JSand: Complete client-side sandboxing of third-party JavaScript without browser modifications

ACM International Conference Proceeding Series

Volumn , Issue , 2012, Pages 1-10

  Agten, Pieter ^a   Van Acker, Steven ^a   Brondsema, Yoran ^a   Phung, Phu H ^b   Desmet, Lieven ^a   Piessens, Frank ^a  

^a UNIVERSITY OF LEUVEN   (Belgium)

^b CHALMERS UNIVERSITY OF TECHNOLOGY   (Sweden)

Author keywords

Sandbox; Script Inclusion; Security Architecture; Web Application Security; Web Mashups

Indexed keywords

DIFFERENT ORIGINS; JAVASCRIPT; MASHUPS; SANDBOX; SANDBOXING; SECURITY ARCHITECTURE; WEB APPLICATION SECURITY;

SECURITY OF DATA; SECURITY SYSTEMS; WEBSITES;

HIGH LEVEL LANGUAGES;

EID: 84872105489     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/2420950.2420952     Document Type: Conference Paper

References (41)

1. R. Berjon. W3C HTML5 Working Draft. http://www.w3.org/TR/html5/, September 2012.
2. BuiltWith. jQuery Usage Statistics. http://trends.builtwith.com/ javascript/jQuery.
3. D. Crockford. ADsafe - making JavaScript safe for advertising. http://adsafe.org/.
4. T. V. Cutsem and M. S. Miller. On the Design of the ECMAScript Reflection API. Technical Report VUB-SOFT-TR-12-03, Department of Computer Science, Vrije Universiteit Brussel, February 2012.
5. W. De Groef, D. Devriese, N. Nikiforakis, and F. Piessens. FlowFox: a web browser with flexible and precise information flow control. In Proc. of CCS'12. ACM, 2012.
6. P. De Ryck, M. Decat, L. Desmet, F. Piessens, and W. Joosen. Security of web mashups: a survey. In Proc. of NordSec'10. Springer, 2011.
7. D. Devriese and F. Piessens. Noninterference through secure multi-execution. In Proc of SP'10, IEEE, pages 109-124, Washington, DC, USA, 2010.
8. M. Heiderich. Locking the Throne Room - How ES5+ will change XSS and Client Side Security. http://www.slideshare.net/x00mario/locking-the-throneroom- 20, November 2011.
9. Jacaranda. Jacaranda. http://jacaranda.org.
10. T. Jim, N. Swamy, and M. Hicks. Defeating Script Injection Attacks with Browser-Enforced Embedded Policies. In Proc. of WWW'07, pages 601-610, New York, NY, USA, 2007. ACM. (Pubitemid 47582289)
11. John Resig. Pure JavaScript HTML Parser. http: //ejohn.org/blog/pure- javascript-html-parser/.
12. A. Klein. DOM Based Cross Site Scripting or XSS of the Third Kind. http://www.webappsec.org/projects/articles/071105.shtml, April 2005.
13. T. Luo and W. Du. Contego: capability-based access control for web browsers. TRUST'11, pages 231-238, Berlin, Heidelberg, 2011. Springer-Verlag.
14. S. Maffeis, J. Mitchell, and A. Taly. Object capabilities and isolation of untrusted web applications. In Proc. of SP'10. IEEE, 2010.
15. S. Maffeis and A. Taly. Language-based isolation of untrusted Javascript. In Proc. of CSF'09, IEEE, 2009.
16. J. Magazinius, P. Phung, and D. Sands. Safe wrappers and sane policies for self protecting JavaScript. In Proc. of Nordsec'10, 2010.
17. L. Meyerovich and B. Livshits. ConScript: Specifying and enforcing fine-grained security policies for Javascript in the browser. In Proc. of SP'10, 2010.
18. Microsoft Live Labs. Live Labs Websandbox. http://websandbox.org.
