Upload File

understanding and monitoring embedded web scripts yuchen zhou, david evans, university of virginia...

  • Home
  • Documents
  • Understanding and Monitoring Embedded Web Scripts Yuchen Zhou, David Evans, University of Virginia PRESENT BY ZEYI TAO
21
Understanding and Monitoring Embedded Web Scripts Yuchen Zhou, David Evans, University of Virginia PRESENT BY ZEYI TAO

Upload: damian-west

Post on 17-Jan-2016

217 views

Category:

Documents


1 download

Report

Tags:

TRANSCRIPT

Page 1: Understanding and Monitoring Embedded Web Scripts Yuchen Zhou, David Evans, University of Virginia PRESENT BY ZEYI TAO

Understanding and Monitoring Embedded Web

ScriptsYuchen Zhou, David Evans, University of Virginia

PRESENT BY ZEYI TAO

Page 2: Understanding and Monitoring Embedded Web Scripts Yuchen Zhou, David Evans, University of Virginia PRESENT BY ZEYI TAO

Introduction

Page 3: Understanding and Monitoring Embedded Web Scripts Yuchen Zhou, David Evans, University of Virginia PRESENT BY ZEYI TAO

Example: New York Times Website 

Page 4: Understanding and Monitoring Embedded Web Scripts Yuchen Zhou, David Evans, University of Virginia PRESENT BY ZEYI TAO

Related Work

Client-side script protections.

Script transformations.

Policy generation.

Page 5: Understanding and Monitoring Embedded Web Scripts Yuchen Zhou, David Evans, University of Virginia PRESENT BY ZEYI TAO

Motivation

Introduces tools to assist site administrators in understanding, monitoring, and restricting the behavior of third-party scripts embedded

in their site.

Page 6: Understanding and Monitoring Embedded Web Scripts Yuchen Zhou, David Evans, University of Virginia PRESENT BY ZEYI TAO

OVERVIEW Introduction & Pervious Works

Motivation

Design

Policing

Inspecting Script Behavior

Visualizing

More Design Details

Developing Base Polices

Developing Site-Specific Polices

Police Evaluations

Conclusions & Quizzes

Page 7: Understanding and Monitoring Embedded Web Scripts Yuchen Zhou, David Evans, University of Virginia PRESENT BY ZEYI TAO

BASIC DESIGN

Page 8: Understanding and Monitoring Embedded Web Scripts Yuchen Zhou, David Evans, University of Virginia PRESENT BY ZEYI TAO

BASIC DESIGN

Page 9: Understanding and Monitoring Embedded Web Scripts Yuchen Zhou, David Evans, University of Virginia PRESENT BY ZEYI TAO

Document Object Model(DOM)

Page 10: Understanding and Monitoring Embedded Web Scripts Yuchen Zhou, David Evans, University of Virginia PRESENT BY ZEYI TAO

POLICIES

Page 11: Understanding and Monitoring Embedded Web Scripts Yuchen Zhou, David Evans, University of Virginia PRESENT BY ZEYI TAO

Node Descriptor

AbsoluteXPath: /HTML[1]/BODY[1]/DIV[1]/

SelectorXPath: // DIV[@class=‘ad’] Regular Expression Xpath //DIV[@ID=‘adSize−\d∗x\d∗’] ^NodeSelector ˆˆ// DIV[@ID=‘adPos’] // DIV[@ID=‘adPos’]/DIV[2]

Page 12: Understanding and Monitoring Embedded Web Scripts Yuchen Zhou, David Evans, University of Virginia PRESENT BY ZEYI TAO

INSPECTING SCRIPT BEHAVIOR

Recording accesses

Checking policies

DOM access recording

Recording other actions

Script-injected nodes

Attribution

Page 13: Understanding and Monitoring Embedded Web Scripts Yuchen Zhou, David Evans, University of Virginia PRESENT BY ZEYI TAO

VISUALIZATION

Page 14: Understanding and Monitoring Embedded Web Scripts Yuchen Zhou, David Evans, University of Virginia PRESENT BY ZEYI TAO

FINDINGS

Browser properties

Network

Modifying page content

Reading page content

Page 15: Understanding and Monitoring Embedded Web Scripts Yuchen Zhou, David Evans, University of Virginia PRESENT BY ZEYI TAO

DEVELOPING BASE POLICIES

Evaluation method

Base policy examples

Analytics scripts

Advertisements

Social widgets

Web development

25 selected scripts, 1000 highest ranked websites

Page 16: Understanding and Monitoring Embedded Web Scripts Yuchen Zhou, David Evans, University of Virginia PRESENT BY ZEYI TAO

Analytics scripts

Page 17: Understanding and Monitoring Embedded Web Scripts Yuchen Zhou, David Evans, University of Virginia PRESENT BY ZEYI TAO

