Transactional memory: architectural support for lock-free data structures
ISCA '93 Proceedings of the 20th annual international symposium on computer architecture
ACM Transactions on Information and System Security (TISSEC)
Transactional Rollback for Language-Based Systems
DSN '02 Proceedings of the 2002 International Conference on Dependable Systems and Networks
The inlined reference monitor approach to security policy enforcement
The inlined reference monitor approach to security policy enforcement
Detecting Malicious JavaScript Code in Mozilla
ICECCS '05 Proceedings of the 10th IEEE International Conference on Engineering of Complex Computer Systems
JavaScript instrumentation for browser security
Proceedings of the 34th annual ACM SIGPLAN-SIGACT symposium on Principles of programming languages
Defeating script injection attacks with browser-enforced embedded policies
Proceedings of the 16th international conference on World Wide Web
BrowserShield: Vulnerability-driven filtering of dynamic HTML
ACM Transactions on the Web (TWEB)
MashupOS: operating system abstractions for client mashups
HOTOS'07 Proceedings of the 11th USENIX workshop on Hot topics in operating systems
From STEM to SEAD: speculative execution for automated defense
ATC'07 2007 USENIX Annual Technical Conference on Proceedings of the USENIX Annual Technical Conference
SMash: secure component model for cross-domain mashups on unmodified browsers
Proceedings of the 17th international conference on World Wide Web
Talking to strangers without taking their candy: isolating proxied content
Proceedings of the 1st Workshop on Social Network Systems
Enforcing authorization policies using transactional memory introspection
Proceedings of the 15th ACM conference on Computer and communications security
Securing frame communication in browsers
Communications of the ACM - One Laptop Per Child: Vision vs. Reality
Isolating web programs in modern browser architectures
Proceedings of the 4th ACM European conference on Computer systems
Composing expressive runtime security policies
ACM Transactions on Software Engineering and Methodology (TOSEM)
Using static analysis for Ajax intrusion detection
Proceedings of the 18th international conference on World wide web
Lightweight self-protecting JavaScript
Proceedings of the 4th International Symposium on Information, Computer, and Communications Security
Staged information flow for javascript
Proceedings of the 2009 ACM SIGPLAN conference on Programming language design and implementation
Language-Based Isolation of Untrusted JavaScript
CSF '09 Proceedings of the 2009 22nd IEEE Computer Security Foundations Symposium
Ripley: automatically securing web 2.0 applications through replicated execution
Proceedings of the 16th ACM conference on Computer and communications security
An analysis of the dynamic behavior of JavaScript programs
PLDI '10 Proceedings of the 2010 ACM SIGPLAN conference on Programming language design and implementation
Isolating JavaScript with filters, rewriting, and wrappers
ESORICS'09 Proceedings of the 14th European conference on Research in computer security
Towards a Formal Foundation of Web Security
CSF '10 Proceedings of the 2010 23rd IEEE Computer Security Foundations Symposium
ConScript: Specifying and Enforcing Fine-Grained Security Policies for JavaScript in the Browser
SP '10 Proceedings of the 2010 IEEE Symposium on Security and Privacy
GATEKEEPER: mostly static enforcement of security and reliability policies for javascript code
SSYM'09 Proceedings of the 18th conference on USENIX security symposium
An empirical study of privacy-violating information flows in JavaScript web applications
Proceedings of the 17th ACM conference on Computer and communications security
AdJail: practical enforcement of confidentiality and integrity policies on web advertisements
USENIX Security'10 Proceedings of the 19th USENIX conference on Security
Automated Analysis of Security-Critical JavaScript APIs
SP '11 Proceedings of the 2011 IEEE Symposium on Security and Privacy
The eval that men do: A large-scale study of the use of eval in javascript applications
Proceedings of the 25th European conference on Object-oriented programming
Enhancing javascript with transactions
ECOOP'12 Proceedings of the 26th European conference on Object-Oriented Programming
You are what you include: large-scale evaluation of remote javascript inclusions
Proceedings of the 2012 ACM conference on Computer and communications security
FlowFox: a web browser with flexible and precise information flow control
Proceedings of the 2012 ACM conference on Computer and communications security
| Hi-index | 0.00 |
Providing security guarantees for systems built out of untrusted components requires the ability to define and enforce access control policies over untrusted code. In Web 2.0 applications, JavaScript code from different origins is often combined on a single page, leading to well-known vulnerabilities. We present a security infrastructure which allows users and content providers to specify access control policies over subsets of a JavaScript program by leveraging the concept of delimited histories with revocation. We implement our proposal in WebKit and evaluate it with three policies on 50 widely used websites with no changes to their JavaScript code and report performance overheads and violations.