More Web Proxy on the site http://driver.im/

Article

Safe wrappers and sane policies for self protecting javascript

Authors:

Jonas Magazinius,

David SandsAuthors Info & Claims

NordSec'10: Proceedings of the 15th Nordic conference on Information Security Technology for Applications

Pages 239 - 255

https://doi.org/10.1007/978-3-642-27937-9_17

Published: 27 October 2010 Publication History

Abstract

Phung <em>et al</em> (ASIACCS'09) describe a method for wrapping built-in functions of JavaScript programs in order to enforce security policies. The method is appealing because it requires neither deep transformation of the code nor browser modification. Unfortunately the implementation outlined suffers from a range of vulnerabilities, and policy construction is restrictive and error prone. In this paper we address these issues to provide a systematic way to avoid the identified vulnerabilities, and make it easier for the policy writer to construct declarative policies --- i.e. policies upon which attacker code has no side effects.

References

[1]

Ajaxpect: Aspect-Oriented Programming for Ajax (2008), http://code.google.com/p/ajaxpect/

[2]

Anderson, J. P.: Computer security technology planning study. Technical Report ESD-TR- 73-51, US Air Force, Electronic Systems Division, Deputy for Command and Management Systems, HQ Electronic Systems Division (AFSC), USA (1972)

[3]

AspectJS: A JavaScript MCI/AOP Component-Library. Version 1.1, commercial (2008), http://www.aspectjs.com/

[4]

Balz, C. M.: The AspectES Framework: AOP for EcmaScript, http://aspectes.tigris.org/ (accessed in January 2010)

[5]

Barth, A., Jackson, C., Mitchell, J.C.: Securing frame communication in browsers. Commun. ACM 52(6), 83-91 (2009)

Digital Library

[6]

Barth, A., Weinberger, J., Song, D.: Cross-origin JavaScript capability leaks: Detection, exploitation, and defense. In: Proc. of the 18th USENIX Security Symposium (USENIX Security 2009) (2009)

Digital Library

[7]

Cerny, R.: Cerny.js: a JavaScript library. Version 2.0, http://www.cerny-online.com/cerny.js/

[8]

Chess, B., O'Neil, Y. T., West, J.: JavaScript Hijacking, http://cli.gs/jshijack (accessed in January 2010)

[9]

Dantas, D. S., Walker, D.: Harmless advice. In: POPL 2006: Conference Record of the 33rd ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, pp. 383- 396. ACM, New York (2006)

Digital Library

[10]

dojo AOP library (2008), http://cli.gs/dojoaop

[11]

Ecma International. Standard ECMA-262: ECMAScript Language Specification. 5th edn., (December 2009), http://cli.gs/ecma2625e

[12]

Facebook. FBJS, http://cli.gs/facebookjs

[13]

Google. Attackvectors, http://code.google.com/p/google-caja/wiki/AttackVectors (accessed January 2010)

[14]

Guha, A., Saftoiu, C., Krishnamurthi, S.: The Essence of JavaScript, http://www.cs.brown.edu/research/plt/dl/CS-09-10/ (accessed in January 2010)

[15]

jQuery AOP. Version 1.3 (October 17, 2009), http://plugins.jquery.com/project/AOP

[16]

Kikuchi, H., Yu, D., Chander, A., Inamura, H., Serikov, I.: Javascript Instrumentation in Practice. In: Ramalingam, G. (ed.) APLAS 2008. LNCS, vol. 5356, pp. 326-341. Springer, Heidelberg (2008)

Digital Library

[17]

Maffeis, S., Mitchell, J., Taly, A.: Run-Time Enforcement of Secure JavaScript Subsets. In: Proc of W2SP 2009. IEEE (2009)

[18]

Maffeis, S., Mitchell, J., Taly, A.: Object capabilities and isolation of untrusted web applications. In: Proc of IEEE Security and Privacy 2010. IEEE (2010)

Digital Library

[19]

Maffeis, S., Mitchell, J.C., Taly, A.: Isolating JavaScript with Filters, Rewriting, and Wrappers. In: Backes, M., Ning, P. (eds.) ESORICS 2009. LNCS, vol. 5789, pp. 505-522. Springer, Heidelberg (2009)

Digital Library

[20]

Meyerovich, L., Felt, A. P., Miller, M.: Object Views: FineGrained Sharing in Browsers. In: WWW2010: Proceedings of the 16th International Conference on World Wide Web. ACM (2010)

Digital Library

[21]

