CPL - Chalmers Publication Library

Lightweight Self-Protecting JavaScript

Phu H. Phung (Department of Computer Science and Engineering, Software Engineering (Chalmers)); David Sands (Department of Computer Science and Engineering, Computing Science (Chalmers)); Andrey Chudnov
Proceedings of the ACM Symposium on Information, Computer and Communications Security (ASIACCS 2009), pp. 47-60 (2009)
[Conference paper, peer-reviewed]

This paper introduces a method to control JavaScript execution. The aim is to prevent or modify inappropriate behaviour caused by e.g. malicious injected scripts or poorly designed third-party code. The approach is based on modifying the code so as to make it self-protecting: the protection mechanism (security policy) is embedded into the code itself and intercepts security relevant API calls. The challenges come from the nature of the JavaScript language: any variables in the scope of the program can be redefined, and code can be created and run on-the-fly. This creates potential problems, respectively, for tamper-proofing the protection mechanism, and for ensuring that no security relevant events bypass the protection. Unlike previous approaches to instrument and monitor JavaScript to enforce or adjust behaviour, the solution we propose is lightweight in that (i) it does not require a modified browser, and (ii) it does not require any run-time parsing and transformation of code (including dynamically generated code). As a result, the method has low run-time overhead compared to other methods satisfying (i), and the lack of need for browser modifications means that the policy can even be applied on the server to mitigate some effects of cross-site scripting bugs.
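The abstract describes the mechanism only in outline. The following is an added illustration written for this page, not the authors' implementation: a policy is installed as an inlined reference monitor on a constructed stand-in `env` for the browser objects a real deployment would wrap (`makeEnv`, `installPolicy` and `runUntrusted` are hypothetical names). It shows the three points the abstract raises: the monitor captures every reference it needs before untrusted code runs, so redefining a global or prototype method does not redirect it; the wrapped entry points are made non-writable and non-configurable so they cannot be replaced; and code generated at run time (here via `new Function`) reaches the same wrapped property, so it is monitored without any parsing or transformation of the generated source.

```javascript
'use strict';

// Constructed stand-in for the browser API surface a policy would wrap
// (window.open and document.cookie). A real deployment wraps the real
// objects, with the policy script loaded before any other script.
function makeEnv() {
  const log = [];
  return {
    log,
    open(url) { log.push('open:' + url); return { url }; },
    setCookie(value) { log.push('cookie:' + value); },
  };
}

// Inlined reference monitor. `open` is restricted (prevent: https-only and
// at most `maxPopups` calls); `setCookie` is adjusted (modify: the Secure
// attribute is forced). Returns the policy's own bookkeeping for inspection;
// untrusted code only ever sees `env`.
function installPolicy(env, maxPopups) {
  // Capture every function the monitor depends on before untrusted code
  // runs, so a later redefinition such as
  //   String.prototype.startsWith = () => true
  // cannot change what the monitor checks.
  const origOpen = env.open;
  const origSetCookie = env.setCookie;
  const apply = Reflect.apply;
  const Str = String;
  const startsWith = String.prototype.startsWith;
  const includes = String.prototype.includes;
  const push = Array.prototype.push;
  const denied = [];
  let popups = 0;

  function guardedOpen(url) {
    const u = Str(url);
    if (popups >= maxPopups || !apply(startsWith, u, ['https://'])) {
      apply(push, denied, [u]);
      return null;                        // prevent: the original is never reached
    }
    popups += 1;
    return apply(origOpen, env, [u]);
  }

  function guardedSetCookie(value) {
    const v = Str(value);
    // modify: the call goes through, with the Secure attribute appended
    const fixed = apply(includes, v, ['Secure']) ? v : v + '; Secure';
    return apply(origSetCookie, env, [fixed]);
  }

  // Non-writable, non-configurable wrappers: untrusted code can neither
  // reassign nor delete them (a TypeError in strict mode, silently ignored
  // in sloppy mode).
  for (const [name, fn] of [['open', guardedOpen], ['setCookie', guardedSetCookie]]) {
    Object.defineProperty(env, name, { value: fn, writable: false, configurable: false, enumerable: true });
  }

  return {
    denied,
    isIntact: () => env.open === guardedOpen && env.setCookie === guardedSetCookie,
  };
}

// Constructed untrusted script: allowed calls, a policy violation, two
// tampering attempts, and dynamically generated code.
function runUntrusted(env) {
  'use strict';                                   // makes the failed assignment below throw
  env.open('https://example.com/a');              // allowed
  String.prototype.startsWith = () => true;       // tamper 1: redefine a builtin the monitor uses
  env.open('http://evil.example/');               // still denied: the monitor holds the original
  let tampered = false;
  try {
    env.open = function (url) { return 'raw:' + url; };   // tamper 2: replace the wrapper
    tampered = true;
  } catch (e) { /* TypeError: cannot assign to read-only property */ }
  // Generated code calls the same wrapped property, so it is monitored
  // without any run-time parsing or rewriting of its source.
  const dyn = new Function('env', 'return env.open("https://example.com/b");');
  dyn(env);                                       // allowed (second popup)
  env.open('https://example.com/c');              // denied: popup quota of 2 exhausted
  env.setCookie('session=abc');                   // modified: Secure appended
  return tampered;
}

function demo() {
  const env = makeEnv();
  const monitor = installPolicy(env, 2);
  const tampered = runUntrusted(env);
  return { log: env.log, denied: monitor.denied, tampered, intact: monitor.isIntact() };
}
```

Two caveats a practitioner should keep in mind. First, the policy only covers references obtained after it ran: load order is the whole game, which is why the abstract notes the policy can be prepended on the server. Second, whether a given property of the real `window` or `document` can be made non-configurable, and which other builtins (`Function.prototype.call`, `Object.defineProperty` itself) must be captured, varies by browser and property; the example captures what it uses and makes no claim beyond that.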

Keywords: Language Based Security, Inlined Reference Monitors

JavaScript, Security, Programming
http://www.cs.chalmers.se/~dave/davewww_abstracts.html#Phung:Sands:Chudnov:ASIACCS09

This record was created 2009-04-06. Last modified 2017-09-14.
CPL Pubid: 92212


Departments (Chalmers)

Department of Computer Science and Engineering, Software Engineering (Chalmers) (2008-2010)
Department of Computer Science and Engineering, Computing Science (Chalmers)




Related publications

This publication is part of:

Lightweight Enforcement of Fine-Grained Security Policies for Untrusted Software