Affiliation:
1. DoCoMo Communications Laboratories USA, Inc.
Abstract
It is well recognized that JavaScript can be exploited to launch browser-based security attacks. We propose to battle such attacks using program instrumentation. Untrusted JavaScript code goes through a rewriting process which identifies relevant operations, modifies questionable behaviors, and prompts the user (a web page viewer) for decisions on how to proceed when appropriate. Our solution is parametric with respect to the security policy: the policy is implemented separately from the rewriting, and the same rewriting process is carried out regardless of which policy is in use. Besides providing a rigorous account of the correctness of our solution, we also discuss practical issues including policy management and prototype experiments. A useful by-product of our work is an operational semantics of a core subset of JavaScript, where code embedded in (HTML) documents may generate further document pieces (with new code embedded) at runtime, yielding a form of self-modifying code.
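The following is an added illustration of the approach the abstract describes, written for this page; it is not the paper's rewriter or prototype. A fixed rewriter redirects calls to a small set of sensitive operations through a guard, and a separately supplied policy decides per call whether to allow, deny, modify, or ask the user. Code produced at run time (an eval'd string, a script element written into the document) is fed back through the same rewriter, which is the self-modifying-code case the abstract mentions. All names (`__guard`, `instrument`, `run`, the operation table, the policies) and the simulated browser environment are assumptions of this example; the rewriter is deliberately textual, which a real implementation would replace with a parser over the ECMA-262 grammar.

```javascript
// Added example (not the paper's code): policy-parametric instrumentation of
// untrusted JavaScript. The rewriter is fixed; the policy is plugged in later.

// Operations the rewriter redirects through the guard (a hypothetical choice).
const SENSITIVE = ["eval", "document.write", "window.open"];

// Toy source rewriter: every call `op(` on a sensitive operation becomes
// `__guard('op')(`. Being textual, it also rewrites matches inside string
// literals; a parser-based rewriter would not. The sample input below
// assembles its sensitive calls at run time, which the textual pass cannot
// see and which is exactly why eval'd and written code is re-instrumented.
function instrument(src) {
  const alts = SENSITIVE.map((op) => op.replace(/\./g, "\\.")).join("|");
  const re = new RegExp(`\\b(${alts})\\s*\\(`, "g");
  return src.replace(re, (_, op) => `__guard('${op}')(`);
}

// Run rewritten code against a simulated browser. The policy returns, per
// call, "allow", "deny", {args: [...]} (a modified call), or "ask" (defer
// to the user; `prompt` stands in for the dialog and defaults to "no").
function run(src, policy, prompt = () => false) {
  const log = [];                 // what the sinks and the guard did
  const doc = { html: "" };       // simulated document
  const originals = {
    // eval'd code goes back through the same pipeline, so code generated at
    // run time is instrumented too (the self-modifying-code case).
    "eval": (code) => runInner(String(code)),
    "document.write": (html) => {
      doc.html += html;
      // A generated <script> element is further embedded code: extract it
      // and re-instrument before executing.
      const m = /<script>([\s\S]*?)<\/script>/.exec(html);
      if (m) runInner(m[1]);
    },
    "window.open": (url) => { log.push(`open:${url}`); },
  };
  function __guard(op) {
    return (...args) => {
      let decision = policy(op, args);
      if (decision === "ask") decision = prompt(op, args) ? "allow" : "deny";
      if (decision === "deny") { log.push(`denied:${op}`); return undefined; }
      const finalArgs = decision === "allow" ? args : decision.args;
      if (decision !== "allow") log.push(`modified:${op}`);
      return originals[op](...finalArgs);
    };
  }
  function runInner(code) {
    // Only the guard and simulated host objects are reachable from the code.
    const fn = new Function("__guard", "document", "window", instrument(code));
    return fn(__guard, { title: "page" }, {});
  }
  runInner(src);
  return { html: doc.html, log };
}

// Three policies, written without touching the rewriter.
const permissive = () => "allow";
function noPopupsNoEval(op) {
  if (op === "window.open") return "deny";
  if (op === "eval") return "ask";
  return "allow";
}
function sandboxPopups(op) {
  return op === "window.open" ? { args: ["about:blank"] } : "allow";
}

// Constructed untrusted input. Both sensitive calls are built from string
// pieces at run time, so the outer textual rewrite does not touch them; the
// run-time re-instrumentation of the written script and of the eval'd code
// is what brings them under the policy.
const SAMPLE = `
document.write("<p>hello</p>");
document.write("<script>window." + "open('http://ads.example/');</script>");
eval("window." + "open('http://evil.example/')");
`;

console.log(run(SAMPLE, noPopupsNoEval).log);
// → [ 'denied:window.open', 'denied:eval' ]
```

Swapping `permissive` for `noPopupsNoEval` or `sandboxPopups` changes only the decisions recorded in `log`; the rewritten source is identical in every case, which is the parametricity the abstract claims.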
Publisher
Association for Computing Machinery (ACM)
Subject
Computer Graphics and Computer-Aided Design, Software
References: 24 articles.
1. Towards Type Inference for JavaScript
2. Composing security policies with polymer
3. ECMA International. ECMAScript language specification. Standard ECMA-262, 3rd Edition. http://www.ecma-international.org/publications/files/ECMA ST/Ecma-262.pdf, Dec. 1999.
4. SASI enforcement of security policies
Cited by: 31 articles.
1. Survey on Defense Technology of Web Application Based on Interpretive Dynamic Programming Languages;2022 7th International Conference on Computer and Communication Systems (ICCCS);2022-04-22
2. Finding client-side business flow tampering vulnerabilities;Proceedings of the ACM/IEEE 42nd International Conference on Software Engineering;2020-06-27
3. Towards the Efficient Use of Dynamic Call Graph Generators of Node.js Applications;Communications in Computer and Information Science;2020
4. Evaluation and Comparison of Dynamic Call Graph Generators for JavaScript;Proceedings of the 14th International Conference on Evaluation of Novel Approaches to Software Engineering;2019
5. A Survey of Dynamic Analysis and Test Generation for JavaScript;ACM Computing Surveys;2018-09-30