PanoptiChrome: A Modern In-browser Taint Analysis Framework
Pages 1914 - 1922
Abstract
Taint tracking in web browsers is a problem of profound interest because it allows developers to accurately understand the flow of sensitive data across JavaScript (JS) functions. Modern websites load JS functions from either the web server or other third-party sites, hence this problem has acquired a much more complex and pernicious dimension. Sadly, for the latest version of the Chromium browser (used by 75% of users), there is no dynamic taint propagation engine primarily because it is incredibly complex to build one. The nearest contending work in this space was published in 2018 for version 57; at the time of writing, we are at Chromium version 117, and the current version is very different from the 2018 version. We outline the details of a multi-year effort in this paper that led to PanoptiChrome, which accurately tracks information flow across an arbitrary number of sources and sinks and is, to a large extent, portable across platforms. As an example use case of the platform, we experimentally show that we can discover fingerprinting APIs that can uniquely identify the browser and sometimes the user, which are missed by state-of-the-art tools, owing to our comprehensive dynamic analysis methodology. For the top 20,000 most popular websites, we discovered a total of 362 APIs that have the potential to be used for fingerprinting -- out of these, 208 APIs were previously not reported by state-of-the-art tools.
Supplemental Material
MP4 File
video presentation
- Download
- 161.20 MB
MP4 File
Supplemental video
- Download
- 7.48 MB
References
[1]
2022. Thou Shalt Not Depend on Me: Analysing the Use of Outdated JavaScript Libraries on the Web - NDSS Symposium. https://www.ndss-symposium.org/ndss2017/ndss-2017-programme/thou-shalt-not-depend-me-analysing-use-outdated-javascript-libraries-web [Online; accessed 24. Feb. 2023].
[2]
2023. Build cross-platform desktop apps with JavaScript, HTML, and CSS | Electron. https://www.electronjs.org [Online; accessed 1. Mar. 2023].
[3]
2023. ECMAScript 2015 Language Specification -- ECMA-262 6th Edition. https://262.ecma-international.org/6.0 [Online; accessed 11. Oct. 2023].
[4]
2023. ECMAScript® 2024 Language Specification. https://tc39.es/ecma262 [Online; accessed 11. Oct. 2023].
[5]
2023. HTMLAnchorElement: hostname property - Web APIs | MDN. https://developer.mozilla.org/en-US/docs/Web/API [Online; accessed 11. Oct. 2023].
[6]
2023. Stack Overflow Developer Survey 2023. https://survey.stackoverflow.co/ 2023 [Online; accessed 11. Oct. 2023].
[7]
2023. Tranco: A Research-Oriented Top Sites Ranking Hardened Against Manipulation - NDSS Symposium. https://www.ndss-symposium.org/ndss-paper/tranco-a-research-oriented-top-sites-ranking-hardened-against-manipulation [Online; accessed 11. Oct. 2023].
[8]
2023. WebPol: Fine-grained Information Flow Policies for Web Browsers (JSTools 2017) - ECOOP 2017. https://2017.ecoop.org/details/JSTools-2017-papers/6/WebPol-Fine-grained-Information-Flow-Policies-for-Web-Browsers [Online; accessed 24. Feb. 2023].
[9]
2024. India: wireless subscriber market share by provider 2022 | Statista. https://www.statista.com/statistics/258797/market-share-of-the-mobile-telecom-industry-in-india-by-company [Online; accessed 2. Feb. 2024].
[10]
2024. The Chromium (Google Chrome) Open Source Project on Open Hub: Languages Page. https://openhub.net/p/chrome/analyses/latest/languages_summary [Online; accessed 13. Feb. 2024].
[11]
2024. The Google V8 JavaScript Engine Open Source Project on Open Hub: Languages Page. https://openhub.net/p/v8-js/analyses/latest/languages_summary [Online; accessed 13. Feb. 2024].
[12]
2024. Web IDL Standard. https://webidl.spec.whatwg.org [Online; accessed 3. Feb. 2024].
[13]
Gunes Acar, Marc Juarez, Nick Nikiforakis, Claudia Diaz, Seda Gürses, Frank Piessens, and Bart Preneel. 2013. FPDetective: dusting the web for fingerprinters. In CCS '13: Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security. Association for Computing Machinery, New York, NY, USA, 1129--1140. https://doi.org/10.1145/2508859.2516674
[14]
Pouneh Nikkhah Bahrami, Umar Iqbal, and Zubair Shafiq. 2021. FP-Radar: Longitudinal Measurement and Early Detection of Browser Fingerprinting. Proceedings on Privacy Enhancing Technologies (2021). https://www.semanticscholar.org/paper/FP-Radar%3A-Longitudinal-Measurement-and-Early-of-Bahrami-Iqbal/72bb8e71702fef660b44133d34b9a8a5456e99c3
[15]
Lujo Bauer, Shaoying Cai, Limin Jia, Timothy Passaro, Michael Stroucken, and Yuan Tian. 2015. Run-time Monitoring and Formal Analysis of Information Flows in Chromium. In Network and Distributed System Security Symposium.
