JavaScript instrumentation for browser security

Yu, Dejian; Chander, Ajay; Islam, Nayeem; Serikov, Igor

doi:10.1145/1190215.1190252

Cited by 76 publications

(77 citation statements)

References 14 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Yu et al [44] and Kikuchi et al [24] present an instrumentation approach for JavaScript in the browser. Their framework allows instrumented code to encode edit automata-based policies.…”

Section: Related Workmentioning

confidence: 99%

Architectures for Inlining Security Monitors in Web Applications

Magazinius

Hedin

Sabelfeld

2014

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. Securing JavaScript in the browser is an open and challenging problem. Code from pervasive third-party JavaScript libraries exacerbates the problem because it is executed with the same privileges as the code that uses the libraries. An additional complication is that the different stakeholders have different interests in the security policies to be enforced in web applications. This paper focuses on securing JavaScript code by inlining security checks in the code before it is executed. We achieve great flexibility in the deployment options by considering security monitors implemented as security-enhanced JavaScript interpreters. We propose architectures for inlining security monitors for JavaScript: via browser extension, via web proxy, via suffix proxy (web service), and via integrator. Being parametric in the monitor itself, the architectures provide freedom in the choice of where the monitor is injected, allowing to serve the interests of the different stake holders: the users, code developers, code integrators, as well as the system and network administrators. We report on experiments that demonstrate successful deployment of a JavaScript information-flow monitor with the different architectures.

show abstract

“…Yu et al [44] and Kikuchi et al [24] present an instrumentation approach for JavaScript in the browser. Their framework allows instrumented code to encode edit automata-based policies.…”

Section: Related Workmentioning

confidence: 99%

Architectures for Inlining Security Monitors in Web Applications

Magazinius

Hedin

Sabelfeld

2014

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

“…As for JavaScript several techniques have been proposed (Nentwich et al, 2007;Yu et al, 2007;Jim et al, 2007;Dhawan and Ganapathy, 2009;Chudnov and Naumann, 2010;Jang et al, 2010) such as solutions based on client-side or server-side to prevent history sniffing, disable unknown scripts, signed scripts, program instrumentation and dynamic taint propagation and checking. Some of these solutions can be implemented in proxies and other requires the modification of Web browser source code.…”

Section: Privacy Solutions For Application Layermentioning

confidence: 99%

A survey on solutions and main free tools for privacy enhancing Web communications

Ruiz‐Martínez¹

2012

Journal of Network and Computer Applications

View full text Add to dashboard Cite

Concern for privacy when users are surfing on the Web has increased recently. Nowadays, many users are aware that when they are accessing Web sites, these Web sites can track them and create profiles on the elements they access, the advertisements they see, the different links they visit, from which Web sites they come from and to which sites they exit, and so on. In order to maintain user privacy, several techniques, methods and solutions have appeared. In this paper we present an analysis of both these solutions and the main tools that are freely distributed or can be used freely and that implement some of these techniques and methods to preserve privacy when users and surfing on the Internet. This work, unlike previous reviews, shows in a comprehensive way, all the different risks when a user navigates on the Web, the different solutions proposed that finally have being implemented and being used to achieve Web privacy goal. Thus, users can decide which tools to use when they want navigate privately and what kind of risks they are assuming.

show abstract

“…By inserting and suppressing actions, edit automata capture the practical ability of runtime mechanisms to transform invalid executions into valid executions, rather than the ability of truncation automata to only recognize and halt invalid executions. Edit automata have served as the basis for additional studies of runtime enforcement (e.g., [18,16,4]). …”

Section: Related Workmentioning

confidence: 99%

A Theory of Runtime Enforcement, with Results

Ligatti

Reddy

2010

Computer Security – ESORICS 2010

View full text Add to dashboard Cite

Abstract. This paper presents a theory of runtime enforcement based on mechanism models called MRAs (Mandatory Results Automata). MRAs can monitor and transform security-relevant actions and their results. Because previous work could not model monitors transforming results, MRAs capture realistic behaviors outside the scope of previous models. MRAs also have a simple but realistic operational semantics that makes it straightforward to define concrete MRAs. Moreover, the definitions of policies and enforcement with MRAs are significantly simpler and more expressive than those of previous models. Putting all these features together, we argue that MRAs make good general models of runtime mechanisms, upon which a theory of runtime enforcement can be based. We develop some enforceability theory by characterizing the policies MRAs can and cannot enforce.

show abstract

JavaScript instrumentation for browser security

Cited by 76 publications

References 14 publications

Architectures for Inlining Security Monitors in Web Applications

Architectures for Inlining Security Monitors in Web Applications

A survey on solutions and main free tools for privacy enhancing Web communications

A Theory of Runtime Enforcement, with Results

Contact Info

Product

Resources

About