Abstract
Approaches for safe execution of JavaScript on web pages have been a topic of recent research interest. A significant number of these approaches aim to provide safety through runtime mediation of accesses made by a JavaScript program. In this paper, we propose a novel, lightweight JavaScript transformation technique for enforcing security properties on untrusted JavaScript programs using source code interposition. Our approach assures namespace isolation between several principals within a single web page, and access control for sensitive browser interfaces. This access control mechanism is based on a whitelist approach to ensure soundness of the mediation. Our technique is lightweight, resulting in low run-time overhead compared to existing solutions such as BrowserShield and Caja.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
Van Acker, S., De Ryck, P., Desmet, L., Piessens, F., Joosen, W.: Webjail: Least-privilege integration of third-party components in web mashups. In: Twenty-Seventh Annual Computer Security Applications Conference (ACSAC 2011), pp. 307–316 (2011)
Agten, P., Van Acker, S., Brondsema, Y., Phung, P.H., Desmet, L., Piessens, F.: JSand: Complete client-side sandboxing of third-party JavaScript without browser modifications. In: Annual Computer Security Applications Conference (ACSAC 2012), pp. 1–10 (2012)
Douglas Crockford. ADsafe, http://www.adsafe.org/
Dong, X., Tran, M., Liang, Z., Jiang, X.: AdSentry: Comprehensive and flexible confinement of JavaScript-based advertisements. In: Twenty-Seventh Annual Computer Security Applications Conference (ACSAC 2011), pp. 297–306 (2011)
Ecma International. ECMAScript language specification, Standard ECMA-262, 3rd edn. (December 1999)
Erlingsson, U., Benjamin Livshits, V., Xie, Y.: End-to-end web application security. In: 11th Workshop on Hot Topics in Operating Systems, San Diego, CA, USA (May 2007)
Facebook Developers. Facebook JavaScript, http://wiki.developers.facebook.com/index.php/FBJS (retrieved on July 19, 2013)
Google Caja. A source-to-source translator for securing JavaScript-based web content, http://code.google.com/p/google-caja/
Benjamin Livshits, V., Guarnieri, S.: Gatekeeper: Mostly static enforcement of security and reliability policies for JavaScript code. In: 18th USENIX Security Symposium, Montreal, Canada (August 2009)
Maffeis, S., Mitchell, J.C., Taly, A.: Language-based isolation of untrusted JavaScript. In: 22nd IEEE Computer Security Foundations Symposium, Port Jefferson, NY, USA (July 2009)
Maffeis, S., Mitchell, J.C., Taly, A.: Run-time enforcement of secure JavaScript subsets. In: 3rd Workshop in Web 2.0 Security and Privacy, Oakland, CA, USA (May 2009)
Meyerovich, L., Livshits, B.: ConScript: Specifying and Enforcing Fine-Grained Security Policies for JavaScript in the Browser. In: Proceedings of the 2010 IEEE Symposium on Security and Privacy, SP 2010. IEEE Computer Society (2010)
Ofuonye, E., Miller, J.: Securing web-clients with instrumented code and dynamic runtime monitoring. Journal of Systems and Software 86(6), 1689–1711 (2013)
Phung, P.H., Sands, D., Chudnov, A.: Lightweight self-protecting JavaScript. In: ACM Symposium on Information, Computer and Communications Security, Sydney, Australia (March 2009)
Reis, C., Dunagan, J., Wang, H.J., Dubrovsky, O., Esmeir, S.: BrowserShield: Vulnerability-driven filtering of dynamic HTML. In: 7th Symposium on Operating Systems Design and Implementation, Seattle, WA, USA (November 2006)
Stamm, S., Sterne, B., Markham, G.: Reining in the web with content security policy. In: Proceedings of the 19th International Conference on World Wide Web, pp. 921–930 (2010)
Wikipedia. Narcissus (JavaScript engine) (2012), http://en.wikipedia.org/wiki/Narcissus_JavaScript_engine , (Online; accessed December 12, 2012)
World Wide Web Consortium. Document object model (DOM) level 2 core specification (November 2000), http://www.w3.org/TR/DOM-Level-2-Core/
Yigit, O.: Hash functions, http://www.cse.yorku.ca/~oz/hash.html
Yu, D., Chander, A., Islam, N., Serikov, I.: JavaScript instrumentation for browser security. In: Proceedings of the 34th Proceedings of the SIGACT-SIGPLAN Symposium on Principles of Programming Languages, pp. 237–249 (2007)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2013 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Ter Louw, M., Phung, P.H., Krishnamurti, R., Venkatakrishnan, V.N. (2013). SafeScript: JavaScript Transformation for Policy Enforcement. In: Riis Nielson, H., Gollmann, D. (eds) Secure IT Systems. NordSec 2013. Lecture Notes in Computer Science, vol 8208. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-41488-6_5
Download citation
DOI: https://doi.org/10.1007/978-3-642-41488-6_5
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-41487-9
Online ISBN: 978-3-642-41488-6
eBook Packages: Computer ScienceComputer Science (R0)