Isolating JavaScript with Filters, Rewriting, and Wrappers

Authors

  • Sergio Maffeis
  • John C. Mitchell
  • Ankur Taly

Abstract

We study methods that allow web sites to safely combine JavaScript from untrusted sources. If implemented properly, filters can prevent dangerous code from loading into the execution environment, while rewriting allows greater expressiveness by inserting run-time checks. Wrapping properties of the execution environment can prevent misuse without requiring changes to imported JavaScript. Using a formal semantics for the ECMA 262-3 standard language, we prove security properties of a subset of JavaScript, comparable in expressiveness to Facebook FBJS, obtained by combining three isolation mechanisms. The isolation guarantees of the three mechanisms are interdependent, with rewriting and wrapper functions relying on the absence of JavaScript constructs eliminated by language filters.


Similar resources

Rewriting-based Dynamic Information Flow for JavaScript

JavaScript web applications often dynamically load third-party code, which in some cases can steal or corrupt important client information. In this paper, we present a rewriting-based approach for enforcing confidentiality and integrity policies that respectively specify what information can flow into and from untrusted third-party code. We have implemented our approach in the Chrome browser, an...


Fully Automated HTML and Javascript Rewriting for Constructing a Self-healing Web Proxy

Over the last few years, the complexity of web applications has increased to provide more dynamic web applications to users. The drawback of this complexity is the growing number of errors in the front-end applications. In this paper, we present BikiniProxy, a novel technique to provide self-healing for the web. BikiniProxy is designed as an HTTP proxy that uses five self-healing strategies to ...


Transparent Object Proxies for JavaScript (Artifact)

This artifact provides two prototype extensions of the SpiderMonkey JavaScript engine. Both extensions implement alternative designs for transparent proxies that are better suited for use cases such as certain contract wrappers and access restricting membranes. The first prototype extends the proxy handler by an isTransparent trap that regulates the proxy’s transparency. The second prototype im...


From Rewriting Logic, to Programming Language Semantics, to Program Verification

Rewriting logic has proven to be an excellent formalism to define executable semantics of programming languages, concurrent or not, and then to derive formal analysis tools for the defined languages with very little effort, such as model checkers. In this paper we give an overview of recent results obtained in the context of the rewriting logic semantics framework K, such as complete semantics ...


Run-Time Enforcement of Secure JavaScript Subsets

Web sites that incorporate untrusted content may use browser- or language-based methods to keep such content from maliciously altering pages, stealing sensitive information, or causing other harm. We use accepted methods from the study of programming languages to investigate language-based methods for filtering and rewriting JavaScript code, using Facebook FBJS as a motiva...



Publication date: 2009