Skip to main content
Springer Nature Link
Log in

Enhancing JavaScript with Transactions

  • Conference paper
ECOOP 2012 – Object-Oriented Programming (ECOOP 2012)

Part of the book series: Lecture Notes in Computer Science ((LNPSE,volume 7313))

Included in the following conference series:

Abstract

Transcript is a system that enhances JavaScript with support for transactions. Hosting Web applications can use transactions to demarcate regions that contain untrusted guest code. Actions performed within a transaction are logged and considered speculative until they are examined by the host and committed. Uncommitted actions simply do not take and cannot affect the host in any way. Transcript therefore provides hosting Web applications with powerful mechanisms to understand the behavior of untrusted guests, mediate their actions and also cleanly recover from the effects of security-violating guest code.

This paper describes the design of Transcript and its implementation in Firefox. Our exposition focuses on the novel features introduced by Transcript to support transactions, including a suspend/resume mechanism for JavaScript and support for speculative DOM updates. Our evaluation presents case studies showing that Transcript can be used to enforce powerful security policies on untrusted JavaScript code, and reports its performance on real-world applications and microbenchmarks.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Subscribe and save

Springer+ Basic
$34.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

Similar content being viewed by others

References

  1. Addthis, http://www.addthis.com/

  2. AJS: The ultra lightweight JavaScript library, http://orangoo.com/labs/AJS/

  3. BIGACE web content management system, http://www.bigace.de/

  4. Dom-based xss injection, https://www.owasp.org/index.php/Interpreter_Injection#DOM-based_XSS_Injection

  5. jQuery: The write less, do more, JavaScript library, http://jquery.com

  6. Jquery UI slider plugin, http://jqueryui.com/demos/slider

  7. JavaScript widgets/menu, http://jswidgets.sourceforge.net

  8. Twitter/profile widget, http://twitter.com/about/resources/widgets/widget_profile

  9. ECMAScript language spec., ECMA-262, 5th edn. (December 2009)

    Google Scholar 

  10. Bauer, L., Ligatti, J., Walker, D.: Composing security policies with Polymer. In: ACM PLDI (2005)

    Google Scholar 

  11. Cao, Y., Li, Z., Rastogi, V., Chen, Y.: Virtual browser: a Web-level sandbox to secure third-party JavaScript without sacrificing functionality (poster). In: ACM CCS (2010)

    Google Scholar 

  12. Chugh, R., Meister, J., Jhala, R., Lerner, S.: Staged information flow in JavaScript. In: ACM SIGPLAN PLDI (2009)

    Google Scholar 

  13. Crockford, D.: ADsafe - Making JavaScript safe for advertising, http://adsafe.org

  14. Dhawan, M., Shan, C.-C., Ganapathy, V.: Position paper: The case for JavaScript transactions. In: 5th ACM SIGPLAN PLAS Workshop (June 2010)

    Google Scholar 

  15. ECMAScript. Harmony modules, http://wiki.ecmascript.org/doku.php?id=harmony:modules

  16. Erlingsson, Ú.: The Inlined Reference Monitor Approach to Security Policy Enforcement. PhD thesis, Cornell University (2004)

    Google Scholar 

  17. Evans, D., Twyman, A.: Flexible policy-directed code safety. In: IEEE S&P (1999)

    Google Scholar 

  18. Facebook. FBJS - Facebook developerwiki (2007)

    Google Scholar 

  19. Finifter, M., Weinberger, J., Barth, A.: Preventing capability leaks in secure JavaScript subsets. In: NDSS (2010)

    Google Scholar 

  20. Godefroid, P., Klarlund, N., Sen, K.: Dart: directed automated random testing. SIGPLAN Not. 40 (June 2005)

    Google Scholar 

  21. Guarnieri, S., Livshits, B.: GateKeeper: Mostly static enforcement of security and reliability policies for JavaScript code. In: USENIX Security (2009)

    Google Scholar 

  22. Guha, A., Krishnamurthi, S., Jim, T.: Using static analysis for Ajax intrusion detection. In: WWW (2009)

    Google Scholar 

  23. Washizaki, H., et al.: AOJS: Aspect-oriented JavaScript programming framework for Web development. In: Intl. Wkshp. Aspects, Components, and Patterns for Infrastructure Software (2009)

    Google Scholar 

  24. Hickson, I.: Html iframe sandbox attribute, http://www.whatwg.org/specs/web-apps/current-work/multipage/the-iframe-element.html#attr-iframe-sandbox

  25. Jim, T., Swamy, N., Hicks, M.: Defeating script injection attacks with browser-enforced embedded policies. In: WWW (2007)

    Google Scholar 

  26. Louw, M.T., Ganesh, K.T., Venkatakrishnan, V.N.: Adjail: Practical enforcement of confidentiality and integrity policies on Web advertisements. In: USENIX Security (2010)

    Google Scholar 

  27. Ter Louw, M., Venkatakrishnan, V.N.: Blueprint: Robust prevention of cross-site scripting attacks for existing browsers. In: IEEE S&P (2009)

