
Include Me Out: In-Browser Detection of Malicious Third-Party Content Inclusions

Conference paper, Financial Cryptography and Data Security (FC 2016)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 9603)

Abstract

Modern websites include various types of third-party content such as JavaScript, images, stylesheets, and Flash objects in order to create interactive user interfaces. In addition to explicit inclusion of third-party content by website publishers, ISPs and browser extensions are hijacking web browsing sessions with increasing frequency to inject third-party content (e.g., ads). However, third-party content can also introduce security risks to users of these websites, unbeknownst to both website operators and users. Because of the often highly dynamic nature of these inclusions as well as the use of advanced cloaking techniques in contemporary malware, it is exceedingly difficult to preemptively recognize and block inclusions of malicious third-party content before it has the chance to attack the user’s system.

In this paper, we propose a novel approach to achieving the goal of preemptive blocking of malicious third-party content inclusion through an analysis of inclusion sequences on the Web. We implemented our approach, called Excision, as a set of modifications to the Chromium browser that protects users from malicious inclusions while web pages load. Our analysis suggests that by adopting our in-browser approach, users can avoid a significant portion of malicious third-party content on the Web. Our evaluation shows that Excision effectively identifies malicious content while introducing a low false positive rate. Our experiments also demonstrate that our approach does not negatively impact a user’s browsing experience when browsing popular websites drawn from the Alexa Top 500.
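The inclusion-sequence idea in the abstract, as an added illustration that is not the paper's Excision code: a constructed inclusion tree for one page load is flattened into one sequence per included resource (the chain of roles from the first-party document down to that resource), and each sequence is scored with two add-one-smoothed bigram models, one trained on constructed benign sequences and one on constructed malicious ones, to decide whether the browser should block that resource before it loads. The domains, the known-third-party lists, the training data and the bigram classifier are all assumptions made for this example; the paper's own model and features are not reproduced here.

```javascript
// Added illustration of in-browser inclusion-sequence analysis. Not the paper's
// Excision implementation: the inclusion tree, the role lists, the training
// sequences and the bigram classifier are all constructed for this example.

// Constructed inclusion tree for one page load. Each node is a fetched resource;
// its children are the resources it caused the browser to load (a script that
// inserts another script, an iframe that loads a document, and so on).
const SAMPLE_TREE = {
  url: "https://publisher.example/index.html",
  children: [
    { url: "https://cdn.publisher.example/app.js", children: [] },
    { url: "https://ads.example/tag.js", children: [
      { url: "https://redirector.example/r.js", children: [
        { url: "https://payload.example/exploit.js", children: [] } ] } ] },
  ],
};

// Constructed lists of known third parties (assumed; a deployment would curate these).
const KNOWN_AD_NETWORKS = new Set(["ads.example"]);
const KNOWN_ANALYTICS = new Set(["stats.example"]);

// Naive registrable-domain extraction (last two labels). A real implementation
// would consult the Public Suffix List instead.
function registrableDomain(url) {
  return new URL(url).hostname.split(".").slice(-2).join(".");
}

const FP = "first-party", AD = "ad-network", AN = "analytics", UN = "unknown";

// Coarse role of a resource relative to the page's first-party domain.
function roleOf(url, firstParty) {
  const domain = registrableDomain(url);
  if (domain === firstParty) return FP;
  if (KNOWN_AD_NETWORKS.has(domain)) return AD;
  if (KNOWN_ANALYTICS.has(domain)) return AN;
  return UN;
}

// One inclusion sequence per included resource: the roles on the path from the
// root document down to that resource (the root itself is not a decision point).
function inclusionSequences(tree) {
  const firstParty = registrableDomain(tree.url);
  const out = [];
  const walk = (node, path) => {
    const sequence = [...path, roleOf(node.url, firstParty)];
    if (node !== tree) out.push({ url: node.url, sequence });
    for (const child of node.children) walk(child, sequence);
  };
  walk(tree, []);
  return out;
}

// Add-one-smoothed bigram model over role tokens; start/end markers make the
// length of the chain part of what is learned.
const START = "<s>", END = "</s>";
const VOCAB_SIZE = 5; // FP, AD, AN, UN, END

class BigramModel {
  constructor() { this.counts = new Map(); } // prev -> Map(next -> count)
  train(sequences) {
    for (const seq of sequences) {
      const toks = [START, ...seq, END];
      for (let i = 1; i < toks.length; i++) {
        if (!this.counts.has(toks[i - 1])) this.counts.set(toks[i - 1], new Map());
        const row = this.counts.get(toks[i - 1]);
        row.set(toks[i], (row.get(toks[i]) || 0) + 1);
      }
    }
    return this;
  }
  logProb(seq) {
    const toks = [START, ...seq, END];
    let lp = 0;
    for (let i = 1; i < toks.length; i++) {
      const row = this.counts.get(toks[i - 1]) || new Map();
      let total = 0;
      for (const c of row.values()) total += c;
      lp += Math.log(((row.get(toks[i]) || 0) + 1) / (total + VOCAB_SIZE));
    }
    return lp;
  }
}

// Constructed labelled training sequences (tiny, for illustration only).
const BENIGN_TRAINING = [
  [FP], [FP, FP], [FP, FP, FP], [FP, AN], [FP, AD], [FP, AD, AD], [FP, AD, AN], [FP, AN, AN],
];
const MALICIOUS_TRAINING = [
  [FP, AD, UN], [FP, AD, UN, UN], [FP, UN], [FP, UN, UN], [FP, AD, AD, UN], [FP, AN, UN],
];
const benignModel = new BigramModel().train(BENIGN_TRAINING);
const maliciousModel = new BigramModel().train(MALICIOUS_TRAINING);

// Log-likelihood ratio: positive means the malicious model explains the chain better.
function isMalicious(sequence) {
  return maliciousModel.logProb(sequence) - benignModel.logProb(sequence) > 0;
}

// The per-resource decision a browser would take as each inclusion is about to load.
function decide(tree) {
  return inclusionSequences(tree).map(({ url, sequence }) => ({
    url, sequence, block: isMalicious(sequence),
  }));
}

for (const d of decide(SAMPLE_TREE)) {
  console.log(`${d.block ? "BLOCK" : "ALLOW"} ${d.url}  [${d.sequence.join(" > ")}]`);
}
```

With the constructed data, the redirector script is already blocked at the third hop (first-party > ad-network > unknown), so the payload it would have inserted is never requested; the first-party CDN script and the ad tag itself are allowed. The point the toy model makes is the one the abstract makes: the decision is taken on the chain of principals that led to an inclusion, not on the final URL alone, which is what lets a blocker act before a cloaked payload is fetched.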


Notes

  1. While our implementation could be adopted as-is by any browser vendor that uses a WebKit-derived engine, the design presented here is highly likely to be portable to other browsers.


Acknowledgement

This material is based upon work supported by the National Science Foundation under Grant No. CNS-1409738.

Author information

Corresponding author: Sajjad Arshad.


Copyright information

© 2017 International Financial Cryptography Association

About this paper

Cite this paper

Arshad, S., Kharraz, A., Robertson, W. (2017). Include Me Out: In-Browser Detection of Malicious Third-Party Content Inclusions. In: Grossklags, J., Preneel, B. (eds) Financial Cryptography and Data Security. FC 2016. Lecture Notes in Computer Science, vol 9603. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-54970-4_26


  • DOI: https://doi.org/10.1007/978-3-662-54970-4_26


  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-662-54969-8

  • Online ISBN: 978-3-662-54970-4
