Privilege separation in HTML5 applications

Proceedings of the 21st USENIX Security Symposium

Volumn , Issue , 2012, Pages 429-444

  Akhawe, Devdatta ^a   Saxena, Prateek ^a   Song, Dawn ^a  

^a UNIVERSITY OF CALIFORNIA   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

HTML; SEPARATION;

ADMINISTRATIVE COST; APPLICATION COMPONENTS; APPLICATION-SPECIFIC CODES; ARBITRARY NUMBER; CASE-STUDIES; REAL-WORLD; RICH CLIENT; WEB APPLICATION;

HIGH LEVEL LANGUAGES;

EID: 84887312865     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: None     Document Type: Conference Paper

References (54)

1. Google Inc., “Google chrome webstore.” https://chrome.google.com/webstore/.
2. HTTP Archive, “JS Transfer Size and JS Requests.” http://httparchive.org/trends.php#bytesJS&reqJS.
3. Google Inc., “Chromium os.” http://www.chromium.org/chromium-os.
4. “Mozilla boot2gecko.” https://wiki.mozilla.org/B2G.
5. Microsoft, “Metro style app development,” 2012. http://msdn.microsoft.com/en-us/windows/apps/.
6. H. Wang, A. Moshchuk, and A. Bush, “Convergence of desktop and web applications on a multiservice os,” in Proceedings of the 4th USENIX conference on Hot topics in security, 2009.
7. N. Carlini, A. P. Felt, and D. Wagner, “An evaluation of the google chrome extension security architecture,” in Proceedings of the 21st USENIX Conference on Security, 2012.
8. P. Saxena, D. Akhawe, S. Hanna, F. Mao, S. Mc-Camant, and D. Song, “A symbolic execution framework for javascript,” in Proceedings of the 2010 IEEE Symposium on Security and Privacy, pp. 513–528.
9. S. Bandhakavi, S. T. King, P. Madhusudan, and M. Winslett, “Vex: vetting browser extensions for security vulnerabilities,” in Proceedings of the 19th USENIX conference on Security, 2010.
10. M. Dhawan and V. Ganapathy, “Analyzing information flow in javascript-based browser extensions,” in Proceedings of the Computer Security Applications Conference, pp. 382–391, IEEE, 2009.
11. S. Guarnieri and B. Livshits, “Gatekeeper: mostly static enforcement of security and reliability policies for JavaScript code,” in Usenix Security, 2009.
12. K. Jayaraman, W. Du, B. Rajagopalan, and S. Chapin, “Escudo: A fine-grained protection model for web browsers,” in Proceedings of the 30th International Conference on Distributed Computing Systems, pp. 231–240, IEEE, 2010.
13. J. Saltzer and M. Schroeder, “The protection of information in computer systems,” Proceedings of the IEEE, vol. 63, no. 9, pp. 1278–1308, 1975.
14. “lxc linux containers.” http://lxc.sourceforge.net/.
15. “Google seccomp sandbox for linux.” http://code.google.com/p/seccompsandbox/.
16. N. Provos, “Improving host security with system call policies,” in Proceedings of the 12th USENIX Security Symposium, 2003.
17. N. Provos, M. Friedl, and P. Honeyman, “Preventing privilege escalation,” in Proceedings of the 12th USENIX Security Symposium, 2003.
18. D. J. Bernstein, “Some thoughts on security after ten years of qmail 1.0,” in Proceedings of the 2007 ACM workshop on Computer security architecture.
19. A. Barth, C. Jackson, C. Reis, and T. G. C. Team, “The security architecture of the chromium browser,” 2008.
20. E. Y. Chen, J. Bau, C. Reis, A. Barth, and C. Jackson, “App isolation: get the security of multiple browsers with just one,” in Proceedings of the 18th ACM conference on Computer and communications security, pp. 227–238, 2011.
21. A. Guha, M. Fredrikson, B. Livshits, and N. Swamy, “Verified security for browser extensions,” in Proceedings of the IEEE Symposium on Security and Privacy, pp. 115–130, 2011.
22. “Html5 privilege separation: Source code release.” http://github.com/devd/html5privsep.
23. A. Barth, A. Felt, P. Saxena, and A. Boodman, “Protecting browsers from extension vulnerabilities,” in Proceedings of the 17th Network and Distributed System Security Symposium, 2010.
24. A. P. Felt, K. Greenwood, and D. Wagner, “The effectiveness of application permissions,” in Proceedings of the 2nd USENIX conference on Web application development, 2011.
