JavaScript Instrumentation in Practice

Kikuchi, Haruka; Yu, Dejian; Chander, Ajay; Inamura, Hiroshi; Serikov, Igor

doi:10.1007/978-3-540-89330-1_23

Cited by 21 publications

(29 citation statements)

References 9 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…However, this will likely make it hard to use dynamic third-party content. Finally, Yu et al [32] present a formal semantics of the interaction between JavaScript and browsers and builds on it a proxy-based rewriting framework for dynamically enforcing automata-based security policies [17]. These policies are quite different from information flow in that they require sparser instrumentation, and cannot enforce fine-grained isolation.…”

Section: Related Workmentioning

confidence: 99%

An empirical study of privacy-violating information flows in JavaScript web applications

Jang

Jhala

Lerner

et al. 2010

Proceedings of the 17th ACM Conference on Computer and Communications Security

131

100

View full text Add to dashboard Cite

The dynamic nature of JavaScript web applications has given rise to the possibility of privacy violating information flows. We present an empirical study of the prevalence of such flows on a large number of popular websites. We have (1) designed an expressive, fine-grained information flow policy language that allows us to specify and detect different kinds of privacy-violating flows in JavaScript code, (2) implemented a new rewriting-based JavaScript information flow engine within the Chrome browser, and (3) used the enhanced browser to conduct a large-scale empirical study over the Alexa global top 50,000 websites of four privacyviolating flows: cookie stealing, location hijacking, history sniffing, and behavior tracking. Our survey shows that several popular sites, including Alexa global top-100 sites, use privacy-violating flows to exfiltrate information about users' browsing behavior. Our findings show that steps must be taken to mitigate the privacy threat from covert flows in browsers.

show abstract

Section: Related Workmentioning

confidence: 99%

An empirical study of privacy-violating information flows in JavaScript web applications

Jang

Jhala

Lerner

et al. 2010

Proceedings of the 17th ACM Conference on Computer and Communications Security

131

100

View full text Add to dashboard Cite

show abstract

“…Many recent works have transformed untrusted JS code to interpose runtime policy enforcement checks [1], [2], [8], [35], [48], [49]. These works cover many diverse attack vectors by which thirdparty content may subvert the checks.…”

Section: Related Workmentioning

confidence: 99%

Between Worlds: Securing Mixed JavaScript/ActionScript Multi-Party Web Content

Phung

Monshizadeh

Sridhar

et al. 2015

IEEE Trans. Dependable and Secure Comput.

View full text Add to dashboard Cite

Abstract-Mixed Flash and JavaScript content has become increasingly prevalent; its purveyance of dynamic features unique to each platform has popularized it for myriad web development projects. Although Flash and JavaScript security has been examined extensively, the security of untrusted content that combines both has received considerably less attention. This article considers this fusion in detail, outlining several practical scenarios that threaten the security of web applications. The severity of these attacks warrants the development of new techniques that address the security of Flash-JavaScript content considered as a whole, in contrast to prior solutions that have examined Flash or JavaScript security individually. Toward this end, the article presents FlashJaX, a cross-platform solution that enforces fine-grained, history-based policies that span both Flash and JavaScript. Using in-lined reference monitoring, FlashJaX safely embeds untrusted JavaScript and Flash content in web pages without modifying browser clients or using special plug-ins. The architecture of FlashJaX, its design and implementation, and a detailed security analysis are exposited. Experiments with advertisements from popular ad networks demonstrate that FlashJaX is transparent to policy-compliant advertisement content, yet blocks many common attack vectors that exploit the fusion of these web platforms.

show abstract

“…Yu et al [44] and Kikuchi et al [24] present an instrumentation approach for JavaScript in the browser. Their framework allows instrumented code to encode edit automata-based policies.…”

Section: Related Workmentioning

confidence: 99%

Architectures for Inlining Security Monitors in Web Applications

Magazinius

Hedin

Sabelfeld

2014

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. Securing JavaScript in the browser is an open and challenging problem. Code from pervasive third-party JavaScript libraries exacerbates the problem because it is executed with the same privileges as the code that uses the libraries. An additional complication is that the different stakeholders have different interests in the security policies to be enforced in web applications. This paper focuses on securing JavaScript code by inlining security checks in the code before it is executed. We achieve great flexibility in the deployment options by considering security monitors implemented as security-enhanced JavaScript interpreters. We propose architectures for inlining security monitors for JavaScript: via browser extension, via web proxy, via suffix proxy (web service), and via integrator. Being parametric in the monitor itself, the architectures provide freedom in the choice of where the monitor is injected, allowing to serve the interests of the different stake holders: the users, code developers, code integrators, as well as the system and network administrators. We report on experiments that demonstrate successful deployment of a JavaScript information-flow monitor with the different architectures.

show abstract

JavaScript Instrumentation in Practice

Cited by 21 publications

References 9 publications

An empirical study of privacy-violating information flows in JavaScript web applications

An empirical study of privacy-violating information flows in JavaScript web applications

Between Worlds: Securing Mixed JavaScript/ActionScript Multi-Party Web Content

Architectures for Inlining Security Monitors in Web Applications

Contact Info

Product

Resources

About