[16]
Darion Cassel, Su-Chin Lin, Alessio Buraggina, William Wang, Andrew Zhang, Lujo Bauer, Hsu-Chun Hsiao, Limin Jia, and Timothy Libert. 2022. OmniCrawl: Comprehensive Measurement of Web Tracking With Real Desktop and Mobile Browsers. Proceedings on Privacy Enhancing Technologies (2022). https://petsymposium.org/popets/2022/popets-2022-0012.php
[17]
Quan Chen and Alexandros Kapravelos. 2018. Mystique: Uncovering Information Leakage from Browser Extensions. In CCS '18: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security. Association for Computing Machinery, New York, NY, USA, 1687--1700. https://doi.org/10.1145/3243734.3243823
[18]
Andrey Chudnov and David A. Naumann. 2015. Inlined Information Flow Monitoring for JavaScript. In CCS '15: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security. Association for Computing Machinery, New York, NY, USA, 629--643. https://doi.org/10.1145/2810103.2813684
[19]
Dorothy E. Denning. 1976. A lattice model of secure information flow. Commun. ACM 19, 5 (May 1976), 236--243. https://doi.org/10.1145/360051.360056
[20]
Dorothy E. Denning and Peter J. Denning. 1977. Certification of programs for secure information flow. Commun. ACM 20, 7 (July 1977), 504--513. https://doi.org/10.1145/359636.359712
[21]
Peter Eckersley. 2010. How Unique Is Your Web Browser? In Privacy Enhancing Technologies. Springer, Berlin, Germany, 1--18. https://doi.org/10.1007/978--3--642--14527--8_1
[22]
Steven Englehardt and Arvind Narayanan. 2016. Online Tracking: A 1-million-site Measurement and Analysis. In CCS '16: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security. Association for Computing Machinery, New York, NY, USA, 1388--1401. https://doi.org/10.1145/2976749.2978313
[23]
J. S. Fenton. 1974. Memoryless subsystems. Comput. J. 17, 2 (Jan. 1974), 143--147. https://doi.org/10.1093/comjnl/17.2.143
[24]
Daniel Hedin, Arnar Birgisson, Luciano Bello, and Andrei Sabelfeld. 2014. JSFlow: tracking information flow in JavaScript and its APIs. In SAC '14: Proceedings of the 29th Annual ACM Symposium on Applied Computing. Association for Computing Machinery, New York, NY, USA, 1663--1671. https://doi.org/10.1145/2554850.2554909
[25]
Muhammad Ikram, Rahat Masood, Gareth Tyson, Mohamed Ali Kaafar, Noha Loizon, and Roya Ensafi. 2019. The Chain of Implicit Trust: An Analysis of the Web Third-party Resources Loading. In The World Wide Web Conference (San Francisco, CA, USA) (WWW '19). Association for Computing Machinery, New York, NY, USA, 2851--2857. https://doi.org/10.1145/3308558.3313521
[26]
Umar Iqbal, Steven Englehardt, and Zubair Shafiq. 2021. Fingerprinting the Fingerprinters: Learning to Detect Browser Fingerprinting Behaviors. In 2021 IEEE Symposium on Security and Privacy (SP). 1143--1161. https://doi.org/10.1109/SP40001.2021.00017
[27]
Jordan Jueckstock and Alexandros Kapravelos. 2019. VisibleV8: In-browser Monitoring of JavaScript in the Wild. In IMC '19: Proceedings of the Internet Measurement Conference. Association for Computing Machinery, New York, NY, USA, 393--405. https://doi.org/10.1145/3355369.3355599
[28]
Rezwana Karim, Frank Tip, Alena Sochurková, and Koushik Sen. 2018. Platform-Independent Dynamic Taint Analysis for JavaScript. IEEE Trans. Software Eng. 46, 12 (Oct. 2018), 1364--1379. https://doi.org/10.1109/TSE.2018.2878020
[29]
Vineeth Kashyap, Kyle Dewey, Ethan A. Kuefner, John Wagner, Kevin Gibbons, John Sarracino, Ben Wiedermann, and Ben Hardekopf. 2014. JSAI: a static analysis platform for JavaScript. In FSE 2014: Proceedings of the 22nd ACM SIGSOFT International Symposium on Foundations of Software Engineering. Association for Computing Machinery, New York, NY, USA, 121--132. https://doi.org/10.1145/2635868.2635904
[30]
Christoph Kerschbaumer, Eric Hennigan, Per Larsen, Stefan Brunthaler, and Michael Franz. 2013. CrowdFlow: Efficient Information Flow Security. In ISC 2013: Proceedings of the 16th International Conference on Information Security - Volume 7807. Springer-Verlag, Berlin, Germany, 321--337. https://doi.org/10.1007/978--3--319--27659--5_23
[31]
D. Klein, T. Barber, S. Bensalim, B. Stock, and M. Johns. 2022. Hand Sanitizers in the Wild: A Large-scale Study of Custom JavaScript Sanitizer Functions. In 2022 IEEE 7th European Symposium on Security and Privacy (EuroS&P). IEEE Computer Society, Los Alamitos, CA, USA, 236--250. https://doi.org/10.1109/EuroSP53844.2022.00023
[32]
Sebastian Lekies, Ben Stock, and Martin Johns. 2013. 25 million flows later: large-scale detection of DOM-based XSS. In CCS '13: Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security. Association for Computing Machinery, New York, NY, USA, 1193--1204. https://doi.org/10.1145/2508859.2516703
[33]
Bo Li, Phani Vadrevu, Kyu Hyung Lee, and Roberto Perdisci. 2018. JSgraph: Enabling Reconstruction of Web Attacks via Efficient Tracking of Live In-Browser JavaScript Executions. In Network and Distributed System Security Symposium.
