Skip to main content
SpringerLink
Log in

A User-Oriented Approach and Tool for Security and Privacy Protection on the Web

  • Original Research
  • Published:
SN Computer Science Aims and scope Submit manuscript

Abstract

We introduce a novel approach to protecting the privacy of web users. We propose to monitor the behaviors of JavaScript code within a web origin based on the source of the code, i.e., code origin, to detect and prevent malicious actions that would compromise users’ privacy. Our code-origin policy enforcement approach not only advances the conventional same-origin policy standard but also goes beyond the “all-or-nothing” contemporary ad-blockers and tracker-blockers. In particular, our monitoring mechanism does not rely on browsers’ network request interception and blocking as in existing blockers. In contrast, we monitor the code that reads or sends user data sent out of the browser to enforce fine-grained and context-aware policies based on the origin of the code. We implement a proof-of-concept prototype and perform practical evaluations to demonstrate the effectiveness of our approach. Our experimental results evidence that the proposed method can detect and prevent data leakage channels not captured by the leading tools such as Ghostery and uBlock Origin. We show that our prototype is compatible with major browsers and popular real-world websites with promising runtime performance. Although implemented as a browser extension, our approach is browser-agnostic and can be integrated into the core of a browser as it is based on standard JavaScript.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Fig. 1
Fig. 2
Fig. 3
Fig. 4
Fig. 5
Fig. 6
Fig. 7
Fig. 8

Similar content being viewed by others

References

  1. Agarwal L, Shrivastava N, Jaiswal S, Panjwani S. Do not embarrass: re-examining user concerns for online tracking and advertising. In: Proceedings of the Ninth Symposium on Usable Privacy and Security (SOUPS 2013), vol. 8. ACM; 2013. pp. 1–16.

  2. Arshad S, Kharraz A, Robertso W. Identifying extension-based ad injection via fine-grained web content provenance. In: International Symposium on Research in Attacks, Intrusions, and Defenses. Springer; 2016. pp. 415–36.

  3. Arshad S, Kharraz A, Robertson W. Include me out: In-browser detection of malicious third-party content inclusions. In: International Conference on Financial Cryptography and Data Security. Springer; 2016. pp. 441–59.

  4. Bashir MA, Arshad S, Kirda E, Robertson W, Wilson C. How tracking companies circumvented ad blockers using Websockets. In: Proceedings of the Internet Measurement Conference 2018. ACM; 2018. pp. 471–77.

  5. Bashir MA, Arshad S, Robertson W, Wilson C. Tracing information flows between ad exchanges using retargeted ads. In: 25th USENIX Security Symposium (USENIX Security 16); 2016. pp. 481–96.

  6. Batt S. What is “do not track” and does it protect your privacy?; 2019. https://www.makeuseof.com/tag/not-track-actually-work/.

  7. Burt A. Privacy and cybersecurity are converging. Here’s Why that matters for people and for companies; 2019. https://hbr.org/2019/01/privacy-and-cybersecurity-are-converging-heres-why-that-matters-for-people-and-for-companies. Accessed on 13 Aug 2019.

  8. Caleb: Ranked: security and privacy for the most popular web browsers; 2019. https://www.expressvpn.com/blog/best-browsers-for-privacy/.

  9. Chanchary F, Chiasson S. User perceptions of sharing, advertising, and tracking. In: Proceedings of the Eleventh Symposium on Usable Privacy and Security (SOUPS 2015); 2015. pp. 53–67.

  10. Chromium Blog: Improving privacy and security on the web; 2019. https://blog.chromium.org/2019/05/improving-privacy-and-security-on-web.html.

  11. chromium.org. Zero-cost async stack traces; 2019. http://bit.ly/v8-zero-cost-async-stack-traces.

  12. Chudnov A, Naumann DA. Inlined information flow monitoring for JavaScript. In: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, ACM; 2015. pp. 629–43.

  13. Crockford D. ADsafe—making JavaScript safe for advertising; 2007. http://www.adsafe.org. Accessed on 11 Aug 2019.

  14. devlin@chromium.org. Manifest V3; 2018. https://docs.google.com/document/d/1nPu6Wy4LWR66EFLeYInl3NzzhHzc-qnk4w4PX-0XMw8/edit#heading=h.xgjl2srtytjt. Accessed on 14 Aug 2019.

  15. Dhawan M, Ganapathy V. Analyzing information flow in JavaScript-based browser extensions. In: 2009 Annual Computer Security Applications Conference. IEEE; 2009. pp. 382–91.

  16. Eckersley P. How unique is your web browser? In: International Symposium on Privacy Enhancing Technologies Symposium. Springer; 2010. pp. 1–18.

