Article

JavaScript instrumentation for browser security

Authors:
Dachuan Yu

DoCoMo Communications Laboratories USA, Inc.

DoCoMo Communications Laboratories USA, Inc.
View Profile

,
Ajay Chander

DoCoMo Communications Laboratories USA, Inc.

DoCoMo Communications Laboratories USA, Inc.
View Profile

,
Nayeem Islam

DoCoMo Communications Laboratories USA, Inc.

DoCoMo Communications Laboratories USA, Inc.
View Profile

,
Igor Serikov

DoCoMo Communications Laboratories USA, Inc.

DoCoMo Communications Laboratories USA, Inc.
View Profile

POPL '07: Proceedings of the 34th annual ACM SIGPLAN-SIGACT symposium on Principles of programming languagesJanuary 2007Pages 237–249https://doi.org/10.1145/1190216.1190252

Published:17 January 2007Publication History

POPL '07: Proceedings of the 34th annual ACM SIGPLAN-SIGACT symposium on Principles of programming languages

Pages 237–249

ABSTRACT

It is well recognized that JavaScript can be exploited to launch browser-based security attacks. We propose to battle such attacks using program instrumentation. Untrusted JavaScript code goes through a rewriting process which identifies relevant operations, modifies questionable behaviors, and prompts the user (a web page viewer) for decisions on how to proceed when appropriate. Our solution is parametric with respect to the security policy-the policy is implemented separately from the rewriting, and the same rewriting process is carried out regardless of which policy is in use. Be-sides providing a rigorous account of the correctness of our solution, we also discuss practical issues including policy management and prototype experiments. A useful by-product of our work is an operational semantics of a core subset of JavaScript, where code embedded in (HTML) documents may generate further document pieces (with new code embedded) at runtime, yielding a form of self-modifying code.

References

C. Anderson, P. Giannini, and S. Drossopoulou. Towards type inference for JavaScript. In Proc. 19th European Conference on Object-Oriented Programming, pages 429--452, Glasgow, UK, July 2005. Google ScholarDigital Library
L. Bauer, J. Ligatti, and D. Walker. Composing security policies with Polymer. In Proc. 2005 ACM Conference on Programming Language Design and Implementation, pages 305--314, Chicago, IL, June 2005. Google ScholarDigital Library
N. Chou, R. Ledesma, Y. Teraguchi, D. Boneh, and J. C. Mitchell. Client-side defense against web-based identity theft. In Proc. 11th Annual Network and Distributed System Security Symposium, San Diego, CA, Feb. 2004.Google Scholar
ECMA International. ECMAScript language specification. Stardard ECMA-262, 3rd Edition, http://www.ecma-international.org/publications/files/ECMA ST/Ecma-262.pdf, Dec. 1999.Google Scholar
U. Erlingsson and F. B. Schneider. SASI enforcement of security policies: A retrospective. In Proc. 1999 New Security Paradigms Workshop, pages 87--95, Caledon Hills, Ontario, Canada, Sept. 1999. Google ScholarDigital Library
D. Evans and A. Twyman. Flexible policy-directed code safety. In Proc. 20th IEEE Symposium on Security and Privacy, pages 32--47, Oakland, CA, May 1999.Google ScholarCross Ref
J. J. Garrett. Ajax: A new approach to web applications. Adaptive Path essay, http://www.adaptivepath.com/publications/essays/archives/000385.php, Feb. 2005.Google Scholar
R. Hansen. XSS cheat sheet. Appendix of OWASP 2.0 Guide,http://ha.ckers.org/xss.html, Apr. 2005.Google Scholar
A. L. Hors, P. L. Hegaret, L. W. ad Gavin Nicol, J. Robie, M. Champion, and S. Byrne. Document Object Model (DOM) level 3 core specification. W3C candidate recommendation, http://www.w3.org/TR/2003/CR-DOM-Level-3-Core-20031107/, Nov. 2003.Google Scholar
J. Ligatti, L. Bauer, and D. Walker. Edit automata: Enforcement mechanisms for run-time security policies. International Journal of Information Security, 4(2):2--16, Feb. 2005.Google ScholarDigital Library
G. A. D. Lucca, A. R. Fasolino, M. Mastoianni, and P. Tramontana. Identifying cross-site scripting vulnerabilities in web applications. In Proc. 6th IEEE International Workshop on Web Site Evolution, pages 71--80, Washington, DC, 2004. Google ScholarDigital Library
MozillaZine. XPCNativeWrapper. MozillaZine Knowledge Base, http://kb.mozillazine.org/XPCNativeWrapper, 2006.Google Scholar
T. Parr et al. ANTLR reference manual. Reference manual,http://www.antlr.org/, Jan. 2005.Google Scholar
Point Blank Security. The XSS blacklists. http://www.pointblanksecurity.com/xss/ and http://www.pointblanksecurity.com/xss/xss2.php, 2002--2005.Google Scholar
A. Rudys and D. S. Wallach. Termination in language-based systems. ACM Transactions on Information and System Security, 5(2):138--168, May 2002. Google ScholarDigital Library
J. H. Saltzer and M. D. Schroeder. The protection of information in computer systems. Proceeding of the IEEE, 63(9):1278--1308, Sept. 1975.Google ScholarCross Ref
F. B. Schneider. Enforceable security policies. Transactions on Information and System Security, 3(1):30--50, Feb. 2000. Google ScholarDigital Library
Z. Su and G. Wassermann. The essence of command injection attacks in web applications. In Proc. 33rd ACM Symposium on Principles of Programming Languages, pages 372--382, Charleston, SC, Jan. 2006. Google ScholarDigital Library
Symantec Corp. JS.Yamanner@m. Symantec Security Response, http://www.symantec.com/security_response/writeup.jsp?docid=2006-061211-4111-99, June 2006.Google Scholar
P. Thiemann. Towards a type system for analyzing JavaScript programs. In Proc. 14th European Symposium on Programming, pages 408--422, Edinburgh, UK, Apr. 2005. Google ScholarDigital Library
A. van Kesteren and D. Jackson. The XMLHttpRequest object. W3C working draft,http://www.w3.org/TR/XMLHttpRequest/, 2006.Google Scholar
R. Wahbe, S. Lucco, T. E. Anderson, and S. L. Graham. Efficient software-based fault isolation. In Proc. 14th ACM Symposium on Operating Systems Principles, pages 203--216, Asheville, NC, 1993. Google ScholarDigital Library
D. Walker. A type system for expressive security policies. In Proc. 27th ACM Symposium on Principles of Programming Languages, pages 254--267, Boston, MA, 2000. Google ScholarDigital Library
Y. Xie and A. Aiken. Static detection of security vulnerabilities in scripting languages. In Proc. 15th USENIX Security Symposium, Vancouver, B.C., Canada, July 2006. Google ScholarDigital Library

