraz, A., Robertson, W.: Include me out: in-browser detection of malicious third-party content inclusions. In: Financial Cryptography and Data Security (FC) (2016)
Barth, A., Jackson, C., Reis, C.: The security architecture of the chromium browser. Technical report (2008). The Google Chrome Team
Bauer, L., Cai, S., Jia, L., Passaro, T., Stroucken, M., Tian, Y.: Run-time monitoring and formal analysis of information flows in Chromium. In: Network and Distributed System Security Symposium (NDSS) (2015)
Chong, S., Vikram, K. and Myers, A.C.: SIF: enforcing confidentiality and integrity in web applications. In: USENIX Security Symposium (2007)
Coldewey, D.: Marriott puts an end to shady ad injection service (2012). http://techcrunch.com/2012/04/09/marriott-puts-an-end-to-shady-ad-injection-service/
Cova, M., Kruegel, C., Vigna, G.: Detection and analysis of drive-by-download attacks and malicious JavaScript code. In: International World Wide Web Conference (WWW) (2010)
Dewald, A., Holz, T., Freiling, F.C.: ADSandbox: sandboxing JavaScript to fight malicious websites. In: Symposium on Applied Computing (SAC) (2010)
Rachna Dhamija, J.D., Tygar, M.H.: Why phishing works. In: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems (CHI) (2006)
Dhawan, M., Ganapathy, V.: Analyzing information flow in JavaScript-based browser extensions. In: Annual Computer Security Applications Conference (ACSAC) (2009)
Dong, X., Tran, M., Liang, Z., Jiang, X.: AdSentry: comprehensive and flexible confinement of JavaScript-based advertisements. In: Annual Computer Security Applications Conference (ACSAC) (2011)
Efstathopoulos, P., Krohn, M., VanDeBogart, S., Frey, C., Ziegler, D., Kohler, E., Mazieres, D., Kaashoek, F., Morris, R.: Labels and event processes in the Asbestos operating system. In: ACM Symposium on Operating Systems Principles (SOSP) (2005)
Egele, M., Kruegel, C., Kirda, E., Yin, H., Song, D.: Dynamic spyware analysis. In: USENIX Annual Technical Conference (ATC) (2007)
Felt, A.P., Greenwood, K., Wagner, D.: The effectiveness of application permissions. In: USENIX Conference on Web Application Development (WebApps) (2011)
Gehani, A., Tariq, D.: SPADE: support for provenance auditing in distributed environments. In: Narasimhan, P., Triantafillou, P. (eds.) Middleware 2012. LNCS, vol. 7662, pp. 101–120. Springer, Heidelberg (2012)
Giffin, D.B., Levy, A., Stefan, D., Terei, D., Mazieres, D., Mitchell, J.C., Russo, A.: Hails: protecting data privacy in untrusted web applications. In: USENIX Symposium on Operating Systems Design and Implementation (OSDI) (2012)
Guha, A., Fredrikson, M., Livshits, B., Swamy, N.: Verified security for browser extensions. In: IEEE Symposium on Security and Privacy (Oakland) (2011)
Harth, A., Polleres, A., Decker, S.: Towards a social provenance model for the web. In: Workshop on Principles of Provenance (PrOPr) (2007)
Hartig, O.: Provenance information in the web of data. In: Workshop on Linked Data on the Web (LDOW) (2009)
Hasan, R., Sion, R., Winslett, M.: SPROV 2.0: a highly configurable platform-independent library for secure provenance. In: ACM Conference on Computer and Communications Security (CCS) (2009)
Hicks, B., Rueda, S., King, D., Moyer, T., Schiffman, J., Sreenivasan, Y., McDaniel, P., Jaeger, T.: An architecture for enforcing end-to-end access control over web applications. In: ACM Symposium on Access Control Models and Technologies (SACMAT) (2010)
Jagpal, N., Dingle, E., Gravel, J.P., Mavrommatis, P., Provos, N., Rajab, M.A., Thomas, K.: Trends and lessons from three years fighting malicious extensions. In: USENIX Security Symposium (2015)
Jayaraman, K., Du, W., Rajagopalan, B., Chapin, S.J.: ESCUDO: a fine-grained protection model for web browsers. In: 30th IEEE International Conference on Distributed Computing Systems (ICDCS) (2010)
Kapravelos, A., Grier, C., Chachra, N., Kruegel, C., Vigna, G., Paxson, V.: Hulk: eliciting malicious behavior in browser extensions. In: USENIX Security Symposium (2014)
Krohn, M., Yip, A., Brodsky, M., Natan Cliffer, M., Kaashoek, F., Kohler, E., Morris, R.: Information flow control for standard os abstractions. In: Symposium on Operating Systems Principles (SOSP) (2007)