  17. Ecma International: ECMAScript 2015 Language Specification—ECMA-262 6th Edition; 2015. https://www.ecma-international.org/ecma-262/6.0/. Accessed on 14 Aug 2019.

  18. Englehardt S, Narayanan A. Online tracking: a 1-million-site measurement and analysis. In: Proceedings of the 2016 ACM SIGSAC conference on computer and communications security. ACM; 2016. pp. 1388–1401.

  19. Erlingsson U. The inlined reference monitor approach to security policy enforcement. Ph.D. thesis, Cornell University, USA; 2004. AAI3114521.

  20. Finifter M, Weinberger J, Barth A. Preventing capability leaks in secure JavaScript subsets. In: NDSS; 2010.

  21. Fredrikson M, Livshits B. Repriv: Re-imagining content personalization and in-browser privacy. In: 2011 IEEE Symposium on Security and Privacy. IEEE; 2011. pp. 131–46.

  22. Georgiev M, Jana S, Shmatikov V. Rethinking security of web-based system applications. In: Proceedings of the 24th International Conference on World Wide Web. International World Wide Web Conferences Steering Committee; 2015. pp. 366–376.

  23. Google Caja: Compiler for making third-party HTML, CSS, and JavaScript safe for embedding; 2017. https://developers.google.com/caja/. Accessed on 5 Aug 2019.

  24. Google Chrome: chrome.webRequest; 2019. https://developer.chrome.com/extensions/webRequest. Accessed on 14 Aug 2019.

  25. Guha A, Fredrikson M, Livshits B, Swamy N. Verified security for browser extensions. In: 2011 IEEE symposium on security and privacy. IEEE; 2011. pp. 115–30.

  26. Guha S, Cheng B, Francis, P. Privad: Practical privacy in online advertising. In: USENIX conference on Networked systems design and implementation; 2011. pp. 169–182.

  27. Hausknecht D, Magazinius J, Sabelfeld A. May I?-content security policy endorsement for browser extensions. In: International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment. Springer; 2015. pp. 261–81.

  28. Hedin D, Bello L, Sabelfeld A. Information-flow security for JavaScript and its APIs. J Comput Secur. 2016;24(2):181–234.

    Article  Google Scholar 

  29. Heule S, Rifkin D, Russo A, Stefan D. The most dangerous code in the browser. In: 15th Workshop on Hot Topics in Operating Systems (HotOS XV); 2015.

  30. Hiremath PN, Armentrout J, Vu S, Nguyen TN, Minh QT, Phung PH. MyWebGuard: toward a user-oriented tool for security and privacy protection on the web. In: International Conference on Future Data and Security Engineering. Springer; 2019. pp. 506–25.

  31. Iqbal U, Snyder P, Zhu S, Livshits B, Qian Z, Shafiq Z. AdGraph: a graph-based approach to Ad and tracker blocking. In: IEEE Symposium on Security and Privacy; 2020.

  32. Jakobi T, Stevens G, Seufert AM, Becker M, von Grafenstein M. Web tracking under the new data protection law: design potentials at the intersection of jurisprudence and HCI. i-com. 2020;19(1):31–45.

    Article  Google Scholar 

  33. Katz O, Livshits B. Toward an evidence-based design for reactive security policies and mechanisms; 2018. arXiv:1802.08915.

  34. Leith DJ. Web browser privacy: what do browsers say when they phone home? Tech. rep., School of Computer Science & Statistics, Trinity College Dublin; 2020.

  35. Leon PG, Ur B, Wang Y, Sleeper M, Balebako R, Shay R, Bauer L, Christodorescu M, Cranor LF. What matters to users?: factors that affect users’ willingness to share information with online advertisers. In: Proceedings of the Ninth Symposium on Usable Privacy and Security. ACM; 2013.

  36. Maffeis S, Taly A. Language-based isolation of untrusted Javascript. In: 2009 22nd IEEE Computer Security Foundations Symposium. IEEE; 2009. pp. 77–91.

  37. Magazinius J, Phung PH, Sands D. Safe wrappers and sane policies for self protecting JavaScript. In: Proceedings of the 15th Nordic Conference in Secure IT Systems (NordSec); 2010. pp. 239–55.

  38. Marczak B, Weaver N, Dalek J, Ensafi R, Fifield D, McKune S, Rey A, Scott-Railton J, Deibert R, Paxson V. An analysis of china’s “great cannon”. In: 5th USENIX Workshop on Free and Open Communications on the Internet (FOCI 15); 2015.

  39. Mathur A, Vitak J, Narayanan A, Chetty M. Characterizing the use of browser-based blocking extensions to prevent online tracking. In: Fourteenth symposium on usable privacy and security (SOUPS 2018); 2018. pp. 103–16.

