Identifying Extension-Based Ad Injection via Fine-Grained Web Content Provenance

  • Sajjad ArshadEmail author
  • Amin Kharraz
  • William Robertson
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9854)


Extensions provide useful additional functionality for web browsers, but are also an increasingly popular vector for attacks. Due to the high degree of privilege extensions can hold, extensions have been abused to inject advertisements into web pages that divert revenue from content publishers and potentially expose users to malware. Users are often unaware of such practices, believing the modifications to the page originate from publishers. Additionally, automated identification of unwanted third-party modifications is fundamentally difficult, as users are the ultimate arbiters of whether content is undesired in the absence of outright malice.

To resolve this dilemma, we present a fine-grained approach to tracking the provenance of web content at the level of individual DOM elements. In conjunction with visual indicators, provenance information can be used to reliably determine the source of content modifications, distinguishing publisher content from content that originates from third parties such as extensions. We describe a prototype implementation of the approach called OriginTracer for Chromium, and evaluate its effectiveness, usability, and performance overhead through a user study and automated experiments. The results demonstrate a statistically significant improvement in the ability of users to identify unwanted third-party content such as injected ads with modest performance overhead.


Web security Ad injection Browser extension 


  1. 1.
  2. 2.
  3. 3.
  4. 4.
  5. 5.
  6. 6.
    Arshad, S., Kharraz, A., Robertson, W.: Include me out: in-browser detection of malicious third-party content inclusions. In: Financial Cryptography and Data Security (FC) (2016)Google Scholar
  7. 7.
    Barth, A., Jackson, C., Reis, C.: The security architecture of the chromium browser. Technical report (2008). The Google Chrome TeamGoogle Scholar
  8. 8.
    Bauer, L., Cai, S., Jia, L., Passaro, T., Stroucken, M., Tian, Y.: Run-time monitoring and formal analysis of information flows in Chromium. In: Network and Distributed System Security Symposium (NDSS) (2015)Google Scholar
  9. 9.
    Chong, S., Vikram, K. and Myers, A.C.: SIF: enforcing confidentiality and integrity in web applications. In: USENIX Security Symposium (2007)Google Scholar
  10. 10.
    Coldewey, D.: Marriott puts an end to shady ad injection service (2012).
  11. 11.
    Cova, M., Kruegel, C., Vigna, G.: Detection and analysis of drive-by-download attacks and malicious JavaScript code. In: International World Wide Web Conference (WWW) (2010)Google Scholar
  12. 12.
    Dewald, A., Holz, T., Freiling, F.C.: ADSandbox: sandboxing JavaScript to fight malicious websites. In: Symposium on Applied Computing (SAC) (2010)Google Scholar
  13. 13.
    Rachna Dhamija, J.D., Tygar, M.H.: Why phishing works. In: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems (CHI) (2006)Google Scholar
  14. 14.
    Dhawan, M., Ganapathy, V.: Analyzing information flow in JavaScript-based browser extensions. In: Annual Computer Security Applications Conference (ACSAC) (2009)Google Scholar
  15. 15.
    Dong, X., Tran, M., Liang, Z., Jiang, X.: AdSentry: comprehensive and flexible confinement of JavaScript-based advertisements. In: Annual Computer Security Applications Conference (ACSAC) (2011)Google Scholar
  16. 16.
    Efstathopoulos, P., Krohn, M., VanDeBogart, S., Frey, C., Ziegler, D., Kohler, E., Mazieres, D., Kaashoek, F., Morris, R.: Labels and event processes in the Asbestos operating system. In: ACM Symposium on Operating Systems Principles (SOSP) (2005)Google Scholar
  17. 17.
    Egele, M., Kruegel, C., Kirda, E., Yin, H., Song, D.: Dynamic spyware analysis. In: USENIX Annual Technical Conference (ATC) (2007)Google Scholar
  18. 18.
    Felt, A.P., Greenwood, K., Wagner, D.: The effectiveness of application permissions. In: USENIX Conference on Web Application Development (WebApps) (2011)Google Scholar
  19. 19.
    Gehani, A., Tariq, D.: SPADE: support for provenance auditing in distributed environments. In: Narasimhan, P., Triantafillou, P. (eds.) Middleware 2012. LNCS, vol. 7662, pp. 101–120. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  20. 20.
    Giffin, D.B., Levy, A., Stefan, D., Terei, D., Mazieres, D., Mitchell, J.C., Russo, A.: Hails: protecting data privacy in untrusted web applications. In: USENIX Symposium on Operating Systems Design and Implementation (OSDI) (2012)Google Scholar
  21. 21.
    Guha, A., Fredrikson, M., Livshits, B., Swamy, N.: Verified security for browser extensions. In: IEEE Symposium on Security and Privacy (Oakland) (2011)Google Scholar
  22. 22.
    Harth, A., Polleres, A., Decker, S.: Towards a social provenance model for the web. In: Workshop on Principles of Provenance (PrOPr) (2007)Google Scholar
  23. 23.
    Hartig, O.: Provenance information in the web of data. In: Workshop on Linked Data on the Web (LDOW) (2009)Google Scholar
  24. 24.
    Hasan, R., Sion, R., Winslett, M.: SPROV 2.0: a highly configurable platform-independent library for secure provenance. In: ACM Conference on Computer and Communications Security (CCS) (2009)Google Scholar
