Blocking Tracking JavaScript at the Function Granularity
- URL: http://arxiv.org/abs/2405.18385v1
- Date: Tue, 28 May 2024 17:26:57 GMT
- Title: Blocking Tracking JavaScript at the Function Granularity
- Authors: Abdul Haddi Amjad, Shaoor Munir, Zubair Shafiq, Muhammad Ali Gulzar
- Abstract summary: Not.js is a fine-grained JavaScript blocking tool that operates at the function-level granularity.
Not.js trains a supervised machine learning classifier on a webpage's graph representation to first detect tracking at the JavaScript function level.
Not.js then automatically generates surrogate scripts that preserve functionality while removing tracking.
- License: http://creativecommons.org/licenses/by/4.0/
- Abstract: Modern websites extensively rely on JavaScript to implement both functionality and tracking. Existing privacy-enhancing content-blocking tools struggle against mixed scripts, which simultaneously implement both functionality and tracking, because blocking the script would break functionality and not blocking it would allow tracking. We propose Not.js, a fine-grained JavaScript blocking tool that operates at the function-level granularity. Not.js's strengths lie in analyzing the dynamic execution context, including the call stack and calling context of each JavaScript function, and then encoding this context to build a rich graph representation. Not.js trains a supervised machine learning classifier on a webpage's graph representation to first detect tracking at the JavaScript function level and then automatically generate surrogate scripts that preserve functionality while removing tracking. Our evaluation of Not.js on the top 10K websites demonstrates that it achieves high precision (94%) and recall (98%) in detecting tracking JavaScript functions, outperforming the state of the art while being robust against off-the-shelf JavaScript obfuscation. Fine-grained detection of tracking functions allows Not.js to automatically generate surrogate scripts that remove tracking JavaScript functions without causing major breakage. Our deployment of Not.js shows that mixed scripts are present on 62.3% of the top 10K websites, with 70.6% of the mixed scripts being third-party scripts that engage in tracking activities such as cookie ghostwriting. We share a sample of the tracking functions detected by Not.js within mixed scripts not currently on filter lists with filter list authors, who confirm that these scripts are not blocked due to potential functionality breakage, despite being known to implement tracking.
Related papers
- Fakeium: A Dynamic Execution Environment for JavaScript Program Analysis [3.7980955101286322]
Fakeium is a novel, open source, and lightweight execution environment designed for efficient, large-scale dynamic analysis of JavaScript programs.
Fakeium complements traditional static analysis by providing additional API calls and string literals.
Fakeium's flexibility and ability to detect hidden API calls, especially in obfuscated sources, highlights its potential as a valuable tool for security analysts to detect malicious behavior.
arXiv Detail & Related papers (2024-10-28T09:27:26Z)
- jscefr: A Framework to Evaluate the Code Proficiency for JavaScript [1.7174932174564534]
jscefr (pronounced jes-cee-fer) is a tool that detects the use of different elements of the JavaScript (JS) language.
jscefr categorizes JS code into six levels based on proficiency.
arXiv Detail & Related papers (2024-08-29T11:37:49Z)
- GHunter: Universal Prototype Pollution Gadgets in JavaScript Runtimes [5.852467142337343]
Prototype pollution is a recent vulnerability that affects JavaScript code.
It is rooted in JavaScript's prototype-based inheritance, enabling attackers to inject arbitrary properties into an object's prototype at runtime.
We study gadgets in V8-based JavaScript runtimes with prime focus on Node.js and Deno.
arXiv Detail & Related papers (2024-07-15T15:30:00Z)
- FV8: A Forced Execution JavaScript Engine for Detecting Evasive Techniques [53.288368877654705]
FV8 is a modified V8 JavaScript engine designed to identify evasion techniques in JavaScript code.
It selectively enforces code execution on APIs that conditionally inject dynamic code.
It identifies 1,443 npm packages and 164 (82%) extensions containing at least one type of evasion.
arXiv Detail & Related papers (2024-05-21T19:54:19Z)
- Concolic Testing of JavaScript using Sparkplug [6.902028735328818]
In-situ concolic testing for JS is effective but slow and complex.
Our method enhances tracing with V8 Sparkplug baseline compiler and remill libraries for assembly to LLVM IR conversion.
arXiv Detail & Related papers (2024-05-10T22:11:53Z)
- Tracking with Human-Intent Reasoning [64.69229729784008]
This work proposes a new tracking task -- Instruction Tracking.
It involves providing implicit tracking instructions that require the trackers to perform tracking automatically in video frames.
TrackGPT is capable of performing complex reasoning-based tracking.
arXiv Detail & Related papers (2023-12-29T03:22:18Z)
- SalienDet: A Saliency-based Feature Enhancement Algorithm for Object Detection for Autonomous Driving [160.57870373052577]
We propose a saliency-based OD algorithm (SalienDet) to detect unknown objects.
Our SalienDet utilizes a saliency-based algorithm to enhance image features for object proposal generation.
We design a dataset relabeling approach to differentiate the unknown objects from all objects in training sample set to achieve Open-World Detection.
arXiv Detail & Related papers (2023-05-11T16:19:44Z)
- Learning Dynamic Compact Memory Embedding for Deformable Visual Object Tracking [82.34356879078955]
We propose a compact memory embedding to enhance the discrimination of the segmentation-based deformable visual tracking method.
Our method outperforms the excellent segmentation-based trackers, i.e., D3S and SiamMask on DAVIS 2017 benchmark.
arXiv Detail & Related papers (2021-11-23T03:07:12Z)
- Contrastive Code Representation Learning [95.86686147053958]
We show that the popular reconstruction-based BERT model is sensitive to source code edits, even when the edits preserve semantics.
We propose ContraCode: a contrastive pre-training task that learns code functionality, not form.
arXiv Detail & Related papers (2020-07-09T17:59:06Z)
- Ocean: Object-aware Anchor-free Tracking [75.29960101993379]
The regression network in anchor-based methods is only trained on the positive anchor boxes.
We propose a novel object-aware anchor-free network to address this issue.
Our anchor-free tracker achieves state-of-the-art performance on five benchmarks.
arXiv Detail & Related papers (2020-06-18T17:51:39Z)
This list is automatically generated from the titles and abstracts of the papers in this site.