Abstract
JavaScript has been exploited to launch various browser-based attacks. Our previous work proposed a theoretical framework applying policy-based code instrumentation to JavaScript. This paper further reports our experience carrying out the theory in practice. Specifically, we discuss how the instrumentation is performed on various JavaScript and HTML syntactic constructs, present a new policy construction method for facilitating the creation and compilation of security policies, and document various practical difficulties that arose during our prototyping. Our prototype currently works with several different web browsers, including Safari Mobile running on iPhones. We report our results based on experiments using representative real-world web applications.
Copyright information
© 2008 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Kikuchi, H., Yu, D., Chander, A., Inamura, H., Serikov, I. (2008). JavaScript Instrumentation in Practice. In: Ramalingam, G. (eds) Programming Languages and Systems. APLAS 2008. Lecture Notes in Computer Science, vol 5356. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-89330-1_23
DOI: https://doi.org/10.1007/978-3-540-89330-1_23
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-89329-5
Online ISBN: 978-3-540-89330-1