ACM SIGPLAN Notices - Best of PLDI 1979-1999
Cloning-based context-sensitive pointer alias analysis using binary decision diagrams
Proceedings of the ACM SIGPLAN 2004 conference on Programming language design and implementation
Improving software security with a C pointer analysis
Proceedings of the 27th international conference on Software engineering
Context-sensitive program analysis as database queries
Proceedings of the twenty-fourth ACM SIGMOD-SIGACT-SIGART symposium on Principles of database systems
JavaScript instrumentation for browser security
Proceedings of the 34th annual ACM SIGPLAN-SIGACT symposium on Principles of programming languages
Thorough static analysis of device drivers
Proceedings of the 1st ACM SIGOPS/EuroSys European Conference on Computer Systems 2006
Finding security vulnerabilities in Java applications with static analysis
SSYM'05 Proceedings of the 14th conference on USENIX Security Symposium - Volume 14
BrowserShield: vulnerability-driven filtering of dynamic HTML
OSDI '06 Proceedings of the 7th USENIX Symposium on Operating Systems Design and Implementation - Volume 7
AjaxScope: a platform for remotely monitoring the client-side behavior of web 2.0 applications
Proceedings of twenty-first ACM SIGOPS symposium on Operating systems principles
MashupOS: operating system abstractions for client mashups
HOTOS'07 Proceedings of the 11th USENIX workshop on Hot topics in operating systems
JavaScript: The Good Parts
Talking to strangers without taking their candy: isolating proxied content
Proceedings of the 1st Workshop on Social Network Systems
Staged information flow for JavaScript
Proceedings of the 2009 ACM SIGPLAN conference on Programming language design and implementation
Compilers: Principles, Techniques, & Tools with Gradiance
Using datalog with binary decision diagrams for program analysis
APLAS'05 Proceedings of the Third Asian conference on Programming Languages and Systems
Towards type inference for JavaScript
ECOOP'05 Proceedings of the 19th European conference on Object-Oriented Programming
Object views: fine-grained sharing in browsers
Proceedings of the 19th international conference on World wide web
AjaxScope: A Platform for Remotely Monitoring the Client-Side Behavior of Web 2.0 Applications
ACM Transactions on the Web (TWEB)
GULFSTREAM: staged static analysis for streaming JavaScript applications
WebApps'10 Proceedings of the 2010 USENIX conference on Web application development
Proceedings of the 17th ACM conference on Computer and communications security
ECOOP'10 Proceedings of the 24th European conference on Object-oriented programming
FIRM: capability-based inline mediation of Flash behaviors
Proceedings of the 26th Annual Computer Security Applications Conference
Towards automatically checking thousands of failures with micro-specifications
HotDep'10 Proceedings of the Sixth international conference on Hot topics in system dependability
VEX: vetting browser extensions for security vulnerabilities
USENIX Security'10 Proceedings of the 19th USENIX conference on Security
AdJail: practical enforcement of confidentiality and integrity policies on web advertisements
USENIX Security'10 Proceedings of the 19th USENIX conference on Security
WebAppArmor: a framework for robust prevention of attacks on web applications
ICISS'10 Proceedings of the 6th international conference on Information systems security
FATE and DESTINI: a framework for cloud recovery testing
Proceedings of the 8th USENIX conference on Networked systems design and implementation
A framework for automated testing of JavaScript web applications
Proceedings of the 33rd International Conference on Software Engineering
Vetting browser extensions for security vulnerabilities with VEX
Communications of the ACM
Saving the world wide web from vulnerable JavaScript
Proceedings of the 2011 International Symposium on Software Testing and Analysis
Modeling the HTML DOM and browser API in static analysis of JavaScript web applications
Proceedings of the 19th ACM SIGSOFT symposium and the 13th European conference on Foundations of software engineering
ADsafety: type-based verification of JavaScript Sandboxing
SEC'11 Proceedings of the 20th USENIX conference on Security
µZ: an efficient engine for fixed points with constraints
CAV'11 Proceedings of the 23rd international conference on Computer aided verification
The eval that men do: A large-scale study of the use of eval in JavaScript applications
Proceedings of the 25th European conference on Object-oriented programming
ZDVUE: prioritization of JavaScript attacks to discover new vulnerabilities
Proceedings of the 4th ACM workshop on Security and artificial intelligence
Tool-supported refactoring for JavaScript
Proceedings of the 2011 ACM international conference on Object oriented programming systems languages and applications
ToMaTo: a trustworthy code mashup development tool
Proceedings of the 5th International Workshop on Web APIs and Service Mashups
AdSentry: comprehensive and flexible confinement of JavaScript-based advertisements
Proceedings of the 27th Annual Computer Security Applications Conference
WebJail: least-privilege integration of third-party components in web mashups
Proceedings of the 27th Annual Computer Security Applications Conference
IceShield: detection and mitigation of malicious websites with a frozen DOM
RAID'11 Proceedings of the 14th international conference on Recent Advances in Intrusion Detection
Race detection for web applications
Proceedings of the 33rd ACM SIGPLAN conference on Programming Language Design and Implementation
Refactoring tools for dynamic languages
