Defensive javascript building and verifying secure web components

Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

Volumn 8604, Issue , 2014, Pages 88-123

  Bhargavan, Karthikeyan ^a   Delignat Lavaud, Antoine ^a   Maffeis, Sergio ^b  

^a INRIA ROCQUENCOURT   (France)

^b IMPERIAL COLLEGE LONDON   (United Kingdom)

Author keywords

[No Author keywords available]

Indexed keywords

WEBSITES; SECURITY SYSTEMS;

BOOKMARKLETS; FUNCTIONAL BEHAVIORS; PROGRAM SECURITY; SECURITY COMPONENTS; SECURITY PROPERTIES; SINGLE SIGN ON; THIRD PARTIES; WEB COMPONENTS;

HIGH LEVEL LANGUAGES;

EID: 84927592750     PISSN: 03029743     EISSN: 16113349     Source Type: Book Series    
DOI: 10.1007/978-3-319-10082-1_4     Document Type: Article

References (28)

1. Adida, B.: Helios: Web-based open-audit voting. In: USENIX Security Symposium, pp. 335-348 (2008)
2. Adida, B., Barth, A., Jackson, C.: Rootkits for JavaScript environments. In: WOOT (2009)
3. Akhawe, D., Barth, A., Lam, P., Mitchell, J., Song, D.: Towards a formal foundation of web security. In: IEEE CSF 2010, pp. 290-304(2010)
4. Akhawe, D., Saxena, P., Song, D.: Privilege separation in HTML5 applications. In: USENIX Security (2012)
5. Arapinis, M., Bursuc, S., Ryan, M.: Privacy supporting cloud computing: ConfiChair, a case study. In: Degano, P., Guttman, J.D. (eds.) POST 2012. LNCS, vol. 7215, pp. 89-108. Springer, Heidelberg (2012)
6. Avalle, M., Pironti, A., Pozza, D., Sisto, R.: JavaSPI: A framework for security protocol implementation. International Journal of Secure Software Engineering 2, 34-48 (2011)
7. Bansal, C., Bhargavan, K., Delignat-Lavaud, A., Maffeis, S.: Keys to the cloud: Formal analysis and concrete attacks on encrypted web storage. In: Basin, D., Mitchell, J.C. (eds.) POST 2013. LNCS, vol. 7796, pp. 126-146. Springer, Heidelberg (2013)
8. Bansal, C., Bhargavan, K., Maffeis, S.: Discovering concrete attacks on website authorization by formal analysis. In: CSF, pp. 247-262 (2012)
9. Barth, A., Felt, A.P., Saxena, P., Boodman, A.: Protecting browsers from extension vulnerabilities. In:Network andDistributed SystemSecurity Symposium,NDSS (2010)
10. Bhargavan, K., Delignat-Lavaud, A.: Web-based attacks on host-proof encrypted storage. In: WOOT (2012)
11. Bhargavan, K., Fournet, C., Gordon, A.D., Tse, S.: Verified interoperable implementations of security protocols. In: CSFW, pp. 139-152 (2006)
12. Bhargavan, K., Delignat-Lavaud, A., Maffeis, S.: Language-based defenses against untrusted browser origins. In: 22nd USENIX Security Symposium (2013)
13. Blanchet, B.: Automatic verification of correspondences for security protocols. Journal of Computer Security 17(4), 363-434 (2009)
14. Blanchet, B., Smyth, B.: ProVerif: Automatic Cryptographic Protocol Verifier, User Manual and Tutorial, http://www.proverif.inria.fr/manual.pdf
15. Dahl, D., Sleevi, R.: Web Cryptography API. W3C Working Draft (2013)
16. ECMA International: ECMAScript language specification. Stardard ECMA-262, 3rd edn. (1999)
17. Fett, D., Küsters, R., Schmitz, G.: An Expressive Model for the Web Infrastructure: Definition and Application to the BrowserID SSO System. In: 35th IEEE Symposium on Security and Privacy (S&P 2014). IEEE Computer Society (2014)
18. Fournet, C., Swamy, N., Chen, J., Dagand, P., Strub, P., Livshits, B.: Fully abstract compilation to JavaScript. In: POPL 2013 (2013)
19. Hardt, D.: The OAuth 2.0 authorization framework. IETF RFC 6749 (2012)
20. Hodges, J., Jackson, C., Barth, A.: HTTP Strict Transport Security (HSTS). IETF RFC 6797 (2012)
21. IETF: JavaScript Object Signing and Encryption, JOSE (2012), http://tools.ietf.org/wg/jose??
22. Milner, R.: Functions as processes. In: Paterson, M. (ed.) ICALP 1990. LNCS, vol. 443, pp. 167-180. Springer, Heidelberg (1990)
23. Stark, E., Hamburg, M., Boneh, D.: Symmetric cryptography in JavaScript. In: ACSAC, pp. 373-381 (2009)
24. Sterne, B., Barth, A.: Content Security Policy 1.0. W3C Candidate Recommendation (2012)
25. Swamy, N., Fournet, C., Rastogi, A., Bhargavan, K., Chen, J., Strub, P.Y., Bierman, G.M.: Gradual typing embedded securely in javascript. In: ACM Symposium on Principles of Programming Languages (POPL), pp. 425-438 (2014)
26. Wang, R., Chen, S., Wang, X.: Signing me onto your accounts through facebook and google: A traffic-guided security study of commercially deployed single-sign-on web services. In: IEEE S&P, pp. 365-379. IEEE Computer Society (2012)
27. Woo, T., Lam, S.: A semantic model for authentication protocols. In: IEEE Symposium on Security and Privacy, pp. 178-194 (1993)
28. Zalewski, M.: Browser Security Handbook