Lightweight self-protecting JavaScript
Source
ASIAN ACM Symposium on Information, Computer and Communications Security
Proceedings of the 4th International Symposium on Information, Computer, and Communications Security
Sydney, Australia
SESSION: Software security
Pages 47-60
Year of Publication: 2009
ISBN: 978-1-60558-394-5
Authors
Phu H. Phung, Chalmers University of Technology, Gothenburg, Sweden
David Sands, Chalmers University of Technology, Gothenburg, Sweden
Andrey Chudnov, Stevens Institute of Technology, New Jersey
Sponsor
SIGSAC: ACM Special Interest Group on Security, Audit, and Control
Publisher
ACM, New York, NY, USA
Bibliometrics
Downloads (6 Weeks): 62, Downloads (12 Months): 219, Citation Count: 0
DOI: http://doi.acm.org/10.1145/1533057.1533067

ABSTRACT

This paper introduces a method to control JavaScript execution. The aim is to prevent or modify inappropriate behaviour caused by e.g. malicious injected scripts or poorly designed third-party code. The approach is based on modifying the code so as to make it self-protecting: the protection mechanism (security policy) is embedded into the code itself and intercepts security relevant API calls. The challenges come from the nature of the JavaScript language: any variables in the scope of the program can be redefined, and code can be created and run on-the-fly. This creates potential problems, respectively, for tamper-proofing the protection mechanism, and for ensuring that no security relevant events bypass the protection. Unlike previous approaches to instrument and monitor JavaScript to enforce or adjust behaviour, the solution we propose is lightweight in that (i) it does not require a modified browser, and (ii) it does not require any run-time parsing and transformation of code (including dynamically generated code). As a result, the method has low run-time overhead compared to other methods satisfying (i), and the lack of need for browser modifications means that the policy can even be applied on the server to mitigate some effects of cross-site scripting bugs.
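The wrapping idea the abstract describes, as an added JavaScript example that is not the paper's own code or library: a security-relevant API method is replaced by a policy-enforcing wrapper that keeps the original function in a closure (so page scripts cannot reach it) and is installed as a non-writable, non-configurable property (so it cannot be redefined). The host object, the popup policy and the stand-in `window` are all assumptions constructed for this example; in a browser you would pass `window` itself.

```javascript
// Install a policy-enforcing wrapper for host[method]. The original function is
// captured in this closure only, and the replacement property is frozen so that
// later scripts can neither read the original nor overwrite the wrapper.
function makeSelfProtecting(host, method, check) {
  const original = host[method];
  if (typeof original !== "function") {
    throw new TypeError(method + " is not a function on host");
  }
  const wrapper = function () {
    const args = Array.prototype.slice.call(arguments);
    const decision = check(args);       // policy: allow, deny, or rewrite arguments
    if (!decision.allow) return null;   // denied call is suppressed, no exception
    return original.apply(host, decision.args);
  };
  Object.defineProperty(host, method, {
    value: wrapper, writable: false, configurable: false, enumerable: true,
  });
  return wrapper;
}

// Example policy (assumed, not from the paper): at most `maxPopups` windows per
// page load and only http(s) URLs. The counter is policy state kept in the closure.
function popupPolicy(maxPopups) {
  let count = 0;
  return function check(args) {
    const url = String(args[0] == null ? "" : args[0]);
    if (!/^https?:\/\//i.test(url)) return { allow: false };
    if (count >= maxPopups) return { allow: false };
    count += 1;
    return { allow: true, args: args };
  };
}

// Constructed stand-in for `window`: records what would have been opened.
function makeFakeHost() {
  const opened = [];
  return { opened: opened, open: function (url) { opened.push(url); return { url: url }; } };
}

// True if an attempt to overwrite the wrapper left it in place
// (silently ignored in sloppy mode, TypeError in strict mode).
function tamperResisted(host, method) {
  const before = host[method];
  try { host[method] = function () { return "hijacked"; }; } catch (e) { /* strict mode */ }
  return host[method] === before;
}

function demo() {
  const host = makeFakeHost();
  makeSelfProtecting(host, "open", popupPolicy(2));
  host.open("http://example.com/a");
  host.open("javascript:void(0)");    // denied: disallowed scheme
  host.open("https://example.com/b");
  host.open("http://example.com/c");  // denied: popup limit reached
  return { opened: host.opened.slice(), resisted: tamperResisted(host, "open") };
}
```

Note that this handles only the redefinition problem the abstract names; a policy for dynamically generated code (`eval`, `Function`, `setTimeout` with a string) would wrap those entry points the same way.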
