PAD: Programming third-party web advertisement censorship

In current online advertisement delivery, an ad slot on a publisher's website may go through multiple layers of bidding and reselling before the final ad content is delivered. Publishers have little control over the ads displayed on their web pages. As a result, website visitors may suffer from unwanted ads such as malvertising, intrusive ads, and information disclosure ads. Unfortunately, visitors often blame the publisher for their unpleasant experience and switch to competitor websites. In this paper, we propose a novel programming support system for ad delivery, called PAD, for publisher programmers, who specify their policies for regulating the third-party ads shown on their websites. PAD features an expressive specification language and a novel persistent policy enforcement runtime that can self-install and self-protect throughout the entire ad delegation chain. It also provides an ad-specific memory protection scheme that prevents malvertising by corrupting malicious payloads. Our experiments show that PAD has negligible runtime overhead. It effectively suppresses a set of malvertising cases and unwanted ad behaviors reported in the real world, without affecting normal functionality or regular ads.
