Presentation is loading. Please wait.

Presentation is loading. Please wait.

AdJail: Practical Enforcement of Confidentiality and Integrity Policies on Web Advertisements Mike Ter Louw, Karthik Thotta Ganesh, V.N. Venkatakrishnan.

Published byVernon Thornton Modified over 8 years ago

Similar presentations

Presentation on theme: "AdJail: Practical Enforcement of Confidentiality and Integrity Policies on Web Advertisements Mike Ter Louw, Karthik Thotta Ganesh, V.N. Venkatakrishnan."— Presentation transcript:

1 AdJail: Practical Enforcement of Confidentiality and Integrity Policies on Web Advertisements Mike Ter Louw, Karthik Thotta Ganesh, V.N. Venkatakrishnan Department of Computer Science, University of Illinois at Chicago 19 th USENIX Security Symposium, Washington, DC. August 11-13 2010 Yi-Ning Chen 1

2 Outline Introduction Threat model and related work Architecture Implementation Evaluation Conclusion 2

3 INTRODUCTION 3

4 Term introduction Ad publisher is a web application that includes dynamically sourced content from an ad network in its output. Ad content is dynamically fetched from ad networks (e.g., Google AdSense), leaving little opportunity for publishers to inspect and approve ads before the ads are rendered. The Ad script is the ad network’s JavaScript and a an advertiser’s JavaScript. 4

5 The problem Ad publisher faced (1/2) 5 1. On Sep 13 2009, New York Times home page were greeted by an virus-scan-like unauthorized advertisement. 2. Members of social web site Facebook were presented with advertisements deceptively portraying private images of their family and friends

6 The problem Ad publisher faced (2/2) For publishers, online advertising is an economic necessity but also cause security problem. A passive approach to enforce is for ad networks to screen ad for potential attacks. – But this approach leaves the publisher vulnerable to any gaps in the ad network’s screening strategy. In this paper, we confront the problem of rogue ads by a active approach -- from a publisher-centric perspective. 6

7 Contributions of this paper Confidentiality and integrity policy specification and enforcement Compatibility with ad network targeting algorithms Compatibility with ad network billing operations Consistency in user experience Satisfaction of practical deployment requirements 7

8 THREAT MODEL AND RELATED WORK 8

9 Threat model: Ads in a webmail application 9 (1) banner (2) skyscraper ads (3) inline text ad (4) floating ad

10 Some ads require partial page content 10 Both requires access to the email message text.

11 Some ads require special deployment 11 Floating ad requires access to the real estate of the page to place the ad over the message text.

12 In-scope threats Targeted by recent efforts in the Web standards community for content restrictions. (e.g. Content Security Policy) These policies are specified by a website to restrict the capability of third-party scripts. – e.g. with reference to access and modification of first- party content, and control over the screen. 12

13 In-scope threats Targeted by recent efforts in the Web standards community for content restrictions. (e.g. Content Security Policy) These policies are specified by a website to restrict the capability of third-party scripts. – e.g. with reference to access and modification of first- party content, and control over the screen. 13

14 Out-of-scope threat (1/2) Browser security bugs – e.g. drive-by-downloads Opaque content – e.g. Flash Frame busting & navigation attacks 14 if(top.location != location) { top.location.href = document.location.href; }

15 Out-of-scope threat (2/2) Behavior tracking attacks Attacks through side channels – e.g. the “visited links” feature of browser 15

16 Related work (1/4) Privacy and behavior targeting – Rely on specialized, in-browser systems that support contextual placement of ads while preventing behavioral profiling of users. – ADJAIL: employ in server side to protect both publisher and user-owned content. 16

17 Related work (2/4) Restricting content languages – Focus on limiting the JavaScript language features that untrusted scripts are allowed to use. – FBJS: imposes the burden of new languages – AD-safe: places restrictions on JavaScript language features. – These kind of approaches may require re-development of ad script code. – ADJAIL: only effort required is to specify policies. 17

18 Related work (3/4) Code transformation approaches – Transform untrusted JavaScript code to interpose runtime policy enforcement checks. – The recommended method of transforming JavaScript dynamically by a publisher involves using a proxy. – However, this approach may appear suspicious to click- fraud detection mechanism employed by the ad network. 18

19 Related work (4/4) Publisher-browser collaboration – Publisher to instruct a browser to enforce the publisher’s policies on third-party content, leaving the enforcement entirely to the browser. – Content Security Policies: provides by Mozilla – Main positive: this approach can enforce fine-grained policies with minimal overheads. – Primary drawback: today’s browsers do not agree on a standard for publisher-browser collaboration. 19

20 ARCHITECTURE Using webmail application as example 20

21 Ad confinement using shadow pages 1.Remove the ad script from the publisher’s webmail page (real page). 2.Embed a hidden element in the page with a different origin URI, thus invoking browser’s SOP to isolate from real page. 3.Add the ad script to the page contained in the hidden (shadow page). 21 SOP (Same Origin Policy) Definition: 1. “Only the pages with same origin that stores some information in the browser may read or modify that information.” 2.Two pages have same origin (domain) if the protocol, port, and host are the same.

