Dear CS Faculty and Students, I am pleased to invite you to Haddi Amjad's final Ph.D defense at 3pm (ET) on Friday, Feb 13. Zoom: https://virginiatech.zoom.us/j/7370786267 Title: Enhancing Web Privacy through JavaScript Code-Aware Program Analysis Abstract: Advertisers and tracking services (ATS) are pervasive on the modern web. To counter these practices, millions of users rely on privacy-enhancing technologies (PETs), such as ad-blockers, which primarily depend on filter lists composed of regex-based rules to block network requests associated with data exfiltration. However, this approach has become increasingly ineffective in the face of an ongoing arms race. Currently, PETs struggle to handle mixed JavaScript (JS) scripts that combine tracking behavior with legitimate website functionality. These tools operate at the network level and can only block entire script requests rather than specific behaviors within a script. As a result, once a mixed script executes, any subsequent data exfiltration carried out through encrypted URL requests becomes invisible to network-based defenses, rendering existing PETs ineffective. Mixed JS scripts create a fundamental dilemma for PETs: aggressively blocking them risks breaking websites, while allowing them undermines user privacy. This thesis addresses this challenge by asking: How can code-aware program analysis be leveraged to design privacy-enhancing technologies that effectively mitigate tracking while preserving essential web functionality? This thesis makes three primary contributions. First, we focus on identification of mixed JS by introducing TrackerSift, a large-scale measurement framework that reveals mixed behavior in a substantial fraction of web JS scripts. Second, we validate that mixed JS scripts can be effectively handled through program analysis, demonstrating that functions inside mixed JS scripts can clearly separate tracking code from functional code. Finally, we address mitigation by presenting NoT.JS, a code-aware, ML–based system that accurately identifies tracking JS functions inside mixed JS scripts and refactors them to selectively remove tracking logic while maintaining legitimate functionality. Together, these contributions advance privacy-enhancing technologies by enabling principled mitigation of mixed JS scripts through code-aware program analysis. Best regards, Gulzar — Muhammad Ali Gulzar Assistant Professor Virginia Tech | Department of Computer Science 220 Gilbert Street, Room 4106 Blacksburg, VA 24060 (540) 231-0851 | gulzar@cs.vt.edu | https://people.cs.vt.edu/~gulzar