Guardia

Pupo, Angel Luis Scull; Nicolay, Jens; Boix, Elisa Gonzalez

doi:10.1145/3237009.3237025

Cited by 5 publications

(6 citation statements)

References 21 publications

(65 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…JIPDA and the flow graphs it produces fulfill the assumptions discussed before. For RASP, we use a revised version of Guardia [41] for AC policies, which we load as a library before analysing a particular application.…”

Section: Discussionmentioning

confidence: 99%

“…In the context of security, some approaches [28,41,48] decouple policy specification from actual verification and enforcement through the use of some security policy language. However, this decoupling does not facilitate the development of complementary SAST and RASP tools, because any additional or reused implementation still faces the same aforementioned problems.…”

Section: Challenges For Rasp and Sast Integrationmentioning

confidence: 99%

“…Approaches that rely on source code instrumentation [4,41,42] could allow the derivation of SAST from RASP by analyzing the base program with the runtime enforcement code included. However, analyzing the instrumented application makes the task of the static analyzer even harder, as the code to be analyzed contains both the policy enforcement code and the target application.…”

Section: Challenges For Rasp and Sast Integrationmentioning

confidence: 99%

“…Listing 2 Specification using Guardia [41] of "Disallow calling fetch more than three times" policy. 1…”

Section: Rasp Through Metaprogrammingmentioning

confidence: 99%

“…Since most of the common JavaScript vulnerabilities cannot be prevented or resolved with browser-level security (which can be omitted, wrongly configured, or bypassed [11,29,38]), a variety of static [15,22,23,33] and dynamic [5,7,13,25,32,35,36,37,39,41] analyses have been proposed to make applications more secure. On the one hand, a static analysis reason about the program's source code, allowing developers to detect and resolve security issues in the early stages before deploying or executing the application.…”

Section: Introductionmentioning

confidence: 99%

See 4 more Smart Citations

Deriving Static Security Testing from Runtime Security Protection for Web Applications

2021

Self Cite

View full text Add to dashboard Cite

Context: Static Application Security Testing (SAST) and Runtime Application Security Protection (RASP) are important and complementary techniques used for detecting and enforcing application-level security policies in web applications.Inquiry: The current state of the art, however, does not allow a safe and efficient combination of SAST and RASP based on a shared set of security policies, forcing developers to reimplement and maintain the same policies and their enforcement code in both tools.Approach: In this work, we present a novel technique for deriving SAST from an existing RASP mechanism by using a two-phase abstract interpretation approach in the SAST component that avoids duplicating the effort of specifying security policies and implementing their semantics. The RASP mechanism enforces security policies by instrumenting a base program to trap security-relevant operations and execute the required policy enforcement code. The static analysis of security policies is then obtained from the RASP mechanism by first statically analyzing the base program without any traps. The results of this first phase are used in a second phase to detect trapped operations and abstractly execute the associated and unaltered RASP policy enforcement code.Knowledge: Splitting the analysis into two phases enables running each phase with a specific analysis configuration, rendering the static analysis approach tractable while maintaining sufficient precision.Grounding: We validate the applicability of our two-phase analysis approach by using it to both dynamically enforce and statically detect a range of security policies found in related work. Our experiments suggest that our two-phase analysis can enable faster and more precise policy violation detection compared to analyzing the full instrumented application under a single analysis configuration.Importance: Deriving a SAST component from a RASP mechanism enables equivalent semantics for the security policies across the static and dynamic contexts in which policies are verified during the software development lifecycle. Moreover, our two-phase abstract interpretation approach does not require RASP developers to reimplement the enforcement code for static analysis.

show abstract

Section: Discussionmentioning

confidence: 99%

Section: Challenges For Rasp and Sast Integrationmentioning

confidence: 99%

Section: Challenges For Rasp and Sast Integrationmentioning

confidence: 99%

“…Listing 2 Specification using Guardia [41] of "Disallow calling fetch more than three times" policy. 1…”

Section: Rasp Through Metaprogrammingmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

Deriving Static Security Testing from Runtime Security Protection for Web Applications

2021

Self Cite

View full text Add to dashboard Cite

show abstract

MyWebGuard: Toward a User-Oriented Tool for Security and Privacy Protection on the Web

Hiremath

Armentrout

et al. 2019

Future Data and Security Engineering

View full text Add to dashboard Cite

A User-Oriented Approach and Tool for Security and Privacy Protection on the Web

et al. 2020

View full text Add to dashboard Cite

We introduce a novel approach to protecting the privacy of web users. We propose to monitor the behaviors of JavaScript code within a web origin based on the source of the code, i.e., code origin, to detect and prevent malicious actions that would compromise users' privacy. Our code-origin policy enforcement approach not only advances the conventional same-origin policy standard but also goes beyond the "all-or-nothing" contemporary ad-blockers and tracker-blockers. In particular, our monitoring mechanism does not rely on browsers' network request interception and blocking as in existing blockers. In contrast, we monitor the code that reads or sends user data sent out of the browser to enforce fine-grained and context-aware policies based on the origin of the code. We implement a proof-of-concept prototype and perform practical evaluations to demonstrate the effectiveness of our approach. Our experimental results evidence that the proposed method can detect and prevent data leakage channels not captured by the leading tools such as Ghostery and uBlock Origin. We show that our prototype is compatible with major browsers and popular real-world websites with promising runtime performance. Although implemented as a browser extension, our approach is browser-agnostic and can be integrated into the core of a browser as it is based on standard JavaScript.

show abstract

Guardia

Cited by 5 publications

References 21 publications

Deriving Static Security Testing from Runtime Security Protection for Web Applications

Deriving Static Security Testing from Runtime Security Protection for Web Applications

MyWebGuard: Toward a User-Oriented Tool for Security and Privacy Protection on the Web

A User-Oriented Approach and Tool for Security and Privacy Protection on the Web

Contact Info

Product

Resources

About