Safe Wrappers and Sane Policies for Self Protecting JavaScript

  • Conference paper
Information Security Technology for Applications (NordSec 2010)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 7127)

Abstract

Phung et al. (ASIACCS’09) describe a method for wrapping built-in functions of JavaScript programs in order to enforce security policies. The method is appealing because it requires neither deep transformation of the code nor browser modification. Unfortunately, the implementation outlined suffers from a range of vulnerabilities, and policy construction is restrictive and error-prone. In this paper we address these issues to provide a systematic way to avoid the identified vulnerabilities, and make it easier for the policy writer to construct declarative policies, i.e. policies upon which attacker code has no side effects.
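A general illustration of the approach the abstract describes, added here and not taken from the paper or from Phung et al.'s implementation: a wrapper mediates a built-in through a policy whose decision depends only on values that later page code cannot alter. `makeWrapper`, `hostAllowed` and the `net.send` stand-in are hypothetical names, and the sample calls are constructed.

```javascript
'use strict';
// Added illustration; makeWrapper, hostAllowed and `net` are hypothetical.

// Snapshot what the enforcement code needs before any untrusted script runs.
const apply = Reflect.apply;
const freeze = Object.freeze;

// Allow-list as a null-prototype table: lookups never consult Object.prototype,
// so properties added there by page code cannot change the answer.
const ALLOWED = Object.create(null);
ALLOWED['api.example.test'] = true;
freeze(ALLOWED);

// Policy: a pure function of primitive strings and the frozen table.
function hostAllowed(args) {
  return ALLOWED[args[0]] === true;
}

// Replace obj[name] with a wrapper that consults the policy before the built-in.
function makeWrapper(obj, name, policy) {
  const original = obj[name];          // kept private in this closure
  obj[name] = function wrapped() {
    const args = [];
    for (let i = 0; i < arguments.length; i++) {
      args[i] = `${arguments[i]}`;     // coerce once: policy and built-in see the same value
    }
    freeze(args);
    return policy(args) ? apply(original, this, args) : undefined;
  };
}

// Constructed scenario: `net.send` stands in for a security-relevant built-in.
function demo() {
  const sent = [];
  const net = { send(host, body) { sent.push(host); return `sent:${body}`; } };
  makeWrapper(net, 'send', hostAllowed);

  // Later page code alters a shared prototype and passes an argument whose
  // string value changes between reads; neither may affect the decision.
  Object.prototype['other.example.test'] = true;
  let reads = 0;
  const shifty = { toString() { return reads++ === 0 ? 'api.example.test' : 'other.example.test'; } };

  const results = [net.send('api.example.test', 'a'), net.send('other.example.test', 'b'), net.send(shifty, 'c')];
  delete Object.prototype['other.example.test'];
  return { results, sent };
}
```
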

References

  1. Ajaxpect: Aspect-Oriented Programming for Ajax (2008), http://code.google.com/p/ajaxpect/

  2. Anderson, J.P.: Computer security technology planning study. Technical Report ESD-TR-73-51, US Air Force, Electronic Systems Division, Deputy for Command and Management Systems, HQ Electronic Systems Division (AFSC), USA (1972)


  3. AspectJS: A JavaScript MCI/AOP Component-Library. Version 1.1, commercial (2008), http://www.aspectjs.com/

  4. Balz, C.M.: The AspectES Framework: AOP for EcmaScript, http://aspectes.tigris.org/ (accessed in January 2010)

  5. Barth, A., Jackson, C., Mitchell, J.C.: Securing frame communication in browsers. Commun. ACM 52(6), 83–91 (2009)


  6. Barth, A., Weinberger, J., Song, D.: Cross-origin JavaScript capability leaks: Detection, exploitation, and defense. In: Proc. of the 18th USENIX Security Symposium (USENIX Security 2009) (2009)


  7. Cerny, R.: Cerny.js: a JavaScript library. Version 2.0, http://www.cerny-online.com/cerny.js/

  8. Chess, B., O’Neil, Y.T., West, J.: JavaScript Hijacking, http://cli.gs/jshijack (accessed in January 2010)

  9. Dantas, D.S., Walker, D.: Harmless advice. In: POPL 2006: Conference Record of the 33rd ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, pp. 383–396. ACM, New York (2006)


  10. dojo AOP library (2008), http://cli.gs/dojoaop

  11. Ecma International. Standard ECMA-262: ECMAScript Language Specification. 5th edn., (December 2009), http://cli.gs/ecma2625e

  12. Facebook. FBJS, http://cli.gs/facebookjs

  13. Google. Attackvectors, http://code.google.com/p/google-caja/wiki/AttackVectors (accessed January 2010)

  14. Guha, A., Saftoiu, C., Krishnamurthi, S.: The Essence of JavaScript, http://www.cs.brown.edu/research/plt/dl/CS-09-10/ (accessed in January 2010)

  15. jQuery AOP. Version 1.3 (October 17, 2009), http://plugins.jquery.com/project/AOP

  16. Kikuchi, H., Yu, D., Chander, A., Inamura, H., Serikov, I.: Javascript Instrumentation in Practice. In: Ramalingam, G. (ed.) APLAS 2008. LNCS, vol. 5356, pp. 326–341. Springer, Heidelberg (2008)


  17. Maffeis, S., Mitchell, J., Taly, A.: Run-Time Enforcement of Secure JavaScript Subsets. In: Proc of W2SP 2009. IEEE (2009)


  18. Maffeis, S., Mitchell, J., Taly, A.: Object capabilities and isolation of untrusted web applications. In: Proc of IEEE Security and Privacy 2010. IEEE (2010)


  19. Maffeis, S., Mitchell, J.C., Taly, A.: Isolating JavaScript with Filters, Rewriting, and Wrappers. In: Backes, M., Ning, P. (eds.) ESORICS 2009. LNCS, vol. 5789, pp. 505–522. Springer, Heidelberg (2009)


  20. Meyerovich, L., Felt, A.P., Miller, M.: Object Views: Fine-Grained Sharing in Browsers. In: WWW2010: Proceedings of the 16th International Conference on World Wide Web. ACM (2010)


  21. Meyerovich, L., Livshits, B.: ConScript: Specifying and Enforcing Fine-Grained Security Policies for JavaScript in the Browser. In: SP 2010: Proceedings of the 2010 IEEE Symposium on Security and Privacy. IEEE Computer Society (2010)


  22. Nadji, Y., Saxena, P., Song, D.: Document Structure Integrity: A Robust Basis for Cross-site Scripting Defense. In: Proc. of Network and Distributed System Security Symposium, NDSS 2009 (2009)


  23. Ofuonye, E., Miller, J.: Resolving JavaScript Vulnerabilities in the Browser Runtime. In: 19th International Symposium on Software Reliability Engineering, ISSRE 2008, pp. 57–66 (November 2008)


  24. Open Ajax Alliance. Ajax and Mashup Security, http://cli.gs/ajaxmashupsec (accessed in January 2010)

  25. Phung, P.H., Sands, D., Chudnov, A.: Lightweight Self-Protecting JavaScript. In: ASIACCS 2009: Proceedings of the 4th International Symposium on Information, Computer, and Communications Security, pp. 47–60. ACM, New York (2009)


  26. ProSec Security group, Chalmers. Self-Protecting JavaScript project, http://www.cse.chalmers.se/~phung/projects/jss

  27. Prototype Core Team. Prototype - A JavaScript Framework, http://www.prototypejs.org/ (accessed in January 2010)

  28. Reis, C., Dunagan, J., Wang, H.J., Dubrovsky, O., Esmeir, S.: BrowserShield: Vulnerability-driven filtering of dynamic HTML. ACM Trans. Web 1(3), 11 (2007)


  29. The Mozilla Development Team. New in JavaScript 1.8.1, http://cli.gs/newjs181 (accessed in January 2010)

  30. The Tor Project. Torbutton FAQ; Security Issues, http://cli.gs/torsec (accessed in February 2010)

  31. Toledo, R., Leger, P., Tanter, E.: AspectScript: Expressive Aspects for the Web. Technical report, University of Chile Santiago, Chile (2009)


  32. Walden, J.: Web Tech Blog - Object and Array initializers should not invoke setters when evaluated, http://cli.gs/mozillasetters (accessed in January 2010)

  33. Washizaki, H., Kubo, A., Mizumachi, T., Eguchi, K., Fukazawa, Y., Yoshioka, N., Kanuka, H., Kodaka, T., Sugimoto, N., Nagai, Y., Yamamoto, R.: AOJS: Aspect-Oriented JavaScript Programming Framework for Web Development. In: ACP4IS 2009: Proceedings of the 8th Workshop on Aspects, Components, and Patterns for Infrastructure Software, pp. 31–36. ACM, New York (2009)


Copyright information

© 2012 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Magazinius, J., Phung, P.H., Sands, D. (2012). Safe Wrappers and Sane Policies for Self Protecting JavaScript. In: Aura, T., Järvinen, K., Nyberg, K. (eds) Information Security Technology for Applications. NordSec 2010. Lecture Notes in Computer Science, vol 7127. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-27937-9_17

  • DOI: https://doi.org/10.1007/978-3-642-27937-9_17

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-27936-2

  • Online ISBN: 978-3-642-27937-9

  • eBook Packages: Computer Science, Computer Science (R0)
