Conference record of the 33rd ACM SIGPLAN-SIGACT symposium on Principles of programming languages
BrowserShield: Vulnerability-driven filtering of dynamic HTML
ACM Transactions on the Web (TWEB)
Resolving JavaScript Vulnerabilities in the Browser Runtime
ISSRE '08 Proceedings of the 2008 19th International Symposium on Software Reliability Engineering
JavaScript Instrumentation in Practice
APLAS '08 Proceedings of the 6th Asian Symposium on Programming Languages and Systems
AOJS: aspect-oriented javascript programming framework for web development
Proceedings of the 8th workshop on Aspects, components, and patterns for infrastructure software
Securing frame communication in browsers
Communications of the ACM - One Laptop Per Child: Vision vs. Reality
Lightweight self-protecting JavaScript
Proceedings of the 4th International Symposium on Information, Computer, and Communications Security
Object views: fine-grained sharing in browsers
Proceedings of the 19th international conference on World wide web
Isolating JavaScript with filters, rewriting, and wrappers
ESORICS'09 Proceedings of the 14th European conference on Research in computer security
Object Capabilities and Isolation of Untrusted Web Applications
SP '10 Proceedings of the 2010 IEEE Symposium on Security and Privacy
ConScript: Specifying and Enforcing Fine-Grained Security Policies for JavaScript in the Browser
SP '10 Proceedings of the 2010 IEEE Symposium on Security and Privacy
Cross-origin javascript capability leaks: detection, exploitation, and defense
SSYM'09 Proceedings of the 18th conference on USENIX security symposium
DIMVA'11 Proceedings of the 8th international conference on Detection of intrusions and malware, and vulnerability assessment
WebJail: least-privilege integration of third-party components in web mashups
Proceedings of the 27th Annual Computer Security Applications Conference
Decentralized delimited release
APLAS'11 Proceedings of the 9th Asian conference on Programming Languages and Systems
A two-tier sandbox architecture for untrusted JavaScript
Proceedings of the Workshop on JavaScript Tools
Security of web mashups: a survey
NordSec'10 Proceedings of the 15th Nordic conference on Information Security Technology for Applications
Secure multi-execution in haskell
PSI'11 Proceedings of the 8th international conference on Perspectives of System Informatics
You are what you include: large-scale evaluation of remote javascript inclusions
Proceedings of the 2012 ACM conference on Computer and communications security
JSand: complete client-side sandboxing of third-party JavaScript without browser modifications
Proceedings of the 28th Annual Computer Security Applications Conference
Gradual typing embedded securely in JavaScript
Proceedings of the 41st ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages
| Hi-index | 0.00 |
Phung et al (ASIACCS'09) describe a method for wrapping built-in functions of JavaScript programs in order to enforce security policies. The method is appealing because it requires neither deep transformation of the code nor browser modification. Unfortunately the implementation outlined suffers from a range of vulnerabilities, and policy construction is restrictive and error prone. In this paper we address these issues to provide a systematic way to avoid the identified vulnerabilities, and make it easier for the policy writer to construct declarative policies --- i.e. policies upon which attacker code has no side effects.