DEVELOPING SITE-SPECIFIC POLICIES

PolicyGenerator

Site-specific policy examples

Page 18: Understanding and Monitoring Embedded Web Scripts Yuchen Zhou, David Evans, University of Virginia PRESENT BY ZEYI TAO

POLICY EVALUATION

Policy size

Page 19: Understanding and Monitoring Embedded Web Scripts Yuchen Zhou, David Evans, University of Virginia PRESENT BY ZEYI TAO

POLICY EVALUATION

Policy robustness

Page 20: Understanding and Monitoring Embedded Web Scripts Yuchen Zhou, David Evans, University of Virginia PRESENT BY ZEYI TAO

ConclusionScriptInspector

Visualizer

PolicyGenerator

Threat model

Capable of intercepting and recording API calls from third-party scripts to critical resources, including the DOM, local storage, and network

Firefox extension that uses the instrumented DOM maintained by ScriptInspector to highlight nodes accessed by third-party scripts and help a site administrator understand script behaviors.

PolicyGenerator to help site administrators develop effective policies with limited human intervention

Provide site administrators with a way to ensure the integrity of their site and protect the privacy of their users from embedded scripts

Page 21: Understanding and Monitoring Embedded Web Scripts Yuchen Zhou, David Evans, University of Virginia PRESENT BY ZEYI TAO

Quizzes

What are the 4 major Script groups based on this paper

What is the limitation of this system?

What is the DOM?


Prof. Xu Yuchen

ZHou Proof

Xia, Shang, Zhou Dynasties - Mr. Brown's Webpageheritagesocialstudies.weebly.com/.../54074601/xia_shang_zhou_dynasties.pdf · Zhou Dynasty Government: •Zhou said Shang overthrown

Photos by Sun Yuchen Park Culture Week in Futian · 2017-12-07 · Photos by Sun Yuchen Citizens dance at Huanggang Park in the morning. Teams from Hong Kong, Macao and other Guangdong

Zhou dynasty

Hardware Software Co-design for Automotive CPS using ... · Hardware Software Co-design for Automotive CPS using Architecture Analysis and Design Language Yuchen Zhou 1John Baras

xing, zhou

Yuchen Zhou, Thomas E Fuhrman, Prathap …...Yuchen Zhou, Thomas E Fuhrman, Prathap Venugopal General Motors AUTOSAR Nov-2017 2 Introduction Adaptive Platform & Scheduling Techniques

By Neng-Fa Zhou Compiler Construction CIS 707 Prof. Neng-Fa Zhou [email protected] zhou

Intel Redefines GPU: Larrabee Tianhao Tong Liang Wang Runjie Zhang Yuchen Zhou

ATTRIBUTE YUCHEN LI A dissertation submitted to the In

from Core Dumps with Stack Pivoting Yuchen Ying · unROP: Creating Correct Backtrace from Core Dumps with Stack Pivoting by Yuchen Ying (Under the direction of Kang Li) Abstract Return-oriented

Global Sparse Momentum SGD for Pruning Very Deep Neural ... · Global Sparse Momentum SGD for Pruning Very Deep Neural Networks Xiaohan Ding 1Guiguang Ding Xiangxin Zhou 2 Yuchen

Catching Pitfalls in Authentication Implementations (Yuchen Zhou)

Working conditions in hong kong & germany Yuchen Xin 07051468 Man Yee Wang 07010257

Yuchen ye final journal

Nematoda By Liviu, Ross, and Yuchen Ross

The Smart Grid Bob Moreo And Yuchen Mao

from Core Dumps with Stack Pivoting Yuchen Yingcybersecurity.uga.edu/thesis/ying_yuchen_201408_ms.pdf · unROP: Creating Correct Backtrace from Core Dumps with Stack Pivoting by Yuchen

Adelyn zhou

Yuchen Zhang Percy Liang Moses Charikarz April …Yuchen Zhang Percy Liangy Moses Charikarz April 10, 2018 Abstract We study the Stochastic Gradient Langevin Dynamics (SGLD) algorithm

Zhou Cheng

Zhou GrowingUpAmerican

Ye yuchen 633991 finaljournal

Tianjun ZHOU

Yuchen Ding_Design Portfolio

Yuchen Francisco Anika Design and Cooling Team Members: Nareg

Yuchen Zhou and David Evans Presented by Simon du Preez Compsci 726 SSOScan: Automated Testing of Web Applications for Single Sign-On Vulnerabilities

Casestudy1 Zhou

SJTU Zhou Lingling1 Introduction to Electronics Zhou Lingling

Xia, Shang, & Zhou Dynasties Xia, Shang, & Zhou Dynasties

Zhou Xianling

Yuchen Portfolio 2012

Indigenous People of Mexico Natchaya Zhou& Allison Zhou

Steven Zhou