Tracking the trackers: fast and scalable dynamic analysis of web content for privacy violations

Authors:
Minh Tran;Xinshu Dong;Zhenkai Liang;Xuxian Jiang
Affiliations:
Department of Computer Science, North Carolina State University;School of Computing, National University of Singapore, Singapore;School of Computing, National University of Singapore, Singapore;Department of Computer Science, North Carolina State University
Venue:
ACNS'12 Proceedings of the 10th international conference on Applied Cryptography and Network Security
Year:
2012

Citing 14
Cited 1

BrowserShield: vulnerability-driven filtering of dynamic HTML

OSDI '06 Proceedings of the 7th USENIX Symposium on Operating Systems Design and Implementation - Volume 7
All your iFRAMEs point to Us

SS'08 Proceedings of the 17th conference on Security symposium
Blueprint: Robust Prevention of Cross-site Scripting Attacks for Existing Browsers

SP '09 Proceedings of the 2009 30th IEEE Symposium on Security and Privacy
Analyzing Information Flow in JavaScript-Based Browser Extensions

ACSAC '09 Proceedings of the 2009 Annual Computer Security Applications Conference
Detection and analysis of drive-by-download attacks and malicious JavaScript code

Proceedings of the 19th international conference on World wide web
ConScript: Specifying and Enforcing Fine-Grained Security Policies for JavaScript in the Browser

SP '10 Proceedings of the 2010 IEEE Symposium on Security and Privacy
NOZZLE: a defense against heap-spraying code injection attacks

SSYM'09 Proceedings of the 18th conference on USENIX security symposium
Privacy leakage in mobile online social networks

WOSN'10 Proceedings of the 3rd conference on Online social networks
An empirical study of privacy-violating information flows in JavaScript web applications

Proceedings of the 17th ACM conference on Computer and communications security
How unique is your web browser?

PETS'10 Proceedings of the 10th international conference on Privacy enhancing technologies
Prophiler: a fast filter for the large-scale detection of malicious web pages

Proceedings of the 20th international conference on World wide web
I Still Know What You Visited Last Summer: Leaking Browsing History via User Interaction and Side Channel Attacks

SP '11 Proceedings of the 2011 IEEE Symposium on Security and Privacy
Automated Analysis of Security-Critical JavaScript APIs

SP '11 Proceedings of the 2011 IEEE Symposium on Security and Privacy
ADsafety: type-based verification of JavaScript Sandboxing

SEC'11 Proceedings of the 20th USENIX conference on Security

Information flow tracking meets just-in-time compilation

ACM Transactions on Architecture and Code Optimization (TACO)

Quantified Score

Hi-index	0.00

Visualization

Abstract

JavaScript-based applications are very popular on the web today. However, the lack of effective protection makes various kinds of privacy violation attack possible, including cookie stealing, history sniffing and behavior tracking. There have been studies of the prevalence of such attacks, but the dynamic nature of the JavaScript language makes reasoning about the information flows in a web application a challenging task. Previous small-scale studies do not present a complete picture of privacy violations of today's web, especially in the context of Internet advertisements and web analytics. In this paper we present a novel, fast and scalable architecture to address the shortcomings of previous work. Specifically, we have developed a novel technique called principal-based tainting that allows us to perform dynamic analysis of JavaScript execution with lowered performance overhead. We have crawled and measured more than one million websites. Our findings show that privacy attacks are more prevalent and serious than previously known.