ISC 2010: Information Security, pp 203-209
An Architecture for Enforcing JavaScript Randomization in Web2.0 Applications
Conference paper
Abstract
Instruction Set Randomization (ISR) is a promising technique for preventing code-injection attacks. In this paper we present a complete randomization framework for JavaScript aiming at detecting and preventing Cross-Site Scripting (XSS) attacks. RaJa randomizes JavaScript source without changing the code structure. Only JavaScript identifiers are carefully modified and the randomized code can be mixed with many other programming languages. Thus, RaJa can be practically deployed in existing web applications, which intermix server-side, client-side and markup languages.
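The following is an added example, not code from the paper or from RaJa: it illustrates identifier-only randomization by tagging every identifier-like token with a per-response key and rejecting any script that contains an untagged identifier. The suffix scheme, the function names (newKey, randomize, derandomize, accepts) and the sample script are assumptions made for illustration.

```javascript
// Added illustration only; the suffix scheme is an assumption, not RaJa's code.
const { randomBytes } = require('crypto');

// Comments, string literals and numbers are matched first so they pass through
// unchanged; identifier-like tokens (keywords included) land in group 1.
// Regex and template literals are not handled in this sketch.
const TOKEN = /\/\/[^\n]*|\/\*[\s\S]*?\*\/|"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'|\d[\w.]*|([A-Za-z_$][\w$]*)/g;

// Fresh per-response key; "_" + hex keeps tagged names valid identifiers.
function newKey() {
  return '_' + randomBytes(8).toString('hex');
}

// Server side: tag every identifier, leave structure and layout untouched.
function randomize(src, key) {
  return src.replace(TOKEN, (tok, id) => (id ? id + key : tok));
}

// Client side: strip the tag; an untagged identifier means injected code.
function derandomize(src, key) {
  return src.replace(TOKEN, (tok, id) => {
    if (!id) return tok;
    if (id.length <= key.length || !id.endsWith(key)) {
      throw new Error('untagged identifier: ' + id);
    }
    return id.slice(0, -key.length);
  });
}

// Convenience check: true only if every identifier carries the key.
function accepts(src, key) {
  try {
    derandomize(src, key);
    return true;
  } catch (e) {
    return false;
  }
}

// Constructed sample script (not from the paper).
const SAMPLE = 'var msg = "hi there"; // greet\ndocument.write(msg + 0x10);';
```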
Copyright information
© Springer-Verlag Berlin Heidelberg 2011