Efficient software-based fault isolation
SOSP '93 Proceedings of the fourteenth ACM symposium on Operating systems principles
Extensibility safety and performance in the SPIN operating system
SOSP '95 Proceedings of the fifteenth ACM symposium on Operating systems principles
The anatomy of a large-scale hypertextual Web search engine
WWW7 Proceedings of the seventh international conference on World Wide Web 7
A Safety-Oriented Platform for Web Applications
SP '06 Proceedings of the 2006 IEEE Symposium on Security and Privacy
JavaScript: The Definitive Guide
JavaScript: The Definitive Guide
Defeating script injection attacks with browser-enforced embedded policies
Proceedings of the 16th international conference on World Wide Web
Subspace: secure cross-domain communication for web mashups
Proceedings of the 16th international conference on World Wide Web
Singularity: rethinking the software stack
ACM SIGOPS Operating Systems Review - Systems work at Microsoft Research
Compoweb: a component-oriented web architecture
Proceedings of the 17th international conference on World Wide Web
Organizing and sharing distributed personal web-service data
Proceedings of the 17th international conference on World Wide Web
Talking to strangers without taking their candy: isolating proxied content
Proceedings of the 1st Workshop on Social Network Systems
SOMA: mutual approval for included content in web pages
Proceedings of the 15th ACM conference on Computer and communications security
OMash: enabling secure web mashups via object abstractions
Proceedings of the 15th ACM conference on Computer and communications security
A comprehensive human computation framework: with application to image labeling
MM '08 Proceedings of the 16th ACM international conference on Multimedia
Securing frame communication in browsers
SS'08 Proceedings of the 17th conference on Security symposium
Securing frame communication in browsers
Communications of the ACM - One Laptop Per Child: Vision vs. Reality
Privacy-preserving browser-side scripting with BFlow
Proceedings of the 4th ACM European conference on Computer systems
Automated security testing of web widget interactions
Proceedings of the 7th joint meeting of the European software engineering conference and the ACM SIGSOFT symposium on The foundations of software engineering
Secure file system services for web 2.0 applications
Proceedings of the 2009 ACM workshop on Cloud computing security
Privacy-aware identity management for client-side mashup applications
Proceedings of the 5th ACM workshop on Digital identity management
Towards a uniform web application platform for desktop computers and mobile devices
Towards a uniform web application platform for desktop computers and mobile devices
Mashware: the future of web applications
Mashware: the future of web applications
A lattice-based approach to mashup security
ASIACCS '10 Proceedings of the 5th ACM Symposium on Information, Computer and Communications Security
A SIP-based web client for HTTP session mobility and multimedia services
Computer Communications
Reining in the web with content security policy
Proceedings of the 19th international conference on World Wide Web
Alhambra: a system for creating, enforcing, and testing browser security policies
Proceedings of the 19th international conference on World Wide Web
Refactoring human roles solves systems problems
HotCloud'09 Proceedings of the 2009 conference on Hot topics in cloud computing
Convergence of desktop and web applications on a multi-service OS
HotSec'09 Proceedings of the 4th USENIX conference on Hot topics in security
The multi-principal OS construction of the gazelle web browser
SSYM'09 Proceedings of the 18th conference on USENIX security symposium
xJS: practical XSS prevention for web application development
WebApps'10 Proceedings of the 2010 USENIX conference on Web application development
BPM in cloud architectures: business process management with SLAs and events
BPM'10 Proceedings of the 8th international conference on Business process management
FIRM: capability-based inline mediation of Flash behaviors
Proceedings of the 26th Annual Computer Security Applications Conference
Visual security policy for the web
HotSec'10 Proceedings of the 5th USENIX conference on Hot topics in security
Securing script-based extensibility in web browsers
USENIX Security'10 Proceedings of the 19th USENIX conference on Security
Designing and Implementing the OP and OP2 Web Browsers
ACM Transactions on the Web (TWEB)
Proceedings of the 2011 ACM Symposium on Applied Computing
Permission re-delegation: attacks and defenses
SEC'11 Proceedings of the 20th USENIX conference on Security
Protecting private web content from embedded scripts
ESORICS'11 Proceedings of the 16th European conference on Research in computer security
Fortifying web-based applications automatically
Proceedings of the 18th ACM conference on Computer and communications security
AdSentry: comprehensive and flexible confinement of JavaScript-based advertisements
Proceedings of the 27th Annual Computer Security Applications Conference
Practical end-to-end web content integrity
Proceedings of the 21st international conference on World Wide Web
Security of web mashups: a survey
NordSec'10 Proceedings of the 15th Nordic conference on Information Security Technology for Applications
Composable reliability for asynchronous systems
USENIX ATC'12 Proceedings of the 2012 USENIX conference on Annual Technical Conference
TreeHouse: JavaScript sandboxes to help Web developers help themselves
USENIX ATC'12 Proceedings of the 2012 USENIX conference on Annual Technical Conference
Jigsaw: efficient, low-effort mashup isolation
WebApps'12 Proceedings of the 3rd USENIX conference on Web Application Development
ARC: protecting against HTTP parameter pollution attacks using application request caches
ACNS'12 Proceedings of the 10th international conference on Applied Cryptography and Network Security
Clickjacking: attacks and defenses
Security'12 Proceedings of the 21st USENIX conference on Security symposium
Privilege separation in HTML5 applications
Security'12 Proceedings of the 21st USENIX conference on Security symposium
Enhancing JavaScript with transactions
ECOOP'12 Proceedings of the 26th European conference on Object-Oriented Programming
When good services go wild: reassembling web services for unintended purposes
HotSec'12 Proceedings of the 7th USENIX conference on Hot Topics in Security
MeghaOS: A Framework for Scalable, Interoperable Cloud Based Operating System
International Journal of Cloud Applications and Computing
A measurement study of insecure JavaScript practices on the web
ACM Transactions on the Web (TWEB)
Embassies: radically refactoring the web
NSDI'13 Proceedings of the 10th USENIX conference on Networked Systems Design and Implementation
Preventing accidental data disclosure in modern operating systems
Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security
Content-based isolation: rethinking isolation policy design on client systems
Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security
How to run POSIX apps in a minimal picoprocess
USENIX ATC'13 Proceedings of the 2013 USENIX conference on Annual Technical Conference
Web browsers have evolved from a single-principal platform, on which one site is browsed at a time, into a multi-principal platform, on which data and code from mutually distrusting sites interact programmatically within a single page in the browser. Today's "Web 2.0" applications (or mashups) offer rich services that rival those of desktop PCs. However, the protection and communication abstractions offered by today's browsers remain suitable only for a single-principal system: either no trust, through complete isolation between principals (sites), or full trust, by incorporating third-party code as libraries. In this paper, we address this deficiency by identifying and designing the missing abstractions needed for a browser-based multi-principal platform. We have designed our abstractions to be backward compatible and easily adoptable. We have built a prototype system that realizes almost all of our abstractions and their associated properties. Our evaluation shows that our abstractions make it easy to build more secure and robust client-side Web mashups and can be implemented with negligible performance overhead.