AdCube: WebVR Ad fraud and practical confinement of third-party ads

Hyunjoo Lee; Jiyeon Lee; Daejun Kim; Suman Jana; Insik Shin; Sooel Son

AdCube: WebVR Ad fraud and practical confinement of third-party ads

Hyunjoo Lee, Jiyeon Lee, Daejun Kim, Suman Jana, Insik Shin, Sooel Son

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

15 Scopus citations

Abstract

Web technology has evolved to offer 360-degree immersive browsing experiences. This new technology, called WebVR, enables virtual reality by rendering a three-dimensional world on an HTML canvas. Unfortunately, there exists no browser-supported way of sharing this canvas between different parties. Assuming an abusive ad service provider who exploits this absence, we present four new ad fraud attack methods. Our user study demonstrates that the success rates of our attacks range from 88.23% to 100%, confirming their effectiveness. To mitigate the presented threats, we propose AdCube, which allows publishers to specify the behaviors of third-party ad code and enforce this specification. We show that AdCube is able to block the presented threats with a small page loading latency of 236 msec and a negligible frame-per-second (FPS) drop for nine WebVR official demo sites.

Original language	English
Title of host publication	Proceedings of the 30th USENIX Security Symposium
Publisher	USENIX Association
Pages	2543-2560
Number of pages	18
ISBN (Electronic)	9781939133243
State	Published - 2021
Event	30th USENIX Security Symposium, USENIX Security 2021 - Virtual, Online Duration: 11 Aug 2021 → 13 Aug 2021

Publication series

Name	Proceedings of the 30th USENIX Security Symposium

Conference

Conference	30th USENIX Security Symposium, USENIX Security 2021
City	Virtual, Online
Period	11/08/21 → 13/08/21

Cite this

@inproceedings{fe59bda77e2e4cc3b7df58833199c365,

title = "AdCube: WebVR Ad fraud and practical confinement of third-party ads",

abstract = "Web technology has evolved to offer 360-degree immersive browsing experiences. This new technology, called WebVR, enables virtual reality by rendering a three-dimensional world on an HTML canvas. Unfortunately, there exists no browser-supported way of sharing this canvas between different parties. Assuming an abusive ad service provider who exploits this absence, we present four new ad fraud attack methods. Our user study demonstrates that the success rates of our attacks range from 88.23\% to 100\%, confirming their effectiveness. To mitigate the presented threats, we propose AdCube, which allows publishers to specify the behaviors of third-party ad code and enforce this specification. We show that AdCube is able to block the presented threats with a small page loading latency of 236 msec and a negligible frame-per-second (FPS) drop for nine WebVR official demo sites.",

author = "Hyunjoo Lee and Jiyeon Lee and Daejun Kim and Suman Jana and Insik Shin and Sooel Son",

note = "Publisher Copyright: {\textcopyright} 2021 by The USENIX Association. All rights reserved.; 30th USENIX Security Symposium, USENIX Security 2021 ; Conference date: 11-08-2021 Through 13-08-2021",

year = "2021",

language = "English",

series = "Proceedings of the 30th USENIX Security Symposium",

publisher = "USENIX Association",

pages = "2543--2560",

booktitle = "Proceedings of the 30th USENIX Security Symposium",

}

TY - GEN

T1 - AdCube

T2 - 30th USENIX Security Symposium, USENIX Security 2021

AU - Lee, Hyunjoo

AU - Lee, Jiyeon

AU - Kim, Daejun

AU - Jana, Suman

AU - Shin, Insik

AU - Son, Sooel

PY - 2021

Y1 - 2021

N2 - Web technology has evolved to offer 360-degree immersive browsing experiences. This new technology, called WebVR, enables virtual reality by rendering a three-dimensional world on an HTML canvas. Unfortunately, there exists no browser-supported way of sharing this canvas between different parties. Assuming an abusive ad service provider who exploits this absence, we present four new ad fraud attack methods. Our user study demonstrates that the success rates of our attacks range from 88.23% to 100%, confirming their effectiveness. To mitigate the presented threats, we propose AdCube, which allows publishers to specify the behaviors of third-party ad code and enforce this specification. We show that AdCube is able to block the presented threats with a small page loading latency of 236 msec and a negligible frame-per-second (FPS) drop for nine WebVR official demo sites.

AB - Web technology has evolved to offer 360-degree immersive browsing experiences. This new technology, called WebVR, enables virtual reality by rendering a three-dimensional world on an HTML canvas. Unfortunately, there exists no browser-supported way of sharing this canvas between different parties. Assuming an abusive ad service provider who exploits this absence, we present four new ad fraud attack methods. Our user study demonstrates that the success rates of our attacks range from 88.23% to 100%, confirming their effectiveness. To mitigate the presented threats, we propose AdCube, which allows publishers to specify the behaviors of third-party ad code and enforce this specification. We show that AdCube is able to block the presented threats with a small page loading latency of 236 msec and a negligible frame-per-second (FPS) drop for nine WebVR official demo sites.

UR - http://www.scopus.com/inward/record.url?scp=85114488089&partnerID=8YFLogxK

M3 - Conference contribution

AN - SCOPUS:85114488089

T3 - Proceedings of the 30th USENIX Security Symposium

SP - 2543

EP - 2560

BT - Proceedings of the 30th USENIX Security Symposium

PB - USENIX Association

Y2 - 11 August 2021 through 13 August 2021

ER -

AdCube: WebVR Ad fraud and practical confinement of third-party ads

Abstract

Publication series

Conference

Other files and links

Fingerprint

Cite this