Wednesday, November 20 • 4:00pm - 4:50pm
Sandboxing JavaScript via Libraries and Wrappers


The large majority of websites nowadays embed third-party JavaScript into their pages, coming from external partners. Ideally, these scripts are benign and come from trusted sources, but over time, these third-party scripts can start to misbehave, or come under the control of an attacker. Unfortunately, the state-of-practice integration techniques for third-party scripts do not impose restrictions on the execution of JavaScript code, allowing such an attacker to perform unwanted actions on behalf of the website owner and/or website visitor.
In this paper, we present a two-tier sandbox architecture to enable a website owner to enforce modular fine-grained security policies for potentially untrusted third-party JavaScript code. The architecture contains an outer sandbox that provides strong baseline isolation guarantees with generic, coarse-grained policies and an inner sandbox that enables fine-grained, stateful policy enforcement specific to a particular untrusted application. The two-tier approach ensures that the application-specific policies and untrusted code are by default confined to a basic security policy, without imposing restrictions on the expressiveness of the policies.
Our proposed architecture improves upon the state-of-the-art as it does not depend on browser modification or on pre-processing or transformation of untrusted code, and allows the secure enforcement of fine-grained, stateful access control policies. We have developed a prototype implementation on top of an open-source sandbox library in the ECMAScript 5 specification, and validated it with several real-world JavaScript applications such as Google Analytics, Google Maps, and jQuery UI.
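
As an added illustration (not code from the paper or its prototype), the sketch below shows how the two tiers described in the abstract can be layered: an outer allow-list facade and, on top of it, an inner stateful policy that can only reach what the outer tier exposes. All names (`makeOuterTier`, `makeInnerTier`, `makeHostApi`, `runGuest`) and the sample policy are hypothetical, and isolation of the guest code itself is assumed to come from a sandbox library, which this example does not implement.

```javascript
'use strict';
// Added illustration; every name and the sample policy are hypothetical.

// Outer tier: generic, coarse-grained baseline. Only allow-listed operations
// of the host API are reachable at all; everything else is simply absent.
function makeOuterTier(hostApi, allowed) {
  var facade = {};
  allowed.forEach(function (name) {
    facade[name] = function () {
      return hostApi[name].apply(hostApi, arguments);
    };
  });
  return Object.freeze(facade);
}

// Inner tier: application-specific, stateful policy built only on the outer
// facade. Policy: at most maxSends sends, and none once the cookie was read.
function makeInnerTier(outer, maxSends) {
  var state = { cookieRead: false, sends: 0 }; // policy state, closure-private
  return Object.freeze({
    readCookie: function () {
      state.cookieRead = true;
      return outer.readCookie();
    },
    send: function (url, body) {
      if (state.cookieRead) throw new Error('policy: send after cookie read');
      if (state.sends >= maxSends) throw new Error('policy: send quota exceeded');
      state.sends += 1;
      return outer.send(String(url), String(body));
    }
  });
}

// Constructed host API standing in for the page's real DOM/network objects.
function makeHostApi(log) {
  return {
    readCookie: function () { return 'session=constructed'; },
    send: function (url, body) { log.push(url + ' ' + body); return true; },
    navigate: function (url) { log.push('NAVIGATE ' + url); }
  };
}

// Runs a guest function against both tiers and reports what reached the host.
function runGuest(guest, maxSends) {
  var log = [];
  var outer = makeOuterTier(makeHostApi(log), ['readCookie', 'send']);
  var error = null;
  try { guest(makeInnerTier(outer, maxSends)); } catch (e) { error = e.message; }
  return { log: log, error: error };
}
```

Because the inner policy holds only the outer facade, a mistake in the application-specific policy cannot grant access to `navigate`, which the baseline never exposed.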

Speakers

Phu Phung

Research Associate, University of Illinois at Chicago
Dr Phu Phung has been a Research Associate at the University of Illinois at Chicago since December 2012, employed by the University of Gothenburg, Sweden. From October 2011 to December 2012, he was a postdoctoral researcher at the Department of Computer Science and Engineering, Chalmers University of Technology, where he received his PhD in October 2011. Phu's research directions include web application security, runtime policy enforcement for untrusted...


Wednesday November 20, 2013 4:00pm - 4:50pm
Belasco & Broadhurst (5th Floor) NY Marriott Marquis