SafeJS: Hermetic Sandboxing for JavaScript
نویسندگان
چکیده
Isolating programs is an important mechanism to support more secure applications. Isolating program in dynamic languages such as JavaScript is even more challenging since reflective operations can circumvent simple mechanisms that could protect program parts. In this article we present SafeJS, an approach and implementation that offers isolation based on separate sandboxes and control of information exchanged between them. In SafeJS, sandboxes based on web workers do not share any data. Data exchanged between sandboxes is solely based on strings. Using different policies, this infrastructure supports the isolation of the different scripts that usually populate web pages. A foreign component cannot modify the main DOM tree in unexpected manner. Our SafeJS implementation is currently being used in an industrial setting in the context of the Resilience FUI 12 project.
منابع مشابه
ADsafety: Type-Based Verification of JavaScript Sandboxing
Web sites routinely incorporate JavaScript programs from several sources into a single page. These sources must be protected from one another, which requires robust sandboxing. The many entry-points of sandboxes and the subtleties of JavaScript demand robust verification of the actual sandbox source. We use a novel type system for JavaScript to encode and verify sandboxing properties. The resul...
متن کاملA Two-Tier Sandbox Architecture to Enforce Modular Fine-Grained Security Policies for Untrusted JavaScript
Existing approaches to providing security for untrusted JavaScript include isolation of capabilities – a.k.a. sandboxing. Features of the JavaScript language conspire to make this nontrivial, and isolation normally requires complex filtering, transforming and wrapping untrusted code to restrict the code to a manageable subset. The latest JavaScript specification (ECMAScript 5) has been modified...
متن کاملTyped-based verification of Web sandboxes
Web pages routinely incorporate JavaScript code from third-party sources. However, all code in a page runs in the same security context, regardless of provenance. When Web pages incorporate third-party JavaScript without any checks, as many do, they open themselves to attack. A third-party can trivially inject malicious JavaScript into such a page, causing all manner of harm. Several such attac...
متن کاملTreehouse: Javascript Sandboxes to Help Web Developers Help Themselves
Many Web applications (meaning sites that employ JavaScript) incorporate third-party code and, for reasons rooted in today’s Web ecosystem, are vulnerable to bugs or malice in that code. Our goal is to give Web developers a mechanism that (a) contains included code, limiting (or eliminating) its influence as appropriate; and (b) is deployable today, or very shortly. While the goal of containmen...
متن کاملSandboxing Untrusted Javascript a Dissertation Submitted to the Department of Computer Science and the Committee on Graduate Studies of Stanford University in Partial Fulfillment of the Requirements for the Degree of Doctor of Philosophy
Many contemporary Web sites incorporate third-party content in the form of advertisements, social-networking widgets, and maps. A number of sites like Facebook and Twitter also allow users to post comments that are then served to others, or allow users to add their own applications to the site. Such third-party content often comprises of executable code, commonly written in JavaScript, that run...
متن کاملذخیره در منابع من
با ذخیره ی این منبع در منابع من، دسترسی به آن را برای استفاده های بعدی آسان تر کنید
عنوان ژورنال:
- CoRR
دوره abs/1309.3914 شماره
صفحات -
تاریخ انتشار 2013