Preventing Capability Leaks in Secure JavaScript Subsets

Proceedings of the Symposium on Network and Distributed System Security, NDSS 2010

Volumn , Issue , 2010, Pages

  Finifter, Matthew ^a   Weinberger, Joel ^a   Barth, Adam ^a  

^a UNIVERSITY OF CALIFORNIA   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

NETWORK SECURITY;

JAVASCRIPT; NAMESPACES; PERFORMANCE; PROPERTY; STATIC VERIFICATION; THIRD PARTIES; WEB-SITES;

HIGH LEVEL LANGUAGES;

EID: 85180542459     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: None     Document Type: Conference Paper

References (30)

1. Alexa - Top Sites in United States. http://alexa.com/topsites/countries/US.
2. google-caja. http://code.google.com/p/google-caja/.
3. Live Labs Web Sandbox. http://websandbox.livelabs.com/.
4. Who’s using Prototype. http://www.prototypejs.org/real-world.
5. Caja Test Bed, August 2009. http://cajadores.com/demos/testbed/.
6. HTML 5: A vocabulary and associated APIs for HTML and XHTML, April 2009. http://www.w3.org/TR/2009/WD-html5-20090423/.
7. Performance of cajoled code, August 2009. http://code.google.com/p/google-caja/ wiki/Performance.
8. Prototype JavaScript Framework, May 2009. http://www.prototypejs.org/.
9. Adam Barth, Collin Jackson, and William Li. Attacks on JavaScript Mashup Communication. In Web 2.0 Security and Privacy Workshop 2009 (W2SP 2009), May 2009.
10. Adam Barth, Joel Weinberger, and Dawn Song. Cross-origin JavaScript capability leaks: Detection, exploitation, and defense. In Proc. of the 18th USENIX Security Symposium (USENIX Security 2009). USENIX Association, August 2009.
11. Shuo Chen, David Ross, and Yi-Min Wang. An analysis of browser domain-isolation bugs and a lightweight transparent defense mechanism. In CCS’07: Proceedings of the 14th ACM Conference on Computer and Communications Security, pages 2–11, New York, NY, USA, 2007. ACM.
12. Steven Crites, Francis Hsu, and Hao Chen. OMash: enabling secure web mashups via object abstractions. In CCS’08: Proceedings of the 15th ACM Conference on Computer and Communications Security, pages 99–108, New York, NY, USA. ACM.
13. Douglas Crockford. ADsafe. http://www.adsafe.org.
14. Douglas Crockford. ADsafe DOM API. http://www.adsafe.org/dom.html.
15. David-Sarah Hopwood. Jacaranda Language Specification, draft 0.3. http://www.jacaranda.org/jacaranda-spec-0.3.txt.
16. David-Sarah Hopwood. Personal Communication, June 2009.
17. Frederik De Keukelaere, Sumeer Bhola, Michael Steiner, Suresh Chari, and Sachiko Yoshihama. SMash: secure component model for cross-domain mashups on unmodified browsers. In WWW’08: Proceeding of the 17th international conference on World Wide Web, pages 535–544, New York, NY, USA. ACM.
18. Adrienne Felt, Pieter Hooimeijer, David Evans, and Westley Weimer. Talking to strangers without taking their candy: isolating proxied content. In Social-Nets’08: Proceedings of the 1st Workshop on Social Network Systems, pages 25–30, New York, NY, USA, 2008. ACM.
19. Salvatore Guarnieri and Benjamin Livshits. Gatekeeper: Mostly static enforcement of security and reliability policies for javascript code. In Proc. of the 18th USENIX Security Symposium (USENIX Security 2009). USENIX Association, August 2009.
20. Jon Howell, Collin Jackson, Helen J. Wang, and Xiaofeng Fan. MashupOS: operating system abstractions for client mashups. In HotOS’07: Proceedings of the 11th USENIX workshop on Hot topics in operating systems, pages 1–7, Berkeley, CA, USA. USENIX Association.
21. Collin Jackson and Helen J. Wang. Subspace: secure cross-domain communication for web mashups. In WWW’07: Proceedings of the 16th international conference on World Wide Web, pages 611–620, New York, NY, USA, 2007. ACM.
22. Dan Kaplan. Malicious banner ads hit major websites, September 2007. http://www.scmagazineus.com/Malicious-banner-ads-hit-major-websites/ article/35605/.
23. S. Maffeis, J.C. Mitchell, and A. Taly. Run-time enforcement of secure javascript subsets. In Proc of W2SP’09. IEEE, 2009.
24. S. Maffeis and A. Taly. Language-based isolation of untrusted Javascript. In Proc. of CSF’09, IEEE, 2009. See also: Dep. of Computing, Imperial College London, Technical Report DTR09-3, 2009.
25. Sergio Maffeis, John C. Mitchell, and Ankur Taly. An Operational Semantics for JavaScript. In APLAS’08: Proceedings of the 6th Asian Symposium on Programming Languages and Systems, pages 307–325, Berlin, Heidelberg, 2008. Springer-Verlag.
26. Microsoft Live Labs. Microsoft Web Sandbox. http://www.websandbox-code.org/Samples/genericSample.aspx.
27. Elinor Mills. Malicious Flash ads attack, spread via clipboard, August 2008. http://news.cnet.com/8301-1009_3-10021715-83.html.
28. Ashlee Vance. Times Web Ads Show Security Breach, September 2009. http://www.nytimes.com/2009/09/15/ technology/internet/15adco.html.
29. Chuan Yue and Haining Wang. Characterizing insecure JavaScript practices on the web. In WWW ’09: Proceedings of the 18th international conference on World Wide Web, pages 961–970, New York, NY, USA, 2009. ACM.
30. Kris Zyp. Secure Mashups with dojox.secure. http://www.sitepen.com/blog/2008/08/01/ secure-mashups-with-dojoxsecure/.