Abstract
We introduce a novel approach to implementing a browser-based tool for web users to protect their privacy. We propose to monitor the behaviors of JavaScript code within a webpage, especially operations that can read data within a browser or can send data from a browser to outside. Our monitoring mechanism is to ensure that all potential information leakage channels are detected. The detected leakage is either automatically prevented by our context-aware policies or decided by the user if needed. Our method advances the conventional same-origin policy standard of the Web by enforcing different policies for each source of the code. Although we develop the tool as a browser extension, our approach is browser-agnostic as it is based on standard JavaScript. Also, our method stands from existing proposals in the industry and literature. In particular, it does not rely on network request interception and blocking mechanisms provided by browsers, which face various technical issues.
We implement a proof-of-concept prototype and perform practical evaluations to demonstrate the effectiveness of our approach. Our experimental results evidence that the proposed method can detect and prevent data leakage channels not captured by the leading tools such as Ghostery and uBlock Origin. We show that our prototype is compatible with major browsers and popular real-world websites with promising runtime performance.
S. Vu—Work performed while the author was visiting the Intelligent Systems Security Lab, Department of Computer Science, University of Dayton.
This is a preview of subscription content, log in via an institution.
Buying options
Tax calculation will be finalised at checkout
Purchases are for personal use only
Learn about institutional subscriptionsReferences
Agarwal, L., Shrivastava, N., Jaiswal, S., Panjwani, S.: Do not embarrass: re-examining user concerns for online tracking and advertising. In: Proceedings of the Ninth Symposium on Usable Privacy and Security, SOUPS 2013, pp. 8:1–16. ACM (2013)
Arshad, S., Kharraz, A., Robertson, W.: Identifying extension-based ad injection via fine-grained web content provenance. In: Monrose, F., Dacier, M., Blanc, G., Garcia-Alfaro, J. (eds.) RAID 2016. LNCS, vol. 9854, pp. 415–436. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-45719-2_19
Arshad, S., Kharraz, A., Robertson, W.: Include me out: in-browser detection of malicious third-party content inclusions. In: Grossklags, J., Preneel, B. (eds.) FC 2016. LNCS, vol. 9603, pp. 441–459. Springer, Heidelberg (2017). https://doi.org/10.1007/978-3-662-54970-4_26
Bashir, M.A., Arshad, S., Kirda, E., Robertson, W., Wilson, C.: How tracking companies circumvented ad blockers using Websockets. In: Proceedings of the Internet Measurement Conference 2018, pp. 471–477. ACM (2018)
Bashir, M.A., Arshad, S., Robertson, W., Wilson, C.: Tracing information flows between ad exchanges using retargeted ads. In: 25th USENIX Security Symposium, USENIX Security 16, pp. 481–496 (2016)
Batt, S.: What is “do not track” and does it protect your privacy?, August 2019 https://www.makeuseof.com/tag/not-track-actually-work/
Burt, A.: Privacy and cybersecurity are converging. here’s why that matters for people and for companies, January 2019. https://hbr.org/2019/01/privacy-and-cybersecurity-are-converging-heres-why-that-matters-for-people-and-for-companies. Accessed 13 Aug 2019
Caleb: Ranked: Security and privacy for the most popular web browsers, March 2019. https://www.expressvpn.com/blog/best-browsers-for-privacy/