  25. 25.
    Hicks, B., Rueda, S., King, D., Moyer, T., Schiffman, J., Sreenivasan, Y., McDaniel, P., Jaeger, T.: An architecture for enforcing end-to-end access control over web applications. In: ACM Symposium on Access Control Models and Technologies (SACMAT) (2010)Google Scholar
  26. 26.
    Jagpal, N., Dingle, E., Gravel, J.P., Mavrommatis, P., Provos, N., Rajab, M.A., Thomas, K.: Trends and lessons from three years fighting malicious extensions. In: USENIX Security Symposium (2015)Google Scholar
  27. 27.
    Jayaraman, K., Du, W., Rajagopalan, B., Chapin, S.J.: ESCUDO: a fine-grained protection model for web browsers. In: 30th IEEE International Conference on Distributed Computing Systems (ICDCS) (2010)Google Scholar
  28. 28.
    Kapravelos, A., Grier, C., Chachra, N., Kruegel, C., Vigna, G., Paxson, V.: Hulk: eliciting malicious behavior in browser extensions. In: USENIX Security Symposium (2014)Google Scholar
  29. 29.
    Krohn, M., Yip, A., Brodsky, M., Natan Cliffer, M., Kaashoek, F., Kohler, E., Morris, R.: Information flow control for standard os abstractions. In: Symposium on Operating Systems Principles (SOSP) (2007)Google Scholar
  30. 30.
    Kumparak, G.: Real evil: ISP inserted advertising. (2007)
  31. 31.
    Li, Z., Zhang, K., Xie, Y,. Yu, F., Wang, X.: Knowing your enemy: understanding and detecting malicious web advertising. In: ACM Conference on Computer and Communications Security (CCS) (2012)Google Scholar
  32. 32.
    Li, Z., Wang, X.-F., Choi, J.Y.: SpyShield: preserving privacy from spy add-ons. In: Kruegel, C., Lippmann, R., Clark, A. (eds.) RAID 2007. LNCS, vol. 4637, pp. 296–316. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  33. 33.
    Liu, L., Zhang, X., Yan, G., Chen, S.: Chrome extensions: threat analysis and countermeasures. In: Network and Distributed System Security Symposium (NDSS) (2012)Google Scholar
  34. 34.
    Ter Louw, M., Ganesh, K.T., Venkatakrishnan, V.N.: AdJail: practical enforcement of confidentiality and integrity policies on web advertisements. In: USENIX Security Symposium (2010)Google Scholar
  35. 35.
    Ter Louw, M., Lim, J.S., Venkatakrishnan, V.N.: Enhancing web browser security against malware extensions. J. Comput. Virol. 4(3), 179–195 (2008)CrossRefGoogle Scholar
  36. 36.
    Lu, L., Yegneswaran, V., Porras, P., Lee, W.: BLADE: An attack-agnostic approach for preventing drive-by malware infections. In: ACM Conference on Computer and Communications Security (CCS) (2010)Google Scholar
  37. 37.
    Marvin, G.: Google study exposes “tangled web” of companies profiting from ad injection (2015).
  38. 38.
    Mekky, H., Torres, R., Zhang, Z.L., Saha, S., Nucci, A.: Detecting malicious HTTP redirections using trees of user browsing activity. In: Annual IEEE International Conference on Computer Communications (INFOCOM) (2014)Google Scholar
  39. 39.
    Moreau, L.: The foundations for provenance on the web. Found. Trends Web Sci. 2(2–3), 99–241 (2010)MathSciNetCrossRefGoogle Scholar
  40. 40.
    Myers, A.C.: JFlow: practical mostly-static information flow control. In: Symposium on Principles of Programming Languages (POPL) (1999)Google Scholar
  41. 41.
    Nadji, Y., Saxena, P., Song, D.: Document structure integrity: a robust basis for cross-site scripting defense. In: Network and Distributed System Security Symposium (NDSS) (2009)Google Scholar
  42. 42.
    Pohly, D.J., McLaughlin, S., Butler, K.: Hi-Fi: collecting high-fidelity whole-system provenance. In: Annual Computer Security Applications Conference (ACSAC) (2012)Google Scholar
  43. 43.
    Reis, C., Gribble, S.D., Kohno, T., Weaver, N.C.: Detecting in-flight page changes with web Tripwires. In: USENIX Symposium on Networked Systems Design and Implementation (NSDI) (2008)Google Scholar
  44. 44.
    Selenium Contributors. Selenium: Web browser automation.
  45. 45.
    Stringhini, G., Kruegel, C., Vigna, G.: Shady paths: leveraging surfing crowds to detect malicious web pages. In: ACM Conference on Computer and Communications Security (CCS) (2013)Google Scholar
  46. 46.
    Thomas, K., Bursztein, E., Grier, C., Ho, G., Jagpal, N., Kapravelos, A., McCoy, D., Nappa, A., Paxson, V., Pearce, P., Provos, N., Rajab, M.A.: Ad injection at scale: assessing deceptive advertisement modifications. In: IEEE Symposium on Security and Privacy. IEEE, Oakland (2015)Google Scholar
  47. 47.
    Tran, M., Dong, X., Liang, Z., Jiang, X.: Tracking the trackers: fast and scalable dynamic analysis of web content for privacy violations. In: Bao, F., Samarati, P., Zhou, J. (eds.) ACNS 2012. LNCS, vol. 7341, pp. 418–435. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  48. 48.
    Xing, X., Meng, W., Weinsberg, U., Sheth, A., Lee, B., Perdisci, R., Lee, W.: Unraveling the relationship between ad-injecting browser extensions and malvertising. In: International World Wide Web Conference (WWW) (2015)Google Scholar
  49. 49.
    Zeldovich, N., Boyd-Wickizer, S., Mazieres, D.: Security distributed systems with information flow control. In: USENIX Symposium on Networked Systems Design and Implementation (NSDI) (2008)Google Scholar

Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  • Sajjad Arshad
    • 1
    Email author
  • Amin Kharraz
    • 1
  • William Robertson
    • 1
  1. 1.Northeastern UniversityBostonUSA

Personalised recommendations