Meyerovich, L., Livshits, B.: ConScript: Specifying and Enforcing Fine-Grained Security Policies for JavaScript in the Browser. In: SP 2010: Proceedings of the 2010 IEEE Symposium on Security and Privacy. IEEE Computer Society (2010)

Digital Library

[22]

Nadji, Y., Saxena, P., Song, D.: Document Structure Integrity: A Robust Basis for Cross-site Scripting Defense. In: Proc. of Network and Distributed System Security Symposium, NDSS 2009 (2009)

[23]

Ofuonye, E., Miller, J.: Resolving JavaScript Vulnerabilities in the Browser Runtime. In: 19th International Symposium on Software Reliability Engineering, ISSRE 2008, pp. 57-66 (November 2008)

Digital Library

[24]

Open Ajax Alliance. Ajax and Mashup Security, http://cli.gs/ajaxmashupsec (accessed in January 2010)

[25]

Phung, P. H., Sands, D., Chudnov, A.: Lightweight Self-Protecting JavaScript. In: ASIACCS 2009: Proceedings of the 4th International Symposium on Information, Computer, and Communications Security, pp. 47-60. ACM, New York (2009)

Digital Library

[26]

ProSec Security group, Chalmers. Self-Protecting JavaScript project, http://www.cse.chalmers.se/~phung/projects/jss

[27]

Prototype Core Team. Prototype - A JavaScript Framework, http://www.prototypejs.org/ (accessed in January 2010)

[28]

Reis, C., Dunagan, J., Wang, H. J., Dubrovsky, O., Esmeir, S.: BrowserShield: Vulnerabilitydriven filtering of dynamic HTML. ACM Trans. Web 1(3), 11 (2007)

Digital Library

[29]

The Mozilla Development Team. New in JavaScript 1.8.1, http://cli.gs/newjs181 (accessed in January 2010)

[30]

The Tor Project. Torbutton FAQ; Security Issues, http://cli.gs/torsec (accessed in February 2010)

[31]

Toledo, R., Leger, P., Tanter, E.: AspectScript: Expressive Aspects for the Web. Technical report, University of Chile Santiago, Chile (2009)

[32]

Walden, J.: Web Tech Blog - Object and Array initializers should not invoke setters when evaluated, http://cli.gs/mozillasetters (accessed in January 2010)

[33]

Washizaki, H., Kubo, A., Mizumachi, T., Eguchi, K., Fukazawa, Y., Yoshioka, N., Kanuka, H., Kodaka, T., Sugimoto, N., Nagai, Y., Yamamoto, R.: AOJS: Aspect-Oriented JavaScript Programming Framework for Web Development. In: ACP4IS 2009: Proceedings of the 8th Workshop on Aspects, Components, and Patterns for Infrastructure Software, pp. 31-36. ACM, New York (2009)

Digital Library

Cited By

Karami FOwe OSchneider G(2020)Information-Flow Control by Means of Security Wrappers for Active Object Languages with FuturesSecure IT Systems10.1007/978-3-030-70852-8_5(74-91)Online publication date: 23-Nov-2020
https://dl.acm.org/doi/10.1007/978-3-030-70852-8_5
Pupo ANicolay JBoix ETilevich EMössenböck H(2018)GUARDIAProceedings of the 15th International Conference on Managed Languages & Runtimes10.1145/3237009.3237025(1-15)Online publication date: 12-Sep-2018
https://dl.acm.org/doi/10.1145/3237009.3237025
Nicolay JSpruyt VDe Roover CMurray TStefan D(2016)Static Detection of User-specified Security Vulnerabilities in Client-side JavaScriptProceedings of the 2016 ACM Workshop on Programming Languages and Analysis for Security10.1145/2993600.2993612(3-13)Online publication date: 24-Oct-2016
https://dl.acm.org/doi/10.1145/2993600.2993612
Show More Cited By

Recommendations

Lightweight self-protecting JavaScript
ASIACCS '09: Proceedings of the 4th International Symposium on Information, Computer, and Communications Security

This paper introduces a method to control JavaScript execution. The aim is to prevent or modify inappropriate behaviour caused by e.g. malicious injected scripts or poorly designed third-party code. The approach is based on modifying the code so as to ...
Goal-Based Policies for Self-Protecting Systems
AINA '12: Proceedings of the 2012 IEEE 26th International Conference on Advanced Information Networking and Applications

With the constantly growing complexity and heterogeneity of distributed system, the ability to control their security mechanisms in a human-understandable way becomes increasingly important. Policies, for specifying the behavior of a system in terms of ...
Protecting Web Browser Extensions from JavaScript Injection Attacks
ICECCS '13: Proceedings of the 2013 18th International Conference on Engineering of Complex Computer Systems

