PhD student to present paper at cybersecurity conference

Mir Ali Masood

PhD student Mir Ali Masood will co-present a new paper, Unbundle-Rewrite-Rebundle: Runtime Detection & Rewriting of Privacy-Harming Code in JavaScript Bundles, at one of the premier cybersecurity conferences this month. The paper was authored by Masood, his advisor, Associate Professor Chris Kanich, one of Kanich’s former students, Peter Snyder, and coauthor Hamed Haddadi.

The paper was accepted by the Association for Computing Machinery (ACM) and will be presented at their Computer and Communication Security (CCS) conference in Salt Lake City, which runs from October 14 to 18, 2024.

The researchers, who work to find ways to make browsing more private, developed a tool that unbundles code that tracks users from code used for necessary website functionality.

Preserving the privacy of users who visit websites has always been a balancing act. Websites use code to identify their users (to verify that a user is a subscriber to a newsletter, for instance), which is important for the websites to function. Websites also use tracking tools, not only to see what you are doing on the website but also to figure out more about who you are. Today, websites are bundling together an increasing number of things, including benign code with privacy-harming code, making it harder for browsers to provide robust privacy protections.

This bundling makes it much harder to opt out of tracking, and website developers are doing this deliberately: libraries that Masood and his coauthors found contained documentation suggesting that developers bundle scripts together to avoid getting blocked.

“Traditionally, volunteers from around the world would flag any script that was privacy harming and could be blocked because you could differentiate scripts that track you from scripts that are important for the website,” Masood said. “Now, these websites mix and match all of them in a single, large file. That’s very difficult to parse out, and existing approaches don’t work.”

The team developed a way to break scripts apart, check each component individually, and patch any privacy-harming or tracking snippets of code.

Last summer, Masood interned with Brave Software, Inc., which was founded by Brendan Eich, who created the JavaScript programming language. His coauthors Haddadi and Snyder work at the company, which developed Brave, a free, open-source, privacy-focused web browser that automatically blocks most advertisements and web trackers in its default settings. According to PrivacyTests.org, Brave, along with Librewolf and Tor Browser, had the most privacy protection compared to other browsers. Brave has more than 68 million monthly active users.

Three of Kanich’s Guaranteed Paid Internship Program (GPIP) summer interns also contributed to the paper, helping out with last-minute experiments. They include Marek Cwiek, Victor Escudero, and Zaheer Safi. The students provided technical help to evaluate whether use of the tool breaks a website, causes a delay in loading, or preserves the site's functionality.

“They gave us really good feedback, and helped us refine the tool,” Masood said.

Masood hopes to continue to develop ways to make browsing private and more secure.