Protecting browser state from web privacy attacks
Proceedings of the 15th international conference on World Wide Web
Defeating script injection attacks with browser-enforced embedded policies
Proceedings of the 16th international conference on World Wide Web
Using web application construction frameworks to protect against code injection attacks
Proceedings of the 2007 workshop on Programming languages and analysis for security
Dynamic pharming attacks and locked same-origin policies for web browsers
Proceedings of the 14th ACM conference on Computer and communications security
CLAMP: Practical Prevention of Large-Scale Data Leaks
SP '09 Proceedings of the 2009 30th IEEE Symposium on Security and Privacy
ESCUDO: A Fine-Grained Protection Model for Web Browsers
ICDCS '10 Proceedings of the 2010 IEEE 30th International Conference on Distributed Computing Systems
ConScript: Specifying and Enforcing Fine-Grained Security Policies for JavaScript in the Browser
SP '10 Proceedings of the 2010 IEEE Symposium on Security and Privacy
Nemesis: preventing authentication & access control vulnerabilities in web applications
SSYM'09 Proceedings of the 18th conference on USENIX security symposium
Contego: capability-based access control for web browsers
TRUST'11 Proceedings of the 4th international conference on Trust and trustworthy computing
Re-designing the web's access control system
DBSec'11 Proceedings of the 25th annual IFIP WG 11.3 conference on Data and applications security and privacy
Position paper: why are there so many vulnerabilities in web applications?
Proceedings of the 2011 workshop on New security paradigms workshop
Attacks on WebView in the Android system
Proceedings of the 27th Annual Computer Security Applications Conference
TreeHouse: JavaScript sandboxes to help Web developers help themselves
USENIX ATC'12 Proceedings of the 2012 USENIX conference on Annual Technical Conference
JSand: complete client-side sandboxing of third-party JavaScript without browser modifications
Proceedings of the 28th Annual Computer Security Applications Conference
Mediums: visual integrity preserving framework
Proceedings of the third ACM conference on Data and application security and privacy
Protecting sensitive web content from client-side vulnerabilities with CRYPTONS
Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security
Over the last two decades, the Web has significantly transformed our lives. With the increased activity on the Web have come attacks. A recent report shows that 83% of web sites have had at least one serious vulnerability. As the Web becomes more and more sophisticated, the number of vulnerable sites is unlikely to decrease. A fundamental cause of these vulnerabilities is the inadequacy of the browser's access control model in dealing with the features of today's Web. We need better access control models for browsers. Today's web pages behave more and more like a system, with dynamic elements interacting with one another within each page. A well-designed access control model is needed to mediate these interactions and ensure security. The capability-based access control model has many properties that are desirable for the Web. This paper designs a capability-based access control model for web browsers. We demonstrate how such a model can benefit the Web, and how common vulnerabilities can be easily prevented using it. We have implemented this model in the Google Chrome browser.
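The contrast the abstract draws, between scripts that inherit the whole page's authority and scripts that receive only the capabilities the host hands them, can be shown in plain JavaScript. The following is an added illustrative example written for this page; it is not Contego's Chrome implementation (which enforces the model inside the browser), and every name in it (makeCapability, attenuate, adScript, the simulated cookie jar and DOM nodes) is a constructed assumption. The same third-party script is run twice: once with ambient authority, once with a single capability to its own ad slot.

```javascript
'use strict';

// A capability is an unforgeable reference that carries its own authority:
// holding it is both necessary and sufficient to use the resource. Closures
// keep the underlying resource object from ever leaking to the holder.
// (Assumed helper, not part of Contego.)
function makeCapability(resource, allowed) {
  const cap = {};
  for (const name of allowed) {
    if (typeof resource[name] !== 'function') {
      throw new Error(`cannot grant "${name}": not available on the source`);
    }
    cap[name] = (...args) => resource[name](...args);
  }
  return Object.freeze(cap); // holder cannot add or swap methods
}

// Attenuation: derive a weaker capability from one you hold. Because it only
// forwards methods that the source capability already exposes, a holder can
// narrow authority but never widen it.
function attenuate(cap, allowed) {
  return makeCapability(cap, allowed);
}

// Constructed stand-ins for the page's sensitive browser objects.
function makeCookieJar() {
  const jar = new Map([['session', 'abc123']]);
  return {
    read: (k) => jar.get(k),
    write: (k, v) => { jar.set(k, v); },
  };
}

function makeDomNode(id) {
  const node = { id, text: '', children: [] };
  return {
    setText: (t) => { node.text = t; },
    getText: () => node.text,
    append: (child) => { node.children.push(child); },
    childCount: () => node.children.length,
  };
}

// A third-party ad script (constructed). It renders into its slot and, if the
// environment lets it, also steals the session cookie and rewrites host content.
function adScript(env) {
  env.adSlot.setText('Buy now!');
  let stolen = null;
  if (env.cookies && typeof env.cookies.read === 'function') {
    stolen = env.cookies.read('session');
  }
  let tampered = false;
  if (env.hostContent && typeof env.hostContent.setText === 'function') {
    env.hostContent.setText('pwned');
    tampered = true;
  }
  return { stolen, tampered };
}

// Ambient authority: every script on the page sees the same globals, so the
// ad script gets cookies and the whole DOM for free.
function demoAmbient() {
  const cookies = makeCookieJar();
  const hostContent = makeDomNode('main');
  const adSlot = makeDomNode('ad');
  return adScript({ cookies, hostContent, adSlot });
  // → { stolen: 'abc123', tampered: true }
}

// Capability model: the host grants the ad script exactly one thing, the
// ability to set text in its own slot. Nothing else is reachable.
function demoCapability() {
  const cookies = makeCookieJar();
  const hostContent = makeDomNode('main');
  const adSlot = makeDomNode('ad');
  const adSlotCap = makeCapability(adSlot, ['setText']);
  const result = adScript({ adSlot: adSlotCap });
  return {
    ...result,
    adText: adSlot.getText(),        // the ad still rendered
    hostText: hostContent.getText(), // host content untouched
    cookie: cookies.read('session'), // still only known to the host
  };
  // → { stolen: null, tampered: false, adText: 'Buy now!', hostText: '', cookie: 'abc123' }
}

// Delegation can only narrow: a widget holding {setText, append} may pass
// {setText} to a sub-widget, but cannot mint getText it never had.
function demoAttenuation() {
  const slot = makeDomNode('widget');
  const widgetCap = makeCapability(slot, ['setText', 'append']);
  const subCap = attenuate(widgetCap, ['setText']);
  subCap.setText('hello');
  let widened = false;
  try { attenuate(widgetCap, ['getText']); widened = true; } catch (e) { /* expected */ }
  return { narrowedText: slot.getText(), widened };
  // → { narrowedText: 'hello', widened: false }
}
```

The point of the example is the enforcement mechanism, not the policy: once authority travels only with explicit references, "what can this script touch?" is answered by listing the capabilities it was handed, and an injected or compromised script that arrives without a cookie capability has nothing to read. A browser-level design like the one the abstract describes enforces the same property for the real DOM, cookies and network, which ordinary page JavaScript cannot do on its own.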