JavaScript instrumentation for browser security

Conference Record of the Annual ACM Symposium on Principles of Programming Languages

Volumn , Issue , 2007, Pages 237-249

  Yu, Dachuan ^a   Chander, Ajay ^a   Islam, Nayeem ^a   Serikov, Igor ^a  

^a NTT CORPORATION   (Japan)

Author keywords

Edit automata; JavaScript; Program instrumentation; Web browser

Indexed keywords

CODES (SYMBOLS); EMBEDDED SYSTEMS; JAVA PROGRAMMING LANGUAGE; WEB BROWSERS;

EDIT AUTOMATA; JAVASCRIPT; PROGRAM INSTRUMENTATION;

SECURITY OF DATA;

EID: 34548253921     PISSN: 07308566     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/1190216.1190252     Document Type: Conference Paper

References (24)

1. C. Anderson, P. Giannini, and S. Drossopoulou. Towards type inference for JavaScript. In Proc. 19th European Conference on Object-Oriented Programming, pages 429-452, Glasgow, UK, July 2005.
2. L. Bauer, J. Ligatti, and D. Walker. Composing security policies with Polymer. In Proc. 2005 ACM Conference on Programming Language Design and Implementation, pages 305-314, Chicago, IL, June 2005.
3. N. Chou, R. Ledesma, Y. Teraguchi, D. Boneh, and J. C. Mitchell. Client-side defense against web-based identity theft. In Proc. 11th Annual Network and Distributed System Security Symposium, San Diego, CA, Feb. 2004.
4. ECMA International. ECMAScript language specification. Stardard ECMA-262, 3rd Edition, http://www.ecma-international. org/publications/files/ECMA-ST/ Ecma-262.pdf, Dec. 1999.
5. U. Erlingsson and F. B. Schneider. SASI enforcement of security policies: A retrospective. In Proc. 1999 New Security Paradigms Workshop, pages 87-95, Caledon Hills, Ontario, Canada, Sept. 1999.
6. D. Evans and A. Twyman. Flexible policy-directed code safety. In Proc. 20th IEEE Symposium on Security and Privacy, pages 32-47, Oakland, CA, May 1999.
7. J. J. Garrett. Ajax: A new approach to web applications. Adaptive Path essay, http://www.adaptivepath.com/ publications/essays/archives/000385 .php, Feb. 2005.
8. R. Hansen. XSS cheat sheet. Appendix of OWASP 2.0 Guide, http://ha.ckers.org/xss.html, Apr. 2005.
9. A. L. Hors, P. L. Hegaret, L. W. ad Gavin. Nicol, J. Robie, M. Champion, and S. Byrne. Document Object Model (DOM) level 3 core specification. W3C candidate recommendation, http://www. w3.org/TR/2003/CR-DOM-Level-3-Core- 20031107/, Nov. 2003.
10. J. Ligatti, L. Bauer, and D. Walker. Edit automata: Enforcement mechanisms for run-time security policies. International Journal of Information Security, 4(2):2-16, Feb. 2005.
11. G. A. D. Lucca, A. R. Fasolino, M. Mastoianni, and P. Tramontana. Identifying cross-site scripting vulnerabilities in web applications. In Proc. 6th IEEE International Workshop on Web Site Evolution, pages 71-80, Washington, DC, 2004.
12. MozillaZine. XPCNativeWrapper. MozillaZine Knowledge Base, http://kb.mozillazine.org/XPCNativeWrapper, 2006.
13. T. Parr et al., ANTLR reference manual. Reference manual, http: //www.antlr.org/, Jan. 2005.
14. Point Blank Security. The XSS blacklists, http://www.pointblanksecurity. com/xss/ and http://www.pointblanksecurity.com/xss/xss2 .php, 2002-2005.
15. A. Rudys and D. S. Wallach. Termination in language-based systems. ACM Transactions on Information and System Security, 5(2):138168, May 2002.
16. J. H. Saltzer and M. D. Schroeder. The protection of information in computer systems. Proceeding of the IEEE, 63(9):1278-1308, Sept. 1975.
17. F. B. Schneider. Enforceable security policies. Transactions on Information and System Security, 3(1):30-50, Feb. 2000.
18. Z. Su and G. Wassermann. The essence of command injection attacks in web applications. In Proc. 33rd ACM Symposium on Principles of Programming Languages, pages 372-382, Charleston, SC, Jan. 2006.
19. Symantec Corp. JS.Yamanner@m. Symantec Security Response, http://www.Symantec.com/security_response/writeup.jsp?docid=2006-061211-4111-99, June 2006.
20. P. Thiemann. Towards a type system for analyzing JavaScript programs. In Proc. 14th European Symposium on Programming, pages 408-422, Edinburgh, UK, Apr. 2005.
21. A. van Kesteren and D. Jackson. The XMLHttpRequest object. W3C working draft, http ://www.w3.org/TR/XMLHttpRequest/, 2006.
22. R. Wahbe, S. Lucco, T. E. Anderson, and S. L. Graham. Efficient software-based fault isolation. In Proc. 14th ACM Symposium on Operating Systems Principles, pages 203-216, Asheville, NC, 1993.
23. D. Walker. A type system for expressive security policies. In Proc. 27th ACM Symposium on Principles of Progmmming Languages, pages 254-267, Boston, MA, 2000.
24. Y. Xie and A. Aiken. Static detection of security vulnerabilities in scripting languages. In Proc. 15th USENIX Security Symposium, Vancouver, B.C., Canada, July 2006.