JavaScript Instrumentation in Practice

Kikuchi, Haruka; Yu, Dachuan; Chander, Ajay; Inamura, Hiroshi; Serikov, Igor

doi:10.1007/978-3-540-89330-1_23

Haruka Kikuchi²,
Dachuan Yu³,
Ajay Chander³,
Hiroshi Inamura³ &
…
Igor Serikov³

Part of the book series: Lecture Notes in Computer Science ((LNPSE,volume 5356))

Included in the following conference series:

Asian Symposium on Programming Languages and Systems

793 Accesses
17 Citations

Abstract

JavaScript has been exploited to launch various browser-based attacks. Our previous work proposed a theoretical framework applying policy-based code instrumentation to JavaScript. This paper further reports our experience carrying out the theory in practice. Specifically, we discuss how the instrumentation is performed on various JavaScript and HTML syntactic constructs, present a new policy construction method for facilitating the creation and compilation of security policies, and document various practical difficulties arose during our prototyping. Our prototype currently works with several different web browsers, including Safari Mobile running on iPhones. We report our results based on experiments using representative real-world web applications

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Chapter: USD 29.95; Price excludes VAT (USA)

eBook: USD 39.99; Price excludes VAT (USA)

Softcover Book: USD 54.99; Price excludes VAT (USA)

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

References

Apple Inc. Safari mobile on iphone, http://www.apple.com/iphone/internet/
Christey, S., Martin, R.A.: Vulnerability type distributions in CVE (2007), http://cve.mitre.org/
ECMA International. ECMAScript language specification. Standard ECMA-262, 3rd Edition (December 1999)
Google Scholar
Erlingsson, U., Schneider, F.B.: SASI enforcement of security policies: A retrospective. In: Proc. 1999 New Security Paradigms Workshop, Caledon Hills, Ontario, Canada, pp. 87–95 (September 1999)
Google Scholar
Erlingsson, U., Schneider, F.B.: IRM enforcement of Java stack inspection. In: Proc. IEEE S&P (2000)
Google Scholar
Evans, D., Twyman, A.: Flexible policy-directed code safety. In: Proc. 20th IEEE S&P, pp. 32–47 (1999)
Google Scholar
Hewitt, J.: Firebug—web development evolved, http://www.getfirebug.com/
Kiciman, E., Livshits, B.: AjaxScope: a platform for remotely monitoring the client-side behavior of web 2.0 applications. In: Proc. SOSP 2007, pp. 17–30 (2007)
Google Scholar
Kikuchi, H., Yu, D., Chander, A., Inamura, H., Serikov, I.: Javascript instrumentation in practice. Technical Report DCL-TR-2008-0053, DoCoMo USA Labs (June 2008), http://www.docomolabsresearchers-usa.com/~dyu/jiip-tr.pdf
Kirda, E., Kruegel, C., Vigna, G., Jovanovic, N.: Noxes: a client-side solution for mitigating cross-site scripting attacks. In: Proc. 2006 ACM Symposium on Applied Computing, pp. 330–337 (2006)
Google Scholar
Kiriansky, V., Bruening, D., Amarasinghe, S.P.: Secure execution via program shepherding. In: Proc. 11th USENIX Security Symposium, pp. 191–206 (2002)
Google Scholar
Ligatti, J., Bauer, L., Walker, D.: Edit automata: Enforcement mechanisms for run-time security policies. International Journal of Information Security 4(2), 2–16 (2005)
Article Google Scholar
Luotonen, A.: Tunneling TCP based protocols through web proxy servers. IETF RFC 2616 (1998)
Google Scholar
OWASP Foundation. The ten most critical web application security vulnerabilities (2007), http://www.owasp.org/
Reis, C., Dunagan, J., Wang, H.J., Dubrovsky, O., Esmeir, S.: BrowserShield: Vulnerability-driven filtering of dynamic HTML. In: Proc. OSDI 2006, Seattle, WA (2006)
Google Scholar
Schneider, F.B.: Enforceable security policies. Trans. on Information & System Security 3(1), 30–50 (2000)
Article MathSciNet Google Scholar
van Kesteren, A., Jackson, D.: The XMLHttpRequest object. W3C working draft (2006), http://www.w3.org/TR/XMLHttpRequest/
Wahbe, R., Lucco, S., Anderson, T.E., Graham, S.L.: Efficient software-based fault isolation. In: Proc. SOSP 1993, Asheville, NC, pp. 203–216 (1993)
Google Scholar
Yu, D., Chander, A., Islam, N., Serikov, I.: JavaScript instrumentation for browser security. In: Proc. POPL 2007, Nice, France, pp. 237–249 (January 2007)
Google Scholar

Download references

Author information

Authors and Affiliations

NTT DOCOMO, Inc., Japan
Haruka Kikuchi
DOCOMO Communications Laboratories USA, Inc., USA
Dachuan Yu, Ajay Chander, Hiroshi Inamura & Igor Serikov

Authors

Haruka Kikuchi
View author publications
You can also search for this author in PubMed Google Scholar
Dachuan Yu
View author publications
You can also search for this author in PubMed Google Scholar
Ajay Chander
View author publications
You can also search for this author in PubMed Google Scholar
Hiroshi Inamura
View author publications
You can also search for this author in PubMed Google Scholar
Igor Serikov
View author publications
You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

Microsoft Research India, 196/36, 2nd Main, Sadashivnagar, 560080, Bangalore, India
G. Ramalingam

Rights and permissions

Reprints and permissions

Copyright information

About this paper

Cite this paper

Kikuchi, H., Yu, D., Chander, A., Inamura, H., Serikov, I. (2008). JavaScript Instrumentation in Practice. In: Ramalingam, G. (eds) Programming Languages and Systems. APLAS 2008. Lecture Notes in Computer Science, vol 5356. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-89330-1_23

Download citation

DOI: https://doi.org/10.1007/978-3-540-89330-1_23
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-89329-5
Online ISBN: 978-3-540-89330-1
eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics