Internet advertising is one of the most popular online business models. JavaScript-based advertisements (ads) are often directly embedded in a web publisher's page to display ads relevant to users (e.g., by checking the user's browser environment and page content). However, as third-party code, the ads pose a significant threat to user privacy. Worse, malicious ads can exploit browser vulnerabilities to compromise users' machines and install malware. To protect users from these threats, we propose AdSentry, a comprehensive confinement solution for JavaScript-based advertisements. The crux of our approach is to use a shadow JavaScript engine to sandbox untrusted ads. In addition, AdSentry enables flexible regulation of ad script behaviors by completely mediating their access to the web page (including its DOM) without limiting the JavaScript functionality exposed to the ads. Our solution allows both web publishers and end users to specify access control policies that confine the ads' behaviors. We have implemented a proof-of-concept prototype of AdSentry that transparently supports the Mozilla Firefox browser. Our experiments with a number of ad-related attacks successfully demonstrate its practicality and effectiveness. The performance measurement indicates that our system incurs a small performance overhead.