Kumparak, G.: Real evil: ISP inserted advertising. http://techcrunch.com/2007/06/23/real-evil-isp-inserted-advertising/ (2007)
Li, Z., Zhang, K., Xie, Y,. Yu, F., Wang, X.: Knowing your enemy: understanding and detecting malicious web advertising. In: ACM Conference on Computer and Communications Security (CCS) (2012)
Li, Z., Wang, X.-F., Choi, J.Y.: SpyShield: preserving privacy from spy add-ons. In: Kruegel, C., Lippmann, R., Clark, A. (eds.) RAID 2007. LNCS, vol. 4637, pp. 296–316. Springer, Heidelberg (2007)
Liu, L., Zhang, X., Yan, G., Chen, S.: Chrome extensions: threat analysis and countermeasures. In: Network and Distributed System Security Symposium (NDSS) (2012)
Ter Louw, M., Ganesh, K.T., Venkatakrishnan, V.N.: AdJail: practical enforcement of confidentiality and integrity policies on web advertisements. In: USENIX Security Symposium (2010)
Ter Louw, M., Lim, J.S., Venkatakrishnan, V.N.: Enhancing web browser security against malware extensions. J. Comput. Virol. 4(3), 179–195 (2008)
Lu, L., Yegneswaran, V., Porras, P., Lee, W.: BLADE: An attack-agnostic approach for preventing drive-by malware infections. In: ACM Conference on Computer and Communications Security (CCS) (2010)
Marvin, G.: Google study exposes “tangled web” of companies profiting from ad injection (2015). http://marketingland.com/ad-injector-study-google-127738
Mekky, H., Torres, R., Zhang, Z.L., Saha, S., Nucci, A.: Detecting malicious HTTP redirections using trees of user browsing activity. In: Annual IEEE International Conference on Computer Communications (INFOCOM) (2014)
Moreau, L.: The foundations for provenance on the web. Found. Trends Web Sci. 2(2–3), 99–241 (2010)
Myers, A.C.: JFlow: practical mostly-static information flow control. In: Symposium on Principles of Programming Languages (POPL) (1999)
Nadji, Y., Saxena, P., Song, D.: Document structure integrity: a robust basis for cross-site scripting defense. In: Network and Distributed System Security Symposium (NDSS) (2009)
Pohly, D.J., McLaughlin, S., Butler, K.: Hi-Fi: collecting high-fidelity whole-system provenance. In: Annual Computer Security Applications Conference (ACSAC) (2012)
Reis, C., Gribble, S.D., Kohno, T., Weaver, N.C.: Detecting in-flight page changes with web Tripwires. In: USENIX Symposium on Networked Systems Design and Implementation (NSDI) (2008)
Selenium Contributors. Selenium: Web browser automation. http://www.seleniumhq.org/
Stringhini, G., Kruegel, C., Vigna, G.: Shady paths: leveraging surfing crowds to detect malicious web pages. In: ACM Conference on Computer and Communications Security (CCS) (2013)
Thomas, K., Bursztein, E., Grier, C., Ho, G., Jagpal, N., Kapravelos, A., McCoy, D., Nappa, A., Paxson, V., Pearce, P., Provos, N., Rajab, M.A.: Ad injection at scale: assessing deceptive advertisement modifications. In: IEEE Symposium on Security and Privacy. IEEE, Oakland (2015)
Tran, M., Dong, X., Liang, Z., Jiang, X.: Tracking the trackers: fast and scalable dynamic analysis of web content for privacy violations. In: Bao, F., Samarati, P., Zhou, J. (eds.) ACNS 2012. LNCS, vol. 7341, pp. 418–435. Springer, Heidelberg (2012)
Xing, X., Meng, W., Weinsberg, U., Sheth, A., Lee, B., Perdisci, R., Lee, W.: Unraveling the relationship between ad-injecting browser extensions and malvertising. In: International World Wide Web Conference (WWW) (2015)
Zeldovich, N., Boyd-Wickizer, S., Mazieres, D.: Security distributed systems with information flow control. In: USENIX Symposium on Networked Systems Design and Implementation (NSDI) (2008)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2016 Springer International Publishing Switzerland
About this paper
Cite this paper
Arshad, S., Kharraz, A., Robertson, W. (2016). Identifying Extension-Based Ad Injection via Fine-Grained Web Content Provenance. In: Monrose, F., Dacier, M., Blanc, G., Garcia-Alfaro, J. (eds) Research in Attacks, Intrusions, and Defenses. RAID 2016. Lecture Notes in Computer Science(), vol 9854. Springer, Cham. https://doi.org/10.1007/978-3-319-45719-2_19
Download citation
DOI: https://doi.org/10.1007/978-3-319-45719-2_19
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-45718-5
Online ISBN: 978-3-319-45719-2
eBook Packages: Computer ScienceComputer Science (R0)