JavaScript instrumentation for browser security

Yu, Dejian; Chander, Ajay; Islam, Nayeem; Serikov, Igor

doi:10.1145/1190216.1190252

Cited by 93 publications

(29 citation statements)

References 14 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…It is not necessary to make customized modifications of web browsers as not all web browsers support user customization. Moreover, it is not necessary to enable script support in web browsers because such support introduces additional threats to users (Anupam and Mayer, 1998;Yu et al, 2007). Although using an external device enhances the security level, such devices are not mandatory.…”

Section: Related Workmentioning

confidence: 99%

Using one-time passwords to prevent password phishing attacks

Huang

Chen

2011

Journal of Network and Computer Applications

View full text Add to dashboard Cite

Section: Related Workmentioning

confidence: 99%

Using one-time passwords to prevent password phishing attacks

Huang

Chen

2011

Journal of Network and Computer Applications

View full text Add to dashboard Cite

“…IRMs were first formalized in the development of the PoET/PSLang/SASI systems [4,6], which instrument Java bytecode and Gnu assembly code. Subsequently, numerous IRM frameworks have been developed for Java [2,3,8,[10][11][12][13]23], JavaScript [17,19], .NET [7], AS [9,23], Android [20], and x86/64 native code [1,[14][15][16] architectures. Our experiments target SPoX-IRMs [23], which rewrite Java and AS bytecode programs to satisfy declarative, aspect-oriented security policies.…”

Section: Background and Related Workmentioning

confidence: 99%

“…Runtime software monitoring via binary instrumentation (a.k.a., in-lined reference monitoring) has gained much attention in the literature as a powerful, flexible, and efficient approach to software security enforcement (e.g., [1][2][3][4][5][6][7][8][9][10][11][12][13][14][15][16][17][18][19][20]). In-lined reference monitors (IRMs) dynamically enforce security policies by injecting security guards into untrusted binary code.…”

Section: Introductionmentioning

confidence: 99%

Hippocratic binary instrumentation: First do no harm

Sridhar

Wartell²,

Hamlen

2014

Science of Computer Programming

View full text Add to dashboard Cite

In-lined Reference Monitors (IRMs) cure binary software of security violations by instrumenting them with runtime security checks. Although over a decade of research has firmly established the power and versatility of the in-lining approach to security, its widespread adoption by industry remains impeded by concerns that in-lining may corrupt or otherwise harm intended, safe behaviors of the software it protects. Practitioners with such concerns are unwilling to adopt the technology despite its security benefits for fear that some software may break in ways that are hard to diagnose. This paper shows how recent approaches for machine-verifying the policy-compliance (soundness) of IRMs can be extended to also formally verify IRM preservation of policy-compliant behaviors (transparency). Feasibility of the approach is demonstrated through a transparency-checker implementation for Adobe ActionScript bytecode. The framework is applied to enforce security policies for Adobe Flash web advertisements and automatically verify that their policy-compliant behaviors are preserved.

show abstract

“…Chugh and coworkers [CMJL09] present (among others) a dynamic information flow analysis based on wholesale rewriting. Yu and coworkers [YCIS07] perform rewriting guided by a security policy. BrowserShield [RDW + 07] relies on similar techniques to attain safety.…”

Section: Related Workmentioning

confidence: 99%

JSConTest: Contract-Driven Testing and Path Effect Inference for JavaScript.

Heidegger¹,

Thiemann²

2012

JOT

View full text Add to dashboard Cite

Program understanding is a major obstacle during program maintenance. In an object-oriented language, understanding an operation requires understanding its type and its effect on the object network. The effect is particularly important for scripting languages where there is neither class structure that restricts the shape of an object nor any other kind of access control.We have designed and implemented JSConTest, a tool that provides a facility to annotate JavaScript programs with type and effect contracts and to create random tests out of the contracts. Run-time monitoring for contracts is implemented with a program transformation. The effect of an operation is described by access permissions, which abstract sets of access paths along which the operation reads or writes object properties. Type contracts can also be used to drive guided random testing of the program.JSConTest contains an algorithm for computing access permissions from a set of access paths obtained by running the program. The main ingredient of the algorithm is a novel heuristic that produces precise and concise results without user interaction. It has been applied to a range of examples with encouraging results.

show abstract

JavaScript instrumentation for browser security

Cited by 93 publications

References 14 publications

Using one-time passwords to prevent password phishing attacks

Using one-time passwords to prevent password phishing attacks

Hippocratic binary instrumentation: First do no harm

JSConTest: Contract-Driven Testing and Path Effect Inference for JavaScript.

Contact Info

Product

Resources

About