skip to main content
research-article

Flexible access control for javascript

Published:29 October 2013Publication History
Skip Abstract Section

Abstract

Providing security guarantees for systems built out of untrusted components requires the ability to define and enforce access control policies over untrusted code. In Web 2.0 applications, JavaScript code from different origins is often combined on a single page, leading to well-known vulnerabilities. We present a security infrastructure which allows users and content providers to specify access control policies over subsets of a JavaScript program by leveraging the concept of delimited histories with revocation. We implement our proposal in WebKit and evaluate it with three policies on 50 widely used websites with no changes to their JavaScript code and report performance overheads and violations.

References

  1. M. Abadi and C. Fournet. Access control based on execution history. In Network and Distributed System Security Symp. (NDSS), 2003.Google ScholarGoogle Scholar
  2. D. Akhawe, A. Barth, P. E. Lam, J. Mitchell, and D. Song. Towards a formal foundation of web security. In ph Computer Security Foundations Symposium (CSF), 2010. Google ScholarGoogle ScholarDigital LibraryDigital Library
  3. E. Athanasopoulos, V. Pappas, and E. P. Markatos. Code-injection attacks in browsers supporting policies. In W2SP 2009: WEB 2.0 Security and Privacy, 2009.Google ScholarGoogle Scholar
  4. A. Barth, C. Jackson, and W. Li. Attacks on javascript mashup communication. In W2SP 2009: WEB 2.0 Security and Privacy, 2009.Google ScholarGoogle Scholar
  5. A. Barth, C. Jackson, and J. C. Mitchell. Securing frame communication in browsers. Commun. ACM, 52(6), 2009. Google ScholarGoogle ScholarDigital LibraryDigital Library
  6. L. Bauer, J. Ligatti, and D. Walker. Composing expressive runtime security policies. ACM Trans. Softw. Eng. Methodol., 18:9:1--9:43, 2009. Google ScholarGoogle ScholarDigital LibraryDigital Library
  7. A. Birgisson, M. Dhawan, U. Erlingsson, V. Ganapathy, and L. Iftode. Enforcing authorization policies using transactional memory introspection. In Conference on Computer and communications security (CCS), 2008. Google ScholarGoogle ScholarDigital LibraryDigital Library
  8. R. Chugh, J. A. Meister, R. Jhala, and S. Lerner. Staged information flow for JavaScript. In Conference on Programming language design and implementation (PLDI), 2009. Google ScholarGoogle ScholarDigital LibraryDigital Library
  9. W. De Groef, D. Devriese, N. Nikiforakis, and F. Piessens. FlowFox: a web browser with flexible and precise information flow control. In Computer and Communications Security (CCS), 2012. Google ScholarGoogle ScholarDigital LibraryDigital Library
  10. F. De Keukelaere, S. Bhola, M. Steiner, S. Chari, and S. Yoshihama. Smash: secure component model for cross-domain mashups on unmodified browsers. In Conference on World Wide Web (WWW), 2008. Google ScholarGoogle ScholarDigital LibraryDigital Library
  11. M. Dhawan, C.-c. Shan, and V. Ganapathy. Enhancing JavaScript with transactions. In ECOOP-Object-Oriented Programming, 2012. Google ScholarGoogle ScholarDigital LibraryDigital Library
  12. A. Felt, P. Hooimeijer, D. Evans, and W. Weimer. Talking to strangers without taking their candy: isolating proxied content. In Workshop on Social Network Systems (SocialNets), 2008. Google ScholarGoogle ScholarDigital LibraryDigital Library
  13. S. Guarnieri and B. Livshits. Gatekeeper: Mostly static enforcement of security and reliability policies for JavaScript code. In USENIX Security Symposium, 2009. Google ScholarGoogle ScholarDigital LibraryDigital Library
  14. A. Guha, S. Krishnamurthi, and T. Jim. Using static analysis for Ajax intrusion detection. In Conference on World wide web (WWW), 2009. Google ScholarGoogle ScholarDigital LibraryDigital Library
  15. O. Hallaraker and G. Vigna. Detecting malicious JavaScript Code in Mozilla. In Conference on Engineering of Complex Computer Systems (ICECCS), 2005. Google ScholarGoogle ScholarDigital LibraryDigital Library
  16. M. Herlihy and J. E. B. Moss. Transactional memory: architectural support for lock-free data structures. In International Symposium on Computer architecture (ISCA), 1993. Google ScholarGoogle ScholarDigital LibraryDigital Library
  17. J. Howell, C. Jackson, H. J. Wang, and X. Fan. MashupOS: operating system abstractions for client mashups. In Workshop on Hot topics in Operating Systems (HOTOS), 2007. Google ScholarGoogle ScholarDigital LibraryDigital Library
  18. A. Janc and L. Olejnik. Feasibility and real-world implications of web browser history detection. In Proceedings of the 2010 Workshop on Web 2.0 Security and Privacy, 2010.Google ScholarGoogle Scholar
  19. D. Jang, R. Jhala, S. Lerner, and H. Shacham. An empirical study of privacy-violating information flows in JavaScript web applications. In Conference on Computer and communications security (CSS, 2010. Google ScholarGoogle ScholarDigital LibraryDigital Library
  20. T. Jim, N. Swamy, and M. Hicks. Defeating script injection attacks with browser-enforced embedded policies. In International conference on World Wide Web (WWW), 2007. Google ScholarGoogle ScholarDigital LibraryDigital Library
