JavaScript instrumentation for browser security

10 years 4 months ago
JavaScript instrumentation for browser security
It is well recognized that JavaScript can be exploited to launch browser-based security attacks. We propose to battle such attacks using program instrumentation. Untrusted JavaScript code goes through a rewriting process which identifies relevant operations, modifies questionable behaviors, and prompts the user (a web page viewer) for decisions on how to proceed when appropriate. Our solution is parametric with respect to the security policy--the policy is implemented separately from the rewriting, and the same rewriting process is carried out regardless of which policy is in use. Besides providing a rigorous account of the correctness of our solution, we also discuss practical issues including policy management and prototype experiments. A useful by-product of our work is an operational semantics of a core subset of JavaScript, where code embedded in (HTML) documents may generate further document pieces (with new code embedded) at runtime, yielding a form of self-modifying code. Cate...
Dachuan Yu, Ajay Chander, Nayeem Islam, Igor Serik
Added 03 Dec 2009
Updated 03 Dec 2009
Type Conference
Year 2007
Where POPL
Authors Dachuan Yu, Ajay Chander, Nayeem Islam, Igor Serikov
Comments (0)