CPL - Chalmers Publication Library

Safe Wrappers and Sane Policies for Self Protecting JavaScript

Jonas Magazinius (Department of Computer Science and Engineering, Software Engineering (Chalmers)) ; Phu H. Phung (Department of Computer Science and Engineering, Software Engineering (Chalmers)) ; David Sands (Department of Computer Science and Engineering, Software Engineering (Chalmers))
Lecture Notes in Computer Science: 15th Nordic Conference on Secure IT Systems, NordSec 2010; Espoo; Finland; 27 October 2010 through 29 October 2010 (03029743). Vol. 7127 (2010), p. 239-255.
[Conference paper, peer-reviewed]

Phung et al (ASIACCS’09) describe a method for wrapping built-in functions of JavaScript programs in order to enforce security policies. The method is appealing because it requires neither deep transformation of the code nor browser modification. Unfortunately the implementation outlined suffers from a range of vulnerabilities, and policy construction is restrictive and error prone. In this paper we address these issues to provide a systematic way to avoid the identified vulnerabilities, and make it easier for the policy writer to construct declarative policies – i.e. policies upon which attacker code has no side effects.


This paper has been accepted and presented at OWASP AppSec Research 2010.




This record was created 2010-11-27. Last modified 2015-05-04.
CPL Pubid: 129703

 



Departments (Chalmers)

Department of Computer Science and Engineering, Software Engineering (Chalmers) (2008-2010)

Subject areas

Information and communication technology
Computer science
Software engineering


Related publications

This publication is included in:


Dynamic enforcement of decentralized security policies


Securing the mashed up web


Lightweight Enforcement of Fine-Grained Security Policies for Untrusted Software