Lightweight Approach to Enforcing Security Policies for JavaScript
Conference poster, 2010

We present a method to intercept JavaScript built-in functions with security policies in order to control the behavior of security-relevant events in a web page, so that unintended behavior can be prevented. The method is lightweight in the sense that it does not require browser modification, original code transformation, or language restriction (or extension). We also address possible vulnerabilities in the enforcement mechanism, and provide a systematic way to avoid the identified vulnerabilities, including general issues such as object and function subversion, and library-specific problems. The issue of untyped arguments in JavaScript is solved by declarative type checking that implements the call-by-primitive-value idea to avoid possible side effects from attacker code. Enforceable security policies for JavaScript that can ensure the safety of the defined policies are also discussed.
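The interception and call-by-primitive-value ideas described in the abstract can be sketched as follows. This is an added example, not code from the poster; `enforce`, `toPrimitives`, the `host.open` stand-in for a built-in, and the URL allowlist are all assumptions made for illustration.

```javascript
// Added illustration; all names here are hypothetical, not the poster's API.
// Capture trusted references first, so later redefinition by untrusted code
// (function subversion) cannot affect the enforcement mechanism.
const apply = Reflect.apply;
const coerce = { string: String, number: Number, boolean: Boolean };

// Declarative type check: convert each declared argument to a primitive
// exactly once. Undeclared extra arguments are dropped.
function toPrimitives(args, types) {
  const out = [];
  for (let i = 0; i < types.length; i++) {
    out[i] = coerce[types[i]](args[i]);
  }
  return out;
}

// Replace obj[name] with a wrapper that consults `policy` before the call.
// The policy and the original function both see only the primitive copies.
function enforce(obj, name, types, policy) {
  const original = obj[name];
  obj[name] = function (...args) {
    const prim = toPrimitives(args, types);
    const proceed = () => apply(original, this, prim);
    return policy(prim, proceed);
  };
}

// Constructed stand-in for a security-relevant built-in such as window.open.
const opened = [];
const host = { open(url) { opened.push(url); return true; } };

// Constructed policy: allow only URLs under one prefix.
enforce(host, 'open', ['string'], ([url], proceed) =>
  url.startsWith('https://example.test/') ? proceed() : false);

// Constructed hostile argument: an object whose string value changes
// between the policy check and the use if it is read more than once.
function shifty() {
  let n = 0;
  return { toString: () => (n++ === 0 ? 'https://example.test/ok' : 'https://other.test/') };
}

function demo() {
  const a = host.open(shifty());             // read once: checked value is the used value
  const b = host.open('https://other.test/'); // rejected by the policy
  return { a, b, opened };
}
```

Because the argument is coerced once and only the resulting string is passed on, the stateful `toString` cannot show the policy one value and the wrapped function another.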


Phu Phung

Chalmers, Computer Science and Engineering (Chalmers), Software Engineering and Technology (Chalmers)

IEEE Symposium on Security and Privacy 2010 Posters

Areas of Advance

Information and Communication Technology

Subject Categories

Software Engineering

Computer Science