  40. Mayer JR, Mitchell JC. Third-party web tracking: Policy and technology. In: 2012 IEEE Symposium on Security and Privacy. IEEE; 2012. pp. 413–27.

  41. McDonald AM, Cranor LF. Americans’ attitudes about internet behavioral advertising practices. In: Proceedings of the 9th annual ACM workshop on Privacy in the electronic society. ACM; 2010. pp. 63–72.

  42. Merzdovnik G, Huber M, Buhov D, Nikiforakis N, Neuner S, Schmiedecker M, Weippl E. Block me if you can: a large-scale study of tracker-blocking tools. In: 2017 IEEE European Symposium on Security and Privacy (EuroS&P). IEEE; 2017. pp. 319–33.

  43. Meyerovich LA, Livshits B. ConScript: Specifying and enforcing fine-grained security policies for Javascript in the browser. In: 2010 IEEE Symposium on Security and Privacy. IEEE; 2010. pp. 481–496.

  44. Microsoft Edge. Security and privacy group policies; 2018. https://docs.microsoft.com/en-us/microsoft-edge/deploy/group-policies/security-privacy-management-gp. Accessed on 14 Aug 2019.

  45. Miller MS, Samuel M, Laurie B, Awad I, Stay M. Safe active content in sanitized JavaScript. Google, Inc., Tech. Rep; 2008.

  46. Mozilla. webRequest. https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/webRequest. Accessed on 14 Aug 2019.

  47. Mozilla Developer Network. Same-origin policy; 2019. https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy. Accessed on 14 Aug 2019.

  48. Mozilla Developer Network. The WebSocket API (WebSockets); 2019. https://developer.mozilla.org/en-US/docs/Web/API/WebSockets_API

  49. Mozilla Developer Network. What are extensions?; 2019. https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/What_are_WebExtensions.

  50. Mozilla Security Blog. Privacy archives; 2019. https://blog.mozilla.org/security/category/privacy/. Accessed on 14 Aug 2019.

  51. Musch M, Steffens M, Roth S, Stock B, Johns M. ScriptProtect: mitigating unsafe third-party JavaScript practices. In: Proceedings of the 2019 ACM Asia Conference on Computer and Communications Security, Asia CCS ’19. New York: ACM; 2019. pp. 391–402.

  52. Nakhaei K, Ansari E, Ansari F. JSSignature: eliminating third-party-hosted javascript infection threats using digital signatures; 2018. arXiv:1812.03939.

  53. Nikiforakis N, Invernizzi L, Kapravelos A, Van Acker S, Joosen W, Kruegel C, Piessens F, Vigna G. You are what you include: large-scale evaluation of remote JavaScript inclusions. In: Proceedings of the 2012 ACM conference on Computer and Communications Security. ACM; 2012. pp. 736–47.

  54. Nikiforakis N, Joosen W, Livshits B. Privaricator: Deceiving fingerprinters with little white lies. In: Proceedings of the 24th International Conference on World Wide Web; 2015. pp. 820–30.

  55. Phung PH, Monshizadeh M, Sridhar M, Hamlen KW, Venkatakrishnan V. Between worlds: securing mixed JavaScript/ActionScript multi-party web content. IEEE Trans Dependable Secure Comput. 2015;12(4):443–57. https://doi.org/10.1109/TDSC.2014.2355847.

    Article  Google Scholar 

  56. Phung PH, Sands D, Chudnov A. Lightweight self-protecting JavaScript. In: Proceedings of the 4th International Symposium on Information, Computer, and Communications Security (AsiaCCS); 2009. pp. 47–60.

  57. Politz JG, Eliopoulos SA, Guha A, Krishnamurthi S. ADsafety: type-based verification of JavaScript sandboxing. In: Proceedings of the 20th USENIX Conference on Security, SEC’11. USENIX Association; 2011.

  58. Pupo ALS, Nicolay J, Boix EG. GUARDIA: specification and enforcement of javascript security policies without VM modifications. In: The 15th International Conference on Managed Languages & Runtimes, vol. 17. ACM; 2018. pp. 1–10.

  59. Reis C, Dunagan J, Wang HJ, Dubrovsky O, Esmeir S. BrowserShield: vulnerability-driven filtering of dynamic HTML. ACM Trans Web. 2007;1(3):11.

    Article  Google Scholar 

  60. Reisman D, Englehardt S, Eubank C, Zimmerman P, Narayanan A. Cookies that give you away: evaluating the surveillance implications of web tracking; 2014 (draft: April 2, 2014).

  61. Roesner F, Kohno T, Wetherall D. Detecting and defending against third-party tracking on the web. In: Proceedings of the 9th USENIX conference on Networked Systems Design and Implementation. USENIX Association; 2012.