Chanchary, F., Chiasson, S.: User perceptions of sharing, advertising, and tracking. In: Proceedings of the Eleventh Symposium On Usable Privacy and Security, SOUPS 2015, pp. 53–67 (2015)
Chromium Blog: Improving privacy and security on the web, May 2019. https://blog.chromium.org/2019/05/improving-privacy-and-security-on-web.html
Chudnov, A., Naumann, D.A.: Inlined information flow monitoring for JavaScript. In: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, pp. 629–643. ACM (2015)
Crockford, D.: ADsafe - Making JavaScript Safe for Advertising (2007). http://www.adsafe.org. Accessed 11 Aug 2019
devlin@chromium.org: Manifest V3, December 2018. https://docs.google.com/document/d/1nPu6Wy4LWR66EFLeYInl3NzzhHzc-qnk4w4PX-0XMw8/edit#heading=h.xgjl2srtytjt. Accessed 14 Aug 2019
Dhawan, M., Ganapathy, V.: Analyzing information flow in JavaScript-based browser extensions. In: 2009 Annual Computer Security Applications Conference, pp. 382–391. IEEE (2009)
Eckersley, P.: How unique is your web browser? In: Atallah, M.J., Hopper, N.J. (eds.) PETS 2010. LNCS, vol. 6205, pp. 1–18. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14527-8_1
Ecma International: ECMAScript 2015 Language Specification ECMA-262 6th Edition, June 2015. https://www.ecma-international.org/ecma-262/6.0/. Accessed 14 Aug 2019
Englehardt, S., Narayanan, A.: Online tracking: a 1-million-site measurement and analysis. In: Proceedings of the 2016 ACM SIGSAC conference on computer and communications security, pp. 1388–1401. ACM (2016)
Finifter, M., Weinberger, J., Barth, A.: Preventing capability leaks in secure JavaScript subsets. In: NDSS (2010)
Fredrikson, M., Livshits, B.: Repriv: re-imagining content personalization and in-browser privacy. In: 2011 IEEE Symposium on Security and Privacy, pp. 131–146. IEEE (2011)
Georgiev, M., Jana, S., Shmatikov, V.: Rethinking security of web-based system applications. In: Proceedings of the 24th International Conference on World Wide Web, pp. 366–376. International World Wide Web Conferences Steering Committee (2015)
Google Caja: Compiler for making third-party HTML, CSS, and JavaScript safe for embedding (2007). https://developers.google.com/caja/. Accessed 5 Aug 2019
Google Chrome: chrome. webRequest. https://developer.chrome.com/extensions/webRequest. Accessed 14 Aug 2019
Guha, A., Fredrikson, M., Livshits, B., Swamy, N.: Verified security for browser extensions. In: 2011 IEEE symposium on security and privacy, pp. 115–130. IEEE (2011)
Guha, S., Cheng, B., Francis, P.: Privad: practical privacy in online advertising. In: USENIX Conference on Networked Systems Design and Implementation, pp. 169–182 (2011)
Hausknecht, D., Magazinius, J., Sabelfeld, A.: May I? - Content security policy endorsement for browser extensions. In: Almgren, M., Gulisano, V., Maggi, F. (eds.) DIMVA 2015. LNCS, vol. 9148, pp. 261–281. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-20550-2_14
Hedin, D., Bello, L., Sabelfeld, A.: Information-flow security for JavaScript and its APIs. J. Comput. Secur. 24(2), 181–234 (2016)
Heule, S., Rifkin, D., Russo, A., Stefan, D.: The most dangerous code in the browser. In: 15th Workshop on Hot Topics in Operating Systems (HotOS XV) (2015)
Iqbal, U., Snyder, P., Zhu, S., Livshits, B., Qian, Z., Shafiq, Z.: AdGraph: a graph-based approach to ad and tracker blocking. In: IEEE Symposium on Security and Privacy, May 2020
Katz, O., Livshits, B.: Toward an evidence-based design for reactive security policies and mechanisms. arXiv preprint arXiv:1802.08915 (2018)
Leon, P.G., et al.: What matters to users?: factors that affect users’ willingness to share information with online advertisers. In: Proceedings of the Ninth Symposium on Usable Privacy and Security, p. 7. ACM (2013)