25. K. W. Y. Au, Y. F. Zhou, Z. Huang, P. Gill, and D. Lie, “Short paper: A look at smartphone permission models,” in Proceedings of the 1st ACM workshop on Security and privacy in smartphones and mobile devices, 2011.
26. A. P. Felt, “Advertising and android permissions,” Nov 2011. http://www.adrienneporterfelt.com/blog/?p=357.
27. Google Inc., “Google chrome extensions: chrome.* apis.” http://code.google.com/chrome/extensions/api_index.html.
28. S. Maffeis, J. C. Mitchell, and A. Taly, “Object capabilities and isolation of untrusted web applications,” in Proceedings of the 2010 IEEE Symposium on Security and Privacy, pp. 125–140.
29. Google Inc., “Issues: google-caja: A source-to-source translator for securing Javascript-based web content.” http://code.google.com/p/ google-caja.
30. M. Finifter, J. Weinberger, and A. Barth, “Preventing capability leaks in secure JavaScript subsets,” in Proc. of Network and Distributed System Security Symposium, 2010.
31. G. Tan and J. Croft, “An empirical security study of the native code in the jdk,” in Proceedings of the 17th Usenix Conference on Security, pp. 365–377, 2008.
32. A. Barth, “Rfc 6454: The web origin concept.” http://tools.ietf.org/html/rfc6454.
33. Bugzilla@Mozilla, “Bug 341604 - (framesandbox) implement html5 sandbox attribute for iframes.” https://bugzilla.mozilla.org/show_bug.cgi?id=341604.
34. B. Sterne and A. Barth, “Content security policy: W3c editor’s draft,” 2012. https://dvcs.w3.org/hg/content-security-policy/ raw-file/tip/csp-specification.dev. html.
35. diigo.com, “Awesome screenshot: Capture annotate share.” http://www.awesomescreenshot.com/.
36. Dropbox Inc., “Dropbox developer reference.” http://www.dropbox.com/developers/ reference.
37. “Ace - ajax.org cloud9 editor.” http://ace.ajax.org/.
38. The Dojo Foundation, “The dojo toolkit.” http://dojotoolkit.org/.
39. GitHub Inc., “Edit like an ace.” https://github.com/blog/905-edit-like-an-ace.
40. “Oauth.” http://oauth.net/.
41. D. Brumley and D. Song, “Privtrans: automatically partitioning programs for privilege separation,” in Proceedings of the 13th on USENIX Conference on Security, 2004.
42. P. Josling, “dropbox-js: A javascript library for the dropbox api.” http://code.google.com/p/dropbox-js/.
43. A. van Kesteren (Ed.), “Cross-origin resource sharing.” http://www.w3.org/TR/cors/.
44. “pynarcissus: The narcissus javascript interpreter ported to python.” http://code.google.com/p/pynarcissus/.
45. A. Bittau, P. Marchenko, M. Handley, and B. Karp, “Wedge: splitting applications into reduced-privilege compartments,” in Proceedings of the 5th USENIX Symposium on Networked Systems Design and Implementation, pp. 309–322, 2008.
46. H. J. Wang, X. Fan, J. Howell, and C. Jackson, “Protection and communication abstractions for web browsers in mashupos,” SIGOPS Oper. Syst. Rev., vol. 41, pp. 1–16, Oct. 2007.
47. H. Wang, C. Grier, A. Moshchuk, S. King, P. Choudhury, and H. Venter, “The multi-principal os construction of the gazelle web browser,” in Proceedings of the 18th USENIX security symposium, pp. 417–432, 2009.
48. C. Grier, S. Tang, and S. King, “Designing and implementing the op and op2 web browsers,” ACM Transactions on the Web (TWEB), 2011.
49. A. P. Felt, H. J. Wang, A. Moshchuk, S. Hanna, and E. Chin, “Permission re-delegation: Attacks and defenses,” in Proceedings of the 20th USENIX conference on Security, 2011.
50. B. Parno, J. M. McCune, D. Wendlandt, D. G. Andersen, and A. Perrig, “Clamp: Practical prevention of large-scale data leaks,” in Proceedings of the 30th IEEE Symposium on Security and Privacy, pp. 154–169, 2009.
51. A. Barth, C. Jackson, and W. Li, “Attacks on javascript mashup communication,” in Workshop on Web 2.0 Security and Privacy (W2SP), 2009.
52. M. T. Louw, K. T. Ganesh, and V. N. Venkatakrishnan, “Adjail: practical enforcement of confidentiality and integrity policies on web advertisements,” in Proceedings of the 19th USENIX conference on Security, 2010.
53. L. Ingram and M. Walfish, “Treehouse: Javascript sandboxes to help web developers help themselves,” in Proceedings of the USENIX annual technical conference, 2012.
54. “AdSafe: Making JavaScript Safe for Advertising.” http://www.adsafe.org/.