ABSTRACT
It is well recognized that JavaScript can be exploited to launch browser-based security attacks. We propose to battle such attacks using program instrumentation. Untrusted JavaScript code goes through a rewriting process which identifies relevant operations, modifies questionable behaviors, and prompts the user (a web page viewer) for decisions on how to proceed when appropriate. Our solution is parametric with respect to the security policy: the policy is implemented separately from the rewriting, and the same rewriting process is carried out regardless of which policy is in use. Besides providing a rigorous account of the correctness of our solution, we also discuss practical issues including policy management and prototype experiments. A useful by-product of our work is an operational semantics of a core subset of JavaScript, where code embedded in (HTML) documents may generate further document pieces (with new code embedded) at runtime, yielding a form of self-modifying code.
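The policy-parametric design the abstract describes, as an added example that is not the paper's code: the identification and hooking of relevant operations is the same for every policy, while a separate policy object decides whether a call is allowed, rewritten, or put to the user. Runtime wrapping of the operations stands in here for the paper's source-to-source rewriting; all names (instrument, makeRequestLimitPolicy, run), the stand-in XMLHttpRequest and document objects, and the "untrusted" script are assumed and constructed for illustration.

```javascript
// Added example (assumed names, not the paper's code): policy-parametric instrumentation
// of a constructed browser stand-in. Relevant operations are fixed; the policy is a parameter.
const RELEVANT = [["XMLHttpRequest", "open"], ["XMLHttpRequest", "send"], ["document", "write"]];
// Identical hooking for every policy: each relevant call goes through policy.step(op, args),
// returning {action: "allow"|"deny"|"modify"|"prompt", args?}; ask() stands in for the user prompt.
function instrument(env, policy, ask) {
  for (const [objName, method] of RELEVANT) {
    const target = env[objName].prototype || env[objName]; // constructor vs. singleton object
    const original = target[method];
    target[method] = function (...args) {
      const op = `${objName}.${method}`;
      const d = policy.step(op, args);
      if (d.action === "deny") throw new Error(`blocked: ${op}`);
      if (d.action === "prompt" && !ask(op, args)) throw new Error(`refused: ${op}`);
      return original.apply(this, d.action === "modify" ? d.args : args);
    };
  }
  return env;
}
// A policy written separately from the instrumentation: it neutralises <script> tags passed
// to document.write and asks the user once more than `limit` requests have gone out.
function makeRequestLimitPolicy(limit) {
  let sends = 0;
  return {
    step(op, args) {
      if (op === "document.write")
        return { action: "modify", args: [String(args[0]).replace(/<script/gi, "&lt;script")] };
      if (op === "XMLHttpRequest.send") return { action: ++sends > limit ? "prompt" : "allow" };
      return { action: "allow" };
    },
  };
}
// Run a constructed untrusted script against an instrumented fake environment and report
// what reached the real operations and how often the user was asked.
function run(policy, userAllows) {
  const log = []; // constructed stand-ins for XHR and the document, not the real ones
  class XMLHttpRequest { open(m, url) { this.url = url; } send(b) { log.push(`${this.url} ${b}`); } }
  const document = { html: "", write(s) { this.html += s; } };
  let prompts = 0;
  const env = instrument({ XMLHttpRequest, document }, policy, () => { prompts++; return userAllows; });
  const untrusted = (XMLHttpRequest, document) => { // the script under test, constructed
    document.write("<script>x()</script>hello");
    for (let i = 0; i < 3; i++) {
      const r = new XMLHttpRequest(); r.open("POST", "http://example.invalid/send");
      try { r.send("msg" + i); } catch (e) { /* refused by the policy or the user */ }
    }
  };
  untrusted(env.XMLHttpRequest, env.document);
  return { html: document.html, sent: log.length, prompts };
}
```

Swapping in a different policy object changes what is modified, blocked or prompted without touching instrument(), which is the separation the abstract argues for.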
Published in: Proceedings of the 2007 POPL Conference