JSLocker: Security for JavaScript

Research Areas: End System Security

Principal Investigator: Jan Vitek

Providing security guarantees for software systems built out of untrusted components requires the ability to enforce fine-grained access control policies. This is evident in Web 2.0 applications, where JavaScript code from different origins is often combined on a single page, leading to well-known vulnerabilities. This paper presents a security infrastructure that allows users and content providers to specify access control policies over delimited histories, which are subsets of JavaScript execution traces, allowing revocation of the history and reversion to a safe state if a violation is detected. We report on an empirical evaluation of this proposal in the context of a production browser. We show examples of security policies that can prevent real attacks without imposing drastic restrictions on legacy applications. We have evaluated our proposal with two non-trivial policies on 50 of the Alexa top websites with no changes to the legacy JavaScript code. Between 72% and 84% of the sites were fully functional, and only 1 site was rendered non-functional. In terms of performance overhead, we observed a worst-case 106% slowdown, with a typical case closer to 10%.
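A toy model of the idea in the abstract, added here as an illustration and not taken from JSLocker or the paper: a script's property accesses are recorded in a delimited history, a policy inspects that trace, and a violation revokes the run by undoing its writes. The names `runDelimited` and `noWriteAfterRead`, the policy itself, and the sample `page` object are assumptions made for this example.

```javascript
// Added toy model (not JSLocker code): policy check over a delimited history.
function runDelimited(target, policy, untrusted) {
  const trace = []; // events recorded for this run only (the delimited history)
  const undo = [];  // inverse of each write, replayed newest-first on revocation
  const proxy = new Proxy(target, {
    get(obj, prop) { trace.push({ op: "read", prop }); return obj[prop]; },
    set(obj, prop, value) {
      const had = Object.prototype.hasOwnProperty.call(obj, prop);
      const old = obj[prop];
      undo.push(() => { if (had) obj[prop] = old; else delete obj[prop]; });
      trace.push({ op: "write", prop });
      obj[prop] = value;
      return true;
    },
  });
  let violation = null;
  try { untrusted(proxy); violation = policy(trace); }
  catch (e) { violation = "exception: " + e.message; } // a failed run is revoked too
  if (violation) while (undo.length) undo.pop()(); // revert to the safe state
  return { committed: violation === null, violation, trace };
}

// Hypothetical policy: no write to `sink` once `secret` has been read.
function noWriteAfterRead(secret, sink) {
  return (trace) => {
    let tainted = false;
    for (const ev of trace) {
      if (ev.op === "read" && ev.prop === secret) tainted = true;
      if (ev.op === "write" && ev.prop === sink && tainted)
        return `write to ${sink} after reading ${secret}`;
    }
    return null;
  };
}

// Constructed sample state and two constructed third-party scripts.
function demo() {
  const page = { cookie: "sid=constructed", banner: "hello", beacon: "" };
  const policy = noWriteAfterRead("cookie", "beacon");
  const ok = runDelimited(page, policy, (p) => { p.banner = "ad"; });
  const bad = runDelimited(page, policy, (p) => {
    p.banner = "gone"; p.beacon = p.cookie;
  });
  return { page, ok, bad };
}
console.log(demo());
```

The second script's earlier, individually harmless write to `banner` is rolled back together with the violating write, because revocation applies to the whole history rather than to the single offending operation.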

Personnel

Other PIs: Suresh Jagannathan

Other Faculty: Christian Hammer

Students: Gregor Richards

Keywords: access control, browser, JavaScript, sandbox