Safe Wrappers and Sane Policies for Self Protecting JavaScript

  • Jonas Magazinius
  • Phu H. Phung
  • David Sands
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7127)


Phung et al (ASIACCS’09) describe a method for wrapping built-in functions of JavaScript programs in order to enforce security policies. The method is appealing because it requires neither deep transformation of the code nor browser modification. Unfortunately the implementation outlined suffers from a range of vulnerabilities, and policy construction is restrictive and error prone. In this paper we address these issues to provide a systematic way to avoid the identified vulnerabilities, and make it easier for the policy writer to construct declarative policies – i.e. policies upon which attacker code has no side effects.


Policy Language User Code Declarative Policy Policy Writer Attack Code 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Ajaxpect: Aspect-Oriented Programming for Ajax (2008),
  2. 2.
    Anderson, J.P.: Computer security technology planning study. Technical Report ESD-TR-73-51, US Air Force, Electronic Systems Division, Deputy for Command and Management Systems, HQ Electronic Systems Division (AFSC), USA (1972)Google Scholar
  3. 3.
    AspectJS: A JavaScript MCI/AOP Component-Library. Version 1.1, commercial (2008),
  4. 4.
    Balz, C.M.: The AspectES Framework: AOP for EcmaScript, (accessed in January 2010)
  5. 5.
    Barth, A., Jackson, C., Mitchell, J.C.: Securing frame communication in browsers. Commun. ACM 52(6), 83–91 (2009)CrossRefGoogle Scholar
  6. 6.
    Barth, A., Weinberger, J., Song, D.: Cross-origin JavaScript capability leaks: Detection, exploitation, and defense. In: Proc. of the 18th USENIX Security Symposium (USENIX Security 2009) (2009)Google Scholar
  7. 7.
    Cerny, R.: Cerny.js: a JavaScript library. Version 2.0,
  8. 8.
    Chess, B., O’Neil, Y.T., West, J.: JavaScript Hijacking, (accessed in January 2010)
  9. 9.
    Dantas, D.S., Walker, D.: Harmless advice. In: POPL 2006: Conference Record of the 33rd ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, pp. 383–396. ACM, New York (2006)CrossRefGoogle Scholar
  10. 10.
    dojo AOP library (2008),
  11. 11.
    Ecma International. Standard ECMA-262: ECMAScript Language Specification. 5th edn., (December 2009),
  12. 12.
    Facebook. FBJS,
  13. 13.
    Google. Attackvectors, (accessed January 2010)
  14. 14.
    Guha, A., Saftoiu, C., Krishnamurthi, S.: The Essence of JavaScript, (accessed in January 2010)
  15. 15.
    jQuery AOP. Version 1.3 (October 17, 2009),
  16. 16.
    Kikuchi, H., Yu, D., Chander, A., Inamura, H., Serikov, I.: Javascript Instrumentation in Practice. In: Ramalingam, G. (ed.) APLAS 2008. LNCS, vol. 5356, pp. 326–341. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  17. 17.
    Maffeis, S., Mitchell, J., Taly, A.: Run-Time Enforcement of Secure JavaScript Subsets. In: Proc of W2SP 2009. IEEE (2009)Google Scholar
  18. 18.
    Maffeis, S., Mitchell, J., Taly, A.: Object capabilities and isolation of untrusted web applications. In: Proc of IEEE Security and Privacy 2010. IEEE (2010)Google Scholar
  19. 19.
    Maffeis, S., Mitchell, J.C., Taly, A.: Isolating JavaScript with Filters, Rewriting, and Wrappers. In: Backes, M., Ning, P. (eds.) ESORICS 2009. LNCS, vol. 5789, pp. 505–522. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  20. 20.
    Meyerovich, L., Felt, A.P., Miller, M.: Object Views: FineGrained Sharing in Browsers. In: WWW2010: Proceedings of the 16th International Conference on World Wide Web. ACM (2010)Google Scholar
  21. 21.
    Meyerovich, L., Livshits, B.: ConScript: Specifying and Enforcing Fine-Grained Security Policies for JavaScript in the Browser. In: SP 2010: Proceedings of the 2010 IEEE Symposium on Security and Privacy. IEEE Computer Society (2010)Google Scholar
  22. 22.
    Nadji, Y., Saxena, P., Song, D.: Document Structure Integrity: A Robust Basis for Cross-site Scripting Defense. In: Proc. of Network and Distributed System Security Symposium, NDSS 2009 (2009)Google Scholar
  23. 23.
    Ofuonye, E., Miller, J.: Resolving JavaScript Vulnerabilities in the Browser Runtime. In: 19th International Symposium on Software Reliability Engineering, ISSRE 2008, pp. 57–66 (November 2008)Google Scholar
  24. 24.
    Open Ajax Alliance. Ajax and Mashup Security, (accessed in January 2010)
  25. 25.
    Phung, P.H., Sands, D., Chudnov, A.: Lightweight Self-Protecting JavaScript. In: ASIACCS 2009: Proceedings of the 4th International Symposium on Information, Computer, and Communications Security, pp. 47–60. ACM, New York (2009)Google Scholar
  26. 26.
    ProSec Security group, Chalmers. Self-Protecting JavaScript project,
  27. 27.
    Prototype Core Team. Prototype - A JavaScript Framework, (accessed in January 2010)
  28. 28.
    Reis, C., Dunagan, J., Wang, H.J., Dubrovsky, O., Esmeir, S.: BrowserShield: Vulnerability-driven filtering of dynamic HTML. ACM Trans. Web 1(3), 11 (2007)CrossRefGoogle Scholar
  29. 29.
    The Mozilla Development Team. New in JavaScript 1.8.1, (accessed in January 2010)
  30. 30.
    The Tor Project. Torbutton FAQ; Security Issues, (accessed in February 2010)
  31. 31.
    Toledo, R., Leger, P., Tanter, E.: AspectScript: Expressive Aspects for the Web. Technical report, University of Chile Santiago, Chile (2009)Google Scholar
  32. 32.
    Walden, J.: Web Tech Blog - Object and Array initializers should not invoke setters when evaluated, (accessed in January 2010)
  33. 33.
    Washizaki, H., Kubo, A., Mizumachi, T., Eguchi, K., Fukazawa, Y., Yoshioka, N., Kanuka, H., Kodaka, T., Sugimoto, N., Nagai, Y., Yamamoto, R.: AOJS: Aspect-Oriented JavaScript Programming Framework for Web Development. In: ACP4IS 2009: Proceedings of the 8th Workshop on Aspects, Components, and Patterns for Infrastructure Software, pp. 31–36. ACM, New York (2009)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Jonas Magazinius
    • 1
  • Phu H. Phung
    • 1
  • David Sands
    • 1
  1. 1.Chalmers University of TechnologySweden

Personalised recommendations