WebJail: Least-privilege integration of third-party components in web mashups

ACM International Conference Proceeding Series

Volumn , Issue , 2011, Pages 307-316

  Van Acker, Steven ^a   De Ryck, Philippe ^a   Desmet, Lieven ^a   Piessens, Frank ^a   Joosen, Wouter ^a  

^a UNIVERSITY OF LEUVEN   (Belgium)

Author keywords

Least privilege integration; Sandbox; Web application security; Web mashups

Indexed keywords

FACEBOOK; FIREFOX; HIGH LEVEL POLICIES; INDIVIDUAL COMPONENTS; INTEGRATION TECHNIQUES; INTERNET USERS; JAVASCRIPT; LEAST-PRIVILEGE INTEGRATION; MASHUPS; MICROBENCHMARKS; MOZILLA; PERFORMANCE PENALTIES; POLICY LANGUAGE; SAME-ORIGIN POLICY; SANDBOX; SECURITY ARCHITECTURE; WEB 2.0; WEB APPLICATION; WEB APPLICATION SECURITY;

CODES (SYMBOLS); COMPUTER APPLICATIONS; INTEGRAL EQUATIONS; INTEGRATION; JAVA PROGRAMMING LANGUAGE; SECURITY OF DATA; SECURITY SYSTEMS; WORLD WIDE WEB;

WEB BROWSERS;

EID: 84855708536     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/2076732.2076775     Document Type: Conference Paper

References (34)

1. A. Barth, C. Jackson, and J. C. Mitchell. Securing frame communication in browsers. Commun. ACM, 52:83-91, June 2009.
2. P. Bisht and V. Venkatakrishnan. Xss-guard: Precise dynamic prevention of cross-site scripting attacks. In 5th GI International Conference on Detection of Intrusions & Malware, and Vulnerability Assesment, July 2008.
3. D. Crockford. ADsafe - making JavaScript safe for advertising. http://adsafe.org/.
4. P. De Ryck, M. Decat, L. Desmet, F. Piessens, and W. Joosen. Security of web mashups: a survey. In 15th Nordic Conference in Secure IT Systems (NordSec 2010). Springer, 2011.
5. P. De Ryck, L. Desmet, T. Heyman, F. Piessens, and W. Joosen. Csfire: Transparent client-side mitigation of malicious cross-domain requests. In Lecture Notes in Computer Science, volume 5965, pages 18-34. Springer Berlin / Heidelberg, February 2010.
6. P. De Ryck, L. Desmet, W. Joosen, and F. Piessens. Automatic and precise client-side protection against csrf attacks. In V. Atluri and C. Diaz, editors, Computer Security - ESORICS 2011, volume 6879 of Lecture Notes in Computer Science, pages 100-116. Springer Berlin / Heidelberg, 2011.
7. P. De Ryck, L. Desmet, P. Philippaerts, and F. Piessens. A security analysis of next generation web standards. Technical report, G. Hogben and M. Dekker (Eds.), European Network and Information Security Agency (ENISA), July 2011.
8. M. Decat. Ondersteuning voor veilige Web Mashups. Master's thesis, Katholieke Universiteit Leuven, 2010.
9. D. Devriese and F. Piessens. Noninterference through Secure Multi-execution. 2010 IEEE Symposium on Security and Privacy, pages 109-124, 2010.
10. A. Felt, P. Hooimeijer, D. Evans, and W. Weimer. Talking to strangers without taking their candy: isolating proxied content. In SocialNets '08: Proceedings of the 1st Workshop on Social Network Systems, pages 25-30, New York, NY, USA, 2008. ACM.
11. Google. Google Latitude. https://www.google.com/latitude/.
12. S. Guarnieri and B. Livshits. Gatekeeper: Mostly static enforcement of security and reliability policies for javascript code. In Proceedings of the Usenix Security Symposium, Aug. 2009.
13. I. Hickson and D. Hyatt. HTML 5 Working Draft -The sandbox Attribute. http://www.w3.org/TR/html5/the-iframe-element.html#attr-iframe-sandbox, June 2010.
14. Involver. Tweets To Pages. http://www.facebook.com/TweetsApp.
15. Jacaranda. Jacaranda. http://jacaranda.org.
16. T. Jim, N. Swamy, and M. Hicks. Defeating Script Injection Attacks with Browser-Enforced Embedded Policies. In WWW '07: Proceedings of the 16th international conference on World Wide Web, pages 601-610, New York, NY, USA, 2007. ACM. (Pubitemid 47582289)
17. Z. Li, K. Zhang, and X. Wang. Mash-if: Practical information-flow control within client-side mashups. In Dependable Systems and Networks (DSN), 2010 IEEE/IFIP International Conference on, pages 251 -260, 28 2010-july 1 2010.
18. J. Magazinius, A. Askarov, and A. Sabelfeld. A lattice-based approach to mashup security. In Proceedings of the 5th ACM Symposium on Information, Computer and Communications Security, ASIACCS '10, pages 15-23, New York, NY, USA, 2010. ACM.
19. J. Magazinius, P. Phung, and D. Sands. Safe wrappers and sane policies for self protecting javascript. In The 15th Nordic Conf. in Secure IT Systems. Springer Verlag, 2010.
20. G. Maone. Noscript 2.0.9.9. http://noscript.net/, 2011.
21. L. Meyerovich and B. Livshits. ConScript: Specifying and enforcing fine-grained security policies for Javascript in the browser. In IEEE Symposium on Security and Privacy, May 2010.
22. Microsoft Live Labs. Live Labs Websandbox. http://websandbox.org.
23. M. S. Miller, M. Samuel, B. Laurie, I. Awad, and M. Stay. Caja - safe active content in sanitized JavaScript. Technical report, Google Inc., June 2008.
24. P. H. Phung, D. Sands, and A. Chudnov. Lightweight self-protecting javascript. In Proceedings of the 4th International Symposium on Information, Computer, and Communications Security, ASIACCS '09, pages 47-60, New York, NY, USA, 2009. ACM.
25. Programmable Web. Keeping you up to date with APIs, mashups and the Web as platform. http://www.programmableweb.com/.
26. C. Reis, J. Dunagan, H. J. Wang, O. Dubrovsky, and S. Esmeir. BrowserShield: vulnerability-driven filtering of dynamic HTML. In OSDI '06: Proceedings of the 7th symposium on Operating systems design and implementation, pages 61-74, Berkeley, CA, USA, 2006. USENIX Association.
27. J. Ruderman. Configurable Security Policies. http://www.mozilla.org/ projects/security/components/ConfigPolicy.html.
28. J. Samuel. Requestpolicy 0.5.20. http://www.requestpolicy.com, 2011.
29. S. Stamm, B. Sterne, and G. Markham. Reining in the web with content security policy. In Proceedings of the 19th international conference on World wide web, WWW '10, pages 921-930, New York, NY, USA, 2010. ACM.
30. M. Ter Louw, K. T. Ganesh, and V. Venkatakrishnan. Adjail: Practical enforcement of confidentiality and integrity policies on web advertisements. In 19th USENIX Security Symposium, Aug. 2010.
31. The FaceBook Team. FBJS. http://wiki.developers.facebook.com/index.php/ FBJS.
32. W3C. W3C Standards and drafts - Javascript APIs. http://www.w3.org/TR/ #tr-Javascript-APIs.
33. Willem De Groef. ConScript For Firefox. http://cqrit.be/conscript/.
34. M. Zalewski. Browser security handbook. http://code.google.com/p/ browsersec/wiki/Main, 2010.