[34]
Magnus Madsen, Benjamin Livshits, and Michael Fanning. 2013. Practical static analysis of JavaScript applications in the presence of frameworks and libraries. In ESEC/FSE 2013: Proceedings of the 2013 9th Joint Meeting on Foundations of Software Engineering. Association for Computing Machinery, New York, NY, USA, 499--509. https://doi.org/10.1145/2491411.2491417
[35]
William Melicher, Anupam Das, Mahmood Sharif, Lujo Bauer, and Limin Jia. 2018. Riding out DOMsday: Towards Detecting and Preventing DOM Cross-Site Scripting. In Network and Distributed System Security Symposium.
[36]
Lukasz Olejnik, Gunes Acar, Claude Castelluccia, and Claudia Diaz. 2016. The Leaking Battery. In Data Privacy Management, and Security Assurance. Springer, Cham, Switzerland, 254--263. https://doi.org/10.1007/978--3--319--29883--2_18
[37]
Koushik Sen, Swaroop Kalasapur, Tasneem Brutch, and Simon Gibbs. 2013. Jalangi: a selective record-replay and dynamic analysis framework for JavaScript. In ESEC/FSE 2013: Proceedings of the 2013 9th Joint Meeting on Foundations of Software Engineering. Association for Computing Machinery, New York, NY, USA, 488--498. https://doi.org/10.1145/2491411.2491447
[38]
Junhua Su and Alexandros Kapravelos. 2023. Automatic Discovery of Emerging Browser Fingerprinting Techniques. In WWW '23: Proceedings of the ACM Web Conference 2023. Association for Computing Machinery, New York, NY, USA, 2178--2188. https://doi.org/10.1145/3543507.3583333
[39]
Omer Tripp, Pietro Ferrara, and Marco Pistoia. 2014. Hybrid security analysis of web JavaScript code via dynamic partial evaluation. In ISSTA 2014: Proceedings of the 2014 International Symposium on Software Testing and Analysis. Association for Computing Machinery, New York, NY, USA, 49--59. https://doi.org/10.1145/2610384.2610385
[40]
Philipp Vogt, Florian Nentwich, Nenad Jovanovic, Engin Kirda, Christopher Krügel, and Giovanni Vigna. 2007. Cross Site Scripting Prevention with Dynamic Data Tainting and Static Analysis. In Network and Distributed System Security Symposium.
Index Terms
- PanoptiChrome: A Modern In-browser Taint Analysis Framework
Recommendations
Automatic Discovery of Emerging Browser Fingerprinting Techniques
WWW '23: Proceedings of the ACM Web Conference 2023With the progression of modern browsers, online tracking has become the most concerning issue for preserving privacy on the web. As major browser vendors plan to or already ban third-party cookies, trackers have to shift towards browser fingerprinting ...
Browser Feature Usage on the Modern Web
IMC '16: Proceedings of the 2016 Internet Measurement ConferenceModern web browsers are incredibly complex, with millions of lines of code and over one thousand JavaScript functions and properties available to website authors. This work investigates how these browser features are used on the modern, open web. We ...
Online Tracking: A 1-million-site Measurement and Analysis
CCS '16: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications SecurityWe present the largest and most detailed measurement of online tracking conducted to date, based on a crawl of the top 1 million websites. We make 15 types of measurements on each site, including stateful (cookie-based) and stateless (fingerprinting-...
Comments
Information & Contributors
Information
Published In
May 2024
4826 pages
ISBN:9798400701719
DOI:10.1145/3589334
- General Chairs:
- Tat-Seng Chua,
- Chong-Wah Ngo,
- Proceedings Chair:
- Roy Ka-Wei Lee,
- Program Chairs:
- Ravi Kumar,
- Hady W. Lauw
Copyright © 2024 ACM.
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].
Sponsors
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
Published: 13 May 2024
Check for updates
Author Tags
Qualifiers
- Research-article
Conference
WWW '24
Sponsor:
Acceptance Rates
Overall Acceptance Rate 1,899 of 8,196 submissions, 23%
Contributors
Other Metrics
Bibliometrics & Citations
Bibliometrics
Article Metrics
- 0Total Citations
- 218Total Downloads
- Downloads (Last 12 months)218
- Downloads (Last 6 weeks)54
Reflects downloads up to 14 Sep 2024
Other Metrics
Citations
View Options
Get Access
Login options
Check if you have access through your login credentials or your institution to get full access on this article.
Sign in