A two-tier sandbox architecture for untrusted JavaScript
Paper in proceeding, 2012

The large majority of websites nowadays embed third-party JavaScript into their pages, coming from external partners. Ideally, these scripts are benign and come from trusted sources, but over time, these third-party scripts can start to misbehave, or come under the control of an attacker. Unfortunately, the state-of-practice integration techniques for third-party scripts do not impose restrictions on the execution of JavaScript code, allowing such an attacker to perform unwanted actions on behalf of the website owner and/or website visitor. In this paper, we present a two-tier sandbox architecture that enables a website owner to enforce modular, fine-grained security policies for potentially untrusted third-party JavaScript code. The architecture contains an outer sandbox that provides strong baseline isolation guarantees with generic, coarse-grained policies, and an inner sandbox that enables fine-grained, stateful policy enforcement specific to a particular untrusted application. The two-tier approach ensures that the application-specific policies and the untrusted code are by default confined to a basic security policy, without imposing restrictions on the expressiveness of the policies. Our proposed architecture improves upon the state of the art as it depends neither on browser modification nor on preprocessing or transformation of untrusted code, and it allows the secure enforcement of fine-grained, stateful access control policies. We have developed a prototype implementation on top of an open-source sandbox library in the ECMAScript 5 specification, and applied it to a representative online advertisement case study to validate the feasibility and security of the proposed architecture.

Web application security

Web mashups

Fine-grained security policy

Untrusted

Author

Phu Phung

Chalmers, Computer Science and Engineering (Chalmers), Software Technology (Chalmers)

Lieven Desmet

KU Leuven

JSTools '12 Proceedings of the Workshop on JavaScript Tools, Beijing, 13 June 2012

1-10
978-1-4503-1274-5 (ISBN)

Areas of Advance

Information and Communication Technology

Subject Categories

Computer Science

DOI

10.1145/2307720.2307721

ISBN

978-1-4503-1274-5

More information

Latest update

5/29/2018