Artificial truth

The more you see, the less you believe.


Paper notes: Measuring and disrupting anti-adblockers using differential execution analysis
Sat 07 April 2018

If there is a difference in the JavaScript execution traces of a website visited with a browser with an adblocker and another without, odds are that it's adblocking-related. The authors of the paper use an instrumented Chrome instance to extract execution traces, in order to pinpoint where the detection takes place. They don't consider data differences, only flow differences, since anti-adblockers are likely to take action upon adblocker detection.

The instrumentation takes place during the native code generation process (since Chrome does JIT compilation for JavaScript), to collect branch statements (identified by offsets in the file where they are defined) and their calltrace.

The two traces are aligned on those two parameters to be compared. It's interesting to note that traces are disjointed, since JavaScript is single-threaded and event-based. Noise (conditions that depend on time, external or random events) is identified and discarded by tracing the same page several (three) times.
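The alignment and noise filtering described above, as an added example that is not code from the paper or from this post. The trace record shape (`stack`, `script`, `offset`, `taken`), the function names and the sample `site.js` traces are assumptions constructed for illustration.

```javascript
// Constructed trace format (assumption): one record per executed branch.
// stack = call trace, offset = branch position in its script, taken = outcome.
const keyOf = (e) => `${e.stack.join('>')}|${e.script}@${e.offset}`;

// One run -> Map(branch key -> set of outcomes seen, 'T' and/or 'F').
function summarise(trace) {
  const seen = new Map();
  for (const e of trace) {
    if (!seen.has(keyOf(e))) seen.set(keyOf(e), new Set());
    seen.get(keyOf(e)).add(e.taken ? 'T' : 'F');
  }
  return seen;
}

// '-' marks a branch that a given run never reached.
const sig = (outcomes) => (outcomes ? [...outcomes].sort().join('') : '-');

// Keep only branches whose outcome signature is identical in every run of one
// configuration; anything that varies between identical loads is noise.
function stableOutcomes(runs) {
  const sums = runs.map(summarise);
  const stable = new Map();
  for (const k of new Set(sums.flatMap((s) => [...s.keys()]))) {
    const sigs = new Set(sums.map((s) => sig(s.get(k))));
    if (sigs.size === 1) stable.set(k, [...sigs][0]);
  }
  return stable;
}

// Branches reached in both configurations, stable in each, with different outcomes.
function divergentBranches(withBlocker, withoutBlocker) {
  const a = stableOutcomes(withBlocker);
  const b = stableOutcomes(withoutBlocker);
  return [...a].filter(([k, s]) => b.has(k) && b.get(k) !== s)
    .map(([k, s]) => ({ branch: k, withBlocker: s, withoutBlocker: b.get(k) }));
}

// Constructed sample: three loads per configuration of a hypothetical site.js.
// checkAds@120 flips with the adblocker; rotate@300 is random, so it is noise.
const ev = (stack, offset, taken) =>
  ({ stack: stack.split('>'), script: 'site.js', offset, taken });
const run = (check, rotate) => [ev('main>init', 40, true),
  ev('main>checkAds', 120, check), ev('main>rotate', 300, rotate)];
const withBlocker = [run(true, true), run(true, false), run(true, true)];
const withoutBlocker = [run(false, false), run(false, false), run(false, false)];
console.log(divergentBranches(withBlocker, withoutBlocker));
```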

Although they are not the only JavaScript conditional statements, only if, else and ternaries are instrumented, because another paper from 2016 (A First Look at Ad-block Detection – A New Arms Race on the Web) found that they were the main ones used to detect adblockers. This led, in this paper, to several false negatives.

Detection bypasses (found by manually reviewing a large number of sites, kudos!) were either:

  • Using non-instrumented conditions, or non-control-flow-based methods, like array-based ones.
  • Content randomization, which could, according to the paper, be addressed by analysing the same page several times, instead of reloading it. I don't think that this will work for pages with a significant amount of different randomized states.
  • Putting the anti-adblock message as a placeholder for the ad.

The paper suggests two methods to bypass anti-adblocking:

  • Use a proxy to rewrite the detection conditions.
  • Hook JavaScript functions to intercept and monkey-patch functions used in detection.

Those two solutions would need to rely on lists, since the condition-detection process takes a bit more than 14 hours on a 32-core machine for 10,000 websites.

No code is released with the paper, making this work unreproducible; it thus shouldn't be treated as science, as it might be completely made up.