Lightweight Self-Protecting JavaScript
Rapport, 2008
This paper introduces a method to control JavaScript execution. The aim
is to prevent or modify inappropriate behaviour caused by e.g. malicious
injected scripts or poorly designed third-party code. The approach is based
on modifying the code so as to make it self-protecting: the protection mecha-
nism (security policy) is embedded into the code itself and intercepts security
relevant API calls. The challenges come from the nature of the JavaScript
language: any variables in the scope of the program can be redefined, and
code can be created and run on-the-fly. This creates potential problems,
respectively, for tamper-proofing the protection mechanism, and for ensur-
ing that no security relevant events bypass the protection. Unlike previous
approaches to instrument and monitor JavaScript to enforce or adjust be-
haviour, the solution we propose is lightweight in that (i) it does not require
a modified browser, and (ii) it does not require any run-time parsing and
transformation of code (including dynamically generated code). As a result,
the method has low run-time overhead compared to other methods satisfying
(i), and the lack of need for browser modifications means that the policy can
even be applied on the server to mitigate some effects of cross-site scripting
bugs. We describe the implementation, and present an abstract formalisation
of the basic method. Based on this formalisation we show, as an example,
that it can soundly enforce the class of policies known as security automata.
JavaScript
Inlined Reference Monitors
Security Policy
Language Based Security