CPL - Chalmers Publication Library

Lightweight Self-Protecting JavaScript

Phu H. Phung (Institutionen för data- och informationsteknik (Chalmers)) ; David Sands (Institutionen för data- och informationsteknik, Datavetenskap (Chalmers)) ; Andrey Chudnov
Göteborg : Chalmers University of Technology, 2008. ISBN: 1652-926X. 40 pp.
[Report]

This paper introduces a method to control JavaScript execution. The aim is to prevent or modify inappropriate behaviour caused by e.g. malicious injected scripts or poorly designed third-party code. The approach is based on modifying the code so as to make it self-protecting: the protection mechanism (security policy) is embedded into the code itself and intercepts security relevant API calls. The challenges come from the nature of the JavaScript language: any variables in the scope of the program can be redefined, and code can be created and run on-the-fly. This creates potential problems, respectively, for tamper-proofing the protection mechanism, and for ensuring that no security relevant events bypass the protection. Unlike previous approaches to instrument and monitor JavaScript to enforce or adjust behaviour, the solution we propose is lightweight in that (i) it does not require a modified browser, and (ii) it does not require any run-time parsing and transformation of code (including dynamically generated code). As a result, the method has low run-time overhead compared to other methods satisfying (i), and the lack of need for browser modifications means that the policy can even be applied on the server to mitigate some effects of cross-site scripting bugs. We describe the implementation, and present an abstract formalisation of the basic method. Based on this formalisation we show, as an example, that it can soundly enforce the class of policies known as security automata.

Keywords: JavaScript, Language Based Security, Inlined Reference Monitors, Security Policy


A version of this technical report is to appear in Proceedings of the ACM Symposium on Information, Computer and Communications Security (ASIACCS 2009), Sydney, Australia, 10 - 12 March 2009. ACM Press.



This record was created 2008-12-12.
CPL Pubid: 81344