    Google Scholar 

  28. Maffeis, S., Mitchell, J.C., Taly, A.: An Operational Semantics for JavaScript. In: Ramalingam, G. (ed.) APLAS 2008. LNCS, vol. 5356, pp. 307–325. Springer, Heidelberg (2008)

    Chapter  Google Scholar 

  29. Maffeis, S., Mitchell, J.C., Taly, A.: Isolating JavaScript with Filters, Rewriting, and Wrappers. In: Backes, M., Ning, P. (eds.) ESORICS 2009. LNCS, vol. 5789, pp. 505–522. Springer, Heidelberg (2009)

    Chapter  Google Scholar 

  30. Maffeis, S., Mitchell, J.C., Taly, A.: Object capabilities and isolation of untrusted Web applications. In: IEEE S&P (2010)

    Google Scholar 

  31. Maffeis, S., Taly, A.: Language based isolation of untrusted JavaScript. In: IEEE CSF (2009)

    Google Scholar 

  32. Mehrara, M., Hsu, P.-C., Samadi, M., Mahlke, S.: Dynamic parallelization of javascript applications using an ultra-lightweight speculation mechanism. In: International Symposium on High-Performance Computer Architecture, pp. 87–98 (2011)

    Google Scholar 

  33. Meyerovich, L., Porter Felt, A., Miller, M.S.: Object views: Fine-grained sharing in browsers. In: WWW (2010)

    Google Scholar 

  34. Meyerovich, L., Livshits, B.: Conscript: Specifying and enforcing fine-grained security policies for JavaScript in the browser. In: IEEE S&P (2010)

    Google Scholar 

  35. Mickens, J., Elson, J., Howell, J., Lorch, J.: Crom: Faster Web browsing using speculative execution. In: NSDI (2010)

    Google Scholar 

  36. Miller, M.S., Samuel, M., Laurie, B., Awad, I., Stay, M.: Caja: Safe active content in sanitized JavaScript (2008) (manuscript)

    Google Scholar 

  37. Mozilla Developer Center. HTTP access control, http://developer.mozilla.org/En/HTTP_access_control

  38. Orangoo-Labs. GoogieSpell, http://orangoo.com/labs/GoogieSpell

  39. Orangoo-Labs GreyBox, http://orangoo.com/labs/GreyBox

  40. Orangoo-Labs. Sortable list widget, http://orangoo.com/AJS/examples/sortable_list.html

  41. Di Paola, S., Fedon, G.: Subverting Ajax: Next generation vulnerabilities in 2.0 Web applications. In: 23rd Chaos Communication Congress (2006)

    Google Scholar 

  42. Phung, P., Sands, D., Chudnov, A.: Lightweight self-protecting JavaScript. In: ASIACCS (2009)

    Google Scholar 

  43. Reis, C., Dunagan, J., Wang, H.J., Dubrovsky, O., Esmeir, S.: Browsershield: Vulnerability-driven filtering of dynamic HTML. ACM Trans. Web 1(3), 11 (2007)

    Article  Google Scholar 

  44. Sen, K., Marinov, D., Agha, G.: Cute: a concolic unit testing engine for c. SIGSOFT Softw. Eng. Notes 30 (September 2005)

    Google Scholar 

  45. Wang, H.J., Fan, X., Howell, J., Jackson, C.: Protection and communication abstractions for web browsers in MashupOS. In: ACM SOSP (2007)

    Google Scholar 

  46. Warth, A., Ohshima, Y., Kaehler, T., Kay, A.: Worlds: Controlling the Scope of Side Effects. In: Mezini, M. (ed.) ECOOP 2011. LNCS, vol. 6813, pp. 179–203. Springer, Heidelberg (2011)

    Chapter  Google Scholar 

  47. WWW-Consortium. Document object model events (November 2000), http://www.w3.org/TR/DOM-Level-2-Events/events.html

  48. Yu, D., Chander, A., Islam, N., Serikov, I.: JavaScript instrumentation for browser security. In: ACM POPL (2007)

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Rutgers University, USA

    Mohan Dhawan & Vinod Ganapathy

  2. University of Tsukuba, Japan

    Chung-chieh Shan

Authors
  1. Mohan Dhawan
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Chung-chieh Shan
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Vinod Ganapathy
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. School of Engineering and Computer Science, Victoria University of Wellington, 6140, Wellington, New Zealand

    James Noble

Rights and permissions

Reprints and permissions

Copyright information

© 2012 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Dhawan, M., Shan, Cc., Ganapathy, V. (2012). Enhancing JavaScript with Transactions. In: Noble, J. (eds) ECOOP 2012 – Object-Oriented Programming. ECOOP 2012. Lecture Notes in Computer Science, vol 7313. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-31057-7_18

Download citation

  • DOI: https://doi.org/10.1007/978-3-642-31057-7_18

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-31056-0

  • Online ISBN: 978-3-642-31057-7

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics