Identifying Extension-Based Ad Injection via Fine-Grained Web Content Provenance

Extensions provide useful additional functionality for web browsers, but are also an increasingly popular vector for attacks. Due to the high degree of privilege extensions can hold, extensions have been abused to inject advertisements into web pages that divert revenue from content publishers and potentially expose users to malware. Users are often unaware of such practices, believing the modifications to the page originate from publishers. Additionally, automated identification of unwanted third-party modifications is fundamentally difficult, as users are the ultimate arbiters of whether content is undesired in the absence of outright malice.
