ConScript: Specifying and Enforcing Fine-Grained Security Policies for JavaScript in the Browser

Bibliographic Details
Main Authors: Meyerovich, Leo A; Livshits, Benjamin
Format: Conference Proceeding
Language: English
Online Access: https://ieeexplore.ieee.org/document/5504806
Description: Much of the power of modern Web comes from the ability of a Web page to combine content and JavaScript code from disparate servers on the same page. While the ability to create such mash-ups is attractive for both the user and the developer because of extra functionality, code inclusion effectively opens the hosting site up for attacks and poor programming practices within every JavaScript library or API it chooses to use. In other words, expressiveness comes at the price of losing control. To regain the control, it is therefore valuable to provide means for the hosting page to restrict the behavior of the code that the page may include. This paper presents ConScript, a client-side advice implementation for security, built on top of Internet Explorer 8. ConScript allows the hosting page to express fine-grained application-specific security policies that are enforced at runtime. In addition to presenting 17 widely-ranging security and reliability policies that ConScript enables, we also show how policies can be generated automatically through static analysis of server-side code or runtime analysis of client-side code. We also present a type system that helps ensure correctness of ConScript policies. To show the practicality of ConScript in a range of settings, we compare the overhead of ConScript enforcement and conclude that it is significantly lower than that of other systems proposed in the literature, both on micro-benchmarks as well as large, widely-used applications such as MSN, GMail, Google Maps, and Live Desktop.
DOI: 10.1109/SP.2010.36
Published in: 2010 IEEE Symposium on Security and Privacy, 2010, p.481-496
ISSN: 1081-6011; EISSN: 2375-1207
Source: IEEE Electronic Library (IEL) Conference Proceedings
Subjects: aspects; browsers; Computer bugs; Functional programming; HTML; Internet; Java; JavaScript; language security; Libraries; Privacy; Runtime; Security; security policies; Web and client-side programming; Web pages