WiP: Client Side Protections Against Rogue JavaScript

pdf

With more dynamic technologies being deployed, developers continue to make websites more reactive and add more features. An unintended side effect of these new capabilities is the opportunity to abuse the privacy and security of users. At the same time, targeted advertising profits off the collection of users’ data, which provides little incentive to prevent third-parties from amassing such data.

Thus, while new security mechanisms have been proposed to prevent misuse of dynamic web capabilities, they rely on a traditional threat model with an outdated root of trust that includes the visited website. Indeed, the traditional threat model places the onus of securing visitors on the developer.

In this work, we show that the traditional threat model is illsuited to the modern web. We find that under 13% of popular websites use modern protection mechanisms, and fewer deploy them comprehensively. Based on these findings, we plan to implement a prototype dynamic policy enforcement system that is purely clientside, requiring no cooperation from the site developer and little cooperation from the user. Our system will be able to enforce customized policies to control the behavior of JavaScript, including the ability to prevent data that users consider to be sensitive from leaving the browser and to prevent functions that the user considers to be prohibited from being executed.

Ross Copeland is in his third year of undergraduate studies at the University of Kansas studying Computer Science. He is a researcher part of the PADLOCK research group at the Information and Telecommunication Technology Center under the advisement of Drew Davidson. He can be contacted at rcopeland@ku.edu

Drew Davidson is an Assistant Professor in the Electrical Engineering and Computer Science department at the University of Kansas and a researcher at the Information and Telecommunication Technology Center. His research group, PADLOCK, is broadly focused on computer security and privacy with an emphasis on principled, usable systems. Prior to his position at the University of Kansas, Drew was a founding engineer at Tala Security. He may be contacted at drewdavidson@ku.edu

Tags:
License: CC-2.5
Submitted by Drew Davidson on