MyWebGuard: Toward a User-Oriented Tool for Security and Privacy Protection on the Web

  • Panchakshari N. Hiremath
  • Jack Armentrout
  • Son Vu
  • Tu N. Nguyen
  • Quang Tran Minh
  • Phu H. Phung
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11814)

Abstract

We introduce a novel approach to implementing a browser-based tool for web users to protect their privacy. We propose to monitor the behaviors of JavaScript code within a webpage, especially operations that can read data within a browser or send data from a browser to the outside. Our monitoring mechanism ensures that all potential information leakage channels are detected. Detected leakage is either automatically prevented by our context-aware policies or, where needed, decided on by the user. Our method advances the conventional same-origin policy standard of the Web by enforcing different policies for each source of the code. Although we develop the tool as a browser extension, our approach is browser-agnostic as it is based on standard JavaScript. Our method also stands apart from existing proposals in industry and the literature: in particular, it does not rely on the network request interception and blocking mechanisms provided by browsers, which face various technical issues.

We implement a proof-of-concept prototype and perform practical evaluations to demonstrate the effectiveness of our approach. Our experimental results show that the proposed method can detect and prevent data leakage channels not captured by leading tools such as Ghostery and uBlock Origin. We show that our prototype is compatible with major browsers and popular real-world websites with promising runtime performance.
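The per-source monitoring the abstract describes, as an added JavaScript example that is not MyWebGuard's own code: a data-sending API is wrapped so that each call is attributed to the origin of the script that made it and checked against a per-origin policy rather than a single same-origin rule. The policy table, host names, the `nav.sendBeacon` stand-in and the stack-parsing helper are constructed assumptions.

```javascript
// Constructed policy: script origin -> hosts it may send data to; unknown origins -> 'ask'.
const POLICY = {
  'https://www.shop.test': ['www.shop.test', 'api.shop.test'],
  'https://cdn.tracker.test': [], // third-party script: no outbound sends at all
};

// Verdict for a send from `codeOrigin` to `destination`: 'allow' | 'deny' | 'ask'.
function decide(codeOrigin, destination, policy = POLICY) {
  const allowed = policy[codeOrigin];
  if (allowed === undefined) return 'ask';
  const host = new URL(destination, codeOrigin).hostname; // also resolves relative URLs
  return allowed.includes(host) ? 'allow' : 'deny';
}

// Attribute a call to a script origin from a V8-style stack trace (assumed
// format): the first http(s) frame whose origin is not the monitor's own.
function originFromStack(stack, monitorOrigin) {
  const frame = /(https?:\/\/[^\/\s)]+)\/[^\s)]*?:\d+:\d+/g;
  for (const m of stack.matchAll(frame)) if (m[1] !== monitorOrigin) return m[1];
  return null;
}

// Wrap obj[method]: attribute the call via resolveOrigin() (injectable; in a page it
// would parse new Error().stack), apply the policy, consult ask() for unknown origins.
function guardSink(obj, method, destOf, resolveOrigin, ask, log) {
  const real = obj[method];
  obj[method] = function (...args) {
    const origin = resolveOrigin();
    const dest = destOf(args);
    let verdict = decide(origin, dest);
    if (verdict === 'ask') verdict = ask(origin, dest) ? 'allow' : 'deny';
    log.push({ origin, dest, verdict });
    return verdict === 'allow' ? real.apply(this, args) : false; // sendBeacon-style result
  };
}

// Constructed sends via a stand-in for navigator.sendBeacon; the user declines the prompt.
function demo() {
  const log = [];
  const nav = { sendBeacon: (url, data) => true };
  let caller = 'https://www.shop.test';
  guardSink(nav, 'sendBeacon', (a) => a[0], () => caller, () => false, log);
  nav.sendBeacon('/cart', 'item=1');                         // first party: allowed
  caller = 'https://cdn.tracker.test';
  nav.sendBeacon('https://collect.tracker.test/p', 'u=abc'); // denied by policy
  caller = 'https://unknown.test';
  nav.sendBeacon('https://unknown.test/x', '');              // asked; user declined
  return log.map((e) => e.verdict); // ['allow', 'deny', 'deny']
}
```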

Keywords

Privacy, Web security, Online tracking

Notes

Acknowledgment

The authors wish to thank the anonymous reviewers for their helpful comments and suggestions.

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  1. Intelligent Systems Security Lab, Department of Computer Science, University of Dayton, Dayton, USA
  2. Truman State University, Kirksville, USA
  3. Purdue University Fort Wayne, Fort Wayne, USA
  4. Ho Chi Minh City University of Technology, VNU-HCM, Ho Chi Minh City, Vietnam