A Two-Tier Sandbox Architecture to Enforce Modular Fine-Grained Security Policies for Untrusted JavaScript
| Title: | A Two-Tier Sandbox Architecture to Enforce Modular Fine-Grained Security Policies for Untrusted JavaScript |
|---|---|
| Authors: | Phung, Phu, 1979 |
| Subject Terms: | self-protecting JavaScript, ECMAScript 5, mashup security, sandbox, untrusted JavaScript |
| Description: | Existing approaches to providing security for untrusted JavaScript include isolation of capabilities -- a.k.a. sandboxing. Features of the JavaScript language conspire to make this nontrivial, and isolation normally requires complex filtering, transforming and wrapping of untrusted code to restrict it to a manageable subset. The latest JavaScript specification (ECMAScript 5) has been modified to make sandboxing easier and more widely applicable. This is illustrated in a sandboxing library recently developed by the Google Caja team which allows untrusted code to interact with a restricted API. However, specifying and enforcing fine-grained policies within an API implementation is complex and inflexible, since each sandboxed application (there may be several within a single web page) may need an application-specific policy. In this paper, we present a two-tier architecture for sandboxed code which combines a baseline sandbox with a stateful fine-grained policy specified in an aspect-oriented programming style. The implementation of the fine-grained policy part is an adaptation of the lightweight self-protecting JavaScript mechanism proposed by Phung et al. (ASIACCS'09). This enforcement mechanism allows the policies to be defined in a modular way so that, for example, different policies can be specified and enforced for different untrusted applications within the same page. The mechanism is realized as a JavaScript library, so it does not require a modified browser, and untrusted code can be dynamically loaded and executed without run-time checking or transformation. We show the effectiveness of the mechanism by deploying some case studies and analyzing their security features. |
| Access URL: | https://research.chalmers.se/publication/146091 |
| Database: | SwePub |