JavaScript Privacy
JavaScript is used extensively to load and display ads, which can sometimes be sources of malware and various forms of privacy violations. Ill-intentioned scripts could have other, similar undesirable side effects. While most modern browsers offer an option to disable JavaScript, doing so can result in a highly unsatisfactory browsing experience, as more and more sites rely on JavaScript to provide more responsive and dynamic content.
This research aims to statically analyze JavaScript for potential malware and privacy violations. Past attempts have been based mainly on instrumenting the scripts on the fly and monitoring their behavior at run-time. Apart from adding run-time overhead, that approach can sometimes be completely ineffective, since by the time a script starts to run it may already be too late to control privacy violations. Therefore, we emphasize static techniques that can disable suspicious scripts before they get a chance to run, with the added benefit of not incurring any run-time overhead for the scripts considered safe.
We have started by exploring the possibility of determining whether the scripts loaded with a web page are responsible for loading ads. Our initial results indicate a high rate of success using a classifier trained on a carefully selected set of features that can be identified statically.
Related publications:
- Caitlin R. Orr, Arun Chauhan, Minaxi Gupta, Christopher J. Frisz and Christopher W. Dunn. An Approach for Identifying JavaScript-loaded Advertisements through Static Analysis. In Proceedings of the Workshop on Privacy in the Electronic Society (WPES), pages 1–12, 2012.