Alhambra: A system for creating, enforcing, and testing browser security policies

Proceedings of the 19th International Conference on World Wide Web, WWW '10

Volumn , Issue , 2010, Pages 941-950

  Tang, Shuo ^a   Grier, Chris ^b   Aciicmez, Onur ^c   King, Samuel T ^a  

^a UNIVERSITY OF ILLINOIS AT URBANA CHAMPAIGN   (United States)

^b UNIVERSITY OF CALIFORNIA   (United States)

^c Samsung Advanced Institute of Technology (SAIT)   (South Korea)

Author keywords

cross site scripting; web browser; web security

Indexed keywords

ALHAMBRA; BROWSER SECURITY; BROWSING HISTORY; COMPARISON METRICS; CROSS-SITE SCRIPTING; GRAIN SECURITY; JAVASCRIPT; MULTIPLE SECURITIES; QUANTITATIVE EVALUATION; SECURITY POLICY; TEST COMPATIBILITY; WEB APPLICATION; WEB BROWSER SECURITY; WEB PAGE; WEB SECURITY;

ACCESS CONTROL; AUTOMATIC TEST PATTERN GENERATION; JAVA PROGRAMMING LANGUAGE; SECURITY SYSTEMS; XML;

WORLD WIDE WEB;

EID: 77954572680     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/1772690.1772786     Document Type: Conference Paper

References (29)

1. W3C Document Object Model. http://www.w3.org/DOM/.
2. Alexa Internet, Inc. Alexa top 500 global sites. http://www.alexa.com/ topsites.
3. D. Balzarotti, M. Cova, V. Felmetsger, N. Jovanovic, E. Kirda, C. Kruegel, and G. Vigna. Saner: Composing static and dynamic analysis to validate sanitization in web applications. In Proceedings of the 2008 IEEE Symposium on Security and Privacy, pages 387-401, Washington, DC, USA, 2008. IEEE Computer Society.
4. A. Barth, C. Jackson, and J. C. Mitchell. Robust defenses for cross-site request forgery. In Proceedings of the 15th ACM conference on Computer and communications security, pages 75-88, New York, NY, USA, 2008. ACM.
5. P. Bisht and V. Venkatakrishnan. XSS-GUARD: Precise Dynamic Prevention of Cross-Site Scripting Attacks. In Detection of Intrusions and Malware, and Vulnerability Assessment: 5th International Conference, Dimva 2008, Paris, France, July 10-11, 2008, Proceedings, page 23. Springer, 2008.
6. T. C. Bressoud and F. B. Schneider. Hypervisor-Based Fault-Tolerance. In Proceedings of the 1995 Symposium on Operating Systems Principles, pages 1-11, December 1995.
7. G. W. Dunlap, S. T. King, S. Cinar, M. Basrai, and P. M. Chen. ReVirt: Enabling Intrusion Analysis through Virtual-Machine Logging and Replay. In Proceedings of the 2002 Symposium on Operating Systems Design and Implementation (OSDI), pages 211-224, December 2002.
8. C. Grier, S. Tang, and S. T. King. Secure web browsing with the op web browser. In Proceedings of the 2008 IEEE Symposium on Security and Privacy, 2008.
9. M. V. Gundy and H. Chen. Noncespaces: Using randomization to enforce information flow tracking and thwart cross-site scripting attacks. In Proceedings of the Network and Distributed System Security Symposium, February 2009.
10. T. Jim, N. Swamy, and M. Hicks. Defeating script injection attacks with browser-enforced embedded policies. In Proceedings of the 16th international conference on World Wide Web, 2007.
11. E. Kirda, C. Kruegel, G. Vigna, and N. Jovanovic. Noxes: a client-side solution for mitigating cross-site scripting attacks. In SAC '06: Proceedings of the 2006 ACM symposium on Applied computing, pages 330-337, New York, NY, USA, 2006. ACM.
12. D. Lowe. Distinctive image features from scale-invariant keypoints. International Journal of Computer Vision, 60(2):91-110, 2004.
13. G. Maone. NoScript - JavaScript/Java/Flash blocker for a safer Firefox experience!, 2008. http://noscript.net/.
14. P. Montesinos, M. Hicks, S. T. King, and J. Torrellas. Capo: Abstractions and software-hardware interface hardware-assisted deterministic multiprocessor replay. In Proceedings of the 2009 Symposium on Architectural Support for Programming Languages and Operating Systems (ASPLOS), March 2009.
15. Mozilla. Security/csp, 2009. https://wiki.mozilla.org/Security/CSP.
16. Y. Nadji, P. Saxen, and D. Song. Document structure integrity: A robust basis for cross-site scripting defense. In Proceedings of the Network and Distributed System Security Symposium, February 2009.
17. Perl.org. Perl taint mode. http://perldoc.perl.org/perlsec.html.
18. D. Ross. IEBlog : IE8 Security Part IV: The XSS Filter, 2008. http://blogs.msdn.com/ie/archive/2008/07/01/ie8-security-part-iv-the-xssfilter. aspx.
19. R. Sekar. An efficient black-box technique for defeating web application attacks. In Proceedings of the 16th Annual Network and Distributed System Security Symposium, February 2009.
20. U. Shankar and C. Karlof. Doppelganger: Better browser privacy without the bother. In Proceedings of the 13th ACM conference on computer and communications security (CCS), 2006.
21. S. Srinivasan, S. Kandula, C. Andrews, and Y. Zhou. Flashback: A light-weight rollback and deterministic replay extension for software debugging. In Proceedings of the 2004 USENIX Technical Conference, June 2004.
22. Symantec. Symantec Global Internet Security Threat Report Trends for July-December 07, April 2008. http://www.symantec.com/business/theme.jsp? themeid=threatreport.
23. M. Ter Louw and V. Venkatakrishnan. Blueprint: Robust prevention of cross-site scripting attacks for existing browsers. In Proceedings IEEE Symposium on Security and Privacy, May 2009.
24. P. Vogt, F. Nentwich, N. Jovanovic, E. Kirda, C. Kruegel, and G. Vigna. Cross-Site Scripting Prevention with Dynamic Data Tainting and Static Analysis. In Proceeding of the Network and Distributed System Security Symposium (NDSS), San Diego, CA, February 2007.
25. H. J. Wang, X. Fan, J. Howell, and C. Jackson. Protection and communication abstractions for web browsers in mashupos. In Proceedings of the 21st ACM Symposium on Operating Systems Principles (SOSP), Oct 2007.
26. WebKit. The webkit open source project. http://www.webkit.org.
27. XSSed.com. XSSed - XSS (cross-site scripting) information and vulnerabile websites archive. http://xssed.com.
28. W. Xu, S. Bhatkar, and R. Sekar. Taint-enhanced policy enforcement: A practical approach to defeat a wide range of attacks. In Proceedings of the 15th USENIX Security Symposium, August 2006.
29. A. Yip, X. Wang, N. Zeldovich, and F. Kaashoek. Improving application security with data flow assertions. In Proceedings of the 22nd ACM Symposium on Operating Systems Principles, October 2009.