
Flexible access control for javascript

Published: 29 October 2013

Abstract

Providing security guarantees for systems built out of untrusted components requires the ability to define and enforce access control policies over untrusted code. In Web 2.0 applications, JavaScript code from different origins is often combined on a single page, leading to well-known vulnerabilities. We present a security infrastructure which allows users and content providers to specify access control policies over subsets of a JavaScript program by leveraging the concept of delimited histories with revocation. We implement our proposal in WebKit and evaluate it with three policies on 50 widely used websites with no changes to their JavaScript code and report performance overheads and violations.

Cited By

  • (2019) Compiling Sandboxes: Formally Verified Software Fault Isolation. Programming Languages and Systems, DOI:10.1007/978-3-030-17184-1_18 (499-524). Online publication date: 6-Apr-2019
  • (2018) GUARDIA. Proceedings of the 15th International Conference on Managed Languages & Runtimes, DOI:10.1145/3237009.3237025 (1-15). Online publication date: 12-Sep-2018
  • (2014) Information Flow Control in WebKit’s JavaScript Bytecode. Principles of Security and Trust, DOI:10.1007/978-3-642-54792-8_9 (159-178). Online publication date: 2014

Published In

ACM SIGPLAN Notices, Volume 48, Issue 10
OOPSLA '13
October 2013
867 pages
ISSN:0362-1340
EISSN:1558-1160
DOI:10.1145/2544173

OOPSLA '13: Proceedings of the 2013 ACM SIGPLAN international conference on Object oriented programming systems languages & applications
October 2013
904 pages
ISBN:9781450323741
DOI:10.1145/2509136

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 29 October 2013
Published in SIGPLAN Volume 48, Issue 10

Author Tags

  1. delimited histories
  2. javascript
  3. same-origin policy
  4. security

Qualifiers

  • Research-article

Bibliometrics & Citations

Bibliometrics

Article Metrics

  • Downloads (Last 12 months): 12
  • Downloads (Last 6 weeks): 0
Reflects downloads up to 08 Feb 2025

Citations

  • (2014) How to Break the Bank: Semantics of Capability Policies. Integrated Formal Methods, DOI:10.1007/978-3-319-10181-1_2 (18-35). Online publication date: 2014
  • (2022) SoK: All or Nothing - A Postmortem of Solutions to the Third-Party Script Inclusion Permission Model and a Path Forward. 2022 IEEE 7th European Symposium on Security and Privacy (EuroS&P), DOI:10.1109/EuroSP53844.2022.00021 (206-222). Online publication date: Jun-2022
  • (2021) Permissive runtime information flow control in the presence of exceptions. Journal of Computer Security, DOI:10.3233/JCS-211385, 29:4 (361-401). Online publication date: 1-Jan-2021
  • (2014) NodeSentry. Proceedings of the 30th Annual Computer Security Applications Conference, DOI:10.1145/2664243.2664276 (446-455). Online publication date: 8-Dec-2014
  • (2014) Efficient runtime-enforcement techniques for policy weaving. Proceedings of the 22nd ACM SIGSOFT International Symposium on Foundations of Software Engineering, DOI:10.1145/2635868.2635907 (224-234). Online publication date: 11-Nov-2014
  • (2014) Pivot. Proceedings of the 2014 IEEE Symposium on Security and Privacy, DOI:10.1109/SP.2014.24 (261-275). Online publication date: 18-May-2014