Vulnerable web browser extensions can be used by an attacker to steal users' credentials and lure users into leaking sensitive information to unauthorized parties. Current browser security models and existing JavaScript security solutions are inadequate ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image Guide Proceedings

NordSec'10: Proceedings of the 15th Nordic conference on Information Security Technology for Applications

October 2010

288 pages

ISBN:9783642279362

Editors:
Tuomas Aura
School of Science and Technology, Aalto University, Konemiehentie 2, Espoo, Finland
,
Kimmo Järvinen
Department of Information and Computer Science, Aalto University, Konemiehentie 2, Aalto, Finland
,
Kaisa Nyberg
Department of Information and Computer Science, Aalto University, Konemiehentie 2, Aalto, Finland

Publisher

Springer-Verlag

Berlin, Heidelberg

Publication History

Published: 27 October 2010

Qualifiers

Article

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

22
Total Citations
View Citations
0
Total Downloads

Downloads (Last 12 months)0
Downloads (Last 6 weeks)0

Reflects downloads up to 19 Dec 2024

Other Metrics

View Author Metrics

Citations

Cited By

Karami FOwe OSchneider G(2020)Information-Flow Control by Means of Security Wrappers for Active Object Languages with FuturesSecure IT Systems10.1007/978-3-030-70852-8_5(74-91)Online publication date: 23-Nov-2020
https://dl.acm.org/doi/10.1007/978-3-030-70852-8_5
Pupo ANicolay JBoix ETilevich EMössenböck H(2018)GUARDIAProceedings of the 15th International Conference on Managed Languages & Runtimes10.1145/3237009.3237025(1-15)Online publication date: 12-Sep-2018
https://dl.acm.org/doi/10.1145/3237009.3237025
Nicolay JSpruyt VDe Roover CMurray TStefan D(2016)Static Detection of User-specified Security Vulnerabilities in Client-side JavaScriptProceedings of the 2016 ACM Workshop on Programming Languages and Analysis for Security10.1145/2993600.2993612(3-13)Online publication date: 24-Oct-2016
https://dl.acm.org/doi/10.1145/2993600.2993612
Guan CSun KWang ZZhu WChen XWang XHuang X(2016)Privacy Breach by Exploiting postMessage in HTML5Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security10.1145/2897845.2897901(629-640)Online publication date: 30-May-2016
https://dl.acm.org/doi/10.1145/2897845.2897901
De Groef WSubramanian DJohns MPiessens FDesmet LOssowski S(2016)Ensuring endpoint authenticity in WebRTC peer-to-peer communicationProceedings of the 31st Annual ACM Symposium on Applied Computing10.1145/2851613.2851804(2103-2110)Online publication date: 4-Apr-2016
https://dl.acm.org/doi/10.1145/2851613.2851804
Van Acker SSabelfeld A(2016)JavaScript SandboxingTutorial Lectures on Foundations of Security Analysis and Design VIII - Volume 980810.1007/978-3-319-43005-8_2(32-86)Online publication date: 1-Jun-2016
https://dl.acm.org/doi/10.1007/978-3-319-43005-8_2
Chudnov ANaumann DRay ILi NKruegel C(2015)Inlined Information Flow Monitoring for JavaScriptProceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security10.1145/2810103.2813684(629-643)Online publication date: 12-Oct-2015
https://dl.acm.org/doi/10.1145/2810103.2813684
Van Acker SHausknecht DJoosen WSabelfeld APark JSquicciarini A(2015)Password Meters and Generators on the WebProceedings of the 5th ACM Conference on Data and Application Security and Privacy10.1145/2699026.2699118(253-262)Online publication date: 2-Mar-2015
https://dl.acm.org/doi/10.1145/2699026.2699118
Stock BJohns MMoriai SJaeger TSakurai K(2014)Protecting users against XSS-based password manager abuseProceedings of the 9th ACM symposium on Information, computer and communications security10.1145/2590296.2590336(183-194)Online publication date: 4-Jun-2014
https://dl.acm.org/doi/10.1145/2590296.2590336
Van Acker SNikiforakis NDesmet LPiessens FJoosen WMoriai SJaeger TSakurai K(2014)Monkey-in-the-browserProceedings of the 9th ACM symposium on Information, computer and communications security10.1145/2590296.2590311(525-530)Online publication date: 4-Jun-2014
https://dl.acm.org/doi/10.1145/2590296.2590311
Show More Cited By

View Options

View options

Media

Figures

Other

Tables

View Table of Contents