AdJail: Practical Enforcement of Confidentiality and Integrity Policies on Web Advertisements

Mike Ter Louw, Karthik Thotta Ganesh, V.N. Venkatakrishnan
Department of Computer Science, University of Illinois at Chicago

19th USENIX Security Symposium, Washington, DC. August 11-13 2010

Yi-Ning Chen



2

Outline

• Introduction
• Threat model and related work
• Architecture
• Implementation
• Evaluation
• Conclusion

3

INTRODUCTION

4

Term introduction

• An ad publisher is a web application that includes dynamically sourced content from an ad network in its output.

• Ad content is dynamically fetched from ad networks (e.g., Google AdSense), leaving little opportunity for publishers to inspect and approve ads before the ads are rendered.

• The ad script is the ad network's JavaScript together with an advertiser's JavaScript.

5

The problem ad publishers face (1/2)

1. On Sep 13 2009, visitors to the New York Times home page were greeted by an unauthorized advertisement posing as a virus scan.

2. Members of the social web site Facebook were presented with advertisements deceptively portraying private images of their family and friends.

6

The problem ad publishers face (2/2)

• For publishers, online advertising is an economic necessity, but it also causes security problems.

• A passive approach to enforcement is for ad networks to screen ads for potential attacks.
– But this approach leaves the publisher vulnerable to any gaps in the ad network's screening strategy.

• In this paper, we confront the problem of rogue ads with an active approach, from a publisher-centric perspective.

7

Contributions of this paper

• Confidentiality and integrity policy specification and enforcement

• Compatibility with ad network targeting algorithms
• Compatibility with ad network billing operations
• Consistency in user experience
• Satisfaction of practical deployment requirements

8

THREAT MODEL AND RELATED WORK

9

Threat model: Ads in a webmail application

Ad types shown in the example webmail page:
(1) banner ad
(2) skyscraper ad
(3) inline text ad
(4) floating ad

10

Some ads require partial page content

Both require access to the email message text.

11

Some ads require special deployment

The floating ad requires access to the page's screen real estate in order to place the ad over the message text.

12

In-scope threats

• Targeted by recent efforts in the Web standards community for content restrictions (e.g. Content Security Policy).

• These policies are specified by a website to restrict the capabilities of third-party scripts.
– e.g. with reference to access to and modification of first-party content, and control over the screen.


Example header: X-Content-Security-Policy: allow 'self'; script-src userscripts.example.com

14

Out-of-scope threat (1/2)

• Browser security bugs
– e.g. drive-by-downloads

• Opaque content
– e.g. Flash

• Frame busting & navigation attacks

<script type="text/javascript">
if (top.location != location) {
  top.location.href = document.location.href;
}
</script>

15

Out-of-scope threat (2/2)

• Behavior tracking attacks
• Attacks through side channels
– e.g. the "visited links" feature of the browser

16

Related work (1/4)

• Privacy and behavior targeting
– Rely on specialized, in-browser systems that support contextual placement of ads while preventing behavioral profiling of users.
– ADJAIL: employed on the server side to protect both publisher-owned and user-owned content.

17

Related work (2/4)

• Restricting content languages
– Focus on limiting the JavaScript language features that untrusted scripts are allowed to use.
– FBJS: imposes the burden of a new language.
– ADsafe: places restrictions on JavaScript language features.
– These kinds of approaches may require re-development of ad script code.
– ADJAIL: the only effort required is to specify policies.

18

Related work (3/4)

• Code transformation approaches
– Transform untrusted JavaScript code to interpose runtime policy enforcement checks.
– The recommended method for a publisher to transform JavaScript dynamically involves using a proxy.
– However, this approach may appear suspicious to the click-fraud detection mechanisms employed by the ad network.

19

Related work (4/4)

• Publisher-browser collaboration
– The publisher instructs the browser to enforce the publisher's policies on third-party content, leaving the enforcement entirely to the browser.
– Content Security Policy: provided by Mozilla.
– Main positive: this approach can enforce fine-grained policies with minimal overhead.
– Primary drawback: today's browsers do not agree on a standard for publisher-browser collaboration.

20

ARCHITECTURE
Using a webmail application as the example

21

Ad confinement using shadow pages

1. Remove the ad script from the publisher's webmail page (the real page).

2. Embed a hidden <iframe> element in the page with a different origin URI, thus invoking the browser's SOP to isolate it from the real page.

3. Add the ad script to the page contained in the hidden <iframe> (the shadow page).

SOP (Same Origin Policy) definition:
1. "Only the pages with the same origin as the one that stores some information in the browser may read or modify that information."
2. Two pages have the same origin (domain) if the protocol, port, and host are the same.

22

Ad mirroring & event forwarding

1. We add Tunnel Script A to monitor the page changes made by the ad script.

2. It conveys those changes to the real page via inter-origin message conduits.

3. Once we capture user-generated events (e.g. onmousemove) on the mirrored ad content, we forward these events to the shadow page for processing.

Controlled user interaction with ads (1/2)

23

Ad policies

• Can be defined on each HTML element

Controlled user interaction with ads (2/2)

24

IMPLEMENTATION
Policies, real and shadow page, and synchronization

25

Policy specification

• The publisher can annotate any HTML element of the real page with a policy attribute
– policy = "permission: value;"

26

Policy composition

• Multiple policy statements may assign different values to a single permission. This can occur within a single policy attribute or through inheritance.

• The effective value for a permission is the most restrictive value across all composed policy statements.

• Inherited policy statements are taken into consideration.

• Permissions left unspecified are set to their default values.

27

Construction of the real page

1. Remove the ad script but retain the <div> element that will contain the content sent from the shadow page.
2. Add the tunnel script.
3. Annotate HTML elements with policies.
4. Scan the real page to find all elements with policies granting the following permissions:
• read-access: subtree;, write-access: append;, and write-access: subtree;
5. Convert the elements found in 3. into models (in preparation for sending them to the shadow page).

28

HTML to JavaScript data structure (JSON)

Used to keep elements synchronized between the real and shadow pages.

29

Construction of the shadow page

1. Begins as a template web page containing only the tunnel script.
2. After the tunnel script receives the content model from the real page's tunnel, it converts the content model into HTML constructs.
3. Now the shadow page contains all the non-sensitive content and structure of the real page, allowing the ad script to execute.
4. Next, we install wrappers around several DOM API methods to interpose between the ad script and the DOM.
• Wrappers are used to monitor page updates and to provide billing evidence.

30

DOM interposition

• To prevent ad impressions on the shadow page, we interpose on the common interfaces ad scripts use to create content.

– E.g. interpose on the src property of the HTMLImageElement object and substitute a placeholder value.
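The src interposition described above, as an added example that is not AdJail's own code: the accessor is replaced so that the shadow page stores only a placeholder (no impression is triggered there) while the tunnel still learns the real URL to mirror. ShadowImage is a constructed stand-in for HTMLImageElement so the file runs outside a browser; the placeholder value is an assumption.

```javascript
// Added example (not AdJail's code). In a browser the same interposeSrc call
// would be made on HTMLImageElement.prototype; ShadowImage is a constructed
// stand-in so that this runs offline. PLACEHOLDER is an assumed value.
const PLACEHOLDER = "about:blank";

class ShadowImage {                      // stand-in for HTMLImageElement
  constructor() { this._src = ""; }
  get src() { return this._src; }
  set src(v) { this._src = String(v); } // a real element would start a fetch here
}

// Replace the src accessor on `proto`: each assignment is reported to
// onAssign(element, realUrl) and the element itself receives only PLACEHOLDER.
// Returns a function that restores the original accessor.
function interposeSrc(proto, onAssign) {
  const orig = Object.getOwnPropertyDescriptor(proto, "src");
  Object.defineProperty(proto, "src", {
    configurable: true,
    enumerable: orig.enumerable,
    get() { return orig.get.call(this); },
    set(v) { onAssign(this, String(v)); orig.set.call(this, PLACEHOLDER); },
  });
  return () => Object.defineProperty(proto, "src", orig);
}

// Tunnel-side bookkeeping: the image URLs the ad script tried to load, which
// the tunnel would later send to the real page as part of the content model.
function createShadowTunnel(proto) {
  const updates = [];
  const restore = interposeSrc(proto, (el, url) => updates.push({ type: "img", src: url }));
  return { updates, restore };
}
```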

31

Content mirroring

1. Monitoring the shadow page for modifications
2. Modeling the detected modifications
3. Sending models to the real page
4. Enforcing policies on the models
5. Modifying the real page to reflect the modeled changes
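Policy parsing, composition and enforcement on a mirrored content model, as an added example (not AdJail's code) that covers both the policy specification/composition slides and step 4 of content mirroring above. The permission names (write-access, script, iframe, overflow, max-height, max-width), their restrictiveness orderings, the defaults and the shape of the model object are assumptions.

```javascript
// Added example, not AdJail's own code: parse policy="permission: value;"
// attributes, compose them down the ancestor chain so the most restrictive
// value wins, fill unspecified permissions with defaults, and vet a content
// model from the shadow page before it is mirrored. Names are assumptions.
const ORDER = {                      // least -> most restrictive (assumed)
  "write-access": ["subtree", "append", "none"],
  script: ["allow", "deny"], iframe: ["allow", "deny"], overflow: ["allow", "deny"],
};
const DEFAULTS = { "write-access": "none", script: "deny", iframe: "deny",
                   overflow: "deny", "max-height": Infinity, "max-width": Infinity };

function parsePolicy(attr) {         // e.g. "write-access: append; max-height: 250;"
  const out = {};
  for (const stmt of attr.split(";")) {
    const i = stmt.indexOf(":");
    if (i < 0) continue;
    const k = stmt.slice(0, i).trim(), v = stmt.slice(i + 1).trim();
    if (k) out[k] = /^\d+$/.test(v) ? Number(v) : v;
  }
  return out;
}
function moreRestrictive(perm, a, b) {
  if (a === undefined) return b;
  if (perm in ORDER) return ORDER[perm].indexOf(b) > ORDER[perm].indexOf(a) ? b : a;
  return Math.min(a, b);             // numeric limits: the smaller bound is stricter
}

// chain = [root, ..., element]: a descendant inherits and can only tighten.
function effectivePolicy(chain) {
  const eff = {};
  for (const el of chain) {
    const p = parsePolicy(el.policy || "");
    for (const k of Object.keys(p)) eff[k] = moreRestrictive(k, eff[k], p[k]);
  }
  return { ...DEFAULTS, ...eff };
}

// Returns null when the modelled change may be applied, else the reason.
function enforce(model, eff) {
  const w = eff["write-access"];
  if (w === "none") return "write-access denied";
  if (w === "append" && model.op === "replace") return "append only";
  if (model.tag === "script" && eff.script === "deny") return "script denied";
  if (model.tag === "iframe" && eff.iframe === "deny") return "iframe denied";
  if (model.height > eff["max-height"] || model.width > eff["max-width"]) return "oversized";
  if (eff.overflow === "deny" && (model.x < 0 || model.y < 0)) return "overflow denied";
  for (const c of model.children || []) { const r = enforce(c, eff); if (r) return r; }
  return null;
}
```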

32

Synchronization message

33

Event forwarding

• Using the DOM interposition framework, we interpose on script operations on event handlers.

• Ad click
– We click links on the real page, subject to enforcement of the link-target permission, instead of directly invoking click event handlers.

• Position and style synchronization
– An inline text pop-up ad can use synchronization messages to obtain its precise location and be positioned correctly.

34

EVALUATION
Compatibility, security, and rendering overhead

35

Testbed

• Six popular ad networks:

Banner ad
– Yahoo! Network
– Google AdSense
– Microsoft Media Network
– Federated Media Publishing

Inline text ad
– AdBrite
– Clicksor

36

Compatibility

We compare the original page with the page containing sandboxed ads.

• Correct functionality
– Worked well, but Google AdSense requires an offline cached copy of the publisher's page to perform contextual targeting.

• Minimum permissions
– As shown on the next slide.

• Click and impression counts
– Performed multiple renderings to ensure we clicked the same ad with and without the sandbox.
– Using this sandbox environment did not impose any additional impressions or generate any additional clicks.

37

Security – testing attacks (1/2)

Single trial: replacing the ad script with a malicious script that attempts to launch an attack.

• Execute arbitrary code in the context of the real page
– Can be blocked by enforcing a no-script policy.

• Confidential information leak
– Due to SOP restrictions, the sandboxed attack could not access the information by DOM traversal.

• Content integrity violation
– The content of the real page is protected, except where it was given a policy with full write access.

38

Security – testing attacks (2/2)

• Clickjacking
– With a policy that disallows <iframe> elements, the sandboxed attack was unsuccessful.

• User interface spoofing
– This attack was defeated by denying images, <iframe>s and Flash, and further constraining the ad with policy.

• Arbitrary ad position
– With a policy that denies overflow, violations due to out-of-bounds display positioning are blocked.

• Oversized ad
– The size violation was blocked by configuring a policy to limit the maximum height and width, and disallowing overflow.

39

Minimum permission & Security

40

Rendering overhead

41

Conclusion

• ADJAIL: a solution to the problem of confining third-party advertisements, to prevent attacks on confidentiality and integrity.

• Policy settings provide a flexible approach for the publisher to implement its security strategy.

• ADJAIL is compatible with existing web usage models, requiring no changes to ad networks or browsers.