Virtual browser: a virtualized browser to sandbox third-party JavaScripts with enhanced security

Authors: Yinzhi Cao, Zhichun Li, Vaibhav Rastogi, Yan Chen, Xitao Wen

DOI: 10.1145/2414456.2414460

Keywords:

Abstract: Third-party JavaScripts not only offer much richer features to the web and its applications but also introduce new threats. These scripts cannot be completely trusted, yet they are executed with the privileges given to host sites. Due to incomplete virtualization and a lack of tracking of all data flows, existing approaches without native sandbox support can secure only a subset of third-party JavaScripts, and they are vulnerable to attacks encoded in non-standard HTML/JavaScript (browser quirks), as these approaches parse scripts independently at the server side without considering client-side parsing quirks. At the same time, native sandboxes are vulnerable to attacks based on unknown JavaScript engine bugs. In this paper, we propose Virtual Browser, a full browser-level virtualized environment within browsers for executing untrusted code. Our approach supports a more complete language, including hard-to-secure functions such as eval. Since Virtual Browser does not rely on native browser behavior, there is no possibility of it being circumvented through browser quirks. Moreover, because third-party JavaScripts run on Virtual Browser instead of on native browsers, it is harder for attackers to exploit vulnerabilities in the native engine. In our design, we first isolate Virtual Browser from the native browser components and then introduce communication by adding data flows that are carefully examined for security. The evaluation of our prototype shows that its execution speed is comparable to Microsoft Web Sandbox [5], the state-of-the-art runtime web-level sandbox. In addition, development.

References (21)
Mike Ter Louw, V. N. Venkatakrishnan, Karthik Thotta Ganesh. AdJail: Practical Enforcement of Confidentiality and Integrity Policies on Web Advertisements. USENIX Security Symposium, pp. 24–24, 2010.
Haruka Kikuchi, Dachuan Yu, Ajay Chander, Hiroshi Inamura, Igor Serikov. JavaScript Instrumentation in Practice. Programming Languages and Systems, pp. 326–341, 2008. DOI: 10.1007/978-3-540-89330-1_23
Joel Weinberger, Dawn Song, Adam Barth. Cross-Origin JavaScript Capability Leaks: Detection, Exploitation, and Defense. USENIX Security Symposium, pp. 187–198, 2009.
Yacin Nadji, Prateek Saxena, Dawn Song. Document Structure Integrity: A Robust Basis for Cross-site Scripting Defense. Network and Distributed System Security Symposium, 2009.
Spiridon Aristides Eliopoulos, Joe Gibbs Politz, Shriram Krishnamurthi, Arjun Guha. ADsafety: Type-based Verification of JavaScript Sandboxing. USENIX Security Symposium, pp. 12–12, 2011.
Yao-Wen Huang, Fang Yu, Christian Hang, Chung-Hung Tsai, Der-Tsai Lee, Sy-Yen Kuo. Securing Web Application Code by Static Analysis and Runtime Protection. Proceedings of the 13th Conference on World Wide Web (WWW '04), pp. 40–52, 2004. DOI: 10.1145/988672.988679
Steven Crites, Francis Hsu, Hao Chen. OMash. Proceedings of the 15th ACM Conference on Computer and Communications Security (CCS '08), pp. 99–108, 2008. DOI: 10.1145/1455770.1455784
Opher Dubrovsky, Saher Esmeir, John Dunagan, Helen J. Wang, Charles Reis. BrowserShield: Vulnerability-driven Filtering of Dynamic HTML. Operating Systems Design and Implementation, pp. 61–74, 2006. DOI: 10.5555/1298455.1298462
Frederik De Keukelaere, Sumeer Bhola, Michael Steiner, Suresh Chari, Sachiko Yoshihama. SMash. Proceedings of the 17th International Conference on World Wide Web (WWW '08), pp. 535–544, 2008. DOI: 10.1145/1367497.1367570
Dachuan Yu, Ajay Chander, Nayeem Islam, Igor Serikov. JavaScript Instrumentation for Browser Security. Symposium on Principles of Programming Languages, vol. 42, pp. 237–249, 2007. DOI: 10.1145/1190215.1190252