  62. Schwenk J, Niemietz M, Mainka C. Same-origin policy: Evaluation in modern browsers. In: 26th USENIX Security Symposium (USENIX Security 17). Vancouver, BC: USENIX Association; 2017. pp. 713–27.

  63. Siddiqui A. Google’s Manifest V3 will change how ad blocking Chrome extensions work: Is it to cripple them, or is it for security?; 2019. https://www.xda-developers.com/google-chrome-manifest-v3-ad-blocker-extension-api/.

  64. Sjösten A, Van Acker S, Sabelfeld A. Discovering browser extensions via web accessible resources. In: Proceedings of the Seventh ACM on Conference on Data and Application Security and Privacy. ACM; 2017. pp. 329–36.

  65. Swamy N, Livshits B, Guha A, Fredrikson MJ. Programming, verifying, visualizing, and deploying browser extensions with fine-grained security policies; 2015. US Patent 8,978,106.

  66. Ter Louw M, Lim JS, Venkatakrishnan VN. Enhancing web browser security against malware extensions. J Comput Virol. 2008;4(3):179–95.

    Article  Google Scholar 

  67. Ur B, Leon PG, Cranor LF, Shay R, Wang Y. Smart, useful, scary, creepy: perceptions of online behavioral advertising. In: Proceedings of the Eighth Symposium On Usable Privacy and Security (SOUPS 2012). ACM; 2012.

  68. Vastel A, Snyder P, Livshits B. Who filters the filters: Understanding the growth, usefulness and efficiency of crowdsourced ad blocking; 2018. arXiv:1810.09160.

  69. W3C. Content security policy; 2018. https://www.w3.org/TR/CSP/.

  70. W3C: Tracking Preference Expression (DNT); 2019. https://www.w3.org/TR/tracking-dnt/

  71. W3Techs.com. Usage statistics of JavaScript as client-side programming language on websites; 2019. https://w3techs.com/technologies/details/cp-javascript/all/all.

  72. Weissbacher M, Lauinger T, Robertson W. Why is CSP failing? Trends and challenges in CSP adoption. In: International Workshop on recent advances in intrusion detection. Springer; 2014.

  73. Wills CE, Uzunoglu DC. What ad blockers are (and are not) doing. In: 2016 Fourth IEEE Workshop on Hot Topics in Web Systems and Technologies (HotWeb). IEEE; 2016. pp. 72–77.

  74. Xing X, Meng W, Lee B, Weinsberg U, Sheth A, Perdisci R, Lee W. Understanding malvertising through ad-injecting browser extensions. In: Proceedings of the 24th International Conference on World Wide Web, 2015; pp. 1286–95 (International World Wide Web Conferences Steering Committee).

Download references

Acknowledgements

We acknowledge Son Vu and Tu N. Nguyen for their contributions in the preliminary version of this work published in the 2019 International Conference on Future Data and Security Engineering (FDSE 2019). We want to thank the anonymous reviewers of FDSE 2019 and this special issue of Springer Nature of Computer Science for their helpful comments and suggestions.

Funding

There was no funding for this study.

Author information

Authors and Affiliations

  1. Intelligent Systems Security Lab, Department of Computer Science, University of Dayton, Dayton, OH, USA

    Phu H. Phung, Jack Armentrout & Panchakshari N. Hiremath

  2. University of Information Technology, Vietnam National University, Ho Chi Minh City, Vietnam

    Huu-Danh Pham

  3. Department of Information Systems, Faculty of Computer Science and Engineering, University of Technology, 268 Ly Thuong Kiet, District 10, Ho Chi Minh City, Vietnam

    Quang Tran-Minh

  4. Vietnam National University, Linh Trung Ward, Thu Duc District, Ho Chi Minh City, Vietnam

    Quang Tran-Minh

Authors
  1. Phu H. Phung
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Huu-Danh Pham
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Jack Armentrout
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Panchakshari N. Hiremath
    View author publications

    You can also search for this author in PubMed Google Scholar

  5. Quang Tran-Minh
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Phu H. Phung.

Ethics declarations

Conflict of interest

Phu H. Phung has received a research grant from Novobi, LLC. The other authors declare that they have no conflict of interest.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

This article is part of the topical collection “Future Data and Security Engineering 2019” guest-edited by Tran Khanh Dang.

Rights and permissions

Reprints and permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

Phung, P.H., Pham, HD., Armentrout, J. et al. A User-Oriented Approach and Tool for Security and Privacy Protection on the Web. SN COMPUT. SCI. 1, 222 (2020). https://doi.org/10.1007/s42979-020-00237-5

Download citation

  • Received:

  • Accepted:

  • Published:

  • DOI: https://doi.org/10.1007/s42979-020-00237-5

Keywords

Search

Navigation