22 Ad mirroring & event forwarding 1.We add Tunnel Script A to monitor the page changes mad by ad script. 2.Conveys those change to the real page via inter-origin message conduits. 3.Once we capture user generated events (e.g. onmousemove) on the mirrored ad content, we forward these event to the shadow page for processing. Controlled user interaction with ads (1/2) 22

23 Ad policies Can be defined in each HTML element 23 Controlled user interaction with ads (2/2)

24 IMPLEMENTATION Policies, real and shadow page, and synchronization 24

25 Policies specification Publisher can annotate in any HTML element of the real page with a policy attribute –policy = “ permission: value; ” 25

26 Policies composition Multiple policy statement may assign different values to a single permission. This can occur within a single policy attribute or through inheritance. 26 Effective value for a permission is the most restrictive value across all composed policy statement. Take inheritance policy statement into consider. Permissions left unspecified are set to their default values.

27 1.Remove ad script but retain element to containing a content send from shadow page 1.Add the tunnel script. 2.Annotation of HTML elements with policies. 3.Scans the real page to find all elements with policies granting the following permission. read-access: subtree;, write-access: append;, and write-access: subtree; 4.convert the elements find in 3. into models ( preparing to send to the shadow page) 27 Construction of the real page

28 HTML to JavaScript data structure (JSON) 28 For keeping synchronization of elements between real and shadow page

29 Construction of the shadow page 1.Begins as a template web page containing only the tunnel script. 2.After the tunnel script receives content model from the real page’s tunnel. It converts content model into HTML constructs. 3.Now shadow page contains all the non-sensitive content and construct of real page, allowing the ad script to execute. 4.Next, we install wrappers around several DOM API methods to interpose between the ad script and the DOM. Wrappers are used to monitor page updates and provides billing evidence. 29

30 DOM interposition Prevent ad impression on the shadow page, we interpose on the common interfaces ad scripts use to create content. – E.g. interpose on the src property of HTMLImageElement object. Substitute with a placeholder value 30

31 Content mirroring 1.Monitoring the shadow page for modifications 2.Modeling the detected modifications 3.Sending models to the real page 4.Enforcing policies on the models 5.Modifying the real page to reflect the modeled changes 31

32 Synchronization message 32

33 Event forwarding Using DOM interposition framework, we impose on script operation on event handlers Ad click – We click links on the real page, subject to enforcement of the link-target permission. Instead of directly invoke click event handlers. Position and style synchronization – Inline text pop-up ad can use synchronization message to get the precise location and positioned correctly. 33

34 EVALUATION Compatibility, security, and rendering overhead 34

35 Testbed Six popular ad networks: Banner ad – Yahoo! Network – Google AdSense – Microsoft Media Network – Federated Media Publishing Inline text ad – AdBrite – Clicksor 35

36 Compatibility We compare the original page and the page with sandboxed ads. Correct functionality – Worked well, but Google AdSense requires offline cached copy of the publisher’s page to perform contextual targeting. Minimum permissions – As show in next slide. Click and impression counts – Perform multiple rendering to ensure we click the same ad with and without sandbox. – Using this sandbox environment did not impose any additional impressions or generate any additional clicks. 36

37 Security – testing attacks (1/2) Single trial: replacing ad scripts with a malicious script tends launch an attack. Execute arbitrary code in context of real page – Can be blocked by enforcing a no-script policy Confidential information leak – Due to SOP restrictions, the sandboxed attack could not access the information by DOM traversal. Content integrity violation – Can protect the content of real page except it was given a policy with full write access. 37

38 Security – testing attacks (2/2) Clickjacking – With a policy that disallows elements, the sandboxed attack was unsuccessful. User interface spoofing – This attack was defeated by denying images, s and Flash, and further constraining the ad with policy. Arbitrary ad position – With a policy that denies overflow, violations due to out-of-bounds display positioning are blocked. Oversized ad – The size violation was blocked by configuring a policy to limit the maximum height and width, and disallowing overflow 38

39 Minimum permission & Security 39

40 Rendering overhead 40

41 Conclusion ADJAIL, a solution for the problem of confinement of third- party advertisements to prevents attacks on confidentiality and integrity. Policy setting provides flexible approach for publisher to implement its security strategy. ADJAIL is compatibility with the existing web usage models, requiring no changes to ad networks or browser. 41

Download ppt "AdJail: Practical Enforcement of Confidentiality and Integrity Policies on Web Advertisements Mike Ter Louw, Karthik Thotta Ganesh, V.N. Venkatakrishnan."

