AdJail: practical enforcement of confidentiality and integrity policies on web advertisements

Authors:
Mike Ter Louw;Karthik Thotta Ganesh;V. N. Venkatakrishnan
Affiliations:
Department of Computer Science, University of Illinois at Chicago;Department of Computer Science, University of Illinois at Chicago;Department of Computer Science, University of Illinois at Chicago
Venue:
USENIX Security'10 Proceedings of the 19th USENIX conference on Security
Year:
2010

Citing 22
Cited 24

Timing attacks on Web privacy

Proceedings of the 7th ACM conference on Computer and communications security
Secure Execution of Java Applets Using a Remote Playground

IEEE Transactions on Software Engineering
Isolated Program Execution: An Application Transparent Approach for Executing Untrusted Programs

ACSAC '03 Proceedings of the 19th Annual Computer Security Applications Conference
Interface Illusions

IEEE Security and Privacy
Protecting browser state from web privacy attacks

Proceedings of the 15th international conference on World Wide Web
JavaScript instrumentation for browser security

Proceedings of the 34th annual ACM SIGPLAN-SIGACT symposium on Principles of programming languages
Defeating script injection attacks with browser-enforced embedded policies

Proceedings of the 16th international conference on World Wide Web
Subspace: secure cross-domain communication for web mashups

Proceedings of the 16th international conference on World Wide Web
BrowserShield: vulnerability-driven filtering of dynamic HTML

OSDI '06 Proceedings of the 7th USENIX Symposium on Operating Systems Design and Implementation - Volume 7
End-to-end web application security

HOTOS'07 Proceedings of the 11th USENIX workshop on Hot topics in operating systems
Talking to strangers without taking their candy: isolating proxied content

Proceedings of the 1st Workshop on Social Network Systems
JavaScript Instrumentation in Practice

APLAS '08 Proceedings of the 6th Asian Symposium on Programming Languages and Systems
All your iFRAMEs point to Us

SS'08 Proceedings of the 17th conference on Security symposium
Securing frame communication in browsers

SS'08 Proceedings of the 17th conference on Security symposium
Lightweight self-protecting JavaScript

Proceedings of the 4th International Symposium on Information, Computer, and Communications Security
Language-Based Isolation of Untrusted JavaScript

CSF '09 Proceedings of the 2009 22nd IEEE Computer Security Foundations Symposium
Blueprint: Robust Prevention of Cross-site Scripting Attacks for Existing Browsers

SP '09 Proceedings of the 2009 30th IEEE Symposium on Security and Privacy
Analyzing and Detecting Malicious Flash Advertisements

ACSAC '09 Proceedings of the 2009 Annual Computer Security Applications Conference
Detection and analysis of drive-by-download attacks and malicious JavaScript code

Proceedings of the 19th international conference on World wide web
Reining in the web with content security policy

Proceedings of the 19th international conference on World wide web
ConScript: Specifying and Enforcing Fine-Grained Security Policies for JavaScript in the Browser

SP '10 Proceedings of the 2010 IEEE Symposium on Security and Privacy
GATEKEEPER: mostly static enforcement of security and reliability policies for javascript code

SSYM'09 Proceedings of the 18th conference on USENIX security symposium

System security, platform security and usability

Proceedings of the fifth ACM workshop on Scalable trusted computing
WebAppArmor: a framework for robust prevention of attacks on web applications

ICISS'10 Proceedings of the 6th international conference on Information systems security
ADsafety: type-based verification of JavaScript Sandboxing

SEC'11 Proceedings of the 20th USENIX conference on Security
Protecting private web content from embedded scripts

ESORICS'11 Proceedings of the 16th European conference on Research in computer security
ToMaTo: a trustworthy code mashup development tool

Proceedings of the 5th International Workshop on Web APIs and Service Mashups
AdSentry: comprehensive and flexible confinement of JavaScript-based advertisements

Proceedings of the 27th Annual Computer Security Applications Conference
WebJail: least-privilege integration of third-party components in web mashups

Proceedings of the 27th Annual Computer Security Applications Conference
A two-tier sandbox architecture for untrusted JavaScript

Proceedings of the Workshop on JavaScript Tools
Security of web mashups: a survey

NordSec'10 Proceedings of the 15th Nordic conference on Information Security Technology for Applications
TreeHouse: JavaScript sandboxes to helpWeb developers help themselves

USENIX ATC'12 Proceedings of the 2012 USENIX conference on Annual Technical Conference
JavaScript in JavaScript (js.js): sandboxing third-party scripts

WebApps'12 Proceedings of the 3rd USENIX conference on Web Application Development
Privilege separation in HTML5 applications

Security'12 Proceedings of the 21st USENIX conference on Security symposium
Better security and privacy for web browsers: a survey of techniques, and a new implementation

FAST'11 Proceedings of the 8th international conference on Formal Aspects of Security and Trust
Serene: self-reliant client-side protection against session fixation

DAIS'12 Proceedings of the 12th IFIP WG 6.1 international conference on Distributed Applications and Interoperable Systems
Secure multi-execution through static program transformation

FMOODS'12/FORTE'12 Proceedings of the 14th joint IFIP WG 6.1 international conference and Proceedings of the 32nd IFIP WG 6.1 international conference on Formal Techniques for Distributed Systems
Enhancing javascript with transactions

ECOOP'12 Proceedings of the 26th European conference on Object-Oriented Programming
Knowing your enemy: understanding and detecting malicious web advertising

Proceedings of the 2012 ACM conference on Computer and communications security
You are what you include: large-scale evaluation of remote javascript inclusions

Proceedings of the 2012 ACM conference on Computer and communications security
FlowFox: a web browser with flexible and precise information flow control

Proceedings of the 2012 ACM conference on Computer and communications security
JSand: complete client-side sandboxing of third-party JavaScript without browser modifications

Proceedings of the 28th Annual Computer Security Applications Conference
Improving access control for browsers using dynamic scoping

Proceedings of the 51st ACM Southeast Conference
Flexible access control for javascript

Proceedings of the 2013 ACM SIGPLAN international conference on Object oriented programming systems languages & applications
Protecting sensitive web content from client-side vulnerabilities with CRYPTONS

Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security
A secure proxy-based cross-domain communication for web mashups

Journal of Web Engineering

Quantified Score

Hi-index	0.00

Visualization

Abstract

Web publishers frequently integrate third-party advertisements into web pages that also contain sensitive publisher data and end-user personal data. This practice exposes sensitive page content to confidentiality and integrity attacks launched by advertisements. In this paper, we propose a novel framework for addressing security threats posed by third-party advertisements. The heart of our framework is an innovative isolation mechanism that enables publishers to transparently interpose between advertisements and end users. The mechanism supports finegrained policy specification and enforcement, and does not affect the user experience of interactive ads. Evaluation of our framework suggests compatibility with several mainstream ad networks, security from many threats from advertisements and acceptable performance overheads.