JavaScript in JavaScript (js.js): sandboxing third-party scripts

Authors: Naga Praveen Kumar Katta, Jeff Terrace, Stephen R. Beard

Abstract: Running on billions of today's computing devices, JavaScript has become a ubiquitous platform for deploying web applications. Unfortunately, an application developer who wishes to include a third-party script must enter into an implicit trust relationship with the third party, granting it unmediated access to the application's entire content. In this paper, we present js.js, a JavaScript interpreter (which itself runs in JavaScript) that allows an application to execute third-party script inside a completely isolated, sandboxed environment. An application can, at runtime, create and interact with the objects, properties, and methods available from within the sandboxed environment, giving it complete control over the third-party script. js.js supports the full range of the JavaScript language, is compatible with major browsers, and is resilient to attacks from malicious scripts. We conduct a performance evaluation quantifying the overhead of using js.js, using Twitter's Tweet Button API as an example.