Maffeis, S., Taly, A.: Language-based isolation of untrusted Javascript. In: 2009 22nd IEEE Computer Security Foundations Symposium, pp. 77–91. IEEE (2009)
Magazinius, J., Phung, P.H., Sands, D.: Safe wrappers and sane policies for self protecting JavaScript. In: Proceedings of the 15th Nordic Conference in Secure IT Systems NordSec, pp. 239–255, October 2010
Mathur, A., Vitak, J., Narayanan, A., Chetty, M.: Characterizing the use of browser-based blocking extensions to prevent online tracking. In: Fourteenth Symposium on Usable Privacy and Security, SOUPS 2018, pp. 103–116 (2018)
Mayer, J.R., Mitchell, J.C.: Third-party web tracking: policy and technology. In: 2012 IEEE Symposium on Security and Privacy, pp. 413–427. IEEE (2012)
McDonald, A.M., Cranor, L.F.: Americans’ attitudes about internet behavioral advertising practices. In: Proceedings of the 9th Annual ACM Workshop on Privacy in the Electronic Society, pp. 63–72. ACM (2010)
Merzdovnik, G., et al.: Block me if you can: a large-scale study of tracker-blocking tools. In: 2017 IEEE European Symposium on Security and Privacy, EuroS&P, pp. 319–333. IEEE (2017)
Meyerovich, L.A., Livshits, B.: ConScript: Specifying and enforcing fine-grained security policies for Javascript in the browser. In: 2010 IEEE Symposium on Security and Privacy, pp. 481–496. IEEE (2010)
Microsoft Edge: Security and privacy group policies (2018). https://docs.microsoft.com/en-us/microsoft-edge/deploy/group-policies/security-privacy-management-gp. Accessed 14 Aug 2019
Miller, M.S., Samuel, M., Laurie, B., Awad, I., Stay, M.: Safe active content in sanitized JavaScript. Tech. rep. Google Inc. (2008)
Mozilla: webRequest. https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/webRequest. Accessed 14 Aug 2019
Mozilla Developer Network: Same-origin policy. https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy. Accessed 14 Aug 2019
Mozilla Developer Network: The WebSocket API (WebSockets), April 2019. https://developer.mozilla.org/en-US/docs/Web/API/WebSockets_API
Mozilla Developer Network: What are extensions? March 2019. https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/What_are_WebExtensions
Mozilla Security Blog: Privacy archives, August 2019. https://blog.mozilla.org/security/category/privacy/. Accessed 14 Aug 2019
Musch, M., Steffens, M., Roth, S., Stock, B., Johns, M.: ScriptProtect: mitigating unsafe third-party javascript practices, pp. 391–402 (2019)
Nakhaei, K., Ansari, E., Ansari, F.: JSSignature: eliminating third-party-hosted JavaScript infection threats using digital signatures. arXiv preprint arXiv:1812.03939 (2018)
Nikiforakis, N., et al.: You are what you include: large-scale evaluation of remote JavaScript inclusions. In: Proceedings of the 2012 ACM Conference on Computer and Communications Security, pp. 736–747. ACM (2012)
Phung, P.H., Monshizadeh, M., Sridhar, M., Hamlen, K.W., Venkatakrishnan, V.: Between worlds: securing mixed JavaScript/ActionScript multi-party web content. IEEE Trans. Dependable Secure Comput. TDSC 12(4), 443–457 (2015). https://doi.org/10.1109/TDSC.2014.2355847
Phung, P.H., Sands, D., Chudnov, A.: Lightweight self-protecting JavaScript. In: Proceedings of the 4th International Symposium on Information, Computer, and Communications Security (AsiaCCS), pp. 47–60, March 2009
Politz, J.G., Eliopoulos, S.A., Guha, A., Krishnamurthi, S.: ADsafety: type-based verification of JavaScript sandboxing. In: Proceedings of the 20th USENIX Conference on Security. SEC 2011, USENIX Association (2011)
