Language-based defenses against untrusted browser origins

Proceedings of the 22nd USENIX Security Symposium

Volumn , Issue , 2013, Pages 653-669

  Bhargavan, Karthikeyan ^a   Delignat Lavaud, Antoine ^a   Maffeis, Sergio ^b  

^a INRIA ROCQUENCOURT   (France)

^b IMPERIAL COLLEGE LONDON   (United Kingdom)

Author keywords

[No Author keywords available]

Indexed keywords

APPLICATION PROGRAMMING INTERFACES (API); HIGH LEVEL LANGUAGES; LIBRARIES; WEBSITES;

BROWSER SECURITY; CRYPTOGRAPHIC PROTOCOLS; FINE-GRAINED COMPONENTS; HOSTILE ENVIRONMENTS; MODEL EXTRACTION; SECURITY PROPERTIES; SENSITIVE COMPONENTS; TYPE INFERENCES;

CRYPTOGRAPHY;

EID: 85076276087     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: None     Document Type: Conference Paper

References (44)

1. B. Adida, A. Barth, and C. Jackson. Rootkits for JavaScript environments. In WOOT, 2009.
2. D. Akhawe, P. Saxena, and D. Song. Privilege separation in HTML5 applications. In USENIX Security, 2012.
3. T. Austin and C. Flanagan. Multiple facets for dynamic information flow. In POPL, pages 165-178, 2012.
4. M. Avalle, A. Pironti, D. Pozza, and R. Sisto. JavaSPI: A framework for security protocol implementation. International Journal of Secure Software Engineering, 2:34-48, 2011.
5. C. Bansal, K. Bhargavan, A. Delignat-Lavaud, and S. Maffeis. Keys to the cloud: Formal analysis and concrete attacks on encrypted web storage. In POST, 2013.
6. C. Bansal, K. Bhargavan, and S. Maffeis. Discovering concrete attacks on website authorization by formal analysis. In CSF, pages 247-262, 2012.
7. A. Barth, C. Jackson, and W. Li. Attacks on JavaScript mashup communication. In W2SP, 2009.
8. A. Barth, C. Jackson, and J.C. Mitchell. Securing browser frame communication. In USENIX Security, 2008.
9. A. Belenko and D. Sklyarov. "Secure password managers "and "Military-grade encryption" on smartphones: Oh, really? Technical report, Elcomsoft Ltd., 2012.
10. K. Bhargavan and A. Delignat-Lavaud. Web-based attacks on host-proof encrypted storage. In WOOT, 2012.
11. K. Bhargavan, A. Delignat-Lavaud, and S. Maffeis. Defensive JavaScript website with testbed, technical report and supporting materials. http://www.defensivejs.com, 2013.
12. K. Bhargavan, C. Fournet, A. D. Gordon, and S. Tse. Verified interoperable implementations of security protocols. In CSFW, pages 139-152, 2006.
13. B. Blanchet and B. Smyth. ProVerif: Automatic Cryptographic Protocol Verifier, User Manual and Tutorial. http://www.proverif.inria.fr/manual.pdf.
14. P. Canning, W. Cook, W. Hill, W. Olthoff, and J. Mitchell. F-bounded polymorphism for object-oriented programming. In FPCA, pages 273-280, 1989.
15. L. Cardelli. Extensible records in a pure calculus of subtyping. In In Theoretical Aspects of Object-Oriented Programming, pages 373-425. MIT Press, 1994.
16. D. Crockford. ADsafe: Making JavaScript safe for advertising. http://www.adsafe.org/, 2008.
17. W. De Groef, D. Devriese, N. Nikiforakis, and F. Piessens. FlowFox: a web browser with flexible and precise information flow control. In CCS, pages 748-759, 2012.
18. D. Dolev and A.C. Yao. On the security of public key protocols. IEEE Transactions on Information Theory, IT-29(2):198-208, 1983.