  21. M. E. Locasto, A. Stavrou, G. F. Cretu, and A. D. Keromytis. From STEM to SEAD: Speculative execution for automated defense. In USENIX Annual Technical Conference, 2007. Google ScholarGoogle ScholarDigital LibraryDigital Library
  22. M. T. Louw, K. T. Ganesh, and V. Venkatakrishnan. AdJail: Practical enforcement of confidentiality and integrity policies on web advertisements. In USENIX Security Symposium, 2010. Google ScholarGoogle ScholarDigital LibraryDigital Library
  23. S. Maffeis, J. Mitchell, and A. Taly. Isolating JavaScript with filters, rewriting, and wrappers. In Computer Security (ESORICS), 2009. Google ScholarGoogle ScholarDigital LibraryDigital Library
  24. S. Maffeis and A. Taly. Language-based isolation of untrusted JavaScript. In Symposium on Computer Security Foundations (CSF), 2009. Google ScholarGoogle ScholarDigital LibraryDigital Library
  25. L. A. Meyerovich and B. Livshits. ConScript: specifying and enforcing fine-grained security policies for JavaScript in the browser. In Symposium on Security and Privacy (S&P), 2010. Google ScholarGoogle ScholarDigital LibraryDigital Library
  26. N. Nikiforakis, L. Invernizzi, A. Kapravelos, S. Van Acker, W. Joosen, C. Kruegel, F. Piessens, and G. Vigna. You are what you include: Large-scale evaluation of remote JavaScript inclusions. In Computer and Communications Security (CCS), 2012. Google ScholarGoogle ScholarDigital LibraryDigital Library
  27. P. H. Phung, D. Sands, and A. Chudnov. Lightweight self-protecting JavaScript. In International Symposium on Information, Computer, and Communications Security (ASIACCS), 2009. Google ScholarGoogle ScholarDigital LibraryDigital Library
  28. C. Reis, J. Dunagan, H. J. Wang, O. Dubrovsky, and S. Esmeir. Browsershield: Vulnerability-driven filtering of dynamic HTML. ACM Trans. Web, 1(3):11, 2007. Google ScholarGoogle ScholarDigital LibraryDigital Library
  29. C. Reis and S. D. Gribble. Isolating web programs in modern browser architectures. In European Conference on Computer Systems (EUROSYS), 2009. Google ScholarGoogle ScholarDigital LibraryDigital Library
  30. G. Richards, C. Hammer, B. Burg, and J. Vitek. The eval that men do -- a large-scale study of the use of eval in JavaScript applications. In ECOOP--Object-oriented Programming, 2011. Google ScholarGoogle ScholarDigital LibraryDigital Library
  31. G. Richards, S. Lebresne, B. Burg, and J. Vitek. An analysis of the dynamic behavior of JavaScript programs. In Conference on Programming Language Design and Implementation (PLDI), 2010. Google ScholarGoogle ScholarDigital LibraryDigital Library
  32. A. Rudys and D. S. Wallach. Transactional rollback for language-based systems. In Conference on Dependable Systems and Networks (DSN), 2002. Google ScholarGoogle ScholarDigital LibraryDigital Library
  33. F. B. Schneider. Enforceable security policies. ACM Trans. Inf. Syst. Secur., 3:30--50, February 2000. Google ScholarGoogle ScholarDigital LibraryDigital Library
  34. A. Taly, Ú. Erlingsson, J. C. Mitchell, M. S. Miller, and J. Nagra. Automated Analysis of Security-Critical JavaScript APIs. In Symposium on Security and Privacy (S&P), 2011. Google ScholarGoogle ScholarDigital LibraryDigital Library
  35. K. Vikram, A. Prateek, and B. Livshits. Ripley: automatically securing web 2.0 applications through replicated execution. In Conference on Computer and Communications Security (CCS), 2009. Google ScholarGoogle ScholarDigital LibraryDigital Library
  36. D. Yu, A. Chander, N. Islam, and I. Serikov. JavaScript instrumentation for browser security. In Symposium on Principles of programming languages (POPL), 2007. Google ScholarGoogle ScholarDigital LibraryDigital Library
  37. Úlfar Erlingsson. The Inlined Reference Monitor Approach to Security Policy Enforcement. PhD thesis, Cornell University, 2004. Google ScholarGoogle ScholarDigital LibraryDigital Library

Index Terms

  1. Flexible access control for javascript

    Recommendations

    Comments

    Login options

    Check if you have access through your login credentials or your institution to get full access on this article.

    Sign in

    Full Access

    • Published in

      cover image ACM SIGPLAN Notices
      ACM SIGPLAN Notices  Volume 48, Issue 10
      OOPSLA '13
      October 2013
      867 pages
      ISSN:0362-1340
      EISSN:1558-1160
      DOI:10.1145/2544173
      Issue’s Table of Contents
      • cover image ACM Conferences
        OOPSLA '13: Proceedings of the 2013 ACM SIGPLAN international conference on Object oriented programming systems languages & applications
        October 2013
        904 pages
        ISBN:9781450323741
        DOI:10.1145/2509136

      Copyright © 2013 ACM

      Publisher

      Association for Computing Machinery

      New York, NY, United States

      Publication History

      • Published: 29 October 2013

      Check for updates

      Qualifiers

      • research-article

    PDF Format

    View or Download as a PDF file.

    PDF

    eReader

    View online with eReader.

    eReader
    About Cookies On This Site

    We use cookies to ensure that we give you the best experience on our website.

    Learn more

    Got it!