Proceedings of the Fifth Workshop on Refactoring Tools
Remedying the eval that men do
Proceedings of the 2012 International Symposium on Software Testing and Analysis
Verifying client-side input validation functions using string analysis
Proceedings of the 34th International Conference on Software Engineering
JavaScript in JavaScript (js.js): sandboxing third-party scripts
WebApps'12 Proceedings of the 3rd USENIX conference on Web Application Development
Efficient runtime policy enforcement using counterexample-guided abstraction refinement
CAV'12 Proceedings of the 24th international conference on Computer Aided Verification
Privilege separation in HTML5 applications
Security'12 Proceedings of the 21st USENIX conference on Security symposium
JSART: JavaScript assertion-based regression testing
ICWE'12 Proceedings of the 12th international conference on Web Engineering
An analysis of the Mozilla Jetpack extension framework
ECOOP'12 Proceedings of the 26th European conference on Object-Oriented Programming
Enhancing JavaScript with transactions
ECOOP'12 Proceedings of the 26th European conference on Object-Oriented Programming
Correlation tracking for points-to analysis of JavaScript
ECOOP'12 Proceedings of the 26th European conference on Object-Oriented Programming
Eval begone!: semi-automated removal of eval from JavaScript programs
Proceedings of the ACM international conference on Object oriented programming systems languages and applications
An empirical study of dangerous behaviors in Firefox extensions
ISC'12 Proceedings of the 15th international conference on Information Security
MemRed: towards reliable web applications
Proceedings of the Workshop on Secure and Dependable Middleware for Cloud Monitoring and Management
Efficient and effective handling of exceptions in Java points-to analysis
CC'13 Proceedings of the 22nd international conference on Compiler Construction
A measurement study of insecure JavaScript practices on the web
ACM Transactions on the Web (TWEB)
Proceedings of the 34th ACM SIGPLAN conference on Programming language design and implementation
Hybrid context-sensitivity for points-to analysis
Proceedings of the 34th ACM SIGPLAN conference on Programming language design and implementation
Position paper: the science of boxing
Proceedings of the Eighth ACM SIGPLAN workshop on Programming languages and analysis for security
Practical blended taint analysis for JavaScript
Proceedings of the 2013 International Symposium on Software Testing and Analysis
Efficient construction of approximate call graphs for JavaScript IDE services
Proceedings of the 2013 International Conference on Software Engineering
Practical static analysis of JavaScript applications in the presence of frameworks and libraries
Proceedings of the 2013 9th Joint Meeting on Foundations of Software Engineering
Verifying higher-order programs with the Dijkstra monad
Proceedings of the 34th ACM SIGPLAN conference on Programming language design and implementation
Analyzing and defending against web-based malware
ACM Computing Surveys (CSUR)
All about the with statement in JavaScript: removing with statements in JavaScript applications
Proceedings of the 9th symposium on Dynamic languages
Type refinement for static analysis of JavaScript
Proceedings of the 9th symposium on Dynamic languages
Set-based pre-processing for points-to analysis
Proceedings of the 2013 ACM SIGPLAN international conference on Object oriented programming systems languages & applications
Class hierarchy complementation: soundly completing a partial type graph
Proceedings of the 2013 ACM SIGPLAN international conference on Object oriented programming systems languages & applications
Flexible access control for JavaScript
Proceedings of the 2013 ACM SIGPLAN international conference on Object oriented programming systems languages & applications
A trusted mechanised JavaScript specification
Proceedings of the 41st ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages
Gradual typing embedded securely in JavaScript
Proceedings of the 41st ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages
Security Signature Inference for JavaScript-based Browser Addons
Proceedings of Annual IEEE/ACM International Symposium on Code Generation and Optimization
Radigost: Interoperable web-based multi-agent platform
Journal of Systems and Software
The advent of Web 2.0 has led to the proliferation of client-side code that is typically written in JavaScript. This code is often combined -- or mashed up -- with other code and content from disparate, mutually untrusting parties, leading to undesirable security and reliability consequences. This paper proposes GATEKEEPER, a mostly static approach for soundly enforcing security and reliability policies for JavaScript programs. GATEKEEPER is a highly extensible system with a rich, expressive policy language that allows the hosting site administrator to formulate policies as succinct Datalog queries. The primary application of GATEKEEPER explored in this paper is reasoning about JavaScript widgets such as those hosted by the widget portals Live.com and Google/IG. Widgets submitted to these sites can be either malicious or merely buggy and poorly written, and the hosting site has the authority to reject the submission of widgets that do not meet the site's security policies. To show the practicality of our approach, we describe nine representative security and reliability policies. Statically checking these policies results in 1,341 verified warnings in 684 widgets, with no false negatives, due to the soundness of our analysis, and with false positives affecting only two widgets.