Understanding and Monitoring Embedded Web Scripts
Yuchen Zhou, David Evans, University of Virginia
PRESENTED BY ZEYI TAO
Introduction
Example: New York Times Website
Related Work
Client-side script protections.
Script transformations.
Policy generation.
Motivation
Introduces tools to assist site administrators in understanding, monitoring, and restricting the behavior of third-party scripts embedded in their site.
OVERVIEW
Introduction & Previous Work
Motivation
Design
Policing
Inspecting Script Behavior
Visualizing
More Design Details
Developing Base Policies
Developing Site-Specific Policies
Policy Evaluation
Conclusions & Quizzes
BASIC DESIGN
Document Object Model (DOM)
POLICIES
Node Descriptor
AbsoluteXPath: /HTML[1]/BODY[1]/DIV[1]/
SelectorXPath: //DIV[@class='ad']
Regular Expression XPath: //DIV[@ID='adSize-\d*x\d*']
^NodeSelector:
^^//DIV[@ID='adPos']
//DIV[@ID='adPos']/DIV[2]
INSPECTING SCRIPT BEHAVIOR
Recording accesses
Checking policies
DOM access recording
Recording other actions
Script-injected nodes
Attribution
VISUALIZATION
FINDINGS
Browser properties
Network
Modifying page content
Reading page content
DEVELOPING BASE POLICIES
Evaluation method
Base policy examples
Analytics scripts
Advertisements
Social widgets
Web development
25 selected scripts, 1000 highest ranked websites
Analytics scripts
DEVELOPING SITE-SPECIFIC POLICIES
PolicyGenerator
Site-specific policy examples
POLICY EVALUATION
Policy size
POLICY EVALUATION
Policy robustness
Conclusion
ScriptInspector: Capable of intercepting and recording API calls from third-party scripts to critical resources, including the DOM, local storage, and network.
Visualizer: Firefox extension that uses the instrumented DOM maintained by ScriptInspector to highlight nodes accessed by third-party scripts and help a site administrator understand script behaviors.
PolicyGenerator: PolicyGenerator to help site administrators develop effective policies with limited human intervention.
Threat model: Provide site administrators with a way to ensure the integrity of their site and protect the privacy of their users from embedded scripts.
Quizzes
What are the 4 major script groups based on this paper?
What is the limitation of this system?
What is the DOM?