Abstract
JavaScript-based applications are very popular on the web today. However, the lack of effective protection makes various kinds of privacy-violating attacks possible, including cookie stealing, history sniffing and behavior tracking. There have been studies of the prevalence of such attacks, but the dynamic nature of the JavaScript language makes reasoning about the information flows in a web application a challenging task. Previous small-scale studies do not present a complete picture of privacy violations on today's web, especially in the context of Internet advertisements and web analytics. In this paper we present a novel, fast and scalable architecture that addresses the shortcomings of previous work. Specifically, we have developed a novel technique called principal-based tainting that allows us to perform dynamic analysis of JavaScript execution with lowered performance overhead. We have crawled and measured more than one million websites. Our findings show that privacy attacks are more prevalent and serious than previously known.
© 2012 Springer-Verlag Berlin Heidelberg
Tran, M., Dong, X., Liang, Z., Jiang, X. (2012). Tracking the Trackers: Fast and Scalable Dynamic Analysis of Web Content for Privacy Violations. In: Bao, F., Samarati, P., Zhou, J. (eds) Applied Cryptography and Network Security. ACNS 2012. Lecture Notes in Computer Science, vol 7341. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-31284-7_25
DOI: https://doi.org/10.1007/978-3-642-31284-7_25
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-31283-0
Online ISBN: 978-3-642-31284-7
eBook Packages: Computer Science (R0)