Pupo, A.L.S., Nicolay, J., Boix, E.G.: GUARDIA: specification and enforcement of Javascript security policies without VM modifications. In: The 15th International Conference on Managed Languages & Runtimes, pp. 17:1–17:10. ACM (2018)
Reis, C., Dunagan, J., Wang, H.J., Dubrovsky, O., Esmeir, S.: BrowserShield: vulnerability-driven filtering of dynamic HTML. ACM Trans. Web (TWEB) 1(3), 11 (2007)
Roesner, F., Kohno, T., Wetherall, D.: Detecting and defending against third-party tracking on the web. In: Proceedings of the 9th USENIX Conference on Networked Systems Design and Implementation, p. 12. USENIX Association (2012)
Schwenk, J., Niemietz, M., Mainka, C.: Same-origin policy: evaluation in modern browsers. In: 26th USENIX Security Symposium (USENIX Security 17), pp. 713–727. USENIX Association, Vancouver, August 2017
Siddiqui, A.: Google’s Manifest V3 will change how ad blocking Chrome extensions work: is it to cripple them, or is it for security? June 2019. https://www.xda-developers.com/google-chrome-manifest-v3-ad-blocker-extension-api/
Sjösten, A., Van Acker, S., Sabelfeld, A.: Discovering browser extensions via web accessible resources. In: Proceedings of the Seventh ACM on Conference on Data and Application Security and Privacy, pp. 329–336. ACM (2017)
Swamy, N., Livshits, B., Guha, A., Fredrikson, M.J.: Programming, verifying, visualizing, and deploying browser extensions with fine-grained security policies, March 2015, US Patent 8,978,106
Ter Louw, M., Lim, J.S., Venkatakrishnan, V.N.: Enhancing web browser security against malware extensions. J. Comput. Virol. 4(3), 179–195 (2008)
Ur, B., Leon, P.G., Cranor, L.F., Shay, R., Wang, Y.: Smart, useful, scary, creepy: perceptions of online behavioral advertising. In: Proceedings of the Eighth Symposium On Usable Privacy and Security, SOUPS 2012, p. 4. ACM (2012)
W3C: Content security policy (2018). https://www.w3.org/TR/CSP/
W3C: Tracking Preference Expression (DNT), January 2019. https://www.w3.org/TR/tracking-dnt/
W3Techs.com: Usage Statistics of JavaScript as Client-side Programming Language on Websites, August 2019. https://w3techs.com/technologies/details/cp-javascript/all/all
Weissbacher, M., Lauinger, T., Robertson, W.: Why is CSP failing? trends and challenges in CSP adoption. In: Stavrou, A., Bos, H., Portokalidis, G. (eds.) RAID 2014. LNCS, vol. 8688, pp. 212–233. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-11379-1_11
Wills, C.E., Uzunoglu, D.C.: What ad blockers are (and are not) doing. In: 2016 Fourth IEEE Workshop on Hot Topics in Web Systems and Technologies (HotWeb), pp. 72–77. IEEE (2016)
Xing, X., et al.: Understanding malvertising through ad-injecting browser extensions. In: Proceedings of the 24th International Conference on World Wide Web, pp. 1286–1295 (2015). International World Wide Web Conferences Steering Committee
Acknowledgment
The authors wish to thank the anonymous reviewers for their helpful comments and suggestions.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2019 Springer Nature Switzerland AG
About this paper
Cite this paper
Hiremath, P.N., Armentrout, J., Vu, S., Nguyen, T.N., Minh, Q.T., Phung, P.H. (2019). MyWebGuard: Toward a User-Oriented Tool for Security and Privacy Protection on the Web. In: Dang, T., Küng, J., Takizawa, M., Bui, S. (eds) Future Data and Security Engineering. FDSE 2019. Lecture Notes in Computer Science(), vol 11814. Springer, Cham. https://doi.org/10.1007/978-3-030-35653-8_33
Download citation
DOI: https://doi.org/10.1007/978-3-030-35653-8_33
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-35652-1
Online ISBN: 978-3-030-35653-8
eBook Packages: Computer ScienceComputer Science (R0)