Detecting Filter List Evasion With Event-Loop-Turn Granularity JavaScript Signatures

Content blocking is an important part of a performant, user-serving, privacy-respecting web. Current content blockers work by building trust labels over URLs. While useful, this approach has many well-understood shortcomings. Attackers may avoid detection by changing URLs or domains, bundling unwanted code with benign code, or inlining code in pages. The common flaw in existing approaches is that they evaluate code based on its delivery mechanism, not its behavior. In this work we address this problem by building a system for generating signatures of the privacy-and-security relevant behavior of executed JavaScript. Our system uses as the unit of analysis each script’s behavior during each turn on the JavaScript event loop. Focusing on event loop turns allows us to build highly identifying signatures for JavaScript code that are robust against code obfuscation, code bundling, URL modification, and other common evasions, as well as handle unique aspects of web applications.

This work makes the following contributions to the problem of measuring and improving content blocking on the web: First, we design and implement a novel system to build per-event-loop-turn signatures of JavaScript behavior through deep instrumentation of the Blink and V8 runtimes. Second, we apply these signatures to measure how much privacy-and-security harming code is missed by current content blockers, by using EasyList and EasyPrivacy as ground truth and finding scripts that have the same privacy and security harming patterns. We build 1,995,444 signatures of privacy-and-security relevant behaviors from 11,212 unique scripts blocked by filter lists, and find 3,589 unique scripts hosting known harmful code, but missed by filter lists, affecting 12.48% of websites measured. Third, we provide a taxonomy of ways scripts avoid detection and quantify the occurrence of each. Finally, we present defenses against these evasions, in the form of filter list additions where possible, and through a proposed, signature-based system in other cases. As part of this work, we share the implementation of our signature-generation system, the data gathered by applying that system to the Alexa 100K, and 586 AdBlock Plus compatible filter list rules to block instances of currently blocked code being moved to new URLs.
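The following is an added, simplified sketch of the matching idea described above. It is not the paper's implementation. The trace format, the ordered-API-list signature, the `minLen` threshold, and every URL and API label are assumptions constructed for illustration.

```javascript
// Expand one (script, turn) pair into one trace record per API access.
const expand = (script, turn, apis) => apis.map(api => ({ script, turn, api }));

// Constructed behaviour seen in a script that a filter list already blocks.
const FP = ["Navigator.userAgent:get", "Screen.width:get", "Document.cookie:set"];

// Constructed trace: each record is a privacy-relevant access tagged with the
// responsible script and the event-loop turn it ran in (assumed format).
const trace = [
  ...expand("https://tracker.example/t.js", 1, FP),                  // blocked
  ...expand("https://tracker.example/t.js", 2, ["Storage.setItem"]), // too short
  ...expand("https://cdn.example/moved.js", 4, FP),                  // same code, new URL
  ...expand("https://site.example/bundle.js", 6,                     // benign turn
    ["Document.title:get", "Storage.getItem", "Storage.getItem"]),
  ...expand("https://site.example/bundle.js", 7, FP),                // bundled tracker turn
  ...expand("https://site.example/app.js", 9,                        // unrelated behaviour
    ["Storage.getItem", "Document.cookie:get", "Screen.width:get"]),
];

// Build one signature per (script, event-loop turn): the ordered list of
// accesses made in that turn. Turns with fewer than minLen accesses are
// dropped because they are too generic to identify code (assumed threshold).
function turnSignatures(records, minLen = 3) {
  const groups = new Map();
  for (const { script, turn, api } of records) {
    const key = script + "\n" + turn;
    if (!groups.has(key)) groups.set(key, { script, turn, apis: [] });
    groups.get(key).apis.push(api);
  }
  return [...groups.values()]
    .filter(g => g.apis.length >= minLen)
    .map(g => ({ script: g.script, turn: g.turn, sig: g.apis.join("|") }));
}

// Scripts not on the filter list whose behaviour in any single turn matches
// a signature taken from a blocked script.
function findEvasions(records, blockedUrls) {
  const sigs = turnSignatures(records);
  const known = new Set(sigs.filter(s => blockedUrls.has(s.script)).map(s => s.sig));
  const hits = sigs.filter(s => !blockedUrls.has(s.script) && known.has(s.sig));
  return [...new Set(hits.map(s => s.script))].sort();
}

console.log(findEvasions(trace, new Set(["https://tracker.example/t.js"])));
```

Because matching is done per turn and not per script, the bundle is flagged even though one of its turns is benign, and the moved copy is flagged even though its URL appears on no list.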