Similar presentations

Protecting Browser State from Web Privacy Attacks Collin Jackson, Andrew Bortz, Dan Boneh, John Mitchell Stanford University.

Protecting Browser State from Web Privacy Attacks Collin Jackson, Andrew Bortz, Dan Boneh, John Mitchell Stanford University.
Presented by Vaibhav Rastogi. Current browsers try to separate host system from Web Websites evolved into web applications Lot of private data on the.

Presented by Vaibhav Rastogi. Current browsers try to separate host system from Web Websites evolved into web applications Lot of private data on the.
The Case for JavaScript Transactions Mohan Dhawan, Chung-chieh Shan, Vinod Ganapathy Department of Computer Science Rutgers University PLAS 2010.

The Case for JavaScript Transactions Mohan Dhawan, Chung-chieh Shan, Vinod Ganapathy Department of Computer Science Rutgers University PLAS 2010.
Java Script Session1 INTRODUCTION.

Java Script Session1 INTRODUCTION.
The Web Warrior Guide to Web Design Technologies

The Web Warrior Guide to Web Design Technologies
Georgios Kontaxis, Michalis Polychronakis Angelos D. Keromytis, Evangelos P. Markatos Siddhant Ujjain (2009cs10219) Deepak Sharma (2009cs10185)

Georgios Kontaxis, Michalis Polychronakis Angelos D. Keromytis, Evangelos P. Markatos Siddhant Ujjain (2009cs10219) Deepak Sharma (2009cs10185)
Presented by Vaibhav Rastogi.  Advent of Web 2.0 and Mashups  Inclusion of untrusted third party content a necessity  Need to restrict the functionality.

Presented by Vaibhav Rastogi.  Advent of Web 2.0 and Mashups  Inclusion of untrusted third party content a necessity  Need to restrict the functionality.
An Evaluation of the Google Chrome Extension Security Architecture

An Evaluation of the Google Chrome Extension Security Architecture
By Philipp Vogt, Florian Nentwich, Nenad Jovanovic, Engin Kirda, Christopher Kruegel, and Giovanni Vigna Network and Distributed System Security(NDSS ‘07)

By Philipp Vogt, Florian Nentwich, Nenad Jovanovic, Engin Kirda, Christopher Kruegel, and Giovanni Vigna Network and Distributed System Security(NDSS ‘07)
The Most Dangerous Code in the Browser Stefan Heule, Devon Rifkin, Alejandro Russo, Deian Stefan Stanford University, Chalmers University of Technology.

The Most Dangerous Code in the Browser Stefan Heule, Devon Rifkin, Alejandro Russo, Deian Stefan Stanford University, Chalmers University of Technology.
Hands-On Microsoft Windows Server 2003 Administration Chapter 5 Administering File Resources.

Hands-On Microsoft Windows Server 2003 Administration Chapter 5 Administering File Resources.
Frame isolation and the same origin policy Collin Jackson CS 142 Winter 2009.

Frame isolation and the same origin policy Collin Jackson CS 142 Winter 2009.
Phu H. Phung Chalmers University of Technology JSTools’ 12 June 13, 2012, Beijing, China Joint work with Lieven Desmet (KU Leuven)

Phu H. Phung Chalmers University of Technology JSTools’ 12 June 13, 2012, Beijing, China Joint work with Lieven Desmet (KU Leuven)
Android Security Enforcement and Refinement. Android Applications --- Example Example of location-sensitive social networking application for mobile phones.

Android Security Enforcement and Refinement. Android Applications --- Example Example of location-sensitive social networking application for mobile phones.
1 Subspace: Secure Cross Domain Communication for Web Mashups Collin Jackson and Helen J. Wang Mamadou H. Diallo.

1 Subspace: Secure Cross Domain Communication for Web Mashups Collin Jackson and Helen J. Wang Mamadou H. Diallo.
Subspace: Secure Cross-Domain Communication for Web Mashups Collin Jackson Stanford University Helen J. Wang Microsoft Research ACM WWW, May, 2007 Presenter:

Subspace: Secure Cross-Domain Communication for Web Mashups Collin Jackson Stanford University Helen J. Wang Microsoft Research ACM WWW, May, 2007 Presenter:
Subspace: Secure Cross-Domain Communication for Web Mashups In Proceedings of the 16th International World Wide Web Conference. (WWW), 2007 Collin Jackson,

Subspace: Secure Cross-Domain Communication for Web Mashups In Proceedings of the 16th International World Wide Web Conference. (WWW), 2007 Collin Jackson,
Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
D ATABASE S ECURITY Proposed by Abdulrahman Aldekhelallah University of Scranton – CS521 Spring2015.

D ATABASE S ECURITY Proposed by Abdulrahman Aldekhelallah University of Scranton – CS521 Spring2015.
Microsoft ® Official Course Module 9 Configuring Applications.

Microsoft ® Official Course Module 9 Configuring Applications.

Similar presentations

Ads by Google