JavaScript Instrumentation in Practice

Authors:
Haruka Kikuchi;Dachuan Yu;Ajay Chander;Hiroshi Inamura;Igor Serikov
Affiliations:
NTT DOCOMO, Inc.,;DOCOMO Communications Laboratories USA, Inc.,;DOCOMO Communications Laboratories USA, Inc.,;DOCOMO Communications Laboratories USA, Inc.,;DOCOMO Communications Laboratories USA, Inc.,
Venue:
APLAS '08 Proceedings of the 6th Asian Symposium on Programming Languages and Systems
Year:
2008

Citing 9
Cited 7

Efficient software-based fault isolation

SOSP '93 Proceedings of the fourteenth ACM symposium on Operating systems principles
SASI enforcement of security policies: a retrospective

Proceedings of the 1999 workshop on New security paradigms
Enforceable security policies

ACM Transactions on Information and System Security (TISSEC)
Secure Execution via Program Shepherding

Proceedings of the 11th USENIX Security Symposium
IRM Enforcement of Java Stack Inspection

SP '00 Proceedings of the 2000 IEEE Symposium on Security and Privacy
Noxes: a client-side solution for mitigating cross-site scripting attacks

Proceedings of the 2006 ACM symposium on Applied computing
JavaScript instrumentation for browser security

Proceedings of the 34th annual ACM SIGPLAN-SIGACT symposium on Principles of programming languages
BrowserShield: vulnerability-driven filtering of dynamic HTML

OSDI '06 Proceedings of the 7th USENIX Symposium on Operating Systems Design and Implementation - Volume 7
AjaxScope: a platform for remotely monitoring the client-side behavior of web 2.0 applications

Proceedings of twenty-first ACM SIGOPS symposium on Operating systems principles

An empirical study of privacy-violating information flows in JavaScript web applications

Proceedings of the 17th ACM conference on Computer and communications security
VEX: vetting browser extensions for security vulnerabilities

USENIX Security'10 Proceedings of the 19th USENIX conference on Security
AdJail: practical enforcement of confidentiality and integrity policies on web advertisements

USENIX Security'10 Proceedings of the 19th USENIX conference on Security
WebAppArmor: a framework for robust prevention of attacks on web applications

ICISS'10 Proceedings of the 6th international conference on Information systems security
Vetting browser extensions for security vulnerabilities with VEX

Communications of the ACM
Safe wrappers and sane policies for self protecting javascript

NordSec'10 Proceedings of the 15th Nordic conference on Information Security Technology for Applications
Securing web-clients with instrumented code and dynamic runtime monitoring

Journal of Systems and Software

Quantified Score

Hi-index	0.02

Visualization

Abstract

JavaScript has been exploited to launch various browser-based attacks. Our previous work proposed a theoretical framework applying policy-based code instrumentation to JavaScript. This paper further reports our experience carrying out the theory in practice. Specifically, we discuss how the instrumentation is performed on various JavaScript and HTML syntactic constructs, present a new policy construction method for facilitating the creation and compilation of security policies, and document various practical difficulties arose during our prototyping. Our prototype currently works with several different web browsers, including Safari Mobile running on iPhones. We report our results based on experiments using representative real-world web applications