SafeScript: JavaScript Transformation for Policy Enforcement

  • Mike Ter Louw
  • Phu H. Phung
  • Rohini Krishnamurti
  • Venkat N. Venkatakrishnan
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8208)

Abstract

Approaches for safe execution of JavaScript on web pages have been a topic of recent research interest. A significant number of these approaches aim to provide safety through runtime mediation of accesses made by a JavaScript program. In this paper, we propose a novel, lightweight JavaScript transformation technique for enforcing security properties on untrusted JavaScript programs using source code interposition. Our approach assures namespace isolation between several principals within a single web page, and access control for sensitive browser interfaces. This access control mechanism is based on a whitelist approach to ensure soundness of the mediation. Our technique is lightweight, resulting in low run-time overhead compared to existing solutions such as BrowserShield and Caja.

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. 1.
    Van Acker, S., De Ryck, P., Desmet, L., Piessens, F., Joosen, W.: Webjail: Least-privilege integration of third-party components in web mashups. In: Twenty-Seventh Annual Computer Security Applications Conference (ACSAC 2011), pp. 307–316 (2011)Google Scholar
  2. 2.
    Agten, P., Van Acker, S., Brondsema, Y., Phung, P.H., Desmet, L., Piessens, F.: JSand: Complete client-side sandboxing of third-party JavaScript without browser modifications. In: Annual Computer Security Applications Conference (ACSAC 2012), pp. 1–10 (2012)Google Scholar
  3. 3.
    Douglas Crockford. ADsafe, http://www.adsafe.org/
  4. 4.
    Dong, X., Tran, M., Liang, Z., Jiang, X.: AdSentry: Comprehensive and flexible confinement of JavaScript-based advertisements. In: Twenty-Seventh Annual Computer Security Applications Conference (ACSAC 2011), pp. 297–306 (2011)Google Scholar
  5. 5.
    Ecma International. ECMAScript language specification, Standard ECMA-262, 3rd edn. (December 1999)Google Scholar
  6. 6.
    Erlingsson, U., Benjamin Livshits, V., Xie, Y.: End-to-end web application security. In: 11th Workshop on Hot Topics in Operating Systems, San Diego, CA, USA (May 2007)Google Scholar
  7. 7.
    Facebook Developers. Facebook JavaScript, http://wiki.developers.facebook.com/index.php/FBJS (retrieved on July 19, 2013)
  8. 8.
    Google Caja. A source-to-source translator for securing JavaScript-based web content, http://code.google.com/p/google-caja/
  9. 9.
    Benjamin Livshits, V., Guarnieri, S.: Gatekeeper: Mostly static enforcement of security and reliability policies for JavaScript code. In: 18th USENIX Security Symposium, Montreal, Canada (August 2009)Google Scholar
  10. 10.
    Maffeis, S., Mitchell, J.C., Taly, A.: Language-based isolation of untrusted JavaScript. In: 22nd IEEE Computer Security Foundations Symposium, Port Jefferson, NY, USA (July 2009)Google Scholar
  11. 11.
    Maffeis, S., Mitchell, J.C., Taly, A.: Run-time enforcement of secure JavaScript subsets. In: 3rd Workshop in Web 2.0 Security and Privacy, Oakland, CA, USA (May 2009)Google Scholar
  12. 12.
    Meyerovich, L., Livshits, B.: ConScript: Specifying and Enforcing Fine-Grained Security Policies for JavaScript in the Browser. In: Proceedings of the 2010 IEEE Symposium on Security and Privacy, SP 2010. IEEE Computer Society (2010)Google Scholar
  13. 13.
    Ofuonye, E., Miller, J.: Securing web-clients with instrumented code and dynamic runtime monitoring. Journal of Systems and Software 86(6), 1689–1711 (2013)CrossRefGoogle Scholar
  14. 14.
    Phung, P.H., Sands, D., Chudnov, A.: Lightweight self-protecting JavaScript. In: ACM Symposium on Information, Computer and Communications Security, Sydney, Australia (March 2009)Google Scholar
  15. 15.
    Reis, C., Dunagan, J., Wang, H.J., Dubrovsky, O., Esmeir, S.: BrowserShield: Vulnerability-driven filtering of dynamic HTML. In: 7th Symposium on Operating Systems Design and Implementation, Seattle, WA, USA (November 2006)Google Scholar
  16. 16.
    Stamm, S., Sterne, B., Markham, G.: Reining in the web with content security policy. In: Proceedings of the 19th International Conference on World Wide Web, pp. 921–930 (2010)Google Scholar
  17. 17.
    Wikipedia. Narcissus (JavaScript engine) (2012), http://en.wikipedia.org/wiki/Narcissus_JavaScript_engine, (Online; accessed December 12, 2012)
  18. 18.
    World Wide Web Consortium. Document object model (DOM) level 2 core specification (November 2000), http://www.w3.org/TR/DOM-Level-2-Core/
  19. 19.
    Yigit, O.: Hash functions, http://www.cse.yorku.ca/~oz/hash.html
  20. 20.
    Yu, D., Chander, A., Islam, N., Serikov, I.: JavaScript instrumentation for browser security. In: Proceedings of the 34th Proceedings of the SIGACT-SIGPLAN Symposium on Principles of Programming Languages, pp. 237–249 (2007)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • Mike Ter Louw
    • 1
  • Phu H. Phung
    • 2
    • 1
    • 3
  • Rohini Krishnamurti
    • 1
  • Venkat N. Venkatakrishnan
    • 1
  1. 1.Department of Computer ScienceUniversity of Illinois at ChicagoUSA
  2. 2.Department of Computer Science and EngineeringUniversity of GothenburgSweden
  3. 3.Chalmers University of TechnologySweden

Personalised recommendations