19. M. Finifter, A. Mettler, N. Sastry, and D. Wagner. Verifiable functional purity in Java. In CCS, pages 161-174. ACM, 2008.
20. M. Finifter, J. Weinberger, and A. Barth. Preventing Capability Leaks in Secure JavaScript Subsets. In BDSS, 2010.
21. C. Fournet, N. Swamy, J. Chen, P. Dagand, P. Strub, and B. Livshits. Fully abstract compilation to JavaScript. In POPL'13, 2013.
22. P. Haack. JSON hijacking. http://hhacked.com/2009/06/25/json-hijacking.aspx, 2009.
23. D. Hardt. The OAuth 2.0 authorization framework. IETF RFC 6749, 2012.
24. D. Hedin and A. Sabelfeld. Information-flow security for a core of JavaScript. In CSF, pages 3-18, 2012.
25. IETF. JavaScript Object Signing and Encryption (JOSE), 2012. http://tools.ietf.org/wg/jose/.
26. S. Maffeis, J. C. Mitchell, and A. Taly. Isolating JavaScript with filters, rewriting, and wrappers. In ESORICS'09, 2009.
27. L. Meyerovich, A. Porter Felt, and M. Miller. Object views: Fine-grained sharing in browsers. In WWW, 2010.
28. L. Meyerovich and B. Livshits. ConScript: Specifying and enforcing fine-grained security policies for JavaScript in the browser. In IEEE S & P, 2010.
29. J. Mickens and M. Finifter. Jigsaw: Efficient, low-effort mashup isolation. In USENIX Web Application Development, 2012.
30. R. Milner. Functions as processes. In Automata, Languages and Programming, Volume 443, pages 167-180. 1990.
31. P. Phung, D. Sands, and D. Chudnov. Lightweight self-protecting JavaScript. In ASIACCS, 2009.
32. J. Politz, S. Eliopoulos, A. Guha, and S. Krishnamurthi. ADsafety: Type-based verification of JavaScript sandboxing. In USENIX Security, 2011.
33. F. Pottier. Type inference in the presence of subtyping: from theory to practice. Research Report 3483, INRIA, September 1998.
34. C. Reis, J. Dunagan, H. Wang, O. Dubrovsky, and S. Esmeir. BrowserShield: Vulnerability-driven filtering of dynamic HTML. ACM Transactions on the Web, 1(3), 2007.
35. G. Rydstedt, E. Bursztein, D. Boneh, and C. Jackson. Busting frame busting: a study of clickjacking vulnerabilities at popular sites. In W2SP'10, 2010.
36. J. Somorovsky, A. Mayer, A. Worth, J. Schwenk, M. Kampmann, and M. Jensen. On breaking SAML: Be whoever you want to be. In WOOT, 2012.
37. E. Stark, M. Hamburg, and D. Boneh. Symmetric cryptography in JavaScript. In ACSAC, pages 373-381, 2009.
38. B. Sterne and A. Barth. Content Security Policy 1.0. W3C Candidate Recommendation, 2012.
39. A. Taly, Ú. Erlingsson, J. C. Mitchell, M. Miller, and J. Nagra. Automated analysis of security-critical JavaScript APIs. In IEEE S & P, 2011.
40. Google Caja Team. A source-to-source translator for securing JavaScript-based web. http://code.google.com/p/google-caja/.
41. R. Wang, S. Chen, and X. Wang. Signing me onto your accounts through facebook and google: A traffic-guided security study of commercially deployed single-sign-on web services. In IEEE S & P, pages 365-379. IEEE Computer Society, 2012.
42. R. Wang, S. Chen, X. Wang, and S. Qadeer. How to shop for free online - security analysis of cashier-as-a-service based web stores. In IEEE S & P, pages 465-480, 2011.
43. M. Zalewski. The Tangled Web. No Starch Press, November 2011.
44. L. Zhengqin and T. Rezk. Mashic compiler: Mashup sandboxing based on inter-frame communication. 2012.