Index Terms

JavaScript instrumentation for browser security
1. Software and its engineering
  1. Software notations and tools
    1. Formal language definitions
2. Theory of computation

Recommendations

JavaScript instrumentation for browser security
Proceedings of the 2007 POPL Conference

It is well recognized that JavaScript can be exploited to launch browser-based security attacks. We propose to battle such attacks using program instrumentation. Untrusted JavaScript code goes through a rewriting process which identifies relevant ...
Read More
An Analysis of URLs Generated from JavaScript Code
ICIS '12: Proceedings of the 2012 IEEE/ACIS 11th International Conference on Computer and Information Science

Search engines use a crawling system to recursively download web pages, analyze HTML pages, and generate a new list of URLs to crawl. As web pages are becoming more dynamic than before, JavaScript is heavily used, which poses a great challenge for the ...
Read More
The visible Web browser

As an aid to the study of the World-Wide Web, we have developed a software application that allows a user to observe the messages passed between a Web browser and a Web server. The application is based on the Mozilla Web Browser, and displays the HTTP ...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Published in
POPL '07: Proceedings of the 34th annual ACM SIGPLAN-SIGACT symposium on Principles of programming languages
January 2007
400 pages
ISBN:1595935754
DOI:10.1145/1190216
General Chair:
Martin Hofmann
Ludwig-Maximilians U, Munich, Germany
,
Program Chair:
Matthias Felleisen
Northeastern University, Boston MA
ACM SIGPLAN Notices Volume 42, Issue 1
Proceedings of the 2007 POPL Conference
January 2007
379 pages
ISSN:0362-1340
EISSN:1558-1160
DOI:10.1145/1190215
Issue’s Table of Contents
Copyright © 2007 ACM
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 17 January 2007
Permissions
Request permissions about this article.
Request Permissions

Check for updates
Author Tags
JavaScript
edit automata
program instrumentation
web browser
Qualifiers
- Article
Conference

Acceptance Rates
Overall Acceptance Rate824of4,130submissions,20%
Upcoming Conference
POPL '25

Sponsor:

sigplan

The 52nd Annual ACM SIGPLAN Symposium on Principles of Programming Languages

January 19 - 25, 2025

Denver , CO , USA
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 128
  Total Citations
  View Citations
- 3,020
  Total Downloads
- Downloads (Last 12 months)39
- Downloads (Last 6 weeks)4
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

JavaScript instrumentation for browser security

POPL '07: Proceedings of the 34th annual ACM SIGPLAN-SIGACT symposium on Principles of programming languages

ABSTRACT

References

Cited By

Index Terms

Recommendations

JavaScript instrumentation for browser security

An Analysis of URLs Generated from JavaScript Code

The visible Web browser