WebShield: Enabling Various Web Defense Techniques without Client Side Modifications

Proceedings of the Symposium on Network and Distributed System Security, NDSS 2011

Volumn , Issue , 2011, Pages

  Li, Zhichun ^a   Yi, Tang ^c   Cao, Yinzhi ^b   Rastogi, Vaibhav ^b   Chen, Yan ^b   Liu, Bin ^c   Sbisa, Clint ^b  

^a NEC LABORATORIES AMERICA   (United States)

^b NORTHWESTERN UNIVERSITY   (United States)

^c TSINGHUA UNIVERSITY   (China)

Author keywords

[No Author keywords available]

Indexed keywords

NETWORK SECURITY; WEBSITES;

CLIENT SIDES; DEFENSE TECHNIQUES; DEPLOYMENT PROBLEMS; HOST-BASED; JAVASCRIPT; MIDDLEBOXES; PROTECTION MECHANISMS; SECURITY PROTECTION; WEB ATTACKS; WEB-PAGE;

HIGH LEVEL LANGUAGES;

EID: 85030494194     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: None     Document Type: Conference Paper

References (36)

1. Alexa Top Sites. http://www.alexa.com/topsites/global.
2. Blue Coat Secure Web Gateway. http://www.bluecoat.com.
3. Greasemokey Add-on for Firefox. https://addons.mozilla.org/en-US/firefox/addon/748/.
4. JavaScript Games. http://javascript.internet.com/games/.
5. JSON. http://json.org/.
6. McAFee SiteAdvisor. http://www.siteadvisor.com/.
7. Opera Mini. http://en.wikipedia.org/wiki/ Opera_Mini.
8. Research: 1.3 million malicious ads viewed daily. http://www.zdnet.com/blog/security/research-13-million-malicious-ads-viewed-daily/ 6466.
9. TC. http://pupa.da.ru/tc/.
10. The Webkit Open Source Project. http://webkit.org/.
11. W3C Document Object Model. http://www.w3.org/DOM/.
12. A. Barth, U. Berkeley, J. Weinberger, and D. Song. Cross-Origin JavaScript Capability Leaks: Detection, Exploitation, and Defense. In Proc. of USENIX Security Symposium, August 2009.
13. A. Barth, J. Caballero, and D. Song. Secure content sniffing for web browsers, or how to stop papers from reviewing themselves. In Proc of IEEE Symposium on Security and Privacy, 2009.
14. A. Barth, C. Jackson, and J. C. Mitchell. Robust Defenses for Cross-Site Request Forgery. In Proc of USENIX Security Symposium, 2009.
15. M. Claypool and K. Claypool. Latency and player actions in online games. Commun. ACM, 49(11):40–45, 2006.
16. R. S. Cox, S. D. Gribble, H. M. Levy, and J. G. Hansen. A safety-oriented platform for web applications. In Proc of IEEE Symposium on Security and Privacy, 2006.
17. C. Grier, S. Tang, and S. King. Secure web browsing with the OP web browser. In Proc. of IEEE Symposium on Security and Privacy, 2008.
18. R. Hansen. Xss (cross site scripting) cheat sheet esp: for filter evasion, 2008. http://ha.ckers.org/xss. html.
19. J. Howell, C. Jackson, H. J. Wang, and X. Fan. Mashupos: operating system abstractions for client mashups. In HotOS, 2007.
20. B. L. K.Vikram, Abhishek Prateek. Ripley: Automatically securing web 2.0 applications through replicated execution. In CCS, 2009.
21. D. Lowet and D. Goergen. Co-browsing dynamic web pages. In Proc of WWW, 2009.
22. D. Malkhi and M. K. Reiter. Secure execution of java applets using a remote playground. IEEE Trans. on Software Engineering, 26(12), 2000.
23. A. Moshchuk, T. Bragin, D. Deville, S. D. Gribble, and H. M. Levy. Spyproxy: execution-based detection of malicious web content. In USENIX Security, 2007.
24. A. Moshchuk, T. Bragin, S. D. Gribble, and H. M. Levy. A crawler-based study of spyware on the web. In Proc. of NDSS, 2006.
25. A. Moshchuk, S. D. Gribble, and H. M. Levy. Flashproxy: transparently enabling rich web content via remote execution. In Proc. of ACM MobiSys, 2008.
26. Y. Nadji, P. Saxena, and D. Song. Document structure integrity: A robust basis for cross-site scripting defense. In Proc. of NDSS, 2009.
27. NSA. SELinux. http://www.nsa.gov/research/selinux/.
28. N. Provos, P. Mavrommatis, M. A. Rajab, and F. Monrose. All your iframes point to us. In USENIX Security, 2008.
29. N. Provos, D. McNamee, P. Mavrommatis, K. Wang, and N. Modadugu. The ghost in the browser: analysis of web-based malware. In USENIX HotBots, 2007.
30. P. Ratanaworabhan, B. Livshits, and B. Zorn. Nozzle: A defense against heap-spraying code injection attacks. In USENIX Security, 2009.
31. C. Reis, J. Dunagan, H. Wang, O. Dubrovsky, and S. Esmeir. Browsershield: Vulnerability-driven filtering of dynamic html. In Proc. of OSDI, 2006.
32. C. Reis and S. D. Gribble. Isolating web programs in modern browser architectures. In Proc. of Eurosys, 2009.
33. M. Ter Louw and V. Venkatakrishnan. Blueprint: Precise browser-neutral prevention of cross-site scripting attacks. In Proc. of IEEE Symposium on Security and Privacy, 2009.
34. P. Vogt, F. Nentwich, N. Jovanovic, E. Kirda, C. Kruegel, and G. Vigna. Cross-site scripting prevention with dynamic data tainting and static analysis. In Proc. of NDSS, 2007.
35. H. J. Wang, C. Grier, A. Moshchuk, S. T. King, P. Choudhury, and H. Venter. The multi-principal os construction of the gazelle web browser. In Usenix Security, 2009.
36. Y.-M. Wang, D. Beck, X. Jiang, and R. Roussev. Automated web patrol with strider honeymonkeys: Finding web sites that exploit browser vulnerabilities. In Proc. of NDSS, 2006.