19. Mihai Bazon. UglifyJS. https://github.com/mishoo/UglifyJS/.
20. M. S. Miller. Secure EcmaScript 5. http://code. google.com/p/es-lab/wiki/ SecureEcmaScript.
21. M. S. Miller. Robust composition: towards a unified approach to access control and concurrency control. PhD thesis, Johns Hopkins University, Baltimore, MD, USA, 2006. AAI3245526.
22. M. S. Miller, M. Samuel, B. Laurie, I. Awad, and M. Stay. Caja - safe active content in sanitized JavaScript. Technical report, Google Inc., June 2008.
23. N. Nikiforakis, L. Invernizzi, A. Kapravelos, S. Van Acker, W. Joosen, C. Kruegel, F. Piessens, and G. Vigna. You are what you include: Large-scale evaluation of remote JavaScript inclusions. In Proc. of CCS'12, October 2012.
24. NoMoreSleep. jquery-geolocation. http://code.google.com/p/jquery- geolocation/.
25. P. H. Phung and L. Desmet. A two-tier sandbox architecture for untrusted javascript. In Proc. of JSTools'12, pages 1-10, New York, NY, 2012. ACM.
26. P. H. Phung, D. Sands, and A. Chudnov. Lightweight self-protecting JavaScript. ASIACCS '09, pages 47-60, New York, NY, USA, 2009. ACM.
27. J. G. Politz, S. A. Eliopoulos, A. Guha, and S. Krishnamurthi. ADsafety: type-based verification of JavaScript Sandboxing. In Proc. of USENIX'11, SEC'11, pages 12-12, Berkeley, CA, USA, 2011.
28. Programmable Web. Keeping you up to date with APIs, mashups and the Web as platform. http://www.programmableweb.com/.
29. C. Reis, J. Dunagan, H. J. Wang, O. Dubrovsky, and S. Esmeir. BrowserShield: vulnerability-driven filtering of dynamic HTML. In Proc. of OSDI'06, pages 61-74, Berkeley, CA, USA, 2006. USENIX Association.
30. SANS Institute. SANS: Top Cyber Security Risks. http://www.sans.org/top- cyber-security-risks/, 2009.
31. S. Stamm, B. Sterne, and G. Markham. Reining in the web with content security policy. In Proc. of WWW'10, pages 921-930, New York, NY, 2010. ACM.
32. M. Ter Louw, K. T. Ganesh, and V. Venkatakrishnan. AdJail: Practical Enforcement of Confidentiality and Integrity Policies on Web Advertisements. In 19th USENIX Security Symposium, Aug. 2010.
33. The FaceBook Team. FBJS. http: //wiki.developers.facebook.com/index.php/ FBJS.
34. S. Van Acker, P. De Ryck, L. Desmet, F. Piessens, and W. Joosen. WebJail: least-privilege integration of third-party components in web mashups. ACSAC '11, pages 307-316, New York, NY, USA, 2011. ACM.
35. T. Van Cutsem and M. S. Miller. Proxies: design principles for robust object-oriented intercession APIs. SIGPLAN Not., 45(12):59-72, Oct. 2010.
36. W3C. Document Object Model (DOM) Technical Reports. http://www.w3.org/ DOM/DOMTR.
37. W3C. W3C Standards and drafts - Cross-Origin Resource Sharing. http://www.w3.org/TR/cors/.
38. W3C. W3C Standards and drafts - Uniform Messaging Policy, Level One. http://www.w3.org/TR/UMP/.
39. Yahoo! Developer Network. JavaScript: Use a Web Proxy for Cross-Domain XMLHttpRequest Calls. http://developer.yahoo.com/javascript/howto-proxy.html.
40. C. Yue and H. Wang. Characterizing Insecure JavaScript Practices on the Web. In Proc. of WWW'09, pages 961-961, April 2009.
41. M. Zalewski. Browser Security Handbook. http://code.google.com/p/ browsersec/wiki/Main.