Abstract
It is well recognized that JavaScript can be exploited to launch browser-based security attacks. We propose to battle such attacks using program instrumentation. Untrusted JavaScript code goes through a rewriting process which identifies relevant operations, modifies questionable behaviors, and prompts the user (a web page viewer) for decisions on how to proceed when appropriate. Our solution is parametric with respect to the security policy: the policy is implemented separately from the rewriting, and the same rewriting process is carried out regardless of which policy is in use. Besides providing a rigorous account of the correctness of our solution, we also discuss practical issues including policy management and prototype experiments. A useful by-product of our work is an operational semantics of a core subset of JavaScript, where code embedded in (HTML) documents may generate further document pieces (with new code embedded) at runtime, yielding a form of self-modifying code.
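The following is an added illustration of the scheme the abstract describes (example code written for this page, not the paper's implementation or prototype). It assumes a deliberately simplified textual rewriter that only catches direct `document.write(` and `window.open(` call sites (aliased calls are out of scope), models the user prompt as a callback, and uses invented names such as `__ins`, `rewrite` and `runUnder`; the two policies are constructed samples.

```javascript
// Added example (not the paper's code): policy-parametric instrumentation.
// The rewriter redirects a fixed list of relevant operations to a hook; the
// policy is a separate function supplied at run time.
const RELEVANT = ["document.write", "window.open"];
// Rewriting step: the prefix "document.write(" becomes "__ins.call('document.write', "
// so the call's argument list is left untouched.
function rewrite(src) {
  return RELEVANT.reduce(
    (s, op) => s.split(op + "(").join(`__ins.call('${op}', `), src);
}
// Policies map (operation, arguments) to a decision and never touch the rewriter:
// {allow:false} blocks, {args:[...]} modifies the call, {ask:true} asks the user.
function noPopupsPolicy(op) {
  return { allow: op !== "window.open" };
}
function askOnScriptPolicy(op, args) {
  if (op === "document.write" && /<script/i.test(args.join(""))) return { ask: true };
  if (op === "window.open") return { args: ["about:blank"] };
  return { allow: true };
}
// Runtime hook for one policy. `prompt` stands in for the user dialog and
// `targets` holds the real operations. HTML written at run time may carry
// new script (self-modifying code), so it is rewritten before being emitted.
function makeHook(policy, targets, prompt) {
  const log = [];
  return {
    log,
    call(op, ...args) {
      const d = policy(op, args);
      if (d.allow === false || (d.ask && !prompt(op, args))) {
        log.push(`blocked ${op}`); return;
      }
      if (d.args) args = d.args;
      if (op === "document.write")
        args = args.map(h => String(h).replace(/<script>([\s\S]*?)<\/script>/gi,
          (m, js) => `<script>${rewrite(js)}</script>`));
      log.push(`${op}(${args.join(", ")})`);
      return targets[op](...args);
    },
  };
}
// Run untrusted source under a policy; the same rewrite() serves every policy.
function runUnder(policy, src, prompt = () => false) {
  const out = [];
  const targets = { "document.write": h => out.push(h), "window.open": () => "win" };
  const hook = makeHook(policy, targets, prompt);
  new Function("__ins", rewrite(src))(hook);
  return { out, log: hook.log };
}
```

Swapping `noPopupsPolicy` for `askOnScriptPolicy` changes only the decisions taken at the hook; the rewritten source is identical in both runs, and a `<script>` assembled at run time from string pieces is still caught because the written HTML is rewritten before it is emitted.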
JavaScript instrumentation for browser security
POPL '07: Proceedings of the 34th annual ACM SIGPLAN-SIGACT symposium on Principles of programming languages