Cross-origin javascript capability leaks: detection, exploitation, and defense
作者: Joel Weinberger , Dawn Song , Adam Barth
DOI:
关键词:
摘要: We identify a class of Web browser implementation vulnerabilities, cross-origin JavaScript capability leaks, which occur when the leaks pointer from one security origin to another. devise an algorithm for detecting these vulnerabilities by monitoring "points-to" relation heap. Our finds number new in opensource WebKit engine used Safari. propose approach mitigate this adding access control checks engines. These are backwardscompatible because they do not alter semantics platform. Through application inline cache, we implement with overhead 1-2% on industry-standard benchmarks.
joelweinberger.us参考文章(10)
Norm Hardy, The Confused Deputy: (or why capabilities might have been invented) Operating Systems Review. ,vol. 22, pp. 36- 38 ,(1988) , 10.1145/54289.871709
S.J. Mullender, G. van Rossum, A.S. Tananbaum, R. van Renesse, H. van Staveren, Amoeba: a distributed operating system for the 1990s IEEE Computer. ,vol. 23, pp. 44- 53 ,(1990) , 10.1109/2.53354
Collin Jackson, Helen J. Wang, Subspace: secure cross-domain communication for web mashups the web conference. pp. 611- 620 ,(2007) , 10.1145/1242572.1242655
Sergio Maffeis, John C. Mitchell, Ankur Taly, An Operational Semantics for JavaScript Programming Languages and Systems. pp. 307- 325 ,(2008) , 10.1007/978-3-540-89330-1_22
John C. Mitchell, Collin Jackson, Adam Barth, Securing frame communication in browsers usenix security symposium. pp. 17- 30 ,(2008)
Shuo Chen, David Ross, Yi-Min Wang, An analysis of browser domain-isolation bugs and a light-weight transparent defense mechanism computer and communications security. pp. 2- 11 ,(2007) , 10.1145/1315245.1315248
Chris Grier, Shuo Tang, Samuel T. King, Secure Web Browsing with the OP Web Browser ieee symposium on security and privacy. pp. 402- 416 ,(2008) , 10.1109/SP.2008.19
Jonathan S. Shapiro, Jonathan M. Smith, David J. Farber, EROS: a fast capability system symposium on operating systems principles. ,vol. 34, pp. 170- 185 ,(1999) , 10.1145/319151.319163
Norman Hardy, KeyKOS architecture ACM SIGOPS Operating Systems Review. ,vol. 19, pp. 8- 25 ,(1985) , 10.1145/858336.858337
Butler Lampson, Protection and access control in operating systems Operating Systems. ,vol. 14, ,(1972)